大家在做登录功能时，一般怎么做暴力破解防护？

import { serve } from "https://deno.land/std@0.209.0/http/server.ts"; // node:crypto在Deno中也能用, 同样适用于Node.js, 因此哈希计算逻辑可复用 import { createHash } from "node:crypto"; /** * 这是一个前后端同文件示例: * - 当访问根路径"/"时, 会返回内置的HTML页面(HTML_PAGE变量). * - /challenge 用来提供challenge(随机字符串)和难度difficulty. * - /verify 用来验证客户端提交的(challenge + nonce)是否满足难度要求. */ // —— 前端HTML + JS的内容, 放在一个字符串常量里. —— const HTML_PAGE = `<!DOCTYPE html> <html> <head> <meta charset="UTF-8"> <title>Proof of Work (Single File Demo)</title> <style> body { font-family: sans-serif; margin: 20px; } #logArea { margin-top: 20px; padding: 10px; background: #f7f7f7; border: 1px solid #ccc; white-space: pre; font-family: monospace; } #status { margin-top: 10px; color: blue; font-weight: bold; } button { padding: 8px 16px; } </style> </head> <body> <h1>Proof of Work (Single File Demo)</h1> <button id="powButton">Compute POW and Verify</button> <p id="status"></p> <div id="logArea"></div> <script> // 获取页面元素 const logArea = document.getElementById('logArea'); const statusEl = document.getElementById('status'); /** * 前端的统一日志打印函数 * @param {string} level - 日志级别, 如"INFO","WARN","ERROR" * @param {string} message - 具体日志内容 */ function frontLog(level, message) { // 按[INFO] [WARN] [ERROR]的格式打印 const logMessage = \`[\${level}] \${message}\`; console.log(logMessage); // 同时输出到浏览器控制台 logArea.textContent += logMessage + "\\n"; // 显示到网页上的日志区域 } /** * 将 ArrayBuffer 转成十六进制字符串, 以便查看哈希结果 * @param {ArrayBuffer} buffer - 浏览器端计算的哈希结果(二进制) * @returns {string} - 对应的hex字符串 */ function bufferToHex(buffer) { const hexCodes = []; const view = new DataView(buffer); for (let i = 0; i < view.byteLength; i++) { // 将每个字节转成两位16进制表示 const value = view.getUint8(i).toString(16).padStart(2, "0"); hexCodes.push(value); } return hexCodes.join(""); } /** * 计算字符串的SHA-256哈希(浏览器端) * @param {string} str - 待哈希的字符串 * @returns {Promise<string>} - hex格式的哈希值 */ async function sha256(str) { const encoder = new TextEncoder(); const data = encoder.encode(str); // crypto.subtle.digest在浏览器端计算SHA-256, 返回ArrayBuffer const hashBuffer = await crypto.subtle.digest("SHA-256", data); return bufferToHex(hashBuffer); } /** * 前端执行POW: 不断尝试nonce, 找到一个令hash前difficulty位(16进制)为"0"的nonce * @param {string} challenge - 服务端下发的随机字符串 * @param {number} difficulty - 难度, 需要hash前多少位为"0" * @returns {Promise<number>} - 找到的nonce */ async function computeProofOfWork(challenge, difficulty) { const targetPrefix = "0".repeat(difficulty); const startTime = performance.now(); // 记录开始时间 let nonce = 0; while (true) { // 计算hash const hashValue = await sha256(challenge + nonce); // 判断hash的前difficulty个字符是否是"0" if (hashValue.startsWith(targetPrefix)) { // 算到满足条件后, 计算耗时 const endTime = performance.now(); const costMs = (endTime - startTime).toFixed(2); frontLog("INFO", \`PoW computation finished. nonce=\${nonce}, cost=\${costMs} ms\`); return nonce; } nonce++; } } /** * 处理"Compute POW and Verify"按钮的点击事件 * 1. 请求/challenge获取challenge和difficulty * 2. 前端计算PoW * 3. 提交到/verify进行验证 */ document.getElementById("powButton").addEventListener("click", async () => { // 每次点击按钮, 先清空前端日志显示 logArea.textContent = ""; statusEl.textContent = "请求 challenge 中..."; frontLog("INFO", "REQUEST /challenge -> 获取challenge和difficulty"); // 记录获取challenge的开始时间 const challengeStart = performance.now(); const challengeResp = await fetch("/challenge"); const { challenge, difficulty } = await challengeResp.json(); // 获取challenge结束 const challengeEnd = performance.now(); frontLog("INFO", \`RESPONSE /challenge, 耗时=\${(challengeEnd - challengeStart).toFixed(2)} ms -> challenge="\${challenge}", difficulty=\${difficulty}\`); // 开始计算POW statusEl.textContent = \`开始计算 POW, 难度 = \${difficulty}\`; frontLog("INFO", \`开始PoW计算, difficulty=\${difficulty}, challenge="\${challenge}"\`); const nonce = await computeProofOfWork(challenge, difficulty); // 计算完成后, 请求后端验证 statusEl.textContent = \`POW计算完成 (nonce = \${nonce}), 开始验证...