From 09b64c82dffc8768362703361f57f70093deee39 Mon Sep 17 00:00:00 2001
From: Harry Wolff
Date: Sat, 4 Jan 2014 21:46:15 -0500
Subject: [PATCH] Remove successful login connections from the auth throttle list

- once a user has successfully logged into ghost they no longer are a malicious user and as such their IP address should be removed from the array of login attempts
- should also reduce the memory usage of Ghost as the loginSecurity array gets pruned upon every successful login
- this also fixes a race condition i was experiencing during functional tests wherein i would receive the login throttle message during regular testing. Seems my machine is able to run casper fast enough that it could complete each test under an amount of time that tripped the login throttle message.
---
 core/server/controllers/admin.js | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/core/server/controllers/admin.js b/core/server/controllers/admin.js
index c4cf34887b..230beedab4 100644
--- a/core/server/controllers/admin.js
+++ b/core/server/controllers/admin.js
@@ -72,16 +72,17 @@ adminControllers = {
 },
 'auth': function (req, res) {
 var currentTime = process.hrtime()[0],
+ remoteAddress = req.connection.remoteAddress,
 denied = '';
 loginSecurity = _.filter(loginSecurity, function (ipTime) {
 return (ipTime.time + 2 > currentTime);
 });
 denied = _.find(loginSecurity, function (ipTime) {
- return (ipTime.ip === req.connection.remoteAddress);
+ return (ipTime.ip === remoteAddress);
 });
 if (!denied) {
- loginSecurity.push({ip: req.connection.remoteAddress, time: process.hrtime()[0]});
+ loginSecurity.push({ip: remoteAddress, time: currentTime});
 api.users.check({email: req.body.email, pw: req.body.password}).then(function (user) {
 req.session.regenerate(function (err) {
 if (!err) {
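Review bot: The throttle key introduced on the new `remoteAddress = req.connection.remoteAddress,` line is the raw TCP peer address, so if Ghost sits behind a reverse proxy every visitor shares the proxy's address: one login attempt then blocks all other users for the two-second window, and the actual client is never distinguished. This is an Express handler (`req.body`, `req.session`, `res.json`), so `remoteAddress = req.ip,` together with `trust proxy` enabled would key on the forwarded client address instead; whether Ghost is deployed behind a proxy and whether `trust proxy` is configured is not visible here and should be confirmed against the app setup. Note also that the entry is pushed before `api.users.check` resolves, so the window applies to correct and incorrect logins alike — a rate limit rather than a failure counter, which is presumably intended. The `auth` handler continues past the end of this hunk.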
@@ -90,7 +91,11 @@ adminControllers = {
 if (req.body.redirect) {
 redirect += decodeURIComponent(req.body.redirect);
 }
-
+ // If this IP address successfully logins we
+ // can remove it from the array of failed login attempts.
+ loginSecurity = _.reject(loginSecurity, function (ipTime) {
+ return ipTime.ip === remoteAddress;
+ });
 res.json(200, {redirect: redirect});
 }
 });
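Review bot: Removing every `loginSecurity` entry for `remoteAddress` on a successful login lets anyone who holds one valid credential reset the per-IP throttle at will: alternating a known-good login with guesses for other accounts means the two-second block in the earlier hunk never takes effect. The memory argument in the description is also weak, since the `_.filter` in the preceding hunk already drops entries older than two seconds on every request, so the array is bounded without this reset. If the reset is kept for the test-speed reason, it should at least be scoped to the account that authenticated rather than the whole address — store `email: req.body.email` on the entry pushed in the earlier hunk and reject with `return ipTime.ip === remoteAddress && ipTime.email === req.body.email;` — which still leaves guesses against other accounts from that address throttled. The `auth` handler and the `then`/`regenerate` callbacks this code sits inside all start outside the hunk.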