Security-Hardening Runde 10: Security-Monitoring + Alerting

Defense-in-Depth für alles, was in den ersten 9 Runden nicht durch Code
verhindert wurde: zumindest gesehen + alarmiert werden.

📊 SecurityEvent-Tabelle (Prisma)
- Type/Severity/IP/User/Endpoint + Indexen für Filter+Threshold-Detection
- Trennt sich vom AuditLog: AuditLog ist forensisch + hash-gekettet,
  SecurityEvent ist optimiert für Realtime-Alerting + Aggregation.

🪝 Hooks an kritischen Stellen
- Login (Success/Failed) – auth.controller
- Logout, Password-Reset (Request + Confirm) – auth.controller
- Rate-Limit-Hit – middleware/rateLimit
- IDOR-403 – utils/accessControl (canAccessCustomer / canAccessContract)
- SSRF-Block – emailProvider.controller (test-connection + test-mail-access)
- JWT-Reject (alg=none, expired, manipuliert) – middleware/auth

🚨 Threshold-Detection + Alerting (securityAlert.service.ts)
- Cron jede Minute: prüft Brute-Force-Patterns je IP
  - 10× LOGIN_FAILED in 60 min  → CRITICAL Brute-Force-Verdacht
  -  5× ACCESS_DENIED in 5 min  → CRITICAL IDOR-Probing-Verdacht
  -  3× SSRF_BLOCKED in 60 min  → CRITICAL SSRF-Probing
  -  3× TOKEN_REJECTED HIGH in 5 min → CRITICAL JWT-Manipulation
- CRITICAL-Events: Sofort-Alert per E-Mail (debounced)
- Cron stündlich: Digest mit HIGH+MEDIUM-Events (wenn aktiviert)
- Sofort-Alert + Digest laufen über System-E-Mail-Provider
  (gleicher Pfad wie Geburtstagsgrüße, Passwort-Reset)

🖥 Frontend: Settings → "Sicherheits-Monitoring"
- Alert-E-Mail-Adresse + Digest-Toggle
- Test-Alert-Button + Digest-jetzt-Button
- Stats-Cards pro Severity (CRITICAL/HIGH/MEDIUM/LOW/INFO)
- Filter (Type/Severity/Search/IP) + Pagination
- Auto-Refresh alle 30 s
- Verlinkt aus Settings-Übersicht (settings:read Permission)

🧪 Live-verifiziert
- Login-Fehlversuch → LOGIN_FAILED Event
- Portal probt 4× fremde Customer-IDs → 4× ACCESS_DENIED
- SSRF-Probe (169.254.169.254) → SSRF_BLOCKED Event
- 12× LOGIN_FAILED simuliert → Cron erzeugt CRITICAL nach ≤60s
- CRITICAL-Sofort-Alert binnen 30s zugestellt
- Test-Alert-Button: E-Mail zugestellt
- Hourly-Digest mit 5 Events: E-Mail mit Tabelle zugestellt

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

backend/src/controllers/auth.controller.ts

@@ -2,12 +2,13 @@ import { Request, Response } from 'express';
 import * as authService from '../services/auth.service.js';
 import { AuthRequest, ApiResponse } from '../types/index.js';
 import prisma from '../lib/prisma.js';
+import { emit as emitSecurityEvent, contextFromRequest } from '../services/securityMonitor.service.js';
 
 // Mitarbeiter-Login
 export async function login(req: Request, res: Response): Promise<void> {
+  const { email, password } = req.body || {};
+  const ctx = contextFromRequest(req);
   try {
-    const { email, password } = req.body;
-
     if (!email || !password) {
       res.status(400).json({
         success: false,
@@ -17,8 +18,25 @@ export async function login(req: Request, res: Response): Promise<void> {
     }
 
     const result = await authService.login(email, password);
+    emitSecurityEvent({
+      type: 'LOGIN_SUCCESS',
+      severity: 'INFO',
+      message: `Mitarbeiter-Login: ${email}`,
+      ipAddress: ctx.ipAddress,
+      userId: result.user.id,
+      userEmail: email,
+      endpoint: ctx.endpoint,
+    });
     res.json({ success: true, data: result } as ApiResponse);
   } catch (error) {
+    emitSecurityEvent({
+      type: 'LOGIN_FAILED',
+      severity: 'LOW',
+      message: `Login-Fehlversuch (Mitarbeiter): ${email || '<leer>'}`,
+      ipAddress: ctx.ipAddress,
+      userEmail: email,
+      endpoint: ctx.endpoint,
+    });
     res.status(401).json({
       success: false,
       error: error instanceof Error ? error.message : 'Anmeldung fehlgeschlagen',
@@ -28,9 +46,9 @@ export async function login(req: Request, res: Response): Promise<void> {
 
