Merge pull request #836 from ExtensionEngine/improvement/max-login-attempts

Implement max login attempts

Author: underscope

client/components/auth/Login.vue

@@ -76,6 +76,8 @@
 import { mapActions } from 'vuex';
 
 const LOGIN_ERR_MESSAGE = 'The email or password you entered is incorrect.';
+const TOO_MANY_REQ_CODE = 429;
+const TOO_MANY_REQ_ERR_MESSAGE = 'Too many login attempts. Please try again later.';
 const getOidcErrorMessage = (email, buttonLabel) =>
   `Account with email ${email} does not exist.
   Click "${buttonLabel}" to try with a different account.`;
@@ -104,7 +106,12 @@ export default {
       this.message = '';
       this.login({ email: this.email, password: this.password })
         .then(() => this.$router.push('/'))
-        .catch(() => (this.localError = LOGIN_ERR_MESSAGE));
+        .catch(err => {
+          const code = err?.response?.status;
+          this.localError = code === TOO_MANY_REQ_CODE
+            ? TOO_MANY_REQ_ERR_MESSAGE
+            : LOGIN_ERR_MESSAGE;
+        });
     }
   }
 };

server/shared/request/mw.js

@@ -1,11 +1,51 @@
 'use strict';
 
 const rateLimit = require('express-rate-limit');
+const Tapster = require('@extensionengine/tapster');
+const { provider, ...options } = require('../../../config/server').store;
 
 const DEFAULT_WINDOW_MS = 15 * 60 * 1000; // every 15 minutes
 
-function requestLimiter({ max = 10, windowMs = DEFAULT_WINDOW_MS, ...opts } = {}) {
-  return rateLimit({ max, windowMs, ...opts });
+// Store must be implemented using the following interface:
+// https://github.com/nfriedly/express-rate-limit/blob/master/README.md#store
+class Store {
+  constructor() {
+    this.cache = new Tapster({
+      ...options[provider],
+      store: provider,
+      namespace: 'request-limiter'
+    });
+  }
+
+  async incr(key, cb) {
+    const initialState = { hits: 0 };
+    const { hits, ...record } = await this.cache.has(key)
+      ? await this.cache.get(key)
+      : initialState;
+    await this.cache.set(key, { ...record, hits: hits + 1 });
+    cb(null, hits);
+  }
+
+  async decrement(key) {
+    const { hits, ...record } = await this.cache.get(key) || {};
+    if (!hits) return;
+    return this.cache.set(key, { ...record, hits: hits - 1 });
+  }
+
+  resetKey(key) {
+    return this.cache.delete(key);
+  }
+}
+
+const defaultStore = new Store();
+
+function requestLimiter({
+  max = 10,
+  windowMs = DEFAULT_WINDOW_MS,
+  store = defaultStore,
+  ...opts
+} = {}) {
+  return rateLimit({ max, windowMs, store, ...opts });
 }
 
 module.exports = { requestLimiter };

server/user/index.js

@@ -1,6 +1,7 @@
 'use strict';
 
 const { authenticate, logout } = require('../shared/auth');
+const { loginRequestLimiter, resetLoginAttempts, setLoginLimitKey } = require('./mw');
 const { ACCEPTED } = require('http-status-codes');
 const { authorize } = require('../shared/auth/mw');
 const ctrl = require('./user.controller');
@@ -11,7 +12,14 @@ const { User } = require('../shared/database');
 
 // Public routes:
 router
-  .post('/login', authenticate('local', { setCookie: true }), ctrl.getProfile)
+  .post(
+    '/login',
+    setLoginLimitKey,
+    loginRequestLimiter,
+    authenticate('local', { setCookie: true }),
+    resetLoginAttempts,
+    ctrl.getProfile
+  )
   .post('/forgot-password', ctrl.forgotPassword)
   .use('/reset-password', requestLimiter(), authenticate('token'))
   .post('/reset-password', ctrl.resetPassword)

server/user/mw.js

@@ -0,0 +1,24 @@
+'use strict';
+
+const crypto = require('crypto');
+const { requestLimiter } = require('../shared/request/mw');
+
+const ONE_HOUR_IN_MS = 60 * 60 * 1000;
+
+const loginRequestLimiter = requestLimiter({
+  windowMs: ONE_HOUR_IN_MS,
+  keyGenerator: req => req.userKey
+});
+
+function setLoginLimitKey(req, res, next) {
+  const key = [req.ip, req.body.email].join(':');
+  req.userKey = crypto.createHash('sha256').update(key).digest('base64');
+  return next();
+}
+
+function resetLoginAttempts(req, res, next) {
+  return loginRequestLimiter.resetKey(req.userKey)
+    .then(() => next());
+}
+
+module.exports = { loginRequestLimiter, setLoginLimitKey, resetLoginAttempts };