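def decor(*args, **kwargs):
    """Wrap the default authentication function with failed-login throttling.

    Failed attempts are tracked per (username, remote address) pair in
    ``FailedAttempt``. While the stored record reports both a recent failure
    and too many failures, ``auth_func`` is not called and the attempt is
    rejected. A successful login resets the stored failure count.

    Only a ``username`` passed as a keyword argument is seen; a username
    passed positionally is treated as missing.

    Returns:
        The result of ``auth_func`` when it is truthy, otherwise ``None``.

    Raises:
        ValueError: if no ``username`` keyword argument was supplied.
    """
    # Import here to avoid AppRegistryNotReady("Apps aren't loaded yet.")
    from BruteBuster.models import FailedAttempt
    from BruteBuster.middleware import get_request

    user = kwargs.get('username', '')
    if not user:
        raise ValueError(
            'BruteBuster cannot work with authenticate functions that do not include "username" as an argument'
        )

    request = get_request()
    if request:
        # try to get the remote address from thread locals
        # NOTE(review): behind a reverse proxy REMOTE_ADDR is usually the
        # proxy's address, so every client would share one counter per
        # username - confirm against the deployment.
        IP_ADDR = request.META.get('REMOTE_ADDR', None)
    else:
        IP_ADDR = None

    # Keep the try limited to the row lookup: an IndexError raised by the
    # model methods or by save() must not be mistaken for "no previous
    # attempts", because that would skip the lockout check below.
    try:
        fa = FailedAttempt.objects.filter(username=user, IP=IP_ADDR)[0]
    except IndexError:
        # No previous failed attempts
        fa = None

    if fa is not None:
        if fa.recent_failure():
            if fa.too_many_failures():
                # we block the authentication attempt because
                # of too many recent failures
                # NOTE(review): the counter is read, incremented in Python
                # and saved; concurrent attempts for the same pair may lose
                # increments - confirm whether an atomic update is needed.
                fa.failures += 1
                fa.save()
                return None
        else:
            # the block interval is over, so let's start
            # with a clean sheet
            fa.failures = 0
            fa.save()

    result = auth_func(*args, **kwargs)
    if result:
        # if login is success we clear failures field if exists
        if fa:
            fa.failures = 0
            fa.save()
        return result

    # the authentication was kaput, we should record this
    fa = fa or FailedAttempt(username=user, IP=IP_ADDR, failures=0)
    fa.failures += 1
    fa.save()
    # return with unsuccessful auth
    return None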
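def decor(*args, **kwargs):
    """Wrap the default authentication function with failed-login throttling.

    Failed attempts are tracked per (username, remote address) pair in
    ``FailedAttempt``. While the stored record reports both a recent failure
    and too many failures, ``auth_func`` is not called and the attempt is
    rejected. A successful login leaves the stored count untouched.

    Returns:
        The result of ``auth_func`` when it is truthy, otherwise ``None``.
        ``None`` is also returned, without calling ``auth_func``, when no
        ``username`` keyword argument was supplied.
    """
    user = kwargs.get('username', '')
    if not user:
        # The ValueError formerly raised here ('BruteBuster cannot work with
        # authenticate functions that do not include 'username' as an
        # argument') is deactivated because of auth2, which doesn't use
        # username in the authentication function.
        # NOTE(review): this path rejects the attempt without ever calling
        # auth_func, so username-less authenticate calls always get None
        # from this wrapper - confirm that is the intended outcome.
        return None

    request = get_request()
    if request:
        # try to get the remote address from thread locals
        # NOTE(review): behind a reverse proxy REMOTE_ADDR is usually the
        # proxy's address, so every client would share one counter per
        # username - confirm against the deployment.
        IP_ADDR = request.META.get('REMOTE_ADDR', None)
    else:
        IP_ADDR = None

    # Keep the try limited to the row lookup: an IndexError raised by the
    # model methods or by save() must not be mistaken for "no previous
    # attempts", because that would skip the lockout check below.
    try:
        fa = FailedAttempt.objects.filter(username=user, IP=IP_ADDR)[0]
    except IndexError:
        # No previous failed attempts
        fa = None

    if fa is not None:
        if fa.recent_failure():
            if fa.too_many_failures():
                # we block the authentication attempt because
                # of too many recent failures
                # NOTE(review): the counter is read, incremented in Python
                # and saved; concurrent attempts for the same pair may lose
                # increments - confirm whether an atomic update is needed.
                fa.failures += 1
                fa.save()
                return None
        else:
            # the block interval is over, so let's start
            # with a clean sheet
            fa.failures = 0
            fa.save()

    result = auth_func(*args, **kwargs)
    if result:
        # the authentication was successful - we do nothing
        # special
        return result

    # the authentication was kaput, we should record this
    fa = fa or FailedAttempt(username=user, IP=IP_ADDR, failures=0)
    fa.failures += 1
    fa.save()
    # return with unsuccessful auth
    return None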
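def decor(*args, **kwargs):
    """Wrap the default authentication function with failed-login throttling.

    Failed attempts are tracked per (username, client address) pair in
    ``FailedAttempt``. While the stored record reports both a recent failure
    and too many failures, ``auth_func`` is not called and the attempt is
    refused with a ``ValidationError``. A successful login leaves the stored
    count untouched.

    Returns:
        The result of ``auth_func`` when it is truthy, otherwise ``None``.

    Raises:
        ValueError: if ``get_username`` finds no username in the kwargs.
        ValidationError: carrying ``LOCKOUT_MESSAGE`` while the pair is
            locked out.
    """
    user = get_username(**kwargs)
    if not user:
        raise ValueError('BruteBuster could not find a username in the authenticate kwargs')

    request = get_request()
    if request:
        # try to get the remote address from thread locals
        # First check if the client IP is captured in a different header
        # by a forwarding proxy.
        # NOTE(review): X-Forwarded-For is supplied by the client unless a
        # trusted proxy overwrites it, so the lockout key built below is
        # only as reliable as the proxy setup in front of this app. Confirm
        # the deployment strips or rewrites the header before relying on it.
        forwarded = request.META.get('HTTP_X_FORWARDED_FOR', '')
        IP_ADDR = forwarded.split(',')[0].strip()
        if not IP_ADDR:
            # Otherwise, use the basic REMOTE_ADDR header.
            IP_ADDR = request.META.get('REMOTE_ADDR', None)
    else:
        IP_ADDR = None

    # Keep the try limited to the row lookup: an IndexError raised by the
    # model methods or by save() must not be mistaken for "no previous
    # attempts", because that would skip the lockout check below.
    try:
        fa = FailedAttempt.objects.filter(username=user, IP=IP_ADDR)[0]
    except IndexError:
        # No previous failed attempts
        fa = None

    if fa is not None:
        if fa.recent_failure():
            if fa.too_many_failures():
                # we block the authentication attempt because
                # of too many recent failures
                # NOTE(review): the counter is read, incremented in Python
                # and saved; concurrent attempts for the same pair may lose
                # increments - confirm whether an atomic update is needed.
                fa.failures += 1
                fa.save()
                # Raise validation error
                raise ValidationError(LOCKOUT_MESSAGE)
        else:
            # the block interval is over, so let's start
            # with a clean sheet
            fa.failures = 0
            fa.save()

    result = auth_func(*args, **kwargs)
    if result:
        # the authentication was successful - we do nothing
        # special
        return result

    # the authentication was kaput, we should record this
    fa = fa or FailedAttempt(username=user, IP=IP_ADDR, failures=0)
    fa.failures += 1
    fa.save()
    # return with unsuccessful auth
    return None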