Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/agiliq/django-secure-login
https://github.com/agiliq/django-secure-login
Last synced: about 1 month ago
JSON representation
- Host: GitHub
- URL: https://github.com/agiliq/django-secure-login
- Owner: agiliq
- License: bsd-3-clause
- Created: 2013-11-20T07:45:29.000Z (almost 11 years ago)
- Default Branch: master
- Last Pushed: 2021-06-10T19:00:40.000Z (over 3 years ago)
- Last Synced: 2024-07-21T21:37:14.045Z (about 2 months ago)
- Language: Python
- Size: 60.5 KB
- Stars: 21
- Watchers: 21
- Forks: 7
- Open Issues: 4
-
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
Awesome Lists containing this project
- starred-awesome - django-secure-login - (Python)
README
Django Secure Login
=======================
[](https://travis-ci.org/agiliq/django-secure-login)
[](https://coveralls.io/r/agiliq/django-secure-login)
Overview
------------
Django secure login provides utilities to add simple security steps around login and registration. It provides two mixins, `SecureLoginBackendMixin` and `SecureFormMixin` which check for common vulnerabilities while logging in.
* `SecureLoginBackendMixin` can be used with any Backend which has a concept of username and password
* `SecureFormMixin` can be used with any Form which has a concept of username and password. (eg login form, registration form etc)
Settings
-----------
* `SECURE_LOGIN_CHECKERS`: A list of strings which can be evaluated to callables. The callable should return True if it wants the authentication to go through.
* `SECURE_LOGIN_ON_FAIL`: A list of strings which can be evaluated to callables. Can take any action appropriate to a failed login.
* `SECURE_LOGIN_MAX_HOURLY_ATTEMPTS`: Max failed attempts per hour before the user is locked out.
Features
---------
* Works with any Backend and Form which has usename-y and password-y attributes.
* Ensure that passwords have a minimum length (default 6)
* Ensure that the password is not in the list of known weak passwords.
* Ensure username is not same as password
* Email user on a failed login attempt for them.
* Lockout after 10 failed attempts within an hour.
Usage
-----------
Simple
===========
Set
AUTHENTICATION_BACKENDS = ("secure_login.backends.SecureLoginBackend", )
Which will run all the default checkers.
Advanced
===========
AUTHENTICATION_BACKENDS = ("secure_login.backends.SecureLoginBackend", )
And
SECURE_LOGIN_CHECKERS = [
"secure_login.checkers.no_weak_passwords",
"secure_login.checkers.no_short_passwords",
]
`SECURE_LOGIN_CHECKERS` should be a list of callables. Each callable should only return true if it wants the authentication to go through.
And
SECURE_LOGIN_ON_FAIL = [
"secure_login.on_fail.email_user",
"secure_login.on_fail.populate_failed_requests",
]
`SECURE_LOGIN_ON_FAIL` should be a list of callables. Each callable would be called in order if the authentication falls.
Writing new secure backends.
=================================
If you have an existing backend `FooBackend`, you can add SecureBackend like this.
class SecureFooLoginBackend(SecureLoginBackendMixin, FooBackend):
pass
If this backend has `email` as an username like identifier.
class SecureFooLoginBackend(SecureLoginBackendMixin, FooBackend):
def username_fieldname(self):
return "email"
Secure Form
============
Use the `SecureFormMixin` with your usual forms. If you have an existing for `FooForm`
class SecureFooForm(SecureFormMixin, FooForm):
pass
If this form uses email as username lke identifier
class SecureFooForm(SecureFormMixin, FooForm):
def username_fieldname(self):
return "email"
`SECURE_LOGIN_CHECKERS` will be tested in the the clean method.
TODO
---------
* Rate limits login attempts per IP.
* Rate limits login attempts per user.
* Emails admins on X failed attempts.
* Integrate with fail2ban.
* Support 2F authentication