From 9eb145e89fc74318f785888ee8fefc76bda6d820 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Aleksi=20H=C3=A4kli?= <aleksi.hakli@iki.fi>
Date: Wed, 23 Apr 2025 16:38:41 +0300
Subject: [PATCH] fix: resolve credentials for clean_expired_user_attempts

---
 axes/handlers/database.py | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/axes/handlers/database.py b/axes/handlers/database.py
index c8e119d..9effa77 100644
--- a/axes/handlers/database.py
+++ b/axes/handlers/database.py
@@ -117,10 +117,10 @@ class AxesDatabaseHandler(AbstractAxesHandler, AxesBaseHandler):
         return attempt_count
 
     def user_login_failed(self, sender, credentials: dict, request=None, **kwargs):
-        """When user login fails, save AccessFailureLog record in database,
+        """
+        When user login fails, save AccessFailureLog record in database,
         save AccessAttempt record in database, mark request with
         lockout attribute and emit lockout signal.
-
         """
 
         log.info("AXES: User login failed, running database handler for failure.")
@@ -261,9 +261,6 @@ class AxesDatabaseHandler(AbstractAxesHandler, AxesBaseHandler):
         When user logs in, update the AccessLog related to the user.
         """
 
-        # 1. database query: Clean up expired user attempts from the database
-        clean_expired_user_attempts(request, credentials)
-
         username = user.get_username()
         credentials = get_credentials(username)
         client_str = get_client_str(
@@ -276,6 +273,9 @@ class AxesDatabaseHandler(AbstractAxesHandler, AxesBaseHandler):
 
         log.info("AXES: Successful login by %s.", client_str)
 
+        # 1. database query: Clean up expired user attempts from the database
+        clean_expired_user_attempts(request, credentials)
+
         if not settings.AXES_DISABLE_ACCESS_LOG:
             # 2. database query: Insert new access logs with login time
             AccessLog.objects.create(
@@ -304,10 +304,8 @@ class AxesDatabaseHandler(AbstractAxesHandler, AxesBaseHandler):
         When user logs out, update the AccessLog related to the user.
         """
 
-        # 1. database query: Clean up expired user attempts from the database
-        clean_expired_user_attempts(request)
-
         username = user.get_username() if user else None
+        credentials = get_credentials(username) if username else None
         client_str = get_client_str(
             username,
             request.axes_ip_address,
@@ -316,6 +314,9 @@ class AxesDatabaseHandler(AbstractAxesHandler, AxesBaseHandler):
             request,
         )
 
+        # 1. database query: Clean up expired user attempts from the database
+        clean_expired_user_attempts(request, credentials)
+
         log.info("AXES: Successful logout by %s.", client_str)
 
         if username and not settings.AXES_DISABLE_ACCESS_LOG: