Example #1
    def clean(self):
        """Validate the submitted credentials and authenticate the user.

        Checks run in a fixed order: both fields must be present, then the
        rate limiter is consulted, and only then is ``authenticate`` called.
        A throttled request is therefore rejected before any password check
        takes place.

        Returns:
            ``self.cleaned_data`` once authentication has succeeded.

        Raises:
            forms.ValidationError: with the ``invalid_login`` message when a
                field is missing or ``authenticate`` returns ``None``, and
                with the ``rate_limited`` message when ``is_rate_limited()``
                reports true.
        """
        def invalid_login():
            # Missing credentials and failed authentication share this one
            # message, so the response does not distinguish the two cases.
            return forms.ValidationError(
                self.error_messages['invalid_login'] %
                {'username': self.username_field.verbose_name}
            )

        login_name = self.cleaned_data.get('username')
        secret = self.cleaned_data.get('password')

        if not login_name or not secret:
            raise invalid_login()

        if self.is_rate_limited():
            # NOTE(review): REMOTE_ADDR is the directly connected peer; behind
            # a reverse proxy this is presumably the proxy's address unless
            # something upstream rewrites it -- confirm for this deployment.
            # The submitted username is logged as typed; only the password is
            # kept out of the record.
            throttle_context = {
                'ip_address': self.request.META['REMOTE_ADDR'],
                'username': login_name,
            }
            logger.info('user.auth.rate-limited', extra=throttle_context)
            raise forms.ValidationError(self.error_messages['rate_limited'])

        authenticated = authenticate(username=login_name, password=secret)
        self.user_cache = authenticated
        if authenticated is None:
            raise invalid_login()

        self.check_for_test_cookie()
        return self.cleaned_data
Example #2
def get_user(request):
    """Return the user for ``request``, enforcing the session nonce.

    The result is memoised on ``request._cached_user``, so the lookup and
    the nonce comparison run at most once per request object.

    When the resolved user is authenticated and has a ``session_nonce``
    set, the value stored under ``'_nonce'`` in the session must equal it.
    On a mismatch the event is logged and the request is treated as
    anonymous; otherwise the client address is recorded via ``UserIP.log``.
    """
    if hasattr(request, '_cached_user'):
        return request._cached_user

    resolved = auth_get_user(request)

    # The nonce ties a session to the current "version" of the user. It
    # rotates when security-related actions take place, so a session that
    # still carries an older value no longer matches and has to be
    # re-validated.
    if resolved.is_authenticated():
        expected_nonce = resolved.session_nonce
        # A user whose nonce has never been set (None by default) skips the
        # comparison entirely; once a nonce exists, every session must
        # carry the matching value.
        if expected_nonce and request.session.get('_nonce', '') != expected_nonce:
            # Stale or missing nonce: downgrade this request to anonymous
            # and leave a record of the address and user involved.
            mismatch_context = {
                'ip_address': request.META['REMOTE_ADDR'],
                'user_id': resolved.id,
            }
            logger.info('user.auth.invalid-nonce', extra=mismatch_context)
            resolved = AnonymousUser()
        else:
            UserIP.log(resolved, request.META['REMOTE_ADDR'])

    request._cached_user = resolved
    return request._cached_user