- Add explicit dependency on django-ipware >=3. django-axes >= 6 adds
only and optional dependency on django-ipware. Adding explicit dependency make
the behavior safer.
- Depend on django-axes >= 5 where the authentication backend and other features
are available. The new code won't work with older versions. The new approach
uses and authentication backend to deny access to the login form on lockout and
a middleware to redirect user to locked out form when limit of attempts have
been reached.
- Drop old code used for compatibility with django-axes 3.x.
- Suppress verbose and debug messages as django-axes is too chatty.
- Re-implment the CAPTCHA form entirely. In the old style, we have a login form
with CAPTCHA field. That would not work with the new django-axes authentication
middle. On submission of the form, auth.authenticate() will be called. This
call invokes various authentication backends include django-axes authentication
backend. This backend's behavior is to reject all authentication attempts when
the IP is listed in locked table. The new approach is to provide a simple
CAPTCHA form with just the CAPTCHA field. If the form is successfully
validated (correct CAPTCHA is provided), then the lock on the IP address is
reset. The user is then free to perform 3 more attempts to login.
- Update firstboot form to send the request parameter when using
auth.authenticate() method. This needed by Django axes' authentication method
which will be triggered.
Tests:
- Run tests on Debian Bookworm and Debian testing.
- Axes verbose messages and debug messages are not printed on the console when
running FreedomBox in debug mode.
- Only three invalid attempts are allowed at the login page. After the final
incorrect attempt, user is redirected to CAPTCHA page. Visiting the login page
using the URL works but entering the correct credentials still takes the user to
CAPTCHA page.
- CAPTCHA form appears as expected. Clicking the CAPTCHA images downloads the
audio file corresponding to the image. Incorrect CAPTCHA shows an error. Correct
CAPTCHA takes the user to login form where they are able to login with correct
credentials. Entering incorrect credentials 3 times will take the user again to
CAPTCHA page.
- Creating user account during firstboot works.
- Blocked IP address the IP of the client such as 10.42.0.1 and not the local IP
address 127.0.0.1 according the django-axes log messages. While one client IP
address is blocked, another IP is able to login to the same user account that
was attempted by the blocked client.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- This prevents CSRF attacks that allow adversarial websites from logging out
users from FreedomBox. Django itself has made this change in 4.x releases.
Tests:
- Logout works with the menu item in drop-down when Javascript is enabled. The
menu item appears similar to other drop-down menu items.
- Logout works with the menu item when JavaScript is disabled on the page. The
menu item appears similar to other menu items.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Tests:
- Functional tests succeed
- Initial setup run during first setup successfully
- A key pair is created in /etc/apache2/auth-pubtkt-keys
- User is able successfully login to web UI.
- A non-admin user who has permission to access an app via group membership is
able to access the app's web interface.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Closes: #2178.
- Don't bother with the redirection to the next page using the ?next= URL
parameter. Always redirect to the home (index) page.
- Show a message that logout was successful.
- Ensure that SSO cookie is removed.
Tests:
- Logout and notice that redirection has been performed to the home page.
- "Logged out successfully." message is shown.
- When logged as a user with a language set, logging out preserves the language
of the user who was just logged out.
- Login. Click logout while having browser developer tool open. Notice that
Logout request has SSO cookie. The response does not have the cookie set. The
next request is to the home page and it does not have SSO cookie in the request.
- Login to tt-rss app that needs SSO to work. Logout from FreedomBox interface
using another page. Refresh the tt-rss page and notice that user was logged out
and redirect to FreedomBox login page.
- Logout. Again, manually visit the URL
https://10.42.0.203/plinth/accounts/logout/. The page is still required to home
page and success is still shown even though the user is already logged out.
- Repeat the logout test as non-admin user.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
This patch only ensures that response object is send along with set_language()
call. In later changes, response object can be used by set_language() to set the
language cookie.
Tests:
- Relevant functional tests pass.
- Login, user's language is set when the language is set to non-browser sent
language.
- Logout, user's language is retained when set to non-browser sent language.
- Login, user's language is set when the language is set to browser sent
language.
- Logout, user's language is retained when set to browser sent language.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Remove the need to pass all the individual information elements to the AppView
separately. This eliminates many issues with elements that were mistakenly not
sent to AppView. Also reduces a lot of code duplication.
- Create App classes for power and sso for consistency.
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Set autocapitalization='none' and autocomplete='username' on the username field.
Latest Django version uses those attributes by default on the username field.
Closes#1207
Signed-off-by: Veiko Aasa <veiko17@disroot.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Use the X-Forwarded-For header only if specified in the configuration. This
makes FreedomBox safe to use when not behind a reverse proxy server (although
we are unlikely to do this).
- When fetching the IP address to reset after successful login, use the
X-Forwarded-For header only if specified in the configuration.
- Minor flake8 refactorings.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
Use the user_logged_in signal provided by Django to log the user in. This keeps
the login code simple and uncluttered.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
When a logged-in user is logs out, keep the language preference of the user who
was just logged in. This is Django behavior, don't overwrite it.
Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- UserProfile model is created, it has one-to-one relationship with User.
- Language selection dropdown added to UserCreate and UserUpdate forms.
- Adds None to language selection dropdown to explicitly unselect.
- LANGUAGE_SESSION_KEY is set to User's preferred language on LogIn activity.
- LANGUAGE_SESSION_KEY is deleted on User's LogOut activity.
Signed-off-by: Sai Kiran Naragam <saikiran.rguiiit@gmail.com>
Reviewed-by: Sunil Mohan Adapa <sunil@medhas.org>
- Change sso refresh url to refresh-pubtkt since refresh was conflicting with
captcha's image refresh url.
- Fix datetime.timedelta calculation for refresh interval. Now validity of
ticket is 30 seconds as it was intended to be. It was wrongly set to 30 days
earlier.
Signed-off-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
(django-axes + django-simple-captcha) with sso is working at this point.
Signed-off-by: Joseph Nuthalpati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- clearing ip address correctly is not implemented yet
- currently clearing all ip addresses
Signed-off-by: Joseph Nuthalpati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
User will be shown captcha in the second attempt to login if login
fails in the first attempt.
Signed-off-by: Joseph Nuthalpati <njoseph@thoughtworks.com>
Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
- Removed key generation for mod_auth_pubtkt from first boot.
- Running setup every time plinth starts so that new essential modules
can be setup properly.
Partially fixes#875
- Install mod_auth_pubtkt and generate public/private key-pair.
- Redirect user to login page if no cookie is presented.
- Add check for authenticated user for login page.
- Temporarily switched to DSA because of a bug in mod_auth_pubtkt
which causes it to accept only DSA and not RSA. Also had to use SHA1
instead of SHA256.
- Enabled SSO for Syncthing, Repro and TT-RSS.
- Using tokens to authorize by user groups.
- Generate keys during first boot.
