Changed brute force protection package from eluck:accounts-lockout to

lucasantoniassi:accounts-lockout that is maintained and works. Added Snap/Docker/Source settings. Thanks to xet7 ! Closes #1572, closes #1821
2025-04-23 05:27:14 -04:00 · 2019-03-11 19:47:23 +02:00 · 2019-03-11 19:47:23 +02:00 · b7c000b78b
commit b7c000b78b
parent 4ac8247db0
10 changed files with 115 additions and 5 deletions
--- a/.meteor/packages
+++ b/.meteor/packages
@ -82,7 +82,6 @@ staringatlights:fast-render
 mixmax:smart-disconnect
 accounts-password@1.5.0
 cfs:gridfs
-eluck:accounts-lockout
 rzymek:fullcalendar
 momentjs:moment@2.22.2
 browser-policy-framing
@ -92,3 +91,4 @@ wekan-scrollbar
 mquandalle:perfect-scrollbar
 mdg:meteor-apm-agent
 meteorhacks:unblock
+lucasantoniassi:accounts-lockout
--- a/.meteor/versions
+++ b/.meteor/versions
@ -60,7 +60,6 @@ ecmascript-runtime@0.5.0
 ecmascript-runtime-client@0.5.0
 ecmascript-runtime-server@0.5.0
 ejson@1.1.0
-eluck:accounts-lockout@0.9.0
 email@1.2.3
 es5-shim@4.6.15
 fastclick@1.0.13
@ -82,6 +81,7 @@ launch-screen@1.1.1
 livedata@1.0.18
 localstorage@1.2.0
 logging@1.1.19
+lucasantoniassi:accounts-lockout@1.0.0
 matb33:collection-hooks@0.8.4
 matteodem:easy-search@1.6.4
 mdg:meteor-apm-agent@3.1.2
@ -145,8 +145,6 @@ reload@1.1.11
 retry@1.0.9
 routepolicy@1.0.12
 rzymek:fullcalendar@3.8.0
-wekan-accounts-oidc@1.0.10
-wekan-oidc@1.0.12
 service-configuration@1.0.11
 session@1.1.7
 sha@1.0.9
@ -181,6 +179,8 @@ useraccounts:unstyled@1.14.2
 verron:autosize@3.0.8
 webapp@1.4.0
 webapp-hashing@1.0.9
+wekan-accounts-oidc@1.0.10
+wekan-oidc@1.0.12
 wekan-scrollbar@3.1.3
 wekan:accounts-cas@0.1.0
 wekan:wekan-ldap@0.0.2
--- a/12
+++ b/12
@ -12,6 +12,12 @@ ARG FIBERS_VERSION
 ARG ARCHITECTURE
 ARG SRC_PATH
 ARG WITH_API
+ARG ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE
+ARG ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD
+ARG ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW
+ARG ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE
+ARG ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD
+ARG ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW
 ARG EMAIL_NOTIFICATION_TIMEOUT
 ARG MATOMO_ADDRESS
 ARG MATOMO_SITE_ID
@ -102,6 +108,12 @@ ENV BUILD_DEPS="apt-utils bsdtar gnupg gosu wget curl bzip2 build-essential pyth
    ARCHITECTURE=linux-x64 \
    SRC_PATH=./ \
    WITH_API=true \
+    ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE=3 \
+    ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD=60 \
+    ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW=15 \
+    ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE=3 \
+    ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD=60 \
+    ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW=15 \
    EMAIL_NOTIFICATION_TIMEOUT=30000 \
    MATOMO_ADDRESS="" \
    MATOMO_SITE_ID="" \
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -221,6 +221,16 @@ services:
