django-axes
===========
.. image:: https://jazzband.co/static/img/badge.svg
:target: https://jazzband.co/
:alt: Jazzband
.. image:: https://img.shields.io/github/stars/jazzband/django-axes.svg?label=Stars&style=socialcA
:target: https://github.com/jazzband/django-axes
:alt: GitHub
.. image:: https://img.shields.io/pypi/v/django-axes.svg
:target: https://pypi.org/project/django-axes/
:alt: PyPI release
.. image:: https://img.shields.io/pypi/pyversions/django-axes.svg
:target: https://pypi.org/project/django-axes/
:alt: Supported Python versions
.. image:: https://img.shields.io/pypi/djversions/django-axes.svg
:target: https://pypi.org/project/django-axes/
:alt: Supported Django versions
.. image:: https://img.shields.io/readthedocs/django-axes.svg
:target: https://django-axes.readthedocs.io/
:alt: Documentation
.. image:: https://github.com/jazzband/django-axes/workflows/Test/badge.svg
:target: https://github.com/jazzband/django-axes/actions
:alt: GitHub Actions
.. image:: https://codecov.io/gh/jazzband/django-axes/branch/master/graph/badge.svg
:target: https://codecov.io/gh/jazzband/django-axes
:alt: Coverage
Axes is a Django plugin for keeping track of suspicious
login attempts for your Django based website
and implementing simple brute-force attack blocking.
The name is sort of a geeky pun, since it can be interpreted as:
* ``access``, as in monitoring access attempts, or
* ``axes``, as in tools you can use to hack (generally on wood).
Functionality
-------------
Axes records login attempts to your Django powered site and prevents attackers
from attempting further logins to your site when they exceed the configured attempt limit.
Axes can track the attempts and persist them in the database indefinitely,
or alternatively use a fast and DDoS resistant cache implementation.
Axes can be configured to monitor login attempts by
IP address, username, user agent, or their combinations.
Axes supports cool off periods, IP address whitelisting and blacklisting,
user account whitelisting, and other features for Django access management.
Documentation
-------------
For more information on installation and configuration see the documentation at:
https://django-axes.readthedocs.io/
Issues
------
If you have questions or have trouble using the app please file a bug report at:
https://github.com/jazzband/django-axes/issues
Contributions
-------------
All contributions are welcome!
It is best to separate proposed changes and PRs into small, distinct patches
by type so that they can be merged faster into upstream and released quicker.
One way to organize contributions would be to separate PRs for e.g.
* bugfixes,
* new features,
* code and design improvements,
* documentation improvements, or
* tooling and CI improvements.
Merging contributions requires passing the checks configured
with the CI. This includes running tests and linters successfully
on the currently officially supported Python and Django versions.
The test automation is run automatically with GitHub Actions, but you can
run it locally with the ``tox`` command before pushing commits.
Please note that this is a `Jazzband <https://jazzband.co>`_ project.
By contributing you agree to abide by the
`Contributor Code of Conduct <https://jazzband.co/about/conduct>`_
and follow the `guidelines <https://jazzband.co/about/guidelines>`_.
Changes
=======
5.27.0 (2021-11-04)
-------------------
- Fix ``pkg_resources`` missing for package version resolution on runtime
due to ``setuptools`` not being a runtime dependency.
[asherf]
- Add Python 3.10 and Django 3.2 support.
[hramezani]
5.26.0 (2021-10-11)
-------------------
- Fix ``AXES_USERNAME_CALLABLE`` not receiving ``credentials`` attribute
in Axes middleware lockout response when user is locked out.
[rootart]
5.25.0 (2021-09-19)
-------------------
- Fix duplicated AccessAttempts
with updated database model ``unique_together`` constraints
and data and schema migration.
[PetrDlouhy]
5.24.0 (2021-09-09)
-------------------
- Use atomic transaction for updating AccessAttempts in database handler.
[okapies]
5.23.0 (2021-09-02)
-------------------
- Pass ``request`` as argument to ``AXES_CLIENT_STR_CALLABLE``.
