feat: add SQLite storage for login attempts and sessions

Adds persistent storage using modernc.org/sqlite (pure Go). Login attempts are deduplicated by (username, password, ip) with counts. Sessions and session logs are tracked with UUID IDs. Includes embedded SQL migrations, configurable retention with background pruning, and an in-memory store for tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-14 17:33:45 +01:00
parent 75bac814d4
commit d655968216
21 changed files with 1131 additions and 10 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -9,12 +9,22 @@ import (
 )

 type Config struct {
-	SSH      SSHConfig  `toml:"ssh"`
-	Auth     AuthConfig `toml:"auth"`
+	SSH      SSHConfig      `toml:"ssh"`
+	Auth     AuthConfig     `toml:"auth"`
+	Storage  StorageConfig  `toml:"storage"`
 	LogLevel  string `toml:"log_level"`
 	LogFormat string `toml:"log_format"` // "text" (default) or "json"
 }

+type StorageConfig struct {
+	DBPath            string `toml:"db_path"`
+	RetentionDays     int    `toml:"retention_days"`
+	RetentionInterval string `toml:"retention_interval"`
+
+	// Parsed duration, not from TOML directly.
+	RetentionIntervalDuration time.Duration `toml:"-"`
+}
+
 type SSHConfig struct {
 	ListenAddr     string `toml:"listen_addr"`
 	HostKeyPath    string `toml:"host_key_path"`
@@ -77,6 +87,15 @@ func applyDefaults(cfg *Config) {
 	if cfg.LogFormat == "" {
 		cfg.LogFormat = "text"
 	}
+	if cfg.Storage.DBPath == "" {
+		cfg.Storage.DBPath = "oubliette.db"
+	}
+	if cfg.Storage.RetentionDays == 0 {
+		cfg.Storage.RetentionDays = 90
+	}
+	if cfg.Storage.RetentionInterval == "" {
+		cfg.Storage.RetentionInterval = "1h"
+	}
 }

 func validate(cfg *Config) error {
@@ -93,6 +112,19 @@ func validate(cfg *Config) error {
 		return fmt.Errorf("accept_after must be at least 1, got %d", cfg.Auth.AcceptAfter)
 	}

+	ri, err := time.ParseDuration(cfg.Storage.RetentionInterval)
+	if err != nil {
+		return fmt.Errorf("invalid retention_interval %q: %w", cfg.Storage.RetentionInterval, err)
+	}
+	if ri <= 0 {
+		return fmt.Errorf("retention_interval must be positive, got %s", ri)
+	}
+	cfg.Storage.RetentionIntervalDuration = ri
+
+	if cfg.Storage.RetentionDays < 1 {
+		return fmt.Errorf("retention_days must be at least 1, got %d", cfg.Storage.RetentionDays)
+	}
+
 	for i, cred := range cfg.Auth.StaticCredentials {
 		if cred.Username == "" {
 			return fmt.Errorf("static_credentials[%d]: username must not be empty", i)