Merged from master

Author: Casassarnau

README.md

@@ -11,6 +11,7 @@
 - Email sign up ✉️
 - Email verification 📨
 - Forgot password 🤔
+- Ip block on failed login tries & ip blocklist ✋ (Optional)
 - Dark mode 🌚 🌝 Light mode (Optional)
 
 ## Development

app/settings.py

@@ -13,6 +13,7 @@
 from pathlib import Path
 
 from django.contrib.messages import constants as message_constants
+from django.utils import timezone
 
 from .hackathon_variables import *
 
@@ -47,6 +48,7 @@
     'django.contrib.sessions',
     'django.contrib.messages',
     'django.contrib.staticfiles',
+    'captcha',
     'django_tables2',
     'django_filters',
     'django_jwt',
@@ -60,6 +62,7 @@
     'application',
     'review',
     'event',
+    'axes',
 ]
 
 MIDDLEWARE = [
@@ -129,6 +132,22 @@
     },
 ]
 
+AUTHENTICATION_BACKENDS = [
+    # AxesStandaloneBackend should be the first backend in the AUTHENTICATION_BACKENDS list.
+    'axes.backends.AxesStandaloneBackend',
+
+    # Django ModelBackend is the default authentication backend.
+    'django.contrib.auth.backends.ModelBackend',
+]
+
+# django-axes configuration
+AXES_USERNAME_FORM_FIELD = 'user.models.User.USERNAME_FIELD'
+AXES_COOLOFF_TIME = timezone.timedelta(minutes=5)
+AXES_FAILURE_LIMIT = os.environ.get('AXES_FAILURE_LIMIT', 3)
+AXES_ENABLED = os.environ.get('AXES_ENABLED', not DEBUG)
+AXES_IP_BLACKLIST = os.environ.get('AXES_IP_BLACKLIST', '').split(',')
+SILENCED_SYSTEM_CHECKS = ['axes.W002']
+
 
 # Internationalization
 # https://docs.djangoproject.com/en/4.0/topics/i18n/
@@ -201,9 +220,16 @@
     message_constants.ERROR: 'danger',
 }
 
-# Google recaptcha
-GOOGLE_RECAPTCHA_SECRET_KEY = os.environ.get('GOOGLE_RECAPTCHA_SECRET_KEY', '')
-GOOGLE_RECAPTCHA_SITE_KEY = os.environ.get('GOOGLE_RECAPTCHA_SITE_KEY', '')
+# Google Recaptcha configuration
+RECAPTCHA_PUBLIC_KEY = os.environ.get('RECAPTCHA_PUBLIC_KEY', '')
+RECAPTCHA_PRIVATE_KEY = os.environ.get('RECAPTCHA_PRIVATE_KEY', '')
+RECAPTCHA_WIDGET = os.environ.get('RECAPTCHA_WIDGET', 'ReCaptchaV2Checkbox')
+RECAPTCHA_REGISTER = True
+RECAPTCHA_LOGIN = False
+try:
+    RECAPTCHA_REQUIRED_SCORE = float(os.environ.get('RECAPTCHA_REQUIRED_SCORE', "0.85"))
+except ValueError:
+    RECAPTCHA_REQUIRED_SCORE = 0.85
 
 # Login tries
 LOGIN_TRIES = 1000 if DEBUG else 4

app/static/css/main.css

@@ -147,3 +147,7 @@ footer {
 .bg-light .bg-contrast {
     background-color: rgba(0, 0, 0, 0.075);
 }
+
+.g-recaptcha {
+    display: inline-block;
+}

requirements.txt

@@ -8,18 +8,21 @@ cryptography==37.0.2
 Deprecated==1.2.13
 Django==4.0.7
 django-appconf==1.0.5
+django-axes==5.39.0
 django-bootstrap5==21.3
 django-colorfield==0.7.2
 django-compressor==4.1
 django-cors-headers==3.13.0
 django-crontab==0.7.1
 django-filter==22.1
+django-ipware==4.0.2
 django-jwt-oidc==0.3.9
 django-libsass==0.9
+django-recaptcha==3.0.0
 django-tables2==2.4.1
 flake8==4.0.1
 idna==3.3
-jwcrypto==1.3.1
+jwcrypto==1.4
 libsass==0.21.0
 mccabe==0.6.1
 Pillow==9.2.0

review/views.py

@@ -121,8 +121,9 @@ def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
         application = self.get_application()
         if application is not None:
-            details = {_('Full Name'): application.user.get_full_name(), _('Status'): application.get_status_display(),
-                       _('Promotion'): application.promotional_code.name}
+            details = {_('Full Name'): application.user.get_full_name(), _('Status'): application.get_status_display()}
+            if application.promotional_code:
+                details[_('Promotion')] = application.promotional_code.name
             ApplicationForm = self.get_form(application.type)
             for name, value in application.form_data.items():
                 if isinstance(value, FileField):

user/admin.py

@@ -3,7 +3,7 @@
 from django.contrib.auth.models import Group
 
 from user.forms import UserChangeForm, UserCreationForm
-from user.models import User, BlockedUser, LoginRequest
+from user.models import User, BlockedUser
 
 
 class UserAdmin(BaseUserAdmin):
@@ -45,5 +45,4 @@ class GroupAdmin(BaseGroupAdmin):
 admin.site.register(User, UserAdmin)
 admin.site.unregister(Group)
 admin.site.register(Group, GroupAdmin)
-admin.site.register(LoginRequest)
 admin.site.register(BlockedUser)

user/forms.py

@@ -1,5 +1,7 @@
 import re
 
+from captcha.fields import ReCaptchaField
+from captcha import widgets as captcha_widgets
 from django import forms
 from django.conf import settings
 from django.contrib.auth import password_validation
@@ -8,10 +10,34 @@
 from django.utils.safestring import mark_safe
 
 from app.mixins import BootstrapFormMixin
+from app.utils import get_theme
 from user.models import User
 from django.utils.translation import gettext_lazy as _
 
