Merge HRT-62: IP-based rate limiting on /auth/login — validated CTO

- In-memory IP rate limiter: 5 attempts / 5min window
- 15 min block on exceed, HTTP 429 + Retry-After header
- Applied rate_limit_middleware on portal_server.py
- Tests: TestLoginRateLimit added (conflict resolved: keep both test classes)

Co-Authored-By: Paperclip <noreply@paperclip.ing>

tests/security/test_security.py

@@ -141,7 +141,7 @@ class TestJWTAuthentication:
             "invalid_signature_here"
         )
         resp = requests.get(
-            f"{BASE_URL}/api/races",
+            f"{BASE_URL}/api/v1/predictions/today",
             headers={"Authorization": f"Bearer {expired_token}"},
             timeout=5,
         )
@@ -153,7 +153,7 @@ class TestJWTAuthentication:
         """Un token JWT malformé doit être rejeté."""
         for bad_token in ["not.a.jwt", "Bearer", "null", "undefined", ""]:
             resp = requests.get(
-                f"{BASE_URL}/api/races",
+                f"{BASE_URL}/api/v1/predictions/today",
                 headers={"Authorization": f"Bearer {bad_token}"},
                 timeout=5,
             )
@@ -163,7 +163,7 @@ class TestJWTAuthentication:
 
     def test_jwt_sans_token(self):
         """Sans token, les routes protégées doivent retourner 401."""
-        resp = requests.get(f"{BASE_URL}/api/export/csv", timeout=5)
+        resp = requests.get(f"{BASE_URL}/api/v1/export/csv", timeout=5)
         assert resp.status_code in (401, 403), (
             f"Route protégée accessible sans token: status={resp.status_code}"
         )
@@ -386,6 +386,53 @@ class TestWeakPasswordRejection:
         assert resp.status_code == 400, (
             f"Mot de passe sans lettre accepté: status={resp.status_code}"
         )
+# === Tests rate limiting login ===
+
+
+class TestLoginRateLimit:
+    """Tests rate limiting sur /api/v1/auth/login."""
+
+    TARGET_URL = (
+        os.environ.get("APP_URL", "http://localhost:8792") + "/api/v1/auth/login"
+    )
+
+    def test_login_brute_force_blocked_after_5_attempts(self):
+        """Après 5 tentatives, le 6ème appel doit retourner 429."""
+        # Utiliser un email unique pour isoler le test
+        email = f"ratelimit_test_{int(time.time())}@h3r7.tech"
+        for i in range(5):
+            resp = requests.post(
+                self.TARGET_URL,
+                json={"email": email, "password": "wrong_password"},
+                timeout=5,
+            )
+            assert resp.status_code in (400, 401), (
+                f"Tentative {i + 1}: status inattendu {resp.status_code}"
+            )
+        # La 6ème tentative doit être bloquée
+        resp = requests.post(
+            self.TARGET_URL,
+            json={"email": email, "password": "wrong_password"},
+            timeout=5,
+        )
+        assert resp.status_code == 429, (
+            f"Rate limit non appliqué après 5 tentatives: got {resp.status_code}"
+        )
+        assert "Retry-After" in resp.headers, "Header Retry-After manquant sur 429"
+
+    def test_login_429_has_retry_after_header(self):
+        """La réponse 429 doit inclure Retry-After."""
+        email = f"ratelimit_test2_{int(time.time())}@h3r7.tech"
+        for _ in range(6):
+            requests.post(
+                self.TARGET_URL, json={"email": email, "password": "x"}, timeout=5
+            )
+        resp = requests.post(
+            self.TARGET_URL, json={"email": email, "password": "x"}, timeout=5
+        )
+        if resp.status_code == 429:
+            assert "Retry-After" in resp.headers
+            assert int(resp.headers["Retry-After"]) > 0
 
 
 if __name__ == "__main__":