Ability to query status without incrementing #22

Open
zenorbi opened this issue Jun 30, 2015 · 5 comments

@zenorbi

zenorbi commented Jun 30, 2015

I have a server where clients authenticate themselves with tokens. I want to make sure nobody tries sending random tokens to find a working one. Random is the keyword, as I want to allow multiple requests using the same valid token. I cannot just reset upon a valid token, as the attacker could easily create a token for itself, try breaking in, but at the last attempt before protection kicks in use its valid token.

My solution would be:
1: query if I can check that the token is valid
1.1: if I can't, just reject the request
1.2: if I can, check that the token is valid
1.2.1: if valid, allow in, do nothing with the brute
1.2.2: if it isn't valid, increment the brute counter

tl;dr: I would like a method where I can just query the state, and I would like to manually increment the request count.
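The flow in steps 1 to 1.2.2 above, written out as an added example that is not part of the original thread and is not express-brute's API. `FailureLimiter`, `isBlocked`, `recordFailure` and `checkToken` are hypothetical names, the store is an in-memory `Map`, and the per-client key (for example the source IP) is an assumption.

```javascript
// Added example: hypothetical in-memory limiter, NOT express-brute's API.
// It counts only failed token checks and never resets on a valid token.
class FailureLimiter {
  constructor({ maxFailures = 5, windowMs = 60000, now = Date.now } = {}) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.now = now;              // injectable clock, useful for testing
    this.failures = new Map();   // key -> { count, firstFailureAt }
  }

  // Status query: never increments the failure counter.
  isBlocked(key) {
    const entry = this.failures.get(key);
    if (!entry) return false;
    if (this.now() - entry.firstFailureAt >= this.windowMs) {
      this.failures.delete(key); // window expired, drop the stale entry
      return false;
    }
    return entry.count >= this.maxFailures;
  }

  // Manual increment: called only after a token failed validation.
  recordFailure(key) {
    const t = this.now();
    const entry = this.failures.get(key);
    if (!entry || t - entry.firstFailureAt >= this.windowMs) {
      this.failures.set(key, { count: 1, firstFailureAt: t });
    } else {
      entry.count += 1;
    }
  }
}

// clientKey identifies the sender (assumed: source IP);
// isValidToken is the application's own token check.
function checkToken(limiter, clientKey, token, isValidToken) {
  if (limiter.isBlocked(clientKey)) return "rejected"; // step 1.1
  if (isValidToken(token)) return "allowed";           // step 1.2.1: counter untouched
  limiter.recordFailure(clientKey);                    // step 1.2.2
  return "denied";
}
```

With a shared external store the query and the increment are two separate operations, so concurrent requests from one client can slip a few guesses past the limit unless the store performs them atomically.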

@AdamPflug
Owner

My first inclination was to have a .decrement method that you could call instead of .reset on valid requests - but two trips to the persistent store is a bit messy. Maybe a better option is just letting you specify an autoincrement: false or something, then have an increment method you could call manually. Let me noodle on this a bit more and see if I can come up with a better solution.

@Martii

Martii commented Apr 14, 2016

@AdamPflug

Just wanted to chime in here with my 2 pennies.

First off this package is SUPER TERRIFIC!

and then some thoughts on this issue with responses.

> two trips to the persistent store is a bit messy

Agreed.

> Maybe a better option is just letting you specify an autoincrement: false or something, then have an increment method you could call manually.

We could benefit from this as a pre-filter option (on routing)... although we're probably going to put something before express-brute as that pre-filter... but this would add to this package's already flexible nature if added.

Thank you from the entire OUJS team for your great contribution!

@hugoduraes

@AdamPflug have you ever implemented the autoincrement option alongside the increment method?

@ManuZenou

@AdamPflug

> My first inclination was to have a .decrement method that you could call instead of .reset on valid requests - but two trips to the persistent store is a bit messy. Maybe a better option is just letting you specify an autoincrement: false or something, then have an increment method you could call manually. Let me noodle on this a bit more and see if I can come up with a better solution.

Was this implemented?

@AdamPflug
Owner

@ManuZenou no, not yet. I'm open for pull requests though.
