add little more security - against brute force attacs
This commit is contained in:
parent
c18001738f
commit
bf9e076f3e
@ -426,9 +426,6 @@ main {
|
|||||||
color: white;
|
color: white;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
/* General alert box styling */
|
/* General alert box styling */
|
||||||
#custom-alert-confirm {
|
#custom-alert-confirm {
|
||||||
display: none;
|
display: none;
|
||||||
|
|||||||
@ -47,12 +47,48 @@ const login = async (req, res) => {
|
|||||||
return res.status(400).json({ message: 'Ungültige Anmeldedaten' });
|
return res.status(400).json({ message: 'Ungültige Anmeldedaten' });
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Check for too many failed login attempts (e.g., more than 5 in 15 minutes)
|
||||||
|
const maxAttempts = 5;
|
||||||
|
const lockTime = Math.pow(2, user.failedLoginAttempts) * 15 * 1000; // Exponentially increasing delay
|
||||||
|
const now = new Date();
|
||||||
|
|
||||||
|
if (user.failedLoginAttempts >= maxAttempts && user.lastFailedLogin) {
|
||||||
|
const timeDifference = now - new Date(user.lastFailedLogin);
|
||||||
|
if (timeDifference < lockTime) {
|
||||||
|
return res.status(429).json({
|
||||||
|
message: 'Zu viele fehlgeschlagene Versuche. Bitte versuchen Sie es später erneut.',
|
||||||
|
});
|
||||||
|
} else {
|
||||||
|
// Reset failed attempts if the lock time has passed
|
||||||
|
user.failedLoginAttempts = 0;
|
||||||
|
user.lastFailedLogin = null;
|
||||||
|
await user.save();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Passwort überprüfen
|
// Passwort überprüfen
|
||||||
const isMatch = await bcrypt.compare(password, user.password);
|
const isMatch = await bcrypt.compare(password, user.password);
|
||||||
if (!isMatch) {
|
if (!isMatch) {
|
||||||
return res.status(400).json({ message: 'Ungültige Anmeldedaten' });
|
// Increment failed login attempts
|
||||||
|
user.failedLoginAttempts += 1;
|
||||||
|
user.lastFailedLogin = now; // Update the timestamp of the last failed attempt
|
||||||
|
await user.save();
|
||||||
|
|
||||||
|
// Calculate delay (using the exponential backoff strategy)
|
||||||
|
const delay = Math.pow(2, user.failedLoginAttempts) * 15 * 1000; // Delay in milliseconds
|
||||||
|
const delayInSeconds = delay / 1000;
|
||||||
|
|
||||||
|
// Return the delay time to the client
|
||||||
|
return res.status(400).json({
|
||||||
|
message: `Invalid credentials. Please wait for ${delayInSeconds} seconds before trying again.`,
|
||||||
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Reset failed login attempts on successful login
|
||||||
|
user.failedLoginAttempts = 0;
|
||||||
|
user.lastFailedLogin = null;
|
||||||
|
await user.save();
|
||||||
|
|
||||||
// JWT-Token erstellen mit benutzerdefinierten Daten
|
// JWT-Token erstellen mit benutzerdefinierten Daten
|
||||||
const token = jwt.sign({ id: user._id, username: user.username, isAdmin: user.isAdmin }, process.env.JWT_SECRET, { expiresIn: '1h' });
|
const token = jwt.sign({ id: user._id, username: user.username, isAdmin: user.isAdmin }, process.env.JWT_SECRET, { expiresIn: '1h' });
|
||||||
|
|
||||||
|
|||||||
@ -24,7 +24,15 @@ const userSchema = new mongoose.Schema({
|
|||||||
isAdmin: {
|
isAdmin: {
|
||||||
type: Boolean,
|
type: Boolean,
|
||||||
default: false // Standardwert ist false
|
default: false // Standardwert ist false
|
||||||
}
|
},
|
||||||
|
failedLoginAttempts: { // Track failed login attempts
|
||||||
|
type: Number,
|
||||||
|
default: 0
|
||||||
|
},
|
||||||
|
lastFailedLogin: { // Track the last failed login attempt time
|
||||||
|
type: Date,
|
||||||
|
default: null
|
||||||
|
},
|
||||||
});
|
});
|
||||||
|
|
||||||
module.exports = mongoose.model('User', userSchema);
|
module.exports = mongoose.model('User', userSchema);
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user