Remove successful login connections from the auth throttle list

- once a user has successfully logged into Ghost
they no longer are a malicious user and as such
their IP address should be removed from the
array of login attempts

- should also reduce the memory usage of Ghost
as the loginSecurity array gets pruned upon
every successful login

- this also fixes a race condition I was experiencing
during functional tests wherein I would receive
the login throttle message during regular testing.
Seems my machine is able to run casper fast enough
that it could complete each test under an amount
of time that tripped the login throttle message.
hswolff committed Jan 5, 2014
1 parent 3937c1b commit 09b64c8
Showing 1 changed file with 8 additions and 3 deletions.
11 changes: 8 additions & 3 deletions core/server/controllers/admin.js
Expand Up @@ -72,16 +72,17 @@ adminControllers = {
},
'auth': function (req, res) {
var currentTime = process.hrtime()[0],
remoteAddress = req.connection.remoteAddress,
denied = '';
loginSecurity = _.filter(loginSecurity, function (ipTime) {
return (ipTime.time + 2 > currentTime);
});
denied = _.find(loginSecurity, function (ipTime) {
return (ipTime.ip === req.connection.remoteAddress);
return (ipTime.ip === remoteAddress);
});

if (!denied) {
loginSecurity.push({ip: req.connection.remoteAddress, time: process.hrtime()[0]});
loginSecurity.push({ip: remoteAddress, time: currentTime});
api.users.check({email: req.body.email, pw: req.body.password}).then(function (user) {
req.session.regenerate(function (err) {
if (!err) {
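Review bot: the throttle key set at `remoteAddress = req.connection.remoteAddress` is the socket peer address, so when the admin sits behind a reverse proxy or load balancer every client presents the proxy's address, and a single attempt inside the window checked by `ipTime.time + 2 > currentTime` throttles all of them. Now that the address is read in exactly one place, this is the spot to derive it from a proxy-aware source when one is configured (for example Express's `req.ip` with `trust proxy` set) and to document which value the throttle uses. Reusing `currentTime` in the `push` instead of a second `process.hrtime()` call is fine, since the filter compares against the same whole-second value.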
Expand All @@ -90,7 +91,11 @@ adminControllers = {
if (req.body.redirect) {
redirect += decodeURIComponent(req.body.redirect);
}

// If this IP address successfully logins we
// can remove it from the array of failed login attempts.
loginSecurity = _.reject(loginSecurity, function (ipTime) {
return ipTime.ip === remoteAddress;
});
res.json(200, {redirect: redirect});
}
});
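Review bot: the new comment above `_.reject` calls `loginSecurity` "the array of failed login attempts", but the entry is pushed before `api.users.check` resolves, so the list holds every recent attempt from an address, successful or not. Reword the comment to say so, otherwise a later reader may assume a failed-only list and change the throttle logic on that basis. The removal also sits inside the `if (!err)` branch of `req.session.regenerate`, so a login whose session regeneration fails keeps its throttle entry; a short comment stating that this is intended would help. The commit touches only `admin.js`; a functional test that logs in and immediately issues a second login from the same address, asserting no throttle message, would pin down the behaviour the commit message describes.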