Add “refreshTimeoutOnRequest” option, as well as a minor bug fix.

Author: AdamPflug

README.md

@@ -32,13 +32,14 @@ Classes
 ### ExpressBrute(store, options)
 - `store` An instance of `ExpressBrute.MemoryStore` or `ExpressBrute.MemcachedStore`
 - `options`
-	- `freeRetries`          The number of retires the user has before they need to start waiting (default: 2)
-	- `minWait`              The initial wait time (in milliseconds) after the user runs out of retries (default: 500 milliseconds)
-	- `maxWait`              The maximum amount of time (in milliseconds) between requests the user needs to wait (default: 15 minutes). The wait for a given request is determined by adding the time the user needed to wait for the previous two requests.
-	- `lifetime`             The length of time (in seconds since the last request) to remember the number of requests that have been made by an IP. By default it will be set to `maxWait * the number of attempts before you hit maxWait` to discourage simply waiting for the lifetime to expire before resuming an attack. With default values this is about 6 hours.
+	- `freeRetries`             The number of retires the user has before they need to start waiting (default: 2)
+	- `minWait`                 The initial wait time (in milliseconds) after the user runs out of retries (default: 500 milliseconds)
+	- `maxWait`                 The maximum amount of time (in milliseconds) between requests the user needs to wait (default: 15 minutes). The wait for a given request is determined by adding the time the user needed to wait for the previous two requests.
+	- `lifetime`                The length of time (in seconds since the last request) to remember the number of requests that have been made by an IP. By default it will be set to `maxWait * the number of attempts before you hit maxWait` to discourage simply waiting for the lifetime to expire before resuming an attack. With default values this is about 6 hours.
 	- `failCallback` gets called with (`req`, `resp`, `next`, `nextValidRequestDate`) when a request is rejected (default: ExpressBrute.FailForbidden)
-	- `proxyDepth`           Specifies how many levels of the `X-Forwarded-For` header to trust. If your web server is behind a CDN and/or load balancer you'll need to set this to however many levels of proxying it's behind to get a valid IP. Setting this too high allows attackers to get around brute force protection by spoofing the `X-Forwarded-For` header, so don't set it higher than you need to (default: 0)
-	- `attachResetToRequest` Specify whether or not a simplified reset method should be attached at `req.brute.reset`. The simplified method takes only a callback, and resets all `ExpressBrute` middleware that was called on the current request. If multiple instances of `ExpressBrute` have middleware on the same request, only those with `attachResetToRequest` set to true will be reset (default: true)
+	- `proxyDepth`              Specifies how many levels of the `X-Forwarded-For` header to trust. If your web server is behind a CDN and/or load balancer you'll need to set this to however many levels of proxying it's behind to get a valid IP. Setting this too high allows attackers to get around brute force protection by spoofing the `X-Forwarded-For` header, so don't set it higher than you need to (default: 0)
+	- `attachResetToRequest`    Specify whether or not a simplified reset method should be attached at `req.brute.reset`. The simplified method takes only a callback, and resets all `ExpressBrute` middleware that was called on the current request. If multiple instances of `ExpressBrute` have middleware on the same request, only those with `attachResetToRequest` set to true will be reset (default: true)
+	- `refreshTimeoutOnRequest` Defines whether the remaining `lifetime` of a counter should be based on the time since the last request (true) of the time since the first request (false). Useful for allowing limits over fixed periods of time, for example a limited number of requests per day. (Default: true)
 
 ### ExpressBrute.MemoryStore()
 An in-memory store for persisting request counts. Don't use this in production.
@@ -111,6 +112,7 @@ var globalBruteforce = new ExpressBrute(store, {
 	freeRetries: 1000,
 	proxyDepth: 1,
 	attachResetToRequest: false,
+	refreshTimeoutOnRequest: false,
 	winWait: 25*60*60*1000, // 1 day 1 hour (should never reach this wait time)
 	maxWait: 25*60*60*1000, // 1 day 1 hour (should never reach this wait time)
 	lifetime: 24*60*60*1000, // 1 day
@@ -141,6 +143,10 @@ app.post('/auth',
 
