From e9db2d96314f429278a0436b72b5222f107cd90a Mon Sep 17 00:00:00 2001
From: Ronny Vedrilla
Date: Thu, 27 Jul 2023 09:25:08 +0200
Subject: [PATCH] #1093: "AXES_SENSITIVE_PARAMETERS" now have sensible defaults to follow "privacy-by-design"

---
 axes/conf.py | 2 +-
 docs/4_configuration.rst | 2 +-
 tests/test_helpers.py | 3 +++
 3 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/axes/conf.py b/axes/conf.py
index daf1c70..2751445 100644
--- a/axes/conf.py
+++ b/axes/conf.py
@@ -124,7 +124,7 @@ settings.AXES_ALLOWED_CORS_ORIGINS = getattr(settings, "AXES_ALLOWED_CORS_ORIGIN
 settings.AXES_SENSITIVE_PARAMETERS = getattr(
     settings,
     "AXES_SENSITIVE_PARAMETERS",
-    [],
+    ["username", "ip_address"],
 )
 
 # set the callable for the readable string that can be used in
diff --git a/docs/4_configuration.rst b/docs/4_configuration.rst
index a2f3abe..f64320e 100644
--- a/docs/4_configuration.rst
+++ b/docs/4_configuration.rst
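Review bot: The new default on the `+` line masks only GET/POST parameters literally named `username` and `ip_address`, so a login form that posts the identifier under any other name (`email`, `login`, or whatever the project has configured as its username field) still has that value written to the attempt log in clear, and the privacy-by-design default silently does nothing for it. If Axes exposes the username field name as a setting, as the docs hunk shows it does for the password via `AXES_PASSWORD_FORM_FIELD`, the default should be derived from that setting rather than from the hard-coded string `"username"`; otherwise the docs should state that this list must be adjusted to the form's actual field names. As far as I can tell `ip_address` is not a form parameter Axes itself reads, since the client IP it records comes from request metadata, so that entry likely only matters for forms that happen to carry such a field and it is worth confirming what it is meant to cover. Moving the default away from `[]` also changes what existing deployments retain for incident investigation after an upgrade, and the diffstat shows no changelog entry, so a release note flagging the behavior change would help. The `settings.AXES_SENSITIVE_PARAMETERS = getattr(...)` assignment is fully inside the hunk.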
@@ -59,7 +59,7 @@ The following ``settings.py`` options are available for customizing Axes behavio +------------------------------------------------------+----------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | AXES_PASSWORD_FORM_FIELD | 'password' | The name of the form or credentials field that contains your users password. 
| +------------------------------------------------------+----------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ -| AXES_SENSITIVE_PARAMETERS | [] | Configures POST and GET parameter values (in addition to the value of ``AXES_PASSWORD_FORM_FIELD``) to mask in login attempt logging. | +| AXES_SENSITIVE_PARAMETERS | ["username", "ip_address"] | Configures POST and GET parameter values (in addition to the value of ``AXES_PASSWORD_FORM_FIELD``) to mask in login attempt logging. Defaults enable privacy-by-design. 
| +------------------------------------------------------+----------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | AXES_NEVER_LOCKOUT_GET | False | If ``True``, Axes will never lock out HTTP GET requests. | +------------------------------------------------------+----------------------------------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ diff --git a/tests/test_helpers.py b/tests/test_helpers.py index 60f9128..0201fbb 100644 --- a/tests/test_helpers.py +++ b/tests/test_helpers.py 
@@ -82,6 +82,7 @@ class TimestampTestCase(AxesTestCase):
         self.assertEqual(get_cool_off_iso8601(delta), iso_duration)
 
 
+@override_settings(AXES_SENSITIVE_PARAMETERS=[])
 class ClientStringTestCase(AxesTestCase):
     @staticmethod
     def get_expected_client_str(*args, **kwargs):
@@ -1020,6 +1021,7 @@ class AxesCleanseParamsTestCase(AxesTestCase):
         "other_sensitive_data": "sensitive",
     }
 
+    @override_settings(AXES_SENSITIVE_PARAMETERS=[])
     def test_cleanse_parameters(self):
         cleansed = cleanse_parameters(self.parameters)
         self.assertEqual("test_user", cleansed["username"])
@@ -1041,6 +1043,7 @@ class AxesCleanseParamsTestCase(AxesTestCase):
         self.assertEqual("********************", cleansed["password"])
         self.assertEqual("********************", cleansed["other_sensitive_data"])
 
+    @override_settings(AXES_SENSITIVE_PARAMETERS=[])
     @override_settings(AXES_PASSWORD_FORM_FIELD=None)
     def test_cleanse_parameters_override_empty(self):
         cleansed = cleanse_parameters(self.parameters)
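Review bot: The `@override_settings(AXES_SENSITIVE_PARAMETERS=[])` added above `test_cleanse_parameters` only pins the pre-change behavior; nothing in this file now asserts that the new default actually masks `username`, so a regression back to `[]` in `axes/conf.py` would still pass the suite. Add one test without the override next to it, e.g. `def test_cleanse_parameters_default_masks_username(self):` / `cleansed = cleanse_parameters(self.parameters)` / `self.assertEqual("********************", cleansed["username"])`, comparing against the same mask string the existing password assertions use. The `AxesCleanseParamsTestCase` class header is outside the hunk.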
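Review bot: Stacking a second `@override_settings` on `test_cleanse_parameters_override_empty` when the method already carries one is heavier than needed; `override_settings` accepts several keyword arguments, so the two decorators can be folded into `@override_settings(AXES_SENSITIVE_PARAMETERS=[], AXES_PASSWORD_FORM_FIELD=None)`. That also lets a reader see the test's complete settings context in one place. The enclosing class starts outside the hunk.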