def create(self, request, *args, **kwargs): username = self.request.data.get('username') ip = self.request.data.get('remote_addr', None) ip = ip or get_request_ip(self.request) user = None try: self.check_is_block(username, ip) user = self.check_user_valid() if user.otp_enabled: raise MFARequiredError() self.send_auth_signal(success=True, user=user) clean_failed_count(username, ip) return super().create(request, *args, **kwargs) except AuthFailedError as e: increase_login_failed_count(username, ip) self.send_auth_signal(success=False, user=user, username=username, reason=str(e)) return Response({'msg': str(e)}, status=401) except MFARequiredError: msg = _("MFA required") seed = uuid.uuid4().hex cache.set(seed, user.username, 300) resp = {'msg': msg, "choices": ["otp"], "req": seed} return Response(resp, status=300)
def check_user_auth(self): self.check_is_block() request = self.request if hasattr(request, 'data'): username = request.data.get('username', '') password = request.data.get('password', '') public_key = request.data.get('public_key', '') else: username = request.POST.get('username', '') password = request.POST.get('password', '') public_key = request.POST.get('public_key', '') user, error = check_user_valid(username=username, password=password, public_key=public_key) ip = self.get_request_ip() if not user: raise errors.CredentialError(username=username, error=error, ip=ip, request=request) clean_failed_count(username, ip) request.session['auth_password'] = 1 request.session['user_id'] = str(user.id) auth_backend = getattr(user, 'backend', 'django.contrib.auth.backends.ModelBackend') request.session['auth_backend'] = auth_backend return user
def post(self, request): # limit login username = request.data.get('username') ip = request.data.get('remote_addr', None) ip = ip or get_request_ip(request) if is_block_login(username, ip): msg = _("Log in frequently and try again later") logger.warn(msg + ': ' + username + ':' + ip) return Response({'msg': msg}, status=401) user, msg = self.check_user_valid(request) if not user: username = request.data.get('username', '') exist = User.objects.filter(username=username).first() reason = LoginLog.REASON_PASSWORD if exist else LoginLog.REASON_NOT_EXIST self.send_auth_signal(success=False, username=username, reason=reason) increase_login_failed_count(username, ip) return Response({'msg': msg}, status=401) if user.password_has_expired: self.send_auth_signal(success=False, username=username, reason=LoginLog.REASON_PASSWORD_EXPIRED) msg = _("The user {} password has expired, please update.".format( user.username)) logger.info(msg) return Response({'msg': msg}, status=401) if not user.otp_enabled: self.send_auth_signal(success=True, user=user) # 登陆成功,清除原来的缓存计数 clean_failed_count(username, ip) token = user.create_bearer_token(request) return Response({ 'token': token, 'user': self.serializer_class(user).data }) seed = uuid.uuid4().hex cache.set(seed, user, 300) return Response( { 'code': 101, 'msg': _('Please carry seed value and ' 'conduct MFA secondary certification'), 'otp_url': reverse('api-auth:user-otp-auth'), 'seed': seed, 'user': self.serializer_class(user).data }, status=300)
def post(self, request): # limit login username = request.data.get('username') ip = request.data.get('remote_addr', None) ip = ip or get_request_ip(request) if is_block_login(username, ip): msg = _("Log in frequently and try again later") logger.warn(msg + ': ' + username + ':' + ip) return Response({'msg': msg}, status=401) user, msg = self.check_user_valid(request) if not user: username = request.data.get('username', '') exist = User.objects.filter(username=username).first() reason = LoginLog.REASON_PASSWORD if exist else LoginLog.REASON_NOT_EXIST self.send_auth_signal(success=False, username=username, reason=reason) increase_login_failed_count(username, ip) return Response({'msg': msg}, status=401) if user.password_has_expired: self.send_auth_signal( success=False, username=username, reason=LoginLog.REASON_PASSWORD_EXPIRED ) msg = _("The user {} password has expired, please update.".format( user.username)) logger.info(msg) return Response({'msg': msg}, status=401) if not user.otp_enabled: self.send_auth_signal(success=True, user=user) # 登陆成功,清除原来的缓存计数 clean_failed_count(username, ip) token = user.create_bearer_token(request) return Response( {'token': token, 'user': self.serializer_class(user).data} ) seed = uuid.uuid4().hex cache.set(seed, user, 300) return Response( { 'code': 101, 'msg': _('Please carry seed value and ' 'conduct MFA secondary certification'), 'otp_url': reverse('api-auth:user-otp-auth'), 'seed': seed, 'user': self.serializer_class(user).data }, status=300 )
