Django app to harden the security around login
Project Description
Django Secure Login
=======================
Overview
------------
Django secure login provides utilities to add simple security steps around login and registration. It provides two mixins, `SecureLoginBackendMixin` and `SecureFormMixin`, which check for common weaknesses while a user logs in.
* `SecureLoginBackendMixin` can be used with any Backend which has a concept of username and password.
* `SecureFormMixin` can be used with any Form which has a concept of username and password (e.g. a login form or a registration form).
Settings
-----------
* `SECURE_LOGIN_CHECKERS`: A list of dotted-path strings that resolve to callables. A checker should return True only if it wants the authentication to go through.
* `SECURE_LOGIN_ON_FAIL`: A list of dotted-path strings that resolve to callables. Each one can take any action appropriate to a failed login.
* `SECURE_LOGIN_MAX_HOURLY_ATTEMPTS`: Maximum failed attempts per hour before the user is locked out.
Features
---------
* Works with any Backend and Form which has username-like and password-like attributes.
* Ensures that passwords have a minimum length (default 6).
* Ensures that the password is not in the list of known weak passwords.
* Ensures the username is not the same as the password.
* Emails the user on a failed login attempt for their account.
* Locks the user out after 10 failed attempts within an hour.
Usage
-----------
Simple
===========
Set::

    AUTHENTICATION_BACKENDS = ("secure_login.backends.SecureLoginBackend", )

which will run all the default checkers.
Advanced
===========
Set::

    AUTHENTICATION_BACKENDS = ("secure_login.backends.SecureLoginBackend", )

and::

    SECURE_LOGIN_CHECKERS = [
        "secure_login.checkers.no_weak_passwords",
        "secure_login.checkers.no_short_passwords",
    ]

`SECURE_LOGIN_CHECKERS` should be a list of dotted paths to callables. Each callable should return True only if it wants the authentication to go through.

and::

    SECURE_LOGIN_ON_FAIL = [
        "secure_login.on_fail.email_user",
        "secure_login.on_fail.populate_failed_requests",
    ]

`SECURE_LOGIN_ON_FAIL` should be a list of dotted paths to callables. Each callable is called, in order, if the authentication fails.
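As an added illustration (not code from django-secure-login), the following stand-alone Python models the pipeline these two settings describe: dotted paths are resolved to callables, every checker must return True before the wrapped backend is consulted, and each on_fail handler runs in order after a rejection. The `(username, password)` signatures, the small weak-password list, the in-memory attempt counter and the in-module settings constants are assumptions of this example.

```python
from collections import defaultdict
from importlib import import_module

# Constructed stand-ins for the settings the README documents (the real
# project reads them from django.conf.settings).
SECURE_LOGIN_MAX_HOURLY_ATTEMPTS = 3        # the README's default is 10
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein"}  # constructed sample list
failed_attempts = defaultdict(int)          # username -> failures in the current hour


def import_string(dotted_path):
    """Resolve "pkg.module.name" to the named object (like Django's import_string)."""
    module_path, name = dotted_path.rsplit(".", 1)
    namespace = globals() if module_path == __name__ else vars(import_module(module_path))
    return namespace[name]


# Checkers follow the README contract: return True only if authentication may proceed.
# The (username, password) signature is an assumption of this example.
def no_short_passwords(username, password, min_length=6):
    return len(password) >= min_length

def no_weak_passwords(username, password):
    return password.lower() not in WEAK_PASSWORDS

def no_username_password_match(username, password):
    return username.lower() != password.lower()

def not_locked_out(username, password):
    return failed_attempts[username] < SECURE_LOGIN_MAX_HOURLY_ATTEMPTS

# on_fail handlers run in order after any rejection; this one feeds the lockout checker.
def populate_failed_requests(username, password):
    failed_attempts[username] += 1


SECURE_LOGIN_CHECKERS = [f"{__name__}.{name}" for name in (
    "not_locked_out", "no_short_passwords", "no_weak_passwords", "no_username_password_match")]
SECURE_LOGIN_ON_FAIL = [f"{__name__}.populate_failed_requests"]


def secure_authenticate(username, password, backend_authenticate):
    """Run every checker before the wrapped backend; fire on_fail on any rejection."""
    for dotted in SECURE_LOGIN_CHECKERS:
        if not import_string(dotted)(username, password):
            break
    else:  # every checker passed, so let the wrapped backend decide
        user = backend_authenticate(username, password)
        if user is not None:
            return user
    for dotted in SECURE_LOGIN_ON_FAIL:
        import_string(dotted)(username, password)
    return None
```

Because the lockout checker runs first, a locked-out account is rejected before the password is ever compared, which is the behaviour the `SECURE_LOGIN_MAX_HOURLY_ATTEMPTS` setting is meant to provide.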
Writing new secure backends.
=================================
If you have an existing backend `FooBackend`, you can turn it into a secure backend like this::

    class SecureFooLoginBackend(SecureLoginBackendMixin, FooBackend):
        pass

If this backend uses `email` as its username-like identifier, tell the mixin which field to read::

    class SecureFooLoginBackend(SecureLoginBackendMixin, FooBackend):
        def username_fieldname(self):
            return "email"
Secure Form
============
Use the `SecureFormMixin` with your usual forms. If you have an existing form `FooForm`::

    class SecureFooForm(SecureFormMixin, FooForm):
        pass

If this form uses email as its username-like identifier::

    class SecureFooForm(SecureFormMixin, FooForm):
        def username_fieldname(self):
            return "email"

`SECURE_LOGIN_CHECKERS` will be tested in the form's clean method.
TODO
---------
* Rate limit login attempts per IP.
* Rate limit login attempts per user.
* Email admins on X failed attempts.
* Integrate with fail2ban.
* Support two-factor authentication.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Filename, size | File type | Python version | Upload date |
---|---|---|---|
django-secure-login-0.3.4.tar.gz (6.6 kB) | Source | None | Mar 3, 2014 |