feat(auth): add INVALID_CREDENTIALS + SESSION_EXPIRED error codes; LOGIN_SUCCESS/FAILED/LOGOUT audit kinds

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-17 19:19:01 +02:00
parent 8c7a2741b0
commit 393a3c25fd
2 changed files with 14 additions and 1 deletions
--- a/backend/src/main/java/org/raddatz/familienarchiv/audit/AuditKind.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/audit/AuditKind.java
@@ -35,7 +35,16 @@ public enum AuditKind {
    USER_DELETED,

    /** Payload: {@code {"userId": "uuid", "email": "addr", "addedGroups": ["Admin"], "removedGroups": []}} */
-    GROUP_MEMBERSHIP_CHANGED;
+    GROUP_MEMBERSHIP_CHANGED,
+
+    /** Payload: {@code {"userId": "uuid", "ip": "1.2.3.4", "ua": "Mozilla/5.0..."}} */
+    LOGIN_SUCCESS,
+
+    /** Payload: {@code {"email": "addr", "ip": "1.2.3.4", "ua": "Mozilla/5.0..."}} — password NEVER included */
+    LOGIN_FAILED,
+
+    /** Payload: {@code {"userId": "uuid", "ip": "1.2.3.4", "ua": "Mozilla/5.0..."}} */
+    LOGOUT;

    public static final Set<AuditKind> ROLLUP_ELIGIBLE = Set.of(
            TEXT_SAVED, FILE_UPLOADED, ANNOTATION_CREATED,
--- a/backend/src/main/java/org/raddatz/familienarchiv/exception/ErrorCode.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/exception/ErrorCode.java
@@ -62,6 +62,10 @@ public enum ErrorCode {
    UNAUTHORIZED,
    /** The authenticated user lacks the required permission. 403 */
    FORBIDDEN,
+    /** The supplied email/password combination does not match any active account. 401 */
+    INVALID_CREDENTIALS,
+    /** The session has expired or been invalidated. 401 */
+    SESSION_EXPIRED,
    /** The password-reset token is missing, expired, or already used. 400 */
    INVALID_RESET_TOKEN,