add little more security - against brute force attacs

2024-11-18 17:37:57 +01:00 · 2024-11-18 17:37:57 +01:00 · bf9e076f3e
commit bf9e076f3e
parent c18001738f
3 changed files with 46 additions and 5 deletions
--- a/client/css/styles.css
+++ b/client/css/styles.css
@ -426,9 +426,6 @@ main {
    color: white;
 }

-
-
-
 /* General alert box styling */
 #custom-alert-confirm {
    display: none;
--- a/server/controllers/authController.js
+++ b/server/controllers/authController.js
@ -47,12 +47,48 @@ const login = async (req, res) => {
            return res.status(400).json({ message: 'Ungültige Anmeldedaten' });
        }

+        // Check for too many failed login attempts (e.g., more than 5 in 15 minutes)
+        const maxAttempts = 5;
+        const lockTime = Math.pow(2, user.failedLoginAttempts) * 15 * 1000; // Exponentially increasing delay
+        const now = new Date();
+
+        if (user.failedLoginAttempts >= maxAttempts && user.lastFailedLogin) {
+            const timeDifference = now - new Date(user.lastFailedLogin);
+            if (timeDifference < lockTime) {
+                return res.status(429).json({
+                    message: 'Zu viele fehlgeschlagene Versuche. Bitte versuchen Sie es später erneut.',
+                });
+            } else {
+                // Reset failed attempts if the lock time has passed
+                user.failedLoginAttempts = 0;
+                user.lastFailedLogin = null;
+                await user.save();
+            }
+        }
+
        // Passwort überprüfen
        const isMatch = await bcrypt.compare(password, user.password);
        if (!isMatch) {
-            return res.status(400).json({ message: 'Ungültige Anmeldedaten' });
+            // Increment failed login attempts
+            user.failedLoginAttempts += 1;
+            user.lastFailedLogin = now; // Update the timestamp of the last failed attempt
+            await user.save();
+
+            // Calculate delay (using the exponential backoff strategy)
+            const delay = Math.pow(2, user.failedLoginAttempts) * 15 * 1000; // Delay in milliseconds
+            const delayInSeconds = delay / 1000;
+
+            // Return the delay time to the client
+            return res.status(400).json({
+                message: `Invalid credentials. Please wait for ${delayInSeconds} seconds before trying again.`,
+            });
        }

+        // Reset failed login attempts on successful login
+        user.failedLoginAttempts = 0;
+        user.lastFailedLogin = null;
+        await user.save();
+
        // JWT-Token erstellen mit benutzerdefinierten Daten
        const token = jwt.sign({ id: user._id, username: user.username, isAdmin: user.isAdmin }, process.env.JWT_SECRET, { expiresIn: '1h' });

--- a/server/models/User.js
+++ b/server/models/User.js
@ -24,7 +24,15 @@ const userSchema = new mongoose.Schema({
    isAdmin: {
        type: Boolean,
        default: false // Standardwert ist false
-    }
+    },
+    failedLoginAttempts: { // Track failed login attempts
+        type: Number,
+        default: 0
+    },
+    lastFailedLogin: { // Track the last failed login attempt time
+        type: Date,
+        default: null
+    },
 });

 module.exports = mongoose.model('User', userSchema);