use an authentication backend to check if user is locked out.

[markddavidoff]

@camilonova First Draft for input.

USAGE

settings.py

AUTHENTICATION_BACKENDS = [
    'axes.middleware.DjangoAxesAuthBackend',
    'django.contrib.auth.backends.ModelBackend',
]

login view call example

user = User.objects.get(email=form.cleaned_data['email'])
response_context = {}
user = authenticate(
    request=request,
    username=user.username,
    password=form.cleaned_data['password'],
    response_context=response_context
)
...
if 'error' not in context:
    # if don't have a more specific error, use a generic one.
    context['error'] = 'Incorrect Login Information'
render(request, 'log_in.html', context)

[markddavidoff]

Name suggestions?

[markddavidoff]

Its a bit weird to pass a context and expect a response value but its nice to get a "why" back.

[camilonova]

Looks good so far, please keep going.

[aleksihakli]

Does this mutate kwargs contents?

[markddavidoff]

It expects a dict called 'response_context' to be passed as a kwarg and mutates that if it is present.

I agree its a bit weird to pass a context and expect a value set but its nice to get a "why" back and I couldn't figure out a better way to do this that still complies with the django auth backend structure.

[aleksihakli]

Missing a newline.

[markddavidoff]

also missing a space on the =

[aleksihakli]

Missing a newline.

[aleksihakli]

Maybe AxesModelBackend would be a neater name?

[markddavidoff]

sure! I copy pasted a bunch of this from my subclass implementation and rushed to redact some of the naming and messages

[aleksihakli]

A more traditional import order would be to import Python core packages first, then Django packages and then custom packages. Something like

from django import ...

from axes import ...

[aleksihakli]

This file is not middleware - it should be backends.py so the import for this module would be something like axes.backends.AxesModelBackend.

[aleksihakli]

Looks good, the naming is a bit conflicting as this patchset implements an authentication backend instead of middleware (though it's easy to see it as middlewareish in functionality).

The approach, however, is very nice. An authentication backend denying logins is MUCH more neater and universal than monkey patching view dispatchers which is the current functionality.

If you could clean this up slightly and implement unit tests for the backend it would be nice to get this merged 👍

[camilonova]

@markddavidoff can we have this soon? Looks amazing.

[markddavidoff]

Yeah, i hope to get to this this week or next week.

…

On Wed, Mar 21, 2018, 9:56 AM Camilo Nova ***@***.***> wrote: @markddavidoff <https://github.com/markddavidoff> can we have this soon? Looks amazing. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#315 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABTCn2vSicLER5I7PJ9oPZvfdiMHh-cCks5tgoZAgaJpZM4SpIXo> .

[markddavidoff]

@camilonova @aleksihakli addressed pr concerns, but i have another query as to handle when request is None.

Django Rest Framework (which is very widely used) does not set request when passing it to authenticate, so things like @authentication_classes((BasicAuthentication,)) will error out.

options:

• Error out like this
• no-op if no request and log a warning

But i think we need to address this as just a no-op is a way that axes could not be called due to programmer error (and i think security type things should be on-by-default).

[aleksihakli]

I think this behaviour is fine for the time being. If someone wants to use this custom backend in their project they need to make sure it can function correctly.

[aleksihakli]

Looks good to me! I think this is ready for merging. I'll let @camilonova check and merge this :)

[markddavidoff]

moved the exception to a subclass and updated the documentation as well

[aleksihakli]

A few small cleanups could be used here :)

The RequestParameterRequired exception could maybe subclass the Django SuspiciousOperation exception?

This looks good for merging, though.

[aleksihakli]

This exception should really live in axes.exceptions as per good naming conventions. You just create that exceptions.py file. There is no need to put this inside the AxesModelBackend class, nesting classes just makes this harder to read and find.

[aleksihakli]

This doesn't seem like the right link.

[markddavidoff]

Woops. Will fix.

[aleksihakli]

This can also be just axes.exceptions.RequestParameterRequired.

[aleksihakli]

This should be moved into axes.exceptions file (you can just create that) as per good Django package conventions. Exceptions are easier to find when they are in standard locations.

[markddavidoff]

I strongly disagree eith moving the exception and using suspicious operation, although im always open to naming changes.

Moving indicates it is a failure on the module level, which i dont think applies here. The convention, to me, suggests a "Misconfigured" or "BadParameter" parent exc in exceptions.py that can be subclassed here, but i think the subclass should live here as it is tied to the backend not the module.

Is this a suspicious operation? I think its more programmer error?

[markddavidoff]

But maybe im thinking app as part of a big project wise and not standalone library wise

[aleksihakli]

OK, I think it's valid to have this here as well. Would be nice to have some tests for this, but I think we can implement those later.

[aleksihakli]

We could check for the request authentication status in the model backend and lock out if there are duplicate requests.

[markddavidoff]

Can you please clarify what you mean by 'check for the request authentication status'?

[aleksihakli]

Never mind, I think this is already handled by our signal handler - backend combination.

[aleksihakli]

I guess the big question is if we want to do the access checking and locking out in the model backend?

[markddavidoff]

@aleksihakli, you mean as the default recommended way?

[aleksihakli]

@markddavidoff yeah! I think the best place for all that checking is the AxesModelBackend introduced here. That way we could catch all authentication requests and check their authentication status neatly in one place instead of monkey patching any views or affecting any other code.

[markddavidoff]

@aleksihakli I'm still confused what you mean, i believe this does all the checking the monkeypatched view does already. Am i missing other logic?

[aleksihakli]

@markddavidoff if the Django authentication signals which have handlers defined in axes/signals.py fire correctly, then axes gets information about user login attempts and logouts. Then this backend should work nicely.

I wondered if we should attempt to do access attempt logging in the backend level, but I suppose that isn't necessary in the case all signals work correctly. We should be able to remove the monkey patching with this change from axes altogether if everything works nicely with this new backend.

I'll go ahead and merge this changeset, let's refine it further in a separate PR if necessary :)

[aleksihakli]

@markddavidoff I ran a bunch of tests on top of the new backend and it seems that authentication succesfully fails from the signals, but raising the PermissionDenied does not correctly produce a 403 code in the backend in our test setup :(

[aleksihakli]

It seems that authenticate does not indeed return a 403 but just skips the authentication:

https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L62

So we will either have to modify the tests that check response code on an attempted login, implement a custom middleware that returns the 403 code, or continue monkey patching stuff.

[markddavidoff]

This is meant to be used in conjunction with another middleware that actually authenicates like in the example i added to the docs. We can use modelbackend in the tests. Any suggestions to make that more clear in code and docs.

…

On Wed, Apr 11, 2018, 3:37 PM Aleksi Häkli ***@***.***> wrote: It seems that authenticate does not indeed return a 403 but just skips the authentication: https://github.com/django/django/blob/master/django/contrib/auth/__init__.py#L62 So we will either have to modify the tests that check response code on an attempted login, implement a custom middleware that returns the 403 code, or continue monkey patching stuff. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#315 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/ABTCn4ZPviLpglYq20gfgcYxxnGl-5eyks5tnluKgaJpZM4SpIXo> .