From 490b595a01c5824ff63ffb87f0efdfca95f4bf3b Mon Sep 17 00:00:00 2001
From: Chocobozzz
Date: Thu, 29 Mar 2018 10:58:24 +0200
Subject: Prevent brute force login attack

---
 server/initializers/checker.ts | 1 +
 server/initializers/constants.ts | 9 +++++++++
 server/initializers/installer.ts | 2 +-
 3 files changed, 11 insertions(+), 1 deletion(-)

(limited to 'server/initializers')

diff --git a/server/initializers/checker.ts b/server/initializers/checker.ts
index cd93f19a9..45f1d79c3 100644
--- a/server/initializers/checker.ts
+++ b/server/initializers/checker.ts
@@ -20,6 +20,7 @@ function checkConfig () {
 function checkMissedConfig () {
 const required = [ 'listen.port',
 'webserver.https', 'webserver.hostname', 'webserver.port',
+ 'trust_proxy',
 'database.hostname', 'database.port', 'database.suffix', 'database.username', 'database.password',
 'redis.hostname', 'redis.port', 'redis.auth',
 'smtp.hostname', 'smtp.port', 'smtp.username', 'smtp.password', 'smtp.tls', 'smtp.from_address',
diff --git a/server/initializers/constants.ts b/server/initializers/constants.ts
index 284acf8f3..986fed099 100644
--- a/server/initializers/constants.ts
+++ b/server/initializers/constants.ts
@@ -127,6 +127,7 @@ const CONFIG = {
 URL: '',
 HOST: ''
 },
+ TRUST_PROXY: config.get('trust_proxy'),
 LOG: {
 LEVEL: config.get('log.level')
 },
@@ -234,6 +235,13 @@ const CONSTRAINTS_FIELDS = {
 }
 }
 
+const RATES_LIMIT = {
+ LOGIN: {
+ WINDOW_MS: 5 * 60 * 1000, // 5 minutes
+ MAX: 10 // 10 attempts
+ }
+}
+
 let VIDEO_VIEW_LIFETIME = 60000 * 60 // 1 hour
 const VIDEO_TRANSCODING_FPS = {
 MIN: 10,
@@ -468,6 +476,7 @@ export {
 USER_PASSWORD_RESET_LIFETIME,
 IMAGE_MIMETYPE_EXT,
 SCHEDULER_INTERVAL,
+ RATES_LIMIT,
 JOB_COMPLETED_LIFETIME,
 VIDEO_VIEW_LIFETIME
 }
diff --git a/server/initializers/installer.ts b/server/initializers/installer.ts
index d2f6c7c8c..f0adf8c9e 100644
--- a/server/initializers/installer.ts
+++ b/server/initializers/installer.ts
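Review bot: `trust_proxy` becomes a required key in checkMissedConfig, and `CONFIG.TRUST_PROXY` in the constants.ts hunk reads it straight from `config.get`, but neither place validates the value, and this setting decides whether the client address a login limiter keys on comes from the socket or from forwarded headers (the limiter middleware itself is outside this diff, so I am assuming it is address-keyed). A permissive value such as `true` in a deployment with no proxy in front lets every client present its own forwarded address, so the limiter stops limiting; leaving it `false` behind a reverse proxy makes all users share the proxy's single address and be locked out together. Consider a second check that the value is one of the shapes Express accepts (boolean, hop count, address list) and a comment next to the required key, e.g. `// trust_proxy must describe the real proxy topology: a permissive value lets clients forge the address the login limiter keys on`. checkMissedConfig continues outside the hunk.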
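Review bot: `RATES_LIMIT.LOGIN` is a single window/budget pair with no per-account dimension, so if the middleware keys on the client address (as its name suggests; not shown here) it bounds attempts from one address but not attempts against one account spread across many addresses, while users behind a shared NAT exhaust the 10-per-5-minute budget together. Either outcome should be documented at the constant so the numbers are not tuned blindly, e.g. `// Per client address; does not bound attempts against a single account from many addresses — pair with per-account throttling or lockout`. As a style point, the trailing `// 10 attempts` comment only restates the literal and `RATES_LIMIT` reads oddly next to the other plural constants (`CONSTRAINTS_FIELDS`); `RATE_LIMITS` would be conventional, though renaming also touches the export hunk below.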
@@ -112,7 +112,7 @@ async function createOAuthAdminIfNotExist () {
 // Our password is weak so do not validate it
 validatePassword = false
 } else {
- password = passwordGenerator(8, true)
+ password = passwordGenerator(16, true)
 }
 
 const userData = {
-- 
cgit v1.2.3
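Review bot: Doubling the length to 16 only helps as much as the generator's second argument allows, and that argument is still `true`; if it selects a memorable/pronounceable mode, as it does in common password-generator packages, the output follows a restricted alternating-letter pattern and the effective entropy is far below 16 random characters — confirm against the generator's documentation. If so, prefer `password = passwordGenerator(16, false)` or a string derived from `crypto.randomBytes`, and note the reasoning inline, e.g. `// memorable mode trades entropy for readability; the admin password must not`. The enclosing createOAuthAdminIfNotExist starts and ends outside the hunk, so where this password is surfaced to the operator cannot be checked here.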