[sarahboyce]
5.22.0 (2021-08-31)
-------------------
- Improve ``failures_since_start`` handling by moving the counter incrementation
from non-atomic Python code call to atomic database function.
[okapies]
- Add publicly available ``request.axes_failures_since_start`` attribute.
[okapies]
5.21.0 (2021-08-19)
-------------------
- Add configurable lockout HTTP status code responses
with the new ``AXES_HTTP_RESPONSE_CODE`` setting.
[phil-bell]
5.20.0 (2021-06-29)
-------------------
- Improve race condition handling in e.g. multi-process environments by using
``get_or_create`` for access attempt fetching and updates.
[uli-klank]
5.19.0 (2021-06-16)
-------------------
- Add Polish locale.
[Quadric]
5.18.0 (2021-06-09)
-------------------
- Fix ``default_auto_field`` warning.
[zkanda]
5.17.0 (2021-06-05)
-------------------
- Fix ``default_app_config`` deprecation.
Django 3.2 automatically detects ``AppConfig`` and therefore this setting is no longer required.
[nikolaik]
5.16.0 (2021-05-19)
-------------------
- Add ``AXES_CLIENT_STR_CALLABLE`` setting.
[smtydn]
5.15.0 (2021-05-03)
-------------------
- Add option to cleanse sensitive GET and POST params in database handler
with the ``AXES_SENSITIVE_PARAMETERS`` setting.
[mcoconnor]
5.14.0 (2021-04-06)
-------------------
- Improve message formatting for lockout message and translations.
[ashokdelphia]
- Remove support for Django 3.0.
[hramezani]
- Add support for Django 3.2.
[hramezani]
5.13.1 (2021-02-22)
-------------------
- Default ``AXES_VERBOSE`` to ``AXES_ENABLED`` configuration setting,
disabling verbose startup logging when Axes itself is disabled.
[christianbundy]
- Update documentation.
[KStenK]
5.13.0 (2021-02-15)
-------------------
- Add support for resetting attempts with cache backend.
[nattyg93]
5.12.0 (2021-01-07)
-------------------
- Clean up test structure and migrate tests outside
the main package for a smaller wheel distributions.
[aleksihakli]
- Move configuration to pyproject.toml for cleaner layout.
[aleksihakli]
- Clean up test settings override configuration.
[hramezani]
5.11.1 (2021-01-06)
-------------------
- Fix cache entry creations for None username.
[cabarnes]
5.11.0 (2021-01-05)
-------------------
- Add lockout view CORS support with ``AXES_ALLOWED_CORS_ORIGINS`` configuration flag.
[vladox]
- Add missing ``@wraps`` decorator to ``axes.decorators.axes_dispatch``.
[aleksihakli]
5.10.1 (2021-01-04)
-------------------
- Add ``DEFAULT_AUTO_FIELD`` to test settings.
[hramezani]
- Fix documentation language.
[danielquinn]
- Fix Python package version specifiers and remove redundant imports.
[aleksihakli]
5.10.0 (2020-12-18)
-------------------
- Deprecate stock DRF support from 5.8.0,
require users to set it up per project.
Check the documentation for more information.
[aleksihakli]
5.9.1 (2020-12-02)
------------------
- Move tests to GitHub Actions
[jezdez]
- Fix running Axes code in middleware when ``AXES_ENABLED`` is ``False``.
[ashokdelphia]
5.9.0 (2020-11-05)
------------------
- Add Python 3.9 support.
[hramezani]
- Prevent ``AccessAttempt`` creation with database handler when
username is not set and ``AXES_ONLY_USER_FAILURES`` setting is not set.
[hramezani]
5.8.0 (2020-10-16)
------------------
- Improve Django REST Framework (DRF) integration.
[Anatoly]
5.7.1 (2020-09-27)
------------------
- Adjust settings import and handling chain
for cleaner module import and invocation order.
