I want a brute force protector for logins that will:

- block based on username (eventually add IP)
- store info about failed logins to the DB (username, pwd, user-agent, etc.)
- when locked, tell the user that they are locked out

I looked at the following apps:

1. http://code.google.com/p/django-brutebuster/ In decorators.py the method returns None when locked, so the user gets the “Please enter a correct username and password. Note that both fields are case-sensitive” message. I want the user to know the account is locked out.
2. https://github.com/alexkuhl/django-failedloginblocker In decorators.py the method raises an exception, which means if debug=False the user will see a 500 error.
3. http://code.google.com/p/django-axes/ This doesn't include the user (it has IP and user-agent). In decorators.py I'm not sure how to get the username. Also, I'm concerned about the approach of trying to log someone in and then logging them out if the account is locked. I like the approaches of #1 and #2, where they first check if the account is locked before trying to log them in.

For #1 and #2 I looked into adding the error to the form, and I found this post, "Django - Error Message in Custom Auth Backend", that says to overwrite django.contrib.auth.forms.AuthenticationForm, but I'm not sure how to incorporate the new form in the apps.

Does anyone have suggestions about writing a brute force protector that will do the things I want?
I posted this on Stack Overflow but didn't get a response.

Brian

For my long-term plans I want it to be app-based. To start with, I want to give 3 tries and then lock out. For my use case this will work. Long term I'd like to add IP and move over to a CAPTCHA after 3 tries and a delay like 2^tryNumber.
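
An added example, not part of the original posts or of any of the apps they mention: a framework-independent Python version of the behaviour asked for above, where the lock is checked per username before credentials are verified, a locked account gets its own message, and after 3 failures the wait is 2^tryNumber seconds (one reading of the plan in the last message). `LockoutGuard`, `LoginResult`, the in-memory dict standing in for the DB table, and the `check_credentials` callable are assumptions; the example records username and user-agent per failure, not the submitted password.

```python
import time
from dataclasses import dataclass, field
from typing import Callable

MAX_TRIES = 3  # from the post: 3 tries, then lockout


@dataclass
class LoginResult:
    ok: bool
    locked: bool
    message: str


@dataclass
class LockoutGuard:
    """Hypothetical guard; `failures` stands in for the failed-login DB table."""
    clock: Callable[[], float] = time.time
    failures: dict = field(default_factory=dict)  # username -> failure records

    def retry_after(self, username: str) -> float:
        """Seconds until this username may try again (0 when not locked)."""
        recs = self.failures.get(username.lower(), [])
        if len(recs) < MAX_TRIES:
            return 0
        delay = 2 ** len(recs)  # from the post: delay of 2^tryNumber
        return max(0, recs[-1]["at"] + delay - self.clock())

    def _locked(self, wait: float) -> LoginResult:
        return LoginResult(False, True, f"Account locked, retry in {wait:.0f}s.")

    def login(self, username, password, user_agent, check_credentials):
        key = username.lower()
        wait = self.retry_after(key)
        if wait > 0:  # lock is checked BEFORE any authentication attempt
            return self._locked(wait)
        if check_credentials(username, password):
            self.failures.pop(key, None)  # success clears the counter
            return LoginResult(True, False, "Logged in.")
        # Record the failure (no password stored in this example).
        self.failures.setdefault(key, []).append(
            {"at": self.clock(), "user_agent": user_agent})
        wait = self.retry_after(key)
        if wait > 0:
            return self._locked(wait)
        return LoginResult(False, False,
                           "Please enter a correct username and password.")
```

In a Django login view or a form's `clean()`, the `locked` flag is what lets the page show the lockout message instead of the generic credentials error or a 500.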