diff --git a/tests/test_login.py b/tests/test_login.py
index 94d870f..07d594f 100644
--- a/tests/test_login.py
+++ b/tests/test_login.py
@@ -182,10 +182,11 @@ class DatabaseLoginTestCase(AxesTestCase):
 self.assertContains(response, self.LOCKED_MESSAGE, status_code=self.BLOCKED)
 self.assertTrue(self.attempt_count())
- @override_settings(AXES_LOCK_OUT_BY_COMBINATION_USER_AND_IP=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=[("username", "ip_address")])
 def test_lockout_by_combination_user_and_ip(self):
 """
- Test login failure when AXES_LOCK_OUT_BY_COMBINATION_USER_AND_IP is True.
+ Test login failure when lockout parameters is combination
+ of username and ip_address.
 """
 # test until one try before the limit
@@ -199,10 +200,10 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self.login(is_valid_username=True, is_valid_password=False)
 self.assertContains(response, self.LOCKED_MESSAGE, status_code=429)
- @override_settings(AXES_ONLY_USER_FAILURES=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=["username"])
 def test_lockout_by_only_user_failures(self):
 """
- Test login failure when AXES_ONLY_USER_FAILURES is True.
+ Test login failure when lockout parameter is username.
 """
 # test until one try before the limit
@@ -274,7 +275,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 # Test for true and false positives when blocking by user only.
 # Cache disabled. When AXES_ONLY_USER_FAILURES = True
- @override_settings(AXES_ONLY_USER_FAILURES=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=["username"])
 def test_lockout_by_user_blocks_when_same_user_same_ip_without_cache(self):
 # User 1 is locked out from IP 1.
 self._lockout_user1_from_ip1()
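Review bot: Nothing next to the decorator in `@@ -182` says that the shape of `AXES_LOCKOUT_PARAMETERS` carries the policy. The tuple entry `[("username", "ip_address")]` used here replaces `AXES_LOCK_OUT_BY_COMBINATION_USER_AND_IP`, while the flat `["username", "ip_address"]` used later in this file replaces `AXES_LOCK_OUT_BY_USER_OR_IP`. The two differ only by a pair of parentheses, and picking the wrong one silently changes which requests get locked out. I would add a comment above the decorator such as `# tuple entry: lock on username AND ip_address together; a flat list would lock on either one`. The test body continues outside the hunk.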
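Review bot: The section comment kept as context in `@@ -274`, `# Cache disabled. When AXES_ONLY_USER_FAILURES = True`, still names the setting this commit stops using, so it no longer matches the decorators below it. It should read `# Cache disabled. When AXES_LOCKOUT_PARAMETERS = ["username"]`. The same stale wording is left in `@@ -321` and `@@ -464` (`LOCK_OUT_BY_COMBINATION_USER_AND_IP`), in `@@ -426` (`AXES_ONLY_USER_FAILURES`) and in `@@ -543` (`AXES_LOCK_OUT_BY_USER_OR_IP`). Those should name the tuple value, the single-entry list and the flat two-entry list respectively.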
@@ -283,7 +284,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_1, self.VALID_PASSWORD, ip_addr=self.IP_1)
 self.assertEqual(response.status_code, self.BLOCKED)
- @override_settings(AXES_ONLY_USER_FAILURES=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=["username"])
 def test_lockout_by_user_blocks_when_same_user_diff_ip_without_cache(self):
 # User 1 is locked out from IP 1.
 self._lockout_user1_from_ip1()
@@ -292,7 +293,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_1, self.VALID_PASSWORD, ip_addr=self.IP_2)
 self.assertEqual(response.status_code, self.BLOCKED)
- @override_settings(AXES_ONLY_USER_FAILURES=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=["username"])
 def test_lockout_by_user_allows_when_diff_user_same_ip_without_cache(self):
 # User 1 is locked out from IP 1.
 self._lockout_user1_from_ip1()
@@ -301,7 +302,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_2, self.VALID_PASSWORD, ip_addr=self.IP_1)
 self.assertEqual(response.status_code, self.ALLOWED)
- @override_settings(AXES_ONLY_USER_FAILURES=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=["username"])
 def test_lockout_by_user_allows_when_diff_user_diff_ip_without_cache(self):
 # User 1 is locked out from IP 1.
 self._lockout_user1_from_ip1()
@@ -310,7 +311,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_2, self.VALID_PASSWORD, ip_addr=self.IP_2)
 self.assertEqual(response.status_code, self.ALLOWED)
- @override_settings(AXES_ONLY_USER_FAILURES=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=["username"])
 def test_lockout_by_user_with_empty_username_allows_other_users_without_cache(self):
 # User with empty username is locked out from IP 1.
 self._lockout_user_from_ip(username="", ip_addr=self.IP_1)
@@ -321,7 +322,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 # Test for true and false positives when blocking by user and IP together.
 # Cache disabled. When LOCK_OUT_BY_COMBINATION_USER_AND_IP = True
- @override_settings(AXES_LOCK_OUT_BY_COMBINATION_USER_AND_IP=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=[("username", "ip_address")])
 def test_lockout_by_user_and_ip_blocks_when_same_user_same_ip_without_cache(self):
 # User 1 is locked out from IP 1.
 self._lockout_user1_from_ip1()
@@ -330,7 +331,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_1, self.VALID_PASSWORD, ip_addr=self.IP_1)
 self.assertEqual(response.status_code, self.BLOCKED)
- @override_settings(AXES_LOCK_OUT_BY_COMBINATION_USER_AND_IP=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=[("username", "ip_address")])
 def test_lockout_by_user_and_ip_allows_when_same_user_diff_ip_without_cache(self):
 # User 1 is locked out from IP 1.
 self._lockout_user1_from_ip1()
@@ -339,7 +340,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_1, self.VALID_PASSWORD, ip_addr=self.IP_2)
 self.assertEqual(response.status_code, self.ALLOWED)
- @override_settings(AXES_LOCK_OUT_BY_COMBINATION_USER_AND_IP=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=[("username", "ip_address")])
 def test_lockout_by_user_and_ip_allows_when_diff_user_same_ip_without_cache(self):
 # User 1 is locked out from IP 1.
 self._lockout_user1_from_ip1()
@@ -348,7 +349,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_2, self.VALID_PASSWORD, ip_addr=self.IP_1)
 self.assertEqual(response.status_code, self.ALLOWED)
- @override_settings(AXES_LOCK_OUT_BY_COMBINATION_USER_AND_IP=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=[("username", "ip_address")])
 def test_lockout_by_user_and_ip_allows_when_diff_user_diff_ip_without_cache(self):
 # User 1 is locked out from IP 1.
 self._lockout_user1_from_ip1()
@@ -357,7 +358,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_2, self.VALID_PASSWORD, ip_addr=self.IP_2)
 self.assertEqual(response.status_code, self.ALLOWED)
- @override_settings(AXES_LOCK_OUT_BY_COMBINATION_USER_AND_IP=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=[("username", "ip_address")])
 def test_lockout_by_user_and_ip_with_empty_username_allows_other_users_without_cache(
 self,
 ):
@@ -368,7 +369,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self.client.get(reverse("admin:login"), REMOTE_ADDR=self.IP_1)
 self.assertContains(response, self.LOGIN_FORM_KEY, status_code=200, html=True)
- @override_settings(AXES_USE_USER_AGENT=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=[("ip_address", "user_agent")])
 def test_lockout_by_user_still_allows_login_with_differnet_user_agent(self):
 # User with empty username is locked out with "test-browser" user agent.
 self._lockout_user_from_ip(username="username", ip_addr=self.IP_1, user_agent="test-browser")
@@ -415,7 +416,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_2, self.VALID_PASSWORD, ip_addr=self.IP_2)
 self.assertEqual(response.status_code, self.ALLOWED)
- @override_settings(AXES_ONLY_USER_FAILURES=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=["username"])
 def test_lockout_by_user_with_empty_username_allows_other_users_using_cache(self):
 # User with empty username is locked out from IP 1.
 self._lockout_user_from_ip(username="", ip_addr=self.IP_1)
@@ -426,7 +427,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 # Test for true and false positives when blocking by user only.
 # With cache enabled. When AXES_ONLY_USER_FAILURES = True
- @override_settings(AXES_ONLY_USER_FAILURES=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=["username"])
 def test_lockout_by_user_blocks_when_same_user_same_ip_using_cache(self):
 # User 1 is locked out from IP 1.
 self._lockout_user1_from_ip1()
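Review bot: In `@@ -368` the test name and its first comment no longer describe the lockout key. The decorator now locks on the `("ip_address", "user_agent")` pair, yet the method is still named `test_lockout_by_user_...`, and the comment says "empty username" although the call passes `username="username"`. I would rename it to `test_lockout_by_ip_and_user_agent_allows_login_with_different_user_agent`, which also fixes the `differnet` typo, and change the comment to `# Locked out from IP 1 with the "test-browser" user agent.` Because the User-Agent header is supplied by the client, a one-line comment that this key does not by itself bound failures per IP would help readers choosing a lockout policy. The test body continues outside the hunk.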
@@ -435,7 +436,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_1, self.VALID_PASSWORD, ip_addr=self.IP_1)
 self.assertEqual(response.status_code, self.BLOCKED)
- @override_settings(AXES_ONLY_USER_FAILURES=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=["username"])
 def test_lockout_by_user_blocks_when_same_user_diff_ip_using_cache(self):
 # User 1 is locked out from IP 1.
 self._lockout_user1_from_ip1()
@@ -444,7 +445,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_1, self.VALID_PASSWORD, ip_addr=self.IP_2)
 self.assertEqual(response.status_code, self.BLOCKED)
- @override_settings(AXES_ONLY_USER_FAILURES=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=["username"])
 def test_lockout_by_user_allows_when_diff_user_same_ip_using_cache(self):
 # User 1 is locked out from IP 1.
 self._lockout_user1_from_ip1()
@@ -453,7 +454,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_2, self.VALID_PASSWORD, ip_addr=self.IP_1)
 self.assertEqual(response.status_code, self.ALLOWED)
- @override_settings(AXES_ONLY_USER_FAILURES=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=["username"])
 def test_lockout_by_user_allows_when_diff_user_diff_ip_using_cache(self):
 # User 1 is locked out from IP 1.
 self._lockout_user1_from_ip1()
@@ -464,7 +465,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 # Test for true and false positives when blocking by user and IP together.
 # With cache enabled. When LOCK_OUT_BY_COMBINATION_USER_AND_IP = True
- @override_settings(AXES_LOCK_OUT_BY_COMBINATION_USER_AND_IP=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=[("username", "ip_address")])
 def test_lockout_by_user_and_ip_blocks_when_same_user_same_ip_using_cache(self):
 # User 1 is locked out from IP 1.
 self._lockout_user1_from_ip1()
@@ -473,7 +474,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_1, self.VALID_PASSWORD, ip_addr=self.IP_1)
 self.assertEqual(response.status_code, self.BLOCKED)
- @override_settings(AXES_LOCK_OUT_BY_COMBINATION_USER_AND_IP=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=[("username", "ip_address")])
 def test_lockout_by_user_and_ip_allows_when_same_user_diff_ip_using_cache(self):
 # User 1 is locked out from IP 1.
 self._lockout_user1_from_ip1()
@@ -482,7 +483,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_1, self.VALID_PASSWORD, ip_addr=self.IP_2)
 self.assertEqual(response.status_code, self.ALLOWED)
- @override_settings(AXES_LOCK_OUT_BY_COMBINATION_USER_AND_IP=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=[("username", "ip_address")])
 def test_lockout_by_user_and_ip_allows_when_diff_user_same_ip_using_cache(self):
 # User 1 is locked out from IP 1.
 self._lockout_user1_from_ip1()
@@ -491,7 +492,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_2, self.VALID_PASSWORD, ip_addr=self.IP_1)
 self.assertEqual(response.status_code, self.ALLOWED)
- @override_settings(AXES_LOCK_OUT_BY_COMBINATION_USER_AND_IP=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=[("username", "ip_address")])
 def test_lockout_by_user_and_ip_allows_when_diff_user_diff_ip_using_cache(self):
 # User 1 is locked out from IP 1.
 self._lockout_user1_from_ip1()
@@ -501,7 +502,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 self.assertEqual(response.status_code, self.ALLOWED)
 @override_settings(
- AXES_LOCK_OUT_BY_COMBINATION_USER_AND_IP=True, AXES_FAILURE_LIMIT=2
+ AXES_LOCKOUT_PARAMETERS=[("username", "ip_address")], AXES_FAILURE_LIMIT=2
 )
 def test_lockout_by_user_and_ip_allows_when_diff_user_same_ip_using_cache_multiple_attempts(
 self,
@@ -530,7 +531,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_2, self.VALID_PASSWORD, ip_addr=self.IP_2)
 self.assertEqual(response.status_code, self.ALLOWED)
- @override_settings(AXES_LOCK_OUT_BY_COMBINATION_USER_AND_IP=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=[("username", "ip_address")])
 def test_lockout_by_user_and_ip_with_empty_username_allows_other_users_using_cache(
 self,
 ):
@@ -543,7 +544,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 # Test for true and false positives when blocking by user or IP together.
 # With cache enabled. When AXES_LOCK_OUT_BY_USER_OR_IP = True
- @override_settings(AXES_LOCK_OUT_BY_USER_OR_IP=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=["username", "ip_address"])
 def test_lockout_by_user_or_ip_blocks_when_same_user_same_ip_using_cache(self):
 # User 1 is locked out from IP 1.
 self._lockout_user1_from_ip1()
@@ -552,7 +553,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_1, self.VALID_PASSWORD, ip_addr=self.IP_1)
 self.assertEqual(response.status_code, self.BLOCKED)
- @override_settings(AXES_LOCK_OUT_BY_USER_OR_IP=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=["username", "ip_address"])
 def test_lockout_by_user_or_ip_allows_when_same_user_diff_ip_using_cache(self):
 # User 1 is locked out from IP 1.
 self._lockout_user1_from_ip1()
@@ -561,7 +562,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_1, self.VALID_PASSWORD, ip_addr=self.IP_2)
 self.assertEqual(response.status_code, self.BLOCKED)
- @override_settings(AXES_LOCK_OUT_BY_USER_OR_IP=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=["username", "ip_address"])
 def test_lockout_by_user_or_ip_allows_when_diff_user_same_ip_using_cache(self):
 # User 1 is locked out from IP 1.
 self._lockout_user1_from_ip1()
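Review bot: The test defined in `@@ -552`, `test_lockout_by_user_or_ip_allows_when_same_user_diff_ip_using_cache`, appears to assert the opposite of its name. The leading context of the next hunk logs in as `USER_1` from `IP_2` and expects `self.BLOCKED`, and that looks like the tail of this test, though the lines between the hunks are not shown. The same applies to `test_lockout_by_user_or_ip_allows_when_diff_user_same_ip_using_cache` in `@@ -561`, whose apparent tail in `@@ -570` also expects `self.BLOCKED`. Since the decorators on both are being touched anyway, I would rename them to `..._blocks_when_same_user_diff_ip_using_cache` and `..._blocks_when_diff_user_same_ip_using_cache`, so the names state the policy that the flat `["username", "ip_address"]` list enforces. Both test bodies continue outside their hunks.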
@@ -570,7 +571,9 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_2, self.VALID_PASSWORD, ip_addr=self.IP_1)
 self.assertEqual(response.status_code, self.BLOCKED)
- @override_settings(AXES_LOCK_OUT_BY_USER_OR_IP=True, AXES_FAILURE_LIMIT=3)
+ @override_settings(
+ AXES_LOCKOUT_PARAMETERS=["username", "ip_address"], AXES_FAILURE_LIMIT=3
+ )
 def test_lockout_by_user_or_ip_allows_when_diff_user_same_ip_using_cache_multiple_attempts(
 self,
 ):
@@ -600,7 +603,9 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_3, self.WRONG_PASSWORD, ip_addr=self.IP_1)
 self.assertContains(response, self.LOCKED_MESSAGE, status_code=self.BLOCKED)
- @override_settings(AXES_LOCK_OUT_BY_USER_OR_IP=True, AXES_FAILURE_LIMIT=3)
+ @override_settings(
+ AXES_LOCKOUT_PARAMETERS=["username", "ip_address"], AXES_FAILURE_LIMIT=3
+ )
 def test_lockout_by_user_or_ip_allows_when_diff_user_same_ip_using_cache_multiple_failed_attempts(
 self,
 ):
@@ -625,7 +630,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_2, self.VALID_PASSWORD, ip_addr=self.IP_2)
 self.assertEqual(response.status_code, self.ALLOWED)
- @override_settings(AXES_LOCK_OUT_BY_USER_OR_IP=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=["username", "ip_address"])
 def test_lockout_by_user_or_ip_allows_when_diff_user_diff_ip_using_cache(self):
 # User 1 is locked out from IP 1.
 self._lockout_user1_from_ip1()
@@ -634,7 +639,7 @@ class DatabaseLoginTestCase(AxesTestCase):
 response = self._login(self.USER_2, self.VALID_PASSWORD, ip_addr=self.IP_2)
 self.assertEqual(response.status_code, self.ALLOWED)
- @override_settings(AXES_LOCK_OUT_BY_USER_OR_IP=True)
+ @override_settings(AXES_LOCKOUT_PARAMETERS=["username", "ip_address"])
 def test_lockout_by_user_or_ip_with_empty_username_allows_other_users_using_cache(
 self,
 ):