
add brute-force protection for change password and email actions

julianlam committed Jul 11, 2018
1 parent d0c22c5 commit 7558046e757640e99614aa88df4998bdb362d16b
Showing with 10 additions and 1 deletion.
  1. +10 −1 src/user/password.js
@@ -33,7 +33,16 @@ module.exports = function (User) {
function (next) {
Password.compare(password, hashedPassword, next);
},
], callback);
], function (err, ok) {
if (err) {
return callback(err);
}
// Delay return for incorrect current password
setTimeout(function () {
callback(null, ok);
}, ok ? 0 : 2500);
});
};
User.hasPassword = function (uid, callback) {
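Review bot: The penalty in `}, ok ? 0 : 2500);` is applied only on the wrong-password path; an `err` from the waterfall is returned immediately by the `return callback(err);` two lines above, so the two failure outcomes are distinguishable by response time, and the comment `// Delay return for incorrect current password` should say that error responses are deliberately exempt if that is intended. The literal `2500` would also read better as a named module-level constant, e.g. `var INCORRECT_PASSWORD_DELAY = 2500;` with `}, ok ? 0 : INCORRECT_PASSWORD_DELAY);`, so the value is documented once and reusable by the email-change path the commit title mentions. The enclosing function begins above the hunk, so the earlier waterfall steps and the callers are not visible here.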

2 comments on commit 7558046

@BenLubar



BenLubar replied Jul 22, 2018

Does this actually lock the client's session or can they just send a bunch of requests simultaneously and wait for one to return a success response?

@julianlam



julianlam replied Jul 22, 2018

Integration into some sort of lockout based on IP would be ideal 👍
