Meteor - Accounts - Lockout

What it is

Seamless protection of Meteor app accounts against password brute-force attacks. Users won't notice it. Hackers shall not pass.

Installation

meteor add lucasantoniassi:accounts-lockout

Usage via ES6 import

// server
import { AccountsLockout } from 'meteor/lucasantoniassi:accounts-lockout';

How to use

Default settings:

{
  "knownUsers": {
    "failuresBeforeLockout": 3, // positive integer greater than 0
    "lockoutPeriod": 60, // in seconds
    "failureWindow": 10 // in seconds
  },
  "unknownUsers": {
    "failuresBeforeLockout": 3, // positive integer greater than 0
    "lockoutPeriod": 60, // in seconds
    "failureWindow": 10 // in seconds
  }
}

knownUsers are users that already belong to your Meteor.users collection; these rules apply when someone attempts to log in with a known email but an incorrect password.

unknownUsers are users that do not belong to your Meteor.users collection; these rules apply when someone attempts to log in with an unknown email.

failuresBeforeLockout should be a positive integer greater than 0.

lockoutPeriod should be in seconds.

failureWindow should be in seconds.

If the defaults suit you, this is all you need:

(new AccountsLockout()).startup();

You can override the defaults by passing an object as the argument.

(new AccountsLockout({
  knownUsers: {
    failuresBeforeLockout: 3,
    lockoutPeriod: 60,
    failureWindow: 15,
  },
  unknownUsers: {
    failuresBeforeLockout: 3,
    lockoutPeriod: 60,
    failureWindow: 15,
  },
})).startup();

If you prefer, you can pass a function as argument.

const knownUsersRules = (user) => {
  // apply some logic with this user, then return the rules for it
  // (the values below are just the defaults)
  return {
    failuresBeforeLockout: 3,
    lockoutPeriod: 60,
    failureWindow: 10,
  };
};

const unknownUsersRules = (connection) => {
  // apply some logic with this connection, then return the rules for it
  // (the values below are just the defaults)
  return {
    failuresBeforeLockout: 3,
    lockoutPeriod: 60,
    failureWindow: 10,
  };
};

(new AccountsLockout({
  knownUsers: knownUsersRules,
  unknownUsers: unknownUsersRules,
})).startup();
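To make the meaning of the three rule values and the function form concrete, here is an added, stand-alone model of the policy this package configures. It is not the package's own code: how the package counts failures internally is assumed here from the README's description (failures are counted inside a sliding failureWindow; reaching failuresBeforeLockout failures inside that window locks the account for lockoutPeriod seconds). The LockoutTracker and simulate names, the injected clock, and the attempt sequences are all constructed for the example.

```javascript
// Added example modelling the lockout policy; NOT the package's own code.
// Assumed semantics (from the README):
//  - failures are counted inside a sliding `failureWindow` (seconds);
//  - `failuresBeforeLockout` failures inside that window lock the account
//    for `lockoutPeriod` seconds;
//  - rules are either a fixed object or a function computing them per user.
class LockoutTracker {
  constructor(rules, now = () => Date.now()) {
    this.rules = typeof rules === 'function' ? rules : () => rules;
    this.now = now; // injectable clock (milliseconds) so the example is testable
    this.state = new Map(); // key -> { failures: [ms, ...], lockedUntil: ms | null }
  }

  // Resolve the rules for this user and reject values the README forbids.
  rulesFor(user) {
    const r = this.rules(user);
    if (!Number.isInteger(r.failuresBeforeLockout) || r.failuresBeforeLockout < 1) {
      throw new Error('failuresBeforeLockout must be a positive integer');
    }
    if (!(r.lockoutPeriod > 0) || !(r.failureWindow > 0)) {
      throw new Error('lockoutPeriod and failureWindow must be positive seconds');
    }
    return r;
  }

  // Seconds of lockout remaining for this key, or 0 if a login may proceed.
  lockedFor(key) {
    const s = this.state.get(key);
    if (!s || s.lockedUntil === null) return 0;
    const remaining = s.lockedUntil - this.now();
    if (remaining <= 0) {
      // lockout expired: start with a clean failure history
      s.lockedUntil = null;
      s.failures = [];
      return 0;
    }
    return Math.ceil(remaining / 1000);
  }

  // Record one failed attempt; returns true if this failure triggered a lockout.
  recordFailure(key, user) {
    const r = this.rulesFor(user);
    const t = this.now();
    const s = this.state.get(key) || { failures: [], lockedUntil: null };
    // drop failures that have slid out of the window
    s.failures = s.failures.filter((ts) => t - ts < r.failureWindow * 1000);
    s.failures.push(t);
    if (s.failures.length >= r.failuresBeforeLockout) {
      s.lockedUntil = t + r.lockoutPeriod * 1000;
      s.failures = [];
    }
    this.state.set(key, s);
    return s.lockedUntil !== null;
  }

  // A successful login clears the failure history for that key.
  recordSuccess(key) {
    this.state.delete(key);
  }
}

// Replay a constructed sequence of attempts against a fake clock.
// Each step is [secondsOffset, 'fail' | 'ok']; returns a human-readable log.
function simulate(rules, steps, user = { username: 'alice' }) {
  let clock = 0;
  const tracker = new LockoutTracker(rules, () => clock * 1000);
  const log = [];
  for (const [at, outcome] of steps) {
    clock = at;
    const blocked = tracker.lockedFor(user.username);
    if (blocked > 0) {
      log.push(`t=${at}s blocked (${blocked}s left)`);
    } else if (outcome === 'ok') {
      tracker.recordSuccess(user.username);
      log.push(`t=${at}s login ok`);
    } else {
      const locked = tracker.recordFailure(user.username, user);
      log.push(`t=${at}s failure${locked ? ' -> locked' : ''}`);
    }
  }
  return log;
}

// Walk through the defaults: the first two failures at t=0 and t=4 slide out of
// the 10-second window before the third one lands, so the lock only triggers
// at t=13 and holds until t=73.
const defaults = { failuresBeforeLockout: 3, lockoutPeriod: 60, failureWindow: 10 };
const trace = simulate(defaults, [[0, 'fail'], [4, 'fail'], [12, 'fail'], [13, 'fail'], [14, 'fail'], [80, 'fail'], [81, 'ok']]);
trace.forEach((line) => console.log(line));
```

The function form works the same way: pass `(user) => ({ ... })` instead of the object and the tracker evaluates it on every failure, so a stricter limit for privileged accounts is a one-line change in that function rather than a second tracker.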

If you prefer, you can use Meteor.settings; values set there override any of the previous configurations.

"accounts-lockout": {
  "knownUsers": {
    "failuresBeforeLockout": 3,
    "lockoutPeriod": 60,
    "failureWindow": 10
  },
  "unknownUsers": {
    "failuresBeforeLockout": 3,
    "lockoutPeriod": 60,
    "failureWindow": 10
  }
}

License

This package is open-sourced software licensed under the MIT license.