
Ability to query status without incrementing

Open zenorbi opened this issue 9 years ago • 5 comments

I have a server where clients authenticate themselves with tokens. I want to make sure nobody tries sending random tokens to find a working one. Random is the keyword, as I want to allow multiple requests using the same valid token. I cannot just reset upon a valid token as the attacker could easily create a token for itself, try breaking in but at the last attempt before protection kicks in use its valid token.

My solution would be:
1: query if I can check that the token is valid
  1.1: if I can't, just reject the request
  1.2: if I can, check that the token is valid
    1.2.1: if valid, allow in, do nothing with the brute
    1.2.2: if it isn't valid, increment the brute counter

tl;dr: I would like a method where I can just query the state, and I would like to manually increment the request count.

zenorbi avatar Jun 30 '15 14:06 zenorbi
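The check-then-increment flow described in the post above, as an added illustration that is not express-brute's own code (the project had no query-without-increment method at the time of this thread); `FailureTracker`, `authenticate`, the backoff parameters, the client key and the sample tokens are all assumed names and constructed values.

```javascript
// Added illustration of the issue's check / validate / increment-on-failure pattern.
// Not express-brute's API; every name and value here is an assumption for the demo.
class FailureTracker {
  // now: injectable clock (ms) so lockout behaviour can be reproduced deterministically
  constructor({ freeRetries = 2, minWaitMs = 500, maxWaitMs = 15 * 60 * 1000, now = Date.now } = {}) {
    this.freeRetries = freeRetries;
    this.minWaitMs = minWaitMs;
    this.maxWaitMs = maxWaitMs;
    this.now = now;
    this.state = new Map(); // key -> { count, nextAllowedAt }
  }
  // Step 1: a pure query. Reports whether an attempt may be made and changes nothing.
  canAttempt(key) {
    const s = this.state.get(key);
    return !s || this.now() >= s.nextAllowedAt;
  }
  // Step 1.2.2: the manual increment, called only after a token failed validation.
  recordFailure(key) {
    const s = this.state.get(key) || { count: 0, nextAllowedAt: 0 };
    s.count += 1;
    const over = s.count - this.freeRetries;
    // Exponential backoff once the free retries are spent, capped at maxWaitMs.
    const wait = over > 0 ? Math.min(this.minWaitMs * 2 ** (over - 1), this.maxWaitMs) : 0;
    s.nextAllowedAt = this.now() + wait;
    this.state.set(key, s);
    return s.count;
  }
}
// Steps 1 to 1.2.2: a valid token is neither rewarded (no reset) nor penalised;
// only invalid tokens move the counter, so an attacker's own valid token buys nothing.
function authenticate(tracker, clientKey, token, validTokens) {
  if (!tracker.canAttempt(clientKey)) return { ok: false, reason: 'locked' };
  if (validTokens.has(token)) return { ok: true, reason: 'valid' };
  tracker.recordFailure(clientKey);
  return { ok: false, reason: 'invalid' };
}
// Constructed sample run with a frozen clock so the lockout is observable.
function demo() {
  let t = 0;
  const tracker = new FailureTracker({ freeRetries: 2, minWaitMs: 1000, now: () => t });
  const valid = new Set(['tok-good']); // constructed sample token
  const results = [];
  for (const tok of ['tok-a', 'tok-good', 'tok-b', 'tok-c', 'tok-good']) {
    results.push(authenticate(tracker, '203.0.113.7', tok, valid).reason);
  }
  return results; // ['invalid', 'valid', 'invalid', 'invalid', 'locked']
}
```

The final attempt in `demo()` is rejected even though the token is valid, which is the interleaving case the post describes: a valid request in the middle does not reset the counter, and once the client is locked out the valid token is not checked at all.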

My first inclination was to have a .decrement method that you could call instead of .reset on valid requests - but two trips to the persistent store is a bit messy. Maybe a better option is just letting you specify an autoincrement: false or something, then have an increment method you could call manually. Let me noodle on this a bit more and see if I can come up with a better solution.

AdamPflug avatar Jul 16 '15 04:07 AdamPflug

@AdamPflug

Just wanted to chime in here with my 2 pennies.

First off this package is SUPER TERRIFIC!

and then some thoughts on this issue with responses.

two trips to the persistent store is a bit messy

Agreed.

Maybe a better option is just letting you specify a autoincrement: false or something, then have an increment method you could call manually.

We could benefit from this as a pre-filter option (on routing)... although we're probably going to put something before express-brute as that pre-filter... but this would add to this package's already flexible nature if added.

Thank you from the entire OUJS team for your great contribution!

Martii avatar Apr 14 '16 21:04 Martii

@AdamPflug have you ever implemented the autoincrement option alongside the increment method?

hugoduraes avatar Mar 13 '17 17:03 hugoduraes

@AdamPflug

My first inclination was to have a .decrement method that you could call instead of .reset on valid requests - but two trips to the persistent store is a bit messy. Maybe a better option is just letting you specify an autoincrement: false or something, then have an increment method you could call manually. Let me noodle on this a bit more and see if I can come up with a better solution.

Was this implemented?

ManuZenou avatar Jul 04 '17 14:07 ManuZenou

@ManuZenou no, not yet. I'm open to pull requests though.

AdamPflug avatar Jul 10 '17 04:07 AdamPflug