Based on the git diff provided, here's a concise and descriptive commit message:

feat: add security event taxonomy and optimize park queryset

- Add comprehensive security_event_types ChoiceGroup with categories for authentication, MFA, password, account, session, and API key events
- Include severity levels, icons, and CSS classes for each event type
- Fix park queryset optimization by using select_related for OneToOne location relationship
- Remove location property fields (latitude/longitude) from values() call as they are not actual DB columns
- Add proper location fields (city, state, country) to values() for map display

This change enhances security event tracking capabilities and resolves a queryset optimization issue where property decorators were incorrectly used in values() queries.
pacnpal
2026-01-10 16:41:31 -05:00
parent 96df23242e
commit 2b66814d82
26 changed files with 2055 additions and 112 deletions


@@ -39,15 +39,30 @@ class AuthRateLimitMiddleware:
# Login endpoints
"/api/v1/auth/login/": {"per_minute": 5, "per_hour": 30, "per_day": 100},
"/accounts/login/": {"per_minute": 5, "per_hour": 30, "per_day": 100},
# MFA verification (strict limits - 6-digit codes have limited entropy)
"/api/v1/auth/login/mfa-verify/": {"per_minute": 5, "per_hour": 15, "per_day": 50},
"/api/v1/auth/mfa/totp/verify/": {"per_minute": 5, "per_hour": 15, "per_day": 50},
"/api/v1/auth/mfa/totp/activate/": {"per_minute": 3, "per_hour": 10, "per_day": 30},
"/api/v1/auth/mfa/totp/deactivate/": {"per_minute": 3, "per_hour": 10, "per_day": 20},
# Passkey endpoints
"/api/v1/auth/passkey/authenticate/": {"per_minute": 10, "per_hour": 30, "per_day": 100},
"/api/v1/auth/passkey/register/": {"per_minute": 5, "per_hour": 15, "per_day": 30},
# Signup endpoints
"/api/v1/auth/signup/": {"per_minute": 3, "per_hour": 10, "per_day": 20},
"/accounts/signup/": {"per_minute": 3, "per_hour": 10, "per_day": 20},
# Password reset endpoints
"/api/v1/auth/password-reset/": {"per_minute": 2, "per_hour": 5, "per_day": 10},
"/accounts/password/reset/": {"per_minute": 2, "per_hour": 5, "per_day": 10},
# Password change (prevent brute force on current password)
"/api/v1/auth/password/change/": {"per_minute": 3, "per_hour": 10, "per_day": 30},
# Token endpoints
"/api/v1/auth/token/": {"per_minute": 10, "per_hour": 60, "per_day": 200},
"/api/v1/auth/token/refresh/": {"per_minute": 20, "per_hour": 120, "per_day": 500},
# Social account management
"/api/v1/auth/social/connect/google/": {"per_minute": 5, "per_hour": 15, "per_day": 30},
"/api/v1/auth/social/connect/discord/": {"per_minute": 5, "per_hour": 15, "per_day": 30},
"/api/v1/auth/social/disconnect/google/": {"per_minute": 5, "per_hour": 15, "per_day": 20},
"/api/v1/auth/social/disconnect/discord/": {"per_minute": 5, "per_hour": 15, "per_day": 20},
}
def __init__(self, get_response: Callable[[HttpRequest], HttpResponse]):