def do_increment(request):
return is_ratelimited(request,
increment=True,
method=is_ratelimited.ALL,
key='ip',
rate='1/m',
group='a')
def middleware(request):
# TODO: DISCLAIMER!!! THIS IS A TEMPORARY HACK TO ESCAPE FROM CURRENT "DDOS ATTACK"
# WE MUST IMPLEMENT RATE LIMIT CONTROL IN NGINX OR CLOUDFARE SO WE DON'T HAVE TO RELY ON DJANGO TO DO THAT
agent = request.META.get("HTTP_USER_AGENT", "").lower().strip()
if not agent or agent in settings.BLOCKED_WEB_AGENTS:
_raise_exception(request)
path = request.path
if settings.APPEND_SLASH and not path.endswith("/"):
path += "/"
if is_valid_path(path):
match = resolve(path)
if getattr(match.func, RATELIMITED_VIEW_ATTR, None):
# based in ratelimit decorator
# https://github.com/jsocol/django-ratelimit/blob/main/ratelimit/decorators.py#L13
if settings.RATELIMIT_ENABLE and is_ratelimited(
request=request,
group=None,
fn=match.func,
key=ratelimit_key,
rate=settings.RATELIMIT_RATE,
method=ALL,
increment=True,
):
_raise_exception(request)
return get_response(request)
def middleware(request):
# Code to be executed for each request before the view (and later middleware)
# are called.
# We need to provide a group because we don't have the view func available here
# to do it automatically, plus, this is a good opportunity to split admin users
# from non-admins, so we can offer different throttling rates.
_group = _get_group(request)
# We need to pick an appropriate rate so that Wagtail Admin users aren't
# adversely affected in some places, such as the Wagtail Image Chooser
_rate = _get_appropriate_rate(_group)
old_limited = getattr(request, "limited", False)
ratelimited = is_ratelimited(
request=request,
group=_group,
key="ip",
rate=_rate,
increment=True,
method=ALL, # ie include GET, not just ratelimit.UNSAFE methods
)
request.limited = ratelimited or old_limited
if ratelimited:
raise Ratelimited()
response = get_response(request)
return response
def _wrapped(request, *args, **kw):
old_limited = getattr(request, 'limited', False)
ratelimited = is_ratelimited(request=request, group=group, fn=fn,
key=key, rate=rate, method=method,
increment=True)
request.limited = ratelimited or old_limited
if ratelimited and block:
raise Ratelimited()
return fn(request, *args, **kw)
def login(self, request, user, data):
if user.is_authenticated:
return self._ok_response(user, request.META['CSRF_COOKIE'])
if is_ratelimited(request, **self.ratelimit_config, increment=False):
raise Ratelimited()
username = input_to_username(data.get('username'))
password = data.get('password')
user = authenticate(request, username=username, password=password)
if not user:
is_ratelimited(request, **self.ratelimit_config, increment=True)
logger.info({'event': 'login_failed', 'username': username})
raise AuthenticationFailed()
login(request, user)
logger.info({'event': 'login_success', 'username': user.username})
return self._ok_response(user, request.META['CSRF_COOKIE'])
def admin_login(request, **kwargs):
ratelimit_config['fn'] = login_wrapper
if is_ratelimited(request, **ratelimit_config, increment=False):
username = request.POST.get('username')
log_ratelimit(request, username=username)
return HttpResponse(
'Too many failed login attemps. Please try again later.',
status=status.HTTP_429_TOO_MANY_REQUESTS)
response = login_func(request, **kwargs)
if isinstance(response, HttpResponseRedirect):
return response
form = response.context_data['form']
if form.is_bound and not form.is_valid():
is_ratelimited(request, **ratelimit_config, increment=True)
return response
def _wrapped(request, *args, **kw):
_block = getattr(settings, 'RATE_LIMITER_BLOCK', block)
_rate = getattr(settings, 'RATE_LIMITER_RATE', rate)
_lockout = getattr(settings, 'RATE_LIMITER_ACCOUNT_LOCKOUT', False)
old_limited = getattr(request, 'limited', False)
ratelimited = is_ratelimited(request=request,
fn=fn,
key=key,
rate=_rate,
method=method,
increment=True)
request.limited = ratelimited or old_limited
if ratelimited and _block:
if _lockout:
username = request.POST.get('username', None)
if username:
dojo_user = Dojo_User.objects.filter(
username=username).first()
if dojo_user:
Dojo_User.enable_force_password_rest(dojo_user)
raise Ratelimited()
return fn(request, *args, **kw)
def middleware(request):
# Code to be executed for each request before
# the view (and later middleware) are called.
# Set an arbitrary catch-all group name, because we need to provide
# a group because we don't have the view func available here.
group = "all_requests"
old_limited = getattr(request, "limited", False)
ratelimited = is_ratelimited(
request=request,
group=group,
key="ip",
rate=settings.DEVPORTAL_RATELIMIT_DEFAULT_LIMIT,
increment=True,
method=ALL, # ie include GET, not just ratelimit.UNSAFE methods
)
request.limited = ratelimited or old_limited
if ratelimited:
raise Ratelimited()
response = get_response(request)
return response
def do_increment(request):
return is_ratelimited(request, increment=True,
method=is_ratelimited.ALL, key='ip',
rate='1/m', group='a')
