Basic brute force detection added. Accounts throttle by captcha after 5 failed attempts, and locked out for 24 hours after 200 attempts.

2024-12-26 17:46:35 -05:00 · 2024-12-26 17:46:35 -05:00 · 9c18c23ad5
commit 9c18c23ad5
parent e0f53df176
13 changed files with 463 additions and 50 deletions
--- a/src/controllers/loginController.js
+++ b/src/controllers/loginController.js
@ -0,0 +1,64 @@
+/*Canopy - The next generation of stoner streaming software
+Copyright (C) 2024  Rainbownapkin and the TTN Community
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
+
+//Config
+const config = require('../../config.json');
+
+//NPM Imports
+const {validationResult, matchedData} = require('express-validator');
+
+//Local Imports
+const sessionUtils = require('../utils/sessionUtils');
+const altchaUtils = require('../utils/altchaUtils');
+
+//register page functions
+module.exports.get = async function(req, res){
+    //Check for validation errors
+    const validResult = validationResult(req);
+
+    //If there are none
+    if(validResult.isEmpty()){
+        //Get username from sanatized/validated data
+        const {user} = matchedData(req);
+        const attempts = sessionUtils.getLoginAttempts(user);
+
+        //if we have previous attempts for this user
+        if(attempts != null){
+            if(attempts.count > sessionUtils.maxAttempts){
+                return res.render('lockedAccount', {instance: config.instanceName, user: req.session.user});
+            }
+
+            //If the users login's are being throttled
+            if(attempts.count > sessionUtils.throttleAttempts){
+                //Get diffuculty based on amount of attempts past the max amount
+                const difficulty = attempts.count - sessionUtils.throttleAttempts;
+                //Generate challenge unique to specific user, with difficulty set based on failed login attempts
+                const challenge = await altchaUtils.genCaptcha(difficulty, user);
+
+                //Render page
+                return res.render('login', {instance: config.instanceName, user: req.session.user, challenge});
+            }
+        //otherwise
+        }else{
+            //Render generic page
+            return res.render('login', {instance: config.instanceName, user: req.session.user, challenge: null});
+        }
+    //if we received invalid input
+    }else{
+        //Render pretend nothing happened, send out a generic page
+        return res.render('login', {instance: config.instanceName, user: req.session.user, challenge: null});
+    }
+}