add little more security - against brute force attacs
This commit is contained in:
parent
c18001738f
commit
bf9e076f3e
@ -426,9 +426,6 @@ main {
|
||||
color: white;
|
||||
}
|
||||
|
||||
|
||||
|
||||
|
||||
/* General alert box styling */
|
||||
#custom-alert-confirm {
|
||||
display: none;
|
||||
|
@ -47,12 +47,48 @@ const login = async (req, res) => {
|
||||
return res.status(400).json({ message: 'Ungültige Anmeldedaten' });
|
||||
}
|
||||
|
||||
// Check for too many failed login attempts (e.g., more than 5 in 15 minutes)
|
||||
const maxAttempts = 5;
|
||||
const lockTime = Math.pow(2, user.failedLoginAttempts) * 15 * 1000; // Exponentially increasing delay
|
||||
const now = new Date();
|
||||
|
||||
if (user.failedLoginAttempts >= maxAttempts && user.lastFailedLogin) {
|
||||
const timeDifference = now - new Date(user.lastFailedLogin);
|
||||
if (timeDifference < lockTime) {
|
||||
return res.status(429).json({
|
||||
message: 'Zu viele fehlgeschlagene Versuche. Bitte versuchen Sie es später erneut.',
|
||||
});
|
||||
} else {
|
||||
// Reset failed attempts if the lock time has passed
|
||||
user.failedLoginAttempts = 0;
|
||||
user.lastFailedLogin = null;
|
||||
await user.save();
|
||||
}
|
||||
}
|
||||
|
||||
// Passwort überprüfen
|
||||
const isMatch = await bcrypt.compare(password, user.password);
|
||||
if (!isMatch) {
|
||||
return res.status(400).json({ message: 'Ungültige Anmeldedaten' });
|
||||
// Increment failed login attempts
|
||||
user.failedLoginAttempts += 1;
|
||||
user.lastFailedLogin = now; // Update the timestamp of the last failed attempt
|
||||
await user.save();
|
||||
|
||||
// Calculate delay (using the exponential backoff strategy)
|
||||
const delay = Math.pow(2, user.failedLoginAttempts) * 15 * 1000; // Delay in milliseconds
|
||||
const delayInSeconds = delay / 1000;
|
||||
|
||||
// Return the delay time to the client
|
||||
return res.status(400).json({
|
||||
message: `Invalid credentials. Please wait for ${delayInSeconds} seconds before trying again.`,
|
||||
});
|
||||
}
|
||||
|
||||
// Reset failed login attempts on successful login
|
||||
user.failedLoginAttempts = 0;
|
||||
user.lastFailedLogin = null;
|
||||
await user.save();
|
||||
|
||||
// JWT-Token erstellen mit benutzerdefinierten Daten
|
||||
const token = jwt.sign({ id: user._id, username: user.username, isAdmin: user.isAdmin }, process.env.JWT_SECRET, { expiresIn: '1h' });
|
||||
|
||||
|
@ -24,7 +24,15 @@ const userSchema = new mongoose.Schema({
|
||||
isAdmin: {
|
||||
type: Boolean,
|
||||
default: false // Standardwert ist false
|
||||
}
|
||||
},
|
||||
failedLoginAttempts: { // Track failed login attempts
|
||||
type: Number,
|
||||
default: 0
|
||||
},
|
||||
lastFailedLogin: { // Track the last failed login attempt time
|
||||
type: Date,
|
||||
default: null
|
||||
},
|
||||
});
|
||||
|
||||
module.exports = mongoose.model('User', userSchema);
|
||||
|
Loading…
Reference in New Issue
Block a user