chore: move brute force protection logic to middleware and a singleton class

2026-01-09 23:40:06 +00:00 · 2023-03-29 15:33:32 +05:00
parent a82cabb001
commit 89048ce943
12 changed files with 190 additions and 121 deletions
--- a/api/src/routes/api/spec/web.spec.ts
+++ b/api/src/routes/api/spec/web.spec.ts
@@ -47,7 +47,7 @@ describe('web', () => {
    })
  })

-  describe.only('SASLogon/login', () => {
+  describe('SASLogon/login', () => {
    let csrfToken: string

    beforeAll(async () => {
@@ -63,7 +63,6 @@ describe('web', () => {
    it('should respond with successful login', async () => {
      await userController.createUser(user)

-      process.dbInstance = con
      const res = await request(app)
        .post('/SASLogon/login')
        .set('x-xsrf-token', csrfToken)
@@ -86,11 +85,13 @@ describe('web', () => {
    it('should respond with too many requests when attempting with invalid password for a same user 10 times', async () => {
      await userController.createUser(user)

-      process.dbInstance = con
-
      const promises: request.Test[] = []

-      Array(10)
+      const maxConsecutiveFailsByUsernameAndIp = Number(
+        process.env.MAX_CONSECUTIVE_FAILS_BY_USERNAME_AND_IP
+      )
+
+      Array(maxConsecutiveFailsByUsernameAndIp)
        .fill(0)
        .map((_, i) => {
          promises.push(
@@ -116,14 +117,16 @@ describe('web', () => {
        .expect(429)
    })

-    it.only('should respond with too many requests when attempting with invalid credentials for different users but with same ip 100 times', async () => {
+    it('should respond with too many requests when attempting with invalid credentials for different users but with same ip 100 times', async () => {
      await userController.createUser(user)

-      process.dbInstance = con
-
      const promises: request.Test[] = []

-      Array(100)
+      const maxWrongAttemptsByIpPerDay = Number(
+        process.env.MAX_WRONG_ATTEMPTS_BY_IP_PER_DAY
+      )
+
+      Array(maxWrongAttemptsByIpPerDay)
        .fill(0)
        .map((_, i) => {
          promises.push(
--- a/api/src/routes/web/web.ts
+++ b/api/src/routes/web/web.ts
@@ -1,7 +1,11 @@
 import express from 'express'
 import { generateCSRFToken } from '../../middlewares'
 import { WebController } from '../../controllers/web'
-import { authenticateAccessToken, desktopRestrict } from '../../middlewares'
+import {
+  authenticateAccessToken,
+  bruteForceProtection,
+  desktopRestrict
+} from '../../middlewares'
 import { authorizeValidation, loginWebValidation } from '../../utils'

 const webRouter = express.Router()
@@ -27,21 +31,26 @@ webRouter.get('/', async (req, res) => {
  }
 })

-webRouter.post('/SASLogon/login', desktopRestrict, async (req, res) => {
-  const { error, value: body } = loginWebValidation(req.body)
-  if (error) return res.status(400).send(error.details[0].message)
+webRouter.post(
+  '/SASLogon/login',
+  desktopRestrict,
+  bruteForceProtection,
+  async (req, res) => {
+    const { error, value: body } = loginWebValidation(req.body)
+    if (error) return res.status(400).send(error.details[0].message)

-  try {
-    const response = await controller.login(req, body)
-    res.send(response)
-  } catch (err: any) {
-    if (err instanceof Error) {
-      res.status(500).send(err.toString())
-    } else {
-      res.status(err.code).send(err.message)
+    try {
+      const response = await controller.login(req, body)
+      res.send(response)
+    } catch (err: any) {
+      if (err instanceof Error) {
+        res.status(500).send(err.toString())
+      } else {
+        res.status(err.code).send(err.message)
+      }
    }
  }
-})
+)

 webRouter.post(
  '/SASLogon/authorize',