I have a question with the module express-brute I can't reach a simple implementation (https://www.npmjs.com/package/express-brute).
I actually place the protection in a part of my routes but it seems to be not working. I made a request more than 20 times in less than a minute but it did not block anything or block the ip. Any idea how this should be working?
security.js
require('connect-flash');
module.exports = function(req, res, next) {
var ExpressBrute = require('express-brute'),
moment = require('moment'),
store;
store = new ExpressBrute.MemoryStore();
var failCallback = function(req, res, next, nextValidRequestDate) {
req.flash('error', "You've made too many failed attempts in a short period of time, please try again " + moment(nextValidRequestDate).fromNow());
// res.redirect('/login'); // brute force protection triggered, send them back to the login page
};
var handleStoreError = function(error) {
log.error(error); // log this error so we can figure out what went wrong
// cause node to exit, hopefully restarting the process fixes the problem
throw {
message: error.message,
parent: error.parent
};
}
// No more than 1000 login attempts per day per IP
var globalBruteforce = new ExpressBrute(store, {
freeRetries: 20,
attachResetToRequest: false,
refreshTimeoutOnRequest: false,
minWait: 25 * 60 * 60 * 1000, // 1 day 1 hour (should never reach this wait time)
maxWait: 25 * 60 * 60 * 1000, // 1 day 1 hour (should never reach this wait time)
lifetime: 24 * 60 * 60, // 1 day (seconds not milliseconds)
failCallback: failCallback,
handleStoreError: handleStoreError
});
return globalBruteforce;
}
app.js
var secure = require('./middleware/security');
var app = express();
var globalBruteforce = new secure();
app.use('/api', auth, globalBruteforce.prevent);
//more routes
Call made 20 times:
http://localhost:3000/api/user/systems
I actually place the code in the systems route but seems not to be working, any sucesfull code of express-brute in local?
It only works on directly hosted sites not in localhost as I can see..