[aleksihakli]
- Adjust the use of ``AXES_ENABLED`` flag so that
imports are always done the same way and initial log
is written regardless of the setting and it only affects
code that is decorated or wrapped with ``toggleable``.
[alekshakli]
5.7.0 (2020-09-26)
------------------
- Deprecate ``AXES_LOGGER`` Axes setting and move to ``__name__``
based logging and fully qualified Python module name log identifiers.
[aleksihakli]
5.6.2 (2020-09-20)
------------------
- Fix regression in ``axes_reset_user`` management command.
[aleksihakli]
5.6.1 (2020-09-17)
------------------
- Improve test dependency management and upgrade black code formatter.
[smithdc1]
5.6.0 (2020-09-12)
------------------
- Add proper development ``subTest`` support via ``pytest-subtests`` package.
[smithdc1]
- Deprecate ``django-appconf`` and use plain settings for Axes.
[aleksihakli]
5.5.2 (2020-09-11)
------------------
- Update deprecating use of the ``request.is_ajax`` method.
[smithdc1]
5.5.1 (2020-09-10)
------------------
- Update deprecated uses of Django modules and members.
[smithdc1]
5.5.0 (2020-08-21)
------------------
- Add support for locking requests based on
username OR IP address with inclusive or
using the ``LOCK_OUT_BY_USER_OR_IP`` flag.
[PetrDlouhy]
- Deprecate Signal ``providing_args`` for Django 3.1 support.
[coredumperror]
5.4.3 (2020-08-06)
------------------
- Add Django 3.1 support.
[hramezani]
5.4.2 (2020-07-28)
------------------
- Add ABC or abstract base class implementation for handlers.
[jorlugaqui]
5.4.1 (2020-07-03)
------------------
- Fix code styling for linters.
[aleksihakli]
5.4.0 (2020-07-03)
------------------
- Propagate username to lockout view in URL parameters.
[PetrDlouhy]
- Update CAPTCHA examples.
[PetrDlouhy]
- Upgrade django-ipware to version 3.
[hramezani,mnislam01]
5.3.5 (2020-07-02)
------------------
- Restrict ipware version for version compatibility.
[aleksihakli]
5.3.4 (2020-06-09)
------------------
- Deprecate Django 1.11 LTS support.
[aleksihakli]
5.3.3 (2020-05-22)
------------------
- Fix ``AXES_ONLY_ADMIN_SITE`` functionality when
no default admin site is defined in the URL configuration.
[igor-shevchenko]
5.3.2 (2020-05-15)
------------------
- Fix AppConf settings prefix for Fargate.
[marksweb]
5.3.1 (2020-03-23)
------------------
- Fix null byte ValueError bug in ORM.
[ddimmich]
5.3.0 (2020-03-10)
------------------
- Improve Django REST Framework compatibility.
[I0x4dI]
5.2.2 (2020-01-08)
------------------
- Add missing proxy implementation for
``axes.handlers.proxy.AxesProxyHandler.get_failures``.
[aleksihakli]
5.2.1 (2020-01-08)
------------------
- Add django-reversion compatibility notes.
[mark-mishyn]
- Add pluggable lockout responses and the
``AXES_LOCKOUT_CALLABLE`` configuration flag.
[aleksihakli]
5.2.0 (2020-01-01)
------------------
- Add a test handler.
[aidanlister]
5.1.0 (2019-12-29)
------------------
- Add pluggable user account whitelisting and the
``AXES_WHITELIST_CALLABLE`` configuration flag.
[aleksihakli]
5.0.20 (2019-12-01)
-------------------
- Fix django-allauth compatibility issue.
[hramezani]
- Improve tests for login attempt monitoring.
[hramezani]
- Add reverse proxy documentation.
[ckcollab]
- Update OAuth documentation examples.
[aleksihakli]
5.0.19 (2019-11-06)
-------------------
- Optimize access attempt fetching in database handler.
[hramezani]
- Optimize request data fetching in proxy handler.
