Merge pull request #39 from HackAssistant/login_tries_block

Login tries block

Author: Casassarnau

README.md

@@ -11,6 +11,7 @@
 - Email sign up ✉️
 - Email verification 📨
 - Forgot password 🤔
+- Ip block on failed login tries & ip blocklist ✋ (Optional)
 - Dark mode 🌚 🌝 Light mode (Optional)
 
 ## Development

app/settings.py

@@ -13,6 +13,7 @@
 from pathlib import Path
 
 from django.contrib.messages import constants as message_constants
+from django.utils import timezone
 
 from .hackathon_variables import *
 
@@ -60,6 +61,7 @@
     'application',
     'review',
     'event',
+    'axes',
 ]
 
 MIDDLEWARE = [
@@ -129,6 +131,22 @@
     },
 ]
 
+AUTHENTICATION_BACKENDS = [
+    # AxesStandaloneBackend should be the first backend in the AUTHENTICATION_BACKENDS list.
+    'axes.backends.AxesStandaloneBackend',
+
+    # Django ModelBackend is the default authentication backend.
+    'django.contrib.auth.backends.ModelBackend',
+]
+
+# django-axes configuration
+AXES_USERNAME_FORM_FIELD = 'user.models.User.USERNAME_FIELD'
+AXES_COOLOFF_TIME = timezone.timedelta(minutes=5)
+AXES_FAILURE_LIMIT = os.environ.get('AXES_FAILURE_LIMIT', 3)
+AXES_ENABLED = os.environ.get('AXES_ENABLED', not DEBUG)
+AXES_IP_BLACKLIST = os.environ.get('AXES_IP_BLACKLIST', '').split(',')
+SILENCED_SYSTEM_CHECKS = ['axes.W002']
+
 
 # Internationalization
 # https://docs.djangoproject.com/en/4.0/topics/i18n/

requirements.txt

@@ -8,12 +8,14 @@ cryptography==37.0.2
 Deprecated==1.2.13
 Django==4.0.7
 django-appconf==1.0.5
+django-axes==5.39.0
 django-bootstrap5==21.3
 django-colorfield==0.7.2
 django-compressor==4.1
 django-cors-headers==3.13.0
 django-crontab==0.7.1
 django-filter==22.1
+django-ipware==4.0.2
 django-jwt-oidc==0.3.9
 django-libsass==0.9
 django-tables2==2.4.1

user/admin.py

@@ -3,7 +3,7 @@
 from django.contrib.auth.models import Group
 
 from user.forms import UserChangeForm, UserCreationForm
-from user.models import User, BlockedUser, LoginRequest
+from user.models import User, BlockedUser
 
 
 class UserAdmin(BaseUserAdmin):
@@ -45,5 +45,4 @@ class GroupAdmin(BaseGroupAdmin):
 admin.site.register(User, UserAdmin)
 admin.site.unregister(Group)
 admin.site.register(Group, GroupAdmin)
-admin.site.register(LoginRequest)
 admin.site.register(BlockedUser)

user/migrations/0006_delete_loginrequest.py

@@ -0,0 +1,16 @@
+# Generated by Django 4.0.7 on 2022-10-01 14:04
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('user', '0005_user_qr_code_alter_user_diet'),
+    ]
+
+    operations = [
+        migrations.DeleteModel(
+            name='LoginRequest',
+        ),
+    ]

user/models.py

@@ -222,18 +222,6 @@ def get_users_with_permissions(cls, perms):
                                   Q(is_superuser=True)).distinct()
 
 
-class LoginRequest(models.Model):
-    ip = models.CharField(max_length=30)
-    latest_request = models.DateTimeField()
-    login_tries = models.IntegerField(default=1)
-
-    def __str__(self):
-        return self.ip
-
-    def reset_tries(self):
-        self.login_tries = 1
-
-
 class BlockedUser(models.Model):
     full_name = models.CharField(max_length=100)
     email = models.EmailField(max_length=100)

user/templates/auth.html

@@ -8,25 +8,35 @@
                 {% include 'components/tabs.html' %}
             {% endif %}
             <div class="bg-{{ theme }} text-{% if theme == 'dark' %}white{% else %}black{% endif %}">
-                <form method="post">
-                    {% csrf_token %}
-                    <div class="content p-4">
-                        {% include 'components/bootstrap5_form.html' %}
-                        {% if auth == 'register' %}
-                            {% if captcha_site_key %}
-                                <script src='https://www.google.com/recaptcha/api.js'></script>
-                                <div class="g-recaptcha" data-sitekey="{{ captcha_site_key }}"></div>
+                {% if not blocked_message %}
+                    <form method="post">
+                        {% csrf_token %}
+                        <div class="content p-4">
+                            {% include 'components/bootstrap5_form.html' %}
+                            {% if auth == 'register' %}
+                                {% if captcha_site_key %}
+                                    <script src='https://www.google.com/recaptcha/api.js'></script>
+                                    <div class="g-recaptcha" data-sitekey="{{ captcha_site_key }}"></div>
+                                {% endif %}
+                            {% else %}
+                                <p><a class="text-{% if theme == 'dark' %}white{% else %}black{% endif %}" style="text-decoration: none" href="{% url 'forgot_password' %}">{% translate 'Forgot your password?' %}</a></p>
                             {% endif %}
-                        {% else %}
-                            <p><a class="text-{% if theme == 'dark' %}white{% else %}black{% endif %}" style="text-decoration: none" href="{% url 'forgot_password' %}">{% translate 'Forgot your password?' %}</a></p>
-                        {% endif %}
-                        <div class="row justify-content-around">
-                            <div class="col-12 col-lg-6 d-grid d-md-block">
-                                <button type="submit" class="btn btn-primary col-12">{{ auth|title }}</button>
+                            <div class="row justify-content-around">
+                                <div class="col-12 col-lg-6 d-grid d-md-block">
+                                    <button type="submit" class="btn btn-primary col-12">{{ auth|title }}</button>
+                                </div>
                             </div>
                         </div>
+                    </form>
+                {% else %}
+                    <div class="p-3">
+                        <div class="alert alert-danger alert-dismissible fade show" role="alert">
+                            {{ blocked_message }}
+                            <button type="button" class="btn-close" data-bs-dismiss="alert" aria-label="Close"></button>
+                        </div>
                     </div>
-                </form>
+
+                {% endif %}
             </div>
         </div>
     </div>

