Merge pull request #9 from mrk-te/login_max_attemps

Lock user account after login failures

config/config.yaml.ci

@@ -17,6 +17,11 @@ app:
   # no trailing slash
   api_url: 'http://127.0.0.1:8181'
   www_url: 'https://yourdomain.com'
+  login:
+    # Max failed login attemps. Set to -1 to disable
+    max_attemps: 5
+    # User locked for this duration in seconds
+    lock_duration: 60
   emails:
     admin: 'admin@turtlapp.com'
     info: 'Turtl <info@turtlapp.com>'
@@ -49,5 +54,3 @@ s3:
   bucket: ''
   endpoint: 'https://s3.amazonaws.com'
   pathstyle: false
-
-

config/config.yaml.default

@@ -18,6 +18,11 @@ app:
   # no trailing slash
   api_url: 'http://api.yourdomain.com:8181'
   www_url: 'https://yourdomain.com'
+  login:
+    # Max failed login attemps. Set to -1 to disable
+    max_attemps: 5
+    # User locked for this duration in seconds
+    lock_duration: 60
   emails:
     admin: 'admin@turtlapp.com'
     info: 'Turtl <info@turtlapp.com>'
@@ -64,4 +69,3 @@ s3:
   bucket: ''
   endpoint: 'https://s3.amazonaws.com'
   pathstyle: false
-

config/config.yaml.docker

@@ -17,6 +17,11 @@ app:
   # no trailing slash
   api_url: 'http://127.0.0.1:8181'
   www_url: 'https://yourdomain.com'
+  login:
+    # Max failed login attemps. Set to -1 to disable
+    max_attemps: 5
+    # User locked for this duration in seconds
+    lock_duration: 60
   emails:
     admin: 'admin@turtlapp.com'
     info: 'Turtl <info@turtlapp.com>'

models/user.js

@@ -1,5 +1,7 @@
 "use strict";
 
+const log = require('../helpers/log');
+
 var db = require('../helpers/db');
 var config = require('../helpers/config');
 var Promise = require('bluebird');
@@ -96,7 +98,19 @@ exports.check_auth = function(authinfo) {
 		.then(function(user) {
 			if(!user) throw error.forbidden('bad login: '+username);
 			if(!user.active) throw error.forbidden('user inactive');
-			if(!secure_compare(user.auth, auth_hash(auth))) throw error.forbidden('bad login');
+			if(config.app.login.max_attemps > 0 && user.login_failed_count >= config.app.login.max_attemps) {
+				var currentDate = new Date();
+				if(currentDate.getTime() - user.login_failed_last.getTime() <= config.app.login.lock_duration*1000) {
+					throw error.forbidden('user locked');
+				}
+			}
+			if(!secure_compare(user.auth, auth_hash(auth))) {
+				exports.update_login_failed(user.id);
+				throw error.forbidden('bad login');
+			} else {
+				exports.reset_login_failed(user.id);
+			}
+
 			return clean_user(user);
 		});
 };
@@ -430,6 +444,14 @@ exports.update_last_login = function(user_id) {
 	return db.query('UPDATE users SET last_login = NOW() WHERE id = {{user_id}}', {user_id: user_id});
 };
 
+exports.update_login_failed = function(user_id) {
+	return db.query('UPDATE users SET login_failed_last = NOW(), login_failed_count = login_failed_count + 1 WHERE id = {{user_id}}', {user_id: user_id});
+};
+
+exports.reset_login_failed = function(user_id) {
+	return db.query('UPDATE users SET login_failed_last = NULL, login_failed_count = 0 WHERE id = {{user_id}}', {user_id: user_id});
+};
+
 exports.get_by_emails = function(emails) {
 	return db.by_ids('users', emails, {id_field: 'username'})
 };
@@ -495,4 +517,3 @@ sync_model.register('user', {
 	edit: edit,
 	link: link,
 });
-

tools/create-db-schema.js

@@ -50,6 +50,8 @@ const builder = {
 	},
 	not_null: function(type) { return type+' not null'; },
 
+  default: function(type, df) { return type+' default '+df; },
+
 	table: function(table_name, options) {
 		var fields = options.fields;
 		var table_indexes = options.indexes;
@@ -215,6 +217,8 @@ builder.table('users', {
 		confirmation_token: ty.text,
 		data: ty.json,
 		last_login: ty.date,
+    login_failed_last: ty.date,
+    login_failed_count: builder.default(ty.int, 0),
 	},
 	indexes: [
 		{name: 'username', fields: ['username'], unique: true},
@@ -257,4 +261,3 @@ function run() {
 }
 
 run();
-