ghost/core/server/middleware/brute.js

var url = require('url'),
    spamPrevention = require('./api/spam-prevention');

/**
 * We set ignoreIP to false, because we tell brute-knex to use `req.ip`.
 * We can use `req.ip`, because express trust proxy option is enabled.
 */
module.exports = {
    /**
     * block per route per ip
     */
    globalBlock: spamPrevention.globalBlock.getMiddleware({
        ignoreIP: false,
        key: function (req, res, next) {
            next(url.parse(req.url).pathname);
        }
    }),
    /**
     * block per route per ip
     */
    globalReset: spamPrevention.globalReset.getMiddleware({
        ignoreIP: false,
        key: function (req, res, next) {
            next(url.parse(req.url).pathname);
        }
    }),
    /**
     * block per user
     * username === email!
     */
    userLogin: spamPrevention.userLogin.getMiddleware({
        ignoreIP: false,
        key: function (req, res, next) {
            if (req.body.username) {
                return next(req.body.username + 'login');
            }

            if (req.body.authorizationCode) {
                return next(req.body.authorizationCode + 'login');
            }

            if (req.body.refresh_token) {
                return next(req.body.refresh_token + 'login');
            }

            return next();
        }
    }),
    /**
     * block per user
     */
    userReset: spamPrevention.userReset.getMiddleware({
        ignoreIP: false,
        key: function (req, res, next) {
            next(req.body.username + 'reset');
        }
    }),
    privateBlog: spamPrevention.privateBlog.getMiddleware({
        ignoreIP: false,
        key: function (req, res, next) {
            next('privateblog');
        }
    })
};
🎨 optimisations for brute (#7867) closes #7766, refs #7579 - ensure we are using the correct brute keys - ensure we are using req.ip as Ghost is configured with trust proxy option - tidy up a little 2017-01-23 22:44:39 +01:00			`var url = require('url'),`
			`spamPrevention = require('./api/spam-prevention');`
Replace memory spam prevention with brute-express (#7579) no issue - removes count from user checks model - uses brute express brute with brute-knex adaptor to store persisted data on spam prevention - implement brute force protection for password/token exchange, password resets and private blogging 2016-11-08 11:33:19 +00:00
🎨 optimisations for brute (#7867) closes #7766, refs #7579 - ensure we are using the correct brute keys - ensure we are using req.ip as Ghost is configured with trust proxy option - tidy up a little 2017-01-23 22:44:39 +01:00			`/**`
			* We set ignoreIP to false, because we tell brute-knex to use `req.ip`.
			* We can use `req.ip`, because express trust proxy option is enabled.
			`*/`
Replace memory spam prevention with brute-express (#7579) no issue - removes count from user checks model - uses brute express brute with brute-knex adaptor to store persisted data on spam prevention - implement brute force protection for password/token exchange, password resets and private blogging 2016-11-08 11:33:19 +00:00			`module.exports = {`
🎨 optimisations for brute (#7867) closes #7766, refs #7579 - ensure we are using the correct brute keys - ensure we are using req.ip as Ghost is configured with trust proxy option - tidy up a little 2017-01-23 22:44:39 +01:00			`/**`
			`* block per route per ip`
			`*/`
Replace memory spam prevention with brute-express (#7579) no issue - removes count from user checks model - uses brute express brute with brute-knex adaptor to store persisted data on spam prevention - implement brute force protection for password/token exchange, password resets and private blogging 2016-11-08 11:33:19 +00:00			`globalBlock: spamPrevention.globalBlock.getMiddleware({`
🎨 optimisations for brute (#7867) closes #7766, refs #7579 - ensure we are using the correct brute keys - ensure we are using req.ip as Ghost is configured with trust proxy option - tidy up a little 2017-01-23 22:44:39 +01:00			`ignoreIP: false,`
Replace memory spam prevention with brute-express (#7579) no issue - removes count from user checks model - uses brute express brute with brute-knex adaptor to store persisted data on spam prevention - implement brute force protection for password/token exchange, password resets and private blogging 2016-11-08 11:33:19 +00:00			`key: function (req, res, next) {`
