Possible to lock a user out for X minutes after X login attempts?

I see this:

By default, there are rules added to the DDPRateLimiter that rate limit logins, new user registration and password reset calls to a limit of 5 requests per 10 seconds per session. These are a basic solution to dictionary attacks where a malicious user attempts to guess the passwords of legitimate users by attempting all possible passwords.

These rate limiting rules can be removed by calling Accounts.removeDefaultRateLimit(). Please see the DDPRateLimiter docs for more information.

Has anyone ever set up a basic lockout after X login attempts?

You can’t call Accounts.removeDefaultRateLimit() from client side.

1 Like

That wasn’t really the question. Or maybe I’m misunderstanding your answer.

1 Like

Just use the validateLoginAttempt function to check how many times a user tries to log in. Update the database whenever they fail to log in. Here’s an example that I’ve used in my app. The only thing that would be changed is to save the loginTime as well. Check if they have exceeded loginAttempts and that they have been locked out for X minutes before allowing them to log in again.

import { Meteor } from 'meteor/meteor';
import { Accounts } from 'meteor/accounts-base';

Accounts.validateLoginAttempt(({ user, error }) => {
  if (!user) {
    return false;
  }

  // default to 0 for users who have never failed a login (field not yet set)
  let failedAttempts = user.numLoginAttempts || 0;
  let loginAllowed = false;

  // refuse the attempt while locked, whether or not the password was correct,
  // otherwise a locked account could still be logged into with the right password
  if (failedAttempts > 5) {
    throw new Meteor.Error(403, 'For security measures, your account has been locked due to many failed login attempts. Please reset your password through email.');
  }

  if (error && error.error === 403) {
    // wrong password: increment the failed attempts counter
    failedAttempts += 1;
    loginAllowed = false;
  } else {
    // successful login: reset the counter to 0
    failedAttempts = 0;
    loginAllowed = true;
  }

  Meteor.users.update(user._id, {
    $set: {
      numLoginAttempts: failedAttempts,
    },
  });

  return loginAllowed;
});

5 Likes
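The time-based part the answer above leaves out (store when the last failure happened so the lock expires after X minutes), written as an added example that is not from the original post; the policy function is plain JavaScript and runs anywhere, while the Meteor hook wiring and the field names numLoginAttempts/lastFailedAt are assumptions shown only in a comment.

```javascript
// Added example: lockout policy with an expiring window. Thresholds are
// assumed values, not anything from the thread.
const POLICY = { maxAttempts: 5, lockMinutes: 15 };

// state: fields stored on the user document ({ numLoginAttempts, lastFailedAt }).
// failed: true when the credential check failed (error.error === 403 in Meteor).
// now: current time in ms. Returns { allowed, lockedUntil, nextState }.
function evaluateLoginAttempt(state, failed, now, policy = POLICY) {
  const attempts = state.numLoginAttempts || 0;
  const lastFailedAt = state.lastFailedAt || 0;
  const lockMs = policy.lockMinutes * 60 * 1000;
  const lockedUntil = attempts >= policy.maxAttempts ? lastFailedAt + lockMs : 0;

  if (lockedUntil > now) {
    // Still locked: refuse even a correct password, and leave the stored
    // state untouched so further guesses do not extend the window.
    return { allowed: false, lockedUntil, nextState: state };
  }
  if (failed) {
    // Below the threshold, or a previous lock has expired (fresh count).
    const next = (lockedUntil ? 0 : attempts) + 1;
    const locksNow = next >= policy.maxAttempts ? now + lockMs : 0;
    return { allowed: false, lockedUntil: locksNow,
      nextState: { numLoginAttempts: next, lastFailedAt: now } };
  }
  // Successful login outside a lock window: reset the counter.
  return { allowed: true, lockedUntil: 0,
    nextState: { numLoginAttempts: 0, lastFailedAt: 0 } };
}

// Meteor wiring (assumed, not executed here):
// Accounts.validateLoginAttempt(({ user, error }) => {
//   if (!user) return false;
//   const r = evaluateLoginAttempt(user, !!error && error.error === 403, Date.now());
//   Meteor.users.update(user._id, { $set: r.nextState });
//   if (r.lockedUntil) throw new Meteor.Error(403, 'Account locked, try again later.');
//   return r.allowed;
// });

// Constructed walk-through: six wrong guesses one second apart, then the
// correct password while locked, then the correct password after expiry.
function simulate() {
  const t0 = 1700000000000; // constructed timestamp
  let state = {};
  const log = [];
  for (let i = 0; i < 6; i++) {
    const r = evaluateLoginAttempt(state, true, t0 + i * 1000);
    state = r.nextState;
    log.push(r.lockedUntil > 0 ? 'locked' : 'denied');
  }
  log.push(evaluateLoginAttempt(state, false, t0 + 60 * 1000).allowed ? 'allowed' : 'locked');
  log.push(evaluateLoginAttempt(state, false, t0 + 16 * 60 * 1000).allowed ? 'allowed' : 'locked');
  return log;
}
```

simulate() returns four 'denied', three 'locked', then 'allowed': the fifth failure starts the 15-minute lock, the correct password is refused inside it, and accepted once it has expired.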