Use new brute force middleware for locking a token

[kirrg001]

We are using a new brute force middleware unit in current master, see https://github.com/TryGhost/Ghost/pull/7579/files.

I've added a TODO in one of my previous PR's, see https://github.com/TryGhost/Ghost/blob/2.9.1/core/server/api/v0.1/authentication.js#L276

We would like to use the new brute force middleware for locking a token if too many tries.

• consider if we can replace this by our brute force middleware
• delete brute protection in the api authentication file
• use brute middleware for this route (register as middleware)
• add tests or check if we have enough tests

Please read also through the conversation here https://github.com/TryGhost/Ghost/pull/7579/files#r86813677
It contains already a solution how this could be replaced.

[ErisDS]

@kirrg001 is this still relevant given the new authentication methods? Should it be prioritised or closed?

[kirrg001]

The new authentication methods and the v2 API still use the reset password controller logic. You can still login with username/password and you can still reset a password.

IMO yes, this is still relevant. And a refactoring would be very useful, because if we support multiple API versions, we don't want to copy this code around. IMO we should aim for as less as possible code in controllers. It would be great if the brute force middleware could handle this case:

consider if we can replace this by our brute force middleware

I have removed the help wanted label and added it to the backlog.

[ErisDS]

Closing as we intend to replace our brute force logic soon.