Basic brute force detection added. Accounts throttle by captcha after 5 failed attempts, and locked out for 24 hours after 200 attempts.

2024-12-26 17:46:35 -05:00 · 2024-12-26 17:46:35 -05:00 · 9c18c23ad5
commit 9c18c23ad5
parent e0f53df176
13 changed files with 463 additions and 50 deletions
--- a/src/controllers/api/account/loginController.js
+++ b/src/controllers/api/account/loginController.js
@ -14,32 +14,58 @@ GNU Affero General Public License for more details.
 You should have received a copy of the GNU Affero General Public License
 along with this program.  If not, see <https://www.gnu.org/licenses/>.*/

+//Config
+const config = require('../../../../config.json');
+
 //npm imports
 const {validationResult, matchedData} = require('express-validator');

 //local imports
-const accountUtils = require('../../../utils/sessionUtils');
+const sessionUtils = require('../../../utils/sessionUtils');
 const {exceptionHandler, errorHandler} = require('../../../utils/loggerUtils');
-
+const altchaUtils = require('../../../utils/altchaUtils');
+const session = require('express-session');

 //api account functions
 module.exports.post = async function(req, res){
    try{
+        //Check validation results
        const validResult = validationResult(req);

+        //if we don't have errors
        if(validResult.isEmpty()){
-            const data = matchedData(req);
-            const {user, pass} = data;
-
+            //Pull sanatzied/validated data
+            const {user, pass} = matchedData(req);
+            
            //try to authenticate the session, and return a successful code if it works
-            await accountUtils.authenticateSession(user, pass, req);
+            await sessionUtils.authenticateSession(user, pass, req);
            return res.sendStatus(200);
        }else{
            res.status(400);
-            res.send({errors: validResult.array()})
+            return res.send({errors: validResult.array()})
        }
    }catch(err){
-        exceptionHandler(res, err);
+        //Check validation results
+        const validResult = validationResult(req);
+
+        //if we don't have errors
+        if(validResult.isEmpty()){
+            //Get login attempts for current user
+            const {user} = matchedData(req);
+            const attempts = sessionUtils.getLoginAttempts(user)
+
+            //if we've gone over max attempts and
+            if(attempts.count > sessionUtils.throttleAttempts){
+                //tell client it needs a captcha
+                return res.sendStatus(429);
+            }
+        }else{
+            res.status(400);
+            return res.send({errors: validResult.array()})
+        }
+
+        //
+        return exceptionHandler(res, err);
    }
    
 }