**feat(security): Add login rate limiter and cleanup API curator handling**

- Introduced `LoginRateLimiter` to manage failed login attempts and block excessive retries from the same IP.
- Replaced `curatorId` in multiple API controllers with a hardcoded `ApiCuratorId` for audit logging, improving consistency and security.
- Enhanced input validation in `AuthController` login form with stricter constraints.
- Integrated `LoginRateLimiter` to throttle login attempts and provide meaningful error messages for blocked requests.

Author: JamesKane

app/controllers/AuthController.scala

@@ -7,7 +7,7 @@ import play.api.data.Form
 import play.api.data.Forms.*
 import play.api.i18n.I18nSupport
 import play.api.mvc.{Action, AnyContent, BaseController, ControllerComponents}
-import services.AuthService
+import services.{AuthService, LoginRateLimiter}
 
 import scala.concurrent.{ExecutionContext, Future}
 
@@ -17,13 +17,14 @@ case class LoginData(handle: String, appPassword: String)
 class AuthController @Inject()(
                                 val controllerComponents: ControllerComponents,
                                 authService: AuthService,
-                                userRoleRepository: repositories.UserRoleRepository // Injected
+                                userRoleRepository: repositories.UserRoleRepository,
+                                rateLimiter: LoginRateLimiter
                               )(implicit ec: ExecutionContext, webJarsUtil: WebJarsUtil) extends BaseController with I18nSupport with Logging {
 
   val loginForm = Form(
     mapping(
-      "handle" -> nonEmptyText,
-      "appPassword" -> nonEmptyText
+      "handle" -> nonEmptyText(maxLength = 255),
+      "appPassword" -> nonEmptyText(maxLength = 255)
     )(LoginData.apply)(data => Some((data.handle, data.appPassword)))
   )
 
@@ -32,31 +33,42 @@ class AuthController @Inject()(
   }
 
   def authenticate: Action[AnyContent] = Action.async { implicit request =>
-    loginForm.bindFromRequest().fold(
-      formWithErrors => Future.successful(BadRequest(views.html.auth.login(formWithErrors))),
-      data => {
-        authService.login(data.handle, data.appPassword).flatMap { // Changed map to flatMap
-          case Some(user) =>
-            // Fetch roles to store in session for UI logic
-            userRoleRepository.getUserRoles(user.id.get).map { roles =>
-              val roleString = roles.mkString(",")
-              val displayName = user.displayName.orElse(user.handle).getOrElse("User")
-              Redirect(routes.HomeController.index())
-                .withSession(
-                  "userId" -> user.id.get.toString,
-                  "userRoles" -> roleString,
-                  "userDisplayName" -> displayName
-                )
-                .flashing("success" -> s"Welcome back, $displayName!")
-            }
-          case None =>
-            Future.successful(
-              Redirect(routes.AuthController.login)
-                .flashing("error" -> "Invalid handle or password.")
-            )
+    val clientIp = request.headers.get("X-Real-IP").getOrElse(request.remoteAddress)
+
+    if (!rateLimiter.isAllowed(clientIp)) {
+      Future.successful(
+        Redirect(routes.AuthController.login)
+          .flashing("error" -> "Too many login attempts. Please try again later.")
+      )
+    } else {
+      loginForm.bindFromRequest().fold(
+        formWithErrors => Future.successful(BadRequest(views.html.auth.login(formWithErrors))),
+        data => {
+          authService.login(data.handle, data.appPassword).flatMap {
+            case Some(user) =>
+              rateLimiter.recordSuccess(clientIp)
+              // Fetch roles to store in session for UI logic
+              userRoleRepository.getUserRoles(user.id.get).map { roles =>
+                val roleString = roles.mkString(",")
+                val displayName = user.displayName.orElse(user.handle).getOrElse("User")
+                Redirect(routes.HomeController.index())
+                  .withSession(
+                    "userId" -> user.id.get.toString,
+                    "userRoles" -> roleString,
+                    "userDisplayName" -> displayName
+                  )
+                  .flashing("success" -> s"Welcome back, $displayName!")
+              }
+            case None =>
+              rateLimiter.recordFailure(clientIp)
+              Future.successful(
+                Redirect(routes.AuthController.login)
+                  .flashing("error" -> "Invalid handle or password.")
+              )
+          }
         }
-      }
-    )
+      )
+    }
   }
 
   def logout: Action[AnyContent] = Action { implicit request =>

app/controllers/DiscoveryApiController.scala

@@ -23,19 +23,16 @@ class DiscoveryApiController @Inject()(
   treeEvolutionService: TreeEvolutionService
 )(implicit ec: ExecutionContext) extends BaseController with Logging {
 