[hramezani]
5.0.18 (2019-10-17)
-------------------
- Add ``cooloff_timedelta`` context variable to lockout responses.
[jstockwin]
5.0.17 (2019-10-15)
-------------------
- Safer string formatting for user input.
[aleksihakli]
5.0.16 (2019-10-15)
-------------------
- Fix string formatting bug in logging.
[zerolab]
5.0.15 (2019-10-09)
-------------------
- Add ``AXES_ENABLE_ADMIN`` flag.
[flannelhead]
5.0.14 (2019-09-28)
-------------------
- Docs, CI pipeline, and code formatting improvements
[aleksihakli]
5.0.13 (2019-08-30)
-------------------
- Python 3.8 and PyPy support.
[aleksihakli]
- Migrate to ``setuptools_scm`` and automatic versioning.
[aleksihakli]
5.0.12 (2019-08-05)
-------------------
- Support callables for ``AXES_COOLOFF_TIME`` setting.
[DariaPlotnikova]
5.0.11 (2019-07-25)
-------------------
- Fix typo in rST formatting that prevented 5.0.10 release to PyPI.
[aleksihakli]
5.0.10 (2019-07-25)
-------------------
- Refactor type checks for ``axes.helpers.get_client_cache_key``
for framework compatibility, fixes #471.
[aleksihakli]
5.0.9 (2019-07-11)
------------------
- Add better handling for attempt and log resets by moving them
into handlers which allows customization and more configurability.
Unimplemented handlers raise ``NotImplementedError`` by default.
[aleksihakli]
- Add Python 3.8 dev version and PyPy to the Travis test matrix.
[aleksihakli]
5.0.8 (2019-07-09)
------------------
- Add ``AXES_ONLY_ADMIN_SITE`` flag for only running Axes on admin site.
[hramezani]
- Add ``axes_reset_logs`` command for removing old AccessLog records.
[tlebrize]
- Allow ``AxesBackend`` subclasses to pass the ``axes.W003`` system check.
[adamchainz]
5.0.7 (2019-06-14)
------------------
- Fix lockout message showing when lockout is disabled
with the ``AXES_LOCK_OUT_AT_FAILURE`` setting.
[mogzol]
- Add support for callable ``AXES_FAILURE_LIMIT`` setting.
[bbayles]
5.0.6 (2019-05-25)
------------------
- Deprecate ``AXES_DISABLE_SUCCESS_ACCESS_LOG`` flag in favour of
``AXES_DISABLE_ACCESS_LOG`` which has mostly the same functionality.
Update documentation to better reflect the behaviour of the flag.
[aleksihakli]
5.0.5 (2019-05-19)
------------------
- Change the lockout response calculation to request flagging
instead of exception throwing in the signal handler and middleware.
Move request attribute calculation from middleware to handler layer.
Deprecate ``axes.request.AxesHttpRequest`` object type definition.
[aleksihakli]
- Deprecate the old version 4.x ``axes.backends.AxesModelBackend`` class.
[aleksihakli]
- Improve documentation on attempt tracking, resets, Axes customization,
project and component compatibility and integrations, and other things.
[aleksihakli]
5.0.4 (2019-05-09)
------------------
- Fix regression with OAuth2 authentication backends not having remote
IP addresses set and throwing an exception in cache key calculation.
[aleksihakli]
5.0.3 (2019-05-08)
------------------
- Fix ``django.contrib.auth`` module ``login`` and ``logout`` functionality
so that they work with the handlers without the an ``AxesHttpRequest``
to improve cross compatibility with other Django applications.
[aleksihakli]
- Change IP address resolution to allow empty or missing addresses.
[aleksihakli]
- Add error logging for missing request attributes in the handler layer
so that users get better indicators of misconfigured applications.
[aleksihakli]
5.0.2 (2019-05-07)
------------------
- Add ``AXES_ENABLED`` setting for disabling Axes with e.g. tests
that use Django test client ``login``, ``logout``, and ``force_login``
methods, which do not supply the ``request`` argument to views,
preventing Axes from functioning correctly in certain test setups.
