Only use the username if it is actually provided (#112)

* Only use the username if it is actually provided

* Test that unspecified usernames cannot be blocked

* Added test to prevent Coveralls from complaining about a coverage regression.

defender/tests.py

@@ -226,6 +226,23 @@ class AccessAttemptTest(DefenderTestCase):
         self.assertNotIn(UPPER_USERNAME, utils.get_blocked_usernames())
         self.assertIn(UPPER_USERNAME.lower(), utils.get_blocked_usernames())
 
+    def test_empty_username_cannot_be_blocked(self):
+        """
+        Test that an empty username, or one that is None, cannot be blocked.
+        """
+        for username in ["", None]:
+            for i in range(0, config.FAILURE_LIMIT + 2):
+                ip = '74.125.239.{0}.'.format(i)
+                self._login(username=username, remote_addr=ip)
+
+            self.assertNotIn(username, utils.get_blocked_usernames())
+
+    def test_lowercase(self):
+        """
+        Test that the lowercase(None) returns None.
+        """
+        self.assertEquals(utils.lower_username(None), None)
+
     def test_cooling_off(self):
         """ Tests if the cooling time allows a user to login
         """

defender/utils.py

@@ -202,7 +202,7 @@ def record_failed_attempt(ip_address, username):
             ip_block = True
 
     user_block = False
-    if not config.DISABLE_USERNAME_LOCKOUT:
+    if username and not config.DISABLE_USERNAME_LOCKOUT:
         user_count = increment_key(get_username_attempt_cache_key(username))
         # if over the limit, add to block
         if user_count > config.FAILURE_LIMIT: