Indicate user locked state and allow unlocking from users admin #449

Closed
a-camacho opened this issue May 4, 2022 · 10 comments · Fixed by #600
Labels: enhancement, good first issue

Comments

@a-camacho

Hi guys,

No information about how to unlock users after some login attempts.

Finally found the information in Google.
What I did is I downloaded the SQLite database and removed all access_logs from the AXES table, and it works.

Could you maybe create a script or at least document it in the documentation?

Thanks a lot!

@cdubz
Member

cdubz commented May 10, 2022

@a-camacho sorry for the delay on this -- it would be ideal to add this to the users management area of the app instead of relying on Django's backend, so I'm going to treat this issue as a feature request for that (as opposed to documentation).

cdubz changed the title from "Documentation about how to unlock users" to "Indicate user locked state and allow unlocking from users admin" on May 10, 2022
cdubz added the enhancement and good first issue labels on May 10, 2022
@a-camacho
Author

Thanks for your reply, good idea ;)

@five2seven

Somehow all 3 of my users are locked out, which leaves me with no way of getting in to fix. Would be super helpful if there was some type of documentation on how to deal with this.

@cdubz
Member

cdubz commented Sep 8, 2022

@five2seven Unfortunately Baby Buddy doesn't have any built-in tools that will help here 😞 Ideally we should add a management command to create users that can be used in a pinch like this.

In the meantime, if you can get a shell in your BB application environment you can start a Python interactive session and run the following commands:

```python
from django.contrib.auth.models import User

# Create the account, then grant it superuser and staff (admin) rights.
user = User.objects.create_user("recovery", password="recovery")
user.is_superuser = True
user.is_staff = True
user.save()
```

This will create a new super user with the username and password recovery.

@Node815

Node815 commented Oct 15, 2022

I followed the above workaround in Python after connecting to the container and I am getting the following error:

```
root@4f094c7f3448:/# python3
Python 3.9.5 (default, Nov 24 2021, 21:19:13) 
[GCC 10.3.1 20210424] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from django.contrib.auth.models import User
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "/usr/lib/python3.9/site-packages/django/contrib/auth/models.py", line 3, in <module>
    from django.contrib.auth.base_user import AbstractBaseUser, BaseUserManager
  File "/usr/lib/python3.9/site-packages/django/contrib/auth/base_user.py", line 49, in <module>
    class AbstractBaseUser(models.Model):
  File "/usr/lib/python3.9/site-packages/django/db/models/base.py", line 127, in __new__
    app_config = apps.get_containing_app_config(module)
  File "/usr/lib/python3.9/site-packages/django/apps/registry.py", line 260, in get_containing_app_config
    self.check_apps_ready()
  File "/usr/lib/python3.9/site-packages/django/apps/registry.py", line 137, in check_apps_ready
    settings.INSTALLED_APPS
  File "/usr/lib/python3.9/site-packages/django/conf/__init__.py", line 92, in __getattr__
    self._setup(name)
  File "/usr/lib/python3.9/site-packages/django/conf/__init__.py", line 72, in _setup
    raise ImproperlyConfigured(
django.core.exceptions.ImproperlyConfigured: Requested setting INSTALLED_APPS, but settings are not configured. You must either define the environment variable DJANGO_SETTINGS_MODULE or call settings.configure() before accessing settings.
```

@cdubz
Member

cdubz commented Oct 15, 2022

@PDXUser if you’re on the latest version there is a management command now you can use to create a new user for recovering. See https://docs.baby-buddy.net/user-guide/managing-users/#creating-a-user-from-the-command-line.

@jonezy35

> @PDXUser if you’re on the latest version there is a management command now you can use to create a new user for recovering. See https://docs.baby-buddy.net/user-guide/managing-users/#creating-a-user-from-the-command-line.

@cdubz I tried the instructions on this page and it's just erroring out. I need to be able to log in but my user accounts are locked. Anything I can do from here?

Getting the following error:

```
python manage.py createuser --username recovery --password recovery --is-staff
No Django settings specified.
Unknown command: 'createuser'
Type 'manage.py help' for usage.
```

@cdubz
Member

cdubz commented Jun 16, 2023

@jonezy35 you need to set the DJANGO_SETTINGS_MODULE env var to the settings you are using before running the command. This isn't well covered in the docs because how it is handled will depend on how you have Baby Buddy installed.

@poldim

poldim commented Sep 4, 2023

@cdubz
I ran into an issue where one of my users was locked out, but due to the reverse proxy settings in the container, it blocks all users from logging in, as it appears to be doing a temporary IP ban. Here is what happens when I try to log in after another user's account was temporarily locked after too many login attempts.

```
[2023-09-03 20:05:36 -0400] [228] [INFO] Starting gunicorn 21.2.0
[2023-09-03 20:05:36 -0400] [228] [INFO] Listening at: http://127.0.0.1:3000 (228)
[2023-09-03 20:05:36 -0400] [228] [INFO] Using worker: gthread
[2023-09-03 20:05:36 -0400] [247] [INFO] Booting worker with pid: 247
[2023-09-03 20:05:36 -0400] [248] [INFO] Booting worker with pid: 248
[ls.io-init] done.
AXES: Repeated login failure by {username: "poldim", ip_address: "127.0.0.1", user_agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36", path_info: "/login/"}. Updated existing record in the database.
AXES: Locking out {username: "poldim", ip_address: "127.0.0.1", user_agent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36", path_info: "/login/"} after repeated login failures.
```

@cdubz
Member

cdubz commented Sep 4, 2023

@poldim I think this is worth a separate issue if you want to open one.

Looks like axes by default ignores IP address headers: https://django-axes.readthedocs.io/en/latest/4_configuration.html?highlight=X-Forwarded-For#configuring-reverse-proxies
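
Added example, not part of the thread and not django-axes or Baby Buddy code: a simplified model of IP-keyed lockout behind a reverse proxy, matching the `ip_address: "127.0.0.1"` entries in the log above. The function names, the failure limit and the sample addresses are constructed for illustration, and the trusted-proxy count is an assumption about the deployment.

```python
from collections import Counter

FAILURE_LIMIT = 3  # constructed threshold for this demo


def client_ip(remote_addr, xff, trusted_proxies):
    """Return the address that failed logins should be counted against.

    trusted_proxies is the number of reverse proxies you operate in front of
    the app. Each one appends the peer it saw to X-Forwarded-For, so the real
    client is the entry trusted_proxies from the right. Anything further left
    was supplied by the client itself and is ignored.
    """
    if trusted_proxies == 0 or not xff:
        return remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if len(hops) < trusted_proxies:
        return remote_addr  # header shorter than expected: do not trust it
    return hops[-trusted_proxies]


def locked_out(attempts, trusted_proxies):
    """Replay failed logins and return the set of locked-out addresses."""
    failures = Counter(client_ip(r, x, trusted_proxies) for r, x in attempts)
    return {ip for ip, n in failures.items() if n >= FAILURE_LIMIT}


# Constructed sample: (REMOTE_ADDR, X-Forwarded-For) for each failed login.
# The app only ever sees the proxy on loopback as its peer.
ATTEMPTS = [
    ("127.0.0.1", "203.0.113.7"),
    ("127.0.0.1", "203.0.113.7"),
    ("127.0.0.1", "203.0.113.7"),
    ("127.0.0.1", "198.51.100.20"),
    ("127.0.0.1", "10.9.9.9, 203.0.113.7"),  # leading entry sent by the client
]

if __name__ == "__main__":
    # Header ignored: every client shares the proxy's address and its lockout.
    print(locked_out(ATTEMPTS, 0))
    # One trusted proxy: only the address that actually failed is locked.
    print(locked_out(ATTEMPTS, 1))
```

Taking the leftmost header entry instead would let a client choose the address its failures are counted against, which is why the proxy count has to match the deployment.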
