Throttle failed logins by target userid as well as IP

smogon · Apr 6, 2024 · 3fcde7d · 3fcde7d
1 parent 9e57116
commit 3fcde7d
Show file tree

Hide file tree

Showing 4 changed files with 44 additions and 4 deletions.
diff --git a/src/actions.ts b/src/actions.ts
@@ -686,7 +686,7 @@ export const actions: {[k: string]: QueryHandler} = {
 		}
 		let teams = [];
 		try {
-			teams = await tables.teams.selectAll<any>(
+			teams = await tables.teams.selectAll(
 				SQL`teamid, team, format, title as name`
 			)`WHERE ownerid = ${this.user.id}`;
 		} catch (e) {
@@ -717,7 +717,7 @@ export const actions: {[k: string]: QueryHandler} = {
 			throw new ActionError("Invalid team ID");
 		}
 		try {
-			const data = await tables.teams.selectOne<any>(
+			const data = await tables.teams.selectOne(
 				SQL`ownerid, team, private as privacy`
 			)`WHERE teamid = ${teamid}`;
 			if (!data || data.ownerid !== this.user.id) {

diff --git a/src/schemas/ntbb-loginattempts.sql b/src/schemas/ntbb-loginattempts.sql
@@ -0,0 +1,8 @@
+CREATE TABLE `ntbb_loginattempts` (
+  `count` int(11) NOT NULL,
+  `userid` varchar(63) COLLATE utf8mb4_bin NOT NULL,
+  `time` int(11) NOT NULL,
+  PRIMARY KEY (`userid`),
+  KEY `count` (`count`),
+  KEY `time` (`time`)
+) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_bin;
diff --git a/src/tables.ts b/src/tables.ts
@@ -96,6 +96,12 @@ export const loginthrottle = psdb.getTable<{
 	lastuserid: string;
 }>('loginthrottle', 'ip');
 
+export const loginattempts = psdb.getTable<{
+	count: number;
+	time: number;
+	userid: number;
+}>('loginattempts', 'userid');
+
 export const usermodlog = psdb.getTable<{
 	entryid: number;
 	userid: string;

diff --git a/src/user.ts b/src/user.ts
@@ -14,7 +14,9 @@ import * as gal from 'google-auth-library';
 import {SQL} from './database';
 import {ActionError, ActionContext} from './server';
 import {toID, time, signAsync} from './utils';
-import {ladder, loginthrottle, sessions, users, usermodlog} from './tables';
+import {
+	ladder, loginthrottle, loginattempts, sessions, users, usermodlog,
+} from './tables';
 
 const SID_DURATION = 2 * 7 * 24 * 60 * 60;
 const LOGINTIME_INTERVAL = 24 * 60 * 60;
@@ -251,7 +253,7 @@ export class Session {
 			}
 			const userstate = await users.get(userid);
 			if (userstate) {
-				if (userstate.banstate >= 100 || ((userstate as any).password && userstate.nonce)) {
+				if (userstate.banstate >= 100 || ((userstate).password && userstate.nonce)) {
 					return ';;Your username is no longer available.';
 				}
 				if (userstate.email?.endsWith('@')) {
@@ -356,6 +358,22 @@ export class Session {
 	async passwordVerify(name: string, pass: string) {
 		const ip = this.context.getIp();
 		const userid = toID(name);
+		let attempts = await loginattempts.get(userid);
+		if (attempts) {
+			// too many attempts, no valid login session from that ip on that userid
+			if (attempts.count >= 500 && !(await sessions.selectOne()`WHERE ip = ${ip} AND userid = ${userid}`)) {
+				attempts.count++;
+				await attempts.update(userid, {time: time(), count: attempts.count});
+				throw new ActionError(
+					`Too many unrecognized login attempts have been made against this account. Please try again later.`
+				);
+			} else if (attempts.time + 24 * 60 * 60 < time()) {
+				attempts = {
+					time: time(),
+					count: 0,
+				};
+			}
+		}
 		let throttleTable = await loginthrottle.get(
 			ip, ['count', 'time']
 		) as {count: number; time: number} || null;
@@ -410,6 +428,14 @@ export class Session {
 						ip, count: 1, lastuserid: userid, time: time(),
 					});
 				}
+				if (attempts) {
+					attempts.count++;
+					await attempts.update(userid, {
+						count: attempts.count, time: time(),
+					});
+				} else {
+					await attempts.insert({userid, ip, time: time()});
+				}
 				return false;
 			}
 			// i don't know how often this is actually necessary. so let's make this configurable.