      # If you disable Wekan API with false, Export Board does not work.
      - WITH_API=true
      #---------------------------------------------------------------
+      # ==== PASSWORD BRUTE FORCE PROTECTION ====
+      #https://atmospherejs.com/lucasantoniassi/accounts-lockout
+      #Defaults below. Uncomment to change. wekan/server/accounts-lockout.js
+      #- ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE=3
+      #- ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD=60
+      #- ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW=15
+      #- ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE=3
+      #- ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD=60
+      #- ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW=15
+      #---------------------------------------------------------------
      # ==== EMAIL NOTIFICATION TIMEOUT, ms =====
      # Defaut: 30000 ms = 30s
      #- EMAIL_NOTIFICATION_TIMEOUT=30000
--- a/releases/virtualbox/start-wekan.sh
+++ b/releases/virtualbox/start-wekan.sh
@ -25,6 +25,16 @@
        # Wekan Export Board works when WITH_API='true'.
        # If you disable Wekan API, Export Board does not work.
        export WITH_API='true'
+        #---------------------------------------------------------------
+        # ==== PASSWORD BRUTE FORCE PROTECTION ====
+        #https://atmospherejs.com/lucasantoniassi/accounts-lockout
+        #Defaults below. Uncomment to change. wekan/server/accounts-lockout.js
+        #export ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE=3
+        #export ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD=60
+        #export ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW=15
+        #export ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE=3
+        #export ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD=60
+        #export ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW=15
        #---------------------------------------------
        # CORS: Set Access-Control-Allow-Origin header. Example: *
        #export CORS=*
--- a/server/accounts-lockout.js
+++ b/server/accounts-lockout.js
@ -0,0 +1,16 @@
+// https://atmospherejs.com/lucasantoniassi/accounts-lockout
+// server
+import { AccountsLockout } from 'meteor/lucasantoniassi:accounts-lockout';
+
+(new AccountsLockout({
+  knownUsers: {
+    failuresBeforeLockout: process.env.ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE || 3,
+    lockoutPeriod: process.env.ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD || 60,
+    failureWindow: process.env.ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW || 15,
+  },
+  unknownUsers: {
+    failuresBeforeLockout: process.env.ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE || 3,
+    lockoutPeriod: process.env.ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD || 60,
+    failureWindow: process.env.ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW || 15,
+  },
+})).startup();
--- a/snap-src/bin/config
+++ b/snap-src/bin/config
@ -3,7 +3,7 @@
 # All supported keys are defined here together with descriptions and default values

 # list of supported keys
-keys="DEBUG MONGODB_BIND_UNIX_SOCKET MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API EMAIL_NOTIFICATION_TIMEOUT CORS MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME BROWSER_POLICY_ENABLED TRUSTED_URL WEBHOOKS_ATTRIBUTES OAUTH2_ENABLED OAUTH2_CLIENT_ID OAUTH2_SECRET OAUTH2_SERVER_URL OAUTH2_AUTH_ENDPOINT OAUTH2_USERINFO_ENDPOINT OAUTH2_TOKEN_ENDPOINT OAUTH2_ID_MAP OAUTH2_USERNAME_MAP OAUTH2_FULLNAME_MAP OAUTH2_EMAIL_MAP LDAP_ENABLE LDAP_PORT LDAP_HOST LDAP_BASEDN LDAP_LOGIN_FALLBACK LDAP_RECONNECT LDAP_TIMEOUT LDAP_IDLE_TIMEOUT LDAP_CONNECT_TIMEOUT LDAP_AUTHENTIFICATION LDAP_AUTHENTIFICATION_USERDN LDAP_AUTHENTIFICATION_PASSWORD LDAP_LOG_ENABLED LDAP_BACKGROUND_SYNC LDAP_BACKGROUND_SYNC_INTERVAL LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS LDAP_ENCRYPTION LDAP_CA_CERT LDAP_REJECT_UNAUTHORIZED LDAP_USER_SEARCH_FILTER LDAP_USER_SEARCH_SCOPE LDAP_USER_SEARCH_FIELD LDAP_SEARCH_PAGE_SIZE LDAP_SEARCH_SIZE_LIMIT LDAP_GROUP_FILTER_ENABLE LDAP_GROUP_FILTER_OBJECTCLASS LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT LDAP_GROUP_FILTER_GROUP_NAME LDAP_UNIQUE_IDENTIFIER_FIELD LDAP_UTF8_NAMES_SLUGIFY LDAP_USERNAME_FIELD LDAP_FULLNAME_FIELD LDAP_MERGE_EXISTING_USERS LDAP_SYNC_USER_DATA LDAP_SYNC_USER_DATA_FIELDMAP LDAP_SYNC_GROUP_ROLES LDAP_DEFAULT_DOMAIN LDAP_EMAIL_MATCH_ENABLE LDAP_EMAIL_MATCH_REQUIRE LDAP_EMAIL_MATCH_VERIFIED LDAP_EMAIL_FIELD LDAP_SYNC_ADMIN_STATUS LDAP_SYNC_ADMIN_GROUPS HEADER_LOGIN_ID HEADER_LOGIN_FIRSTNAME HEADER_LOGIN_LASTNAME HEADER_LOGIN_EMAIL LOGOUT_WITH_TIMER LOGOUT_IN LOGOUT_ON_HOURS LOGOUT_ON_MINUTES DEFAULT_AUTHENTICATION_METHOD"