+  // Audit identity for API-key-authenticated actions
+  private val ApiCuratorId = "api-system"
+
   // Request DTOs
-  case class AcceptProposalRequest(curatorId: String, proposedName: String, reason: Option[String] = None)
+  case class AcceptProposalRequest(proposedName: String, reason: Option[String] = None)
   object AcceptProposalRequest { implicit val format: OFormat[AcceptProposalRequest] = Json.format }
 
-  case class RejectProposalRequest(curatorId: String, reason: String)
+  case class RejectProposalRequest(reason: String)
   object RejectProposalRequest { implicit val format: OFormat[RejectProposalRequest] = Json.format }
 
-  case class StartReviewRequest(curatorId: String)
-  object StartReviewRequest { implicit val format: OFormat[StartReviewRequest] = Json.format }
-
-  case class PromoteProposalRequest(curatorId: String)
-  object PromoteProposalRequest { implicit val format: OFormat[PromoteProposalRequest] = Json.format }
-
   /**
    * List proposals with optional filters.
    * GET /api/v1/discovery/proposals?type=Y&status=READY_FOR_REVIEW
@@ -78,9 +75,9 @@ class DiscoveryApiController @Inject()(
    * Start review of a proposal.
    * POST /api/v1/discovery/proposals/:id/start-review
    */
-  def startReview(id: Int): Action[StartReviewRequest] =
-    secureApi.jsonAction[StartReviewRequest].async { request =>
-      discoveryService.startReview(id, request.body.curatorId).map { proposal =>
+  def startReview(id: Int): Action[AnyContent] =
+    secureApi.async { request =>
+      discoveryService.startReview(id, ApiCuratorId).map { proposal =>
         Ok(Json.toJson(proposal))
       }.recover {
         case e: NoSuchElementException =>
@@ -100,7 +97,7 @@ class DiscoveryApiController @Inject()(
   def acceptProposal(id: Int): Action[AcceptProposalRequest] =
     secureApi.jsonAction[AcceptProposalRequest].async { request =>
       val body = request.body
-      discoveryService.acceptProposal(id, body.curatorId, body.proposedName, body.reason).map { proposal =>
+      discoveryService.acceptProposal(id, ApiCuratorId, body.proposedName, body.reason).map { proposal =>
         Ok(Json.toJson(proposal))
       }.recover {
         case e: NoSuchElementException =>
@@ -120,7 +117,7 @@ class DiscoveryApiController @Inject()(
   def rejectProposal(id: Int): Action[RejectProposalRequest] =
     secureApi.jsonAction[RejectProposalRequest].async { request =>
       val body = request.body
-      discoveryService.rejectProposal(id, body.curatorId, body.reason).map { proposal =>
+      discoveryService.rejectProposal(id, ApiCuratorId, body.reason).map { proposal =>
         Ok(Json.toJson(proposal))
       }.recover {
         case e: NoSuchElementException =>
@@ -137,9 +134,9 @@ class DiscoveryApiController @Inject()(
    * Promote an accepted proposal to the canonical haplogroup tree.
    * POST /api/v1/discovery/proposals/:id/promote
    */
-  def promoteProposal(id: Int): Action[PromoteProposalRequest] =
-    secureApi.jsonAction[PromoteProposalRequest].async { request =>
-      treeEvolutionService.promoteProposal(id, request.body.curatorId).map { result =>
+  def promoteProposal(id: Int): Action[AnyContent] =
+    secureApi.async { request =>
+      treeEvolutionService.promoteProposal(id, ApiCuratorId).map { result =>
         Ok(Json.toJson(result))
       }.recover {
         case e: NoSuchElementException =>

app/controllers/InstrumentProposalController.scala

@@ -21,16 +21,18 @@ class InstrumentProposalController @Inject()(
                                             )(implicit ec: ExecutionContext)
   extends BaseController with Logging {
 
+  // Audit identity for API-key-authenticated actions
+  private val ApiCuratorId = "api-system"
+
   case class AcceptProposalRequest(
-                                    curatorId: String,
                                     labName: String,
                                     manufacturer: Option[String] = None,
                                     model: Option[String] = None,
                                     notes: Option[String] = None
                                   )
   object AcceptProposalRequest { implicit val format: OFormat[AcceptProposalRequest] = Json.format }
 
