django-defender/defender/decorators.py

from . import utils

import functools


def watch_login(status_code=302, msg="", get_username=utils.get_username_from_request):
    """
    Used to decorate the django.contrib.admin.site.login method or
    any other function you want to protect by brute forcing.
    To make it work on normal functions just pass the status code that should
    indicate a failure and/or a string that will be checked within the
    response body.
    """

    def decorated_login(func):
        @functools.wraps(func)
        def wrapper(request, *args, **kwargs):
            # if the request is currently under lockout, do not proceed to the
            # login function, go directly to lockout url, do not pass go,
            # do not collect messages about this login attempt
            username = get_username(request)

            if utils.is_already_locked(request, username=username):
                return utils.lockout_response(request, username=username)

            # call the login function
            response = func(request, *args, **kwargs)

            if request.method == "POST":
                # see if the login was successful
                if status_code == 302:  # standard Django login view
                    login_unsuccessful = (
                        response
                        and not response.has_header("location")
                        and response.status_code != status_code
                    )
                else:
                    # If msg is not passed the last condition will be evaluated
                    # always to True so the first 2 will decide the result.
                    login_unsuccessful = (
                        response
                        and response.status_code == status_code
                        and msg in response.content.decode("utf-8")
                    )

                # ideally make this background task, but to keep simple,
                # keeping it inline for now.
                utils.add_login_attempt_to_db(
                    request, not login_unsuccessful, username=username
                )

                if utils.check_request(request, login_unsuccessful, username=username):
                    return response

                return utils.lockout_response(request, username=username)

            return response

        return wrapper

    return decorated_login
refactored the code a little, and updated readme to include missing config 2014-12-31 22:00:45 +00:00			`from . import utils`
initial checkin 2014-09-24 00:31:17 +00:00
Allow decoration of functions beyond the admin login (#86) * Allow decoration of functions beyond the admin login * Exclude tests file from coverage * Allow installing django 1.11 * Add python 3.6 for testing 2017-06-26 16:23:23 +00:00			`import functools`
initial checkin 2014-09-24 00:31:17 +00:00
Allow decoration of functions beyond the admin login (#86) * Allow decoration of functions beyond the admin login * Exclude tests file from coverage * Allow installing django 1.11 * Add python 3.6 for testing 2017-06-26 16:23:23 +00:00
PEP8 formatting (#147) Run black with Python 2.7 as target version to unify the code styling and make it more linter and style guide compliant 2019-11-15 18:22:14 +00:00			`def watch_login(status_code=302, msg="", get_username=utils.get_username_from_request):`
initial checkin 2014-09-24 00:31:17 +00:00			`"""`
Allow decoration of functions beyond the admin login (#86) * Allow decoration of functions beyond the admin login * Exclude tests file from coverage * Allow installing django 1.11 * Add python 3.6 for testing 2017-06-26 16:23:23 +00:00			`Used to decorate the django.contrib.admin.site.login method or`
			`any other function you want to protect by brute forcing.`
			`To make it work on normal functions just pass the status code that should`
			`indicate a failure and/or a string that will be checked within the`
			`response body.`
initial checkin 2014-09-24 00:31:17 +00:00			`"""`
PEP8 formatting (#147) Run black with Python 2.7 as target version to unify the code styling and make it more linter and style guide compliant 2019-11-15 18:22:14 +00:00
Allow decoration of functions beyond the admin login (#86) * Allow decoration of functions beyond the admin login * Exclude tests file from coverage * Allow installing django 1.11 * Add python 3.6 for testing 2017-06-26 16:23:23 +00:00			`def decorated_login(func):`
			`@functools.wraps(func)`
			`def wrapper(request, args, *kwargs):`
			`# if the request is currently under lockout, do not proceed to the`
Add possibility to use custom `utils.get_username_from_request` function (#122) * Add `DEFENDER_GET_USERNAME_FROM_REQUEST_PATH` setting This setting allow to override default `get_username_from_request` function. * Add `get_username` argument to `watch_login` To be able to propagate this argument to other utils functions calls * Minor code-style fixes * Add example of use of `DEFENDER_GET_USERNAME_FROM_REQUEST_PATH` setting * Update docs 2018-05-29 14:32:08 +00:00			`# login function, go directly to lockout url, do not pass go,`
			`# do not collect messages about this login attempt`
Fix `watch_login` with custom username (#228) Previously using of custom `get_username` function with disabled IP lockout caused unhandled exception Exception("Invalid state requested") 2023-11-09 12:41:49 +00:00			`username = get_username(request)`