[aleksihakli]
5.0.1 (2019-05-03)
------------------
- Add changelog to documentation.
[aleksihakli]
5.0 (2019-05-01)
----------------
- Deprecate Python 2.7, 3.4 and 3.5 support.
[aleksihakli]
- Remove automatic decoration and monkey-patching of Django views and forms.
Decorators are available for login function and method decoration as before.
[aleksihakli]
- Use backend, middleware, and signal handlers for tracking
login attempts and implementing user lockouts.
[aleksihakli, jorlugaqui, joshua-s]
- Add ``AxesDatabaseHandler``, ``AxesCacheHandler``, and ``AxesDummyHandler``
handler backends for processing user login and logout events and failures.
Handlers are configurable with the ``AXES_HANDLER`` setting.
[aleksihakli, jorlugaqui, joshua-s]
- Improve management commands and separate commands for resetting
all access attempts, attempts by IP, and attempts by username.
New command names are ``axes_reset``, ``axes_reset_ip`` and ``axes_reset_username``.
[aleksihakli]
- Add support for string import for ``AXES_USERNAME_CALLABLE``
that supports dotted paths in addition to the old
callable type such as a function or a class method.
[aleksihakli]
- Deprecate one argument call signature for ``AXES_USERNAME_CALLABLE``.
From now on, the callable needs to accept two arguments,
the HttpRequest and credentials that are supplied to the
Django ``authenticate`` method in authentication backends.
[aleksihakli]
- Move ``axes.attempts.is_already_locked`` function to ``axes.handlers.AxesProxyHandler.is_locked``.
Various other previously undocumented methods have been deprecated and moved inside the project.
The new documented public APIs can be considered as stable and can be safely utilized by other projects.
[aleksihakli]
- Improve documentation layouting and contents. Add public API reference section.
[aleksihakli]
4.5.4 (2019-01-15)
------------------
- Improve README and documentation
[aleksihakli]
4.5.3 (2019-01-14)
------------------
- Remove the unused ``AccessAttempt.trusted`` flag from models
[aleksihakli]
- Improve README and Travis CI setups
[aleksihakli]
4.5.2 (2019-01-12)
------------------
- Added Turkish translations
[obayhan]
4.5.1 (2019-01-11)
------------------
- Removed duplicated check that was causing issues when using APIs.
[camilonova]
- Added Russian translations
[lubicz-sielski]
4.5.0 (2018-12-25)
------------------
- Improve support for custom authentication credentials using the
``AXES_USERNAME_FORM_FIELD`` and ``AXES_USERNAME_CALLABLE`` settings.
[mastacheata]
- Updated behaviour for fetching username from request or credentials:
If no ``AXES_USERNAME_CALLABLE`` is configured, the optional
``credentials`` that are supplied to the axes utility methods
are now the default source for client username and the HTTP
request POST is the fallback for fetching the user information.
``AXES_USERNAME_CALLABLE`` implements an alternative signature with two
arguments ``request, credentials`` in addition to the old ``request``
call argument signature in a backwards compatible fashion.
[aleksihakli]
- Add official support for the Django 2.1 version and Python 3.7.
[aleksihakli]
- Improve the requirements, documentation, tests, and CI setup.
[aleksihakli]
4.4.3 (2018-12-08)
------------------
- Fix MANIFEST.in missing German translations
[aleksihakli]
- Add `AXES_RESET_ON_SUCCESS` configuration flag
[arjenzijlstra]
4.4.2 (2018-10-30)
------------------
- fix missing migration and add check to prevent it happening again.
