[bug 971000] Protect login with django-axes.

.gitmodules

@@ -172,6 +172,3 @@
 [submodule "vendor/src/django-axes"]
 	path = vendor/src/django-axes
 	url = https://github.com/django-security/django-axes.git
-[submodule "vendor/src/django-taggit"]
-	path = vendor/src/django-taggit
-	url = https://github.com/alex/django-taggit.git

docs/hacking_howto.rst

@@ -226,6 +226,9 @@ Start with this::
     LESS_PREPROCESS = True
     LESS_BIN = '/path/to/kitsune/node_modules/less/bin/lessc'
 
+    # Tells django-axes we aren't behind a reverse proxy.
+    AXES_BEHIND_REVERSE_PROXY = False
+
 
 Don't forget to change ``<YOUR_PASSWORD>`` and update ``LESS_BIN``
 based on your setup.

kitsune/settings.py

@@ -449,6 +449,7 @@ MIDDLEWARE_CLASSES = (
     'commonware.middleware.StrictTransportMiddleware',
     'commonware.middleware.XSSProtectionHeader',
     'commonware.middleware.RobotsTagHeader',
+    'axes.middleware.FailedLoginMiddleware'
 )
 
 # Auth
@@ -540,6 +541,7 @@ INSTALLED_APPS = (
     'kitsune.products',
     'rest_framework',
     'statici18n',
+    'axes',
 
     # App for Sentry:
     'raven.contrib.django',
@@ -877,3 +879,11 @@ BROWSERID_AUDIENCES = [
 REST_FRAMEWORK = {
     'DEFAULT_FILTER_BACKENDS': ('rest_framework.filters.DjangoFilterBackend',)
 }
+
+# Django-axes settings.
+AXES_LOGIN_FAILURE_LIMIT = 10
+AXES_LOCK_OUT_AT_FAILURE = True
+AXES_USE_USER_AGENT = False
+AXES_COOLOFF_TIME = 1  # hour
+AXES_BEHIND_REVERSE_PROXY = True
+AXES_REVERSE_PROXY_HEADER = 'HTTP_X_CLUSTER_CLIENT_IP'

kitsune/users/views.py

@@ -20,6 +20,7 @@ from django_browserid.auth import BrowserIDBackend
 from django_browserid.base import get_audience
 from django_browserid.forms import BrowserIDForm
 
+from axes.decorators import watch_login
 from mobility.decorators import mobile_template
 from session_csrf import anonymous_csrf
 from statsd import statsd
@@ -77,6 +78,7 @@ def user_auth(request, contributor=False, register_form=None, login_form=None):
 
 @ssl_required
 @anonymous_csrf
+@watch_login
 @mobile_template('users/{mobile/}login.html')
 def login(request, template):
     """Try to log the user in."""

migrations/236-install-django-axes.sql

@@ -0,0 +1,25 @@
+CREATE TABLE `axes_accessattempt` (
+    `id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY,
+    `user_agent` varchar(255) NOT NULL,
+    `ip_address` char(15),
+    `username` varchar(255),
+    `trusted` bool NOT NULL,
+    `http_accept` varchar(1025) NOT NULL,
+    `path_info` varchar(255) NOT NULL,
+    `attempt_time` datetime NOT NULL,
+    `get_data` longtext NOT NULL,
+    `post_data` longtext NOT NULL,
+    `failures_since_start` integer UNSIGNED NOT NULL
+) ENGINE=InnoDB CHARACTER SET utf8 COLLATE utf8_general_ci;
+
+CREATE TABLE `axes_accesslog` (
+    `id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY,
+    `user_agent` varchar(255) NOT NULL,
+    `ip_address` char(15),
+    `username` varchar(255),
+    `trusted` bool NOT NULL,
+    `http_accept` varchar(1025) NOT NULL,
+    `path_info` varchar(255) NOT NULL,
+    `attempt_time` datetime NOT NULL,
+    `logout_time` datetime
+) ENGINE=InnoDB CHARACTER SET utf8 COLLATE utf8_general_ci;

settings_test.py

@@ -35,3 +35,6 @@ if 'DJANGO_LIVE_TEST_SERVER_ADDRESS' not in os.environ:
 import logging
 import south.logger
 logging.getLogger('south').setLevel(logging.INFO)
+
+# Tells django-axes we aren't behind a reverse proxy.
+AXES_BEHIND_REVERSE_PROXY = False