-  case class RejectProposalRequest(curatorId: String, reason: String)
+  case class RejectProposalRequest(reason: String)
   object RejectProposalRequest { implicit val format: OFormat[RejectProposalRequest] = Json.format }
 
   def listProposals(status: Option[String]): Action[AnyContent] = secureApi.async { _ =>
@@ -76,7 +78,7 @@ class InstrumentProposalController @Inject()(
   def acceptProposal(id: Int): Action[AcceptProposalRequest] =
     secureApi.jsonAction[AcceptProposalRequest].async { request =>
       val body = request.body
-      proposalService.acceptProposal(id, body.curatorId, body.labName, body.manufacturer, body.model, body.notes).map {
+      proposalService.acceptProposal(id, ApiCuratorId, body.labName, body.manufacturer, body.model, body.notes).map {
         case Right(proposal) => Ok(Json.toJson(proposal))
         case Left(error) => BadRequest(Json.obj("error" -> error))
       }.recover {
@@ -89,7 +91,7 @@ class InstrumentProposalController @Inject()(
   def rejectProposal(id: Int): Action[RejectProposalRequest] =
     secureApi.jsonAction[RejectProposalRequest].async { request =>
       val body = request.body
-      proposalService.rejectProposal(id, body.curatorId, body.reason).map {
+      proposalService.rejectProposal(id, ApiCuratorId, body.reason).map {
         case Right(proposal) => Ok(Json.toJson(proposal))
         case Left(error) => BadRequest(Json.obj("error" -> error))
       }.recover {

app/controllers/TreeVersioningApiController.scala

@@ -27,36 +27,23 @@ class TreeVersioningApiController @Inject()(
   // Request/Response DTOs
   // ============================================================================
 
-  case class StartReviewRequest(curatorId: String)
-  object StartReviewRequest {
-    implicit val format: OFormat[StartReviewRequest] = Json.format[StartReviewRequest]
-  }
-
-  case class ApplyChangeSetRequest(curatorId: String)
-  object ApplyChangeSetRequest {
-    implicit val format: OFormat[ApplyChangeSetRequest] = Json.format[ApplyChangeSetRequest]
-  }
+  // Audit identity for API-key-authenticated actions
+  private val ApiCuratorId = "api-system"
 
-  case class DiscardChangeSetRequest(curatorId: String, reason: String)
+  case class DiscardChangeSetRequest(reason: String)
   object DiscardChangeSetRequest {
     implicit val format: OFormat[DiscardChangeSetRequest] = Json.format[DiscardChangeSetRequest]
   }
 
   case class ReviewChangeRequest(
-    curatorId: String,
     action: String, // "APPLIED", "SKIPPED", "REVERTED"
     notes: Option[String] = None
   )
   object ReviewChangeRequest {
     implicit val format: OFormat[ReviewChangeRequest] = Json.format[ReviewChangeRequest]
   }
 
