188 lines
5.5 KiB
TypeScript
188 lines
5.5 KiB
TypeScript
// Simple in-memory rate limiting (for production, consider Redis or database)
|
|
const loginAttempts = new Map<string, { count: number; lastAttempt: number }>();
|
|
const blockedIPs = new Map<string, number>(); // IP -> blocked until timestamp
|
|
|
|
export const checkRateLimit = (ip: string): { allowed: boolean; attemptsLeft: number } => {
|
|
const now = Date.now();
|
|
const maxAttempts = 5;
|
|
const windowMs = 15 * 60 * 1000; // 15 minutes
|
|
const blockDurationMs = 60 * 60 * 1000; // 1 hour
|
|
|
|
// Check if IP is currently blocked
|
|
const blockedUntil = blockedIPs.get(ip);
|
|
if (blockedUntil && now < blockedUntil) {
|
|
return { allowed: false, attemptsLeft: 0 };
|
|
}
|
|
|
|
// Remove expired block
|
|
if (blockedUntil && now >= blockedUntil) {
|
|
blockedIPs.delete(ip);
|
|
}
|
|
|
|
// Get current attempts for this IP
|
|
const attempts = loginAttempts.get(ip);
|
|
|
|
// Clean up old attempts outside the window
|
|
if (attempts && (now - attempts.lastAttempt) > windowMs) {
|
|
loginAttempts.delete(ip);
|
|
return { allowed: true, attemptsLeft: maxAttempts };
|
|
}
|
|
|
|
const currentCount = attempts?.count || 0;
|
|
|
|
if (currentCount >= maxAttempts) {
|
|
// Block the IP
|
|
blockedIPs.set(ip, now + blockDurationMs);
|
|
console.warn(`🚨 IP ${ip} blocked due to ${currentCount} failed login attempts`);
|
|
return { allowed: false, attemptsLeft: 0 };
|
|
}
|
|
|
|
return { allowed: true, attemptsLeft: maxAttempts - currentCount };
|
|
};
|
|
|
|
export const recordFailedAttempt = (ip: string): void => {
|
|
const now = Date.now();
|
|
const attempts = loginAttempts.get(ip);
|
|
|
|
if (attempts) {
|
|
attempts.count += 1;
|
|
attempts.lastAttempt = now;
|
|
} else {
|
|
loginAttempts.set(ip, { count: 1, lastAttempt: now });
|
|
}
|
|
|
|
const newCount = loginAttempts.get(ip)?.count || 1;
|
|
console.warn(`⚠️ Failed login attempt from ${ip} (${newCount}/5)`);
|
|
};
|
|
|
|
export const clearFailedAttempts = (ip: string): void => {
|
|
loginAttempts.delete(ip);
|
|
blockedIPs.delete(ip);
|
|
console.log(`✅ Cleared failed attempts for ${ip}`);
|
|
};
|
|
|
|
// Input validation
|
|
export const validateLoginInput = (username: string, password: string): string[] => {
|
|
const errors: string[] = [];
|
|
|
|
if (!username || typeof username !== 'string') {
|
|
errors.push('Username is required');
|
|
} else if (username.length < 2) {
|
|
errors.push('Username must be at least 2 characters');
|
|
} else if (username.length > 100) {
|
|
errors.push('Username is too long');
|
|
}
|
|
|
|
if (!password || typeof password !== 'string') {
|
|
errors.push('Password is required');
|
|
} else if (password.length < 6) {
|
|
errors.push('Password must be at least 6 characters');
|
|
} else if (password.length > 200) {
|
|
errors.push('Password is too long');
|
|
}
|
|
|
|
// Basic sanitization check
|
|
const dangerousChars = /<script|javascript:|data:|vbscript:/i;
|
|
if (dangerousChars.test(username) || dangerousChars.test(password)) {
|
|
errors.push('Invalid characters detected');
|
|
}
|
|
|
|
return errors;
|
|
};
|
|
|
|
// Get client IP helper
|
|
export const getClientIP = (event: any): string => {
|
|
// Try various headers that might contain the real IP
|
|
const headers = getHeaders(event);
|
|
|
|
return (
|
|
headers['x-forwarded-for']?.split(',')[0]?.trim() ||
|
|
headers['x-real-ip'] ||
|
|
headers['x-client-ip'] ||
|
|
headers['cf-connecting-ip'] || // Cloudflare
|
|
event.node?.req?.connection?.remoteAddress ||
|
|
event.node?.req?.socket?.remoteAddress ||
|
|
'unknown'
|
|
);
|
|
};
|
|
|
|
// Clean up old entries periodically (call this from a cron job or similar)
|
|
export const cleanupOldEntries = (): void => {
|
|
const now = Date.now();
|
|
const windowMs = 15 * 60 * 1000; // 15 minutes
|
|
|
|
// Clean up old login attempts
|
|
for (const [ip, attempts] of loginAttempts.entries()) {
|
|
if ((now - attempts.lastAttempt) > windowMs) {
|
|
loginAttempts.delete(ip);
|
|
}
|
|
}
|
|
|
|
// Clean up expired blocks
|
|
for (const [ip, blockedUntil] of blockedIPs.entries()) {
|
|
if (now >= blockedUntil) {
|
|
blockedIPs.delete(ip);
|
|
}
|
|
}
|
|
|
|
console.log('🧹 Cleaned up old security entries');
|
|
};
|
|
|
|
// Password validation function
|
|
export const validatePassword = (password: string): { isValid: boolean; errors: string[] } => {
|
|
const errors: string[] = [];
|
|
|
|
if (!password || typeof password !== 'string') {
|
|
errors.push('Password is required');
|
|
return { isValid: false, errors };
|
|
}
|
|
|
|
if (password.length < 8) {
|
|
errors.push('Password must be at least 8 characters long');
|
|
}
|
|
|
|
if (password.length > 128) {
|
|
errors.push('Password must not exceed 128 characters');
|
|
}
|
|
|
|
if (!/[A-Z]/.test(password)) {
|
|
errors.push('Password must contain at least one uppercase letter');
|
|
}
|
|
|
|
if (!/[a-z]/.test(password)) {
|
|
errors.push('Password must contain at least one lowercase letter');
|
|
}
|
|
|
|
if (!/[0-9]/.test(password)) {
|
|
errors.push('Password must contain at least one number');
|
|
}
|
|
|
|
// Optional: require special characters
|
|
// if (!/[^A-Za-z0-9]/.test(password)) {
|
|
// errors.push('Password must contain at least one special character');
|
|
// }
|
|
|
|
// Check for common weak patterns
|
|
const commonPatterns = [
|
|
/(.)\1{2,}/i, // Three or more consecutive identical characters
|
|
/123456|654321|abcdef|qwerty|password|admin|login/i, // Common weak passwords
|
|
];
|
|
|
|
for (const pattern of commonPatterns) {
|
|
if (pattern.test(password)) {
|
|
errors.push('Password contains common patterns that make it weak');
|
|
break;
|
|
}
|
|
}
|
|
|
|
return {
|
|
isValid: errors.length === 0,
|
|
errors
|
|
};
|
|
};
|
|
|
|
// Initialize cleanup interval (runs every 5 minutes)
|
|
if (typeof setInterval !== 'undefined') {
|
|
setInterval(cleanupOldEntries, 5 * 60 * 1000);
|
|
}
|