Implement comprehensive authentication and authorization hardening #7

Open

devin-ai-integration[bot] wants to merge 1 commit into master from devin/1738148757-auth-security-hardening

Conversation

@devin-ai-integration

Implement comprehensive authentication and authorization hardening

Summary

This PR implements critical security enhancements for the banking application's authentication system, including JWT refresh token rotation, password security hardening, multi-factor authentication, and comprehensive audit logging.

Key Security Features Added:

  • JWT Security: Refresh token rotation, blacklisting, shortened access token expiration (15 minutes)
  • Password Security: Strength requirements, history tracking (12 passwords), enhanced bcrypt (salt 12)
  • Multi-Factor Authentication: TOTP with QR codes, backup codes, recovery mechanisms
  • Account Protection: Progressive lockout after 5 failed attempts (5min → 15min → 1hr → 24hr)
  • Session Management: Device fingerprinting, max 5 concurrent sessions per user
  • Security Auditing: Comprehensive logging of all authentication events
  • Rate Limiting: Granular limits for auth endpoints (5/min for login, 100/15min general)

New Database Tables:

  • refresh_tokens - Token management and device tracking
  • password_history - Historical password hashes
  • user_two_factor - TOTP secrets and backup codes
  • device_sessions - Active session tracking
  • account_lockouts - Failed attempt tracking
  • security_audit_logs - Security event logging

Review & Testing Checklist for Human

⚠️ CRITICAL - 5 items require thorough validation:

  • Database Migration: Execute the migration and verify all new tables are created correctly with proper indexes and constraints
  • End-to-End Authentication Testing: Test complete user flows - registration with new password requirements, login with account lockout, 2FA setup/verification, password changes with history validation
  • Security Configuration Review: Validate lockout durations, token expiration times, bcrypt salt rounds, and rate limiting values are appropriate for banking security requirements
  • Error Handling & Edge Cases: Test scenarios like expired tokens, invalid 2FA codes, maximum session limits, backup code usage, and account unlock processes
  • Integration Testing: Verify new authentication services integrate properly with existing user management, bill payment, and transaction systems without breaking functionality

Recommended Test Plan:

  1. Start with a fresh database and run the migration
  2. Test user registration with weak/strong passwords
  3. Test login failures leading to account lockout
  4. Test 2FA setup, QR code generation, and TOTP verification
  5. Test refresh token rotation and session management
  6. Test password change with history validation
  7. Verify security audit logs are properly created

Diagram

```mermaid
%%{ init : { "theme" : "default" }}%%
graph TB
    AuthController["auth.controller.ts<br/>New 2FA & session endpoints"]:::major-edit
    AuthSecurityService["auth-security.service.ts<br/>Enhanced login logic"]:::major-edit
    TwoFactorService["two-factor.service.ts<br/>TOTP & backup codes"]:::major-edit
    RefreshTokenService["refresh-token.service.ts<br/>Token rotation"]:::major-edit
    AccountLockoutService["account-lockout.service.ts<br/>Progressive lockout"]:::major-edit

    Migration["1753786297884-SecurityEnhancements.ts<br/>New security tables"]:::major-edit
    UtilsService["utils.service.ts<br/>Enhanced password hashing"]:::minor-edit
    AuthModule["auth/index.ts<br/>New service registration"]:::minor-edit

    UserEntity["user.entity.ts<br/>Existing user data"]:::context

    AuthController --> AuthSecurityService
    AuthController --> TwoFactorService
    AuthController --> RefreshTokenService

    AuthSecurityService --> AccountLockoutService
    AuthSecurityService --> TwoFactorService
    AuthSecurityService --> RefreshTokenService

    TwoFactorService --> UserEntity
    RefreshTokenService --> UserEntity
    AccountLockoutService --> UserEntity

    Migration --> AuthModule
    UtilsService --> AuthSecurityService

    subgraph Legend
        L1[Major Edit]:::major-edit
        L2[Minor Edit]:::minor-edit
        L3[Context/No Edit]:::context
    end

    classDef major-edit fill:#90EE90
    classDef minor-edit fill:#87CEEB
    classDef context fill:#FFFFFF
```

Notes

⚠️ Environment Issue: Database connection was unavailable during development, so end-to-end testing was not completed. The code compiles successfully but requires database setup for functional validation.

Security Dependencies Added:

  • speakeasy for TOTP generation
  • qrcode for 2FA QR code generation
  • argon2 as backup password hashing option

Breaking Changes:

  • User registration now requires stronger passwords with confirmation
  • Login process includes 2FA verification when enabled
  • New rate limiting may affect existing API clients

Link to Devin run: https://app.devin.ai/sessions/edb35af8f9474ce0a6949af00a9a3e19
Requested by: @akkp-windsurf

- Add JWT refresh token rotation and blacklisting mechanisms
- Implement password strength requirements and history tracking
- Enhance bcrypt configuration from salt 10 to 12
- Add account lockout after 5 failed attempts with progressive duration
- Implement TOTP-based 2FA with backup codes and recovery
- Add device/session management with max 5 concurrent sessions
- Create security audit logging for all auth events
- Add granular rate limiting for auth endpoints
- Enhance password validation with complexity requirements

Security enhancements include:
- RefreshTokenService: token rotation, device fingerprinting, session limits
- TwoFactorService: TOTP setup, QR codes, backup codes, recovery
- AccountLockoutService: progressive lockout (5min, 15min, 1hr, 24hr)
- PasswordHistoryService: prevent reuse of last 12 passwords
- AuthSecurityService: centralized enhanced authentication logic
- SecurityAuditLogEntity: comprehensive security event logging

Database migrations added for new security tables:
- refresh_tokens, password_history, user_two_factor
- device_sessions, account_lockouts, security_audit_logs

Co-Authored-By: Arthur Poon <arthur.poon@windsurf.com>
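The progressive lockout schedule stated in the summary and the commit message (lock after 5 failed attempts; 5 min, then 15 min, 1 hr, 24 hr on successive lockouts), worked through as an added example; this is not code from the PR's AccountLockoutService. It assumes the escalation tier advances once per lockout and stays at 24 hr after the fourth, that a successful login resets both counters, and that the clock is injected so the behaviour is deterministic.

```typescript
// Added example, not the PR's own code. Lockout policy from the PR summary:
// 5 failed attempts trigger a lockout; each successive lockout escalates
// 5min -> 15min -> 1hr -> 24hr (assumption: the last tier repeats).
const MAX_FAILED_ATTEMPTS = 5;
const LOCKOUT_SCHEDULE_MS = [5 * 60_000, 15 * 60_000, 60 * 60_000, 24 * 60 * 60_000];

interface LockoutState {
  failedAttempts: number;     // failures since the last reset
  lockoutCount: number;       // lockouts so far; selects the escalation tier
  lockedUntil: number | null; // epoch ms; null when not locked
}

type LoginOutcome =
  | { allowed: false; reason: 'locked'; retryAfterMs: number }
  | { allowed: true; authenticated: boolean; locked: boolean };

function newState(): LockoutState {
  return { failedAttempts: 0, lockoutCount: 0, lockedUntil: null };
}

function isLocked(s: LockoutState, now: number): boolean {
  return s.lockedUntil !== null && now < s.lockedUntil;
}

// Call once per login attempt. The lockout check runs before the password
// result is consulted, so a locked account gives the same answer for a
// right or wrong password and no bcrypt work is spent on it.
function recordAttempt(s: LockoutState, passwordOk: boolean, now: number): LoginOutcome {
  if (isLocked(s, now)) {
    return { allowed: false, reason: 'locked', retryAfterMs: (s.lockedUntil as number) - now };
  }
  if (passwordOk) {
    // Assumption: a successful login clears the counter and the escalation tier.
    s.failedAttempts = 0;
    s.lockoutCount = 0;
    s.lockedUntil = null;
    return { allowed: true, authenticated: true, locked: false };
  }
  s.failedAttempts += 1;
  if (s.failedAttempts >= MAX_FAILED_ATTEMPTS) {
    const tier = Math.min(s.lockoutCount, LOCKOUT_SCHEDULE_MS.length - 1);
    s.lockedUntil = now + LOCKOUT_SCHEDULE_MS[tier];
    s.lockoutCount += 1;
    s.failedAttempts = 0; // the next lockout needs 5 fresh failures
    return { allowed: true, authenticated: false, locked: true };
  }
  return { allowed: true, authenticated: false, locked: false };
}
```

Each lockout should also be written to the security_audit_logs table the PR adds, since the escalation tier is exactly the signal a reviewer wants when deciding whether an account is under a credential-stuffing attempt.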
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring
