feat: block user after 5 failed login attemtps

src/auth/auth.route.ts

@@ -44,6 +44,8 @@ export async function authRoutes(fastify: FastifyInstance) {
         const hashedPassword = await hash(password);
         userInDB.passwordHash = hashedPassword;
 
+        userInDB.blocked = false;
+        userInDB.faliedLoginCount = 0;
         await userInDB.save();
       } catch (err) {
         return err;
@@ -79,9 +81,20 @@ export async function authRoutes(fastify: FastifyInstance) {
         if (!userInDB.passwordHash)
           return res.code(401).send({ error: "invalid email or password" });
 
+        if (userInDB.blocked)
+          return res
+            .code(401)
+            .send({ error: "Account blocked. Contact admin." });
+
         const match = await verify(userInDB.passwordHash, password);
-        if (!match)
+        if (!match) {
+          if (!userInDB.faliedLoginCount) userInDB.faliedLoginCount = 0;
+          if (userInDB.faliedLoginCount >= 4) userInDB.blocked = true;
+          userInDB.faliedLoginCount++;
+          await userInDB.save();
+
           return res.code(401).send({ error: "invalid email or password" });
+        }
 
         const newSession = await createSession(
           userInDB.id,
@@ -90,6 +103,7 @@ export async function authRoutes(fastify: FastifyInstance) {
         );
 
         userInDB.lastLogin = new Date();
+        userInDB.faliedLoginCount = 0;
         await userInDB.save();
 
         res.send({ session_token: newSession.sid });