Secure Heroku

accounts/views.py

@@ -6,6 +6,8 @@
 from django.contrib.auth.models import User
 from django.urls import reverse
 from accounts.models import AuthToggle,PassPhrase
+import time
+import threading 
 
 def register(request):
     if request.method == "POST":
@@ -71,6 +73,15 @@ def login(request):
 '''def dashboard(request):
     return render(request, 'landings/portal.html')'''
 
+global attempts, maxAttempts, enableTimer
+
+attempts = 0
+
+maxAttempts = 20
+
+enableTimer = False
+
+
 def index(request):
     if request.method == "POST":
 
@@ -80,16 +91,37 @@ def index(request):
 
         protection = AuthToggle.objects.first().enable_protection
 
+        global attempts, maxAttempts, enableTimer
+
         if passphrase:
             # check for all passphrase values in the database 
             for x in PassPhrase.objects.all().values():
-                if passphrase == x['passphrase'] and protection:
+                if passphrase == x['passphrase'] and protection and not enableTimer:
                     gateway = True
                     break
         if gateway:        
             return redirect('portal')
         else:
-            messages.error(request, 'Invalid credentials')
+            attempts += 1
+
+            def start_timeout():
+                global attempts, enableTimer
+                messages.error(request, 'Timeout Reached: you had attempted ' + str(attempts) + " attempts please wait 1 hour to continue")
+                # Time in seconds
+                time.sleep(3600)
+                attempts = 0
+                enableTimer = False
+
+            t1 = threading.Thread(target=start_timeout)
+
+            if attempts >= maxAttempts and not enableTimer:
+                t1.start()
+                enableTimer = True
+            elif enableTimer:
+                messages.error(request, 'Timeout Reached: please wait 1 hour to continue')
+            else:
+                messages.error(request, 'Invalid credentials: attempts left: ' + str(maxAttempts - attempts))
+
             return render(request, 'landings/gateway.html')
     else:
         return render(request, 'landings/gateway.html')

tarot_juicer/settings.py

@@ -28,14 +28,27 @@
 # SECURITY WARNING: keep the secret key used in production secret!
 
 # SECRET_KEY = os.environ['DJANGO_SECRET_KEY']
-
+# tarot!7l=5rh&^(_uug%qd845^^(b40e)bl6kyww$z89f-m#tu=8k&tjuicer
 SECRET_KEY = str(os.getenv('SECRET_KEY'))
 
 # SECURITY WARNING: don't run with debug turned on in production!
-DEBUG = os.environ.get('DEBUG')
-
-ALLOWED_HOSTS = ['*']
 
+if os.environ.get('DJANGO_DEBUG', '') != 'False':
+    DEBUG = True
+    SECURE_HSTS_SECONDS = 10
+    SECURE_SSL_REDIRECT = False
+    SESSION_COOKIE_SECURE = False
+    CSRF_COOKIE_SECURE = False
+else:
+    DEBUG = False
+    SECURE_HSTS_SECONDS = 10
+    SECURE_SSL_REDIRECT = True
+    SESSION_COOKIE_SECURE = True
+    CSRF_COOKIE_SECURE = True
+
+ALLOWED_HOSTS = os.environ.get('ALLOWED_HOSTS').split(' ')  if 'ALLOWED_HOSTS' in os.environ else ['*']
+
+ADMIN_PATH = os.environ.get('ADMIN_PATH')+'/' if 'ADMIN_PATH' in os.environ else 'admin/'
 
 # Application definition
 

tarot_juicer/urls.py

@@ -11,7 +11,7 @@
     path('', include('accounts.urls')),
     # path('', include('generators.urls')),
     # path('', include('landings.urls')),
-    path('admin/', admin.site.urls),
+    path(settings.ADMIN_PATH, admin.site.urls),
 ] + static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)
 
 """tarot_juicer URL Configuration