
  1. import { Meteor } from 'meteor/meteor';
  2. import { Accounts } from 'meteor/accounts-base';
  3. import _AccountsLockoutCollection from './accountsLockoutCollection';
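class UnknownUser {
  /**
   * Counts failed password logins for non-existent users per client
   * address and temporarily locks that address out after too many of
   * them, so an attacker cannot freely probe which accounts exist.
   *
   * @param {object|Function} settings - either a plain settings object
   *   `{ failuresBeforeLockout, lockoutPeriod, failureWindow }` (periods in
   *   seconds) or a function of the login connection that returns one; a
   *   function is resolved lazily on the first policed login attempt.
   * @param {object} [deps]
   * @param {object} [deps.AccountsLockoutCollection] - Mongo collection with
   *   one record per `clientAddress`; injectable for tests.
   */
  constructor(
    settings,
    {
      AccountsLockoutCollection = _AccountsLockoutCollection,
    } = {},
  ) {
    this.AccountsLockoutCollection = AccountsLockoutCollection;
    this.settings = settings;
  }

  /** Wires the policy into Accounts; call once at server startup. */
  startup() {
    // A settings *function* has nothing to validate until a connection is known.
    if (!(this.settings instanceof Function)) {
      this.updateSettings();
    }
    this.scheduleUnlocksForLockedAccounts();
    this.unlockAccountsIfLockoutAlreadyExpired();
    this.hookIntoAccounts();
  }

  /**
   * Overlays `Meteor.settings['accounts-lockout'].unknownUsers` entries
   * (`[{ key, value }, ...]`) onto `this.settings`, then validates the result.
   */
  updateSettings() {
    const overrides = UnknownUser.unknownUsers();
    if (overrides) {
      // Arrow function on purpose: a plain `function` callback has an
      // undefined `this` in module code and would throw on `this.settings`.
      overrides.forEach(({ key, value }) => {
        this.settings[key] = value;
      });
    }
    this.validateSettings();
  }

  /**
   * @throws {Error} when `failuresBeforeLockout` is not a positive integer, or
   *   `lockoutPeriod` / `failureWindow` is not a positive finite number.
   */
  validateSettings() {
    const { failuresBeforeLockout, lockoutPeriod, failureWindow } = this.settings;
    // The attempt counter is an integer compared against this value, so a
    // string, NaN or fractional setting would silently weaken the policy.
    if (!Number.isInteger(failuresBeforeLockout) || failuresBeforeLockout <= 0) {
      throw new Error('"failuresBeforeLockout" is not positive integer');
    }
    if (!Number.isFinite(lockoutPeriod) || lockoutPeriod <= 0) {
      throw new Error('"lockoutPeriod" is not positive integer');
    }
    if (!Number.isFinite(failureWindow) || failureWindow <= 0) {
      throw new Error('"failureWindow" is not positive integer');
    }
  }

  /**
   * Re-arms an unlock timer for every record still locked at startup (timers
   * do not survive a restart). Delays are capped at one lockout period.
   */
  scheduleUnlocksForLockedAccounts() {
    const currentTime = Date.now();
    const lockedAccounts = this.AccountsLockoutCollection.find(
      {
        'services.accounts-lockout.unlockTime': { $gt: currentTime },
      },
      {
        // clientAddress must be projected as well: it is the key the unlock
        // timer updates by, and an undefined address would never clear the lock.
        fields: {
          clientAddress: 1,
          'services.accounts-lockout.unlockTime': 1,
        },
      },
    );
    // lockoutPeriod is in seconds while timers take milliseconds. When
    // settings is still an unresolved function there is no period to cap with.
    const { lockoutPeriod } = this.settings;
    const maxDelayMs = Number.isFinite(lockoutPeriod) ? lockoutPeriod * 1000 : Infinity;
    lockedAccounts.forEach((record) => {
      const remainingMs = UnknownUser.lockoutField(record, 'unlockTime') - currentTime;
      const delayMs = Math.max(1, Math.min(remainingMs, maxDelayMs));
      this.scheduleUnlock(record.clientAddress, delayMs);
    });
  }

  /**
   * Arms a one-shot server timer that clears the lockout for `clientAddress`.
   * @param {string} clientAddress
   * @param {number} delayMs
   */
  scheduleUnlock(clientAddress, delayMs) {
    Meteor.setTimeout(() => this.unlockAccount(clientAddress), delayMs);
  }

  /** Clears every record whose lock already expired while the server was down. */
  unlockAccountsIfLockoutAlreadyExpired() {
    const query = {
      'services.accounts-lockout.unlockTime': { $lt: Date.now() },
    };
    // Without `multi` only the first expired record would be cleared.
    this.AccountsLockoutCollection.update(
      query,
      UnknownUser.clearedLockoutModifier(),
      { multi: true },
    );
  }

  /** Registers the login validator and the successful-login reset hook. */
  hookIntoAccounts() {
    Accounts.validateLoginAttempt((loginInfo) => this.validateLoginAttempt(loginInfo));
    Accounts.onLogin((loginInfo) => this.onLogin(loginInfo));
  }

  /**
   * Accounts.validateLoginAttempt hook.
   *
   * Only password logins that failed with "User not found" are policed; any
   * other attempt is passed through unchanged. A policed attempt never
   * succeeds: it either raises "Too many attempts" (address currently locked,
   * or this failure reached the limit) or "User not found" carrying the
   * remaining attempt budget.
   *
   * @param {object} loginInfo - Meteor login attempt info
   * @returns {boolean} `loginInfo.allowed` for attempts that are not policed
   * @throws {Meteor.Error} 403 for every policed attempt
   */
  validateLoginAttempt(loginInfo) {
    // don't interrupt non-password logins
    if (
      loginInfo.type !== 'password' ||
      loginInfo.user !== undefined ||
      loginInfo.error === undefined ||
      loginInfo.error.reason !== 'User not found'
    ) {
      return loginInfo.allowed;
    }
    if (this.settings instanceof Function) {
      // NOTE(review): the function is replaced by its result on the first
      // policed attempt, so later connections reuse that result rather than
      // getting their own — confirm this is the intended semantics.
      this.settings = this.settings(loginInfo.connection);
      this.validateSettings();
    }
    const { connection } = loginInfo;
    const { clientAddress } = connection;
    const currentTime = Date.now();
    const maxAttemptsAllowed = this.settings.failuresBeforeLockout;

    // A still-locked address is rejected before any counter is touched, so
    // hammering a locked address can neither reset nor extend its window.
    const unlockTime = this.unlockTime(connection);
    if (unlockTime > currentTime) {
      return UnknownUser.tooManyAttempts(UnknownUser.secondsUntil(unlockTime, currentTime));
    }

    let failedAttempts = 1 + this.failedAttempts(connection);
    const firstFailedAttempt = this.firstFailedAttempt(connection);
    const windowExpired =
      (currentTime - firstFailedAttempt) > (1000 * this.settings.failureWindow);
    if (windowExpired) {
      // Also the path for the first failure ever seen from this address
      // (firstFailedAttempt is 0), which creates the record.
      failedAttempts = 1;
      this.resetAttempts(failedAttempts, clientAddress);
    } else if (failedAttempts < maxAttemptsAllowed) {
      this.incrementAttempts(failedAttempts, clientAddress);
    }

    // `>=` rather than `===`: a stale record whose counter already sits at
    // the limit must lock again instead of overshooting and never locking.
    if (failedAttempts >= maxAttemptsAllowed) {
      this.setNewUnlockTime(failedAttempts, clientAddress);
      const duration = Math.max(1, Math.ceil(this.settings.lockoutPeriod));
      return UnknownUser.tooManyAttempts(duration);
    }
    return UnknownUser.userNotFound(
      failedAttempts,
      maxAttemptsAllowed,
      maxAttemptsAllowed - failedAttempts,
    );
  }

  /**
   * Whole seconds from `currentTime` until `unlockTime`, never below 1.
   * @param {number} unlockTime - epoch ms
   * @param {number} currentTime - epoch ms
   * @returns {number}
   */
  static secondsUntil(unlockTime, currentTime) {
    return Math.max(1, Math.ceil((unlockTime - currentTime) / 1000));
  }

  /**
   * Upserts the given lockout fields on the record for `clientAddress`.
   * @param {string} clientAddress
   * @param {object} fields - keys are field names under services.accounts-lockout
   */
  writeLockoutFields(clientAddress, fields) {
    const $set = {};
    Object.keys(fields).forEach((name) => {
      $set[`services.accounts-lockout.${name}`] = fields[name];
    });
    this.AccountsLockoutCollection.upsert({ clientAddress }, { $set });
  }

  /**
   * Starts a fresh failure window for `clientAddress`.
   * @param {number} failedAttempts
   * @param {string} clientAddress
   */
  resetAttempts(
    failedAttempts,
    clientAddress,
  ) {
    const currentTime = Date.now();
    this.writeLockoutFields(clientAddress, {
      failedAttempts,
      lastFailedAttempt: currentTime,
      firstFailedAttempt: currentTime,
    });
  }

  /**
   * Records another failure inside the current window.
   * @param {number} failedAttempts
   * @param {string} clientAddress
   */
  incrementAttempts(
    failedAttempts,
    clientAddress,
  ) {
    this.writeLockoutFields(clientAddress, {
      failedAttempts,
      lastFailedAttempt: Date.now(),
    });
  }

  /**
   * Locks `clientAddress` for one lockout period and schedules its unlock.
   * @param {number} failedAttempts
   * @param {string} clientAddress
   */
  setNewUnlockTime(
    failedAttempts,
    clientAddress,
  ) {
    const currentTime = Date.now();
    const lockoutMs = 1000 * this.settings.lockoutPeriod;
    this.writeLockoutFields(clientAddress, {
      failedAttempts,
      lastFailedAttempt: currentTime,
      unlockTime: currentTime + lockoutMs,
    });
    this.scheduleUnlock(clientAddress, lockoutMs);
  }

  /**
   * Accounts.onLogin hook: a successful password login clears the address's
   * lock and counter.
   * @param {object} loginInfo
   */
  onLogin(loginInfo) {
    if (loginInfo.type !== 'password') {
      return;
    }
    this.clearLockout({ clientAddress: loginInfo.connection.clientAddress });
  }

  /**
   * Builds and throws the "User not found" 403 with the remaining budget.
   * @param {number} failedAttempts
   * @param {number} maxAttemptsAllowed
   * @param {number} attemptsRemaining
   * @throws {Meteor.Error} always
   */
  static userNotFound(
    failedAttempts,
    maxAttemptsAllowed,
    attemptsRemaining,
  ) {
    throw new Meteor.Error(
      403,
      'User not found',
      JSON.stringify({
        message: 'User not found',
        failedAttempts,
        maxAttemptsAllowed,
        attemptsRemaining,
      }),
    );
  }

  /**
   * Builds and throws the "Too many attempts" 403.
   * @param {number} duration - remaining lock time in whole seconds
   * @throws {Meteor.Error} always
   */
  static tooManyAttempts(duration) {
    throw new Meteor.Error(
      403,
      'Too many attempts',
      JSON.stringify({
        message: 'Wrong emails were submitted too many times. Account is locked for a while.',
        duration,
      }),
    );
  }

  /**
   * Reads `Meteor.settings['accounts-lockout'].unknownUsers`.
   * @returns {Array<{key: string, value: *}>|false} `false` when absent or falsy
   */
  static unknownUsers() {
    try {
      return Meteor.settings['accounts-lockout'].unknownUsers || false;
    } catch (e) {
      // Any missing level of the settings object simply means "not configured".
      return false;
    }
  }

  /**
   * Modifier that removes the lock and counter fields from a record.
   * @returns {object}
   */
  static clearedLockoutModifier() {
    return {
      $unset: {
        'services.accounts-lockout.unlockTime': 0,
        'services.accounts-lockout.failedAttempts': 0,
      },
    };
  }

  /**
   * Removes lock and counter from the record(s) matching `query`.
   * @param {object} query
   */
  clearLockout(query) {
    this.AccountsLockoutCollection.update(query, UnknownUser.clearedLockoutModifier());
  }

  /**
   * Reads one field of an already-fetched record's lockout sub-document.
   * @param {object|undefined} record
   * @param {string} field
   * @returns {*} the stored value, or 0 when the record or any level is missing/falsy
   */
  static lockoutField(record, field) {
    try {
      return record.services['accounts-lockout'][field] || 0;
    } catch (e) {
      return 0;
    }
  }

  /**
   * Looks the connection's record up and reads one lockout field from it.
   * @param {object} connection - anything carrying `clientAddress`
   * @param {string} field
   * @returns {*} see lockoutField
   */
  readLockoutField(connection, field) {
    return UnknownUser.lockoutField(this.findOneByConnection(connection), field);
  }

  /**
   * @param {object} connection - anything carrying `clientAddress`
   * @returns {object|undefined} the lockout record for that address
   */
  findOneByConnection(connection) {
    return this.AccountsLockoutCollection.findOne({
      clientAddress: connection.clientAddress,
    });
  }

  /** @returns {number} epoch ms the address unlocks at, or 0 when not locked */
  unlockTime(connection) {
    return this.readLockoutField(connection, 'unlockTime');
  }

  /** @returns {number} failures recorded in the current window, or 0 */
  failedAttempts(connection) {
    return this.readLockoutField(connection, 'failedAttempts');
  }

  /** @returns {number} epoch ms of the latest failure, or 0 */
  lastFailedAttempt(connection) {
    return this.readLockoutField(connection, 'lastFailedAttempt');
  }

  /** @returns {number} epoch ms the current failure window started at, or 0 */
  firstFailedAttempt(connection) {
    return this.readLockoutField(connection, 'firstFailedAttempt');
  }

  /**
   * Clears lock and counter for one address (unlock-timer callback).
   * @param {string} clientAddress
   */
  unlockAccount(clientAddress) {
    this.clearLockout({ clientAddress });
  }
}

export default UnknownUser;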