feat: Login anomaly detection system (#124) #770

Open

wocaoac-cpu wants to merge 2 commits into rohitdash08:main from wocaoac-cpu:feat/login-anomaly-detection
Conversation


@wocaoac-cpu wocaoac-cpu commented Apr 3, 2026

Summary

Implements login anomaly detection and suspicious activity alerts to detect unusual login behavior and alert users.

Closes #124

What's included

  • LoginAttempt model — records every login attempt with IP address, user-agent, country, success/failure, and timestamp
  • LoginAlert model — stores security alerts with severity levels (LOW/MEDIUM/HIGH/CRITICAL) and acknowledgement support
  • Anomaly detection service (login_anomaly.py) with five real-time detectors:
    • BRUTE_FORCE — detects rapid failed login attempts (5+ in 15 min), triggers account lockout via Redis
    • NEW_IP — alerts when a user logs in from a previously unseen IP address
    • NEW_DEVICE — alerts on login from an unrecognized user-agent
    • IMPOSSIBLE_TRAVEL — flags successive logins from different countries within 60 minutes
    • ODD_HOUR — low-severity alert for logins during unusual hours (01:00-05:00 UTC)
  • Account lockout — temporary 30-minute lockout after brute-force detection, backed by Redis with graceful fallback
  • Security alerts in login response — the /auth/login endpoint now returns security_alerts array when anomalies are detected
  • Three new API endpoints under /auth/security/:
    • GET /auth/security/history — paginated login attempt history
    • GET /auth/security/alerts — unacknowledged security alerts (with ?include_acknowledged=true option)
    • POST /auth/security/alerts/{id}/acknowledge — dismiss an alert
  • Database schema — SQL migration for login_attempts and login_alerts tables with proper indexes
  • OpenAPI spec — full documentation for all new endpoints and schemas

Tests

22 test cases covering:

  • Unit tests for each anomaly detector (brute force, new IP, new device, odd hour, impossible travel)
  • Unit tests for alert management (create, query, acknowledge)
  • Integration tests for all HTTP endpoints (history, alerts, acknowledge, auth-required checks)
  • Integration test for brute-force account lockout via the login endpoint

Test plan

  • All 22 new tests pass (pytest tests/test_login_anomaly.py)
  • Existing tests unaffected (no regressions introduced)
  • Login endpoint still returns tokens on successful auth
  • Brute-force lockout returns HTTP 429 after threshold
  • Security endpoints require JWT authentication
  • Redis graceful degradation (lockout silently skipped if Redis unavailable)

- Add LoginEvent model to track all login attempts (IP, user-agent, timestamp, success/failure)
- Add login_anomaly service with real-time risk scoring:
  - Failed attempt frequency detection
  - New device/IP detection
  - Impossible travel detection (login from different geo in short time)
  - Brute force pattern detection
- Add /auth/login-history and /auth/security-status API endpoints
- Integrate anomaly detection into existing login flow
- Add comprehensive tests (12 test cases)

Closes rohitdash08#124
@wocaoac-cpu wocaoac-cpu requested a review from rohitdash08 as a code owner April 3, 2026 14:38
Add SQL migration for login_attempts and login_alerts tables with indexes,
and document the /auth/security/* API endpoints in the OpenAPI specification.
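The five detectors listed in the PR summary, written out as an added Python example; this is not the PR's own login_anomaly.py. Thresholds come from the description above; the record field names, the severities other than ODD_HOUR=LOW, and the rule that only successful logins are evaluated by the non-brute-force detectors are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Thresholds as stated in the PR description.
BRUTE_FORCE_FAILS = 5                       # 5+ failures ...
BRUTE_FORCE_WINDOW = timedelta(minutes=15)  # ... within 15 minutes
TRAVEL_WINDOW = timedelta(minutes=60)       # different countries within 60 minutes
ODD_HOURS = range(1, 5)                     # 01:00-05:00 UTC

def detect_anomalies(history, attempt):
    """Return [(alert_type, severity), ...] for `attempt` given the user's prior `history`.

    Records are dicts: ts (aware datetime), ip, user_agent, country, success.
    Assumed (not fixed by the PR): severities other than ODD_HOUR=LOW, and that
    NEW_IP / NEW_DEVICE / IMPOSSIBLE_TRAVEL / ODD_HOUR only evaluate successful logins.
    """
    ts = attempt["ts"].astimezone(timezone.utc)
    if not attempt["success"]:
        # BRUTE_FORCE: this failure plus earlier failures inside the window
        recent = sum(1 for h in history
                     if not h["success"] and timedelta(0) <= ts - h["ts"] <= BRUTE_FORCE_WINDOW)
        return [("BRUTE_FORCE", "CRITICAL")] if recent + 1 >= BRUTE_FORCE_FAILS else []
    alerts = []
    seen = [h for h in history if h["success"]]
    if attempt["ip"] not in {h["ip"] for h in seen}:
        alerts.append(("NEW_IP", "MEDIUM"))
    if attempt["user_agent"] not in {h["user_agent"] for h in seen}:
        alerts.append(("NEW_DEVICE", "MEDIUM"))
    if seen:
        last = max(seen, key=lambda h: h["ts"])  # most recent successful login
        if last["country"] != attempt["country"] and timedelta(0) <= ts - last["ts"] <= TRAVEL_WINDOW:
            alerts.append(("IMPOSSIBLE_TRAVEL", "HIGH"))
    if ts.hour in ODD_HOURS:
        alerts.append(("ODD_HOUR", "LOW"))
    return alerts

def _t(hour, minute):
    return datetime(2026, 4, 3, hour, minute, tzinfo=timezone.utc)

# Constructed sample history for one user; not data from the PR.
HISTORY = [{"ts": _t(9, 0), "ip": "203.0.113.5", "user_agent": "Firefox/125",
            "country": "DE", "success": True}] + [
    {"ts": _t(10, m), "ip": "198.51.100.7", "user_agent": "curl/8.0",
     "country": "DE", "success": False} for m in range(4)]

FIFTH_FAILURE = {"ts": _t(10, 5), "ip": "198.51.100.7", "user_agent": "curl/8.0",
                 "country": "DE", "success": False}
TRAVEL_LOGIN = {"ts": _t(9, 40), "ip": "192.0.2.9", "user_agent": "Firefox/125",
                "country": "BR", "success": True}
```

With the constructed history, FIFTH_FAILURE trips BRUTE_FORCE (four prior failures in the last 15 minutes plus this one) and TRAVEL_LOGIN yields NEW_IP plus IMPOSSIBLE_TRAVEL (DE to BR 40 minutes after the last successful login).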
Development

Successfully merging this pull request may close these issues.

Login anomaly detection & suspicious activity alerts