Andal.LND/edx-platform
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
87ef27166f4648eaba915e50453f8564bee2cfd6
edx-platform/openedx/core/djangoapps/util/ratelimit.py
Waheed Ahmad fb604e4345 fix: login endpoint username param rate limiting (#30673) 
The username was allowed in the login endpoint alongside the email address
but rate-limiting logic was not updated to rate limit on the new POST
param `email_or_username`.

VAN-1003
2022-06-30 15:24:19 +05:00

75 lines
2.4 KiB
Python
Raw Blame History

"""
Code to get ip from request.
"""
from uuid import uuid4
from openedx.core.djangoapps.util import ip
def real_ip(group, request): # pylint: disable=unused-argument
"""
Get a client IP suitable for use in rate-limiting.
To prevent evasion of rate-limiting, use the safest (rightmost) IP in the
external IP chain.
(Intended to be called by ``django-ratelimit``, hence the unused argument.)
"""
if ip.USE_LEGACY_IP.is_enabled():
return ip.get_legacy_ip(request)
else:
return ip.get_safest_client_ip(request)
def request_post_email(group, request) -> str: # pylint: disable=unused-argument
"""
Return the the email post param if it exists, otherwise return a
random id.
If the request doesn't have an email post body param, treat it as
a unique key. This will probably mean that it will not get rate limited.
This ratelimit key function is meant to be used with the user_authn/views/login.py::login_user
function. To rate-limit any first party auth. For 3rd party auth, there is separate rate limiting
currently in place so we don't do any rate limiting for that case here.
"""
email = request.POST.get('email')
if not email:
email = str(uuid4())
return email
def request_data_email(group, request) -> str: # pylint: disable=unused-argument
"""
Return the the email data param if it exists, otherwise return a
random id.
"""
email = request.data.get('email')
if not email:
email = str(uuid4())
return email
def request_post_email_or_username(group, request) -> str: # pylint: disable=unused-argument
"""
Return the the email or email_or_username post param if it exists, otherwise return a
random id.
If the request doesn't have an email or email_or_username post body param, treat it as
a unique key. This will probably mean that it will not get rate limited.
This ratelimit key function is meant to be used with the user_authn/views/login.py::login_user
function. To rate-limit any first party auth. For 3rd party auth, there is separate rate limiting
currently in place so we don't do any rate limiting for that case here.
"""
email_or_username = request.POST.get('email_or_username') or request.POST.get('email')
if not email_or_username:
email_or_username = str(uuid4())
return email_or_username
Reference in New Issue View Git Blame Copy Permalink