Tivix / django-rest-auth

This app makes it extremely easy to build Django-powered SPAs (Single Page Apps) or mobile apps, exposing all registration- and authentication-related functionality as CBVs (Class Based Views) and REST (JSON)
www.tivix.com
MIT License

When using django-axes same response for locked users and authentication failures. #532

Closed antetna closed 5 years ago

antetna commented 5 years ago

Hello,

I am using these packages:

Django==1.11
django-axes==5.0.1
django-rest-auth==0.9.5
djangorestframework==3.7.0

If I use the DRF login views it works as expected: locked-out users will see the lockout template page.

When using django-rest-auth, how do I know whether wrong credentials were provided or the user was locked out by django-axes? Before using django-axes it was easy because the response was HTTP 400 for failed logins; now, even when good credentials are provided, if the user has been locked out by django-axes I will get HTTP 400.

Maybe django-rest-auth should listen for a signal to catch this?

django-axes/handlers/database

    if failures_since_start >= settings.AXES_FAILURE_LIMIT:
        log.warning('AXES: Locking out %s after repeated login failures.', client_str)

        user_locked_out.send(
            'axes',
            request=request,
            username=username,
            ip_address=request.axes_ip_address,
        )
antetna commented 5 years ago

Found a solution with a slightly modified LOGIN_SERIALIZER in django-rest-auth:

        # Inside LoginSerializer.validate(): once the user is locked out, the
        # axes backend raises AxesSignalPermissionDenied (axes.exceptions) from
        # authenticate(), so catch it and remember that this was a lockout
        # rather than a plain credentials failure.
        blocked_by_axes = False
        user = None
        try:
            user = self._validate_username_email(username, '', password)
        except AxesSignalPermissionDenied:
            blocked_by_axes = True

        # Did we get back an active user?
        if user:
            if not user.is_active:
                msg = _('User account is disabled.')
                raise exceptions.ValidationError(msg)
        else:
            if blocked_by_axes:
                # Translate first, then format, so gettext can find the string.
                msg = _('Access denied due to {max_attempts} login failures.').format(
                    max_attempts=settings.AXES_FAILURE_LIMIT)
            else:
                msg = _('Unable to log in with provided credentials.')
            raise exceptions.ValidationError(msg)
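To see the two outcomes side by side without a Django project, here is an added, framework-free model of the flow described in this issue (example code written for this page, not code from django-rest-auth or django-axes). The `AxesSignalPermissionDenied` and `ValidationError` classes are stand-ins for the real exceptions, the failure counter is keyed by username only (django-axes also tracks IP addresses), and the credential store, the `AXES_FAILURE_LIMIT` value and the `authenticate`, `validate_login`, `login_outcome` and `demo` functions are all constructed for the example.

```python
"""Framework-free model of the django-axes lockout interaction from the issue.

Constructed example: nothing here imports Django, django-axes or
django-rest-auth. The names mirror the real ones so the mapping back to
the serializer patch is obvious, but every class and function is a stand-in.
"""

AXES_FAILURE_LIMIT = 3  # assumed setting value, chosen for the example


class AxesSignalPermissionDenied(Exception):
    """Stand-in for axes.exceptions.AxesSignalPermissionDenied."""


class ValidationError(Exception):
    """Stand-in for rest_framework.exceptions.ValidationError (HTTP 400)."""


class LockoutState:
    """Counts failed attempts per username, like the axes database handler."""

    def __init__(self, failure_limit=AXES_FAILURE_LIMIT):
        self.failure_limit = failure_limit
        self.failures = {}

    def is_locked(self, username):
        return self.failures.get(username, 0) >= self.failure_limit

    def record_failure(self, username):
        self.failures[username] = self.failures.get(username, 0) + 1

    def reset(self, username):
        self.failures.pop(username, None)


# Constructed credential store; a real backend compares password hashes.
USERS = {"alice": "correct horse battery staple"}


def authenticate(state, username, password):
    """Models the axes backend: a locked user is refused before the
    credentials are even checked; otherwise return the user on success
    or None on a wrong password (and count that failure)."""
    if state.is_locked(username):
        raise AxesSignalPermissionDenied(username)
    if USERS.get(username) == password:
        state.reset(username)
        return username
    state.record_failure(username)
    return None


def validate_login(state, username, password):
    """The serializer logic from the issue, including the ``blocked_by_axes``
    initialisation. Returns the user on success; otherwise raises
    ValidationError with a message that tells a lockout apart from bad
    credentials."""
    blocked_by_axes = False
    user = None
    try:
        user = authenticate(state, username, password)
    except AxesSignalPermissionDenied:
        blocked_by_axes = True

    if user:
        return user
    if blocked_by_axes:
        raise ValidationError(
            "Access denied due to %d login failures." % state.failure_limit)
    raise ValidationError("Unable to log in with provided credentials.")


def login_outcome(state, username, password):
    """Return ('ok', user) or ('error', message), as an API layer would."""
    try:
        return ("ok", validate_login(state, username, password))
    except ValidationError as exc:
        return ("error", str(exc))


def demo():
    """Three wrong passwords lock alice; the correct password is then
    refused as well, but with the lockout message, which is exactly the
    distinction the issue asks for."""
    state = LockoutState()
    outcomes = [login_outcome(state, "alice", "wrong") for _ in range(3)]
    outcomes.append(login_outcome(state, "alice", USERS["alice"]))
    return outcomes


if __name__ == "__main__":
    for status, detail in demo():
        print(status, detail)
```

Run the file to see three credential failures followed by the lockout message for a correct password. Note that a distinct lockout message also tells the client that an account is locked, so decide per deployment whether the API should expose that or keep the generic message and log the lockout server-side instead.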