✨ Add brute force prevention

Author: AnandChowdhary

package.json

@@ -37,6 +37,7 @@
     "@types/cors": "^2.8.5",
     "@types/dotenv": "^6.1.1",
     "@types/express": "^4.16.1",
+    "@types/express-brute": "^0.0.37",
     "@types/fs-extra": "^7.0.0",
     "@types/geolite2": "^1.2.0",
     "@types/hapi__joi": "^15.0.1",
@@ -76,6 +77,7 @@
     "crypto-random-string": "^3.0.0",
     "express": "^4.17.0",
     "express-async-handler": "^1.1.4",
+    "express-brute": "^1.0.1",
     "fs-extra": "^8.0.1",
     "geolite2": "^1.2.1",
     "googleapis": "^40.0.0",

src/config.ts

@@ -4,6 +4,12 @@ config();
 // Server
 export const PORT = process.env.PORT ? parseInt(process.env.PORT) : 7007;
 export const SENTRY_DSN = process.env.SENTRY_DSN || "";
+export const BRUTE_FREE_RETRIES = process.env.BRUTE_FREE_RETRIES
+  ? parseInt(process.env.BRUTE_FREE_RETRIES)
+  : 10;
+export const BRUTE_LIFETIME = process.env.BRUTE_LIFETIME
+  ? parseInt(process.env.BRUTE_LIFETIME)
+  : 300000;
 
 // Database
 export const DB_HOST = process.env.DB_HOST || "localhost";

src/controllers/auth.ts

@@ -19,20 +19,21 @@ import {
   Post,
   Controller,
   Middleware,
-  ClassWrapper
+  ClassWrapper,
+  ClassMiddleware
 } from "@overnightjs/core";
-import { authHandler } from "../helpers/middleware";
+import { authHandler, bruteForceHandler } from "../helpers/middleware";
 import { CREATED } from "http-status-codes";
 import asyncHandler from "express-async-handler";
 import { joiValidate } from "../helpers/utils";
 import Joi from "@hapi/joi";
 
 @Controller("auth")
+@ClassMiddleware(bruteForceHandler)
 @ClassWrapper(asyncHandler)
 export class AuthController {
   @Post("register")
   async register(req: Request, res: Response) {
-    const name = req.body.name;
     const email = req.body.email;
     joiValidate(
       {

src/helpers/middleware.ts

@@ -1,7 +1,14 @@
 import { Request, Response, NextFunction } from "express";
+import Brute from "express-brute";
 import { safeError } from "./errors";
 import { verifyToken } from "./jwt";
 import { ErrorCode, Tokens } from "../interfaces/enum";
+import { BRUTE_LIFETIME, BRUTE_FREE_RETRIES } from "../config";
+const store = new Brute.MemoryStore();
+const bruteForce = new Brute(store, {
+  freeRetries: BRUTE_FREE_RETRIES,
+  lifetime: BRUTE_LIFETIME
+});
 
 /**
  * Handle any errors for Express
@@ -63,3 +70,8 @@ export const authHandler = async (
     return res.json(error);
   }
 };
+
+/**
+ * Brute force middleware
+ */
+export const bruteForceHandler = bruteForce.prevent;

yarn.lock

@@ -1106,6 +1106,13 @@
   resolved "https://registry.yarnpkg.com/@types/events/-/events-3.0.0.tgz#2862f3f58a9a7f7c3e78d79f130dd4d71c25c2a7"
   integrity sha512-EaObqwIvayI5a8dCzhFrjKzVwKLxjoG9T6Ppd5CEo07LRKfQ8Yokw54r5+Wq7FaBQ+yXRvQAYPrHwya1/UFt9g==
 
+"@types/express-brute@^0.0.37":
+  version "0.0.37"
+  resolved "https://registry.yarnpkg.com/@types/express-brute/-/express-brute-0.0.37.tgz#0660dd3010dfe33e0dbf2bc971a48dd1d9c366f2"
+  integrity sha512-N1eDsPeRadiaLLfcCOxtQWSNN7ipdrg7IvRZNzQaUTvVvfGYwu8eZHOBbRrYb632jooc2Mmzz+TovBm+44itFA==
+  dependencies:
+    "@types/express" "*"
+
 "@types/express-serve-static-core@*":
   version "4.16.2"
   resolved "https://registry.yarnpkg.com/@types/express-serve-static-core/-/express-serve-static-core-4.16.2.tgz#5ee8a22e602005be6767df6b2cba9879df3f75aa"
@@ -2590,6 +2597,14 @@ express-async-handler@^1.1.4:
   resolved "https://registry.yarnpkg.com/express-async-handler/-/express-async-handler-1.1.4.tgz#225a84908df63b35ae9df94b6f0f1af061266426"
   integrity sha512-HdmbVF4V4w1q/iz++RV7bUxIeepTukWewiJGkoCKQMtvPF11MLTa7It9PRc/reysXXZSEyD4Pthchju+IUbMiQ==
 
+express-brute@^1.0.1:
+  version "1.0.1"
+  resolved "https://registry.yarnpkg.com/express-brute/-/express-brute-1.0.1.tgz#9f36d107fe34e40a682593e39bffcc53102b5335"
+  integrity sha1-nzbRB/405ApoJZPjm//MUxArUzU=
+  dependencies:
+    long-timeout "~0.1.1"
+    underscore "~1.8.3"
+
 express@^4.16.3, express@^4.17.0:
   version "4.17.1"
   resolved "https://registry.yarnpkg.com/express/-/express-4.17.1.tgz#4491fc38605cf51f8629d39c2b5d026f98a4c134"
@@ -4286,6 +4301,11 @@ log-driver@^1.2.7:
   resolved "https://registry.yarnpkg.com/log-driver/-/log-driver-1.2.7.tgz#63b95021f0702fedfa2c9bb0a24e7797d71871d8"
   integrity sha512-U7KCmLdqsGHBLeWqYlFA0V0Sl6P08EE1ZrmA9cxjUE0WVqT9qnyVDPz1kzpFEP0jdJuFnasWIfSd7fsaNXkpbg==
 
+long-timeout@~0.1.1:
+  version "0.1.1"
+  resolved "https://registry.yarnpkg.com/long-timeout/-/long-timeout-0.1.1.tgz#9721d788b47e0bcb5a24c2e2bee1a0da55dab514"
+  integrity sha1-lyHXiLR+C8taJMLivuGg2lXatRQ=
+
 loose-envify@^1.0.0:
   version "1.4.0"
   resolved "https://registry.yarnpkg.com/loose-envify/-/loose-envify-1.4.0.tgz#71ee51fa7be4caec1a63839f7e682d8132d30caf"
@@ -6238,6 +6258,11 @@ undefsafe@^2.0.2:
   dependencies:
     debug "^2.2.0"
 
+underscore@~1.8.3:
+  version "1.8.3"
+  resolved "https://registry.yarnpkg.com/underscore/-/underscore-1.8.3.tgz#4f3fb53b106e6097fcf9cb4109f2a5e9bdfa5022"
+  integrity sha1-Tz+1OxBuYJf8+ctBCfKl6b36UCI=
+
 unicode-canonical-property-names-ecmascript@^1.0.4:
   version "1.0.4"
   resolved "https://registry.yarnpkg.com/unicode-canonical-property-names-ecmascript/-/unicode-canonical-property-names-ecmascript-1.0.4.tgz#2619800c4c825800efdd8343af7dd9933cbe2818"