- REST login: change locked account response from HTTP 429 "account_locked" to HTTP 401 "invalid credentials"
- gRPC login: change from ResourceExhausted to Unauthenticated with "invalid credentials" message
- UI login: change from "account temporarily locked" to "invalid credentials"
- REST password-change endpoint: same normalization
- Audit logs still record "account_locked" internally
- Added tests in all three layers verifying locked-account responses are indistinguishable from wrong-password responses

Security: lockout responses now return identical status codes and messages as wrong-password failures across REST, gRPC, and UI, preventing user-enumeration via lockout differentiation. Internal audit logging of lockout events is preserved for operational use.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
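The normalization described in the commit, modelled for the REST login path as an added example (not the project's own code): the pre-fix handler distinguishes a locked account by status code and body, the post-fix handler returns one generic failure and keeps the real reason in the audit log. The names User, UserStore, login_before, login_after and make_store, and the sample users, are assumptions for this illustration.

```python
"""Added example, not the project's own code: the lockout-response
normalization from the commit, modelled for the REST login path.  Helper
names and sample users are assumptions made for this illustration."""
import hmac
from dataclasses import dataclass, field

@dataclass
class User:
    password: str
    locked: bool = False

@dataclass
class UserStore:
    users: dict
    audit: list = field(default_factory=list)  # internal audit trail only

def _password_ok(user: User, password: str) -> bool:
    # Constant-time compare; a real service would verify a password hash.
    return hmac.compare_digest(user.password, password)

def login_before(store: UserStore, username: str, password: str):
    """Pre-fix behaviour: a locked account answers HTTP 429 "account_locked",
    so a caller can tell locked accounts (which exist) from unknown ones."""
    user = store.users.get(username)
    if user is not None and user.locked:
        return 429, {"error": "account_locked"}
    if user is None or not _password_ok(user, password):
        return 401, {"error": "invalid credentials"}
    return 200, {"ok": True}

def login_after(store: UserStore, username: str, password: str):
    """Post-fix behaviour: unknown user, wrong password and locked account
    all return the same status and body; the real reason is audit-logged."""
    failure = (401, {"error": "invalid credentials"})
    user = store.users.get(username)
    if user is None:
        store.audit.append((username, "unknown_user"))
        return failure
    if user.locked:
        store.audit.append((username, "account_locked"))
        return failure
    if not _password_ok(user, password):
        store.audit.append((username, "wrong_password"))
        return failure
    return 200, {"ok": True}

def make_store() -> UserStore:
    """Constructed sample data: 'alice' is locked, 'bob' is not."""
    return UserStore({"alice": User("s3cret", locked=True), "bob": User("hunter2")})
```

The same equality check on status code and body is what the commit's tests assert across the REST, gRPC and UI layers; the audit list shows the operational detail is not lost.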