+keys="DEBUG MONGODB_BIND_UNIX_SOCKET MONGODB_BIND_IP MONGODB_PORT MAIL_URL MAIL_FROM ROOT_URL PORT DISABLE_MONGODB CADDY_ENABLED CADDY_BIND_PORT WITH_API ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW EMAIL_NOTIFICATION_TIMEOUT CORS MATOMO_ADDRESS MATOMO_SITE_ID MATOMO_DO_NOT_TRACK MATOMO_WITH_USERNAME BROWSER_POLICY_ENABLED TRUSTED_URL WEBHOOKS_ATTRIBUTES OAUTH2_ENABLED OAUTH2_CLIENT_ID OAUTH2_SECRET OAUTH2_SERVER_URL OAUTH2_AUTH_ENDPOINT OAUTH2_USERINFO_ENDPOINT OAUTH2_TOKEN_ENDPOINT OAUTH2_ID_MAP OAUTH2_USERNAME_MAP OAUTH2_FULLNAME_MAP OAUTH2_EMAIL_MAP LDAP_ENABLE LDAP_PORT LDAP_HOST LDAP_BASEDN LDAP_LOGIN_FALLBACK LDAP_RECONNECT LDAP_TIMEOUT LDAP_IDLE_TIMEOUT LDAP_CONNECT_TIMEOUT LDAP_AUTHENTIFICATION LDAP_AUTHENTIFICATION_USERDN LDAP_AUTHENTIFICATION_PASSWORD LDAP_LOG_ENABLED LDAP_BACKGROUND_SYNC LDAP_BACKGROUND_SYNC_INTERVAL LDAP_BACKGROUND_SYNC_KEEP_EXISTANT_USERS_UPDATED LDAP_BACKGROUND_SYNC_IMPORT_NEW_USERS LDAP_ENCRYPTION LDAP_CA_CERT LDAP_REJECT_UNAUTHORIZED LDAP_USER_SEARCH_FILTER LDAP_USER_SEARCH_SCOPE LDAP_USER_SEARCH_FIELD LDAP_SEARCH_PAGE_SIZE LDAP_SEARCH_SIZE_LIMIT LDAP_GROUP_FILTER_ENABLE LDAP_GROUP_FILTER_OBJECTCLASS LDAP_GROUP_FILTER_GROUP_ID_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_ATTRIBUTE LDAP_GROUP_FILTER_GROUP_MEMBER_FORMAT LDAP_GROUP_FILTER_GROUP_NAME LDAP_UNIQUE_IDENTIFIER_FIELD LDAP_UTF8_NAMES_SLUGIFY LDAP_USERNAME_FIELD LDAP_FULLNAME_FIELD LDAP_MERGE_EXISTING_USERS LDAP_SYNC_USER_DATA LDAP_SYNC_USER_DATA_FIELDMAP LDAP_SYNC_GROUP_ROLES LDAP_DEFAULT_DOMAIN LDAP_EMAIL_MATCH_ENABLE LDAP_EMAIL_MATCH_REQUIRE LDAP_EMAIL_MATCH_VERIFIED LDAP_EMAIL_FIELD LDAP_SYNC_ADMIN_STATUS LDAP_SYNC_ADMIN_GROUPS HEADER_LOGIN_ID HEADER_LOGIN_FIRSTNAME HEADER_LOGIN_LASTNAME HEADER_LOGIN_EMAIL LOGOUT_WITH_TIMER LOGOUT_IN LOGOUT_ON_HOURS LOGOUT_ON_MINUTES DEFAULT_AUTHENTICATION_METHOD"

 # default values
 DESCRIPTION_DEBUG="Debug OIDC OAuth2 etc. Example: sudo snap set wekan debug='true'"
@ -56,6 +56,30 @@ DESCRIPTION_WITH_API="Enable/disable the api of wekan"
 DEFAULT_WITH_API="true"
 KEY_WITH_API="with-api"

+DESCRIPTION_ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE="Accounts lockout known users failures before, greater than 0. Default: 3"
+DEFAULT_ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE="3"
+KEY_ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE="accounts-lockout-known-users-failures-before"
+
+DESCRIPTION_ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD="Accounts lockout know users period, in seconds. Default: 60"
+DEFAULT_ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD="60"
+KEY_ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD="accounts-lockout-known-users-period"
+
+DESCRIPTION_ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW="Accounts lockout unknown failure window, in seconds. Default: 15"
+DEFAULT_ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW="15"
+KEY_ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW="accounts-lockout-known-users-failure-window"
+
+DESCRIPTION_ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE="Accounts lockout unknown users failures before, greater than 0. Default: 3"
+DEFAULT_ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE="3"
+KEY_ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE="accounts-lockout-unknown-users-failures-before"
+
+DESCRIPTION_ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD="Accounts lockout unknown users lockout period, in seconds. Default: 60"
+DEFAULT_ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD="60"
+KEY_ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD="accounts-lockout-unknown-users-lockout-period"
+
+DESCRIPTION_ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW="Accounts lockout unknown users failure window, in seconds. Default: 15"
+DEFAULT_ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW="15"
+KEY_ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW="accounts-lockout-unknown-users-failure-window"
+
 DESCRIPTION_EMAIL_NOTIFICATION_TIMEOUT="Email notification timeout, ms. Default: 30000 (=30s)."
