Prevent automated attacks designed to guess credentials
def handle_post(%{params: %{"username" => username, "password" => password}} = conn, _opts) do
if Users.validate_credentials(username, password) do
conn |> send_resp(200, "Logged in!")
else
conn |> send_resp(401, "Invalid credentials")
end
end
This code is vulnerable because nothing limits, slows or counts repeated attempts. It checks whether the supplied credentials are valid and answers immediately, so an attacker can submit username and password combinations at whatever rate the server can process (a wordlist against one account, or one common password across many accounts) until a match is found. Each failed attempt costs the attacker nothing but a request.
def handle_post(%{params: %{"username" => username, "password" => password} = params} = conn, _opts) do
  # `and` short-circuits left to right, so the credential check (and the
  # database lookup behind it) only runs once the rate limit and the CAPTCHA
  # have passed. Every operand must return a boolean: `and` raises on nil.
  if RateLimiter.allow_request(username) and Captcha.verify(params["captcha"]) and
       Users.validate_credentials(username, password) do
    conn |> send_resp(200, "Logged in!")
  else
    # One generic message for all three failure causes, so the response does
    # not reveal whether the username exists or which check rejected the request.
    conn |> send_resp(401, "Invalid credentials or too many attempts")
  end
end
defmodule RateLimiter do
  # Placeholder. Must return true or false, and must count the attempt it
  # admits (or the handler must record failures separately); a limiter that
  # only reads a counter nobody increments limits nothing.
  def allow_request(_username) do
    # Rate limiting logic here
  end
end
defmodule Captcha do
  # Placeholder. Must return true only for a response the CAPTCHA provider
  # confirmed for this request, and false for a missing or reused token.
  def verify(_captcha_response) do
    # Captcha verification logic here
  end
end
The secure code adds two controls in front of the credential check. The RateLimiter module limits the number of login attempts for the same username within a time window, and the Captcha module requires a CAPTCHA response that a bot cannot cheaply produce. If the rate limit has been reached or the CAPTCHA verification fails, the credentials are never checked and the client receives the same generic 401 response.

Two points a practitioner should check when filling in the placeholders. First, something has to record failed attempts: the limiter above only asks whether an attempt is allowed, so either allow_request counts the attempt it admits or the handler records a failure after validate_credentials returns false, and it should clear the counter on success so a legitimate user is not throttled by their own logins. Second, a limit keyed on the username alone is not sufficient on its own: an attacker can spray one password across many accounts while staying under each account's limit, and an attacker who deliberately exhausts a victim's limit locks that user out. Keying on the client address as well, and returning a 429 with a retry delay rather than a hard lockout, addresses both.
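As an added example (this is not the page's code), the following Elixir script implements the RateLimiter placeholder as a fixed-window failure counter stored in ETS, with the record-on-failure and reset-on-success steps the page's stub leaves open, and shows a handler that wires it in and answers 429 when the limit is hit. The module names, the :login_attempts table, the limit of 5 failures per 300 seconds and the `now` parameter (injected so the window logic can be exercised without waiting) are assumptions chosen for this example; `Plug.Conn.send_resp/3`, `Users` and `Captcha` are the page's own dependencies and are called fully qualified so the file compiles and the demo at the bottom runs without them.

```elixir
# Added example, not the page's code. Run with: elixir login_rate_limiter.exs
defmodule LoginRateLimiter do
  @table :login_attempts   # assumption: ETS table name chosen for this example
  @max_failures 5          # assumption: lock after 5 failed attempts...
  @window_seconds 300      # ...within a 300 second window

  # Create the ETS table once (for a real app, from Application.start/2).
  def start do
    if :ets.whereis(@table) == :undefined do
      :ets.new(@table, [:named_table, :public, :set])
    end
    :ok
  end

  # true while the account has fewer than @max_failures failures in the
  # current window. Only reads the counter; it does not count the call.
  def allow?(username, now \\ System.system_time(:second)) do
    case :ets.lookup(@table, key(username)) do
      [{_k, failures, window_start}] when now - window_start < @window_seconds ->
        failures < @max_failures
      _ ->
        true
    end
  end

  # Count one failed credential check. Only failures are counted, so a
  # legitimate user is not throttled by their own successful logins.
  def record_failure(username, now \\ System.system_time(:second)) do
    k = key(username)
    case :ets.lookup(@table, k) do
      [{^k, failures, window_start}] when now - window_start < @window_seconds ->
        :ets.insert(@table, {k, failures + 1, window_start})
      _ ->
        # no entry yet, or the previous window has expired: start a fresh one
        :ets.insert(@table, {k, 1, now})
    end
    :ok
  end

  # Clear the counter after a successful login.
  def reset(username) do
    :ets.delete(@table, key(username))
    :ok
  end

  # Normalise so "Alice" and " alice" share one counter.
  defp key(username), do: username |> String.trim() |> String.downcase()
end

defmodule LoginHandler do
  # Same shape as the page's handler, with the limiter wired in properly.
  def handle_post(%{params: %{"username" => username, "password" => password} = params} = conn, _opts) do
    cond do
      not LoginRateLimiter.allow?(username) ->
        # 429 rather than 401: the limit, not the credentials, rejected this request
        Plug.Conn.send_resp(conn, 429, "Too many attempts, try again later")

      not Captcha.verify(params["captcha"]) ->
        Plug.Conn.send_resp(conn, 401, "Invalid credentials")

      Users.validate_credentials(username, password) ->
        LoginRateLimiter.reset(username)
        Plug.Conn.send_resp(conn, 200, "Logged in!")

      true ->
        LoginRateLimiter.record_failure(username)
        Plug.Conn.send_resp(conn, 401, "Invalid credentials")
    end
  end
end

# Stand-alone demonstration of the limiter with a fixed clock (t0 is arbitrary).
LoginRateLimiter.start()
t0 = 1_000_000
for _ <- 1..5, do: LoginRateLimiter.record_failure("alice", t0)
IO.inspect(LoginRateLimiter.allow?("alice", t0 + 10), label: "alice after 5 failures")
IO.inspect(LoginRateLimiter.allow?(" ALICE", t0 + 10), label: "same account, different spelling")
IO.inspect(LoginRateLimiter.allow?("bob", t0 + 10), label: "unrelated account")
IO.inspect(LoginRateLimiter.allow?("alice", t0 + 301), label: "alice once the window expires")
LoginRateLimiter.reset("alice")
IO.inspect(LoginRateLimiter.allow?("alice", t0 + 10), label: "alice after a successful login")
```

The demo shows the behaviour the prose asks for: the fifth failure blocks the account under either spelling, an unrelated account is unaffected, and both window expiry and a successful login (reset) admit the user again. A fixed window is the simplest choice; it lets a client burst up to the limit twice across a window boundary, which a sliding window or token bucket avoids if that matters. To also key on the client address, as recommended above, pass a composite key such as `{username, remote_ip}` in place of the bare username.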