Hopiu/django-axes
1
0
Fork 0
mirror of https://github.com/jazzband/django-axes.git synced 2026-03-16 22:30:23 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Merge pull request #54 from visualspace/cooloff

Browse source 
Cool off period
This commit is contained in:
Alex Clark ☺ 2013-08-15 07:41:05 -07:00
commit d075f8174e
3 changed files with 81 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

26
axes/decorators.py
View file

@ -144,13 +144,12 @@ def is_user_lockable(request):
else:
return True
def get_user_attempts(request):
def _get_user_attempts(request):
"""Returns access attempt record if it exists.
Otherwise return None.
"""
ip = get_ip(request)
username = request.POST.get('username', None)
if USE_USER_AGENT:
@ -174,11 +173,26 @@ def get_user_attempts(request):
params['username'] = username
attempts |= AccessAttempt.objects.filter(**params)
return attempts
def get_user_attempts(request):
objects_deleted = False
attempts = _get_user_attempts(request)
if COOLOFF_TIME:
for attempt in attempts:
if attempt.attempt_time + COOLOFF_TIME < datetime.now() \
and attempt.trusted is False:
attempt.delete()
if attempt.attempt_time + COOLOFF_TIME < datetime.now():
if attempt.trusted:
attempt.failures_since_start = 0
attempt.save()
else:
attempt.delete()
objects_deleted = True
# If objects were deleted, we need to update the queryset to reflect this,
# so force a reload.
if objects_deleted:
attempts = _get_user_attempts(request)
return attempts

3
axes/test_settings.py
View file

@ -38,3 +38,6 @@ SECRET_KEY = 'too-secret-for-test'
LOGIN_REDIRECT_URL = '/admin'
AXES_LOGIN_FAILURE_LIMIT = 10
from datetime import timedelta
AXES_COOLOFF_TIME=timedelta(seconds = 2)

61
axes/tests.py
View file

@ -1,14 +1,15 @@
import random
import string
import time
from django.test import TestCase
from django.test.client import Client
from django.contrib.auth.models import User
from django.core.urlresolvers import reverse
from django.test.utils import override_settings
from axes.decorators import FAILURE_LIMIT
from axes.decorators import LOGIN_FORM_KEY
from axes.models import AccessLog
from axes.decorators import FAILURE_LIMIT, COOLOFF_TIME, LOGIN_FORM_KEY
from axes.models import AccessLog, AccessAttempt
class AccessAttemptTest(TestCase):
@ -107,6 +108,60 @@ class AccessAttemptTest(TestCase):
self.assertNotIn(LOGIN_FORM_KEY, response.content)
def _successful_login(self, username, password):
c = Client()
response = c.post('/admin/', {
'username': username,
'password': username,
'this_is_the_login_form': 1,
})
return response
def _unsuccessful_login(self, username):
c = Client()
response = c.post('/admin/', {
'username': username,
'password': 'wrong',
'this_is_the_login_form': 1,
})
return response
def test_cooling_off_for_trusted_user(self):
valid_username = self._random_username(existing_username=True)
# Test successful login, this makes the user trusted.
response = self._successful_login(valid_username, valid_username)
self.assertNotIn(LOGIN_FORM_KEY, response.content)
self.test_cooling_off(username=valid_username)
def test_cooling_off(self, username=None):
if username:
valid_username = username
else:
valid_username = self._random_username(existing_username=True)
# Test unsuccessful login and stop just before lockout happens
for i in range(0, FAILURE_LIMIT):
response = self._unsuccessful_login(valid_username)
# Check if we are in the same login page
self.assertIn(LOGIN_FORM_KEY, response.content)
# Lock out the user
response = self._unsuccessful_login(valid_username)
self.assertIn(self.LOCKED_MESSAGE, response.content)
# Wait for the cooling off period
time.sleep(COOLOFF_TIME.total_seconds())
# It should be possible to login again, make sure it is.
response = self._successful_login(valid_username, valid_username)
self.assertNotIn(self.LOCKED_MESSAGE, response.content)
def test_valid_logout(self):
"""Tests a valid logout and make sure the logout_time is updated
"""