
Add incorrect password timeouts

Open alarner opened this issue 9 years ago • 2 comments

If a user enters an incorrect password too many times (this should be configurable in config/auth.js), they should be locked out from logging in for a configurable amount of time.

This will involve creating a new table to keep track of authentication attempts and whether or not they were successful and from which IP addresses.

alarner commented Jun 30 '16 02:06

Schema might look something like this:

-- One row per login attempt, successful or not; the lockout check counts
-- recent rows with auth_error <> 0 for a given identifier.
CREATE TABLE IF NOT EXISTS `user_auth_attempts` (
    `user_auth_attempt_id` INT(10) UNSIGNED NOT NULL AUTO_INCREMENT,
    `auth_type` TINYINT(4) UNSIGNED NOT NULL,        -- which auth method (e.g. password) was used
    `auth_identifier` VARCHAR(255) NOT NULL,         -- what the user logged in with (e.g. email)
    `auth_error` TINYINT(3) UNSIGNED DEFAULT 0,      -- 0 = success, non-zero = failure code
    `ip` VARCHAR(45) DEFAULT NULL,                   -- 45 fits IPv4-mapped IPv6 text form
    `date` DATETIME NOT NULL,
    PRIMARY KEY (`user_auth_attempt_id`),
    -- the lockout query filters by identifier and time window, so index both
    KEY `idx_auth_identifier_date` (`auth_identifier`, `date`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

alarner commented Aug 18 '16 00:08

Here's the file where we need to hook in the logging of attempts: https://github.com/alarner/perk/blob/master/routes/auth.js#L129

alarner commented Aug 18 '16 00:08