def do_increment(request): return is_ratelimited(request, increment=True, method=is_ratelimited.ALL, key='ip', rate='1/m', group='a')
def middleware(request): # TODO: DISCLAIMER!!! THIS IS A TEMPORARY HACK TO ESCAPE FROM CURRENT "DDOS ATTACK" # WE MUST IMPLEMENT RATE LIMIT CONTROL IN NGINX OR CLOUDFARE SO WE DON'T HAVE TO RELY ON DJANGO TO DO THAT agent = request.META.get("HTTP_USER_AGENT", "").lower().strip() if not agent or agent in settings.BLOCKED_WEB_AGENTS: _raise_exception(request) path = request.path if settings.APPEND_SLASH and not path.endswith("/"): path += "/" if is_valid_path(path): match = resolve(path) if getattr(match.func, RATELIMITED_VIEW_ATTR, None): # based in ratelimit decorator # https://github.com/jsocol/django-ratelimit/blob/main/ratelimit/decorators.py#L13 if settings.RATELIMIT_ENABLE and is_ratelimited( request=request, group=None, fn=match.func, key=ratelimit_key, rate=settings.RATELIMIT_RATE, method=ALL, increment=True, ): _raise_exception(request) return get_response(request)
def middleware(request): # Code to be executed for each request before the view (and later middleware) # are called. # We need to provide a group because we don't have the view func available here # to do it automatically, plus, this is a good opportunity to split admin users # from non-admins, so we can offer different throttling rates. _group = _get_group(request) # We need to pick an appropriate rate so that Wagtail Admin users aren't # adversely affected in some places, such as the Wagtail Image Chooser _rate = _get_appropriate_rate(_group) old_limited = getattr(request, "limited", False) ratelimited = is_ratelimited( request=request, group=_group, key="ip", rate=_rate, increment=True, method=ALL, # ie include GET, not just ratelimit.UNSAFE methods ) request.limited = ratelimited or old_limited if ratelimited: raise Ratelimited() response = get_response(request) return response
def _wrapped(request, *args, **kw): old_limited = getattr(request, 'limited', False) ratelimited = is_ratelimited(request=request, group=group, fn=fn, key=key, rate=rate, method=method, increment=True) request.limited = ratelimited or old_limited if ratelimited and block: raise Ratelimited() return fn(request, *args, **kw)
def login(self, request, user, data): if user.is_authenticated: return self._ok_response(user, request.META['CSRF_COOKIE']) if is_ratelimited(request, **self.ratelimit_config, increment=False): raise Ratelimited() username = input_to_username(data.get('username')) password = data.get('password') user = authenticate(request, username=username, password=password) if not user: is_ratelimited(request, **self.ratelimit_config, increment=True) logger.info({'event': 'login_failed', 'username': username}) raise AuthenticationFailed() login(request, user) logger.info({'event': 'login_success', 'username': user.username}) return self._ok_response(user, request.META['CSRF_COOKIE'])
def admin_login(request, **kwargs): ratelimit_config['fn'] = login_wrapper if is_ratelimited(request, **ratelimit_config, increment=False): username = request.POST.get('username') log_ratelimit(request, username=username) return HttpResponse( 'Too many failed login attemps. Please try again later.', status=status.HTTP_429_TOO_MANY_REQUESTS) response = login_func(request, **kwargs) if isinstance(response, HttpResponseRedirect): return response form = response.context_data['form'] if form.is_bound and not form.is_valid(): is_ratelimited(request, **ratelimit_config, increment=True) return response
def _wrapped(request, *args, **kw): _block = getattr(settings, 'RATE_LIMITER_BLOCK', block) _rate = getattr(settings, 'RATE_LIMITER_RATE', rate) _lockout = getattr(settings, 'RATE_LIMITER_ACCOUNT_LOCKOUT', False) old_limited = getattr(request, 'limited', False) ratelimited = is_ratelimited(request=request, fn=fn, key=key, rate=_rate, method=method, increment=True) request.limited = ratelimited or old_limited if ratelimited and _block: if _lockout: username = request.POST.get('username', None) if username: dojo_user = Dojo_User.objects.filter( username=username).first() if dojo_user: Dojo_User.enable_force_password_rest(dojo_user) raise Ratelimited() return fn(request, *args, **kw)
def middleware(request): # Code to be executed for each request before # the view (and later middleware) are called. # Set an arbitrary catch-all group name, because we need to provide # a group because we don't have the view func available here. group = "all_requests" old_limited = getattr(request, "limited", False) ratelimited = is_ratelimited( request=request, group=group, key="ip", rate=settings.DEVPORTAL_RATELIMIT_DEFAULT_LIMIT, increment=True, method=ALL, # ie include GET, not just ratelimit.UNSAFE methods ) request.limited = ratelimited or old_limited if ratelimited: raise Ratelimited() response = get_response(request) return response