tags:

views:

93

answers:

1
Q: 

how to access the request in a django custom authentication backend?

I want to do the following with django's authentication:

  • Log incorrect log-in attempts
  • Temporarily lock accounts after 'x' number of incorrect log-in attempts
  • Log successful log-ins.

I thought a custom auth backend would be the solution.

I can do most of what i want, but I want to log the IP and REMOTE_HOST of the user making the attempt.

how can I access the request object in the auth backend?

Thanks

+1  A: 

The authentication backend can take any number of custom parameters for the authenticate() method. For example:

class MyBackend:
    def authenticate(self, username=None, password=None, request=None):
         # check username, password
         if request is not None:
             # log values from request object

If you are calling authenticate in your own view, you can pass the request object:

from django.contrib.auth import authenticate

def login(request):
    # discover username and password
    authenticate(username=username, password=password, request=request)
    # continue as normal

If you're using django's login view (or the admin login), you wont have the extra information. Put simply, you'll have to use your own custom login view.

Also, be careful when automatically locking accounts: you allow someone to deliberately lock one of your user's accounts (denial of service). There are ways around this. Also, make sure your log of incorrect attempts doesn't contain any attempted passwords.

Will Hardy  2010-08-15 17:19:02
i'm extending the ModelBackend - python doesn't allow me to overload methods does it? What would be a good way of achieving this? Just rename the 'authenticate' method and call that in my view?
Roger  2010-08-15 17:28:23
what do i need to put in the login view? just copy the whole of the current contrib.auth login view? I don't understand because that method never calls 'authenticate'...
Roger  2010-08-15 20:10:47
You can certainly overload in python. `contrib.auth` requires the backends to have an `authenticate` method, so you'll have to call it that.
Will Hardy  2010-08-16 00:17:47
Django's view calls `authenticate()` when validating its `AuthenticationForm` (in `contrib.auth.forms`). Django's login view also supports a number of other features which you wont need. It's not too difficult to put it in your own view, just call `authenticate` and login if all is good. Doing this in form validation is of course nicer, but you'll need to pass the request.
Will Hardy  2010-08-16 00:23:32

related questions

How do I write Firefox add-on that automatically enters proxy passwords?
Login Integration in PHP
Strange Rails Authentication Issue
Concurrent logins in a web farm
Is there a browser equivalent to IE's ClearAuthenticationCache?
How can I authenticate using client credentials in WCF just once?
Why can't I connect to my CAS server with Perl's AuthCAS?
Best Solution For Authentication in Ruby on Rails
Authenticate on an ASP.Net Forms Authorization website from a console app
How do I use NTLM authentication with Active Directory
What have you used Windows CardSpace for, if anything
Forms Authentication across Applications
Retreiving the PC Name of a Client? (Windows Auth)
How would you implement FORM based authentication without a backing database?
What's the best way to authenticate over WCF?
Only accepting certain ajax requests from authenticated users
OpenID authentication in Ruby on Rails
OpenID Attribute Exchange - should I use it?
OpenID: which provider should I recommend to my users?
What to use for login ID?
ASP.NET authentication: user name Vs User ID
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Checklist for IIS 6/ASP.NET Windows Authentication?
The Definitive Guide To Website Authentication