Closed Yoann-TYT closed 3 years ago
Can you explain to me how this works?
```js
// One bucket for the whole process: maxAttempts tokens, refilled per day
const limiter = new RateLimiter({
  tokensPerInterval: starter.loginThrottling.maxAttempts,
  interval: "day",
  fireImmediately: true
});
```
Does it mean a user can submit the login form only 5 times per day? (So, if he logs in / logs out 5 times a day, which is a valid scenario, what happens?)
Not sure how the limiter works: how does it identify the visitor, and where is the number of attempts / tokens available persisted?
You're right. As I coded it, all users are blocked after 5 attempts! Not really what we want :D I found a library that does the job perfectly: adonis-request-throttler. It needs Redis to run, so I disabled it by default in starter.ts
And because brute force attacks are done with bots, I think a max of 5 attempts per minute is acceptable. What do you think?
New approach seems nice. If I got it correctly:
Am I right?
Not sure about the interface: is this to allow another implementation of ConnectionAttemptService (to use Redis, for example, instead of node cache)?
Is this PR finished or do you need to add something else?
Yes, you're right! I just added a method to clean the old cache. Yes, the interface allows implementing other systems like Redis. This PR is ready to merge :)
Mitigate brute force attacks #21
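Added example, not code from this PR or from adonis-request-throttler: a per-visitor attempt counter behind an interface, in the shape the thread converges on (only failed attempts count, a sliding window of 5 per minute, a cleanup method for stale entries, and an in-memory store that a Redis implementation could replace). The names `ConnectionAttemptService`, `InMemoryConnectionAttemptService`, `attemptLogin` and the `ip|email` key format are assumptions for illustration, not the project's identifiers; the clock is injectable so the scenarios from the discussion (a user logging in and out all day versus a bot guessing passwords) can be replayed without waiting.

```typescript
// Added example (not the PR's code): a per-identifier login-attempt counter
// behind an interface, so the in-memory store can be swapped for Redis later.
// Names (ConnectionAttemptService, attemptLogin, ...) are assumed, not the project's.

interface ConnectionAttemptService {
  /** True when `key` has hit the limit inside the current window. */
  isBlocked(key: string): boolean;
  /** Records one failed attempt; returns how many remain before a block. */
  recordFailure(key: string): number;
  /** Forgets the key's failures, e.g. after a successful login. */
  reset(key: string): void;
  /** Drops keys whose failures all fell out of the window; returns how many. */
  cleanup(): number;
}

interface ThrottleOptions {
  maxAttempts: number; // e.g. 5
  windowMs: number;    // e.g. 60000 for "5 attempts per minute"
  now?: () => number;  // injectable clock in ms, so tests can move time
}

class InMemoryConnectionAttemptService implements ConnectionAttemptService {
  private readonly failures = new Map<string, number[]>(); // key -> failure timestamps
  private readonly now: () => number;

  constructor(private readonly opts: ThrottleOptions) {
    this.now = opts.now ?? (() => Date.now());
  }

  // Keep only timestamps still inside the sliding window; delete empty keys
  // so the map does not grow with stale entries.
  private prune(key: string, now: number): number[] {
    const cutoff = now - this.opts.windowMs;
    const kept = (this.failures.get(key) ?? []).filter((t) => t > cutoff);
    if (kept.length === 0) this.failures.delete(key);
    else this.failures.set(key, kept);
    return kept;
  }

  isBlocked(key: string): boolean {
    return this.prune(key, this.now()).length >= this.opts.maxAttempts;
  }

  recordFailure(key: string): number {
    const now = this.now();
    const kept = this.prune(key, now);
    kept.push(now);
    this.failures.set(key, kept);
    return Math.max(0, this.opts.maxAttempts - kept.length);
  }

  reset(key: string): void {
    this.failures.delete(key);
  }

  cleanup(): number {
    const now = this.now();
    let removed = 0;
    for (const key of Array.from(this.failures.keys())) {
      if (this.prune(key, now).length === 0) removed++;
    }
    return removed;
  }

  trackedKeys(): number {
    return this.failures.size;
  }
}

type LoginResult = "ok" | "bad-credentials" | "throttled";

// Only failed attempts count, so a user who logs in and out all day is never blocked.
function attemptLogin(svc: ConnectionAttemptService, key: string, credentialsValid: boolean): LoginResult {
  if (svc.isBlocked(key)) return "throttled";
  if (credentialsValid) {
    svc.reset(key);
    return "ok";
  }
  svc.recordFailure(key);
  return "bad-credentials";
}

// Replays the two scenarios from the thread with a fake clock (constructed data).
function demo() {
  let clock = 0;
  const svc = new InMemoryConnectionAttemptService({ maxAttempts: 5, windowMs: 60000, now: () => clock });

  // Legitimate user: five successful logins spread over a day, never blocked.
  let userNeverBlocked = true;
  for (let i = 0; i < 5; i++) {
    clock += 3600000; // one hour apart
    if (attemptLogin(svc, "10.0.0.1|alice", true) !== "ok") userNeverBlocked = false;
  }

  // Bot: five wrong passwords in ten seconds, then the sixth is throttled.
  for (let i = 0; i < 5; i++) {
    clock += 2000;
    attemptLogin(svc, "203.0.113.7|alice", false);
  }
  const botBlocked = attemptLogin(svc, "203.0.113.7|alice", false) === "throttled";

  // A minute later the window has slid past the failures: cleanup drops the
  // bot's key (the legitimate user's key was never stored) and it is usable again.
  clock += 61000;
  const removedByCleanup = svc.cleanup();
  const unblockedLater = !svc.isBlocked("203.0.113.7|alice");

  return { userNeverBlocked, botBlocked, removedByCleanup, unblockedLater };
}

console.log(demo());
```

The key is the one decision the interface leaves open: throttling on the client IP alone lets an attacker spread guesses across addresses, and throttling on the account alone lets anyone lock a victim out with five wrong passwords, so combining both (as the `ip|email` key above does) is the usual compromise. A Redis-backed implementation of the same interface would keep the timestamps in a sorted set per key with an expiry equal to the window, which makes the `cleanup` method a no-op there and also makes the counter shared across several application instances, which the in-memory version cannot be.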