[auth] add captcha to prevent brute force attack

2025-09-19 10:26:17 +00:00 · 2013-10-20 00:37:41 +08:00
parent 75372ce351
commit 00c9e33145
6 changed files with 45 additions and 1 deletions
--- a/seahub/auth/forms.py
+++ b/seahub/auth/forms.py
@@ -9,6 +9,8 @@ from seahub.auth import authenticate
 from seahub.auth.tokens import default_token_generator
 from seahub.utils import IS_EMAIL_CONFIGURED

+from captcha.fields import CaptchaField
+
 class AuthenticationForm(forms.Form):
    """
    Base class for authenticating users. Extend this to get a form that accepts
@@ -26,7 +28,10 @@ class AuthenticationForm(forms.Form):
        """
        self.request = request
        self.user_cache = None
+        use_captcha = kwargs.pop('use_captcha', False)
        super(AuthenticationForm, self).__init__(*args, **kwargs)
+        if use_captcha:
+            self.fields['captcha'] = CaptchaField()

    def clean(self):
        username = self.cleaned_data.get('username')
--- a/seahub/auth/views.py
+++ b/seahub/auth/views.py
@@ -21,6 +21,9 @@ from seahub.auth.forms import PasswordResetForm, SetPasswordForm, PasswordChange
 from seahub.auth.tokens import default_token_generator

 from seahub.base.accounts import User
+from seahub.base.models import UserLoginAttempt
+from settings import LOGIN_ATTEMPT_LIMIT, LOGIN_ATTEMPT_TIMEOUT
+from datetime import datetime

 # Get an instance of a logger
 logger = logging.getLogger(__name__)
@@ -37,9 +40,19 @@ def login(request, template_name='registration/login.html',
        return HttpResponseRedirect(reverse(redirect_if_logged_in))

    redirect_to = request.REQUEST.get(redirect_field_name, '')
+    username = request.REQUEST.get('username', '')
+    if username:
+        login_attempt, created = UserLoginAttempt.objects.get_or_create(username=username)
+        if login_attempt.last_attempt_time + LOGIN_ATTEMPT_TIMEOUT < datetime.now():
+            login_attempt.delete()
+            login_attempt = UserLoginAttempt.objects.create(username=username)
+        if login_attempt.failed_attempts >= LOGIN_ATTEMPT_LIMIT:
+            use_captcha = True
+        else:
+            use_captcha = False
    
    if request.method == "POST":
-        form = authentication_form(data=request.POST)
+        form = authentication_form(data=request.POST, use_captcha=use_captcha)
        if form.is_valid():
            # Light security check -- make sure redirect_to isn't garbage.
            if not redirect_to or ' ' in redirect_to:
@@ -58,7 +71,13 @@ def login(request, template_name='registration/login.html',
            if request.session.test_cookie_worked():
                request.session.delete_test_cookie()

+            login_attempt.delete()
            return HttpResponseRedirect(redirect_to)
+        else:
+            login_attempt.failed_attempts += 1
+            login_attempt.save()
+            if login_attempt.failed_attempts == LOGIN_ATTEMPT_LIMIT:
+                form = authentication_form(data=request.POST, use_captcha=True)

    else:
        form = authentication_form(request)
--- a/seahub/base/models.py
+++ b/seahub/base/models.py
@@ -322,3 +322,11 @@ class InnerPubMsgReply(models.Model):
 #                              msg_type='innerpubmsg_reply',
 #                              detail=msg_id)
 #         n.save()
+
+class UserLoginAttempt(models.Model):
+    username = models.CharField(max_length=255)
+    last_attempt_time = models.DateTimeField(auto_now_add=True)
+    failed_attempts = models.IntegerField(default=0)
+
+    class Meta:
+        ordering = ['-last_attempt_time']
--- a/seahub/settings.py
+++ b/seahub/settings.py
@@ -160,6 +160,7 @@ INSTALLED_APPS = (
    'django.contrib.messages',

    'registration',
+    'captcha',

    'seahub.api2',
    'seahub.avatar',
@@ -339,6 +340,11 @@ LOGGING = {
    }
 }

+#Login Attempt
+import datetime
+LOGIN_ATTEMPT_LIMIT = 3
+LOGIN_ATTEMPT_TIMEOUT = datetime.timedelta(minutes=15)
+
 #################
 # Email sending #
 #################
--- a/seahub/templates/registration/login.html
+++ b/seahub/templates/registration/login.html
@@ -9,9 +9,14 @@
 	<input type="text" id="id_email" name="username" value="" />
 	<label for="password">{% trans "Password" %}</label>
 	<input type="password" id="id_password" name="password" value="" />
+    {{ form.captcha }}
    <input type="hidden" name="next" value="{% if next %}{{ next|escape }}{% else %}{{ SITE_ROOT }}{% endif %}" />
    {% if form.errors %}
+    {% if form.captcha.errors %}
+	<p class="error">{% trans "Incorrect CAPTCHA" %}</p>
+    {% else %}
 	<p class="error">{% trans "Incorrect email or password" %}</p>
+    {% endif %}
    {% else %}
 	<p class="error hide"></p>
    {% endif %}
--- a/seahub/urls.py
+++ b/seahub/urls.py
@@ -145,6 +145,7 @@ urlpatterns = patterns('',
    (r'^message/', include('seahub.message.urls')),     
    (r'^profile/', include('seahub.profile.urls')),
    (r'^share/', include('seahub.share.urls')),
+    url(r'^captcha/', include('captcha.urls')),

    ### system admin ###                       
    url(r'^sys/seafadmin/$', sys_repo_admin, name='sys_repo_admin'),