ghost/core/server/middleware/brute.js

var spamPrevention = require('./api/spam-prevention');

module.exports = {
    globalBlock: spamPrevention.globalBlock.getMiddleware({
        // We want to ignore req.ip and instead use req.connection.remoteAddress
        ignoreIP: true,
        key: function (req, res, next) {
            req.authInfo = req.authInfo || {};
            req.authInfo.ip = req.connection.remoteAddress;
            req.body.connection = req.connection.remoteAddress;

            next(req.authInfo.ip);
        }
    }),
    globalReset: spamPrevention.globalReset.getMiddleware({
        ignoreIP: true,
        key: function (req, res, next) {
            req.authInfo = req.authInfo || {};
            req.authInfo.ip = req.connection.remoteAddress;
            // prevent too many attempts for the same email address but keep separate to login brute force prevention
            next(req.authInfo.ip);
        }
    }),
    userLogin: spamPrevention.userLogin.getMiddleware({
        ignoreIP: true,
        key: function (req, res, next) {
            req.authInfo = req.authInfo || {};
            req.authInfo.ip = req.connection.remoteAddress || req.ip;
            // prevent too many attempts for the same username
            if (req.body.username) {
                return next(req.authInfo.ip + req.body.username + 'login');
            }

            if (req.body.authorizationCode) {
                return next(req.authInfo.ip + req.body.authorizationCode + 'login');
            }

            if (req.body.refresh_token) {
                return next(req.authInfo.ip + req.body.refresh_token + 'login');
            }

            return next();
        }
    }),
    userReset: spamPrevention.userReset.getMiddleware({
        ignoreIP: true,
        key: function (req, res, next) {
            req.authInfo = req.authInfo || {};
            req.authInfo.ip = req.connection.remoteAddress;
            // prevent too many attempts for the same email address but keep separate to login brute force prevention
            next(req.authInfo.ip + req.body.username + 'reset');
        }
    }),
    privateBlog: spamPrevention.privateBlog.getMiddleware({
        ignoreIP: true,
        key: function (req, res, next) {
            req.authInfo = req.authInfo || {};
            req.authInfo.ip = req.connection.remoteAddress;
            // prevent too many attempts for the same email address but keep separate to login brute force prevention
            next(req.authInfo.ip + 'private');
        }
    })
};
Replace memory spam prevention with brute-express (#7579) no issue - removes count from user checks model - uses brute express brute with brute-knex adaptor to store persisted data on spam prevention - implement brute force protection for password/token exchange, password resets and private blogging 2016-11-08 11:33:19 +00:00			`var spamPrevention = require('./api/spam-prevention');`

			`module.exports = {`
			`globalBlock: spamPrevention.globalBlock.getMiddleware({`
			`// We want to ignore req.ip and instead use req.connection.remoteAddress`
			`ignoreIP: true,`
			`key: function (req, res, next) {`
			`req.authInfo = req.authInfo \|\| {};`
			`req.authInfo.ip = req.connection.remoteAddress;`
			`req.body.connection = req.connection.remoteAddress;`
Fix brute for token exchanges (#7725) closes #7722 - fixes issue where token exhanges are logged with an undefined email address causing lockouts - use more relevant translations for errors 2016-11-17 13:02:56 +00:00
Replace memory spam prevention with brute-express (#7579) no issue - removes count from user checks model - uses brute express brute with brute-knex adaptor to store persisted data on spam prevention - implement brute force protection for password/token exchange, password resets and private blogging 2016-11-08 11:33:19 +00:00			`next(req.authInfo.ip);`
			`}`
			`}),`
			`globalReset: spamPrevention.globalReset.getMiddleware({`
			`ignoreIP: true,`
			`key: function (req, res, next) {`
			`req.authInfo = req.authInfo \|\| {};`
			`req.authInfo.ip = req.connection.remoteAddress;`
			`// prevent too many attempts for the same email address but keep separate to login brute force prevention`
			`next(req.authInfo.ip);`
			`}`
			`}),`
			`userLogin: spamPrevention.userLogin.getMiddleware({`
			`ignoreIP: true,`
			`key: function (req, res, next) {`
			`req.authInfo = req.authInfo \|\| {};`
Fix brute for token exchanges (#7725) closes #7722 - fixes issue where token exhanges are logged with an undefined email address causing lockouts - use more relevant translations for errors 2016-11-17 13:02:56 +00:00			`req.authInfo.ip = req.connection.remoteAddress \|\| req.ip;`
Replace memory spam prevention with brute-express (#7579) no issue - removes count from user checks model - uses brute express brute with brute-knex adaptor to store persisted data on spam prevention - implement brute force protection for password/token exchange, password resets and private blogging 2016-11-08 11:33:19 +00:00			`// prevent too many attempts for the same username`
Fix brute for token exchanges (#7725) closes #7722 - fixes issue where token exhanges are logged with an undefined email address causing lockouts - use more relevant translations for errors 2016-11-17 13:02:56 +00:00			`if (req.body.username) {`
			`return next(req.authInfo.ip + req.body.username + 'login');`
			`}`

			`if (req.body.authorizationCode) {`
			`return next(req.authInfo.ip + req.body.authorizationCode + 'login');`
			`}`

			`if (req.body.refresh_token) {`
			`return next(req.authInfo.ip + req.body.refresh_token + 'login');`
			`}`

			`return next();`
Replace memory spam prevention with brute-express (#7579) no issue - removes count from user checks model - uses brute express brute with brute-knex adaptor to store persisted data on spam prevention - implement brute force protection for password/token exchange, password resets and private blogging 2016-11-08 11:33:19 +00:00			`}`
			`}),`
			`userReset: spamPrevention.userReset.getMiddleware({`
			`ignoreIP: true,`
			`key: function (req, res, next) {`
			`req.authInfo = req.authInfo \|\| {};`
			`req.authInfo.ip = req.connection.remoteAddress;`
			`// prevent too many attempts for the same email address but keep separate to login brute force prevention`
			`next(req.authInfo.ip + req.body.username + 'reset');`
			`}`
			`}),`
			`privateBlog: spamPrevention.privateBlog.getMiddleware({`
			`ignoreIP: true,`
			`key: function (req, res, next) {`
			`req.authInfo = req.authInfo \|\| {};`
			`req.authInfo.ip = req.connection.remoteAddress;`
			`// prevent too many attempts for the same email address but keep separate to login brute force prevention`
			`next(req.authInfo.ip + 'private');`
			`}`
			`})`
			`};`