feathersjs-ecosystem / feathers-authentication-ldap

LDAP authentication strategy for feathers-authentication using Passport
MIT License

Discussion - Invalid Logins #47

Closed engineertdog closed 3 years ago

engineertdog commented 4 years ago

I’ll start this out as a discussion, but this will change into a feature request that I’ll work on.

The Idea

More than likely, all AD setups are going to have login attempt limits. I would find it hard to believe there are many without this rule implemented. For most places, it’s probably going to be 5 attempts before you’re locked out. Why is this important? Any login attempt through this plugin counts toward that limit.

The Solution

I believe this feature would need to be added to the main authenticate function because we need access to the error object. Using a setting that the user defines on ldap with the other settings, we would check the current number of bad logins with the setting that was provided.

Questions

DaddyWarbucks commented 4 years ago

This seems like it should be handled in hooks with some sort of rate limiter. For example, there is https://daddywarbucks.github.io/feathers-fletching/hooks.html#ratelimit

That hook uses https://github.com/animir/node-rate-limiter-flexible under the hood, which has a bunch of storage options. It can handle the number of attempts (aka points) over some period of time.

You would probably want to configure that hook where it consumes 0 points in the before hook. So the user gets unlimited "valid" attempts. And then do a little custom error hook like

```js
const { rateLimit } = require('feathers-fletching')

// Limiter Hook (before create)
// Consumes 0 points because we only want to limit on errors.
const limiter = rateLimit({ makeKey: context => context.data.email, makePoints: () => 0 })

// Error Hook (error create)
async context => {
  // Manually consume a point for this email
  const rateLimiter = context.service.options.rateLimiter;
  await rateLimiter.consume(context.data.email, 1)
  return context
}
```

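The error-only limiting pattern from the comment above, worked through as an added example that is not code from this thread, from feathers-fletching or from feathers-authentication-ldap: `FailureLimiter` is an assumed in-memory stand-in for rate-limiter-flexible (same `consume(key, points)` shape), the hooks follow the before/after/error split, and `login` simulates the authenticate call with `bind` standing in for the LDAP bind.

```javascript
// Added example: Feathers-style hooks that charge only failed logins against a per-e-mail key
// and refuse the next attempt before it reaches the directory once the key is spent.
// FailureLimiter is an assumed stand-in for rate-limiter-flexible, not that library's code.

class FailureLimiter {
  constructor({ points, duration, clock = Date.now }) {
    this.points = points;      // failed attempts allowed per window
    this.duration = duration;  // window length in milliseconds
    this.clock = clock;        // injectable so tests can move time forward
    this.store = new Map();    // key -> { consumed, expires }
  }
  consume(key, n) {
    const now = this.clock();
    let entry = this.store.get(key);
    if (!entry || entry.expires <= now) {
      entry = { consumed: 0, expires: now + this.duration };
      this.store.set(key, entry);
    }
    // A spent key is rejected even for n = 0; the before hook relies on this.
    if (entry.consumed >= this.points) return Promise.reject(new Error('Too many failed logins'));
    entry.consumed += n;
    return Promise.resolve(entry.consumed);
  }
  reset(key) { this.store.delete(key); }
}

const limiterOf = (context) => context.service.options.rateLimiter;
const hooks = {
  // before create: 0 points, so valid logins are never counted, but a spent key is refused here.
  before: async (context) => { await limiterOf(context).consume(context.data.email, 0); return context; },
  // after create: a successful bind clears the counter (assumed policy).
  after: async (context) => { limiterOf(context).reset(context.data.email); return context; },
  // error create: one point per failed bind, keeping the directory's own counter below its lockout.
  error: async (context) => { await limiterOf(context).consume(context.data.email, 1); return context; },
};

// Simulated authenticate call; `bind` stands in for the LDAP bind and resolves true on success.
async function login(service, email, bind) {
  const context = { service, data: { email } };
  await hooks.before(context); // rejects without contacting the directory when the key is spent
  try {
    if (!(await bind(email))) throw new Error('NotAuthenticated');
    await hooks.after(context);
    return 'ok';
  } catch (err) {
    await hooks.error(context).catch(() => {}); // record the failure, surface the original error
    throw err;
  }
}
```

With `points` set below the directory's lockout threshold, the plugin stops forwarding attempts for that account before AD's own counter is reached.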
stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Apologies if the issue could not be resolved. FeathersJS ecosystem modules are community maintained so there may be a chance that there isn't anybody available to address the issue at the moment. For other ways to get help see here.