
Meteor, Keep track of user's failed login attempts and forbid them to log in after x attempts

I am trying to prevent a user from logging in after 3 failed attempts when they provide the right username or email and the wrong password.

Accounts.validateLoginAttempt(function(info){
    var user = info.user;
    var failAttemp = user.profile.loginFaileAttempt;
    if(failAttemp == 3){
        console.log('you need to contact the admin!')
        return false;
    }else{

        if(Meteor.Error == 'Incorrect password '){
            // increment the fail attempts
            failAttemp++;
            console.log(failAttemp);
        }
    }

    return true;
    // success login set to 0 
    failAttemp = 0;

});

But it is not working. What am I doing wrong, and is there any Meteor way of doing this?

Thanks.

The failed attempt count is not updated in the users collection in your code. And that last line, failAttemp = 0;, will never be executed because the function has already returned.

Further, I see some issues that you might want to fix: Meteor.Error is not the proper way to check for incorrect passwords entered. It will be undefined and, moreover, it would not trigger because of the extra space in 'Incorrect password '. Use the error object that comes in with the info parameter and use the error code instead of the message.

Login attempts from unregistered users get passed to Accounts.validateLoginAttempt anyway. The info.user will be empty in such attempts. Besides this, it's best to check for the existence of the profile field in the user object.

When a user has 3 failed attempts and tries for the 4th time, he is not informed about what is wrong. He still sees 'Incorrect password', and in the console on the server it shows 'you need to contact the admin!'. You can throw a Meteor.Error with a more informative message.

When a user has 3 failed attempts he will be staying in the 'disabled' state. By this I mean he cannot log in anymore even if he remembers his correct password. First check whether the attempt is forbidden, then check the number of failed attempts.

When a user enters the correct password after a failed attempt, the failed attempt count should return to 0; at least that's what I think you'll want, looking at your code (the last, unreachable code line).

Here is an example of a solution that will:

  • Save failed attempts.
  • Perform a check based on the error code rather than the message.
  • Show an informative message after 3 failed attempts.
  • Handle unregistered users properly.
  • Let the user log in after failed attempts if they remember their password.
  • Reset the failed attempt count after a successful login.

Code:

Accounts.validateLoginAttempt(function(info){
    var user = info.user;
    // unregistered users still reach this hook; there is nothing to count for them
    if (!user)
        return false;

    var failAttempt = 0;
    if (user.profile)
        // default a missing field to 0, otherwise failAttempt++ below yields NaN
        failAttempt = user.profile.loginFaileAttempt || 0;

    var loginAllowed = false;
    // 403 is the error code Meteor uses for an incorrect password; compare the code, not the message
    if(info.error && info.error.error == 403){
        if(failAttempt >= 3) {
            console.log('you need to contact the admin!');
            throw new Meteor.Error(403, 'you need to contact the admin!');
        }
        // increment the fail attempts
        failAttempt++;
        console.log(failAttempt);
        loginAllowed = false;
    } else {
        // successful login: reset the count to 0
        failAttempt = 0;
        loginAllowed = true;
    }

    Meteor.users.update({_id: user._id}, {$set: {'profile.loginFaileAttempt': failAttempt}});

    return loginAllowed;
});
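As an added example that is not the answer's (or the question's) code, the same lockout written as a pure function over an in-memory user store so its state transitions can be exercised offline; it differs from the answer in two places: the lock is checked before the password result, because in the answer's version a correct guess is still accepted after the lock and the lock changes only the error text seen on wrong guesses, and the lock expires after a window instead of waiting for an admin. The field names loginFailures and lockedUntil, the 15-minute window and the users object are assumptions.

```javascript
// Added example (not the question's or the answer's code): the lockout rule as
// a pure function over an in-memory user store. In a real app `users` is
// Meteor.users, the field writes are Meteor.users.update(..., {$set: ...}),
// and this function is the callback given to Accounts.validateLoginAttempt.
const MAX_FAILED_ATTEMPTS = 3;
const LOCK_MS = 15 * 60 * 1000; // assumed window; a timed lock bounds attacker-driven lockouts

// Constructed stand-in for the users collection. The counter lives in
// top-level fields rather than profile, because Meteor's default allow rule
// lets a logged-in client update its own profile.
const users = {
  alice: { _id: 'alice', loginFailures: 0 },
  bob:   { _id: 'bob' },                       // counter fields never set yet
};

// `info` mirrors what Accounts.validateLoginAttempt passes: info.user is the
// matched user (undefined if none) and info.error is the password-check error
// (code 403 for an incorrect password). `now` is injected so a test can move the clock.
function validateLoginAttempt(info, now) {
  const user = info.user;
  if (!user) return false;                     // unknown username/email: nothing to count
  const failures = user.loginFailures || 0;    // undefined -> 0, never NaN
  const lockedUntil = user.lockedUntil || 0;

  // Check the lock before the password result: gating only the wrong-password
  // branch would still admit a correct guess while "locked".
  if (now < lockedUntil) {
    throw new Error('Account temporarily locked; try again later or contact the admin');
  }

  if (info.error && info.error.error === 403) {
    const next = failures + 1;
    user.loginFailures = next;
    if (next >= MAX_FAILED_ATTEMPTS) user.lockedUntil = now + LOCK_MS;
    return false;
  }

  // Correct password on an unlocked account: clear the counter.
  user.loginFailures = 0;
  user.lockedUntil = 0;
  return true;
}

// Builds the info object for one login by `userId` with a right or wrong password.
function attempt(userId, wrongPassword, now) {
  return validateLoginAttempt({
    user: users[userId],
    error: wrongPassword ? { error: 403, reason: 'Incorrect password' } : undefined,
  }, now);
}
```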