 DEFAULT_EMAIL_NOTIFICATION_TIMEOUT="30000"
 KEY_EMAIL_NOTIFICATION_TIMEOUT="email-notification-timeout"
--- a/snap-src/bin/wekan-help
+++ b/snap-src/bin/wekan-help
@ -40,6 +40,24 @@ echo -e "\t$ snap set $SNAP_NAME with-api='true'"
 echo -e "\t-Disable the API:"
 echo -e "\t$ snap set $SNAP_NAME with-api='false'"
 echo -e "\n"
+echo -e "Accounts lockout known users failures before, greater than 0. Default: 3"
+echo -e "\t$ snap set $SNAP_NAME accounts-lockout-known-users-failures-before='3'"
+echo -e "\n"
+echo -e "Accounts lockout know users period, in seconds. Default: 60"
+echo -e "\t$ snap set $SNAP_NAME accounts-lockout-known-users-period='60'"
+echo -e "\n"
+echo -e "Accounts lockout unknown failure window, in seconds. Default: 15"
+echo -e "\t$ snap set $SNAP_NAME accounts-lockout-known-users-failure-window='15'"
+echo -e "\n"
+echo -e "Accounts lockout unknown users failures before, greater than 0. Default: 3"
+echo -e "\t$ snap set $SNAP_NAME accounts-lockout-unknown-users-failures-before='3'"
+echo -e "\n"
+echo -e "Accounts lockout unknown users lockout period, in seconds. Default: 60"
+echo -e "\t$ snap set $SNAP_NAME accounts-lockout-unknown-users-lockout-period='60'"
+echo -e "\n"
+echo -e "Accounts lockout unknown users failure window, in seconds. Default: 15"
+echo -e "\t$ snap set $SNAP_NAME accounts-lockout-unknown-users-failure-window='15'"
+echo -e "\n"
 echo -e "To enable the Email Notification Timeout of wekan in ms, default 30000 (=30s):"
 echo -e "\t$ snap set $SNAP_NAME email-notification-timeout='10000'"
 echo -e "\t-Disable the Email Notification Timeout of Wekan:"
--- a/start-wekan.bat
+++ b/start-wekan.bat
@ -14,6 +14,16 @@ SET PORT=2000
 REM # If you disable Wekan API with false, Export Board does not work.
 SET WITH_API=true

+REM # ==== PASSWORD BRUTE FORCE PROTECTION ====
+REM #https://atmospherejs.com/lucasantoniassi/accounts-lockout
+REM #Defaults below. Uncomment to change. wekan/server/accounts-lockout.js
+REM SET ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE=3
+REM SET ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD=60
+REM SET ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW=15
+REM SET ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE=3
+REM SET ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD=60
+REM SET ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW=15
+
 REM # Optional: Integration with Matomo https://matomo.org that is installed to your server
 REM # The address of the server where Matomo is hosted.
 REM # example: - MATOMO_ADDRESS=https://example.com/matomo
--- a/start-wekan.sh
+++ b/start-wekan.sh
@ -43,6 +43,16 @@ function wekan_repo_check(){
      # Wekan Export Board works when WITH_API=true.
      # If you disable Wekan API with false, Export Board does not work.
      export WITH_API='true'
+      #---------------------------------------------------------------
+      # ==== PASSWORD BRUTE FORCE PROTECTION ====
+      #https://atmospherejs.com/lucasantoniassi/accounts-lockout
+      #Defaults below. Uncomment to change. wekan/server/accounts-lockout.js
+      #export ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURES_BEFORE=3
+      #export ACCOUNTS_LOCKOUT_KNOWN_USERS_PERIOD=60
+      #export ACCOUNTS_LOCKOUT_KNOWN_USERS_FAILURE_WINDOW=15
+      #export ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURES_BERORE=3
+      #export ACCOUNTS_LOCKOUT_UNKNOWN_USERS_LOCKOUT_PERIOD=60
+      #export ACCOUNTS_LOCKOUT_UNKNOWN_USERS_FAILURE_WINDOW=15
      #---------------------------------------------
      # CORS: Set Access-Control-Allow-Origin header. Example: *
      #export CORS=*