authorÉtienne Loks <etienne.loks@iggdrasil.net>2023-04-07 15:00:00 +0200
committerÉtienne Loks <etienne.loks@iggdrasil.net>2023-04-17 15:47:16 +0200
commiteddc473c05d4913dfcb8b7e747a94b22968f6ea3 (patch)
treeeefcabbe9bf046d62b754344c043837a6890c8b2
parent54a9b7389355119cc142ed61bdf3641c99630a60 (diff)
downloadIshtar-eddc473c05d4913dfcb8b7e747a94b22968f6ea3.tar.bz2
Ishtar-eddc473c05d4913dfcb8b7e747a94b22968f6ea3.zip
Optional security for login attempts: logging, deactivate account after too many failed logins.
-rw-r--r--CHANGES.md1
-rw-r--r--example_project/settings.py18
-rw-r--r--ishtar_common/admin.py7
-rw-r--r--requirements.txt2
-rw-r--r--requirements_rtd.txt1
5 files changed, 25 insertions, 4 deletions
diff --git a/CHANGES.md b/CHANGES.md
index 7ef557f99..7fc883352 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -14,6 +14,7 @@ Ishtar changelog
- Add default auth validator
- Update and fix translations (refs #5578, refs #5579, refs #5581)
- Default timeout for session is set to 5 days
+- Optional security for login attempt: loging, deactivate account after many failed login.
### Bug fixes ###
- Json fields: fix bad save of multi values
diff --git a/example_project/settings.py b/example_project/settings.py
index 25a60fb93..a0f677755 100644
--- a/example_project/settings.py
+++ b/example_project/settings.py
@@ -133,6 +133,7 @@ MIDDLEWARE = [
"django.contrib.auth.middleware.AuthenticationMiddleware",
"django.contrib.messages.middleware.MessageMiddleware",
"django.middleware.locale.LocaleMiddleware",
+ "axes.middleware.AxesMiddleware",
]
TEMPLATES = [
@@ -159,7 +160,10 @@ TEMPLATES = [
ROOT_URLCONF = "example_project.urls"
-AUTHENTICATION_BACKENDS = ("ishtar_common.backend.ObjectPermBackend",)
+AUTHENTICATION_BACKENDS = (
+ "axes.backends.AxesBackend",
+ "ishtar_common.backend.ObjectPermBackend",
+)
INSTALLED_APPS = [
"registration",
@@ -170,6 +174,7 @@ INSTALLED_APPS = [
"archaeological_warehouse",
"archaeological_finds",
"compressor",
+ "axes",
"rest_framework",
"rest_framework.authtoken",
"django.contrib.auth",
@@ -190,6 +195,10 @@ TRANSLATION_OVERLOAD_DEBUG = False
SESSION_EXPIRE_AT_BROWSER_CLOSE = False
SESSION_COOKIE_AGE = 5 * 24 * 60 * 60
+AXES_ENABLED = False
+AXES_FAILURE_LIMIT = 5
+AXES_COOLOFF_TIME = 2 # hours
+AXES_RESET_ON_SUCCESS = True
MAIN_APP = ""
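Review bot: The commit title and changelog say an account is deactivated, but with these settings django-axes does not touch the user record: by default it refuses further login attempts from the failing source address for AXES_COOLOFF_TIME and then accepts them again, so the wording overstates the effect. Because the lockout key is the client address, an instance served behind a reverse proxy without AXES_PROXY_COUNT (and a matching AXES_META_PRECEDENCE_ORDER) sees every client as the proxy, and a burst of failures from any one client locks all clients out for two hours; if the intent really is per-account, AXES_LOCK_OUT_BY_COMBINATION_USER_AND_IP = True narrows the key to the failing username/address pair. A comment on the block would spare the next reader the lookup: `# lockout is keyed on source IP for AXES_COOLOFF_TIME hours; set AXES_PROXY_COUNT when served behind a reverse proxy`.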
@@ -402,7 +411,7 @@ if DEBUG_TOOLBAR:
sys.path.insert(0, "..")
global DEBUG_TOOLBAR_PANELS
global DEBUG_TOOLBAR_CONFIG
- MIDDLEWARE += ["debug_toolbar.middleware.DebugToolbarMiddleware"]
+ MIDDLEWARE.insert(len(MIDDLEWARE) - 1, "debug_toolbar.middleware.DebugToolbarMiddleware")
INSTALLED_APPS += ["debug_toolbar"]
DEBUG_TOOLBAR_PANELS = (
"debug_toolbar.panels.versions.VersionsPanel",
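Review bot: `MIDDLEWARE.insert(len(MIDDLEWARE) - 1, ...)` encodes the assumption that AxesMiddleware is the last entry of MIDDLEWARE; the `MIDDLEWARE[:-1] + [...] + [MIDDLEWARE[-1]]` reshuffle in the ISHTAR_SECURE_OPTIONS hunk relies on the same thing, and nothing at the list literal says so. Anyone appending another middleware to the base list later would silently land the debug toolbar or the security middleware in front of that entry instead. Looking the position up by name states the intent and fails loudly if the entry goes missing: `MIDDLEWARE.insert(MIDDLEWARE.index("axes.middleware.AxesMiddleware"), "debug_toolbar.middleware.DebugToolbarMiddleware")` here, and in the secure-options block `_axes_pos = MIDDLEWARE.index("axes.middleware.AxesMiddleware")` followed by `MIDDLEWARE[_axes_pos:_axes_pos] = [...]` with the two middleware classes. A comment on the list entry itself (`"axes.middleware.AxesMiddleware",  # keep last: settings below insert other middleware before it`) would document the constraint where it lives. The enclosing `if DEBUG_TOOLBAR:` block starts outside the hunk.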
@@ -455,11 +464,12 @@ if SENTRY_ID and sentry_sdk:
if ISHTAR_SECURE_OPTIONS:
+ AXES_ENABLED = True # log logging attempts and block account on many fails
# verify https is ok before activating
- MIDDLEWARE += [
+ MIDDLEWARE = MIDDLEWARE[:-1] + [
"django.middleware.security.SecurityMiddleware",
"django.middleware.clickjacking.XFrameOptionsMiddleware",
- ]
+ ] + [MIDDLEWARE[-1]]
SECURE_HSTS_SECONDS = 31536000
SECURE_HSTS_PRELOAD = True
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
diff --git a/ishtar_common/admin.py b/ishtar_common/admin.py
index a23e44b33..ab24ff58b 100644
--- a/ishtar_common/admin.py
+++ b/ishtar_common/admin.py
@@ -30,6 +30,8 @@ import zipfile
from rest_framework.authtoken.admin import TokenAdmin
from rest_framework.authtoken.models import Token
+from axes import models as axes_models
+from axes.admin import AccessAttemptAdmin, AccessLogAdmin
from django.conf import settings
from django.conf.urls import url
from django.contrib import admin, messages
@@ -480,6 +482,11 @@ admin_site.register(Group, MyGroupAdmin)
admin_site.register(Site, SiteAdmin)
+if settings.AXES_ENABLED and settings.AXES_ENABLE_ADMIN:
+ admin_site.register(axes_models.AccessAttempt, AccessAttemptAdmin)
+ admin_site.register(axes_models.AccessLog, AccessLogAdmin)
+
+
class AdminIshtarSiteProfileForm(forms.ModelForm):
class Meta:
model = models.IshtarSiteProfile
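Review bot: `settings.AXES_ENABLE_ADMIN` is read from `django.conf.settings`, yet this commit defines no such value in example_project/settings.py; the lookup appears to succeed only because `axes.admin`, imported two lines earlier in the file, loads `axes.conf`, which writes its defaults onto the Django settings object — an import-order side effect rather than an explicit contract — and a deployment whose settings file predates this commit would also lack `AXES_ENABLED` and fail at admin import time with AttributeError. Reading both flags with explicit defaults removes the dependency: `if getattr(settings, "AXES_ENABLED", False) and getattr(settings, "AXES_ENABLE_ADMIN", True):`. A one-line comment above the block, `# expose axes lockout records in the admin only when the feature is switched on`, would state why registration is conditional.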
diff --git a/requirements.txt b/requirements.txt
index bf2061e8e..f3e357de6 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -63,3 +63,5 @@ django-extensions==3.0.3
# old 2.1.4
# django-debug-toolbar==3.2.4
+
+django-axes==5.4.3
diff --git a/requirements_rtd.txt b/requirements_rtd.txt
index 8a737d7ba..a28f5b078 100644
--- a/requirements_rtd.txt
+++ b/requirements_rtd.txt
@@ -25,6 +25,7 @@ beautifulsoup4==4.5.3
markdown==2.5.1
django-ajax-selects==1.6.0
django-compressor==2.1
+django-axes==5.4.3
django-formtools==2.0