我对express-brute模块有疑问,我无法实现简单的实现(https://www.npmjs.com/package/express-brute)。
我实际上在部分路线中放置了保护,但它似乎不起作用。我在不到一分钟的时间内发出了 20 多次请求,但它没有阻止任何内容或阻止 ip。知道这应该如何运作吗?
安全.js
require('connect-flash');
module.exports = function(req, res, next) {
var ExpressBrute = require('express-brute'),
moment = require('moment'),
store;
store = new ExpressBrute.MemoryStore();
var failCallback = function(req, res, next, nextValidRequestDate) {
req.flash('error', "You've made too many failed attempts in a short period of time, please try again " + moment(nextValidRequestDate).fromNow());
// res.redirect('/login'); // brute force protection triggered, send them back to the login page
};
var handleStoreError = function(error) {
log.error(error); // log this error so we can figure out what went wrong
// cause node to exit, hopefully restarting the process fixes the problem
throw {
message: error.message,
parent: error.parent
};
}
// No more than 1000 login attempts per day per IP
var globalBruteforce = new ExpressBrute(store, {
freeRetries: 20,
attachResetToRequest: false,
refreshTimeoutOnRequest: false,
minWait: 25 * 60 * 60 * 1000, // 1 day 1 hour (should never reach this wait time)
maxWait: 25 * 60 * 60 * 1000, // 1 day 1 hour (should never reach this wait time)
lifetime: 24 * 60 * 60, // 1 day (seconds not milliseconds)
failCallback: failCallback,
handleStoreError: handleStoreError
});
return globalBruteforce;
}
app.js
var secure = require('./middleware/security');
var app = express();
var globalBruteforce = new secure();
app.use('/api', auth, globalBruteforce.prevent);
//more routes
拨打20次电话:
http://localhost:3000/api/user/systems
我实际上将代码放在系统路由中,但似乎不起作用,本地有任何成功的express-brute代码吗?
它只适用于直接托管的网站,而不是本地主机,正如我所见..
Express-brute 已过时,请使用 'rate-limiter-flexible/lib/ExpressBruteFlexible' 用于迁移https://github.com/animir/node-rate-limiter-flexible/wiki/ExpressBrute-migration