mirror of
https://github.com/freedombox/FreedomBox.git
synced 2026-01-28 08:03:36 +00:00
770974c8ce
- Add explicit dependency on django-ipware >=3. django-axes >= 6 adds only and optional dependency on django-ipware. Adding explicit dependency make the behavior safer. - Depend on django-axes >= 5 where the authentication backend and other features are available. The new code won't work with older versions. The new approach uses and authentication backend to deny access to the login form on lockout and a middleware to redirect user to locked out form when limit of attempts have been reached. - Drop old code used for compatibility with django-axes 3.x. - Suppress verbose and debug messages as django-axes is too chatty. - Re-implment the CAPTCHA form entirely. In the old style, we have a login form with CAPTCHA field. That would not work with the new django-axes authentication middle. On submission of the form, auth.authenticate() will be called. This call invokes various authentication backends include django-axes authentication backend. This backend's behavior is to reject all authentication attempts when the IP is listed in locked table. The new approach is to provide a simple CAPTCHA form with just the CAPTCHA field. If the form is successfully validated (correct CAPTCHA is provided), then the lock on the IP address is reset. The user is then free to perform 3 more attempts to login. - Update firstboot form to send the request parameter when using auth.authenticate() method. This needed by Django axes' authentication method which will be triggered. Tests: - Run tests on Debian Bookworm and Debian testing. - Axes verbose messages and debug messages are not printed on the console when running FreedomBox in debug mode. - Only three invalid attempts are allowed at the login page. After the final incorrect attempt, user is redirected to CAPTCHA page. Visiting the login page using the URL works but entering the correct credentials still takes the user to CAPTCHA page. - CAPTCHA form appears as expected. Clicking the CAPTCHA images downloads the audio file corresponding to the image. Incorrect CAPTCHA shows an error. Correct CAPTCHA takes the user to login form where they are able to login with correct credentials. Entering incorrect credentials 3 times will take the user again to CAPTCHA page. - Creating user account during firstboot works. - Blocked IP address the IP of the client such as 10.42.0.1 and not the local IP address 127.0.0.1 according the django-axes log messages. While one client IP address is blocked, another IP is able to login to the same user account that was attempted by the blocked client. Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: James Valleroy <jvalleroy@mailbox.org>
208 lines
5.9 KiB
Python
208 lines
5.9 KiB
Python
#
|
|
# This file is part of FreedomBox.
|
|
#
|
|
# This program is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU Affero General Public License as
|
|
# published by the Free Software Foundation, either version 3 of the
|
|
# License, or (at your option) any later version.
|
|
#
|
|
# This program is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU Affero General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
"""
|
|
Basic settings for Django web framework.
|
|
|
|
During initialization of the service, these settings are overridden before
|
|
Django is initialized. However, this file has been written in this format to
|
|
let Django initialization easier in other situations such as test cases,
|
|
documentation generation, debugging etc.
|
|
|
|
See: https://docs.djangoproject.com/en/dev/ref/settings/
|
|
|
|
"""
|
|
|
|
ALLOWED_HOSTS = ['*']
|
|
|
|
_pwd = 'django.contrib.auth.password_validation'
|
|
|
|
AUTH_PASSWORD_VALIDATORS = [
|
|
{
|
|
'NAME': '{}.UserAttributeSimilarityValidator'.format(_pwd),
|
|
},
|
|
{
|
|
'NAME': '{}.MinimumLengthValidator'.format(_pwd),
|
|
'OPTIONS': {
|
|
'min_length': 8,
|
|
}
|
|
},
|
|
{
|
|
'NAME': '{}.CommonPasswordValidator'.format(_pwd),
|
|
},
|
|
{
|
|
'NAME': '{}.NumericPasswordValidator'.format(_pwd),
|
|
},
|
|
]
|
|
|
|
AUTHENTICATION_BACKENDS = [
|
|
# AxesStandaloneBackend should be the first backend. If the user is locked
|
|
# out due to too many attempts, the backend denies further attempts untill
|
|
# unlocked by a CAPTCHA form.
|
|
'axes.backends.AxesStandaloneBackend',
|
|
|
|
# Django ModelBackend is the default authentication backend.
|
|
'django.contrib.auth.backends.ModelBackend',
|
|
]
|
|
|
|
AXES_LOCKOUT_URL = 'locked/'
|
|
|
|
AXES_RESET_ON_SUCCESS = True
|
|
|
|
AXES_VERBOSE = False
|
|
|
|
CACHES = {
|
|
'default': {
|
|
'BACKEND': 'django.core.cache.backends.dummy.DummyCache'
|
|
}
|
|
}
|
|
|
|
CAPTCHA_FONT_PATH = ['/usr/share/fonts/truetype/ttf-bitstream-vera/Vera.ttf']
|
|
|
|
CAPTCHA_LENGTH = 6
|
|
|
|
CAPTCHA_FLITE_PATH = '/usr/bin/flite'
|
|
|
|
DATABASES = {
|
|
'default': {
|
|
'ENGINE': 'django.db.backends.sqlite3',
|
|
'OPTIONS': {
|
|
'timeout': 30
|
|
},
|
|
# Overridden based on the configuration key store_file
|
|
'NAME': '/var/lib/plinth/plinth.sqlite3'
