sissbruecker / linkding

Self-hosted bookmark manager that is designed to be minimal, fast, and easy to set up using Docker.
MIT License

bug: a bad login attempt does not log a 401 HTTP error but a 200 (problem for fail2ban) #677

Closed marc0janssen closed 3 months ago

marc0janssen commented 3 months ago

Hi there,

Awesome software.... I changed from a paid pinboard.in to this in a 1 sec,

But

A bad login attempt is logged with an HTTP 200 instead of an HTTP 401 error. This means I can't use fail2ban, because I can't filter on 401s!

No other mention of a failed attempt in the log either....

please log the 401's!!

sissbruecker commented 3 months ago

Awesome software.... I changed from a paid pinboard.in to this in a 1 sec,

Cool!

A bad login attempt is logged with an HTTP 200 instead of an HTTP 401 error..

It's debatable whether that is a bug or not. This is how the Django framework used by linkding, and tons of other web apps, chooses to implement their login view. This SO answer explains it quite well: https://stackoverflow.com/questions/25839434/django-login-with-wrong-credentials-returns-200-not-401/25840166#25840166

Now I get that this doesn't help if you want to implement fail2ban, but I'll probably not change the defaults. Rather there should be an option for returning a different status code, or a feature for logging failed attempts to the Docker logs. Both should be fairly easy to implement, so contributions are welcome.

Apart from that fail2ban support was already requested in https://github.com/sissbruecker/linkding/issues/489, so let me close this in favor of that.

marc0janssen commented 3 months ago

Hi Sascha,

Thanks for explaining all of this, I will dive into this and see if I can find a solution (if it is in my power). Fair enough, this is not a bug, as you explain the Django framework is like this.

This software is still awesome… I love everything about it… as said I turned away from pinboard.in 1 sec. I’ve been there for 12 years…. But this is so nice…

Is there a way I can make a donation to you for your hard work?

Best regards, Marco


sissbruecker commented 3 months ago

The linked SO question contains some pointers on how to customize the login view to return a different status code. The other part of the task would be to add a new option in base.py for customizing the status code, and then use that in the custom login view.

Is there a way I can make a donation to you for your hard work?

Currently I have no plans to profit from this project and as such don't accept donations. If you want you can donate to the Internet Archive, which receives some additional traffic from linkding. So helping them compensate for that, and their useful service in general, is a nice thing to do. Or, you know, invest some time, dig into the code base and add this feature 🙂.
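The two maintainer comments above sketch the feature in outline: a custom login view that logs each failed attempt (optionally with a non-200 status), and a fail2ban filter that picks those lines up. The following is an added example, not code from linkding or its author; it shows the part that has to agree on both sides, namely the log-line format and the fail2ban failregex that matches it, and it replays fail2ban's maxretry/findtime counting over constructed log lines so the filter can be checked without a running fail2ban. The setting name LD_FAILED_LOGIN_STATUS, the logger name linkding.auth and every log line below are assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Hypothetical setting (not an existing linkding option). Django's LoginView
# answers a bad password with 200; 401 is what the fail2ban use case wants.
LD_FAILED_LOGIN_STATUS = 401

# Line the custom login view would emit from form_invalid(). The timestamp is
# first so fail2ban's default datepattern picks it up.
LOG_FORMAT = "{ts} WARNING linkding.auth: failed login for user '{user}' from {ip}"


def format_failed_login(ts: datetime, username: str, ip: str) -> str:
    """Render one failed-login log line; ts is naive UTC."""
    # The username is attacker-controlled: neutralise line breaks so one
    # request cannot forge a second log line (log injection).
    user = username.replace("\r", "\\r").replace("\n", "\\n")
    return LOG_FORMAT.format(ts=ts.strftime("%Y-%m-%d %H:%M:%S"), user=user, ip=ip)


# The failregex one would put in /etc/fail2ban/filter.d/linkding.conf.
# fail2ban replaces <HOST> with its own host-matching group; anchoring on $
# makes the greedy '.*' bind to the LAST "' from <HOST>", so a username that
# contains "' from 10.0.0.1" cannot make fail2ban ban the wrong address.
FAILREGEX = r"linkding\.auth: failed login for user '.*' from <HOST>$"


def failregex_to_python(failregex: str) -> re.Pattern:
    """Local stand-in for fail2ban's <HOST> expansion (IPv4/IPv6 literals)."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>[0-9a-fA-F.:]+)"))


_PATTERN = failregex_to_python(FAILREGEX)


def host_of(line: str):
    """Return the host a line attributes the failure to, or None if no match."""
    m = _PATTERN.search(line)
    return m.group("host") if m else None


def parse_failures(lines):
    """Yield (timestamp, host) for every line the failregex matches."""
    for line in lines:
        host = host_of(line)
        if host is None:
            continue
        yield datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S"), host


def hosts_to_ban(lines, maxretry: int = 5, findtime: int = 600) -> set:
    """Approximate fail2ban: ban a host once it has maxretry matches within
    findtime seconds of each other (sliding window over the log)."""
    window: dict = {}
    banned = set()
    span = timedelta(seconds=findtime)
    for ts, host in parse_failures(lines):
        hits = [t for t in window.get(host, []) if ts - t <= span]
        hits.append(ts)
        window[host] = hits
        if len(hits) >= maxretry:
            banned.add(host)
    return banned


# Constructed sample log (not real traffic). 203.0.113.5 fails five times in
# two minutes; 192.0.2.9 fails six times but in two bursts 30 minutes apart.
_T0 = datetime(2024, 4, 3, 1, 0, 0)
SAMPLE_LOG = [
    format_failed_login(_T0 + timedelta(seconds=30 * i), "marco", "203.0.113.5")
    for i in range(5)
] + [
    format_failed_login(_T0 + timedelta(minutes=m), "admin", "192.0.2.9")
    for m in (0, 1, 2, 30, 31, 32)
] + [
    "2024-04-03 01:03:00 INFO linkding.auth: login for user 'marco' from 203.0.113.5",
]

# Username crafted to look like a trailing "from <ip>"; the real peer is last.
INJECTION_LINE = format_failed_login(_T0, "admin' from 10.0.0.1", "203.0.113.5")
SUCCESS_LINE = SAMPLE_LOG[-1]

if __name__ == "__main__":
    print("ban with defaults:", hosts_to_ban(SAMPLE_LOG))
    print("ban with findtime=3600:", hosts_to_ban(SAMPLE_LOG, findtime=3600))
    print("injection attributed to:", host_of(INJECTION_LINE))
```

On the Django side this would be wired by subclassing `django.contrib.auth.views.LoginView`, overriding `form_invalid(self, form)` to emit the line above and then `return self.render_to_response(self.get_context_data(form=form), status=LD_FAILED_LOGIN_STATUS)`; with the setting left at 200 the behaviour stays identical to stock Django. Two caveats a deployment has to get right: behind a reverse proxy `request.META["REMOTE_ADDR"]` is the proxy, so the logged address must come from a forwarded header that the proxy is known to overwrite (otherwise fail2ban bans the proxy, or whatever address the attacker put in X-Forwarded-For), and a bare 401 without a `WWW-Authenticate` header is what RFC 7235 forbids, which is the argument the linked SO answer makes for keeping 200 as the default.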

marc0janssen commented 3 months ago

Donated to Internet Archive like you said!

Have a great weekend! Marco