Unsolved Changing auth.js, NodeBB fails to start

  • We're trying to set up a countermeasure to only block user authentication from the IP from which the attempts were made. In auth.js in async function User.auth.logAttempt = async function (uid, ip) we're trying to use the fact that the IP address is also taken into account and as such make it harder for a DoS attack. Only limiting user account access for the provided IP. But when we change the code in the file NodeBB fails to launch and the local website does not appear anymore. We're using Ubuntu with MongoDB and start NodeBB with ./nodebb start but when we do ./nodebb stop we get: "NodeBB is already stopped". We've added the following line: const exists = await db.exists(lockout:${ip}); which is very similar to line 20 apart from the fact that we're now using the IP. Are we experiencing problems perhaps because our database does not log the IP?

    Furthermore, we're doing this as part of a minor project in university so I understand and don't want a complete solution to our problem. We're quite limited in time however so if you have a good understanding of the source code it would be very helpful to point us in the right direction or tell us that this will be too problematic to do in 20 hours of time. 🙂 I'm currently trying to get a better understanding of the source code and I notice that it's quite complex!

    Are there steps necessary to take before changing the source code? Would it be better to build a plugin instead? What information have we missed?

  • I'm guessing you have a syntax error or something. Try running with ./nodebb dev so you can easily see any errors on startup.

    Line 20 is

    const exists = await db.exists(`lockout:${uid}`);

    The backticks are very important, as they make it a string. If you want to change it to check IP, you probably want

    const exists = await db.exists(`lockout:${ip}`);

    But I'd change it to check both

    const exists = await db.exists(`lockout:${uid}`) || await db.exists(`lockout:${ip}`);

  • @PitaJ Thank you for the straight answer! 🙂 Much appreciated!
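
Added example, not part of the thread and not NodeBB's own code: a sketch of the per-IP lockout idea from the question, keying the lockout on the uid and IP pair so that failed attempts from one address do not lock the account for other addresses. `MemoryStore`, the `loginAttempts:` key name, the return shape of `logAttempt` and the thresholds are assumptions made for illustration.

```javascript
// Added example: an in-memory stand-in for the database, not NodeBB's db module.
class MemoryStore {
  constructor() { this.data = new Map(); }
  live(key, now) { // returns the entry unless it has expired
    const e = this.data.get(key);
    if (e && e.expiresAt <= now) { this.data.delete(key); return undefined; }
    return e;
  }
  async exists(key, now) { return this.live(key, now) !== undefined; }
  async increment(key, ttlMs, now) {
    const e = this.live(key, now) || { value: 0, expiresAt: now + ttlMs };
    e.value += 1;
    this.data.set(key, e);
    return e.value;
  }
  async set(key, value, ttlMs, now) {
    this.data.set(key, { value, expiresAt: now + ttlMs });
  }
}

// Constructed thresholds for the example, not NodeBB defaults.
const MAX_ATTEMPTS = 5;
const WINDOW_MS = 60 * 60 * 1000;
const LOCKOUT_MS = 60 * 60 * 1000;

// Hypothetical helper: records one failed login for (uid, ip).
async function logAttempt(store, uid, ip, now = Date.now()) {
  // Backticks make this a template literal; without them the line is a syntax error.
  const lockKey = `lockout:${uid}:${ip}`;
  if (await store.exists(lockKey, now)) return { locked: true };
  const attempts = await store.increment(`loginAttempts:${uid}:${ip}`, WINDOW_MS, now);
  if (attempts > MAX_ATTEMPTS) {
    await store.set(lockKey, '', LOCKOUT_MS, now);
    return { locked: true };
  }
  return { locked: false };
}

// Constructed scenario: six failures from one address, then one from another.
async function demo() {
  const store = new MemoryStore();
  const sameIp = [];
  for (let i = 0; i < 6; i++) sameIp.push((await logAttempt(store, 1, '203.0.113.7', i)).locked);
  const otherIp = (await logAttempt(store, 1, '198.51.100.4', 10)).locked;
  const afterExpiry = (await logAttempt(store, 1, '203.0.113.7', 5 + LOCKOUT_MS + 1)).locked;
  return { sameIp, otherIp, afterExpiry };
}
demo().then((r) => console.log(r));
```

Keying on the address alone, as in the `lockout:${ip}` check above, would instead lock every account behind a shared address (NAT, proxy) once one of them trips the limit.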
