Lauri Ojansivu, commit 23e5e1e3bd (4 years ago): Reduced Wekan bundle size from 636 MB to 467 MB by deleting all
Seamless protection of Meteor app accounts from password brute-force attacks. Users won't notice it. Hackers shall not pass.

```sh
meteor add lucasantoniassi:accounts-lockout
```

```js
// server
import { AccountsLockout } from 'meteor/lucasantoniassi:accounts-lockout';
```
Default settings:

```js
{
  "knownUsers": {
    "failuresBeforeLockout": 3, // positive integer greater than 0
    "lockoutPeriod": 60, // in seconds
    "failureWindow": 10 // in seconds
  },
  "unknownUsers": {
    "failuresBeforeLockout": 3, // positive integer greater than 0
    "lockoutPeriod": 60, // in seconds
    "failureWindow": 10 // in seconds
  }
}
```
knownUsers are users who already belong to your Meteor.users collection;
these rules are applied if they attempt to log in with a known email but an incorrect password.
unknownUsers are users who do not belong to your Meteor.users collection;
these rules are applied if they attempt to log in with an unknown email.
failuresBeforeLockout should be a positive integer greater than 0: the number of failed attempts, counted within failureWindow, that triggers a lockout.
lockoutPeriod should be in seconds: how long further login attempts are rejected once the lockout triggers.
failureWindow should be in seconds: how long a failed attempt stays counted before it is forgotten.
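As an added illustration, not the package's own code, the following stand-alone JavaScript models the rules described above: a failure counts only while it lies inside failureWindow, reaching failuresBeforeLockout rejects logins for lockoutPeriod, and known and unknown users are tracked under separate keys (email versus connection address). The class, function names and sample values are hypothetical.

```javascript
// Added example, not the package's code: a stand-alone model of the
// lockout rules described in the README. All names here are hypothetical.
const DEFAULT_RULES = { failuresBeforeLockout: 3, lockoutPeriod: 60, failureWindow: 10 };

class LockoutTracker {
  constructor(rules = DEFAULT_RULES) {
    this.rules = rules;
    this.failures = new Map();    // key -> failure timestamps (seconds)
    this.lockedUntil = new Map(); // key -> time the lockout ends (seconds)
  }
  // True while a lockout is active for `key`; an expired lockout is cleared.
  isLocked(key, now) {
    const until = this.lockedUntil.get(key);
    if (until === undefined) return false;
    if (now < until) return true;
    this.lockedUntil.delete(key);
    this.failures.delete(key);
    return false;
  }
  // Record a failed login; returns seconds of lockout remaining (0 = not locked).
  recordFailure(key, now) {
    if (this.isLocked(key, now)) return this.lockedUntil.get(key) - now;
    const { failuresBeforeLockout, failureWindow, lockoutPeriod } = this.rules;
    // only failures inside the sliding failureWindow count
    const recent = (this.failures.get(key) || []).filter((t) => now - t < failureWindow);
    recent.push(now);
    if (recent.length >= failuresBeforeLockout) {
      this.lockedUntil.set(key, now + lockoutPeriod);
      this.failures.delete(key);
      return lockoutPeriod;
    }
    this.failures.set(key, recent);
    return 0;
  }
}

// Constructed scenario: a known user keyed by email and an unknown one keyed by
// connection address (both values made up), evaluated with the default rules.
function demo() {
  const known = new LockoutTracker();
  known.recordFailure('alice@example.com', 0);
  known.recordFailure('alice@example.com', 4);
  const lockedFor = known.recordFailure('alice@example.com', 8); // 3 failures within 10 s
  const stillLocked = known.isLocked('alice@example.com', 30);
  const unlocked = known.isLocked('alice@example.com', 68);     // 60 s lockout has ended
  const unknown = new LockoutTracker();
  unknown.recordFailure('203.0.113.7', 0);  // outside the window by t = 11
  unknown.recordFailure('203.0.113.7', 11);
  const notLocked = unknown.recordFailure('203.0.113.7', 15); // only 2 count
  return { lockedFor, stillLocked, unlocked, notLocked };
}
```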
If the defaults suit you, just call:

```js
(new AccountsLockout()).startup();
```
You can override them by passing an object as the argument.

```js
(new AccountsLockout({
  knownUsers: {
    failuresBeforeLockout: 3,
    lockoutPeriod: 60,
    failureWindow: 15,
  },
  unknownUsers: {
    failuresBeforeLockout: 3,
    lockoutPeriod: 60,
    failureWindow: 15,
  },
})).startup();
```
If you prefer, you can pass a function as the argument. Each function receives context (the user document for known users, the login connection for unknown users) and must return the three settings.

```js
// Rules for known users: the callback receives the Meteor user document.
const knownUsersRules = (user) => {
  // apply some logic with this user, then return the three settings
  return {
    failuresBeforeLockout: 3,
    lockoutPeriod: 60,
    failureWindow: 15,
  };
};

// Rules for unknown users: the callback receives the login connection.
const unknownUsersRules = (connection) => {
  // apply some logic with this connection, then return the three settings
  return {
    failuresBeforeLockout: 3,
    lockoutPeriod: 60,
    failureWindow: 15,
  };
};

(new AccountsLockout({
  knownUsers: knownUsersRules,
  unknownUsers: unknownUsersRules,
})).startup();
```
If you prefer, you can use Meteor.settings. An `accounts-lockout` key in your settings file overrides any of the previous cases.

```json
{
  "accounts-lockout": {
    "knownUsers": {
      "failuresBeforeLockout": 3,
      "lockoutPeriod": 60,
      "failureWindow": 10
    },
    "unknownUsers": {
      "failuresBeforeLockout": 3,
      "lockoutPeriod": 60,
      "failureWindow": 10
    }
  }
}
```
This package is open-sourced software licensed under the MIT license.