LionC / express-basic-auth

Plug & play basic auth middleware for express

Is it protected against Brute-Force attack? #27

Closed. animir closed this 4 years ago

toverux commented 4 years ago

Right now, no. But you could implement that yourself using a custom authorizer. You could use a variable (or many) outside of the authorizer function itself to store the attempts and check there aren't too many from the same IP, for example.

animir commented 4 years ago

@toverux It wouldn't work if I launch the application in Cluster mode or a distributed environment.

I'm the developer of the rate-limiter-flexible package; it can be used in the express-basic-auth package to provide Brute-Force protection.

toverux commented 4 years ago

That's a cool package you've got here! I am not the maintainer of express-basic-auth, so it's best to wait for @LionC's opinion, but maybe it would be good to keep this package simple. One can always include your package in their app and call it in a custom authorizer. In any case it would be bad to force a (peer-)dependency on a third-party package. If it's done it must be completely optional and transparent. A code example in the documentation would be enough to make people aware of potential brute-force attacks and provide guidance.

animir commented 4 years ago

@toverux yeah, a code example is good too. Many good packages do not care about it and as a result we get many vulnerable applications.

LionC commented 4 years ago

Hi @animir . Thanks for the suggestion!

I personally want to try to limit this package to authentication. Brute force protection is really important, but IMO that should be done in another middleware above this package, as brute force protection is not only an authentication topic, but something you want to protect your business logic from as well.

So right now I would consider that out of scope for my middleware package.

animir commented 4 years ago

@LionC agreed, if you add some note to the readme about it, it would lead less experienced developers to the best practice. It can be rate-limiter-flexible or any other package of your choice.

I'm closing this ticket, thanks for your attention and efforts.