I want a brute force protector for logins that will:
1. block based on username (eventually add ip)
2. store info about failed login to db (username, pwd, user-agent, etc)
3. When locked will tell user that they are locked out
I looked at the following apps:
1. http://code.google.com/p/django-brutebuster/ In decorators.py the
   method returns None when locked so the user gets the "Please enter a
   correct username and password. Note that both fields are
   case-sensitive". I want the user to know the account is locked out.
2. https://github.com/alexkuhl/django-failedloginblocker In
   decorators.py the method raises an exception which means if
   debug=False the user will see a 500 error.
3. http://code.google.com/p/django-axes/ This doesn't include the user
   (has ip and user-agent). In decorators.py I'm not sure how to get
   the user name. Also I'm concerned about the approach of trying to
   log someone in and then logging them out if the account is locked. I
   like the approaches of #1 and #2 where they first check if the
   account is locked before trying to log them in.
For #1 and #2 I looked into adding the error to the form and I found
this post Django - Error Message in Custom Auth Backend
<http://stackoverflow.com/questions/5523928/django-error-message-in-custom-auth-backend>
that says overwrite django.contrib.auth.forms.AuthenticationForm but I'm
not sure how to incorporate the new form in the apps.
Does anyone have suggestions about writing a brute force protector that
will do the things I want?
I posted this on stackoverflow
<http://stackoverflow.com/questions/12135422/django-brute-force-protection>
but didn't get a response.
Brian
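
An added example, not part of the original post and not code from any of the apps named in it: a framework-independent sketch of the flow the post asks for, where the lock is checked before the password, failures are stored per username, and a locked account gets its own message instead of the generic error or a 500. The table layout, function names, threshold and window are assumptions, and the sample user and user-agent are constructed.

```python
import sqlite3
import time

MAX_FAILURES = 3        # assumed threshold
WINDOW_SECONDS = 900    # assumed window for counting failures

class LockedOut(Exception):
    """Raised so the caller can render an explicit 'locked out' message."""

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE failed_login (username TEXT, user_agent TEXT, ts REAL)")
    return db

def is_locked(db, username, now):
    # Count only failures inside the window, so the lock expires on its own.
    (count,) = db.execute(
        "SELECT COUNT(*) FROM failed_login WHERE username = ? AND ts > ?",
        (username, now - WINDOW_SECONDS),
    ).fetchone()
    return count >= MAX_FAILURES

def login(db, username, password, user_agent, check_password, now=None):
    now = time.time() if now is None else now
    # Check the lock first: a locked account never reaches the password check.
    if is_locked(db, username, now):
        raise LockedOut("This account is temporarily locked out.")
    if check_password(username, password):
        return True
    # Record the failure. This example deliberately does not store the
    # submitted password, since near-miss passwords are sensitive.
    db.execute("INSERT INTO failed_login VALUES (?, ?, ?)", (username, user_agent, now))
    db.commit()
    return False

def demo():
    users = {"alice": "correct horse"}          # constructed sample account
    check = lambda u, p: users.get(u) == p      # stand-in for the real backend
    db, results = open_store(), []
    for i, pwd in enumerate(["a", "b", "c", "correct horse"]):
        try:
            results.append(login(db, "alice", pwd, "constructed-agent/1.0", check, now=1000.0 + i))
        except LockedOut as exc:
            results.append(str(exc))
    # Once the window has passed, the correct password is accepted again.
    later = 1002.0 + WINDOW_SECONDS + 1
    results.append(login(db, "alice", "correct horse", "constructed-agent/1.0", check, now=later))
    return results
```

In a Django view or form, the `LockedOut` case would map to a form validation error rather than an unhandled exception.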