An app to manage (and remove) both student-specific and IP-based locks in the Open edX platform.
The edX Platform has two types of security rate limits that protect user passwords against brute-force attacks:

- IP-based rate limits: use django-ratelimit-backend to rate-limit consecutive incorrect requests and block the requester's IP address for a period of time. IP-based locks are stored in the cache backend.
- Student-account locks: an optional edX platform feature. It works on the login screen and locks user accounts (regardless of the IP address) for a period of time. Student locks are stored in the `LoginFailure` model (in the database).

UnlockerX stores the IP-based rate limits in the database, in the `RateLimitedIP` model, once a lock occurs. Additionally, UnlockerX exposes both `LoginFailure` and `RateLimitedIP` in an admin interface in which a superuser can remove the locks and rate limits, which is handy for supporting learners quickly.
- Install the pip package:

  ```
  $ pip install -e git+git@github.com:appsembler/unlockerX.git#egg=unlockerx
  ```

- Add `unlockerx` to `ADDL_INSTALLED_APPS` in the `lms.env.json` file (or in `server-vars.yml`).
- Since the student-specific locks are disabled by default, enable them via `FEATURES['ENABLE_MAX_FAILED_LOGIN_ATTEMPTS'] = True`. More on account lockout from edX.
- Migrate and run the server.
- Go to `/admin/unlockerx/`
- Pick either `RateLimitedIP` or `StudentAccountLock`
- Select a limit (using the checkbox)
- Click on the action dropdown and remove the limit.
- Make the learner happy!
This module monkey-patches the edX platform in two ways:

- Changes `RateLimitMixin.requests` to 100, to be a bit more permissive for large numbers of students logging in from a shared university IP.
- Adds the UnlockerX rate-limit middleware to `MIDDLEWARE_CLASSES` to log blocked requests to the database.
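To make the two mechanisms described above concrete (the cache-backed IP limit mirrored to `RateLimitedIP` once a block happens, the database-backed per-account `LoginFailure` lock, and the admin removal of either), here is an added example that models their lifecycle in plain Python. It is example code written for this README, not UnlockerX's or edx-platform's own implementation: the window and lockout periods, the per-account threshold, the field names (`lockout_count`, `unlocked`, `failure_count`, `lockout_until`) and the in-memory dicts standing in for the cache backend and the database are all assumptions. Only the request limit of 100 comes from the text.

```python
"""Model of the two lock types UnlockerX manages (example code, not the project's)."""
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IP_REQUEST_LIMIT = 100          # the value UnlockerX patches into RateLimitMixin.requests
IP_WINDOW_SECONDS = 300         # assumed rate-limit window
MAX_FAILED_ATTEMPTS = 5         # assumed per-account threshold
ACCOUNT_LOCKOUT_SECONDS = 1800  # assumed per-account lockout period


@dataclass
class RateLimitedIP:
    """Stand-in for the RateLimitedIP model: one row per IP that hit the limit (fields assumed)."""
    ip_address: str
    lockout_count: int = 0      # blocked requests logged for this IP
    unlocked: bool = False      # set by the admin "remove" action


@dataclass
class LoginFailure:
    """Stand-in for the edX LoginFailure model (field names assumed)."""
    username: str
    failure_count: int = 0
    lockout_until: Optional[float] = None


class LockStore:
    def __init__(self) -> None:
        # ip -> (request count, window expiry): stands in for the cache backend
        self.cache: Dict[str, Tuple[int, float]] = {}
        # the two "database tables"
        self.rate_limited_ips: Dict[str, RateLimitedIP] = {}
        self.login_failures: Dict[str, LoginFailure] = {}

    def _bump_ip(self, ip: str, now: float) -> int:
        count, expires = self.cache.get(ip, (0, now + IP_WINDOW_SECONDS))
        if now >= expires:                      # cache entry expired: start a fresh window
            count, expires = 0, now + IP_WINDOW_SECONDS
        count += 1
        self.cache[ip] = (count, expires)
        return count

    def ip_blocked(self, ip: str, now: float) -> bool:
        count, expires = self.cache.get(ip, (0, 0.0))
        return now < expires and count > IP_REQUEST_LIMIT

    def account_locked(self, username: str, now: float) -> bool:
        lf = self.login_failures.get(username)
        return lf is not None and lf.lockout_until is not None and now < lf.lockout_until

    def attempt_login(self, ip: str, username: str, password_ok: bool, now: float) -> str:
        # IP-based limit first: every request from the IP counts, whatever account it names
        if self._bump_ip(ip, now) > IP_REQUEST_LIMIT:
            # what the middleware does: persist the block so an admin can see and remove it
            row = self.rate_limited_ips.setdefault(ip, RateLimitedIP(ip))
            row.lockout_count += 1
            row.unlocked = False
            return "ip_blocked"
        if self.account_locked(username, now):
            return "account_locked"
        if password_ok:
            self.login_failures.pop(username, None)   # success clears the per-account counter
            return "ok"
        lf = self.login_failures.setdefault(username, LoginFailure(username))
        lf.failure_count += 1
        if lf.failure_count >= MAX_FAILED_ATTEMPTS:
            lf.lockout_until = now + ACCOUNT_LOCKOUT_SECONDS
        return "failed"

    def unlock_ip(self, ip: str) -> None:
        """Admin action on RateLimitedIP: drop the cache entry and mark the row unlocked."""
        self.cache.pop(ip, None)
        if ip in self.rate_limited_ips:
            self.rate_limited_ips[ip].unlocked = True

    def unlock_account(self, username: str) -> None:
        """Admin action on LoginFailure: removing the row lifts the lock."""
        self.login_failures.pop(username, None)


def demo() -> Dict[str, str]:
    """Walk both lock types through lock, block and admin unlock (constructed sample data)."""
    store, now, results = LockStore(), time.time(), {}
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.attempt_login("198.51.100.7", "alice", False, now)
    results["alice_after_failures"] = store.attempt_login("198.51.100.7", "alice", True, now)
    store.unlock_account("alice")
    results["alice_after_unlock"] = store.attempt_login("198.51.100.7", "alice", True, now)
    for i in range(IP_REQUEST_LIMIT + 1):      # a shared campus IP exceeding the limit
        results["campus_ip"] = store.attempt_login("203.0.113.5", "student%d" % i, False, now)
    store.unlock_ip("203.0.113.5")
    results["campus_ip_after_unlock"] = store.attempt_login("203.0.113.5", "student0", True, now)
    return results


if __name__ == "__main__":
    print(demo())
```

The ordering in `attempt_login` is the point worth noticing: the IP limit is checked before anything account-specific, so on a shared campus address enough wrong passwords from many different students block the address for everyone, which is exactly the situation the raised limit of 100 and the admin removal action are meant to handle.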
The code in this repository is licensed under the MIT License unless otherwise noted. Please see `LICENSE.txt` for details.
The original code was developed at Edraak and used to be licensed under AGPL 3.0. This repo has been re-licensed to MIT with Edraak's permission.
Contributions are very welcome. We're happy to accept pull requests. TravisCI will check your code for you, and we should have a reviewer in a couple of days.
Please do not report security issues in public. Please email security@appsembler.org.