Login Challenges
const { sleep } = require('@brickwise/express-utility'); | |
const app = require('express').Router(); | |
// Placeholder user store used by every login variant below.
// getUser(username) is a stub here: it takes a username and returns nothing
// (undefined), so every variant's "user not found" branch is the one exercised.
const UserService = {
  getUser(username) {},
};
// V1: baseline login route. The lookup failure and the password failure return
// two different messages, so the response itself tells a client which
// usernames exist — the later variants fix that step by step.
app.post('/login', async (req, res) => {
  const { username, password } = req.body;
  const deny = (message) => res.status(400).json({ message });

  const account = await UserService.getUser(username);
  if (!account) {
    return deny('User not found');
  }

  // checkPasswod compares the submitted password with the credential stored on
  // the account record (presumably a hash — confirm in its definition).
  const passwordMatches = await checkPasswod(password, account.password);
  if (!passwordMatches) {
    return deny('Invalid password');
  }

  const token = await generateToken(account);
  res.json({ token });
});
// V2: as V1, plus validatorSanitizerMiddleware() in front of the handler
// (presumably validating and sanitizing req.body before it is read here).
// The two distinct failure messages from V1 are still present.
app.post('/login', validatorSanitizerMiddleware(), async (req, res) => {
  const { username, password } = req.body;
  const deny = (message) => res.status(400).json({ message });

  const account = await UserService.getUser(username);
  if (!account) {
    return deny('User not found');
  }

  const passwordMatches = await checkPasswod(password, account.password);
  if (!passwordMatches) {
    return deny('Invalid password');
  }

  const token = await generateToken(account);
  res.json({ token });
});
// V3: as V2, plus one shared failure message. Both the unknown-user and the
// wrong-password branches now answer 400 'Invalid User or Password', so the
// response body no longer distinguishes the two cases.
app.post('/login', validatorSanitizerMiddleware(), async (req, res) => {
  const { username, password } = req.body;
  const deny = () => res.status(400).json({ message: 'Invalid User or Password' });

  const account = await UserService.getUser(username);
  if (!account) {
    return deny();
  }

  const passwordMatches = await checkPasswod(password, account.password);
  if (!passwordMatches) {
    return deny();
  }

  const token = await generateToken(account);
  res.json({ token });
});
// V4: as V3, plus a "fake" password check. When no account exists the handler
// waits CHECK_PASSWORD_DURATION before answering, so the unknown-user path no
// longer returns noticeably faster than the wrong-password path (which still
// runs the real checkPasswod).
app.post('/login', validatorSanitizerMiddleware(), async (req, res) => {
  const { username, password } = req.body;
  const deny = () => res.status(400).json({ message: 'Invalid User or Password' });

  const account = await UserService.getUser(username);
  if (!account) {
    // NOTE(review): a fixed delay only approximates the real check's duration;
    // running checkPasswod against a dummy stored credential keeps the two
    // paths closer — confirm what checkPasswod costs before relying on this.
    await sleep(CHECK_PASSWORD_DURATION);
    return deny();
  }

  const passwordMatches = await checkPasswod(password, account.password);
  if (!passwordMatches) {
    return deny();
  }

  const token = await generateToken(account);
  res.json({ token });
});
// V5: as V4, but the unknown-user path now waits FETCH_USER_DURATION as well
// as CHECK_PASSWORD_DURATION before answering.
app.post('/login', validatorSanitizerMiddleware(), async (req, res) => {
  const { username, password } = req.body;
  const deny = () => res.status(400).json({ message: 'Invalid User or Password' });

  const account = await UserService.getUser(username);
  if (!account) {
    // NOTE(review): UserService.getUser has already been awaited on this path,
    // so the extra FETCH_USER_DURATION wait appears to make the unknown-user
    // response slower than the wrong-password one rather than equal to it —
    // confirm this is intended.
    await sleep(FETCH_USER_DURATION);
    await sleep(CHECK_PASSWORD_DURATION);
    return deny();
  }

  const passwordMatches = await checkPasswod(password, account.password);
  if (!passwordMatches) {
    return deny();
  }

  const token = await generateToken(account);
  res.json({ token });
});
// V6: as V5, plus CSRF protection. GET /login hands the client a CSRF token
// via giveUserCSRFToken(); POST /login runs checkCSRFToken() before the
// validator, so a request without a valid token never reaches the handler.
app.get('/login', giveUserCSRFToken());
app.post('/login', checkCSRFToken(), validatorSanitizerMiddleware(), async (req, res) => {
  const { username, password } = req.body;
  const deny = () => res.status(400).json({ message: 'Invalid User or Password' });

  const account = await UserService.getUser(username);
  if (!account) {
    // Padding so the unknown-user path does not answer faster than a real check.
    await sleep(FETCH_USER_DURATION);
    await sleep(CHECK_PASSWORD_DURATION);
    return deny();
  }

  const passwordMatches = await checkPasswod(password, account.password);
  if (!passwordMatches) {
    return deny();
  }

  const token = await generateToken(account);
  res.json({ token });
});
// V7: as V6, plus rateLimiter() as the first middleware on POST /login, so
// request throttling is applied before the CSRF check and validation run.
app.get('/login', giveUserCSRFToken());
app.post('/login', rateLimiter(), checkCSRFToken(), validatorSanitizerMiddleware(), async (req, res) => {
  const { username, password } = req.body;
  const deny = () => res.status(400).json({ message: 'Invalid User or Password' });

  const account = await UserService.getUser(username);
  if (!account) {
    // Padding so the unknown-user path does not answer faster than a real check.
    await sleep(FETCH_USER_DURATION);
    await sleep(CHECK_PASSWORD_DURATION);
    return deny();
  }

  const passwordMatches = await checkPasswod(password, account.password);
  if (!passwordMatches) {
    return deny();
  }

  const token = await generateToken(account);
  res.json({ token });
});
// V8: as V7, plus captcha() between the CSRF check and the validator.
// Middleware order on POST /login: rate limit -> CSRF -> captcha -> validation
// -> handler.
// NOTE(review): rejections from getUser, checkPasswod or generateToken are not
// caught in any variant; whether they reach Express's error handling depends
// on the Express version or a wrapper from '@brickwise/express-utility' —
// confirm, otherwise a thrown error leaves the request hanging.
app.get('/login', giveUserCSRFToken());
app.post('/login', rateLimiter(), checkCSRFToken(), captcha(), validatorSanitizerMiddleware(), async (req, res) => {
  const { username, password } = req.body;
  const deny = () => res.status(400).json({ message: 'Invalid User or Password' });

  const account = await UserService.getUser(username);
  if (!account) {
    // Padding so the unknown-user path does not answer faster than a real check.
    await sleep(FETCH_USER_DURATION);
    await sleep(CHECK_PASSWORD_DURATION);
    return deny();
  }

  const passwordMatches = await checkPasswod(password, account.password);
  if (!passwordMatches) {
    return deny();
  }

  const token = await generateToken(account);
  res.json({ token });
});