 // Kundenportal-Login
 export async function customerLogin(req: Request, res: Response): Promise<void> {
+  const { email, password } = req.body || {};
+  const ctx = contextFromRequest(req);
   try {
-    const { email, password } = req.body;
-
     if (!email || !password) {
       res.status(400).json({
         success: false,
@@ -40,8 +58,25 @@ export async function customerLogin(req: Request, res: Response): Promise<void>
     }
 
     const result = await authService.customerLogin(email, password);
+    emitSecurityEvent({
+      type: 'LOGIN_SUCCESS',
+      severity: 'INFO',
+      message: `Portal-Login: ${email}`,
+      ipAddress: ctx.ipAddress,
+      customerId: result.user.customerId,
+      userEmail: email,
+      endpoint: ctx.endpoint,
+    });
     res.json({ success: true, data: result } as ApiResponse);
   } catch (error) {
+    emitSecurityEvent({
+      type: 'LOGIN_FAILED',
+      severity: 'LOW',
+      message: `Login-Fehlversuch (Portal): ${email || '<leer>'}`,
+      ipAddress: ctx.ipAddress,
+      userEmail: email,
+      endpoint: ctx.endpoint,
+    });
     res.status(401).json({
       success: false,
       error: error instanceof Error ? error.message : 'Anmeldung fehlgeschlagen',
@@ -115,6 +150,17 @@ export async function requestPasswordReset(req: Request, res: Response): Promise
 
     await authService.requestPasswordReset(email, userType === 'portal' ? 'portal' : 'admin');
 
+    const ctx = contextFromRequest(req);
+    emitSecurityEvent({
+      type: 'PASSWORD_RESET_REQUEST',
+      severity: 'MEDIUM',
+      message: `Passwort-Reset angefordert (${userType === 'portal' ? 'Portal' : 'Mitarbeiter'}): ${email}`,
+      ipAddress: ctx.ipAddress,
+      userEmail: email,
+      endpoint: ctx.endpoint,
+      details: { userType: userType === 'portal' ? 'portal' : 'admin' },
+    });
+
     // IMMER success senden, damit Angreifer nicht herausfinden kann welche Emails existieren
     res.json({
       success: true,
@@ -155,11 +201,28 @@ export async function confirmPasswordReset(req: Request, res: Response): Promise
 
     await authService.confirmPasswordReset(token, password);
 
+    const ctx = contextFromRequest(req);
+    emitSecurityEvent({
+      type: 'PASSWORD_RESET_CONFIRM',
+      severity: 'HIGH',
+      message: 'Passwort-Reset abgeschlossen',
+      ipAddress: ctx.ipAddress,
+      endpoint: ctx.endpoint,
+    });
+
     res.json({
       success: true,
       message: 'Passwort erfolgreich zurückgesetzt. Du kannst dich jetzt einloggen.',
     } as ApiResponse);
   } catch (error) {
+    const ctx = contextFromRequest(req);
+    emitSecurityEvent({
+      type: 'TOKEN_REJECTED',
+      severity: 'MEDIUM',
+      message: 'Passwort-Reset mit ungültigem/abgelaufenem Token versucht',
+      ipAddress: ctx.ipAddress,
+      endpoint: ctx.endpoint,
+    });
     res.status(400).json({
       success: false,
       error: error instanceof Error ? error.message : 'Passwort-Reset fehlgeschlagen',
@@ -194,6 +257,17 @@ export async function logout(req: AuthRequest, res: Response): Promise<void> {
         data: { tokenInvalidatedAt: new Date() },
       });
     }
+    const ctx = contextFromRequest(req);
+    emitSecurityEvent({
+      type: 'LOGOUT',
+      severity: 'INFO',
+      message: `Logout: ${user.email || (user.isCustomerPortal ? 'Portal-User' : 'Mitarbeiter')}`,
+      ipAddress: ctx.ipAddress,
+      userId: ctx.userId,
+      customerId: ctx.customerId,
+      userEmail: user.email,
+      endpoint: ctx.endpoint,
+    });
     res.json({ success: true, message: 'Abgemeldet' } as ApiResponse);
   } catch (error) {
     res.status(500).json({