 
+class RecaptchaForm(forms.Form):
+    @classmethod
+    def active(cls):
+        return getattr(settings, 'RECAPTCHA_PUBLIC_KEY', False) and getattr(settings, 'RECAPTCHA_PRIVATE_KEY', False)
+
+    def __init__(self, *args, **kwargs):
+        request = kwargs.pop('request', None)
+        widget_setting = getattr(settings, 'RECAPTCHA_WIDGET', 'ReCaptchaV2Checkbox')
+        widget_class = getattr(captcha_widgets, widget_setting, captcha_widgets.ReCaptchaV2Checkbox)
+        if widget_class == captcha_widgets.ReCaptchaBase or not issubclass(widget_class, captcha_widgets.ReCaptchaBase):
+            widget_class = captcha_widgets.ReCaptchaV2Checkbox
+        theme = get_theme(request) if request is not None else 'light'
+        self.base_fields['captcha'] = ReCaptchaField(
+            widget=widget_class(attrs={'data-theme': theme}),
+            error_messages={'required': _('You must pass the reCAPTCHA challenge!')})
+        super().__init__(*args, **kwargs)
+
+    captcha = ReCaptchaField(
+        widget=captcha_widgets.ReCaptchaV2Checkbox(),
+        error_messages={'required': _('You must pass the reCAPTCHA challenge!')}
+    )
+
+
 class LoginForm(BootstrapFormMixin, forms.Form):
     bootstrap_field_info = {'': {'fields': [{'name': 'email', 'space': 12}, {'name': 'password', 'space': 12}]}}
 

user/migrations/0006_delete_loginrequest.py

@@ -0,0 +1,16 @@
+# Generated by Django 4.0.7 on 2022-10-01 14:04
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('user', '0005_user_qr_code_alter_user_diet'),
+    ]
+
+    operations = [
+        migrations.DeleteModel(
+            name='LoginRequest',
+        ),
+    ]

user/models.py

@@ -222,18 +222,6 @@ def get_users_with_permissions(cls, perms):
                                   Q(is_superuser=True)).distinct()
 
 
-class LoginRequest(models.Model):
-    ip = models.CharField(max_length=30)
-    latest_request = models.DateTimeField()
-    login_tries = models.IntegerField(default=1)
-
-    def __str__(self):
-        return self.ip
-
-    def reset_tries(self):
-        self.login_tries = 1
-
-
 class BlockedUser(models.Model):
     full_name = models.CharField(max_length=100)
     email = models.EmailField(max_length=100)

user/templates/auth.html

@@ -8,25 +8,34 @@
                 {% include 'components/tabs.html' %}
             {% endif %}
             <div class="bg-{{ theme }} text-{% if theme == 'dark' %}white{% else %}black{% endif %}">
-                <form method="post">
-                    {% csrf_token %}
-                    <div class="content p-4">
-                        {% include 'components/bootstrap5_form.html' %}
-                        {% if auth == 'register' %}
-                            {% if captcha_site_key %}
-                                <script src='https://www.google.com/recaptcha/api.js'></script>
-                                <div class="g-recaptcha" data-sitekey="{{ captcha_site_key }}"></div>
+                {% if not blocked_message %}
+                    <form method="post">
+                        {% csrf_token %}
+                        <div class="content p-4">
+                            {% include 'components/bootstrap5_form.html' %}
+                            {% if auth != 'register' %}
+                                <p><a class="text-{% if theme == 'dark' %}white{% else %}black{% endif %}" style="text-decoration: none" href="{% url 'forgot_password' %}">{% translate 'Forgot your password?' %}</a></p>
                             {% endif %}
-                        {% else %}
-                            <p><a class="text-{% if theme == 'dark' %}white{% else %}black{% endif %}" style="text-decoration: none" href="{% url 'forgot_password' %}">{% translate 'Forgot your password?' %}</a></p>
-                        {% endif %}
-                        <div class="row justify-content-around">
-                            <div class="col-12 col-lg-6 d-grid d-md-block">
-                                <button type="submit" class="btn btn-primary col-12">{{ auth|title }}</button>
+                            {% for field in recaptcha_form %}
+                                <div class="text-center mb-1">
+                                    {{ field }}
+                                </div>
+                            {% endfor %}
+                            <div class="row justify-content-around">
+                                <div class="col-12 col-lg-6 d-grid d-md-block">
+                                    <button type="submit" class="btn btn-primary col-12">{{ auth|title }}</button>
+                                </div>
                             </div>
                         </div>
+                    </form>
+                {% else %}
+                    <div class="p-3">
+                        <div class="alert alert-danger alert-dismissible fade show" role="alert">
+                            {{ blocked_message }}
+                            <button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
+                        </div>
                     </div>
-                </form>
+                {% endif %}
             </div>
         </div>
     </div>