Closed marc0janssen closed 3 months ago
Awesome software.... I changed from a paid pinboard.in to this in 1 sec,
Cool!
A bad login attempt is logged with a HTTP 200 instead of a HTTP 401 error..
It's debatable whether that is a bug or not. This is how the Django framework used by linkding, and tons of other web apps, chooses to implement their login view. This SO answer explains it quite well: https://stackoverflow.com/questions/25839434/django-login-with-wrong-credentials-returns-200-not-401/25840166#25840166
Now I get that this doesn't help if you want to implement fail2ban, but I'll probably not change the defaults. Rather there should be an option for returning a different status code, or a feature for logging failed attempts to the Docker logs. Both should be fairly easy to implement, so contributions are welcome.
Apart from that fail2ban support was already requested in https://github.com/sissbruecker/linkding/issues/489, so let me close this in favor of that.
Hi Sascha,
Thanks for explaining all of this, I will dive into this and see if I can find a solution (if it is in my power). Fair enough this is not a bug, as you explain the Django framework is like this.
This software is still awesome… I love everything about it… as said I turned away from pinboard.in 1 sec. I’ve been there for 12 years…. But this is so nice…
Is there a way I can make a donation to you for your hard work?
Best regards, Marco
The linked SO question contains some pointers on how to customize the login view to return a different status code. The other part of the task would be to add a new option in base.py for customizing the status code, and then use that in the custom login view.
Is there a way I can make a donation to you for your hard work?
Currently I have no plans to profit from this project and as such don't accept donations. If you want you can donate to the Internet Archive, which receives some additional traffic from linkding. So helping them compensate for that, and their useful service in general, is a nice thing to do. Or, you know, invest some time, dig into the code base and add this feature 🙂.
Donated to Internet Archive like you said!
Have a great weekend! Marco
Hi there,
Awesome software.... I changed from a paid pinboard.in to this in 1 sec,
But
A bad login attempt is logged with a HTTP 200 instead of a HTTP 401 error.. This makes it that I can't use Fail2ban because I can't filter 401's!
No other mention of a failed attempt in the log either....
please log the 401's!!
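An added example, not code from linkding or from anyone in this thread: Django's login view answers a successful login with a redirect (302) and re-renders the form with 200 on bad credentials, so a POST to the login path that returns 200 can stand in for the missing 401 when counting failures per IP the way fail2ban's `maxretry` and `findtime` do. The combined log format, the `/login/` path, the thresholds and all function names are assumptions; `failure_status=401` covers the case where a configurable status code gets implemented.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in combined log format; not real linkding output.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Apr/2024:01:50:01 +0000] "POST /login/ HTTP/1.1" 200 2210
203.0.113.7 - - [03/Apr/2024:01:50:09 +0000] "POST /login/ HTTP/1.1" 200 2210
198.51.100.20 - - [03/Apr/2024:01:50:30 +0000] "POST /login/ HTTP/1.1" 200 2210
198.51.100.20 - - [03/Apr/2024:01:50:48 +0000] "POST /login/ HTTP/1.1" 302 0
192.0.2.55 - - [03/Apr/2024:01:51:00 +0000] "GET /login/ HTTP/1.1" 200 2104
203.0.113.7 - - [03/Apr/2024:01:51:15 +0000] "POST /login/ HTTP/1.1" 200 2210
192.0.2.99 - - [03/Apr/2024:01:52:00 +0000] "POST /login/ HTTP/1.1" 200 2210
192.0.2.99 - - [03/Apr/2024:02:10:00 +0000] "POST /login/ HTTP/1.1" 200 2210
192.0.2.99 - - [03/Apr/2024:02:30:00 +0000] "POST /login/ HTTP/1.1" 200 2210
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def failed_logins(log_text, login_path="/login/", failure_status=200):
    """Yield (ip, timestamp) for each POST to login_path answered with failure_status."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # GET only loads the form; unparseable lines are skipped
        if m["path"].split("?")[0] != login_path:
            continue
        if int(m["status"]) == failure_status:
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def ips_to_ban(log_text, maxretry=3, findtime=timedelta(minutes=10), **match):
    """Return IPs with at least maxretry failures inside a sliding findtime window."""
    recent = defaultdict(deque)
    banned = []
    for ip, ts in failed_logins(log_text, **match):
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:  # drop failures older than the window
            window.popleft()
        if len(window) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned

if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG))
```

The same method, path and status conditions carry over to a fail2ban `failregex` once adapted to the log format the deployment actually writes.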