failCallback not triggered

[carlo161]

Hello, thanks for the very useful module. I'm trying to implement it in my application but it is not working. I tried both with Mongoose and with ExpressBrute.MemoryStore.

var failCallback = function (req, res, next, nextValidRequestDate) {
console.log('err');
};
var ExpressBrute = require('express-brute');

var store = new ExpressBrute.MemoryStore(); // stores state locally, don't use this in production 
var bruteforce = new ExpressBrute(store, {
    freeRetries: 3,
    minWait: 60*1000, // 1 minutes 
    maxWait: 60*60*1000,
    failCallback: failCallback
});

app.post('/auth',
    bruteforce.prevent, // error 429 if we hit this route too often 
    function (req, res, next) {
        console.log('aaa');
    }
);

// Brute-Force Limiter configuration
/*
var bruteForcemodel = mongoose.model('BruteForce', bruteForceSchema,'BruteForce');
var bruteForceStore = new mongooseStore(bruteForcemodel);
var bruteForce = new expressBrute(bruteForceStore,  { freeRetries: 2,
                                                      minWait: 10*1000, // 10 seconds
                                                      maxWait: 60*60*1000, // 1 hour
                                                      failCallback: failCallback
                                                    });
                                                    */

/*
app.post('/login',
    bruteForce.prevent, // error 429 if we hit this route too often 
    function (req, res, next) {
      console.log('asffa');
      res.send('Success!');
    }
);*/

If I try to send a POST from localhost or from a different IP, the failCallback is not triggered even after 100 calls.

I'm quite a noob and probably I am doing something wrong, could you please give me a hint?

Thank you.

[AdamPflug]

It works for me - although it behaves a little funny because you don't anything to end the request in app.post or failCallback

Adding res.send(statusCode) at least lets the requests finish:

var failCallback = function (req, res, next, nextValidRequestDate) {
    console.log('err');
    res.send(429)
};
var ExpressBrute = require('express-brute');

var store = new ExpressBrute.MemoryStore(); // stores state locally, don't use this in production
var bruteforce = new ExpressBrute(store, {
    freeRetries: 3,
    minWait: 60*1000, // 1 minutes
    maxWait: 60*60*1000,
    failCallback: failCallback
});

app.get('/auth',
    bruteforce.prevent, // error 429 if we hit this route too often
    function (req, res, next) {
        console.log('aaa');
        res.send(200);
    }
);

[carlo161]

Now it works, I understand where the problem was. With the following configuration : `// Brute-Force Limiter configuration var failCallback = function (req, res, next, nextValidRequestDate) { res.sendStatus(429); }; var bruteForceModel = mongoose.model('BruteForce', bruteForceSchema,'BruteForce'); var bruteForceStore = new mongooseStore(bruteForceModel); var bruteForce = new expressBrute(bruteForceStore, { freeRetries: 3, minWait: 15601000, // 1 minute maxWait: 60601000, // 1 hour lifetime: 126060, // 12 hours failCallback: failCallback });

app.post('/login', bruteForce.prevent);

/ Server Calls / // GETs app.use('/', index); app.use('/login', login);`

If I invert the code it does not work anymore: `/ Server Calls / // GETs app.use('/', index); app.use('/login', login);

// Brute-Force Limiter configuration var failCallback = function (req, res, next, nextValidRequestDate) { res.sendStatus(429); }; var bruteForceModel = mongoose.model('BruteForce', bruteForceSchema,'BruteForce'); var bruteForceStore = new mongooseStore(bruteForceModel); var bruteForce = new expressBrute(bruteForceStore, { freeRetries: 3, minWait: 15601000, // 1 minute maxWait: 60601000, // 1 hour lifetime: 126060, // 12 hours failCallback: failCallback });

app.post('/login', bruteForce.prevent);`

Thank you for the answer :)