 Changelog
 ---------
+### v0.4.1
+* NEW: `refreshTimeoutOnRequest` option that allows you to prevent the remaining `lifetime` for a timer from being reset on each request (useful for implementing limits for set time frames, e.g. requests per day)
+* BUG: Lifetimes were not previously getting extended properly for instances of `ExpressBrute.MemoryStore`
+
 ### v0.4.0
 * NEW: `attachResetToRequest` parameter that lets you prevent the request object being decorated
 * NEW: `failCallback` can be overriden by `getMiddleware`

index.js

@@ -86,10 +86,12 @@ ExpressBrute.prototype.getMiddleware = function (options) {
 
 				var count = 0,
 					delay = 0,
-					lastValidRequestTime = this.now();
+					lastValidRequestTime = this.now(),
+					firstRequestTime = lastValidRequestTime;
 				if (value) {
 					count = value.count;
 					lastValidRequestTime = value.lastRequest.getTime();
+					firstRequestTime = value.firstRequest.getTime();
 
 					var delayIndex = value.count - this.options.freeRetries - 1;
 					if (delayIndex >= 0) {
@@ -100,10 +102,26 @@ ExpressBrute.prototype.getMiddleware = function (options) {
 						}
 					}
 				}
-				var nextValidRequestTime = lastValidRequestTime+delay;
-					
+				var nextValidRequestTime = lastValidRequestTime+delay,
+					remainingLifetime = this.options.lifetime || 0;
+
+				if (!this.options.refreshTimeoutOnRequest && remainingLifetime > 0) {
+					remainingLifetime = remainingLifetime - Math.floor((this.now() - firstRequestTime) / 1000);
+					if (remainingLifetime < 1) {
+						// it should be expired alredy, treat this as a new request and reset everything
+						count = 0;
+						delay = 0;
+						nextValidRequestTime = firstRequestTime = lastValidRequestTime = this.now();
+						remainingLifetime = this.options.lifetime || 0;
+					}
+				}
+
 				if (nextValidRequestTime <= this.now()) {
-					this.store.set(key, {count: count+1, lastRequest: new Date(this.now())}, this.options.lifetime || 0, function (err) {
+					this.store.set(key, {
+						count: count+1,
+						lastRequest: new Date(this.now()),
+						firstRequest: new Date(firstRequestTime)
+					}, remainingLifetime, function (err) {
 						if (err) {
 							throw "Cannot increment request count";
 						}
@@ -150,6 +168,7 @@ ExpressBrute.defaults = {
 	freeRetries: 2,
 	proxyDepth: 0,
 	attachResetToRequest: true,
+	refreshTimeoutOnRequest: true,
 	minWait: 500,
 	maxWait: 1000*60*15, // 15 minutes
 	failCallback: ExpressBrute.FailForbidden

lib/AbstractClientStore.js

@@ -8,10 +8,11 @@ AbstractClientStore.prototype.increment = function (key, lifetime, callback) {
 			callback(err);
 		} else {
 			var count = value ? value.count+1 : 1;
-			self.set(key, {count: count, lastRequest: new Date()}, lifetime, function (err) {
+			self.set(key, {count: count, lastRequest: new Date(), firstRequest: new Date()}, lifetime, function (err) {
 				var prevValue = {
 					count: value ? value.count : 0,
-					lastRequest: value ? value.lastRequest : null
+					lastRequest: value ? value.lastRequest : null,
+					firstRequest: value ? value.firstRequest : null
 				};
 				typeof callback == 'function' && callback(err, prevValue);
 			});

lib/MemcachedStore.js

@@ -23,6 +23,7 @@ MemcachedStore.prototype.get = function (key, callback) {
 			if (data) {
 				data = JSON.parse(data);
 				data.lastRequest = new Date(data.lastRequest);
+				data.firstRequest = new Date(data.firstRequest);
 			}
 			typeof callback == 'function' && callback(err, data);
 		}

mock/MemcachedMock.js

@@ -10,7 +10,7 @@ MemcachedMock.prototype.set = function (key, value, lifetime, callback) {
 	} else if (this.data[key].timeout) {
 		clearTimeout(this.data[key].timeout);
 	}
-	this.data[key] = value;
+	this.data[key].value = value;
 
 	if (lifetime) {
 		this.data[key].timeout = setTimeout(_.bind(function () {
@@ -20,7 +20,7 @@ MemcachedMock.prototype.set = function (key, value, lifetime, callback) {
 	typeof callback == 'function' && callback(null);
 };
 MemcachedMock.prototype.get = function (key, callback) {
-	typeof callback == 'function' && callback(null, this.data[key]);
+	typeof callback == 'function' && callback(null, this.data[key] && this.data[key].value);
 };
 MemcachedMock.prototype.del = function (key, callback) {
 	if (this.data[key] && this.data[key].timeout) {

package.json

@@ -1,6 +1,6 @@
 {
   "name": "express-brute",
-  "version": "0.4.0",
+  "version": "0.4.1",
   "description": "A brute-force protection middleware for express routes that rate limits incoming requests",
   "keywords": [
     "brute",

