Ghost/core/server/web/middleware/brute.js

var url = require('url'),
    spamPrevention = require('./api/spam-prevention');

/**
 * We set ignoreIP to false, because we tell brute-knex to use `req.ip`.
 * We can use `req.ip`, because express trust proxy option is enabled.
 */
module.exports = {
    /**
     * block per route per ip
     */
    globalBlock: function (req, res, next) {
        return spamPrevention.globalBlock().getMiddleware({
            ignoreIP: false,
            key: function (req, res, next) {
                next(url.parse(req.url).pathname);
            }
        })(req, res, next);
    },
    /**
     * block per route per ip
     */
    globalReset: function (req, res, next) {
        return spamPrevention.globalReset().getMiddleware({
            ignoreIP: false,
            key: function (req, res, next) {
                next(url.parse(req.url).pathname);
            }
        })(req, res, next);
    },
    /**
     * block per user
     * username === email!
     */
    userLogin: function (req, res, next) {
        return spamPrevention.userLogin().getMiddleware({
            ignoreIP: false,
            key: function (req, res, next) {
                if (req.body.username) {
                    return next(req.body.username + 'login');
                }

                if (req.body.authorizationCode) {
                    return next(req.body.authorizationCode + 'login');
                }

                if (req.body.refresh_token) {
                    return next(req.body.refresh_token + 'login');
                }

                return next();
            }
        })(req, res, next);
    },
    /**
     * block per user
     */
    userReset: function (req, res, next) {
        return spamPrevention.userReset().getMiddleware({
            ignoreIP: false,
            key: function (req, res, next) {
                next(req.body.username + 'reset');
            }
        })(req, res, next);
    },
    /**
     * block per ip
     */
    privateBlog: function (req, res, next) {
        return spamPrevention.privateBlog().getMiddleware({
            ignoreIP: false,
            key: function (req, res, next) {
                next('privateblog');
            }
        })(req, res, next);
    }
};