Remove successful login connections from the auth

throttle list - once a user has successfully logged into ghost they no longer are a malicious user and as such their IP address should be removed from the array of login attempts - should also reduce the memory usage of Ghost as the loginSecurity array gets pruned upon every successful login - this also fixes a race condition i was experiencing during functional tests wherein i would receive the login throttle message during regular testing. Seems my machine is able to run casper fast enough that it could complete each test under an amount of time that tripped the login throttle message.
2025-03-18 02:21:47 -05:00 · 2014-01-04 21:46:15 -05:00 · 2014-01-04 21:46:15 -05:00 · 09b64c82df
commit 09b64c82df
parent 3937c1bf0e
1 changed files with 8 additions and 3 deletions
--- a/core/server/controllers/admin.js
+++ b/core/server/controllers/admin.js
@ -72,16 +72,17 @@ adminControllers = {
    },
    'auth': function (req, res) {
        var currentTime = process.hrtime()[0],
+            remoteAddress = req.connection.remoteAddress,
            denied = '';
        loginSecurity = _.filter(loginSecurity, function (ipTime) {
            return (ipTime.time + 2 > currentTime);
        });
        denied = _.find(loginSecurity, function (ipTime) {
-            return (ipTime.ip === req.connection.remoteAddress);
+            return (ipTime.ip === remoteAddress);
        });

        if (!denied) {
-            loginSecurity.push({ip: req.connection.remoteAddress, time: process.hrtime()[0]});
+            loginSecurity.push({ip: remoteAddress, time: currentTime});
            api.users.check({email: req.body.email, pw: req.body.password}).then(function (user) {
                req.session.regenerate(function (err) {
                    if (!err) {
@ -90,7 +91,11 @@ adminControllers = {
                        if (req.body.redirect) {
                            redirect += decodeURIComponent(req.body.redirect);
                        }
-
+                        // If this IP address successfully logins we
+                        // can remove it from the array of failed login attempts.
+                        loginSecurity = _.reject(loginSecurity, function (ipTime) {
+                            return ipTime.ip === remoteAddress;
+                        });
                        res.json(200, {redirect: redirect});
                    }
                });