\`; frontLog("INFO", \`REQUEST /verify -> 提交 {challenge="\${challenge}", nonce=\${nonce}, difficulty=\${difficulty}}\`); const verifyStart = performance.now(); const verifyResp = await fetch("/verify", { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify({ challenge, nonce, difficulty }) }); const result = await verifyResp.json(); const verifyEnd = performance.now(); frontLog("INFO", \`RESPONSE /verify, 耗时=\${(verifyEnd - verifyStart).toFixed(2)} ms -> success=\${result.success}\`); // 更新页面状态 statusEl.textContent = result.success ? "验证成功!" : ("验证失败: " + (result.error || "未知错误")); }); </script> </body> </html> `; /** * 用于验证客户端提交的(challenge + nonce)是否满足难度 * @param {string} challenge - 随机字符串 * @param {number} nonce - 前端计算出的nonce * @param {number} difficulty - 难度系数, 需要hash前多少位是"0" * @returns {boolean} - 是否满足难度要求 */ function verifyPow(challenge: string, nonce: number, difficulty: number): boolean { // 这里用node:crypto的createHash在Deno里也能用, 同样可在Node.js中复用 const hash = createHash("sha256").update(challenge + nonce).digest("hex"); const success = hash.startsWith("0".repeat(difficulty)); // 后端日志按照统一格式输出 console.log(`[INFO] verifyPow -> challenge="${challenge}", nonce=${nonce}, difficulty=${difficulty}`); console.log(`[INFO] verifyPow -> computedHash="${hash}", success=${success}`); return success; } /** * 运行Deno服务器, 处理前端访问: * - GET / -> 返回HTML_PAGE(前端页面) * - GET /challenge -> 返回challenge和difficulty * - POST /verify -> 接收前端提交的(challenge, nonce, difficulty), 验证是否满足哈希难度 */ serve(async (req) => { const { method } = req; const url = new URL(req.url); // 后端请求日志 console.log(`[INFO] REQUEST -> method=${method}, path=${url.pathname}`); // 当访问根路径时, 返回内置HTML页面 if (url.pathname === "/") { console.log("[INFO] Serving root HTML page"); return new Response(HTML_PAGE, { headers: { "Content-Type": "text/html; charset=utf-8" }, }); } // 前端获取challenge和difficulty if (url.pathname === "/challenge") { console.log("[INFO] 生成新的 challenge 与 difficulty..."); // 生成随机字符串 const challenge = crypto.randomUUID(); // 可以自行调整难度, 这里默认为4 const difficulty = 4; console.log(`[INFO] 下发给前端 challenge="${challenge}", difficulty=${difficulty}`); return new Response( JSON.stringify({ challenge, difficulty }), { headers: { "Content-Type": "application/json" } } ); } // 前端提交验证 if (url.pathname === "/verify" && method === "POST") { try { // 记录后端验证开始时间, 观察耗时 const verifyStartTime = performance.now(); // 解析前端提交的数据 const { challenge, nonce, difficulty } = await req.json(); console.log(`[INFO] 接收到验证请求 -> challenge="${challenge}", nonce=${nonce}, difficulty=${difficulty}`); // 调用verifyPow函数验证 const success = verifyPow(challenge, nonce, difficulty); console.log(`[INFO] 验证结果 -> ${success ? "SUCCESS" : "FAILURE"}`); // 统计后端验证耗时 const verifyEndTime = performance.now(); const costMs = (verifyEndTime - verifyStartTime).toFixed(2); console.log(`[INFO] 本次验证耗时 -> ${costMs} ms`); // 返回结果给前端 return new Response( JSON.stringify({ success }), { headers: { "Content-Type": "application/json" }, status: success ? 200 : 400, }, ); } catch (err) { // 异常处理 console.log(`[ERROR] Exception during verification -> ${err.message}`); return new Response( JSON.stringify({ success: false, error: err.message }), { headers: { "Content-Type": "application/json" }, status: 400, }, ); } } // 其他未匹配的路径返回404 console.log(`[WARN] 404 Not Found -> ${url.pathname}`); return new Response("Not Found", { status: 404 }); });