feat: Comprehensive Authentication & Authorization Hardening

[devin-ai-integration]

Authentication & Authorization Hardening Implementation

Summary

This PR implements comprehensive authentication and authorization hardening for the NestJS banking application, including JWT refresh token rotation, token blacklisting, enhanced password security, account lockout mechanisms, and session management.

Key Features Added:

• Refresh Token Rotation: JWT tokens now include both access (30min) and refresh tokens (30 days) with automatic rotation
• Token Blacklisting: Logout functionality now blacklists tokens to prevent reuse
• Enhanced Password Security: Stronger validation rules, increased bcrypt rounds (10→12), password history tracking
• Account Lockout: Progressive lockout after failed login attempts with automatic unlock
• Session Management: Device/session tracking with concurrent session limits and management endpoints

Database Changes:

• 4 new tables: refresh_tokens, blacklisted_tokens, password_history, user_sessions
• Enhanced users_auth table with security fields
• Complete TypeORM migration included

Review & Testing Checklist for Human

⚠️ High Risk - Comprehensive Testing Required

• Run database migration - Verify the migration executes successfully without data loss
• Test complete authentication flows - Login, logout, password reset, and user registration still work correctly
• Verify new security features - Test refresh token rotation, account lockout after failed attempts, and token blacklisting on logout
• Test session management endpoints - Verify GET /auth/sessions, DELETE /auth/sessions/:token, and DELETE /auth/sessions work correctly
• Performance testing - Check that additional token validation queries don't significantly impact response times

Recommended Test Plan:

1. Set up local environment with PostgreSQL
2. Run migration and verify schema changes
3. Test existing login/logout flows for regression
4. Test new refresh token endpoint with valid/invalid tokens
5. Attempt login with wrong password multiple times to trigger lockout
6. Test session management endpoints with multiple active sessions
7. Verify password history prevents reuse of recent passwords

---

Diagram

%%{ init : { "theme" : "default" }}%%
graph TB
    subgraph "Authentication Flow"
        AuthController["auth/controllers/<br/>auth.controller.ts"]:::major-edit
        AuthService["auth/services/<br/>auth.service.ts"]:::major-edit
        RefreshTokenService["auth/services/<br/>refresh-token.service.ts"]:::major-edit
        TokenBlacklistService["auth/services/<br/>token-blacklist.service.ts"]:::major-edit
    end
    
    subgraph "User Management"
        UserService["user/services/<br/>user.service.ts"]:::minor-edit
        PasswordHistoryService["user/services/<br/>password-history.service.ts"]:::major-edit
        SessionManagementService["user/services/<br/>session-management.service.ts"]:::major-edit
    end
    
    subgraph "Database Layer"
        RefreshTokenEntity["user/entities/<br/>refresh-token.entity.ts"]:::major-edit
        BlacklistedTokenEntity["user/entities/<br/>blacklisted-token.entity.ts"]:::major-edit
        PasswordHistoryEntity["user/entities/<br/>password-history.entity.ts"]:::major-edit
        UserSessionEntity["user/entities/<br/>user-session.entity.ts"]:::major-edit
        UserAuthEntity["user/entities/<br/>user-auth.entity.ts"]:::minor-edit
    end
    
    subgraph "Configuration"
        AuthModule["auth/index.ts"]:::minor-edit
        UserModule["user/index.ts"]:::minor-edit
        Migration["migrations/<br/>auth-hardening.ts"]:::major-edit
    end
    
    AuthController --> AuthService
    AuthService --> RefreshTokenService
    AuthService --> TokenBlacklistService
    AuthService --> PasswordHistoryService
    AuthService --> SessionManagementService
    
    RefreshTokenService --> RefreshTokenEntity
    TokenBlacklistService --> BlacklistedTokenEntity
    PasswordHistoryService --> PasswordHistoryEntity
    SessionManagementService --> UserSessionEntity
    
    AuthModule --> AuthService
    UserModule --> UserService
    
    subgraph Legend
        L1[Major Edit]:::major-edit
        L2[Minor Edit]:::minor-edit
        L3[Context/No Edit]:::context
    end
    
    classDef major-edit fill:#90EE90
    classDef minor-edit fill:#87CEEB
    classDef context fill:#FFFFFF

Loading

Notes

⚠️ Testing Limitation: Due to local database connectivity issues, the authentication flows could not be tested during development. All code compiles successfully, but runtime testing is critical before merge.

Security Enhancements:

• Access tokens expire in 30 minutes (vs previous 1 hour)
• Refresh tokens expire in 30 days with automatic rotation
• Password requirements: 8+ chars, uppercase, lowercase, number, special character
• Account lockout after failed attempts with progressive delays
• Session tracking with device fingerprinting and concurrent session limits

Performance Considerations:

• Additional database queries for token validation and password history checks
• Cleanup cron jobs implemented for expired tokens and sessions

---

Link to Devin run: https://app.devin.ai/sessions/5f952db1308d403a9bbc679cc1c3de7a
Requested by: Arthur Poon (@akkp-windsurf)

[devin-ai-integration]

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

• Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
• Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

• Disable automatic comment and CI monitoring