Skip to content

Bhanditz/UnlockerX

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits

.github

.github

 
 

.tx

.tx

 
 

docs

docs

 
 

locale

locale

 
 

requirements

requirements

 
 

tests

tests

 
 

unlockerx

unlockerx

 
 

.coveragerc

.coveragerc

 
 

.gitignore

.gitignore

 
 

.travis.yml

.travis.yml

 
 

AUTHORS

AUTHORS

 
 

CHANGELOG.rst

CHANGELOG.rst

 
 

LICENSE.txt

LICENSE.txt

 
 

MANIFEST.in

MANIFEST.in

 
 

Makefile

Makefile

 
 

README.rst

README.rst

 
 

admin.png

admin.png

 
 

codecov.yml

codecov.yml

 
 

manage.py

manage.py

 
 

pylintrc

pylintrc

 
 

pylintrc_tweaks

pylintrc_tweaks

 
 

setup.cfg

setup.cfg

 
 

setup.py

setup.py

 
 

test_settings.py

test_settings.py

 
 

tox.ini

tox.ini

 
 

Repository files navigation

UnlockerX

Travis Codecov Documentation

An app to manage (and remove) both student-specific and IP-based locks in the Open edX platform.

Overview

The edX Platform has two types of security rate limits to avoid stealing user passwords using brute-force attacks:

  • IP-based rate limits: Using django-ratelimit-backend to rate-limit subsequent incorrect requests and block the requester IP address for a period of time. IP-based locks are stored on the cache backend.
  • Student-account locks: This an optional edX platform feature. It works on the login screen and locks user-accounts (regardless of the IP address) for a period of time. Student-locks are stored on the LoginFailure model (in the database).

UnlockerX stores the IP-based rate limits in the database once a lock occurs in RateLimitedIP model. Additionally UnlockerX exposes both of LoginFailure and RateLimitedIP in an admin interface in which a superuser can remove the locks and rate-limits, which is handy to support learners quickly.

How to Install

  • Install the pip package $ pip install -e git+git@github.com:appsembler/unlockerX.git#egg=unlockerx
  • Add unlockerx to ADDL_INSTALLED_APPS in the lms.env.json file (or in server-vars.yml).
  • Since the student-specific locks are disabled by default, enable it via FEATURES['ENABLE_MAX_FAILED_LOGIN_ATTEMPTS'] = True. More on account lockout from edX.
  • Migrate and run the server.

How to Use

  • Go to /admin/unlockerx/
  • Pick either one of RateLimitedIP or StudentAccountLock
  • Select a limit (using the checkbox)
  • Click on the action dropdown and remove the limit. admin-screenshot
  • Make the learner happy!

Monkey Patching

This module monkey-patches the edX platform in two ways:

  • Changes the RateLimitMixin.requests to 100 to be a bit more permissive for mass-students logging in from a shared university IP.
  • Adds the UnlockerX rate-limit middleware to MIDDLEWARE_CLASSES to log blocked requests to the database.

License

The code in this repository is licensed under the MIT License unless otherwise noted.

Please see LICENSE.txt for details.

The original code was developed at Edraak and used to be licensed with AGPL 3.0. This repo has been re-licensed to MIT after Edraak's permission.

How To Contribute

Contributions are very welcome. We're happy to accept pull requests. TravisCI will check your code for you, and we should have a reviewer in a couple of days.

Reporting Security Issues

Please do not report security issues in public. Please email security@appsembler.org.

About

An app to manage (and remove) both student-specific and IP-based locks in the Open edX platform.

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 90.3%
  • Makefile 9.7%