
django-ratelimit-backend's Issues

Does not work with OAuth 2 bearer tokens

When used with OAuth 2 bearer tokens as provided by django-oauth-toolkit, a bad or missing token causes a 500 server error instead of a 403 unauthorized as expected:

Internal Server Error: /v2/folders/all
Traceback (most recent call last):
  File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py", line 108, in get_response
    response = middleware_method(request)
  File "/usr/local/lib/python2.7/dist-packages/oauth2_provider/middleware.py", line 38, in process_request
    user = authenticate(request=request)
  File "/usr/local/lib/python2.7/dist-packages/django/contrib/auth/__init__.py", line 74, in authenticate
    user = backend.authenticate(**credentials)
  File "/usr/local/lib/python2.7/dist-packages/ratelimitbackend/backends.py", line 25, in authenticate
    username = kwargs[self.username_key]
KeyError: 'username'

I already have a fix for this so I'll open a PR.

Can this be used to do soft-lockouts, too?

Hi: I've scanned the source once, but I'm not sure I have the answer to my question.

I'd like to implement a soft lockout where after (say) 3 failed attempts, I add a captcha to the form.

Is it possible to inject this behavior into what django-ratelimit-backend provides?

Thanks

Not compatible with django-cms 2.3.1?

I installed Django-CMS and was wondering why the cms doesn't appear in the admin.

I finally removed the import in urls.py:

from ratelimitbackend import admin

and added back:

from django.contrib import admin

Seems the autodiscover() isn't working properly. =(

In Usage, document authenticate(..., request=request)

The docs say "If you use django.contrib.auth.forms.AuthenticationForm directly, replace it with ratelimitbackend.forms.AuthenticationForm and always pass it the request object."

On this topic, they should also say "If you use django.contrib.auth.authenticate, pass it the request object."

Improve explanation of replacing admin with rate-limited admin

From the documentation:

Whenever you use django.contrib.admin, use ratelimitbackend.admin
instead.

In your urls.py:

  from ratelimitbackend import admin

  admin.autodiscover()

  urlpatterns += patterns('',
      (r'^admin/', include(admin.site.urls)),
  )

In your apps' admin.py files:

  from ratelimitbackend import admin

  from .models import SomeModel

  admin.site.register(SomeModel)

  1. Why should the admin imports in admin.py files be replaced?
  2. How should admin imports in the admin.py files of third party apps be replaced?

Lots of bugs with Django 4.2

Almost none of the modules are usable and importable... this package needs bug fixes in different areas. It seems the developers of this package haven't cared about Django deprecation warnings for a while!

Before adding new features make sure your package is usable!

Is this still being maintained?

It looks like there haven't been any commits in 20 months, and there are a few reasonable-looking PRs that haven't received any reply. @brutasse , are you still maintaining this repository? If not, are you open to handing over to a new maintainer and/or helping facilitate a clean transition to a new fork?

Asking because I'm currently using a fork that we had hoped would be temporary, but are now looking at needing to update it for new Django versions, CI improvements, etc. (and our last submitted PR is among the ones awaiting a reply).

app hides admins of third party apps

I followed the instructions and replaced the django admin imports with from ratelimitbackend import admin.

As a result I don't see the admins of third party apps like django-cms any more when I call admin.autodiscover() in my urls.py.

Does this mean django-ratelimit-backend can only be used in a project where I have full control over all apps and their models and admins?

Remove admin.autodiscover() for URLconf example

I suggest to replace:

from ratelimitbackend import admin

admin.autodiscover()

urlpatterns += patterns('',
    (r'^admin/', include(admin.site.urls)),
)

with:

from ratelimitbackend import admin

urlpatterns += [
    (r'^admin/', include(admin.site.urls)),
]

which is the recommended style as of Django 1.7, the oldest currently supported Django version.

following example for custom backend: no 'username' in request.POST

Following https://django-ratelimit-backend.readthedocs.io/en/latest/usage.html#customizing-rate-limiting-criteria

  File "/usr/local/lib/python3.7/site-packages/ratelimitbackend/backends.py", line 33, in authenticate
    counts = self.get_counters(request)
  File "/usr/local/lib/python3.7/site-packages/ratelimitbackend/backends.py", line 60, in get_counters
    return cache.get_many(self.keys_to_check(request))
  File "/usr/local/lib/python3.7/site-packages/ratelimitbackend/backends.py", line 68, in keys_to_check
    ) for minute in range(self.minutes + 1)
  File "/usr/local/lib/python3.7/site-packages/ratelimitbackend/backends.py", line 68, in <listcomp>
    ) for minute in range(self.minutes + 1)
  File ".../settings/ratelimit.py", line 15, in key
    return f'{request.POST[self.username_key][:max_username_length]}-{dt}'
  File "/usr/local/lib/python3.7/site-packages/django/utils/datastructures.py", line 79, in __getitem__
    raise MultiValueDictKeyError(key)
django.utils.datastructures.MultiValueDictKeyError: 'username'

from backends.py/RateLimitMixin:

    def authenticate(self, request=None, **kwargs):
        username = None
        try:
            username = kwargs[self.username_key]
        except KeyError:
            if not self.no_username:
                raise

So username is expected to be passed through **kwargs, not request. Can't make the example work without override-ing authenticate, get_counters, get_cache_key, key.
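Three of the issues on this page turn on the same design point: the OAuth 2 bearer-token report (a backend that indexes kwargs['username'] blows up with a KeyError when the caller passes only request), the soft-lockout question (a captcha after three failures), and this one (the counter key must be built from the username that arrived in the authenticate() kwargs, because request.POST can be empty). The following is an added, self-contained illustration of that pattern written for this page; it is not django-ratelimit-backend's own code, and every name in it (RateLimitMixin, RateLimitException, DemoBackend, TokenBackend, FakeRequest, the cache dict, the injected clock, the thresholds 3 and 6) is an assumption of the example rather than the project's API. The credential tables and requests are constructed test data.

```python
from datetime import datetime, timedelta


class RateLimitException(Exception):
    """Hard limit reached (hypothetical name for this example)."""

    def __init__(self, username, counts):
        super().__init__(f"too many failed logins for {username!r}")
        self.username, self.counts = username, counts


class RateLimitMixin:
    """Failure counters per (username, client IP), one cache key per minute,
    summed over a sliding window. The username is taken from the
    authenticate() kwargs, never from request.POST, so JSON or bearer-token
    requests with an empty form body are handled the same way."""

    minutes = 5            # window length in minutes
    requests = 30          # hard limit: refuse once this many failures are seen
    captcha_after = 3      # soft lockout: the form asks for a captcha after this
    username_key = "username"
    no_username = False    # True for backends that authenticate without a username

    def __init__(self, cache, now):
        self.cache = cache  # plain dict standing in for Django's cache
        self.now = now      # callable returning the current datetime

    def authenticate(self, request=None, **kwargs):
        try:
            username = kwargs[self.username_key]
        except KeyError:
            if not self.no_username:
                raise  # a password backend called without a username is a bug
            username = None  # token-style backend: key on the IP only
        if request is not None:
            counts = self.get_counters(request, username)
            if sum(counts.values()) >= self.requests:
                raise RateLimitException(username, counts)
        user = self.check_credentials(request, **kwargs)
        if user is None and request is not None:
            self.increment_counter(request, username)  # only failures count
        return user

    def check_credentials(self, request, **kwargs):
        raise NotImplementedError  # provided by the concrete backend

    def key(self, request, username, dt):
        ip = request.META.get("REMOTE_ADDR", "")
        user = (username or "")[:100]  # bound key length against huge usernames
        return f"rl-{user}-{ip}-{dt:%Y%m%d%H%M}"

    def keys_to_check(self, request, username):
        now = self.now()
        return [self.key(request, username, now - timedelta(minutes=m))
                for m in range(self.minutes + 1)]

    def get_counters(self, request, username):
        keys = self.keys_to_check(request, username)
        return {k: self.cache[k] for k in keys if k in self.cache}

    def increment_counter(self, request, username):
        k = self.key(request, username, self.now())
        self.cache[k] = self.cache.get(k, 0) + 1

    def failures(self, request, username):
        return sum(self.get_counters(request, username).values())

    def captcha_required(self, request, username):
        """Soft lockout check a login form would run before rendering."""
        return self.failures(request, username) >= self.captcha_after


class DemoBackend(RateLimitMixin):
    """Password backend over a constructed user table."""
    requests = 6  # low hard limit so the scenario below is short
    USERS = {"alice": "correct horse battery staple"}

    def check_credentials(self, request, username=None, password=None, **kw):
        return username if self.USERS.get(username) == password else None


class TokenBackend(RateLimitMixin):
    """Bearer-token backend, called as authenticate(request=request) only."""
    no_username = True
    TOKENS = {"tok-123": "alice"}  # constructed

    def check_credentials(self, request, **kwargs):
        header = request.META.get("HTTP_AUTHORIZATION", "")
        return self.TOKENS.get(header.partition("Bearer ")[2])


class FakeRequest:
    """Minimal stand-in for HttpRequest; POST is empty on purpose."""
    def __init__(self, ip="203.0.113.5", auth=None):
        self.META = {"REMOTE_ADDR": ip}
        if auth:
            self.META["HTTP_AUTHORIZATION"] = auth
        self.POST = {}


def drive(n_attempts):
    """Constructed scenario: n wrong passwords for alice, 20 s apart.
    Returns (failures counted, captcha required, hard limit hit)."""
    cache, clock = {}, [datetime(2024, 1, 1, 12, 0)]
    backend, req, limited = DemoBackend(cache, lambda: clock[0]), FakeRequest(), False
    for _ in range(n_attempts):
        try:
            backend.authenticate(request=req, username="alice", password="wrong")
        except RateLimitException:
            limited = True
            break
        clock[0] += timedelta(seconds=20)
    return backend.failures(req, "alice"), backend.captcha_required(req, "alice"), limited


def token_login(auth_header):
    """Bad or missing token yields None (a 401/403 upstream), not a KeyError."""
    backend = TokenBackend({}, lambda: datetime(2024, 1, 1, 12, 0))
    return backend.authenticate(request=FakeRequest(auth=auth_header))


def password_backend_without_username():
    """The failure mode from the OAuth issue: no username in kwargs."""
    backend = DemoBackend({}, lambda: datetime(2024, 1, 1, 12, 0))
    try:
        backend.authenticate(request=FakeRequest())
    except KeyError as exc:
        return type(exc).__name__
    return None
```

The soft lockout is just a second, lower threshold read from the same counters: a login form calls captcha_required(request, username) with the submitted username before it validates, and renders the captcha field once three failures have accumulated in the window, while the hard limit keeps raising as before. Because key() is fed the username that came through the kwargs, the same mixin works for a JSON login endpoint whose request.POST is empty, and a backend that sets no_username = True simply keys on the client IP instead of crashing when no username is supplied.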
