Postleaf / postleaf

Simple, beautiful publishing with Node.js.
https://www.postleaf.org/
MIT License
505 stars 204 forks

Security: brute force attack #103

Open kylechine opened 5 years ago

kylechine commented 5 years ago

An auth log is needed for defending against brute force attacks.

I've read the code at:

No login-attempts log action was found. If I am wrong, please forgive me, but this could be a problem for brute force attacks.

Ideally, the system should provide a login-attempts failure counter to block an IP that has attempted too many times. Or at least provide an auth log so that other software like fail2ban can do so.

Thanks for your beautiful work!

claviska commented 5 years ago

Your observation is correct. I omitted that from the software layer because rate limiting is easy enough to configure on one's server. However, it would still be helpful to log failed attempts, so I'll leave this open for comments.
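
As an added example (not Postleaf's own code), this is what the per-IP failure counter and the fail2ban-readable auth log proposed above could look like in Node.js; the thresholds, the log line format, the `LoginGuard` name and the sample IP addresses are assumptions.

```javascript
// Added example, not part of Postleaf. In-memory failed-login tracker that
// (1) locks out an IP after too many failures inside a sliding window and
// (2) writes one auth-log line per failure that a fail2ban filter can match,
// e.g. failregex = postleaf auth: (Failed login|Locked out) for user '.*' from <HOST>
const MAX_FAILURES = 5;            // assumed: lock out after this many failures...
const WINDOW_MS = 15 * 60 * 1000;  // ...within this sliding window
const LOCKOUT_MS = 15 * 60 * 1000; // assumed lockout duration

class LoginGuard {
  constructor(log = console.log) {
    this.attempts = new Map(); // ip -> { failures: [timestamps], lockedUntil }
    this.log = log;            // sink for auth-log lines (stdout, syslog, file)
  }

  // True while the IP is locked out; also expires stale state for that IP.
  isLocked(ip, now = Date.now()) {
    const entry = this.attempts.get(ip);
    if (!entry) return false;
    if (entry.lockedUntil && now < entry.lockedUntil) return true;
    entry.failures = entry.failures.filter((t) => now - t < WINDOW_MS);
    entry.lockedUntil = 0;
    if (entry.failures.length === 0) this.attempts.delete(ip);
    return false;
  }

  // Record one failed login; returns true if the IP is now locked out.
  // A failure during an active lockout extends the lockout.
  recordFailure(ip, username, now = Date.now()) {
    this.isLocked(ip, now); // prune expired failures first
    const entry = this.attempts.get(ip) || { failures: [], lockedUntil: 0 };
    entry.failures.push(now);
    if (entry.failures.length >= MAX_FAILURES) entry.lockedUntil = now + LOCKOUT_MS;
    this.attempts.set(ip, entry);
    this.log(formatAuthLine(ip, username, entry.lockedUntil > 0, now));
    return entry.lockedUntil > 0;
  }

  // A successful login clears the counter for that IP.
  recordSuccess(ip) { this.attempts.delete(ip); }
}

// One log line per failure. The username is reduced to a safe character set so
// a crafted username cannot inject newlines or fake a second log record.
function formatAuthLine(ip, username, locked, now) {
  const when = new Date(now).toISOString();
  const what = locked ? 'Locked out' : 'Failed login';
  const safeUser = String(username).replace(/[^\w.@-]/g, '?');
  return `${when} postleaf auth: ${what} for user '${safeUser}' from ${ip}`;
}
```

Wire `recordFailure` / `recordSuccess` into the login handler and check `isLocked` before verifying the password; pointing fail2ban at the log sink gives the network-level ban as well.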

ovidiucp commented 4 years ago

This project appears to be dead, big bummer!

In any case, it would probably make sense to delegate the authentication to a third-party system like Google, Facebook etc., and have something like oauth2_proxy handle the user authentication.

claviska commented 4 years ago

> In any case, it would probably make sense to delegate the authentication to a third-party system like Google, Facebook etc., and have something like oauth2_proxy handle the user authentication.

That would defeat the purpose of Postleaf being a decentralized publishing platform.

> This project appears to be dead, big bummer!

Dev is paused for a while due to lack of interest and other obligations. I will revisit it when the time is right.

kylechine commented 4 years ago

@claviska I love this project. Don't give it up!

M8inC commented 4 years ago

@claviska I agree with @kylechine!