The Logs de Acceso page (pages/access_logs.py) gives the superadmin a real-time view of all authentication activity in Sistema MRP. It surfaces successful logins, failed attempts, and accounts currently locked out due to repeated failures.
This page is restricted to the superadmin role. Any attempt to access it as a client triggers a redirect enforced by require_superadmin().

What is logged

Three categories of events are recorded:
  • Successful logins — every successful authentication writes a LoginLog record containing the user ID, username, login timestamp, and IP address. The page displays the last 200 records.
  • Failed login attempts — every failed authentication (wrong password, unknown username) writes a FailedLoginAttempt record with the attempted username, timestamp, IP address, and reason. The page displays the last 200 records.
  • Account lockouts — when an account’s failed-attempt count reaches the threshold, get_locked_accounts() returns it as a currently locked account. This is derived in real time from the FailedLoginAttempt table rather than stored as a separate flag.
Both successful logins and failed attempts are exportable to CSV directly from the page.

Account lockout policy

Login security is implemented in services/auth_service.py:
  • 5 consecutive failed attempts within a 15-minute rolling window lock the account.
  • The lockout lasts 15 minutes from the time of the last failed attempt.
  • The lockout check normalizes the username to lowercase, so case variations (e.g., Admin vs admin) cannot be used to bypass the counter.
  • On a successful login, all prior failed-attempt records for that username are cleared.
The Alertas de Seguridad section at the top of the logs page shows all accounts currently locked, with the number of failed attempts for each.
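The policy above, sketched as an added example (this is not the code in services/auth_service.py): an in-memory list stands in for the FailedLoginAttempt table, and FailedAttemptStore, locked_until and locked_accounts are hypothetical names. It assumes the lock is computed from the failures recorded in the 15 minutes ending at the most recent failure.

```python
from datetime import datetime, timedelta

MAX_ATTEMPTS = 5                 # threshold stated in the policy above
WINDOW = timedelta(minutes=15)   # rolling window, also the lockout duration


class FailedAttemptStore:
    """In-memory stand-in (assumption) for the FailedLoginAttempt table."""

    def __init__(self):
        self._rows = []  # (lowercased username, timestamp)

    def record_failure(self, username, when):
        # Lowercase so "Admin" and "admin" share one counter.
        self._rows.append((username.lower(), when))

    def record_success(self, username):
        # A successful login clears every prior failure for that username,
        # so the rows that remain are always consecutive failures.
        key = username.lower()
        self._rows = [r for r in self._rows if r[0] != key]

    def _streak(self, username):
        """Failures in the 15 minutes ending at the latest failure."""
        times = sorted(t for u, t in self._rows if u == username.lower())
        return [t for t in times if times[-1] - t <= WINDOW]

    def locked_until(self, username, now):
        """Unlock time if the account is locked at `now`, otherwise None."""
        streak = self._streak(username)
        if len(streak) < MAX_ATTEMPTS:
            return None
        unlock = streak[-1] + WINDOW  # 15 minutes after the last failure
        # Assumption: the lock ends exactly at `unlock` (exclusive bound).
        return unlock if now < unlock else None

    def locked_accounts(self, now):
        """Derived view, no stored flag: {username: failed-attempt count}."""
        names = {u for u, _ in self._rows}
        return {n: len(self._streak(n)) for n in names if self.locked_until(n, now)}


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 12, 0)  # constructed sample data
    store = FailedAttemptStore()
    for i, name in enumerate(["Admin", "admin", "ADMIN", "aDmin", "admin"]):
        store.record_failure(name, t0 + timedelta(minutes=i))
    print(store.locked_accounts(t0 + timedelta(minutes=5)))
    print(store.locked_until("admin", t0 + timedelta(minutes=19)))
```

Because the lock is derived from the attempt rows, clearing them on a successful login is also what resets the counter; no separate unlock step exists in this sketch.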

Viewing logs

The access logs page is divided into three sections:
  1. Alertas de Seguridad — real-time list of currently locked accounts. If no accounts are locked, a green confirmation message is shown.
  2. Intentos Fallidos Recientes — a filterable table of the last 200 failed login attempts. Filter by username or IP address using the search input. Exportable to CSV.
  3. Historial de Accesos Exitosos — a filterable table of the last 200 successful logins. Filter by username or IP address. Exportable to CSV.
The KPI cards at the top of the page summarize:
| Card | Value |
|---|---|
| Accesos Registrados | Total successful login records shown (up to 200). |
| Usuarios con Acceso | Count of distinct usernames in the log. |
| Accesos Hoy | Successful logins recorded today. |
| Alertas Activas | Number of accounts currently locked. |

Session expiry

Sessions in Sistema MRP are server-side records in the user_sessions table. The get_valid_session() function checks the session’s last_activity timestamp on every page load.
Sessions expire automatically after 30 minutes of inactivity. When a session expires, the user is redirected to the login page on their next interaction. This applies to both client and superadmin sessions.
Sessions are also invalidated immediately when:
  • The superadmin disables a client account (all active sessions for that client are deleted via delete_user_sessions).
  • The superadmin deletes a client account.
  • The superadmin edits a client’s username (the username change triggers a session wipe for that client).