bitkompagniet · slytter · Mar 7, 2017 · Jun 15, 2017 · Jul 3, 2017 · Jul 3, 2017
diff --git a/api/controllers/login.js b/api/controllers/login.js
@@ -16,6 +16,10 @@ module.exports = function(store) {
 
 			return res.success(token);
 		} catch (e) {
+			if (e.Error === 'LockError') {
+				res.set('Retry-After', e.retry);
+				return res.failure('To many attempts.', 429);
+			}
 			return res.failure('Invalid credentials.', 401);
 		}
 	};

diff --git a/store/createModels/index.js b/store/createModels/index.js
@@ -41,7 +41,8 @@ module.exports = function (db) {
 			role: String,
 			scope: String,
 		}],
-		data: {},
+		failedAttempts: { type: Number, default: 0 },
+		locked: { type: Date, default: null },
 	}, {
 		toJSON: {
 			virtuals: true,

diff --git a/store/query/auth.js b/store/query/auth.js
@@ -1,11 +1,23 @@
 const passwordHash = require('../util/passwordHash');
+const moment = require('moment');
 
 module.exports = async function(email, password) {
 	const hash = passwordHash(password);
+	const user = await this.findOne({ email });// the user has to be checked for locked whether the password was correct or not.
 
-	const users = await this.find({ email, password: hash });
-	if (users.length === 0) throw new Error('Wrong e-mail or password');
+	if (user.locked && moment().isBefore(user.locked)) {
+		throw { Error: 'LockError', retry: user.locked };
+	}
 
-	const user = users[0];
-	return user.toJSON();
+	if (user.password === hash) {
+		user.failedAttempts = 0;
+		user.locked = null;
+		await user.save();
+		return user.toJSON();
+	}
+
+	const time = 250 * user.failedAttempts;
+	const lockedTill = moment().add(time, 'ms');
+	await this.findOneAndUpdate({ email }, { $set: { failedAttempts: user.failedAttempts + 1, locked: lockedTill } });
+	throw new Error('Wrong e-mail or password');
 };