How To Handle Brute Force Attack on the Backend Side


TL;DR

Definition

Why You Should Care

Concept

Database Design

Table failed_login_attm
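-- Failed-login bookkeeping: read by checkFailedLoginAttm on every login
-- request, written by failedLoginAttmCount (wrong password) and
-- resetFailedLoginAttm (lockout expired / count stale). Holds a running
-- count of failures and the time of the most recent one.
CREATE TABLE failed_login_attm (
failedloginid serial NOT NULL,
-- NOTE(review): username and ip_address are attacker-chosen strings; bound
-- their length (here or in request validation) so a client cannot store
-- unbounded data through the login endpoint.
username varchar NULL,
ip_address varchar NULL,
failed_login_attempts int4 NULL,
failed_login_time timestamptz NULL,
CONSTRAINT sys_fail_login_attm_pkey PRIMARY KEY (failedloginid)
);
-- The login path looks this table up by username on every request; without
-- an index that is a sequential scan that grows with the number of recorded
-- attackers. Add a matching index on ip_address if the count is also
-- consulted per IP.
CREATE INDEX failed_login_attm_username_idx ON failed_login_attm (username);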

Attributes Explanation

username

ip_address

failed_login_attempts & failed_login_time

Code Implementation

const login = (req, res) => {
// First iteration: a wrong password is recorded, but nothing is ever
// enforced, so on its own this version does not slow an attacker down.
// get body request for username and password
// get information about the request ip_address
// NOTE(review): take ip_address from the socket (or req.ip with Express
// 'trust proxy' configured); a raw X-Forwarded-For value is client-supplied.
...
if(verifyCredential(username, password)) {
// if credential is verified, it is allowed to login
} else {
// if credential is false, user failed to login and we record the attempt
// (the count is read back by checkFailedLoginAttm in the later listings)
failedLoginAttmCount(username, ip_address)
}
}
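const login = (req, res) => {
// Second iteration: the lockout check runs before the credentials are
// verified. In this variant checkFailedLoginAttm answers the request itself
// when the limit is exceeded.
// get body request for username and password
// get information about the request ip_address
// ...
checkFailedLoginAttm(username, res)
// A response sent inside the callee does not end THIS function: without the
// guard below the credential check would still run and the same request
// would be answered twice. res.headersSent is set once a response has
// started. (The next listing takes the cleaner route: the check returns a
// boolean and the caller decides how to answer.)
if (res.headersSent) {
return
}
if(verifyCredential(username, password)) {
// if credential is verified, it is allowed to login
} else {
// if credential is false, user failed to login and we record the attempt
failedLoginAttmCount(username, ip_address)
}
}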
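function checkFailedLoginAttm(username, res) {
// Looks up the failed-login record for `username`. While the account is
// inside its lockout window it answers the request with a 400 and returns
// that response; otherwise it returns undefined and, when the stored count
// is stale, resets it to 0.
//
// `res` is the Express response the callers already pass in; the original
// signature omitted it although the function writes to it.
const MAX_FAILED_LOGIN_ATTEMPTS = 10 // refused once the stored count reaches this
const LOCKOUT_MS = 10 * 60 * 1000 // a locked account stays refused for 10 minutes
const RESET_MS = 60 * 60 * 1000 // a count with no failure in the last hour is forgotten
// get information about failed login attempt from the database
// ... (query failed_login_attm by username; `query_result` is the matching
// row, or undefined when the user has never failed a login)
// NOTE(review): a real query is async; then this function and its callers
// need async/await.
if (!query_result) {
return // nothing recorded: not locked
}
// the column is `failed_login_attempts` (plural) in the DDL above; the
// original read `.failed_login_attempt`, which is undefined and so never locks
const failed_login_attempts = Number(query_result.failed_login_attempts) || 0
// normalise whatever the driver returns (Date, ISO string, epoch ms) to epoch ms
const failed_login_time = new Date(query_result.failed_login_time).getTime()
const currTime = Date.now()
// compare the elapsed time with the window; the original added
// failed_login_time twice, which made the lockout never expire
const sinceLastFailure = currTime - failed_login_time
if (failed_login_attempts >= MAX_FAILED_LOGIN_ATTEMPTS && sinceLastFailure < LOCKOUT_MS) {
// NOTE(review): this answer differs from the wrong-password answer, so it
// reveals that the account exists and is under attack; 429 with Retry-After
// is the conventional status for a rate limit
return res.status(400).json({success: 0, message: "You have reached failed login limit."})
}
if (failed_login_attempts >= MAX_FAILED_LOGIN_ATTEMPTS) {
// the lockout window has passed: reset the failed login attempt count to 0
resetFailedLoginAttm(username)
} else if (sinceLastFailure > RESET_MS) {
// reset the count to 0 when the last failed attempt is more than 1 hour ago
resetFailedLoginAttm(username)
}
}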
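const login = (req, res) => {
// Final iteration: the lockout check runs first and its result gates the
// credential check, so a locked account never reaches verifyCredential.
//
// Caveats to settle before relying on this:
// - the check and the later failedLoginAttmCount write are separate steps,
//   so requests sent in parallel can all pass the check before any is
//   counted; increment atomically (UPDATE ... SET n = n + 1) and re-check
// - keying the lockout on username alone lets anyone lock a victim out by
//   sending bad passwords for that name; pair it with the per-IP count and
//   keep the window short to limit the damage
// get body request for username and password
const { username, password } = req.body || {}
// Reject anything that is not a plain string before it reaches the
// credential store: a JSON body can carry objects or arrays here.
if (typeof username !== 'string' || typeof password !== 'string') {
return res.status(400).json({success: 0, message: "Invalid username or password."})
}
// get information about the request ip_address
// NOTE(review): req.ip follows X-Forwarded-For only when Express
// 'trust proxy' is set; without a proxy in front that header is attacker-chosen
const ip_address = req.ip
// true while the account is inside its lockout window, false otherwise
// NOTE(review): when checkFailedLoginAttm really queries a database it is
// async; then it and login need async/await, because a pending Promise is
// truthy and the gate below would refuse every login.
const isExceedsFailedLogin = checkFailedLoginAttm(username)
if (isExceedsFailedLogin) {
// 400 is kept from the original; 429 Too Many Requests plus a Retry-After
// header is the conventional reply for a rate limit
return res.status(400).json({success: 0, message: "You have reached failed login limit."})
}
if (verifyCredential(username, password)) {
// if credential is verified, it is allowed to login
} else {
// if credential is false, user failed to login and we record the attempt
failedLoginAttmCount(username, ip_address)
}
}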
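function checkFailedLoginAttm(username) {
// Boolean variant of the check: returns true while `username` is inside
// its lockout window and false otherwise. It never writes to the response,
// so the caller decides how to answer. Stale counts are reset to 0 as a side
// effect, as in the first variant. Spelled out in full (the original said
// "same code as the first one") with the time arithmetic corrected.
const MAX_FAILED_LOGIN_ATTEMPTS = 10 // refused once the stored count reaches this
const LOCKOUT_MS = 10 * 60 * 1000 // a locked account stays refused for 10 minutes
const RESET_MS = 60 * 60 * 1000 // a count with no failure in the last hour is forgotten
// get information about failed login attempt from the database
// ... (query failed_login_attm by username; `query_result` is the matching
// row, or undefined when nothing is recorded)
// NOTE(review): a real query is async; then this function and its callers
// need async/await.
if (!query_result) {
return false // nothing recorded: not locked
}
// column is `failed_login_attempts` (plural), matching the DDL above
const failed_login_attempts = Number(query_result.failed_login_attempts) || 0
// normalise whatever the driver returns (Date, ISO string, epoch ms) to epoch ms
const failed_login_time = new Date(query_result.failed_login_time).getTime()
const sinceLastFailure = Date.now() - failed_login_time
let isExceedsFailedLogin = false
if (failed_login_attempts >= MAX_FAILED_LOGIN_ATTEMPTS && sinceLastFailure < LOCKOUT_MS) {
isExceedsFailedLogin = true
} else if (failed_login_attempts >= MAX_FAILED_LOGIN_ATTEMPTS || sinceLastFailure > RESET_MS) {
// either the lockout window has passed or the last failure is over an
// hour old: forget the count
resetFailedLoginAttm(username)
}
return isExceedsFailedLogin
}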

References
