Preventing brute force with Node and Express JS

I am building a website using Node and Express JS and would like to block invalid login attempts. How can I prevent online brute-force attacks and reduce unnecessary database calls? How can I implement this?


Perhaps something like this can help you get started.

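// Per-IP failure state: ip -> { count, nextTry }, with nextTry in epoch ms.
// Created without a prototype so an attacker-influenced key such as
// "__proto__" (e.g. from a spoofed forwarding header) is just another key
// instead of reaching Object.prototype.
var failures = Object.create(null);

var MINS10 = 600000;
var MINS30 = 3 * MINS10;
// Extra delay added per consecutive failure, and a ceiling so one abusive
// client behind a shared address cannot lock everyone else out indefinitely.
var DELAY_STEP_MS = 2000;
var MAX_DELAY_MS = MINS10;

/**
 * Reject the request when remoteIp is still inside its back-off window.
 * @param {string} remoteIp - address the attempt is attributed to
 * @param {object} res - Express response; answered with 429 Too Many Requests when throttled
 * @returns {boolean} true if the request was rejected, false if the caller
 *   may go on to check the credentials
 */
function tryToLogin(remoteIp, res) {
  var f = failures[remoteIp];
  if (f && Date.now() < f.nextTry) {
    // Throttled. Can't try yet.
    res.status(429).end();
    return true;
  }
  // Otherwise do login ...
  return false;
}

/**
 * Count one failed attempt for remoteIp and push its next allowed try out.
 * @param {string} remoteIp - address the failed attempt came from
 */
function onLoginFail(remoteIp) {
  var f = failures[remoteIp] || (failures[remoteIp] = { count: 0, nextTry: 0 });
  ++f.count;
  // Wait another two seconds for every failed attempt, capped at MAX_DELAY_MS
  f.nextTry = Date.now() + Math.min(DELAY_STEP_MS * f.count, MAX_DELAY_MS);
}

/**
 * Forget the failure history once the client has proven it knows the password.
 * @param {string} remoteIp - address whose history is cleared
 */
function onLoginSuccess(remoteIp) {
  delete failures[remoteIp];
}

// Clean up people that have given up: drop entries whose back-off window
// ended more than MINS10 ago. A named function so it can also be run directly.
function cleanupFailures() {
  var now = Date.now();
  for (var ip in failures) {
    if (now - failures[ip].nextTry > MINS10) {
      delete failures[ip];
    }
  }
}

var cleanupTimer = setInterval(cleanupFailures, MINS30);
// The timer is housekeeping only; don't let it alone keep the process alive.
if (cleanupTimer && typeof cleanupTimer.unref === 'function') {
  cleanupTimer.unref();
}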

So, after some searching, I could not find a solution that I liked, so I wrote my own based on Trevor's answer and the express-brute solution. You can find it here.


OK, I found a solution for limiting login attempts on wrong passwords with Mongoose and Express.js. * First, define the user schema. * Second, define a handler function on the schema that counts incorrect passwords up to a maximum number of login attempts. * Third, when we create the login API, we call this function to check how many times the user has logged in with the wrong password. The code is below.

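 var config = require('../config');

var userSchema = new mongoose.Schema({
  email: { type: String, unique: true, required: true },
  password: String,
  verificationToken: { type: String, unique: true, required: true },
  isVerified: { type: Boolean, required: true, default: false },
  // sparse: a unique index without it treats every document that lacks the
  // field as the same null key, so only one user could ever have no reset token.
  passwordResetToken: { type: String, unique: true, sparse: true },
  passwordResetExpires: Date,
  loginAttempts: { type: Number, required: true, default: 0 },
  lockUntil: Number, // epoch milliseconds; absent while the account is not locked
  role: String
});

// True while a lock is in force: lockUntil is set and still in the future.
userSchema.virtual('isLocked').get(function() {
  return !!(this.lockUntil && this.lockUntil > Date.now());
});

/**
 * Record one failed login for this user and lock the account once
 * config.login.maxAttempts is reached.
 * @param {function(Error=)} callback - passed through to the update
 * @returns whatever this.update returns (NOTE(review): Document#update is
 *   deprecated in newer Mongoose releases; updateOne is the replacement — confirm
 *   the version in use)
 */
userSchema.methods.incrementLoginAttempts = function(callback) {
  // if we have a previous lock that has expired, restart at 1
  var lockExpired = !!(this.lockUntil && this.lockUntil < Date.now());
  if (lockExpired) {
    return this.update({
      $set: { loginAttempts: 1 },
      $unset: { lockUntil: 1 }
    }, callback);
  }
  // otherwise we're incrementing
  var updates = { $inc: { loginAttempts: 1 } };
  // lock the account if we've reached max attempts and it not locked already
  var needToLock = !!(this.loginAttempts + 1 >= config.login.maxAttempts && !this.isLocked);
  if (needToLock) {
    // NOTE(review): lockoutHours is added straight to an epoch-millisecond
    // timestamp, so the config value must already be expressed in milliseconds
    // despite its name; confirm, or convert with * 60 * 60 * 1000.
    updates.$set = { lockUntil: Date.now() + config.login.lockoutHours };
  }
  return this.update(updates, callback);
};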

Here is my login function, where we check the maximum number of login attempts with a wrong password. It also calls the function above.

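 // NOTE(review): this is the body of a verify callback (email, password, done)
 // whose opening line is outside this excerpt; the closing `}));` below ends it.
 // Minimal HTML escaping for user input that ends up inside a flash message
 // rendered as HTML (the verification message below embeds markup).
 var escapeHtml = function(s) {
   return String(s)
     .replace(/&/g, '&amp;')
     .replace(/</g, '&lt;')
     .replace(/>/g, '&gt;')
     .replace(/"/g, '&quot;')
     .replace(/'/g, '&#39;');
 };
 User.findOne({ email: email }, function(err, user) {
   // A database error must not be reported to the user as "no such account".
   if (err) {
     return done(err);
   }
   if (!user) {
     // NOTE(review): naming the email here confirms which addresses are
     // registered; a generic "invalid email or password" avoids enumeration.
     return done(null, false, { msg: 'No user with the email ' + escapeHtml(email) + ' was found.' });
   }
   if (user.isLocked) {
     // Still count the attempt so the lock keeps extending while it is hammered.
     return user.incrementLoginAttempts(function(err) {
       if (err) { return done(err); }
       return done(null, false, { msg: 'You have exceeded the maximum number of login attempts. Your account is locked until ' + moment(user.lockUntil).tz(config.server.timezone).format('LT z') + '. You may attempt to log in again after that time.' });
     });
   }
   if (!user.isVerified) {
     // email is user input placed in a URL path inside HTML: percent-encode it
     // so it cannot break out of the href attribute.
     return done(null, false, { msg: 'Your email has not been verified. Check your inbox for a verification email.<p><a href="/user/verify-resend/' + encodeURIComponent(email) + '" class="btn waves-effect white black-text"><i class="material-icons left">email</i>Re-send verification email</a></p>' });
   }
   user.comparePassword(password, function(err, isMatch) {
     // A hashing error is not a wrong password; don't count it against the user.
     if (err) {
       return done(err);
     }
     if (isMatch) {
       // NOTE(review): nothing resets loginAttempts on success, so old failures
       // accumulate until the account locks; consider clearing the counter here.
       return done(null, user);
     }
     user.incrementLoginAttempts(function(err) {
       if (err) { return done(err); }
       return done(null, false, { msg: 'Invalid password. Please try again.' });
     });
   });
 });
 }));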

Take a look at this: https://github.com/AdamPflug/express-brute — a brute-force protection middleware for Express routes that rate-limits incoming requests, increasing the delay with each request in a Fibonacci-like sequence.


Source: https://habr.com/ru/post/957067/

