
feat: Add login anomaly detection & suspicious activity alerts#260

Open
DebuggingMax wants to merge 1 commit into rohitdash08:main from DebuggingMax:feature/login-anomaly-detection

Conversation

@DebuggingMax

Summary

Implements comprehensive login anomaly detection to protect user accounts from suspicious activity.

Changes

New Models (models.py)

  • LoginAttempt - Records all login attempts with IP, user agent, device fingerprint, timestamp
  • LoginAnomaly - Tracks detected security anomalies with type, severity, resolution status
  • AnomalyType enum - BRUTE_FORCE, NEW_IP, NEW_DEVICE, UNUSUAL_TIME, IMPOSSIBLE_TRAVEL
  • AnomalySeverity enum - LOW, MEDIUM, HIGH, CRITICAL

New Service (services/login_anomaly.py)

Detection algorithms for:

  • Brute Force: Alerts after 5 failed attempts, lockout after 10
  • New IP: Alerts on login from previously unseen IP addresses
  • New Device: Alerts on new user agent fingerprints
  • Unusual Time: Alerts on logins between 2-5 AM (configurable)
  • Impossible Travel: Alerts on rapid logins from different IPs (credential theft indicator)

Updated Auth Routes (routes/auth.py)

  • Login now records attempts and checks for account lockout
  • Login response includes security warnings for unresolved anomalies
  • HTTP 423 response when account is locked

New Security Endpoints

  • GET /auth/security/summary - Security overview dashboard
  • GET /auth/security/login-history - View recent login attempts
  • GET /auth/security/anomalies - List detected anomalies
  • POST /auth/security/anomalies/{id}/resolve - Mark anomaly as legitimate
  • POST /auth/security/unlock - Self-service account unlock

Tests (tests/test_login_anomaly.py)

Comprehensive test coverage for all detection algorithms and endpoints.

Documentation

Updated README.md with Login Anomaly Detection section.

Acceptance Criteria

  • ✅ Production-ready implementation
  • ✅ Includes tests
  • ✅ Documentation updated

Closes #124

Implements comprehensive login security monitoring:

Detected Anomalies:
- Brute force attack detection (multiple failed attempts)
- New IP address alerts
- New device detection (user agent fingerprinting)
- Unusual login time detection (2-5 AM)
- Impossible travel detection (rapid IP changes)

Security Features:
- Automatic account lockout after 10 failed attempts
- Self-service account unlock endpoint
- Security warnings in login response
- Full login history tracking

New Endpoints:
- GET /auth/security/summary
- GET /auth/security/login-history
- GET /auth/security/anomalies
- POST /auth/security/anomalies/{id}/resolve
- POST /auth/security/unlock

Includes comprehensive test coverage.

Closes rohitdash08#124
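The five rules listed in the description, as an added worked example that is not code from this pull request or from the rohitdash08 project. It keeps the thresholds the PR states (alert at 5 failures, lockout at 10, unusual hours 2-5 AM, HTTP 423 while locked); the 10-minute impossible-travel window, the severity assigned to each rule, the decision to skip baseline checks on a user's very first login, and every class and function name (`AnomalyDetector`, `handle_login`, `demo`) are assumptions. The sample traffic in `demo()` is constructed.

```python
"""Rule-based login anomaly detection with per-account lockout (added example;
not the PR's services/login_anomaly.py). Thresholds follow the PR description;
the travel window, severity mapping and all names here are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional


class AnomalyType(Enum):
    BRUTE_FORCE = "brute_force"
    NEW_IP = "new_ip"
    NEW_DEVICE = "new_device"
    UNUSUAL_TIME = "unusual_time"
    IMPOSSIBLE_TRAVEL = "impossible_travel"


class AnomalySeverity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    ip: str
    user_agent: str       # stands in for the PR's device fingerprint
    timestamp: datetime
    success: bool


@dataclass(frozen=True)
class LoginAnomaly:
    user: str
    type: AnomalyType
    severity: AnomalySeverity
    detail: str


@dataclass
class AnomalyDetector:
    alert_failures: int = 5                              # PR: alert after 5 failures
    lockout_failures: int = 10                           # PR: lockout after 10
    unusual_hours: range = range(2, 5)                   # PR: 2-5 AM, read as 02:00-04:59
    travel_window: timedelta = timedelta(minutes=10)     # assumed impossible-travel window
    history: Dict[str, List[LoginAttempt]] = field(default_factory=dict)

    def consecutive_failures(self, user: str) -> int:
        """Failures since the user's last success; a success resets the streak."""
        streak = 0
        for attempt in reversed(self.history.get(user, [])):
            if attempt.success:
                break
            streak += 1
        return streak

    def is_locked(self, user: str) -> bool:
        return self.consecutive_failures(user) >= self.lockout_failures

    def record(self, attempt: LoginAttempt) -> List[LoginAnomaly]:
        """Store the attempt and return the anomalies it triggers."""
        prior = self.history.setdefault(attempt.user, [])
        successes = [a for a in prior if a.success]
        known_ips = {a.ip for a in successes}
        known_agents = {a.user_agent for a in successes}
        last_success: Optional[LoginAttempt] = successes[-1] if successes else None
        prior.append(attempt)
        user, found = attempt.user, []

        if not attempt.success:
            # Brute force is judged on the per-account failure streak only.
            streak = self.consecutive_failures(user)
            if streak >= self.lockout_failures:
                found.append(LoginAnomaly(user, AnomalyType.BRUTE_FORCE, AnomalySeverity.CRITICAL,
                                          f"{streak} consecutive failures; account locked"))
            elif streak >= self.alert_failures:
                found.append(LoginAnomaly(user, AnomalyType.BRUTE_FORCE, AnomalySeverity.HIGH,
                                          f"{streak} consecutive failures"))
            return found

        # Remaining rules compare a successful login with earlier successes;
        # the very first login has no baseline, so nothing is flagged (assumption).
        if known_ips and attempt.ip not in known_ips:
            found.append(LoginAnomaly(user, AnomalyType.NEW_IP, AnomalySeverity.MEDIUM,
                                      f"first login from {attempt.ip}"))
        if known_agents and attempt.user_agent not in known_agents:
            found.append(LoginAnomaly(user, AnomalyType.NEW_DEVICE, AnomalySeverity.MEDIUM,
                                      "unrecognised user agent"))
        if attempt.timestamp.hour in self.unusual_hours:
            found.append(LoginAnomaly(user, AnomalyType.UNUSUAL_TIME, AnomalySeverity.LOW,
                                      f"login at {attempt.timestamp:%H:%M}"))
        if (last_success is not None and attempt.ip != last_success.ip
                and attempt.timestamp - last_success.timestamp <= self.travel_window):
            found.append(LoginAnomaly(user, AnomalyType.IMPOSSIBLE_TRAVEL, AnomalySeverity.HIGH,
                                      f"{last_success.ip} -> {attempt.ip} within {self.travel_window}"))
        return found


def handle_login(det: AnomalyDetector, attempt: LoginAttempt) -> dict:
    """Mirror the login route: 423 while locked, else 401/200 plus security warnings."""
    if det.is_locked(attempt.user):
        return {"status": 423, "anomalies": []}   # not recorded, so a correct password cannot reset the streak
    anomalies = det.record(attempt)
    return {"status": 200 if attempt.success else 401,
            "anomalies": [f"{a.type.name}:{a.severity.name}" for a in anomalies]}


def demo() -> dict:
    """Constructed sample traffic; returns what each step produced."""
    det = AnomalyDetector()
    t0 = datetime(2024, 3, 1, 9, 0)                                   # constructed timestamps
    laptop = "Mozilla/5.0 (X11; Linux x86_64) Firefox/124.0"          # constructed user agents
    phone = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1"
    out = {}
    # alice: first login sets the baseline, nothing flagged
    out["baseline"] = handle_login(det, LoginAttempt("alice", "203.0.113.10", laptop, t0, True))
    # five minutes later from another IP on a phone: NEW_IP, NEW_DEVICE, IMPOSSIBLE_TRAVEL
    out["new_device"] = handle_login(det, LoginAttempt("alice", "198.51.100.7", phone, t0 + timedelta(minutes=5), True))
    # next night at 03:30 from the known laptop and IP: only UNUSUAL_TIME
    out["night"] = handle_login(det, LoginAttempt("alice", "203.0.113.10", laptop, t0 + timedelta(hours=18, minutes=30), True))
    # bob: ten wrong passwords (alert at the 5th, lockout at the 10th), then a correct one
    out["bob"] = [handle_login(det, LoginAttempt("bob", "192.0.2.44", laptop, t0 + timedelta(seconds=i), False))
                  for i in range(10)]
    out["bob_locked"] = handle_login(det, LoginAttempt("bob", "192.0.2.44", laptop, t0 + timedelta(seconds=10), True))
    return out
```

Two caveats a reviewer would raise against rules this simple: comparing IP strings makes a phone hopping between Wi-Fi and cellular look like impossible travel and a new IP at once, so a real deployment resolves IPs to locations and reasons about distance over time; and because the lockout is keyed on the username, anyone who knows a victim's login can lock them out, which is why the PR's self-service unlock endpoint has to prove more than the username before clearing the streak.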


Development

Successfully merging this pull request may close these issues.

Login anomaly detection & suspicious activity alerts
