Anyone have a solution for locking out their user accounts if there are too many attempts with the wrong password? I have tried easy-security, but it was buggy when I had more than one tab open with the same user logged in. Oh, and I really don't need anything terribly fancy. I'm looking for a good way to lock out an account, let the user know they are locked out (after 3 bad attempts) and then reset at x minutes so the user can try again.
Luca of meteor-useraccounts commented on this on github as well. His solution works, but it doesn't let the user know their account is locked out until they use the correct password, which isn't an expected behavior. Also, as far as I can tell there is no automatic resetting of the lock.
Here is what he has in his post; maybe someone could suggest an edit to accomplish the above.
// Validator 1: collapse "User not found" and "Incorrect password" into one
// generic error so a failed login does not reveal whether the account exists.
Accounts.validateLoginAttempt(function (attempt) {
  if (attempt.error) {
    var reason = attempt.error.reason;
    if (reason === "User not found" || reason === "Incorrect password") {
      throw new Meteor.Error(403, "Login forbidden");
    }
  }
  return attempt.allowed;
});

// Validator 2: deny the login once the stored counter reaches the limit.
// Note that it bails out early when an earlier validator already rejected
// the attempt, so "Account locked!" is only raised on an otherwise-valid login.
Accounts.validateLoginAttempt(function (attempt) {
  if (!attempt.allowed) {
    return false;
  }
  // Possibly denies the access...
  if (attempt.user && attempt.user.failedLogins >= 2) { // CHANGE ME!
    throw new Meteor.Error(403, "Account locked!");
  }
  return true;
});

// Successful login: reset the number of failed login attempts.
Accounts.onLogin(function (attempt) {
  Meteor.users.update(attempt.user._id, { $set: { failedLogins: 0 } });
});

// Failed login: increment the counter, but only for the generic
// "Login forbidden" error produced by validator 1 (a known user, wrong password).
Accounts.onLoginFailure(function (attempt) {
  if (attempt.user && attempt.error.reason === "Login forbidden") {
    Meteor.users.update(attempt.user._id, { $inc: { failedLogins: 1 } });
  }
});
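One way to get the three behaviours asked for above (lock after 3 bad attempts, tell the user on the very next attempt that they are locked, and let the lock expire after x minutes), as an added example that is not code from the original post or from meteor-useraccounts. It assumes a hypothetical `loginLock` sub-document on the user record and illustrative policy constants; the lock bookkeeping is kept in plain functions so it can be tested outside Meteor, and the hooks at the bottom only register when the `Accounts` and `Meteor` globals exist.

```javascript
// Example code, not from the original post or the meteor-useraccounts package.
// Assumption: user documents carry a `loginLock` field shaped
//   { failures: Number, lockedUntil: Date|null, lastFailureAt: Date }
// (hypothetical field name; the policy values below are illustrative).
const LOCK_POLICY = Object.freeze({
  maxFailures: 3,   // lock after this many consecutive bad passwords
  lockMinutes: 15,  // how long the lock lasts ("x minutes" in the question)
});

// Derive the current lock state from the stored record and the clock.
// An expired lock is treated as a clean slate, which is the automatic reset.
function lockState(user, now = Date.now()) {
  const lock = (user && user.loginLock) || {};
  const failures = lock.failures || 0;
  const until = lock.lockedUntil ? new Date(lock.lockedUntil).getTime() : 0;
  if (until > now) {
    return { locked: true, failures, remainingMs: until - now };
  }
  return { locked: false, failures: until ? 0 : failures, remainingMs: 0 };
}

// Compute the new `loginLock` value after one more failed password.
// Returns the object to $set; does not touch the database itself.
function recordFailure(user, now = Date.now(), policy = LOCK_POLICY) {
  const state = lockState(user, now);
  if (state.locked) {
    // Attempts made while locked neither count nor extend the lock.
    return user.loginLock;
  }
  const failures = state.failures + 1;
  const lockedUntil = failures >= policy.maxFailures
    ? new Date(now + policy.lockMinutes * 60 * 1000)
    : null;
  return { failures, lockedUntil, lastFailureAt: new Date(now) };
}

// Human-readable reason handed back to the client in the Meteor.Error.
function lockMessage(state) {
  const minutes = Math.max(1, Math.ceil(state.remainingMs / 60000));
  return `Account locked after too many failed logins. Try again in ${minutes} minute(s).`;
}

// Meteor wiring (server side). Guarded so the file also loads under plain Node.
if (typeof Accounts !== 'undefined' && typeof Meteor !== 'undefined') {
  Accounts.validateLoginAttempt(function (attempt) {
    // Check the lock BEFORE looking at attempt.error, so a locked user is told
    // they are locked whether or not the password they just typed was right.
    if (attempt.user) {
      const state = lockState(attempt.user);
      if (state.locked) {
        throw new Meteor.Error(403, lockMessage(state));
      }
    }
    return attempt.allowed;
  });

  Accounts.onLoginFailure(function (attempt) {
    if (!attempt.user) return; // unknown username: nothing to count against
    const reason = (attempt.error && attempt.error.reason) || '';
    if (reason.indexOf('Account locked') === 0) return; // already locked; leave it alone
    Meteor.users.update(attempt.user._id, {
      $set: { loginLock: recordFailure(attempt.user) },
    });
  });

  Accounts.onLogin(function (attempt) {
    // Correct password while not locked: clear the counter entirely.
    Meteor.users.update(attempt.user._id, { $unset: { loginLock: '' } });
  });
}
```

Two caveats worth keeping in mind with any per-account lockout: anyone who knows a username can deliberately lock that account out by sending three bad passwords, so keep `lockMinutes` short and pair this with per-connection throttling rather than relying on it alone; and the `lockedUntil` comparison uses the server clock, so a client cannot shorten the lock by lying about the time.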