Merge branch 'fhemberger-patch-1'

AdamPflug · AdamPflug · commit 202054c7c6cc · 2014-01-26T17:49:12.000-08:00
diff --git a/README.md b/README.md
@@ -20,7 +20,7 @@ var store = new ExpressBrute.MemoryStore(); // stores state locally, don't use t
 var bruteforce = new ExpressBrute(store);
 
 app.post('/auth',
-	bruteforce.prevent, // error 403 if we hit this route too often
+	bruteforce.prevent, // error 429 if we hit this route too often
 	function (req, res, next) {
 		res.send('Success!');
 	}
@@ -147,6 +147,7 @@ Changelog
 * NEW: Documentation updated to list some known store implementations.
 * CHANGED: Default failure callback is now `FailTooManyRequests`. `FailForbidden` remains an option for backwards compatiblity.
 * CHANGED: ExpressBrute.MemcachedStore is no longer included by default, and is now available as a separate module (because there are multiple store options it doesn't really make sense to include one by default).
+* CHANGED: `FailMark` no longer sets returns 403 Forbidden, instead does 429 TooManyRequets.
 
 ### v0.4.2
 * BUG: In some cases when no callbacks were supplied memcached would drop the request. Ensure that memcached always sees a callback even if ExpressBrute isn't given one.
diff --git a/index.js b/index.js
@@ -76,7 +76,7 @@ ExpressBrute.prototype.getMiddleware = function (options) {
 					reset: reset
 				};
 			}
-			
+
 
 			// filter request
 			this.store.get(key, _.bind(function (err, value) {
@@ -154,11 +154,21 @@ ExpressBrute.prototype.getIPFromRequest = function (req) {
 	return req.connection.remoteAddress;
 };
 
+var setRetryAfter = function (res, nextValidRequestDate) {
+	var secondUntilNextRequest = Math.ceil((nextValidRequestDate.getTime() - Date.now())/1000);
+	res.header('Retry-After', secondUntilNextRequest);
+};
+ExpressBrute.FailTooManyRequests = function (req, res, next, nextValidRequestDate) {
+	setRetryAfter(res, nextValidRequestDate);
+	res.send(429, {error: {text: "Too many requests in this time frame.", nextValidRequestDate: nextValidRequestDate}});
+};
 ExpressBrute.FailForbidden = function (req, res, next, nextValidRequestDate) {
+	setRetryAfter(res, nextValidRequestDate);
 	res.send(403, {error: {text: "Too many requests in this time frame.", nextValidRequestDate: nextValidRequestDate}});
 };
 ExpressBrute.FailMark = function (req, res, next, nextValidRequestDate) {
-	res.status(403);
+	res.status(429);
+	setRetryAfter(res, nextValidRequestDate);
 	res.nextValidRequestDate = nextValidRequestDate;
 	next();
 };
@@ -170,6 +180,6 @@ ExpressBrute.defaults = {
 	refreshTimeoutOnRequest: true,
 	minWait: 500,
 	maxWait: 1000*60*15, // 15 minutes
-	failCallback: ExpressBrute.FailForbidden
+	failCallback: ExpressBrute.FailTooManyRequests
 };
 ExpressBrute.instanceCount = 0;
diff --git a/mock/ResponseMock.js b/mock/ResponseMock.js
@@ -1,6 +1,7 @@
 module.exports = function () {
 	return {
 		status: jasmine.createSpy(),
-		send: jasmine.createSpy()
+		send: jasmine.createSpy(),
+		header: jasmine.createSpy()
 	};
 };
diff --git a/spec/ExpessBrute.js b/spec/ExpessBrute.js
@@ -113,7 +113,7 @@ describe("express brute", function () {
 				expect(errorSpy).toHaveBeenCalled();
 				expect(errorSpy.mostRecentCall.args[3].getTime()).toEqual(expectedTime);
 			});
-			
+
 		});
 		it('works even after the maxwait is reached', function () {
 			brute = new ExpressBrute(store, {
@@ -406,7 +406,7 @@ describe("express brute", function () {
 			runs(function () {
 				expect(errorSpy).toHaveBeenCalled();
 				expect(errorSpy2).not.toHaveBeenCalled();
-	
+
 				brute.prevent(req(), new ResponseMock(), nextSpy);
 				brute2.prevent(req(), new ResponseMock(), nextSpy);
 			});
@@ -474,10 +474,23 @@ describe("express brute", function () {
 			store = new ExpressBrute.MemoryStore();
 			req = function () { return { connection: { remoteAddress: '1.2.3.4' }}; };
 			nextSpy = jasmine.createSpy();
-			
+
+		});
+		it('can return a 429 Too Many Requests', function () {
+			var res = new ResponseMock();
+			brute = new ExpressBrute(store, {
+				freeRetries: 0,
+				minWait: 10,
+				maxWait: 100,
+				failCallback: ExpressBrute.FailTooManyRequests
+			});
+			brute.prevent(req(), res, nextSpy);
+			brute.prevent(req(), res, nextSpy);
+			expect(res.send).toHaveBeenCalled();
+			expect(res.send.mostRecentCall.args[0]).toEqual(429);
 		});
-		it('can return a 403 forbidden', function () {
-			var res = {send: jasmine.createSpy()};
+		it('can return a 403 Forbidden', function () {
+			var res = new ResponseMock();
 			brute = new ExpressBrute(store, {
 				freeRetries: 0,
 				minWait: 10,
@@ -490,7 +503,7 @@ describe("express brute", function () {
 			expect(res.send.mostRecentCall.args[0]).toEqual(403);
 		});
 		it('can mark a response as failed, but continue processing', function () {
-			var res = {status: jasmine.createSpy()};
+			var res = new ResponseMock();
 			brute = new ExpressBrute(store, {
 				freeRetries: 0,
 				minWait: 10,
@@ -499,10 +512,22 @@ describe("express brute", function () {
 			});
 			brute.prevent(req(), res, nextSpy);
 			brute.prevent(req(), res, nextSpy);
-			expect(res.status).toHaveBeenCalledWith(403);
+			expect(res.status).toHaveBeenCalledWith(429);
 			expect(nextSpy.calls.length).toEqual(2);
 			expect(res.nextValidRequestDate).toBeDefined();
 			expect(res.nextValidRequestDate instanceof Date).toBeTruthy();
 		});
+		it('sets Retry-After', function () {
+			var res = new ResponseMock();
+			brute = new ExpressBrute(store, {
+				freeRetries: 0,
+				minWait: 10,
+				maxWait: 100,
+				failCallback: ExpressBrute.FailTooManyRequests
+			});
+			brute.prevent(req(), res, nextSpy);
+			brute.prevent(req(), res, nextSpy);
+			expect(res.header).toHaveBeenCalledWith('Retry-After', 1);
+		});
 	});
 });
