Closed
Description
EXPLORATORY TICKET - Research making django-allauth security settings configurable through the admin interface.
Current State
Security settings hardcoded in settings.py:
- ACCOUNT_PREVENT_ENUMERATION = True
- ACCOUNT_RATE_LIMITS = {...}
- Session and redirect settings
Research Areas
- Rate Limiting: Dynamic rate limit adjustments
- User Enumeration: Toggle enumeration protection
- Session Control: Dynamic session timeouts
- Redirect Behavior: Configurable post-auth redirects
Security Considerations
- Rate Limits: Changes affect brute force protection
- Enumeration: Impacts user privacy and security
- Sessions: May affect active user sessions
- Redirects: Open redirect vulnerabilities possible
Research Questions
- Can rate limits be safely changed at runtime?
- What's the security impact of dynamic enumeration settings?
- Do session changes affect logged-in users?
- How to validate redirect URLs securely?
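One way to answer the redirect-validation question above, as an added example that is not part of this ticket or of django-allauth's own code: a stand-alone validator for admin-configured post-auth redirect targets that only accepts relative paths or an explicit host allowlist. The allowlist, default path and function names are assumptions for this example; in a Django project the equivalent checks are provided by `django.utils.http.url_has_allowed_host_and_scheme`.

```python
from urllib.parse import urlsplit

# Constructed for this example: hosts the application may redirect to after
# login. In the ticket's design this set would be the admin-managed allowlist.
ALLOWED_REDIRECT_HOSTS = {"example.com", "accounts.example.com"}
DEFAULT_REDIRECT = "/dashboard/"  # assumed fallback when validation fails


def is_safe_redirect(url, allowed_hosts=ALLOWED_REDIRECT_HOSTS, require_https=False):
    """Return True only if url is a relative path or targets an allowed host.

    Stand-alone re-implementation of the checks Django performs in
    url_has_allowed_host_and_scheme; it is not Django's code.
    """
    if not url:
        return False
    url = url.strip()
    # Control characters can make browser and server parse the URL differently.
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        return False
    # Browsers treat backslashes as forward slashes; normalise before parsing.
    url = url.replace("\\", "/")
    # Protocol-relative URLs are absolute in browsers, so never allow them.
    if url.startswith("//"):
        return False
    parts = urlsplit(url)
    # A scheme without a network location (javascript:, data:, mailto:) is unsafe.
    if parts.scheme and not parts.netloc:
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if require_https and parts.scheme == "http":
        return False
    if not parts.netloc:
        return True  # plain relative path such as "/account/?tab=1"
    # Reject userinfo in the authority; it can disguise the real host.
    if parts.username is not None or parts.password is not None:
        return False
    return (parts.hostname or "") in allowed_hosts


def resolve_post_auth_redirect(requested, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """Use the requested target when it validates, otherwise the safe default."""
    if is_safe_redirect(requested, allowed_hosts):
        return requested
    return DEFAULT_REDIRECT
```

Because the allowlist is passed in explicitly, the same function can be called with whatever host set the admin interface currently stores, with the hardcoded default applied when the stored value is rejected.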
Implementation Risks
- High: Security misconfigurations
- Medium: Performance impact of dynamic lookups
- Medium: Compatibility with existing security measures
Proceed Only If
- Security implications are fully understood
- Changes can be validated and tested thoroughly
- Rollback mechanisms are in place
- Performance impact is acceptable
Labels: research, django-allauth, security, high-risk, complexity-warning
Priority: Low (Security review required)