/NodeBB

Permalink
Browse files

add brute-force protection for change password and email actions

  • Loading branch information...
@julianlam
julianlam committed Jul 11, 2018
1 parent d0c22c5 commit 7558046e757640e99614aa88df4998bdb362d16b
Unified Split
Showing with 10 additions and 1 deletion.
  1. +10 −1 src/user/password.js
View file
11 src/user/password.js
@@ -33,7 +33,16 @@ module.exports = function (User) {
function (next) {
Password.compare(password, hashedPassword, next);
},
], callback);
], function (err, ok) {
if (err) {
return callback(err);
}
// Delay return for incorrect current password
setTimeout(function () {
callback(null, ok);
}, ok ? 0 : 2500);
});
};
User.hasPassword = function (uid, callback) {

2 comments on commit 7558046

@BenLubar

This comment has been minimized.

Sign in to view
Contributor

BenLubar replied Jul 22, 2018

Does this actually lock the client's session or can they just send a bunch of requests simultaneously and wait for one to return a success response?
@julianlam

This comment has been minimized.

Sign in to view
Member

julianlam replied Jul 22, 2018

Integration into some sort of lockout based on IP would be ideal 👍
Please sign in to comment.