spec/ExpessBrute.js

@@ -170,6 +170,55 @@ describe("express brute", function () {
 				expect(errorSpy.calls.length).toEqual(1);
 			});
 		});
+		it("doesn't extend the lifetime if refreshTimeoutOnRequest is false", function () {
+			brute = new ExpressBrute(store, {
+				freeRetries: 0,
+				minWait: 10000,
+				maxWait: 10000,
+				lifetime: 1,
+				refreshTimeoutOnRequest: false,
+				failCallback: errorSpy
+			});
+			runs(function () {
+				brute.prevent(req(), new ResponseMock(), nextSpy);
+				expect(errorSpy).not.toHaveBeenCalled();
+				brute.prevent(req(), new ResponseMock(), nextSpy);
+				expect(errorSpy).toHaveBeenCalled();
+			});
+			waits((brute.options.lifetime*500));
+			runs(function () {
+				brute.prevent(req(), new ResponseMock(), nextSpy);
+				expect(errorSpy.calls.length).toEqual(2);
+			});
+			waits((brute.options.lifetime*500)+1);
+			runs(function () {
+				brute.prevent(req(), new ResponseMock(), nextSpy);
+				expect(errorSpy.calls.length).toEqual(2);
+			});
+		});
+		it('does extend the lifetime if refreshTimeoutOnRequest is true', function () {
+			brute = new ExpressBrute(store, {
+				freeRetries: 1,
+				minWait: 10000,
+				maxWait: 10000,
+				lifetime: 1,
+				failCallback: errorSpy
+			});
+			runs(function () {
+				brute.prevent(req(), new ResponseMock(), nextSpy);
+				expect(errorSpy).not.toHaveBeenCalled();
+			});
+			waits((brute.options.lifetime*500));
+			runs(function () {
+				brute.prevent(req(), new ResponseMock(), nextSpy);
+				expect(errorSpy).not.toHaveBeenCalled();
+			});
+			waits((brute.options.lifetime*500)+1);
+			runs(function () {
+				brute.prevent(req(), new ResponseMock(), nextSpy);
+				expect(errorSpy).toHaveBeenCalled();
+			});
+		});
 		it('allows failCallback to be overridden', function () {
 			brute = new ExpressBrute(store, {
 				freeRetries: 0,

spec/MemcachedStore.js

@@ -15,7 +15,7 @@ describe("Express brute memcached store", function () {
 	});
 	it("can set a key and get it back", function () {
 		var curDate = new Date(),
-		    object = {count: 1, lastRequest: curDate};
+		    object = {count: 1, lastRequest: curDate, firstRequest: curDate};
 		runs(function () {
 			instance.set("1.2.3.4", object, 0, callback);
 		});
@@ -37,7 +37,7 @@ describe("Express brute memcached store", function () {
 	});
 	it("increments values and returns that last value", function () {
 		var curDate = new Date(),
-		    object = {count: 1, lastRequest: curDate};
+		    object = {count: 1, lastRequest: curDate, firstRequest: curDate};
 		runs(function () {
 			instance.set("1.2.3.4", object, 0, callback);
 		});
@@ -75,7 +75,7 @@ describe("Express brute memcached store", function () {
 
 		runs(function () {
 			expect(callback.mostRecentCall.args[0]).toBe(null);
-			expect(callback.mostRecentCall.args[1]).toEqual({count: 0, lastRequest: null});
+			expect(callback.mostRecentCall.args[1]).toEqual({count: 0, lastRequest: null, firstRequest: null});
 
 			instance.get("1.2.3.4", callback);
 		});
@@ -86,6 +86,7 @@ describe("Express brute memcached store", function () {
 			expect(callback.mostRecentCall.args[0]).toBe(null);
 			expect(callback.mostRecentCall.args[1].count).toEqual(1);
 			expect(callback.mostRecentCall.args[1].lastRequest instanceof Date).toBeTruthy();
+			expect(callback.mostRecentCall.args[1].firstRequest instanceof Date).toBeTruthy();
 		});
 	});
 	it("returns null when no value is available", function () {
@@ -102,7 +103,7 @@ describe("Express brute memcached store", function () {
 	});
 	it("can reset the count of requests", function () {
 		var curDate = new Date(),
-		    object = {count: 1, lastRequest: curDate};
+		    object = {count: 1, lastRequest: curDate, firstRequest: curDate};
 		runs(function () {
 			instance.set("1.2.3.4", object, 0, callback);
 		});
@@ -141,7 +142,7 @@ describe("Express brute memcached store", function () {
 	});
 	it("supports data expiring", function () {
 		var curDate = new Date(),
-		    object = {count: 1, lastRequest: curDate};
+		    object = {count: 1, lastRequest: curDate, firstRequest: curDate};
 
 		runs(function () {
 			instance.set("1.2.3.4", object, 1, callback);