From 0b3c70e6085a9ff2b8b47c496b71766ac9609903 Mon Sep 17 00:00:00 2001
From: UmarGit
Date: Fri, 12 Mar 2021 02:16:33 +0500
Subject: [PATCH] Secure Heroku
Secure Heroku
---
 accounts/views.py | 36 ++++++++++++++++++++++++++++++++++--
 tarot_juicer/settings.py | 21 +++++++++++++++++----
 tarot_juicer/urls.py | 2 +-
 3 files changed, 52 insertions(+), 7 deletions(-)
diff --git a/accounts/views.py b/accounts/views.py
index 5c52e0cb..9fb83ef6 100644
--- a/accounts/views.py
+++ b/accounts/views.py
@@ -6,6 +6,8 @@ from django.contrib.auth.models import User
 from django.urls import reverse
 from accounts.models import AuthToggle,PassPhrase
+import time
+import threading
 def register(request):
 if request.method == "POST":
@@ -71,6 +73,15 @@ def login(request):
 '''def dashboard(request):
 return render(request, 'landings/portal.html')'''
+global attempts, maxAttempts, enableTimer
+
+attempts = 0
+
+maxAttempts = 20
+
+enableTimer = False
+
+
 def index(request):
 if request.method == "POST":
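Review bot: The `global attempts, maxAttempts, enableTimer` line added before `def index` is a no-op — `global` only has an effect inside a function body — and the three names that follow it are module-level variables, so they are shared by every client one worker process serves but not by other worker processes or dynos, and they reset whenever the process restarts. As consumed in the `@@ -80,16 +91,37 @@` hunk, that makes the limit a process-wide lockout rather than a per-client one: 20 failed submissions from any source block the gateway for all users of that process for an hour, while each additional worker enforces its own separate budget and a restart forgets the lockout early. Drop the `global` line, keep only the constant (`maxAttempts = 20` is fine as is, or `MAX_ATTEMPTS = 20` to mark it read-only), and keep the mutable counter in a store that is keyed per client and shared between workers, such as the Django cache with a timeout.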
@@ -80,16 +91,37 @@ def index(request):
 protection = AuthToggle.objects.first().enable_protection
+ global attempts, maxAttempts, enableTimer
+
 if passphrase:
 # check for all passphrase values in the database
 for x in PassPhrase.objects.all().values():
- if passphrase == x['passphrase'] and protection:
+ if passphrase == x['passphrase'] and protection and not enableTimer:
 gateway = True
 break
 if gateway:
 return redirect('portal')
 else:
- messages.error(request, 'Invalid credentials')
+ attempts += 1
+
+ def start_timeout():
+ global attempts, enableTimer
+ messages.error(request, 'Timeout Reached: you had attempted ' + str(attempts) + " attempts please wait 1 hour to continue")
+ # Time in seconds
+ time.sleep(3600)
+ attempts = 0
+ enableTimer = False
+
+ t1 = threading.Thread(target=start_timeout)
+
+ if attempts >= maxAttempts and not enableTimer:
+ t1.start()
+ enableTimer = True
+ elif enableTimer:
+ messages.error(request, 'Timeout Reached: please wait 1 hour to continue')
+ else:
+ messages.error(request, 'Invalid credentials: attempts left: ' + str(maxAttempts - attempts))
+
 return render(request, 'landings/gateway.html')
 else:
 return render(request, 'landings/gateway.html')
diff --git a/tarot_juicer/settings.py b/tarot_juicer/settings.py
index 004aa389..f77e3f86 100644
--- a/tarot_juicer/settings.py
+++ b/tarot_juicer/settings.py
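Review bot: The lockout in the new `else` branch is tracked in the process-global `attempts`/`enableTimer` and cleared by a thread that sleeps for an hour, so it is neither per-client nor durable: one source of 20 bad passphrases blocks every user of that worker, a second worker never sees the lockout, a worker restart (routine on Heroku) clears it early, and the `messages.error(request, ...)` call inside `start_timeout` runs on a background thread against a request that is already being rendered, so whether that message is ever shown depends on scheduling. A cache-backed counter keyed per client with a TTL gives the same user-visible behaviour without the thread or the module globals; it needs `from django.core.cache import cache` at the top of the file and a cache backend shared between workers (the default per-process LocMemCache would reproduce the same split-brain), and because the Heroku router sits in front of the app, confirm what the deployment exposes as the client address before keying on `REMOTE_ADDR`. The comparison line also still matches the plaintext passphrase with `==`; `hmac.compare_digest` would make it constant-time, though that is a pre-existing shape. The `index` function starts outside the hunk.
```python
    # … unchanged: method check, passphrase/protection setup …
    client = request.META.get('REMOTE_ADDR') or 'unknown'  # confirm what Heroku's router exposes here
    key = 'gateway-failures:' + client
    locked_out = cache.get(key, 0) >= maxAttempts
    if passphrase:
        # check for all passphrase values in the database
        for x in PassPhrase.objects.all().values():
            if passphrase == x['passphrase'] and protection and not locked_out:
                gateway = True
                break
        if gateway:
            cache.delete(key)  # a successful entry clears this client's failure budget
            return redirect('portal')
        else:
            # Per-client failure count that expires on its own: no thread, no module globals.
            # The window runs from the last failure; use cache.add()+cache.incr() to anchor it at the first.
            failures = cache.get(key, 0) + 1
            cache.set(key, failures, timeout=3600)
            if failures >= maxAttempts:
                messages.error(request, 'Timeout Reached: please wait 1 hour to continue')
            else:
                messages.error(request, 'Invalid credentials: attempts left: ' + str(maxAttempts - failures))
            return render(request, 'landings/gateway.html')
    # … unchanged: outer else branch …
```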
@@ -28,14 +28,27 @@
 # SECURITY WARNING: keep the secret key used in production secret!
 # SECRET_KEY = os.environ['DJANGO_SECRET_KEY']
-
+# tarot!7l=5rh&^(_uug%qd845^^(b40e)bl6kyww$z89f-m#tu=8k&tjuicer
 SECRET_KEY = str(os.getenv('SECRET_KEY'))
 # SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = os.environ.get('DEBUG')
-
-ALLOWED_HOSTS = ['*']
+if os.environ.get('DJANGO_DEBUG', '') != 'False':
+ DEBUG = True
+ SECURE_HSTS_SECONDS = 10
+ SECURE_SSL_REDIRECT = False
+ SESSION_COOKIE_SECURE = False
+ CSRF_COOKIE_SECURE = False
+else:
+ DEBUG = False
+ SECURE_HSTS_SECONDS = 10
+ SECURE_SSL_REDIRECT = True
+ SESSION_COOKIE_SECURE = True
+ CSRF_COOKIE_SECURE = True
+
+ALLOWED_HOSTS = os.environ.get('ALLOWED_HOSTS').split(' ') if 'ALLOWED_HOSTS' in os.environ else ['*']
+
+ADMIN_PATH = os.environ.get('ADMIN_PATH')+'/' if 'ADMIN_PATH' in os.environ else 'admin/'
 # Application definition
diff --git a/tarot_juicer/urls.py b/tarot_juicer/urls.py
index 7e497928..ef093404 100644
--- a/tarot_juicer/urls.py
+++ b/tarot_juicer/urls.py
@@ -11,7 +11,7 @@
 path('', include('accounts.urls')),
 # path('', include('generators.urls')),
 # path('', include('landings.urls')),
- path('admin/', admin.site.urls),
+ path(settings.ADMIN_PATH, admin.site.urls),
 ] + static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
 """tarot_juicer URL Configuration
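Review bot: The new comment line directly above `SECRET_KEY = str(os.getenv('SECRET_KEY'))` looks like a Django secret key pasted into the settings file; once committed it is in the repository history permanently, so it should be removed from the file and, if it was ever used by a deployment, treated as exposed and replaced in that deployment's environment. The `DJANGO_DEBUG` test is fail-open: any value other than the exact string `'False'` — including an unset variable, `false` or `0` — selects the debug branch and turns off the SSL redirect and the secure cookie flags, so compute `DEBUG = os.environ.get('DJANGO_DEBUG', '').lower() in ('1', 'true')` first and branch on `if DEBUG:`; the same fail-open shape applies to `ALLOWED_HOSTS`, whose fallback of `['*']` accepts any Host header when the variable is missing. `SECURE_HSTS_SECONDS = 10` is too short to give browsers any HSTS protection (Django's deployment check expects a max-age on the order of a year), and behind Heroku's TLS-terminating router `SECURE_SSL_REDIRECT = True` will likely need `SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')` to avoid a redirect loop — confirm against the deployment. The unchanged `str(os.getenv('SECRET_KEY'))` also yields the literal string `'None'` when the variable is unset rather than failing, which the new fail-closed branch would be a good place to fix as well.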