TryGhost/Ghost
1
0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2024-12-18 16:01:40 +03:00
Code Issues Projects Releases Wiki Activity
e2bbf7d206
Ghost/core/server/middleware/brute.js
David Wolfe e2bbf7d206 Fix brute for token exchanges (#7725) 
closes #7722

- fixes issue where token exhanges are logged with an undefined email address causing lockouts
- use more relevant translations for errors
2016-11-17 14:02:56 +01:00

64 lines
2.5 KiB
JavaScript
Raw Blame History

var spamPrevention = require('./api/spam-prevention');
module.exports = {
globalBlock: spamPrevention.globalBlock.getMiddleware({
// We want to ignore req.ip and instead use req.connection.remoteAddress
ignoreIP: true,
key: function (req, res, next) {
req.authInfo = req.authInfo || {};
req.authInfo.ip = req.connection.remoteAddress;
req.body.connection = req.connection.remoteAddress;
next(req.authInfo.ip);
}
}),
globalReset: spamPrevention.globalReset.getMiddleware({
ignoreIP: true,
key: function (req, res, next) {
req.authInfo = req.authInfo || {};
req.authInfo.ip = req.connection.remoteAddress;
// prevent too many attempts for the same email address but keep separate to login brute force prevention
next(req.authInfo.ip);
}
}),
userLogin: spamPrevention.userLogin.getMiddleware({
ignoreIP: true,
key: function (req, res, next) {
req.authInfo = req.authInfo || {};
req.authInfo.ip = req.connection.remoteAddress || req.ip;
// prevent too many attempts for the same username
if (req.body.username) {
return next(req.authInfo.ip + req.body.username + 'login');
}
if (req.body.authorizationCode) {
return next(req.authInfo.ip + req.body.authorizationCode + 'login');
}
if (req.body.refresh_token) {
return next(req.authInfo.ip + req.body.refresh_token + 'login');
}
return next();
}
}),
userReset: spamPrevention.userReset.getMiddleware({
ignoreIP: true,
key: function (req, res, next) {
req.authInfo = req.authInfo || {};
req.authInfo.ip = req.connection.remoteAddress;
// prevent too many attempts for the same email address but keep separate to login brute force prevention
next(req.authInfo.ip + req.body.username + 'reset');
}
}),
privateBlog: spamPrevention.privateBlog.getMiddleware({
ignoreIP: true,
key: function (req, res, next) {
req.authInfo = req.authInfo || {};
req.authInfo.ip = req.connection.remoteAddress;
// prevent too many attempts for the same email address but keep separate to login brute force prevention
next(req.authInfo.ip + 'private');
}
})
};
Reference in New Issue View Git Blame Copy Permalink