feat: Login anomaly detection & suspicious activity alerts (#124) #645

Open
DrGalio wants to merge 1 commit into rohitdash08:main from DrGalio:feature/login-anomaly-detection
Conversation

@DrGalio DrGalio commented Mar 24, 2026

Fixes #124 — Login anomaly detection & suspicious activity alerts

Bounty: $50

What's Implemented

Backend (Python/Flask)

  • LoginAttempt model — tracks every login with IP, user agent, success/failure, timestamp
  • LoginAlert model — stores generated security alerts with severity and metadata
  • Anomaly detection service with 4 detection algorithms:
    • Brute force — alerts when 5+ failed attempts in 15 min window (Redis-backed for speed)
    • New IP — alerts on login from previously unseen IP address (30-day lookback)
    • New device — alerts on login from new device/user agent fingerprint (90-day lookback)
    • Credential stuffing — alerts on successful login after multiple failures
  • Modified /auth/login to record attempts, run anomaly checks, and return security alerts in response
  • New /alerts/ API: list (with unread filter), mark read, unread count
  • Schema migrations with proper indexes for production use

Frontend (React/TypeScript)

  • SecurityAlerts component with severity badges, filter tabs, mark-read actions
  • alerts.ts API module following existing patterns

Tests — 17 passing

  • Login attempt recording (3 tests)
  • Brute force detection (2 tests)
  • New IP detection (3 tests)
  • New device detection (1 test)
  • Credential stuffing detection (1 test)
  • Combined detection (1 test)
  • Alert management (2 tests)
  • Auth endpoint integration (4 tests)

Files Changed

  • packages/backend/app/models.py — Added LoginAttempt + LoginAlert models
  • packages/backend/app/services/login_anomaly.py — Anomaly detection service (new)
  • packages/backend/app/routes/auth.py — Integrated login tracking into auth flow
  • packages/backend/app/routes/alerts.py — Alert management endpoints (new)
  • packages/backend/app/routes/__init__.py — Registered alerts blueprint
  • packages/backend/app/db/schema.sql — Added tables + indexes
  • packages/backend/app/__init__.py — Schema compatibility patches
  • packages/backend/tests/test_login_anomaly.py — 17 comprehensive tests (new)
  • app/src/api/alerts.ts — Frontend API module (new)
  • app/src/components/SecurityAlerts.tsx — Security alerts UI component (new)

How It Works

  1. Every login attempt is recorded with IP, user agent, success/failure
  2. On successful login, anomaly checks run automatically
  3. If anomalies detected, alerts are created AND returned in the login response
  4. Users can view alerts via the /alerts/ API or the SecurityAlerts component
  5. Brute force detection uses Redis counters for sub-millisecond lookups

Implements issue rohitdash08#124 - Login anomaly detection & suspicious activity alerts

## Changes

### Backend
- Added model to track all login attempts (IP, user agent, timestamp, success/failure)
- Added model for storing generated anomaly alerts
- Created service with detection for:
  - **Brute force**: Rapid failed login attempts (5+ in 15 min window)
  - **New IP**: Login from previously unseen IP address
  - **New device**: Login from new user agent/device fingerprint
  - **Credential stuffing**: Successful login after multiple failures
- Modified auth endpoint to record attempts and return security alerts in response
- Added endpoints: list alerts, mark read, unread count
- Added schema migrations for new tables with proper indexes
- Added Redis-backed brute force detection for performance

### Frontend
- Added API module for alert endpoints
- Added component with:
  - Alert list with severity badges (high/medium/low)
  - Filter by all/unread
  - Mark individual or all as read
  - Relative time display
  - Alert type icons

### Tests
- 17 new tests covering:
  - Login attempt recording
  - Brute force detection (below/at threshold)
  - New IP detection (first login, new IP, same IP)
  - New device detection
  - Credential stuffing pattern
  - Combined anomaly detection
  - Alert CRUD operations
  - Auth endpoint integration
  - Alerts endpoint auth requirements
- All 17 tests passing

### Acceptance Criteria Met
- [x] Production-ready implementation
- [x] Includes tests (17 passing)
- [x] Database schema with migrations
@DrGalio DrGalio requested a review from rohitdash08 as a code owner March 24, 2026 23:02
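The four detection rules the PR describes (brute force at 5+ failures in a 15-minute window, new IP with a 30-day lookback, new device with a 90-day lookback, and credential stuffing as a success after multiple failures), worked through as an added Python example. This is not the PR's code from packages/backend/app/services/login_anomaly.py; the class and method names are hypothetical, an in-memory list stands in for the database table and the Redis counters, and the following are assumptions the PR text does not settle: the severity mapping, a threshold of 3 failures for "multiple failures", a user's first-ever login only establishing the baseline rather than alerting, and the brute-force counter being evaluated on failed attempts as well as successful ones.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds and lookbacks as stated in the PR description.
BRUTE_FORCE_THRESHOLD = 5
BRUTE_FORCE_WINDOW = timedelta(minutes=15)
NEW_IP_LOOKBACK = timedelta(days=30)
NEW_DEVICE_LOOKBACK = timedelta(days=90)
# Assumption: "multiple failures" before a success means at least this many.
STUFFING_FAILURES = 3


@dataclass(frozen=True)
class LoginAttempt:
    """One recorded attempt, with the fields the PR lists for its LoginAttempt model."""
    user_id: str
    ip: str
    user_agent: str
    success: bool
    timestamp: datetime


@dataclass(frozen=True)
class LoginAlert:
    alert_type: str   # brute_force | new_ip | new_device | credential_stuffing
    severity: str     # high | medium | low (the mapping used below is an assumption)
    message: str


class LoginAnomalyDetector:
    """Hypothetical in-memory stand-in for the PR's database table and Redis counters."""

    def __init__(self) -> None:
        self._attempts: list[LoginAttempt] = []

    def record_attempt(self, attempt: LoginAttempt) -> None:
        self._attempts.append(attempt)

    def _recent_failures(self, current: LoginAttempt) -> int:
        """Failed attempts for this user in the sliding window ending at `current`.
        A Redis counter with a 15-minute expiry is what replaces this scan at scale."""
        start = current.timestamp - BRUTE_FORCE_WINDOW
        return sum(1 for a in self._attempts
                   if a.user_id == current.user_id and not a.success
                   and start <= a.timestamp <= current.timestamp)

    def _known(self, current: LoginAttempt, lookback: timedelta, key) -> tuple[bool, set]:
        """Return (user has any prior successful login, set of `key` values over the
        prior successes inside `lookback`). The current attempt is excluded by identity
        so a fresh IP or device cannot vouch for itself."""
        prior = [a for a in self._attempts
                 if a.user_id == current.user_id and a.success and a is not current]
        start = current.timestamp - lookback
        return bool(prior), {key(a) for a in prior if start <= a.timestamp <= current.timestamp}

    def check_brute_force(self, current: LoginAttempt):
        n = self._recent_failures(current)
        if n >= BRUTE_FORCE_THRESHOLD:
            return LoginAlert("brute_force", "high", f"{n} failed logins within {BRUTE_FORCE_WINDOW}")
        return None

    def check_new_ip(self, current: LoginAttempt):
        seen_before, known_ips = self._known(current, NEW_IP_LOOKBACK, lambda a: a.ip)
        # Assumption: the very first login only establishes the baseline, no alert.
        if seen_before and current.ip not in known_ips:
            return LoginAlert("new_ip", "medium",
                              f"login from {current.ip}, not seen in {NEW_IP_LOOKBACK.days} days")
        return None

    def check_new_device(self, current: LoginAttempt):
        seen_before, known_uas = self._known(current, NEW_DEVICE_LOOKBACK, lambda a: a.user_agent)
        if seen_before and current.user_agent not in known_uas:
            return LoginAlert("new_device", "low", f"login from unseen device {current.user_agent!r}")
        return None

    def check_credential_stuffing(self, current: LoginAttempt):
        n = self._recent_failures(current)
        if current.success and n >= STUFFING_FAILURES:
            return LoginAlert("credential_stuffing", "high", f"success after {n} recent failures")
        return None

    def evaluate_login(self, attempt: LoginAttempt) -> list[LoginAlert]:
        """Record the attempt, then run the checks and return any alerts; the PR's
        /auth/login route would persist these and include them in its response."""
        self.record_attempt(attempt)
        checks = [self.check_brute_force]  # assumption: evaluated on failures as well
        if attempt.success:
            checks += [self.check_new_ip, self.check_new_device, self.check_credential_stuffing]
        return [alert for alert in (check(attempt) for check in checks) if alert is not None]


if __name__ == "__main__":
    # Constructed scenario: a known user, five failures from a new address, then a success.
    t0 = datetime(2026, 3, 24, 12, 0, 0)
    detector = LoginAnomalyDetector()
    detector.evaluate_login(LoginAttempt("alice", "203.0.113.10", "Firefox/128", True, t0))
    for i in range(1, 6):
        detector.evaluate_login(LoginAttempt("alice", "198.51.100.7", "curl/8", False, t0 + timedelta(minutes=i)))
    for alert in detector.evaluate_login(LoginAttempt("alice", "198.51.100.7", "curl/8", True, t0 + timedelta(minutes=6))):
        print(alert.severity, alert.alert_type, alert.message)
```

Two points worth noting when reviewing the PR's own service against this: the baseline for "known IP" and "known device" must be built from successful logins only and must exclude the attempt being evaluated, otherwise the attacker's own successful login marks its IP and user agent as known; and the first-login rule means a user returning after the 30-day lookback has expired is still flagged for a new IP, which is the intended behaviour of a lookback rather than a gap.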