webupdatev1

backend/routes/auth.js

@@ -13,6 +13,11 @@ const {
   sendUnauthorized,
 } = require("../utils/responseHelpers");
 const { HTTP_STATUS } = require("../config/constants");
+const {
+  recordFailedAttempt,
+  resetFailedAttempts,
+  checkBlocked,
+} = require("../middleware/bruteForceProtection");
 const router = express.Router();
 
 const getUserByEmail = async (email) => {
@@ -47,28 +52,36 @@ const createUserSession = (req, user) => {
 // Login endpoint
 router.post(
   "/login",
+  checkBlocked,
   validators.login,
   handleValidationErrors,
   asyncHandler(async (req, res) => {
     const { email, password } = req.body;
+    const ip = req.ip || req.connection.remoteAddress;
     const admin = await getUserByEmail(email);
 
     if (!admin) {
-      logger.warn("Login attempt with invalid email", { email });
+      logger.warn("Login attempt with invalid email", { email, ip });
+      recordFailedAttempt(ip);
       return sendUnauthorized(res, "Invalid email or password");
     }
 
     if (!admin.isactive) {
-      logger.warn("Login attempt with deactivated account", { email });
+      logger.warn("Login attempt with deactivated account", { email, ip });
+      recordFailedAttempt(ip);
       return sendUnauthorized(res, "Account is deactivated");
     }
 
     const validPassword = await bcrypt.compare(password, admin.passwordhash);
     if (!validPassword) {
-      logger.warn("Login attempt with invalid password", { email });
+      logger.warn("Login attempt with invalid password", { email, ip });
+      recordFailedAttempt(ip);
       return sendUnauthorized(res, "Invalid email or password");
     }
 
+    // Reset failed attempts on successful login
+    resetFailedAttempts(ip);
+
     await updateLastLogin(admin.id);
     createUserSession(req, admin);
 
@@ -81,6 +94,7 @@ router.post(
       logger.info("User logged in successfully", {
         userId: admin.id,
         email: admin.email,
+        ip,
       });
       sendSuccess(res, { user: req.session.user });
     });