			`if utils.is_already_locked(request, username=username):`
			`return utils.lockout_response(request, username=username)`
Allow decoration of functions beyond the admin login (#86) * Allow decoration of functions beyond the admin login * Exclude tests file from coverage * Allow installing django 1.11 * Add python 3.6 for testing 2017-06-26 16:23:23 +00:00
			`# call the login function`
			`response = func(request, args, *kwargs)`

PEP8 formatting (#147) Run black with Python 2.7 as target version to unify the code styling and make it more linter and style guide compliant 2019-11-15 18:22:14 +00:00			`if request.method == "POST":`
Allow decoration of functions beyond the admin login (#86) * Allow decoration of functions beyond the admin login * Exclude tests file from coverage * Allow installing django 1.11 * Add python 3.6 for testing 2017-06-26 16:23:23 +00:00			`# see if the login was successful`
			`if status_code == 302: # standard Django login view`
			`login_unsuccessful = (`
PEP8 formatting (#147) Run black with Python 2.7 as target version to unify the code styling and make it more linter and style guide compliant 2019-11-15 18:22:14 +00:00			`response`
			`and not response.has_header("location")`
			`and response.status_code != status_code`
Allow decoration of functions beyond the admin login (#86) * Allow decoration of functions beyond the admin login * Exclude tests file from coverage * Allow installing django 1.11 * Add python 3.6 for testing 2017-06-26 16:23:23 +00:00			`)`
			`else:`
			`# If msg is not passed the last condition will be evaluated`
			`# always to True so the first 2 will decide the result.`
			`login_unsuccessful = (`
PEP8 formatting (#147) Run black with Python 2.7 as target version to unify the code styling and make it more linter and style guide compliant 2019-11-15 18:22:14 +00:00			`response`
			`and response.status_code == status_code`
			`and msg in response.content.decode("utf-8")`
Allow decoration of functions beyond the admin login (#86) * Allow decoration of functions beyond the admin login * Exclude tests file from coverage * Allow installing django 1.11 * Add python 3.6 for testing 2017-06-26 16:23:23 +00:00			`)`

Add possibility to use custom `utils.get_username_from_request` function (#122) * Add `DEFENDER_GET_USERNAME_FROM_REQUEST_PATH` setting This setting allow to override default `get_username_from_request` function. * Add `get_username` argument to `watch_login` To be able to propagate this argument to other utils functions calls * Minor code-style fixes * Add example of use of `DEFENDER_GET_USERNAME_FROM_REQUEST_PATH` setting * Update docs 2018-05-29 14:32:08 +00:00			`# ideally make this background task, but to keep simple,`
			`# keeping it inline for now.`
PEP8 formatting (#147) Run black with Python 2.7 as target version to unify the code styling and make it more linter and style guide compliant 2019-11-15 18:22:14 +00:00			`utils.add_login_attempt_to_db(`
Fix `watch_login` with custom username (#228) Previously using of custom `get_username` function with disabled IP lockout caused unhandled exception Exception("Invalid state requested") 2023-11-09 12:41:49 +00:00			`request, not login_unsuccessful, username=username`
PEP8 formatting (#147) Run black with Python 2.7 as target version to unify the code styling and make it more linter and style guide compliant 2019-11-15 18:22:14 +00:00			`)`
Allow decoration of functions beyond the admin login (#86) * Allow decoration of functions beyond the admin login * Exclude tests file from coverage * Allow installing django 1.11 * Add python 3.6 for testing 2017-06-26 16:23:23 +00:00
Fix `watch_login` with custom username (#228) Previously using of custom `get_username` function with disabled IP lockout caused unhandled exception Exception("Invalid state requested") 2023-11-09 12:41:49 +00:00			`if utils.check_request(request, login_unsuccessful, username=username):`
Allow decoration of functions beyond the admin login (#86) * Allow decoration of functions beyond the admin login * Exclude tests file from coverage * Allow installing django 1.11 * Add python 3.6 for testing 2017-06-26 16:23:23 +00:00			`return response`

Fix `watch_login` with custom username (#228) Previously using of custom `get_username` function with disabled IP lockout caused unhandled exception Exception("Invalid state requested") 2023-11-09 12:41:49 +00:00			`return utils.lockout_response(request, username=username)`
Allow decoration of functions beyond the admin login (#86) * Allow decoration of functions beyond the admin login * Exclude tests file from coverage * Allow installing django 1.11 * Add python 3.6 for testing 2017-06-26 16:23:23 +00:00
			`return response`

			`return wrapper`
PEP8 formatting (#147) Run black with Python 2.7 as target version to unify the code styling and make it more linter and style guide compliant 2019-11-15 18:22:14 +00:00
initial checkin 2014-09-24 00:31:17 +00:00			`return decorated_login`