ipasis
Blog/Security Engineering

Securing Node.js Authentication with IP Reputation Analysis

December 16, 20256 min read

Authentication endpoints remain the primary attack surface for modern web applications. Credential stuffing, brute force attacks, and account takeovers (ATO) predominantly originate from anonymized infrastructure—Tor exit nodes, residential proxies, and hosting centers.

Integrating IP reputation checks directly into your Node.js authentication flow shifts security left, blocking malicious actors before they interact with your database or password hashing algorithms.

The Architecture: Middleware vs. Controller Logic

For Node.js applications (specifically Express, Fastify, or NestJS), IP intelligence should be implemented at the middleware layer, specifically guarding sensitive routes (/login, /register, /reset-password).

Do not place this logic on every request to avoid unnecessary latency and API cost. Isolate it to high-risk state changes.

Implementation in Express.js

The following implementation demonstrates a middleware function that retrieves the client IP, queries the IPASIS API, and enforces a security policy based on the return data.

Prerequisites

  1. IP Extraction: Ensure your application correctly parses X-Forwarded-For headers if behind a load balancer (NGINX, AWS ELB, Cloudflare).
  2. Fail-Open vs. Fail-Closed: Decide if system failure (API timeout) should allow or block traffic. For general auth, Fail-Open is often preferred to prevent user lockout during outages, combined with aggressive rate limiting.

The Code

const axios = require('axios');

/**
 * Middleware to check IP reputation before processing auth logic
 */
const ipReputationGuard = async (req, res, next) => {
  // 1. Extract IP correctly (handle proxies)
  const clientIp = req.headers['x-forwarded-for']?.split(',')[0] || req.socket.remoteAddress;

  // Skip local checks for dev environments
  if (clientIp === '::1' || clientIp === '127.0.0.1') return next();

  try {
    // 2. Query IPASIS Intelligence API
    const response = await axios.get(`https://api.ipasis.com/json/${clientIp}`, {
      params: { key: process.env.IPASIS_API_KEY },
      timeout: 1000 // Strict timeout to prevent latency bottlenecks
    });

    const { is_crawler, is_proxy, is_vpn, is_tor, fraud_score } = response.data;

    // 3. Define Blocking Rules
    const isAnonymizer = is_proxy || is_vpn || is_tor;
    const isHighRisk = fraud_score > 85;

    // 4. Action: Block or Challenge
    if (isAnonymizer || isHighRisk) {
      console.warn(`[Security] Blocked login attempt from ${clientIp} (Score: ${fraud_score})`);
      
      return res.status(403).json({
        error: 'Access_Denied',
        message: 'Suspicious network activity detected. Please disable VPN/Proxies.'
      });
    }

    // Attach intelligence to request object for downstream logging
    req.ipIntelligence = response.data;
    next();

  } catch (error) {
    console.error('IP Reputation check failed:', error.message);
    // Fallback: Allow request to proceed (Fail-Open) or implement rate-limiting here
    next();
  }
};

module.exports = ipReputationGuard;

Handling Latency with Caching

Synchronous API calls add latency to the user experience. To mitigate this, implement a caching layer using Redis. IP reputation data does not change second-by-second; a TTL (Time To Live) of 10 to 60 minutes is sufficient.

// Pseudo-code for Redis integration
const cachedResult = await redis.get(`ip_rep:${clientIp}`);
if (cachedResult) {
    // Use cached decision
} else {
    // Call API -> Store in Redis with TTL 600s
}

Adaptive Security Strategies

Instead of a binary "Block/Allow," consider adaptive responses based on the IPASIS fraud_score:

  1. Score < 50: Allow standard login.
  2. Score 50-80 OR Data Center IP: Require 2FA or Email Verification even if credentials match.
  3. Score > 80 OR Tor Exit Node: Hard block (403 Forbidden).

FAQ

How does this impact login latency?

Without caching, an external API call adds 50-150ms. With Redis caching, the impact is negligible (<5ms) for repeat visitors. Always set a strict timeout (e.g., 1000ms) on the HTTP request.

Should I block all VPNs?

Not necessarily. Corporate VPNs are common in B2B contexts. Use the fraud_score in conjunction with is_vpn to distinguish between a legitimate privacy user and a malicious actor rotating IPs.

How do I handle false positives?

Log all blocked attempts. If a legitimate user is blocked, your support team needs the requestId or IP to investigate. Providing a distinct error code allows the frontend to trigger a CAPTCHA as a fallback mechanism.

Ready to secure your authentication flow?

Stop credential stuffing and anonymous abuse at the edge. Get accurate, real-time detection for proxies, VPNs, and bad actors with IPASIS.

Get your free API Key

Start detecting VPNs and Bots today.

Identify anonymized traffic instantly with IPASIS.

Get API Key