- Description: `/api/usersessions` is publicly accessible. Secure it and introduce rate-limiting for auth flows, with audit logs. - Current state: `SecurityConfig` marks `/api/usersessions` as `permitAll`. No rate limiting. Limited auth auditing via SLF4J in `AuthController`. - Tasks: - Require authentication for `/api/usersessions/**` and consider `ROLE_Admin` for list/delete. - Add simple rate limiting (e.g., Bucket4j filter) on `/api/login` and `/api/refresh-token`. - Add structured audit logs for login attempts, refresh, and session invalidations. - Acceptance criteria: - Anonymous calls to `/api/usersessions/**` are rejected (401/403). - Excessive login attempts are throttled; audit logs present. - References: `SecurityConfig.java`, `UserSessionController.java`, `AuthController.java`.
