When lifetime is reset with refreshTimeoutOnRequest?

[SyRenity]

First of all, thanks for the great module!

From reading the documentation, I'm not very clear when exactly the lifetime is reset with refreshTimeoutOnRequest set to true.

Is it once the lifetime ends a new one starts then?

[AdamPflug]

So basically the lifetime is how long the record of request counts for an IP is kept. refreshTimeoutOnRequests renews that timeout each time a new request comes from that IP if it's set to true, while if it's set to false the timeout is the time since the first request from that IP.

If you look at the globalBruteforce example in the README, you'll see it's set to false - so that there is a limited number of requests from an IP in a given 24 hour period. If refreshTimeoutOnRequest was set to true (as is default) you would be locked out for 24 hours from the last request rather than 24 hours from the first request.

If you want to manually reset the count (for example because of a successful login) just call req.brute.reset(). I'm not sure I'm making this clear enough in the current "Basic Example" maybe I need to add the call to that.

Thoughts?

• Adam

[SyRenity]

So for example, following settings:

var genericBruteforce = new ExpressBrute(store, {
    freeRetries: 100,
    lifetime: 30,
    attachResetToRequest: false,
    refreshTimeoutOnRequest: false,
});

• allow up 100 requests during 30 seconds from a particular IP
• ban 101 request and higher from the IP during these 30 seconds
• once these 30 seconds are over, the IP can send up to 100 requests more
  Is this correct?

However if the refreshTimeoutOnRequest set to true, then it will not ban at all (with counter resetting every request)? Or perhaps I misunderstand how lifetime works?

[AdamPflug]

Almost. You would also want to set minWait and maxWait to 31. Oh, and I guess freeRetries would need to be 99. Then it would work as you described for the refreshTimeoutOnRequest: false case.

If true it would:

• Allow up 100 requests from a particular IP. Then:
• Ban 101 request and higher from the IP for 30 seconds from the last un-blocked request.
• Once these 30 seconds are over, the IP can send up to 100 requests more
• Additionally, if more than 30 seconds elapse between any two requests the request count is set back to 1

[SyRenity]

@AdamPflug Thanks, it's more clear now.

Would be great to have these 2 cases described more clearly in doc, e.g.:

• Option 1 - limit amount of requests in a certain time-period
• Option 2 - limit amount of requests over a period

The problem imho that the difference is too subtle, perhaps use case examples would help.

[AdamPflug]

I'm trying to balance keeping the documentation as simple as short as possible with providing enough information. Hopefully rephrasing it makes things a little clearer - if not I've linked to this issue.

[kangwen]

very nice

[bbock]

minWaitand maxWait are in ms, so I guess in the example above they should be set to 30001 instead of 31 as described in #14 (comment). At least, fo me it does the trick 😉