|
|
}
|
|
}
|
|
|
|
# Overridden based on command line argument --develop
|
|
DEBUG = False
|
|
|
|
# This is already the default (Django 3.2), however, setting it explicitly
|
|
# seems to avoid a warning while running 'django-admin makemigrations'.
|
|
DEFAULT_AUTO_FIELD = 'django.db.models.AutoField'
|
|
|
|
# Overridden based on the configuration key server_dir
|
|
FORCE_SCRIPT_NAME = '/plinth'
|
|
|
|
# FreedomBox apps are appended to this list
|
|
INSTALLED_APPS = [
|
|
'axes',
|
|
'captcha',
|
|
'bootstrapform',
|
|
'django.contrib.auth',
|
|
'django.contrib.contenttypes',
|
|
'django.contrib.messages',
|
|
'django.contrib.sessions',
|
|
'stronghold',
|
|
'plinth',
|
|
]
|
|
|
|
# Overridden based on configuration key use_x_forwarded_host
|
|
IPWARE_META_PRECEDENCE_ORDER = ('REMOTE_ADDR', )
|
|
|
|
# Overridden by get_languages()
|
|
LANGUAGES = [('en', 'English')]
|
|
|
|
# Overridden by log configuration in log.py
|
|
LOGGING = {'version': 1}
|
|
|
|
LOGIN_URL = 'users:login'
|
|
|
|
LOGIN_REDIRECT_URL = 'index'
|
|
|
|
# Overridden before initialization
|
|
MESSAGE_TAGS = {}
|
|
|
|
MIDDLEWARE = (
|
|
'django.middleware.security.SecurityMiddleware',
|
|
'django.contrib.sessions.middleware.SessionMiddleware',
|
|
'django.middleware.locale.LocaleMiddleware',
|
|
'django.middleware.common.CommonMiddleware',
|
|
'django.middleware.csrf.CsrfViewMiddleware',
|
|
'django.contrib.auth.middleware.AuthenticationMiddleware',
|
|
'django.contrib.messages.middleware.MessageMiddleware',
|
|
'django.middleware.clickjacking.XFrameOptionsMiddleware',
|
|
'stronghold.middleware.LoginRequiredMiddleware',
|
|
'plinth.middleware.AdminRequiredMiddleware',
|
|
'plinth.middleware.FirstSetupMiddleware',
|
|
'plinth.modules.first_boot.middleware.FirstBootMiddleware',
|
|
'plinth.middleware.SetupMiddleware',
|
|
|
|
# AxesMiddleware should be the last middleware. It only formats user
|
|
# lockout messages and renders Axes lockout responses on failed user
|
|
# authentication attempts from login views.
|
|
'axes.middleware.AxesMiddleware',
|
|
)
|
|
|
|
PASSWORD_HASHERS = [
|
|
'plinth.hashers.Argon2PasswordHasherLowMemory',
|
|
'django.contrib.auth.hashers.PBKDF2PasswordHasher',
|
|
'django.contrib.auth.hashers.PBKDF2SHA1PasswordHasher',
|
|
'django.contrib.auth.hashers.BCryptSHA256PasswordHasher',
|
|
]
|
|
|
|
ROOT_URLCONF = 'plinth.urls'
|
|
|
|
SECURE_CONTENT_TYPE_NOSNIFF = True
|
|
|
|
# Overridden based configuration key secure_proxy_ssl_header
|
|
SECURE_PROXY_SSL_HEADER = None
|
|
|
|
SESSION_ENGINE = 'django.contrib.sessions.backends.file'
|
|
|
|
SESSION_FILE_PATH = '/var/lib/plinth/sessions'
|
|
|
|
# Overridden based on configuration key server_dir
|
|
STATIC_URL = '/plinth/static/'
|
|
|
|
# STRONGHOLD_PUBLIC_URLS=(r'^captcha/', )
|
|
|
|
STRONGHOLD_PUBLIC_NAMED_URLS = (
|
|
'captcha-image',
|
|
'captcha-image-2x',
|
|
'captcha-audio',
|
|
'captcha-refresh',
|
|
)
|
|
|
|
TEMPLATES = [
|
|
{
|
|
'BACKEND': 'django.template.backends.django.DjangoTemplates',
|
|
'APP_DIRS': True,
|
|
'OPTIONS': {
|
|
'context_processors': [
|
|
'django.contrib.auth.context_processors.auth',
|
|
'django.template.context_processors.debug',
|
|
'django.template.context_processors.i18n',
|
|
'django.template.context_processors.media',
|
|
'django.template.context_processors.request',
|
|
'django.template.context_processors.static',
|
|
'django.template.context_processors.tz',
|
|
'django.contrib.messages.context_processors.messages',
|
|
'plinth.context_processors.common',
|
|
],
|
|
},
|
|
},
|
|
]
|
|
|
|
TIME_ZONE = 'UTC'
|
|
|
|
USE_L10N = True
|
|
|
|
USE_TZ = True
|
|
|
|
# Overridden by configuration setting use_x_forwarded_host
|
|
USE_X_FORWARDED_HOST = False
|