-  case class ApproveAllRequest(curatorId: String)
-  object ApproveAllRequest {
-    implicit val format: OFormat[ApproveAllRequest] = Json.format[ApproveAllRequest]
-  }
-
-  case class AddCommentRequest(author: String, content: String, treeChangeId: Option[Int] = None)
+  case class AddCommentRequest(content: String, treeChangeId: Option[Int] = None)
   object AddCommentRequest {
     implicit val format: OFormat[AddCommentRequest] = Json.format[AddCommentRequest]
   }
@@ -112,9 +99,9 @@ class TreeVersioningApiController @Inject()(
    * Start review of a change set.
    * POST /api/v1/manage/change-sets/:id/start-review
    */
-  def startReview(id: Int): Action[StartReviewRequest] =
-    secureApi.jsonAction[StartReviewRequest].async { request =>
-      treeVersioningService.startReview(id, request.body.curatorId).map { success =>
+  def startReview(id: Int): Action[AnyContent] =
+    secureApi.async { request =>
+      treeVersioningService.startReview(id, ApiCuratorId).map { success =>
         if (success) {
           Ok(Json.obj("success" -> true, "message" -> s"Review started for change set $id"))
         } else {
@@ -135,9 +122,9 @@ class TreeVersioningApiController @Inject()(
    * Apply a change set to Production.
    * POST /api/v1/manage/change-sets/:id/apply
    */
-  def applyChangeSet(id: Int): Action[ApplyChangeSetRequest] =
-    secureApi.jsonAction[ApplyChangeSetRequest].async { request =>
-      treeVersioningService.applyChangeSet(id, request.body.curatorId).map { success =>
+  def applyChangeSet(id: Int): Action[AnyContent] =
+    secureApi.async { request =>
+      treeVersioningService.applyChangeSet(id, ApiCuratorId).map { success =>
         if (success) {
           Ok(Json.obj("success" -> true, "message" -> s"Change set $id applied to Production"))
         } else {
@@ -161,7 +148,7 @@ class TreeVersioningApiController @Inject()(
   def discardChangeSet(id: Int): Action[DiscardChangeSetRequest] =
     secureApi.jsonAction[DiscardChangeSetRequest].async { request =>
       val req = request.body
-      treeVersioningService.discardChangeSet(id, req.curatorId, req.reason).map { success =>
+      treeVersioningService.discardChangeSet(id, ApiCuratorId, req.reason).map { success =>
         if (success) {
           Ok(Json.obj("success" -> true, "message" -> s"Change set $id discarded"))
         } else {
@@ -211,7 +198,7 @@ class TreeVersioningApiController @Inject()(
         case None =>
           Future.successful(BadRequest(Json.obj("error" -> s"Invalid action: ${req.action}")))
         case Some(action) =>
-          treeVersioningService.reviewChange(changeId, req.curatorId, action, req.notes).map { success =>
+          treeVersioningService.reviewChange(changeId, ApiCuratorId, action, req.notes).map { success =>
             if (success) {
               Ok(Json.obj("success" -> true, "message" -> s"Change $changeId reviewed as ${req.action}"))
             } else {
@@ -231,9 +218,9 @@ class TreeVersioningApiController @Inject()(
    * Approve all pending changes in a change set.
    * POST /api/v1/manage/change-sets/:id/approve-all
    */
-  def approveAllPending(id: Int): Action[ApproveAllRequest] =
-    secureApi.jsonAction[ApproveAllRequest].async { request =>
-      treeVersioningService.approveAllPending(id, request.body.curatorId).map { count =>
+  def approveAllPending(id: Int): Action[AnyContent] =
+    secureApi.async { request =>
+      treeVersioningService.approveAllPending(id, ApiCuratorId).map { count =>
         Ok(Json.obj("success" -> true, "approvedCount" -> count))
       }.recover {
         case e: Exception =>
@@ -253,7 +240,7 @@ class TreeVersioningApiController @Inject()(
   def addComment(id: Int): Action[AddCommentRequest] =
     secureApi.jsonAction[AddCommentRequest].async { request =>
       val req = request.body
-      treeVersioningService.addComment(id, req.author, req.content, req.treeChangeId).map { commentId =>
+      treeVersioningService.addComment(id, ApiCuratorId, req.content, req.treeChangeId).map { commentId =>
         Created(Json.obj("success" -> true, "commentId" -> commentId))
       }.recover {
         case e: Exception =>

app/services/LoginRateLimiter.scala

@@ -0,0 +1,45 @@
+package services
+
+import java.time.Instant
+import java.util.concurrent.ConcurrentHashMap
+import javax.inject.Singleton
+
+/**
+ * Simple in-memory rate limiter for login attempts.
+ * Tracks failed attempts per IP and blocks after threshold.
+ */
+@Singleton
+class LoginRateLimiter {
+
+  private val MaxAttempts = 10
+  private val WindowSeconds = 900L // 15 minutes
+  private val attempts = new ConcurrentHashMap[String, (Int, Instant)]()
+
+  /** Returns true if the IP is allowed to attempt login. */
+  def isAllowed(ip: String): Boolean = {
+    pruneExpired()
+    val entry = attempts.get(ip)
+    entry == null || entry._1 < MaxAttempts
+  }
+
+  /** Record a failed login attempt for the given IP. */
+  def recordFailure(ip: String): Unit = {
+    attempts.compute(ip, (_, existing) => {
+      if (existing == null || existing._2.plusSeconds(WindowSeconds).isBefore(Instant.now())) {
+        (1, Instant.now())
+      } else {
+        (existing._1 + 1, existing._2)
+      }
+    })
+  }
+
+  /** Clear attempts for an IP on successful login. */
+  def recordSuccess(ip: String): Unit = {
+    attempts.remove(ip)
+  }
+
+  private def pruneExpired(): Unit = {
+    val cutoff = Instant.now().minusSeconds(WindowSeconds)
+    attempts.entrySet().removeIf(e => e.getValue._2.isBefore(cutoff))
+  }
+}