We use django-ratelimit to limit per-IP login attempts, and then we use django-ratelimit-backend to limit per-username login attempts. This change replaces the usage of django-ratelimit-backend with another instance of django-ratelimit so that both limits can be managed by one library. This is the first step in being able to fully excise django-ratelimit-backend from edx-platform. Note that we're still using the `RateLimitMixin` in openedx/core/djangoapps/oauth_dispatch/dot_overrides/backends.py because Studio and the admin UI still rely on that for rate limiting. Those login paths will have to be updated before we can remove the mixin from our auth backend.
33 lines
901 B
Python
"""
|
|
Code to get ip from request.
|
|
"""
|
|
|
|
|
|
from uuid import uuid4
|
|
|
|
from ipware.ip import get_ip
|
|
|
|
|
|
def real_ip(group, request): # pylint: disable=unused-argument
|
|
return get_ip(request)
|
|
|
|
|
|
def request_post_email(group, request) -> str: # pylint: disable=unused-argument
|
|
"""
|
|
Return the the email post param if it exists, otherwise return a
|
|
random id.
|
|
|
|
If the request doesn't have an email post body param, treat it as
|
|
a unique key. This will probably mean that it will not get rate limited.
|
|
|
|
This ratelimit key function is meant to be used with the user_authn/views/login.py::login_user
|
|
function. To rate-limit any first party auth. For 3rd party auth, there is separate rate limiting
|
|
currently in place so we don't do any rate limiting for that case here.
|
|
"""
|
|
|
|
email = request.POST.get('email')
|
|
if not email:
|
|
email = str(uuid4())
|
|
|
|
return email
|
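The following is an added illustration, not edx-platform code: it applies the two key functions above the way the commit describes (one limit keyed per IP, one keyed per posted email) using a constructed in-memory fixed-window limiter and a `FakeRequest` stand-in, so it runs without Django or django-ratelimit. It shows the caveat from the docstring: a request with no email gets a random key, so only the per-IP limit can catch it.

```python
from collections import defaultdict
from uuid import uuid4


class FakeRequest:
    """Constructed stand-in for a Django request: only what the key functions read."""
    def __init__(self, ip, post=None):
        self.META = {'REMOTE_ADDR': ip}
        self.POST = post or {}


def real_ip(group, request):
    # Same contract as the page's key function, minus ipware (assumption: REMOTE_ADDR is the client IP).
    return request.META['REMOTE_ADDR']


def request_post_email(group, request) -> str:
    # Same behaviour as the page's key function: email if posted, otherwise a throwaway uuid key.
    email = request.POST.get('email')
    return email if email else str(uuid4())


class FixedWindowLimiter:
    """Constructed limiter: counts hits per (group, key) and trips once a key exceeds its limit."""
    def __init__(self):
        self.hits = defaultdict(int)

    def is_limited(self, group, key_fn, limit, request):
        key = (group, key_fn(group, request))
        self.hits[key] += 1
        return self.hits[key] > limit


def login_attempt(limiter, request, ip_limit=5, email_limit=3):
    """Apply both limits, as two stacked django-ratelimit instances would; block if either trips."""
    by_ip = limiter.is_limited('login-ip', real_ip, ip_limit, request)
    by_email = limiter.is_limited('login-email', request_post_email, email_limit, request)
    return 'blocked' if (by_ip or by_email) else 'allowed'


def simulate(attempts):
    """Run a list of (ip, post_dict) login attempts and return the decision for each."""
    limiter = FixedWindowLimiter()
    return [login_attempt(limiter, FakeRequest(ip, post)) for ip, post in attempts]
```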