Added “attachResetToRequest” option

AdamPflug · AdamPflug · commit 45ffed76cc4a · 2013-12-05T12:54:53.000-08:00
diff --git a/README.md b/README.md
@@ -32,12 +32,13 @@ Classes
 ### ExpressBrute(store, options)
 - `store` An instance of `ExpressBrute.MemoryStore` or `ExpressBrute.MemcachedStore`
 - `options`
-	- `freeRetries`  The number of retires the user has before they need to start waiting (default: 2)
-	- `minWait`      The initial wait time (in milliseconds) after the user runs out of retries (default: 500 milliseconds)
-	- `maxWait`      The maximum amount of time (in milliseconds) between requests the user needs to wait (default: 15 minutes). The wait for a given request is determined by adding the time the user needed to wait for the previous two requests.
-	- `lifetime`     The length of time (in seconds since the last request) to remember the number of requests that have been made by an IP. By default it will be set to `maxWait * the number of attempts before you hit maxWait` to discourage simply waiting for the lifetime to expire before resuming an attack. With default values this is about 6 hours.
+	- `freeRetries`          The number of retires the user has before they need to start waiting (default: 2)
+	- `minWait`              The initial wait time (in milliseconds) after the user runs out of retries (default: 500 milliseconds)
+	- `maxWait`              The maximum amount of time (in milliseconds) between requests the user needs to wait (default: 15 minutes). The wait for a given request is determined by adding the time the user needed to wait for the previous two requests.
+	- `lifetime`             The length of time (in seconds since the last request) to remember the number of requests that have been made by an IP. By default it will be set to `maxWait * the number of attempts before you hit maxWait` to discourage simply waiting for the lifetime to expire before resuming an attack. With default values this is about 6 hours.
 	- `failCallback` gets called with (`req`, `resp`, `next`, `nextValidRequestDate`) when a request is rejected (default: ExpressBrute.FailForbidden)
-	- `proxyDepth`   Specifies how many levels of the `X-Forwarded-For` header to trust. If your web server is behind a CDN and/or load balancer you'll need to set this to however many levels of proxying it's behind to get a valid IP. Setting this too high allows attackers to get around brute force protection by spoofing the `X-Forwarded-For` header, so don't set it higher than you need to (default: 0)
+	- `proxyDepth`           Specifies how many levels of the `X-Forwarded-For` header to trust. If your web server is behind a CDN and/or load balancer you'll need to set this to however many levels of proxying it's behind to get a valid IP. Setting this too high allows attackers to get around brute force protection by spoofing the `X-Forwarded-For` header, so don't set it higher than you need to (default: 0)
+	- `attachResetToRequest` Specify whether or not a simplified reset method should be attached at `req.brute.reset`. The simplified method takes only a callback, and resets all `ExpressBrute` middleware that was called on the current request. If multiple instances of `ExpressBrute` have middleware on the same request, only those with `attachResetToRequest` set to true will be reset (default: true)
 
 ### ExpressBrute.MemoryStore()
 An in-memory store for persisting request counts. Don't use this in production.
@@ -108,6 +109,7 @@ var userBruteforce = new ExpressBrute(store, {
 var globalBruteforce = new ExpressBrute(store, {
 	freeRetries: 1000,
 	proxyDepth: 1,
+	attachResetToRequest: false,
 	winWait: 25*60*60*1000, // 1 day 1 hour (should never reach this wait time)
 	maxWait: 25*60*60*1000, // 1 day 1 hour (should never reach this wait time)
 	lifetime: 24*60*60*1000, // 1 day
diff --git a/index.js b/index.js
@@ -53,23 +53,26 @@ ExpressBrute.prototype.getMiddleware = function (key) {
 		keyFunc(req, res, _.bind(function (key) {
 			key = getKey([this.getIPFromRequest(req), this.name, key]);
 
-			// attach a simpler "reset" functio to req.brute.reset
-			var reset = _.bind(function (callback) {
-				this.store.reset(key, callback);
-			}, this);
-			if (req.brute && req.brute.reset) {
-				// wrap existing reset if one exists
-				var oldReset = req.brute.reset;
-				var newReset = reset;
-				reset = function (callback) {
-					oldReset(function () {
-						newReset(callback);
-					});
+			// attach a simpler "reset" function to req.brute.reset
+			if (this.options.attachResetToRequest) {
+				var reset = _.bind(function (callback) {
+					this.store.reset(key, callback);
+				}, this);
+				if (req.brute && req.brute.reset) {
+					// wrap existing reset if one exists
+					var oldReset = req.brute.reset;
+					var newReset = reset;
+					reset = function (callback) {
+						oldReset(function () {
+							newReset(callback);
+						});
+					};
+				}
+				req.brute = {
+					reset: reset
 				};
 			}
-			req.brute = {
-				reset: reset
-			};
+			
 
 			// filter request
 			this.store.get(key, _.bind(function (err, value) {
@@ -141,6 +144,7 @@ ExpressBrute.MemcachedStore = require('./lib/MemcachedStore');
 ExpressBrute.defaults = {
 	freeRetries: 2,
 	proxyDepth: 0,
+	attachResetToRequest: true,
 	minWait: 500,
 	maxWait: 1000*60*15, // 15 minutes
 	failCallback: ExpressBrute.FailForbidden
diff --git a/spec/ExpessBrute.js b/spec/ExpessBrute.js
@@ -236,6 +236,14 @@ describe("express brute", function () {
 			mid(req(), new ResponseMock(), nextSpy);
 			expect(nextSpy.calls.length).toEqual(2);
 		});
+		it ('respects the attachResetToRequest', function () {
+			brute.options.attachResetToRequest = false;
+			var firstReq;
+
+			brute.prevent(firstReq = req(), new ResponseMock(), nextSpy);
+			expect(nextSpy.calls.length).toEqual(1);
+			expect(firstReq.brute).toBeUndefined();
+		});
 	});
 	describe('proxy severs', function () {
 		var brute, store, errorSpy, nextSpy, req, req2;
@@ -361,6 +369,36 @@ describe("express brute", function () {
 			});
 
 		});
+		it ('resets only one brute instance when the req.reset shortcut is called but attachResetToRequest is false on one', function () {
+			brute2 = new ExpressBrute(store, {
+				freeRetries: 1,
+				minWait: 100,
+				maxWait: 1000,
+				failCallback: errorSpy2,
+				lifetime: 0,
+				attachResetToRequest: false
+			});
+
+			var failReq = req();
+			var successSpy = jasmine.createSpy("success spy");
+			brute.prevent(req(), new ResponseMock(), nextSpy);
+			brute2.prevent(req(), new ResponseMock(), nextSpy);
+			brute2.prevent(req(), new ResponseMock(), nextSpy);
+			expect(errorSpy).not.toHaveBeenCalled();
+			expect(errorSpy2).not.toHaveBeenCalled();
+
+			brute.prevent(failReq, new ResponseMock(), nextSpy);
+			brute2.prevent(failReq, new ResponseMock(), nextSpy);
+			expect(errorSpy).toHaveBeenCalled();
+			expect(errorSpy2).toHaveBeenCalled();
+
+			failReq.brute.reset(function () {
+				brute.prevent(failReq, new ResponseMock(), successSpy);
+				brute2.prevent(failReq, new ResponseMock(), successSpy);
+				expect(successSpy.calls.length).toEqual(1);
+			});
+
+		});
 	});
 	describe("failure handlers", function () {
 		var brute, store, req, done, nextSpy;
