fix
@@ -26,7 +26,17 @@ export default (router, tpl) => {
|
|||||||
const username = req.post.username;
|
const username = req.post.username;
|
||||||
const password = req.post.password;
|
const password = req.post.password;
|
||||||
|
|
||||||
if (!password || password.length < 20) {
|
const fail = async (msg) => {
|
||||||
|
await security.recordAttempt(ip, username, 'login', false);
|
||||||
|
// Artificial delay to prevent timing attacks and slow down brute-force
|
||||||
|
await new Promise(resolve => setTimeout(resolve, 1000));
|
||||||
|
if (req.headers['x-requested-with'] === 'XMLHttpRequest' || (req.headers.accept && req.headers.accept.includes('application/json'))) {
|
||||||
|
return res.writeHead(200, { 'Content-Type': 'application/json' }).end(JSON.stringify({ success: false, msg }));
|
||||||
|
}
|
||||||
|
return res.reply({ body: tpl.render("login", { error: msg, theme: req.theme }) });
|
||||||
|
};
|
||||||
|
|
||||||
|
if (!username || !password || password.length < 20) {
|
||||||
return fail("Invalid username or password.");
|
return fail("Invalid username or password.");
|
||||||
}
|
}
|
||||||
|
|
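Review bot: Hoisting `fail` above the input check means `security.recordAttempt(ip, username, 'login', false)` now also runs for the missing-username case, where `username` is `undefined` (or a non-string if the body parser allows it), and `ip` is captured from a scope that begins before this hunk — the enclosing handler starts outside the view, so confirm `ip` is assigned there. Coerce the field once where it is read, e.g. `const username = typeof req.post.username === 'string' ? req.post.username : '';`, so the attempt log and any lockout keyed on it get a stable value. The comment `// Artificial delay to prevent timing attacks and slow down brute-force` overstates what a fixed 1 s sleep on the failure path gives: it does not equalise the failure path with the success path, and concurrent requests sidestep the slowdown, so I would reword it to `// Fixed delay on failure: throttles sequential guessing only; per-IP/account limiting is expected from security.recordAttempt` (assuming that is what recordAttempt feeds — confirm). The two `fail` call sites also pass different messages for the same outcome (`"Invalid username or password."` here, `"user doesn't exist or wrong password"` in the next hunk); one neutral string avoids hinting which check tripped.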
||||||
@@ -45,15 +55,6 @@ export default (router, tpl) => {
|
|||||||
limit 1
|
limit 1
|
||||||
`;
|
`;
|
||||||
|
|
||||||
const fail = async (msg) => {
|
|
||||||
await security.recordAttempt(ip, username, 'login', false);
|
|
||||||
// Artificial delay to prevent timing attacks and slow down brute-force
|
|
||||||
await new Promise(resolve => setTimeout(resolve, 1000));
|
|
||||||
if (req.headers['x-requested-with'] === 'XMLHttpRequest' || (req.headers.accept && req.headers.accept.includes('application/json'))) {
|
|
||||||
return res.writeHead(200, { 'Content-Type': 'application/json' }).end(JSON.stringify({ success: false, msg }));
|
|
||||||
}
|
|
||||||
return res.reply({ body: tpl.render("login", { error: msg, theme: req.theme }) });
|
|
||||||
};
|
|
||||||
|
|
||||||
if (user.length === 0)
|
if (user.length === 0)
|
||||||
return fail("user doesn't exist or wrong password");
|
return fail("user doesn't exist or wrong password");
|
||||||
|
|||||||