def form_valid(self, form): if not self.request.session.test_cookie_worked(): return HttpResponse(_("Please enable cookies and try again.")) user = form.get_user() # user password expired if user.password_has_expired: reason = LoginLog.REASON_PASSWORD_EXPIRED self.send_auth_signal(success=False, username=user.username, reason=reason) return self.render_to_response(self.get_context_data(password_expired=True)) set_tmp_user_to_cache(self.request, user) username = form.cleaned_data.get('username') ip = get_request_ip(self.request) # 登陆成功,清除缓存计数 clean_failed_count(username, ip) return redirect(self.get_success_url())
def check_user_auth(self, decrypt_passwd=False): self.check_is_block() request = self.request if hasattr(request, 'data'): data = request.data else: data = request.POST username = data.get('username', '') password = data.get('password', '') challenge = data.get('challenge', '') public_key = data.get('public_key', '') ip = self.get_request_ip() CredentialError = partial(errors.CredentialError, username=username, ip=ip, request=request) if decrypt_passwd: password = self.decrypt_passwd(password) if not password: raise CredentialError( error=errors.reason_password_decrypt_failed) user = authenticate(request, username=username, password=password + challenge.strip(), public_key=public_key) if not user: raise CredentialError(error=errors.reason_password_failed) elif user.is_expired: raise CredentialError(error=errors.reason_user_inactive) elif not user.is_active: raise CredentialError(error=errors.reason_user_inactive) elif user.password_has_expired: raise CredentialError(error=errors.reason_password_expired) self._check_passwd_is_too_simple(user, password) clean_failed_count(username, ip) request.session['auth_password'] = 1 request.session['user_id'] = str(user.id) auth_backend = getattr(user, 'backend', 'django.contrib.auth.backends.ModelBackend') request.session['auth_backend'] = auth_backend return user
def post(self, request): # limit login username = request.data.get('username') ip = request.data.get('remote_addr', None) ip = ip or get_request_ip(request) if is_block_login(username, ip): msg = _("Log in frequently and try again later") logger.warn(msg + ': ' + username + ':' + ip) return Response({'msg': msg}, status=401) user, msg = self.check_user_valid(request) if not user: username = request.data.get('username', '') self.send_auth_signal(success=False, username=username, reason=msg) increase_login_failed_count(username, ip) return Response({'msg': msg}, status=401) if not user.otp_enabled: self.send_auth_signal(success=True, user=user) # 登陆成功,清除原来的缓存计数 clean_failed_count(username, ip) token, expired_at = user.create_bearer_token(request) return Response({ 'token': token, 'user': self.get_serializer(user).data }) seed = uuid.uuid4().hex cache.set(seed, user, 300) return Response( { 'code': 101, 'msg': _('Please carry seed value and ' 'conduct MFA secondary certification'), 'otp_url': reverse('api-auth:user-otp-auth'), 'seed': seed, 'user': self.get_serializer(user).data }, status=300)
def check_user_auth(self, decrypt_passwd=False): self.check_is_block() request = self.request username, password, public_key, ip, auto_login = self.get_auth_data( decrypt_passwd=decrypt_passwd) self._check_only_allow_exists_user_auth(username) user = self._check_auth_user_is_valid(username, password, public_key) # 校验login-acl规则 self._check_login_acl(user, ip) self._check_password_require_reset_or_not(user) self._check_passwd_is_too_simple(user, password) clean_failed_count(username, ip) request.session['auth_password'] = 1 request.session['user_id'] = str(user.id) request.session['auto_login'] = auto_login request.session['auth_backend'] = getattr(user, 'backend', settings.AUTH_BACKEND_MODEL) return user
def check_user_auth(self, decrypt_passwd=False): self.check_is_block() request = self.request username, password, public_key, ip, auto_login = self.get_auth_data( decrypt_passwd=decrypt_passwd) self._check_only_allow_exists_user_auth(username) user = self._check_auth_user_is_valid(username, password, public_key) # 校验login-acl规则 self._check_login_acl(user, ip) # 限制只能从认证来源登录 auth_backend = getattr(user, 'backend', 'django.contrib.auth.backends.ModelBackend') self._check_auth_source_is_valid(user, auth_backend) self._check_password_require_reset_or_not(user) self._check_passwd_is_too_simple(user, password) clean_failed_count(username, ip) request.session['auth_password'] = 1 request.session['user_id'] = str(user.id) request.session['auto_login'] = auto_login request.session['auth_backend'] = auth_backend return user