Lockout and docs

.travis.yml

@@ -15,7 +15,7 @@ install:
 script: coverage run setup.py test
 
 before_script:
-    - pep8 --ignore=E501 secure_login/ example/
+    - pep8 --ignore=E501 secure_login/
 
 after_success: coveralls
 

README.md

@@ -11,13 +11,13 @@ Working
 * Ensure that the password is not in the list of known weak passwords.
 * Ensure username is not same as password
 * Email user on a failed login attempt for them.
+* Lockout after 10 failed attemps within an hour.
 
 TODO
 ---------
 
 * Rate limits login attempts per IP.
 * Rate limits login attempts per user.
-* Lockout after X failed attemps.
 * Emails admins on X failed attempts.
 * Integrate with fail2ban.
 * Support 2F authentication

docs/usage.md

@@ -22,10 +22,30 @@ And
         "secure_login.checkers.no_short_passwords",
     ]
 
-`SECURE_LOGIN_CHECKERS` should be a list of callables. Each callable should only return true if it wants the authetication to go through.
+`SECURE_LOGIN_CHECKERS` should be a list of callables. Each callable should only return true if it wants the authentication to go through.
 
 And
 
     SECURE_LOGIN_ON_FAIL = [
         "secure_login.on_fail.email_user",
-    ]
+        "secure_login.on_fail.populate_failed_requests",
+    ]
+
+`SECURE_LOGIN_ON_FAIL` should be a list of callables. Each callable would be called in order if the authentication falls.
+
+Writing new secure backends.
+-----------------------------------
+
+If you have an existing backend `FooBackend`, you can add SecureBackend like this.
+
+    class SecureFooLoginBackend(SecureLoginBackendMixin, FooBackend):
+        pass
+
+
+Secure Form
+-----------------
+
+Use the `SecureFormMixin` with your usual forms. The forms must have username and password fields.
+
+`SECURE_LOGIN_CHECKERS` will be tested in the the clean method.
+

secure_login/backends.py

@@ -2,13 +2,7 @@
 from django.conf import settings
 
 
-def get_callable(callable_str):
-    path = callable_str.split(".")
-    module_name = ".".join(path[:-1])
-    callable_name = path[-1]
-    module = __import__(module_name, {}, {}, [callable_name])
-    callable_ = getattr(module, callable_name)
-    return callable_
+from .utils import get_callable
 
 
 class SecureLoginBackendMixin(object):
@@ -19,6 +13,7 @@ def authenticate(self, username=None, password=None, **kwargs):
                             "secure_login.checkers.no_username_password_same"]
 
         checkers = getattr(settings, "SECURE_LOGIN_CHECKERS", DEFAULT_CHECKERS)
+        request = kwargs.pop('request', None)
 
         DEFAULT_ON_FAIL = ["secure_login.on_fail.email_user", ]
         on_fail_callables = getattr(settings,

secure_login/forms.py

@@ -0,0 +1,26 @@
+from django.conf import settings
+from django.contrib.auth.forms import AuthenticationForm
+from django import forms
+
+from .utils import get_callable
+
+DEFAULT_ERROR_MESSAGE = "Please review the username and password"
+
+
+class SecureFormMixin(object):
+
+    def clean(self):
+        DEFAULT_CHECKERS = ["secure_login.checkers.no_weak_passwords",
+                            "secure_login.checkers.no_short_passwords",
+                            "secure_login.checkers.no_username_password_same"]
+
+        checkers = getattr(settings, "SECURE_LOGIN_CHECKERS", DEFAULT_CHECKERS)
+        for checker in checkers:
+            checker_ = get_callable(checker)
+            if not checker_(**self.cleaned_data):
+                raise forms.ValidationError(getattr(checker_, "error_message", DEFAULT_ERROR_MESSAGE))
+        return super(SecureFormMixin, self).clean()
+
+
+class SecureLoginForm(SecureFormMixin, AuthenticationForm):
+    pass

secure_login/models.py

@@ -1,3 +1,9 @@
 from django.db import models
 
-# Create your models here.
+from django.contrib.auth.models import User
+
+
+class FailedLogin(models.Model):
+    attempted_at = models.DateTimeField(auto_now=True)
+    for_user = models.ForeignKey(User, null=True, blank=True)
+    ip = models.GenericIPAddressField(null=True, blank=True)

secure_login/on_fail.py

@@ -3,6 +3,10 @@
 from django.core.mail import send_mail
 from django.conf import settings
 
+from .models import FailedLogin
+
+import datetime
+
 
 def email_user(username, password, **kwargs):
     try:
@@ -15,3 +19,39 @@ def email_user(username, password, **kwargs):
 
     except User.DoesNotExist:
         pass
+
+
+def populate_failed_requests(username, password, **kwargs):
+    request = kwargs.get("request")
+    if request and get_client_ip(request):
+        ip = get_client_ip(request)
+    else:
+        ip = None
+    try:
+        user = User.objects.get(username=username)
+    except User.DoesNotExist:
+        user = None
+    FailedLogin.objects.create(for_user=user, ip=ip)
+
+
+def lockout_on_many_wrong_password(username, password, **kwargs):
+    try:
+        user = User.objects.get(username=username)
+        one_hour_ago = datetime.datetime.now() - datetime.timedelta(hours=1)
+        failed_logins = FailedLogin.objects.filter(for_user=user, attempted_at__gte=one_hour_ago).count()
+        max_hourly_attempts = getattr(settings, "SECURE_LOGIN_MAX_HOURLY_ATTEMPTS", 10)
+        if failed_logins >= max_hourly_attempts:
+            user.is_active = False
+            user.save()
+    except User.DoesNotExist:
+        pass
+
+
+def get_client_ip(request):
+    x_forwarded_for = request.META.get('HTTP_X_FORWARDED_FOR')
+    ip = None
+    if x_forwarded_for:
+        ip = x_forwarded_for.split(',')[0]
+    else:
+        ip = request.META.get('REMOTE_ADDR')
+    return ip