user/views.py

@@ -1,6 +1,11 @@
+from axes.handlers.proxy import AxesProxyHandler
+from axes.helpers import get_client_ip_address, get_cool_off
+from axes.models import AccessAttempt
+from axes.utils import reset_request
 from django.contrib import auth, messages
 from django.shortcuts import redirect
-from django.urls import reverse
+from django.urls import reverse, resolve
+from django.utils import timezone
 from django.views import View
 from django.views.generic import TemplateView
 from django.utils.translation import gettext as _
@@ -12,11 +17,21 @@
 from user.mixins import LoginRequiredMixin, EmailNotVerifiedMixin
 from user.models import User
 from user.tokens import AccountActivationTokenGenerator
-from user.verification import check_client_ip, reset_tries, check_recaptcha
 
 
-class Login(TabsViewMixin, TemplateView):
+class AuthTemplateViews(TabsViewMixin, TemplateView):
     template_name = 'auth.html'
+    names = {
+        'login': 'log in',
+        'register': 'register',
+    }
+    forms = {
+        'login': LoginForm,
+        'register': RegistrationForm,
+    }
+
+    def get_current_tabs(self, **kwargs):
+        return [('Log in', reverse('login')), ('Register', reverse('register'))]
 
     def redirect_successful(self):
         next_ = self.request.GET.get('next', reverse('home'))
@@ -29,31 +44,54 @@ def get(self, request, *args, **kwargs):
             return self.redirect_successful()
         return super().get(request, *args, **kwargs)
 
-    def get_current_tabs(self, **kwargs):
-        return [('Log in', reverse('login')), ('Register', reverse('register'))]
+    @property
+    def get_url_name(self):
+        return resolve(self.request.path_info).url_name
+
+    def get_form_class(self):
+        return self.forms.get(self.get_url_name)
+
+    def get_form(self):
+        form_class = self.get_form_class()
+        return form_class()
+
+    def get_context_data(self, **kwargs):
+        context = super().get_context_data(**kwargs)
+        context.update({'form': self.get_form(), 'auth': self.names.get(self.get_url_name, 'register')})
+        return context
+
+
+class Login(AuthTemplateViews):
+    def add_axes_context(self, context):
+        if not AxesProxyHandler.is_allowed(self.request):
+            ip_address = get_client_ip_address(self.request)
+            attempt = AccessAttempt.objects.get(ip_address=ip_address)
+            time_left = (attempt.attempt_time + get_cool_off()) - timezone.now()
+            minutes_left = int((time_left.total_seconds() + 59) // 60)
+            axes_error_message = _('Too many login attempts. Please try again in %s minutes.') % minutes_left
+            context.update({'blocked_message': axes_error_message})
 
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
-        context.update({'form': LoginForm(), 'auth': 'log in'})
+        self.add_axes_context(context)
         return context
 
-    @check_client_ip
     def post(self, request, **kwargs):
         form = LoginForm(request.POST)
-        if form.is_valid() and request.client_req_is_valid:
+        context = self.get_context_data(**kwargs)
+        if form.is_valid():
             email = form.cleaned_data['email']
             password = form.cleaned_data['password']
-            user = auth.authenticate(email=email, password=password)
+            user = auth.authenticate(email=email, password=password, request=request)
             if user and user.is_active:
                 auth.login(request, user)
-                reset_tries(request)
+                reset_request(request)
                 messages.success(request, _('Successfully logged in!'))
                 return self.redirect_successful()
+            elif getattr(request, 'axes_locked_out', False):
+                return redirect(reverse('login'))
             else:
                 form.add_error(None, _('Incorrect username or password. Please try again.'))
-        if not request.client_req_is_valid:
-            form.add_error(None, _('Too many login attempts. Please try again in 5 minutes.'))
-        context = self.get_context_data(**kwargs)
         form.reset_status_fields()
         context.update({'form': form})
         return self.render_to_response(context)
@@ -62,10 +100,9 @@ def post(self, request, **kwargs):
 class Register(Login):
     def get_context_data(self, **kwargs):
         context = super().get_context_data(**kwargs)
-        context.update({'form': RegistrationForm(), 'auth': 'register'})
+        context.pop("blocked_message", None)
         return context
 
-    @check_recaptcha
     def post(self, request, **kwargs):
         form = RegistrationForm(request.POST)
         if form.is_valid() and request.recaptcha_is_valid: