
Merge pull request #29 from jrtechs/securityEnhancement

Added security to login page to prevent brute-forcing.
pull/33/head
Jeffery Russell 6 years ago
committed by GitHub
parent
commit
8442fb7eb5
5 changed files with 100 additions and 17 deletions
  1. +1
    -1
      admin/admin.js
  2. +78
    -15
      admin/login/login.js
  3. +4
    -0
      includes/html/banHammer.html
  4. +5
    -1
      sites/admin.js
  5. +12
    -0
      utils/utils.js

+ 1
- 1
admin/admin.js View File

@ -14,7 +14,7 @@ module.exports=
* @param request
* @return {*|Promise}
*/
main: function(request)
main: function(request, clientAddress)
{
return new Promise(function(resolve, reject)
{
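Review bot: The JSDoc above the new signature still lists only `@param request`, so the parameter this commit adds is undocumented; add `* @param clientAddress address of the requesting client, used for login rate limiting` beneath it. The same gap exists in admin/login/login.js, where `processLogin` and `main` gain the identical parameter without a matching `@param` line. `main`'s body continues outside the hunk, so whether `clientAddress` is actually forwarded to the login module is not visible here.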

+ 78
- 15
admin/login/login.js View File

@ -4,6 +4,8 @@ const utils = require('../../utils/utils.js');
//update db
const sql = require('../../utils/sql');
const qs = require('querystring');
/**
* Processes post data to see if the user has successfully
@ -13,16 +15,20 @@ const sql = require('../../utils/sql');
* @param request
* @returns {Promise}
*/
const processLogin = function(request)
const processLogin = function(request, clientAddress)
{
return new Promise(function(resolve, reject)
{
utils.getPostData(request).then(function(postData)
{
const post = qs.parse(postData);
if(!post.username && !post.password)
{
resolve("");
}
return sql.checkLogin(postData);
}).then(function(loginResult)
{
if(loginResult.pass)
{
request.session.user = loginResult.user;
@ -31,8 +37,9 @@ const processLogin = function(request)
}
else
{
console.log("password incorrect");
resolve("Password incorrect");
banIP(clientAddress);
console.log("Invader!");
resolve("Wrong!");
}
}).catch(function(err)
{
@ -42,6 +49,54 @@ const processLogin = function(request)
};
/** Global Containing Ban Data **/
var banData = {};
/** Number of incorrect login attempts permitted per ip */
const LOGIN_LIMIT = 5;
/**
* Determines if a client is banned from the server
* or not.
*
* @param clientAddress
*/
const isBanned = function(clientAddress)
{
if(clientAddress in banData)
{
user = banData[clientAddress];
return user.incorrectLogins > LOGIN_LIMIT;
}
return false;
};
/**
* Increments the user's incorrect login attempt
* counter.
*
* @param clientAddress
*/
const banIP = function(clientAddress)
{
if(clientAddress in banData)
{
user = banData[clientAddress];
user.incorrectLogins++;
}
else
{
var newUser = new Object();
newUser.incorrectLogins = 1;
banData[clientAddress] = newUser;
}
};
module.exports=
{
/**
@ -50,19 +105,27 @@ module.exports=
* @param request express request containing post data
* @returns {Promise} resolves html of login page
*/
main: function(request)
main: function(request, clientAddress)
{
return new Promise(function(resolve, reject)
if(isBanned(clientAddress))
{
Promise.all([utils.include("./admin/login/login.html"),
require("../../sidebar/sidebar.js").main(),
processLogin(request)]).then(function(html)
{
resolve(html.join('') + "</div>");
}).catch(function(err)
return utils.printBannedPage();
}
else
{
return new Promise(function(resolve, reject)
{
reject(err);
})
});
Promise.all([utils.include("./admin/login/login.html"),
require("../../sidebar/sidebar.js").main(),
processLogin(request, clientAddress)]).then(function(html)
{
resolve(html.join('') + "</div>");
}).catch(function(err)
{
reject(err);
})
});
}
},
};
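Review bot: `user = banData[clientAddress];` on the `isBanned` and `banIP` bodies assigns an undeclared identifier, which creates a process-wide global `user` shared by every concurrent request (and throws under `'use strict'`); both should read `const user = banData[clientAddress];`. Beyond that, an entry in `banData` is never cleared or aged: a successful login after four failures leaves the counter at four, and every distinct address ever seen stays in the object for the life of the process, so the table grows without bound. Since `clientAddress` is a string supplied by the caller, `clientAddress in banData` on a plain object also matches inherited properties such as `toString`; a `Map` avoids that and makes both helpers short enough to show in full below. Consider storing a timestamp with each entry so a ban lapses after a window, and deleting the entry in the `loginResult.pass` branch of `processLogin`.
```javascript
/** Global Containing Ban Data: client address -> incorrect login count **/
const banData = new Map();
/** Number of incorrect login attempts permitted per ip */
const LOGIN_LIMIT = 5;

/**
 * Determines if a client is banned from the server
 * or not.
 *
 * @param clientAddress address of the requesting client
 * @returns {boolean} true once the client has exceeded LOGIN_LIMIT failures
 */
const isBanned = function(clientAddress)
{
    return (banData.get(clientAddress) || 0) > LOGIN_LIMIT;
};

/**
 * Increments the client's incorrect login attempt
 * counter.
 *
 * @param clientAddress address of the requesting client
 */
const banIP = function(clientAddress)
{
    banData.set(clientAddress, (banData.get(clientAddress) || 0) + 1);
};
// … unchanged: module.exports …
```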

+ 4
- 0
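--- /dev/null
+++ b/includes/html/banHammer.html
@@ -0,0 +1,4 @@
+<br>
+<center><h1>Ban Hammer!</h1></center>
+<br>
+<center><img src="/includes/img/404.jpg" alt="Page not found" width="70%" /></center>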
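Review bot: The image on the last line carries `alt="Page not found"` while the heading announces a ban, so assistive technology reads a contradictory message; use `alt="Access blocked"` or, if the image is purely decorative, `alt=""`. `<center>` is obsolete in HTML5 and is normally replaced by CSS alignment, though keeping it is reasonable if the rest of the site's templates still use it.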

+ 5
- 1
sites/admin.js View File

@ -26,12 +26,16 @@ module.exports=
}
else
{
const clientAddress = (request.headers['x-forwarded-for'] || '').split(',')[0]
|| request.connection.remoteAddress;
result.writeHead(200, {'Content-Type': 'text/html'});
const file = "../admin/admin.js";
Promise.all([includes.printAdminHeader(),
require(file).main(request),
require(file).main(request, clientAddress),
includes.printFooter()]).then(function(content)
{
result.write(content.join(''));
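Review bot: The new `clientAddress` is taken from the `X-Forwarded-For` header before falling back to `remoteAddress`, and that header is set by whoever sends the request, so the ban counter keyed on it in login.js is only reliable when this server sits behind a trusted reverse proxy that overwrites the header; if it is reached directly, use `request.connection.remoteAddress` alone. A short comment stating that assumption next to the declaration, e.g. `// trusts X-Forwarded-For: only valid behind the site's reverse proxy`, would keep the next maintainer from dropping the proxy without noticing. `request.connection` is deprecated in newer Node releases in favour of `request.socket`, though that depends on the Node version this project targets. The enclosing handler starts before this hunk and, judging by the hunk header's line counts, continues past its last visible line.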

+ 12
- 0
utils/utils.js View File

@ -133,5 +133,17 @@ module.exports=
printWrongHost: function()
{
return this.include("includes/html/incorrectHost.html");
},
/**
* Displays 404 error to user
*
* @param result
* @returns {*}
*/
printBannedPage: function()
{
return this.include("includes/html/banHammer.html");
}
};
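Review bot: The JSDoc on `printBannedPage` appears copied from a 404 helper: it says "Displays 404 error to user" and lists `@param result`, yet the function takes no arguments and renders the ban page. Replace the comment body with `* Displays the ban page to a client that exceeded the login attempt limit` and `* @returns {*} result of this.include for includes/html/banHammer.html`, and drop the `@param` line. The surrounding `module.exports` object starts before this hunk.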
