Add login brute force protection (#77)

perfood · Jul 19, 2023 · af8524d · af8524d
1 parent 04dfc89
commit af8524d
Show file tree

Hide file tree

Showing 5 changed files with 96 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -54,6 +54,7 @@ User authentication is often the hardest part of building any web app, especiall
 - Link multiple authentication strategies to the same account for user convenience
 - Provides seamless token access to both your CouchDB server (or Cloudant) and your private API
 - Manages permissions on an unlimited number of private or shared user databases and seeds them with the correct design documents
+- Enable slowing down requests to /login on errors to [prevent brute force attacks](#brute-force-protection)
 
 ## How It Works
 
@@ -373,6 +374,40 @@ It's easy to add custom fields to user documents. When added to a `profile` fiel
    });
    ```
 
+## Brute force protection
+
+To enable brute force protection for the `/login` route you just need to add `loginRateLimit: {}` to `security` in your `config`. Adding just the empty object uses following defaults that can be overriden as needed:
+
+```ts
+const config {
+
+  ...
+
+  security: {
+
+    ...
+
+    loginRateLimit: {
+      windowMs: 5 * 60 * 1000,
+      delayAfter: 3,
+      delayMs: 500
+      maxDelayMs: 10000,
+      skipSuccessfulRequests: true,
+      skipFailedRequests: false,
+      onLimitReached: function () {},
+      store: undefined, // if undefined uses Memory Store by default
+      headers: false
+    }
+  }
+}
+```
+
+couch-auth uses [express-slow-down](https://www.npmjs.com/package/express-slow-down) under the hood, feel free to check the docs to dig deeper into configuration options.
+
+### Important notes:
+- You won't be able to override the keyGenerator option, as we use usernameField from the config.
+- If you want to use Redis Store instead of Memory Store you currently need to use [rate-limit-redis@2x](https://github.com/wyattjoh/rate-limit-redis/tree/v2.1.0) for now [due to known issues](https://github.com/express-rate-limit/express-slow-down/issues/40#issuecomment-1548011953) with newer versions of rate-limit-redis.
+
 ## Advanced Configuration
 
 Take a look at `config.example.js` or `src/types/config.d.ts` for a complete tour of all available configuration options. You'll find a lot of cool hidden features there that aren't documented here.

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -47,10 +47,12 @@
     "@sl-nx/couch-pwd": "2.0.0",
     "@sl-nx/sofa-model": "^1.0.3",
     "@types/express": "^4.17.11",
+    "@types/express-slow-down": "1.3.2",
     "@types/nodemailer": "^6.4.0",
     "@types/passport": "^1.0.6",
     "deepmerge": "^4.2.2",
     "express": "^4.17.1",
+    "express-slow-down": "1.6.0",
     "nano": "^10.0.0",
     "nodemailer": "^6.7.0",
     "nunjucks": "^3.2.3",

diff --git a/src/routes.ts b/src/routes.ts
@@ -1,6 +1,7 @@
 'use strict';
 import { NextFunction, Request, Response, Router } from 'express';
 import { Authenticator } from 'passport';
+import slowDown from 'express-slow-down';
 import { Config } from './types/config';
 import { SlRequest } from './types/typings';
 import { User, ValidErr } from './user';
@@ -38,9 +39,32 @@ export default function (
     })(req, res, next);
   }
 
-  if (!disabled.includes('login'))
+  if (!disabled.includes('login')) {
+    const speedLimiter = slowDown({
+      windowMs: config.security.loginRateLimit?.windowMs || 5 * 60 * 1000,
+      delayAfter: config.security.loginRateLimit?.delayAfter || 3,
+      delayMs: config.security.loginRateLimit
+        ? config.security.loginRateLimit.delayMs || 500
+        : 0,
+      maxDelayMs: config.security.loginRateLimit?.maxDelayMs || 10000,
+      skipSuccessfulRequests:
+        config.security.loginRateLimit?.skipSuccessfulRequests || true,
+      skipFailedRequests:
+        config.security.loginRateLimit?.skipFailedRequests || false,
+      keyGenerator: function (req) {
+        const usernameField = config.local.usernameField || 'username';
+
+        return req.body[usernameField];
+      },
+      onLimitReached:
+        config.security.loginRateLimit?.onLimitReached || function () {},
+      store: config.security.loginRateLimit?.store || undefined,
+      headers: config.security.loginRateLimit?.headers || false
+    });
+
     router.post(
       '/login',
+      speedLimiter,
       function (req, res, next) {
         loginLocal(req, res, next);
       },
@@ -62,6 +86,7 @@ export default function (
           );
       }
     );
+  }
 
   if (!disabled.includes('refresh'))
     router.post(
@@ -464,7 +489,9 @@ export default function (
       if (env !== 'development') {
         isExpected
           ? res.status(err.status).json(err)
-          : res.status(500).json({ status: 500, error: 'Internal Server Error' });
+          : res
+              .status(500)
+              .json({ status: 500, error: 'Internal Server Error' });
       } else {
         res.status(err.status || 500).json(err);
       }

diff --git a/src/types/config.ts b/src/types/config.ts
@@ -7,6 +7,7 @@ import SESTransport from 'nodemailer/lib/ses-transport';
 import SMTPTransport from 'nodemailer/lib/smtp-transport';
 import StreamTransport from 'nodemailer/lib/stream-transport';
 import { ConsentConfig, PooledSMTPOptions } from './typings';
+import { Options as ExpressSlowDownOptions } from 'express-slow-down';
 
 export interface TestConfig {
   /** Use a stub transport so no email is actually sent. Default: false */
@@ -97,6 +98,7 @@ export interface SecurityConfig {
    * forward to the express error mechanism (`next(err)`)
    */
   forwardErrors?: boolean;
+  loginRateLimit?: ExpressSlowDownOptions;
 }
 
 export interface LengthConstraint {