🎨 optimisations for brute (#7867) closes #7766, refs #7579 - ensure we are using the correct brute keys - ensure we are using req.ip as Ghost is configured with trust proxy option - tidy up a little 2017-01-23 22:44:39 +01:00			`next(url.parse(req.url).pathname);`
Replace memory spam prevention with brute-express (#7579) no issue - removes count from user checks model - uses brute express brute with brute-knex adaptor to store persisted data on spam prevention - implement brute force protection for password/token exchange, password resets and private blogging 2016-11-08 11:33:19 +00:00			`}`
			`}),`
🎨 optimisations for brute (#7867) closes #7766, refs #7579 - ensure we are using the correct brute keys - ensure we are using req.ip as Ghost is configured with trust proxy option - tidy up a little 2017-01-23 22:44:39 +01:00			`/**`
			`* block per route per ip`
			`*/`
Replace memory spam prevention with brute-express (#7579) no issue - removes count from user checks model - uses brute express brute with brute-knex adaptor to store persisted data on spam prevention - implement brute force protection for password/token exchange, password resets and private blogging 2016-11-08 11:33:19 +00:00			`globalReset: spamPrevention.globalReset.getMiddleware({`
🎨 optimisations for brute (#7867) closes #7766, refs #7579 - ensure we are using the correct brute keys - ensure we are using req.ip as Ghost is configured with trust proxy option - tidy up a little 2017-01-23 22:44:39 +01:00			`ignoreIP: false,`
Replace memory spam prevention with brute-express (#7579) no issue - removes count from user checks model - uses brute express brute with brute-knex adaptor to store persisted data on spam prevention - implement brute force protection for password/token exchange, password resets and private blogging 2016-11-08 11:33:19 +00:00			`key: function (req, res, next) {`
🎨 optimisations for brute (#7867) closes #7766, refs #7579 - ensure we are using the correct brute keys - ensure we are using req.ip as Ghost is configured with trust proxy option - tidy up a little 2017-01-23 22:44:39 +01:00			`next(url.parse(req.url).pathname);`
Replace memory spam prevention with brute-express (#7579) no issue - removes count from user checks model - uses brute express brute with brute-knex adaptor to store persisted data on spam prevention - implement brute force protection for password/token exchange, password resets and private blogging 2016-11-08 11:33:19 +00:00			`}`
			`}),`
🎨 optimisations for brute (#7867) closes #7766, refs #7579 - ensure we are using the correct brute keys - ensure we are using req.ip as Ghost is configured with trust proxy option - tidy up a little 2017-01-23 22:44:39 +01:00			`/**`
			`* block per user`
			`* username === email!`
			`*/`
Replace memory spam prevention with brute-express (#7579) no issue - removes count from user checks model - uses brute express brute with brute-knex adaptor to store persisted data on spam prevention - implement brute force protection for password/token exchange, password resets and private blogging 2016-11-08 11:33:19 +00:00			`userLogin: spamPrevention.userLogin.getMiddleware({`
🎨 optimisations for brute (#7867) closes #7766, refs #7579 - ensure we are using the correct brute keys - ensure we are using req.ip as Ghost is configured with trust proxy option - tidy up a little 2017-01-23 22:44:39 +01:00			`ignoreIP: false,`
Replace memory spam prevention with brute-express (#7579) no issue - removes count from user checks model - uses brute express brute with brute-knex adaptor to store persisted data on spam prevention - implement brute force protection for password/token exchange, password resets and private blogging 2016-11-08 11:33:19 +00:00			`key: function (req, res, next) {`
Fix brute for token exchanges (#7725) closes #7722 - fixes issue where token exhanges are logged with an undefined email address causing lockouts - use more relevant translations for errors 2016-11-17 13:02:56 +00:00			`if (req.body.username) {`
🎨 optimisations for brute (#7867) closes #7766, refs #7579 - ensure we are using the correct brute keys - ensure we are using req.ip as Ghost is configured with trust proxy option - tidy up a little 2017-01-23 22:44:39 +01:00			`return next(req.body.username + 'login');`
Fix brute for token exchanges (#7725) closes #7722 - fixes issue where token exhanges are logged with an undefined email address causing lockouts - use more relevant translations for errors 2016-11-17 13:02:56 +00:00			`}`

