node.js - Node Sleep Command On Password Recovery - Prevent Account Harvesting -
i have pretty generic password recovery code asks email, , sends password link if email exists or prints message if doesn't. want prevent people trying efficiently harvest account data. understanding since node single-threaded, sleep block others actions. way prolong action of fetching user details (to full second).
app.post('/login/recover', function(req, res, next) { async.waterfall([ function(done) { // generate hash here }, function(token, done) { var genreset = function(user) { if (!user) { // sleep here!?!?!? req.flash('failuremessage', 'no account email address exists.'); return res.redirect('/login/recover'); } user.resetpasswordtoken = token; user.resetpasswordexpires = moment().add(1, 'hours').format(); // 1 hour //save user here } user_manager.getuserforemail(req.body.email, genreset); }, function(token, user, done) { // email here req.flash('successmessage', 'password link sent!'); done(null, 'done'); } ], function(err) { if (err) { return next(err); } res.redirect('/login/recover'); }); });
i assume trying keep people accessing endpoint frequently. sleep alone wouldn't accomplish that. attacker open hundreds of parallel requests.
you're better off limit access endpoint via ip address. keep map (js object) of ip addresses , number of times each address has accessed endpoint. if ip address has accessed endpoint more handful of times, disable access ip address. reset object , counters 0 once every few hours.
if still want implement sleep general pattern settimeout call.
function(done) { var dosomething = function() { //do here done(); }; settimeout(dosomething, 1000); }; 
Comments
Post a Comment