使用 Node 和 Express JS 预防暴力破解

我正在使用 Node 和 Express JS 搭建一个网站,并想限制无效登录尝试的频率。既能防止在线破解,又能减少不必要的数据库调用。我可以通过哪些方式来实现?

也许类似下面这样的代码能帮你入门。

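// Per-client throttle table: key = remote IP, value = { count, nextTry }.
// Built with a null prototype so a client-derived key such as "constructor"
// or "__proto__" can never collide with Object.prototype members.
var failures = Object.create(null);

// Back-off added per failed attempt, and a ceiling so the wait for one
// address cannot grow without bound (otherwise a single persistent attacker
// behind a shared NAT could lock every user on that address out indefinitely).
var DELAY_STEP_MS = 2000;
var MAX_DELAY_MS = 15 * 60 * 1000;

/**
 * Reject the login attempt while the calling address is still inside its
 * back-off window; otherwise fall through to the real login.
 * Uses `remoteIp` and `res` from the surrounding request scope, which the
 * original sketch leaves implicit.
 * @returns {*} whatever `res.error()` returns when throttled, else undefined
 */
function tryToLogin() {
  var entry = failures[remoteIp];
  if (entry && Date.now() < entry.nextTry.getTime()) {
    // Throttled. Can't try yet.
    return res.error();
  }
  // Otherwise do login ...
}

/**
 * Record one more failure for `remoteIp` and push its next permitted attempt
 * out by DELAY_STEP_MS per accumulated failure, capped at MAX_DELAY_MS.
 */
function onLoginFail() {
  var entry = failures[remoteIp];
  if (!entry) {
    entry = failures[remoteIp] = { count: 0, nextTry: new Date(0) };
  }
  entry.count += 1;
  // Wait another two seconds for every failed attempt, up to the cap.
  var delayMs = Math.min(DELAY_STEP_MS * entry.count, MAX_DELAY_MS);
  entry.nextTry = new Date(Date.now() + delayMs);
}

/** A successful login wipes the address's failure history. */
function onLoginSuccess() {
  delete failures[remoteIp];
}

// Clean up people that have given up: drop entries whose back-off window
// expired more than ten minutes ago so the table cannot grow forever.
var MINS10 = 600000;
var MINS30 = 3 * MINS10;
var cleanupTimer = setInterval(function () {
  var now = Date.now();
  for (var ip in failures) {
    if (now - failures[ip].nextTry.getTime() > MINS10) {
      delete failures[ip];
    }
  }
}, MINS30);
// Housekeeping alone should not keep a Node process alive; no-op where unref is unavailable.
if (cleanupTimer && typeof cleanupTimer.unref === 'function') {
  cleanupTimer.unref();
}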

在搜索了一番之后,我没有找到满意的方案,于是我基于 Trevor 的方案编写了自己的实现,并加入了自己的一些想法。你可以在这里找到它。

好的,我找到了在 mongoose 和 expressjs 中限制错误密码最大登录尝试次数的解决方案。首先,我们定义用户模式(schema);第二,我们在错误密码处理函数中定义最大登录尝试次数;第三,在创建登录 API 时,用这个函数检查用户已经用错误密码登录了多少次。代码如下。

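 var config = require('../config');

// Account model. The lockout state (loginAttempts / lockUntil) is stored on
// the user document, so the lock follows the account rather than the client.
var userSchema = new mongoose.Schema({
  email: { type: String, unique: true, required: true },
  password: String,
  verificationToken: { type: String, unique: true, required: true },
  isVerified: { type: Boolean, required: true, default: false },
  passwordResetToken: { type: String, unique: true },
  passwordResetExpires: Date,
  loginAttempts: { type: Number, required: true, default: 0 },
  lockUntil: Number, // epoch milliseconds; unset while the account is not locked
  role: String
});

/** True while a lockUntil timestamp is present and still in the future. */
userSchema.virtual('isLocked').get(function() {
  return !!(this.lockUntil && this.lockUntil > Date.now());
});

/**
 * Record one more failed login for this document and lock the account once
 * config.login.maxAttempts is reached.
 *
 * Debug console.log calls that printed the lock state on every failed login
 * have been removed: they were noise in production logs and exposed per-account
 * lockout timing to anyone with log access.
 *
 * @param {Function} callback - passed straight to the underlying update
 * @returns {*} the result of this.update(...)
 */
userSchema.methods.incrementLoginAttempts = function(callback) {
  // One timestamp for the whole decision so "expired" and "lock until" agree.
  var now = Date.now();
  // if we have a previous lock that has expired, restart at 1
  var lockExpired = !!(this.lockUntil && this.lockUntil < now);
  if (lockExpired) {
    return this.update({ $set: { loginAttempts: 1 }, $unset: { lockUntil: 1 } }, callback);
  }
  // otherwise we're incrementing
  var updates = { $inc: { loginAttempts: 1 } };
  // lock the account if we've reached max attempts and it's not locked already
  var needToLock = !!(this.loginAttempts + 1 >= config.login.maxAttempts && !this.isLocked);
  if (needToLock) {
    // NOTE(review): lockoutHours is added directly to an epoch-millisecond value,
    // so despite its name it must already be expressed in milliseconds — confirm in ../config.
    updates.$set = { lockUntil: now + config.login.lockoutHours };
  }
  // NOTE(review): Document#update is deprecated in newer mongoose releases in
  // favour of updateOne; kept as-is because the page does not show the version in use.
  return this.update(updates, callback);
};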

下面是我的登录函数。我们已经在其中检查了错误密码的最大登录尝试次数,因此会调用上面那个函数。

 User.findOne({ email: email }, function(err, user) {
  // NOTE(review): leftover development debug output; remove before shipping.
  console.log("i am aurhebengdfhdbndbcxnvndcvb")
  // NOTE(review): `err` from findOne is never checked, so a database error is
  // reported to the caller exactly like an unknown e-mail address.
  if (!user) {
    // NOTE(review): this message differs from the 'Invalid password' one below,
    // which lets a caller distinguish registered from unregistered addresses
    // (account enumeration). One generic failure message for both cases avoids that.
    return done(null, false, { msg: 'No user with the email ' + email + ' was found.' });
  }
  if (user.isLocked) {
    // Attempts made while locked still increment loginAttempts; lockUntil itself is not extended here.
    return user.incrementLoginAttempts(function(err) {
      if (err) { return done(err); }
      // The exact unlock time is disclosed to the caller; the lock lives on the account, not the client.
      return done(null, false, { msg: 'You have exceeded the maximum number of login attempts. Your account is locked until ' + moment(user.lockUntil).tz(config.server.timezone).format('LT z') + '. You may attempt to log in again after that time.' });
    });
  }
  if (!user.isVerified) {
    // NOTE(review): `email` is interpolated into an HTML href without URL-encoding or
    // HTML-escaping; unless it is strictly validated on registration and the view
    // escapes `msg`, this is an injection point — encodeURIComponent(email) at minimum.
    return done(null, false, { msg: 'Your email has not been verified. Check your inbox for a verification email.<p><a href="/user/verify-resend/' + email + '" class="btn waves-effect white black-text"><i class="material-icons left">email</i>Re-send verification email</a></p>' });
  }
  user.comparePassword(password, function(err, isMatch) {
    // NOTE(review): `err` is ignored; a comparison error is treated as a wrong password
    // and counted against the account.
    if (isMatch) {
      return done(null, user);
    } else {
      // Wrong password: count the attempt (locks the account at config.login.maxAttempts).
      user.incrementLoginAttempts(function(err) {
        if (err) { return done(err); }
        return done(null, false, { msg: 'Invalid password. Please try again.' });
      });
    }
  });
}); }));

看看这个:https://github.com/AdamPflug/express-brute — A brute-force protection middleware for express routes that rate-limits incoming requests, increasing the delay with each request in a fibonacci-like sequence.