
Bug: MFA challenge path writes no audit log entry #2242

@mrveiss

Description


Problem

In autobot-slm-backend/api/auth.py, when a user has MFA enabled and provides correct credentials, the login endpoint returns an MFA challenge without writing any audit log entry (lines 104-105):

if user.mfa_enabled:
    return _create_mfa_challenge(user)

This means successful credential verification followed by MFA challenge is invisible in audit logs. A brute-force attacker who guesses the password of an MFA-enabled account would generate no audit trail until they fail MFA verification.

This was pre-existing in the deleted slm_auth.py and carried over to the consolidated endpoint in #1922.

Location

  • autobot-slm-backend/api/auth.py, lines 104-105

Proposed Fix

Add an audit log entry before returning the MFA challenge:

if user.mfa_enabled:
    await create_audit_log(
        audit_db,
        category="authentication",
        action="mfa_challenge_issued",
        user_id=str(user.id),
        username=user.username,
        ip_address=client_ip,
        resource_type="session",
        description=f"MFA challenge issued for '{user.username}'",
        request_method="POST",
        request_path="/api/auth/login",
        response_status=200,
        success=True,
    )
    await audit_db.commit()
    return _create_mfa_challenge(user)

Impact

Medium — security audit gap. Credential brute-force against MFA-enabled accounts is undetectable in audit logs.

Discovered During

Code review of PR #2223 (#1922)
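As an added illustration (not code from the autobot-slm-backend project), the following stand-alone Python models the gap the issue describes and the effect of the proposed fix. The User, AuditLog, login_vulnerable, login_fixed and password_compromise_candidates names, the toy SHA-256 password check and the scenario of three wrong guesses followed by the right password are all constructed for this example; only the control flow around mfa_enabled and the "mfa_challenge_issued" action mirror the issue text.

```python
"""Added example for issue #2242: the MFA challenge path as an audit blind spot.

Everything here is constructed for illustration; none of it is the project's own
code. The point is the defender's view: with the fix, a correct password guess on
an MFA-enabled account leaves an audit entry even though the login never completes.
"""
import asyncio
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    username: str
    password_hash: str  # toy: hex SHA-256 of the password (not a production password hash)
    mfa_enabled: bool


@dataclass
class AuditLog:
    """In-memory stand-in for the audit_db session used in the issue."""
    entries: list = field(default_factory=list)

    async def create(self, **fields):
        self.entries.append(fields)

    async def commit(self):
        pass  # nothing to flush for an in-memory list


def verify_password(user: User, password: str) -> bool:
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(digest, user.password_hash)


async def _create_mfa_challenge(user: User) -> dict:
    return {"status": "mfa_required", "user_id": str(user.id)}


async def _audit(audit: AuditLog, action: str, user: User, client_ip: str, success: bool):
    await audit.create(
        category="authentication",
        action=action,
        user_id=str(user.id),
        username=user.username,
        ip_address=client_ip,
        success=success,
    )
    await audit.commit()


async def login_vulnerable(user: User, password: str, client_ip: str, audit: AuditLog) -> dict:
    """Before the fix: a correct password on an MFA-enabled account returns silently."""
    if not verify_password(user, password):
        await _audit(audit, "login_failed", user, client_ip, False)
        return {"status": "invalid_credentials"}
    if user.mfa_enabled:
        return await _create_mfa_challenge(user)  # no audit entry written: the gap
    await _audit(audit, "login_success", user, client_ip, True)
    return {"status": "ok"}


async def login_fixed(user: User, password: str, client_ip: str, audit: AuditLog) -> dict:
    """After the fix: the challenge itself is recorded before it is returned."""
    if not verify_password(user, password):
        await _audit(audit, "login_failed", user, client_ip, False)
        return {"status": "invalid_credentials"}
    if user.mfa_enabled:
        await _audit(audit, "mfa_challenge_issued", user, client_ip, True)
        return await _create_mfa_challenge(user)
    await _audit(audit, "login_success", user, client_ip, True)
    return {"status": "ok"}


def run_scenario(login_fn) -> list:
    """Constructed scenario: three wrong guesses, then the right password, one source IP.
    Returns the sequence of audit actions the chosen login function produced."""
    user = User(1, "alice", hashlib.sha256(b"correct-horse").hexdigest(), mfa_enabled=True)
    audit = AuditLog()

    async def drive():
        for guess in ["password1", "letmein", "alice123", "correct-horse"]:
            await login_fn(user, guess, "203.0.113.7", audit)

    asyncio.run(drive())
    return [e["action"] for e in audit.entries]


def password_compromise_candidates(entries: list) -> set:
    """Defender view: usernames whose password check passed but still needed MFA.
    Each such entry deserves attention, since the password is known at that IP."""
    return {e["username"] for e in entries if e["action"] == "mfa_challenge_issued"}


if __name__ == "__main__":
    print("vulnerable:", run_scenario(login_vulnerable))
    print("fixed:     ", run_scenario(login_fixed))
```

Running it shows the vulnerable path recording only the three failures, so the log looks like an unsuccessful attempt, while the fixed path ends with "mfa_challenge_issued" for alice; that last entry is the one a detection rule can key on to flag a compromised password before any MFA outcome is known.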