			`if (req.body.authorizationCode) {`
🎨 optimisations for brute (#7867) closes #7766, refs #7579 - ensure we are using the correct brute keys - ensure we are using req.ip as Ghost is configured with trust proxy option - tidy up a little 2017-01-23 22:44:39 +01:00			`return next(req.body.authorizationCode + 'login');`
Fix brute for token exchanges (#7725) closes #7722 - fixes issue where token exhanges are logged with an undefined email address causing lockouts - use more relevant translations for errors 2016-11-17 13:02:56 +00:00			`}`

			`if (req.body.refresh_token) {`
🎨 optimisations for brute (#7867) closes #7766, refs #7579 - ensure we are using the correct brute keys - ensure we are using req.ip as Ghost is configured with trust proxy option - tidy up a little 2017-01-23 22:44:39 +01:00			`return next(req.body.refresh_token + 'login');`
Fix brute for token exchanges (#7725) closes #7722 - fixes issue where token exhanges are logged with an undefined email address causing lockouts - use more relevant translations for errors 2016-11-17 13:02:56 +00:00			`}`

			`return next();`
Replace memory spam prevention with brute-express (#7579) no issue - removes count from user checks model - uses brute express brute with brute-knex adaptor to store persisted data on spam prevention - implement brute force protection for password/token exchange, password resets and private blogging 2016-11-08 11:33:19 +00:00			`}`
			`}),`
🎨 optimisations for brute (#7867) closes #7766, refs #7579 - ensure we are using the correct brute keys - ensure we are using req.ip as Ghost is configured with trust proxy option - tidy up a little 2017-01-23 22:44:39 +01:00			`/**`
			`* block per user`
			`*/`
Replace memory spam prevention with brute-express (#7579) no issue - removes count from user checks model - uses brute express brute with brute-knex adaptor to store persisted data on spam prevention - implement brute force protection for password/token exchange, password resets and private blogging 2016-11-08 11:33:19 +00:00			`userReset: spamPrevention.userReset.getMiddleware({`
🎨 optimisations for brute (#7867) closes #7766, refs #7579 - ensure we are using the correct brute keys - ensure we are using req.ip as Ghost is configured with trust proxy option - tidy up a little 2017-01-23 22:44:39 +01:00			`ignoreIP: false,`
Replace memory spam prevention with brute-express (#7579) no issue - removes count from user checks model - uses brute express brute with brute-knex adaptor to store persisted data on spam prevention - implement brute force protection for password/token exchange, password resets and private blogging 2016-11-08 11:33:19 +00:00			`key: function (req, res, next) {`
🎨 optimisations for brute (#7867) closes #7766, refs #7579 - ensure we are using the correct brute keys - ensure we are using req.ip as Ghost is configured with trust proxy option - tidy up a little 2017-01-23 22:44:39 +01:00			`next(req.body.username + 'reset');`
Replace memory spam prevention with brute-express (#7579) no issue - removes count from user checks model - uses brute express brute with brute-knex adaptor to store persisted data on spam prevention - implement brute force protection for password/token exchange, password resets and private blogging 2016-11-08 11:33:19 +00:00			`}`
			`}),`
			`privateBlog: spamPrevention.privateBlog.getMiddleware({`
🎨 optimisations for brute (#7867) closes #7766, refs #7579 - ensure we are using the correct brute keys - ensure we are using req.ip as Ghost is configured with trust proxy option - tidy up a little 2017-01-23 22:44:39 +01:00			`ignoreIP: false,`
Replace memory spam prevention with brute-express (#7579) no issue - removes count from user checks model - uses brute express brute with brute-knex adaptor to store persisted data on spam prevention - implement brute force protection for password/token exchange, password resets and private blogging 2016-11-08 11:33:19 +00:00			`key: function (req, res, next) {`
🎨 optimisations for brute (#7867) closes #7766, refs #7579 - ensure we are using the correct brute keys - ensure we are using req.ip as Ghost is configured with trust proxy option - tidy up a little 2017-01-23 22:44:39 +01:00			`next('privateblog');`
Replace memory spam prevention with brute-express (#7579) no issue - removes count from user checks model - uses brute express brute with brute-knex adaptor to store persisted data on spam prevention - implement brute force protection for password/token exchange, password resets and private blogging 2016-11-08 11:33:19 +00:00			`}`
			`})`
			`};`