Open Archmonger opened 3 years ago
aleksihakli
commented
3 years ago Hey @Archmonger, thanks for reporting! I think ASGI support would be essential to have as well. This would also be a good target for version 6.0.0.
Since we'd need to define a target setup that should work out-of-the-box or otherwise, would you mind posting example settings that should work with Axes and ASGI enabled?
Archmonger
commented
3 years ago This is the GitHub repository that I've been attempting to reach compatibility with https://github.com/Archmonger/Conreq. Repo only has python dependencies.
aleksihakli
commented
3 years ago That's good, let's go forward from there.
What other Django packages are you using by the way? It seems like the error is coming from here and the request should just be updated with the request.axes_attempt_time attribute, but it seems like the request is None. Where does that None request come from? Should we have a check for None request in user_logged_in similar to e.g. user_login_failed method?
Archmonger
commented
3 years ago The none value for request probably comes from the fact that Django channels refuses to work through multiple authentication backends.
If multiple backends are configured, it will force the user to define only one for every login call.
await login(
self.scope,
self.scope["user"],
backend="django.contrib.auth.backends.ModelBackend", # <<< This line right here
)So therefore the request never propagates up your Axes stack and all axes request attributes are never populated. Or at least that's my leading theory. I haven't looked at your team's source code and I'm not entirely familiar with the Django request stack.
Here's a list of django requirements I pulled out of my requirements.txt
awesome-django-timezones==0.3.0
channels==3.0.3
diskcache==5.1.0
django==3.1.5
django-htmlmin==0.11.0
django-solo==1.1.5
django-searchable-encrypted-fields==0.1.9
django-cleanup==5.1.0
daphne==3.0.1
django-project-version[git]==0.13.0
pwned-passwords-django==1.4.1
whitenoise[brotli]==5.2.0Just had a thought. Perhaps the to solution to "only one auth backend can be set" within channels is having the axes backend wrap one or more backends. For example a through a AXES_AUTH_BACKENDS variable.
aleksihakli
commented
3 years ago @Archmonger wrapping is actually a nice idea, if it can be done cleanly! Would you be interested in inspecting this on the code level? The authentication backend API specification from Django docs would need to be followed and ASGI implementation checked as well.
Archmonger
commented
3 years ago Sure. I'll consider a PR on axes as a part of my task list. I have a few higher priority cards so I'll get to it within roughly a month.
Archmonger
commented
3 years ago My work schedule slowed down my OSS work. Still aiming to tackle this as a PR but unsure what my timeline looks like.
aleksihakli
commented
3 years ago Roger that @Archmonger 👍 No need to worry about timelines since Axes is a voluntary FOSS project.
Archmonger
commented
3 years ago Just jotting down some ideas I had today in regards to the implementation of this future PR...
We can automate the whole AUTHENTICATION_BACKENDS wrapper idea.
1) Remove instructions for adding in a custom value to AUTHENTICATION_BACKENDS from the docs.
2) Read os.environ["DJANGO_SETTINGS_MODULE"] and forcibly set AUTHENTICATION_BACKENDS to an array containing only axes.backends.AxesBackend
django.conf. Will need testing to see what doesn't break Django.
3) axes.backends.AxesBackend will perform login functionality identical to the way Django internally handles it based on the original value of AUTHENTICATION_BACKENDS.AUTHENTICATION_BACKENDS array (essentially as a wrapper for all auth backends)aleksihakli
commented
3 years ago Forcibly setting the backend could lead to hard-to-debug problems in some stacks. Could there be alternatives to this approach or could we e.g. introduce a new flag for configuring another authentication backend separately in Axes that we could then invoke from e.g. a new Axes ASGI authentication wrapper backend?
Archmonger
commented
3 years ago Forcibly setting the values isn't necessary, I just thought it might be a clever way to automate some setup.
The alternative is:
AUTHENTICATION_BACKENDS = ['axes.backends.AxesBackend']
AXES_BACKENDS = [ 'example.one', 'example.two' ]Reusing the axes.backends.AxesBackend for this would be backwards compatible, as we can preserve old behavior if AXES_BACKENDS is not set.
This wouldn't really improve debug capabilities though, I'd say it's equivalent to the last method except isn't not automating the configuration.
I don't really think adding axes in the loop in either scenarios would affect stack traces in any harmful way. The user would just see an axes stack preceding the authentication stack that suffers from an exception.
aleksihakli
commented
3 years ago I'd rather have an added configuration key in the settings and think that "explicit is better than implicit" in this case. If we are using ASGI and have added the extra Axes settings, it might also be feasible to add system checks in the Django checks framework for making sure that the user has correctly configured the authentication stack i.e. has the AUTHENTICATION_BACKENDS and AXES_AUTHENTICATION_BACKENDS configured with correct looking types and values.
Archmonger
commented
3 years ago Agreed, adding some checks would be a good addition. We definitely want to raise django.core.exceptions.ImproperlyConfigured if the settings are bad.
Currently, Django Axes results in an exception when used with the login functionality within Django-Channels
channels.auth.If multiple backends are defined in
settings.py, Django Channels requires the user to define a backend to authenticate with. For example,But when the user defines this backend, it breaks the Axes authentication stack.
Perhaps it's worth discussing with the Django Channels team whether a workaround can be reached with their
loginfunction.