HUE-2014 [core] Lock Hue for nth failed log-in attempts for a user

Review Request #4260 — Created March 18, 2014 and updated

abec
old-hue-rw
HUE-2014
hue
enricoberti, romain
commit 000f45f888bd81698d55b3940c8729fab338b223
Author: Abraham Elmahrek <abraham@elmahrek.com>
Date:   Tue Mar 4 14:02:25 2014 -0800

    HUE-2014 [core] Lock Hue for nth failed log-in attempts for a user
    
    Lock users out after 'nth' attempt per username per session.
    This means that every new user will have 'n' attempts per username.
    Provide a switch for locking superusers out.

:100644 100644 7e2d1a1... 76cee4c... M	desktop/conf.dist/hue.ini
:100644 100644 58ab0ec... 12666ed... M	desktop/conf/pseudo-distributed.ini.tmpl
:100644 100644 6d82d7f... 91505e8... M	desktop/core/src/desktop/auth/views.py
:100644 100644 0c56c6c... af5756e... M	desktop/core/src/desktop/auth/views_test.py
:100644 100644 336713e... cf204ed... M	desktop/core/src/desktop/conf.py
Provided new tests to verify this.
romain
  1. Nice! Just wondering about the end user XP?
  2. desktop/core/src/desktop/auth/views.py (Diff revision 1)
     
     
    I think we should delete the key on success if there is one?
  3. desktop/core/src/desktop/auth/views.py (Diff revision 1)
     
     
     
     
    Are we showing back something to the user?
    
    A 301 could be nice, that way the navigator can catch it?
abec
Review request changed
romain
  2. desktop/core/src/desktop/auth/forms.py (Diff revision 2)
     
     
    I was looking at some middlewares or apps that do this; in their logic they also check for the IP, so that way I can't have you blocked if I know your username. Do we do something like that (ideally stick to one anonymous session by user)?
    
    e.g.
    https://www.djangopackages.com/grids/g/security/
    1. They do it by IP address so that they simply don't clear their session and retry. I wanted to avoid this for now as it would require database changes. It's definitely a possibility though.
  3. desktop/core/src/desktop/templates/login.mako (Diff revision 2)
     
     
     
     
    Do we still display that if needed? (the login page is getting complicated)
    1. There's a condition above this one that will display the errors only if the form has errors.
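The trade-off raised in this thread, a failure counter kept per username in the session versus one kept server-side per username and IP, as an added example that is not part of the review or of Hue's code. `LockoutTracker`, `MAX_ATTEMPTS = 3`, the key names and the addresses are assumptions made for illustration; the counter is also deleted on a successful login, as suggested in the first review.

```python
MAX_ATTEMPTS = 3  # assumed threshold; the review only calls it 'n'

class LockoutTracker:
    """Failed-login counter (hypothetical helper, not Hue's implementation)."""

    def __init__(self, per_session):
        self.per_session = per_session
        self.server_store = {}  # stands in for a database or cache table

    def _slot(self, session, username, ip):
        # Session scope: the count lives in the session tied to the client's cookie.
        # Server scope: the count is keyed by (username, ip) and survives a new session.
        if self.per_session:
            return session, "failed_login:" + username
        return self.server_store, (username, ip)

    def is_locked(self, session, username, ip):
        store, key = self._slot(session, username, ip)
        return store.get(key, 0) >= MAX_ATTEMPTS

    def record(self, session, username, ip, success):
        store, key = self._slot(session, username, ip)
        if success:
            store.pop(key, None)  # delete the key on success
        else:
            store[key] = store.get(key, 0) + 1

def refused_attempts(tracker, fresh_session_each_try, tries=10):
    """Return how many of `tries` wrong-password log-ins the lock refuses."""
    session, refused = {}, 0
    for _ in range(tries):
        if fresh_session_each_try:
            session = {}  # the client came back without its session cookie
        if tracker.is_locked(session, "alice", "203.0.113.7"):  # constructed values
            refused += 1
            continue
        tracker.record(session, "alice", "203.0.113.7", success=False)
    return refused

if __name__ == "__main__":
    print("session scope, same session :", refused_attempts(LockoutTracker(True), False))
    print("session scope, new sessions :", refused_attempts(LockoutTracker(True), True))
    print("server scope,  new sessions :", refused_attempts(LockoutTracker(False), True))
```

Keying the server-side counter on the IP as well as the username keeps a lock triggered from one address from applying to the same username at another address.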