From 72075b7b71eb7e681163bccf06daf7b5580242ba Mon Sep 17 00:00:00 2001
From: Kyle Pope
Date: Wed, 25 Feb 2026 20:15:21 +0800
Subject: [PATCH] Address QA review warnings for pentest remediation

- Clear IP failure counter on successful /change-password (W-01)
- Add nginx rate limiting for /api/auth/totp-verify (W-02)

Co-Authored-By: Claude Opus 4.6
---
 backend/app/routers/auth.py | 1 +
 frontend/nginx.conf | 12 ++++++++++++
 2 files changed, 13 insertions(+)

diff --git a/backend/app/routers/auth.py b/backend/app/routers/auth.py
index db3092a..531d8ce 100644
--- a/backend/app/routers/auth.py
+++ b/backend/app/routers/auth.py
@@ -424,6 +424,7 @@ async def change_password(
 await _record_failed_login(db, current_user)
 raise HTTPException(status_code=401, detail="Invalid current password")

+ _failed_attempts.pop(client_ip, None)
 current_user.password_hash = hash_password(data.new_password)
 await db.commit()

diff --git a/frontend/nginx.conf b/frontend/nginx.conf
index a7d1a28..9fe9c9e 100644
--- a/frontend/nginx.conf
+++ b/frontend/nginx.conf
@@ -46,6 +46,18 @@ server {
 proxy_set_header X-Forwarded-Proto $scheme;
 }

+ location /api/auth/totp-verify {
+ limit_req zone=auth_limit burst=5 nodelay;
+ limit_req_status 429;
+ proxy_pass http://backend:8000;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ }
+
 location /api/auth/change-password {
 limit_req zone=auth_limit burst=5 nodelay;
 limit_req_status 429;
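Review bot: The added `_failed_attempts.pop(client_ip, None)` clears a counter keyed only by client IP, so if this is the same dict that `/login` increments (not visible in the hunk), a client holding one valid credential can reset the IP-wide failure count at will by succeeding on its own account, weakening the throttle for guesses against other accounts sharing that address; scoping the key, e.g. `_failed_attempts.pop((client_ip, current_user.id), None)` with the matching key on the increment side, or clearing only the entries this endpoint recorded, avoids that. How `client_ip` is derived is also outside the hunk: the nginx config in this same patch sets `X-Real-IP $remote_addr` but only appends to `X-Forwarded-For` via `$proxy_add_x_forwarded_for`, so if the backend reads the first XFF entry the counter is reset or bypassed by a client-supplied header. The failure path records a per-user failure via `_record_failed_login(db, current_user)` that this success path does not reset, which may be intended but is worth stating in a comment above the pop, e.g. `# W-01: reset the per-IP throttle only; per-user lockout state is left to _record_failed_login`. The body of `change_password` begins before this hunk.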
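Review bot: The new `location /api/auth/totp-verify` block relies on `limit_req zone=auth_limit burst=5 nodelay;` alone, and a per-key nginx limit does not bound guesses against a 6-digit TOTP from a pool of addresses or from clients sharing one egress IP, so the backend still needs a per-user or per-session failure counter for this endpoint; nothing in this patch shows one. The `auth_limit` zone is defined outside the hunk — confirm its key resolves to the real client address when nginx sits behind another proxy, since `$binary_remote_addr` would otherwise collapse all clients into one bucket and either throttle everyone or no one. The `proxy_*` lines are a verbatim copy of the `/api/auth/change-password` block below; a shared `location ~ ^/api/auth/(totp-verify|change-password)$ {` or an `include` snippet for the common headers would keep the two from drifting.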