
Leveraging django-axes?


First of all: thanks for releasing and maintaining djoser, it has made our life easy…!

I am trying to implement django-axes in front of djoser and things appear to be mostly working, although the error that bubbles back from JWT create is the normal error:

No active account found with the given credentials

Is there any (simple) way to get a “you’ve been ratelimited” message back? If I try to login through the normal /admin pages I get a clear lockout message.

Relates to #7

Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments:7 (4 by maintainers)

Top GitHub Comments

1 reaction
ckcollab commented, Nov 28, 2019

OK got this working! Here’s how I did it:

# login_viewsets.py

# Custom view overriding the simple_jwt view, so that django-axes sees every
# request to the JWT endpoint and can answer with its lockout response.
from axes.decorators import axes_dispatch
from django.utils.decorators import method_decorator
from django.views.decorators.csrf import csrf_exempt
from rest_framework_simplejwt.views import TokenObtainPairView


@method_decorator(axes_dispatch, name='dispatch')
@method_decorator(csrf_exempt, name='dispatch')
class DjangoAxesTokenObtainPairView(TokenObtainPairView):
    pass

# urls.py

from django.conf.urls import url  # on Django 4+ use re_path from django.urls instead
from django.urls import include, path

# adjust this import to wherever login_viewsets.py lives in your project
from .login_viewsets import DjangoAxesTokenObtainPairView

urlpatterns = [
    # Special override for generating JWT tokens, must be BEFORE other `api/auth` endpoints
    # this is needed for django-axes to properly raise ratelimit warnings
    url(r"^api/auth/jwt/create/?", DjangoAxesTokenObtainPairView.as_view(), name="jwt-create"),
    path('api/auth/', include('djoser.urls.jwt')),
]

And then, bonus, to get my frontend to render JSON easily I made a template and made django-axes point to it.

templates/lockout_error.json

{"detail": "Account locked: too many login attempts. Contact an admin to unlock your account."}

# settings.py

AXES_LOCKOUT_TEMPLATE = 'lockout_error.json'

Downsides:

  • Misses out on translation, could do translation in your .json template?
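Why the unwrapped endpoint hides the lockout, as an added illustration that is not code from this issue, from django-axes or from djoser: Django's authenticate() treats a PermissionDenied raised by a backend (what AxesBackend raises for a locked-out client) as an ordinary failed login and returns None, so simplejwt reports its generic error, whereas axes_dispatch checks the lockout before the view runs. The model below uses simplified stand-ins (AxesModel, FAILURE_LIMIT, an in-memory counter) for the real classes and settings.

```python
from dataclasses import dataclass, field

FAILURE_LIMIT = 3  # stand-in for the AXES_FAILURE_LIMIT setting


class LockedOut(PermissionError):
    """Stand-in for axes.exceptions.AxesBackendPermissionDenied."""


@dataclass
class AxesModel:
    # Simplified in-memory counter keyed by (username, ip); django-axes keeps
    # the real counts in its AccessAttempt table.
    failures: dict = field(default_factory=dict)

    def is_locked(self, username, ip):
        return self.failures.get((username, ip), 0) >= FAILURE_LIMIT

    def axes_backend(self, username, ip):
        """Models AxesBackend: refuse a locked-out client before any password check."""
        if self.is_locked(username, ip):
            raise LockedOut()

    def authenticate(self, username, password, ip):
        """Models django.contrib.auth.authenticate(): a PermissionDenied raised by
        a backend is swallowed and None is returned, exactly like a bad password."""
        try:
            self.axes_backend(username, ip)
        except PermissionError:
            return None
        if password == "correct":  # constructed credential check (ModelBackend's job)
            self.failures.pop((username, ip), None)
            return username
        self.failures[(username, ip)] = self.failures.get((username, ip), 0) + 1
        return None

    def plain_jwt_view(self, username, password, ip):
        """Unwrapped TokenObtainPairView: None from authenticate() becomes the generic error."""
        if self.authenticate(username, password, ip) is None:
            return 401, {"detail": "No active account found with the given credentials"}
        return 200, {"access": "<token>"}

    def axes_jwt_view(self, username, password, ip):
        """Same view behind axes_dispatch: the lockout check runs before the view does."""
        if self.is_locked(username, ip):
            return 403, {"detail": "Account locked: too many login attempts."}
        return self.plain_jwt_view(username, password, ip)
```

After three failures the plain view keeps answering 401 with the generic message even for the correct password, while the wrapped view answers 403 with the lockout message.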
1 reaction
ckcollab commented, Oct 20, 2019

I set up a small example project here: https://github.com/ckcollab/djoserdjangoaxesexample

I tested with the normal admin, after a few attempts I’m blocked and displayed a message properly: http://127.0.0.1:8000/admin/login/

And for token creation, I am ratelimited but it’s not clear: http://127.0.0.1:8000/auth/jwt/create

Response I get from JWT endpoint even with correct credentials (no indication I am ratelimited):

{
    "detail": "No active account found with the given credentials"
}

Thanks for the help! I hope this benefits the next guy down the line as well 😃