[markddavidoff]
4.4.1 (2018-10-24)
------------------
- Add a German translation
[adonig]
- Documentation wording changes
[markddavidoff]
- Use `get_client_username` in `log_user_login_failed` instead of credentials
[markddavidoff]
- pin prospector to 0.12.11, and pin astroid to 1.6.5
[hsiaoyi0504]
4.4.0 (2018-05-26)
------------------
- Added AXES_USERNAME_CALLABLE
[jaadus]
4.3.1 (2018-04-21)
------------------
- Change custom authentication backend failures from error to warning log level
[aleksihakli]
- Set up strict code linting for CI pipeline that fails builds if linting does not pass
[aleksihakli]
- Clean up old code base and tests based on linter errors
[aleksihakli]
4.3.0 (2018-04-21)
------------------
- Refactor and clean up code layout
[aleksihakli]
- Add prospector linting and code checks to toolchain
[aleksihakli]
- Clean up log message formatting and refactor type checks
[EvaSDK]
- Fix faulty user locking with user agent when AXES_ONLY_USER_FAILURES is set
[EvaSDK]
4.2.1 (2018-04-18)
------------------
- Fix unicode string interpolation on Python 2.7
[aleksihakli]
4.2.0 (2018-04-13)
------------------
- Add configuration flags for client IP resolving
[aleksihakli]
- Add AxesModelBackend authentication backend
[markdaviddoff]
4.1.0 (2018-02-18)
------------------
- Add AXES_CACHE setting for configuring `axes` specific caching.
[JWvDronkelaar]
- Add checks and tests for faulty LocMemCache usage in application setup.
[aleksihakli]
4.0.2 (2018-01-19)
------------------
- Improve Windows compatibility on Python < 3.4 by utilizing win_inet_pton
[hsiaoyi0504]
- Add documentation on django-allauth integration
[grucha]
- Add documentation on known AccessAttempt caching configuration problems
when using axes with the `django.core.cache.backends.locmem.LocMemCache`
[aleksihakli]
- Refactor and improve existing AccessAttempt cache reset utility
[aleksihakli]
4.0.1 (2017-12-19)
------------------
- Fixes issue when not using `AXES_USERNAME_FORM_FIELD`
[camilonova]
4.0.0 (2017-12-18)
------------------
- *BREAKING CHANGES*. `AXES_BEHIND_REVERSE_PROXY` `AXES_REVERSE_PROXY_HEADER`
`AXES_NUM_PROXIES` were removed in order to use `django-ipware` to get
the user ip address
[camilonova]
- Added support for custom username field
[kakulukia]
- Customizing Axes doc updated
[pckapps]
- Remove filtering by username
[camilonova]
- Fixed logging failed attempts to authenticate using a custom authentication
backend.
[D3X]
3.0.3 (2017-11-23)
------------------
- Test against Python 2.7.
[mbaechtold]
- Test against Python 3.4.
[pope1ni]
3.0.2 (2017-11-21)
------------------
- Added form_invalid decorator. Fixes #265
[camilonova]
3.0.1 (2017-11-17)
------------------
- Fix DeprecationWarning for logger warning
[richardowen]
- Fixes global lockout possibility
[joeribekker]
- Changed the way output is handled in the management commands
[ataylor32]
3.0.0 (2017-11-17)
------------------
- BREAKING CHANGES. Support for Django >= 1.11 and signals, see issue #215.
Drop support for Python < 3.6
[camilonova]
2.3.3 (2017-07-20)
------------------
- Many tweaks and handles successful AJAX logins.
[Jack Sullivan]
- Add tests for proxy number parametrization
[aleksihakli]
- Add AXES_NUM_PROXIES setting
[aleksihakli]
- Log failed access attempts regardless of settings
[jimr]
- Updated configuration docs to include AXES_IP_WHITELIST
[Minkey27]
- Add test for get_cache_key function
[jorlugaqui]
- Delete cache key in reset command line
[jorlugaqui]
- Add signals for setting/deleting cache keys
[jorlugaqui]
2.3.2 (2016-11-24)
------------------
- Only look for lockable users on a POST
[schinckel]
- Fix and add tests for IPv4 and IPv6 parsing
[aleksihakli]
2.3.1 (2016-11-12)
------------------
- Added settings for disabling success accesslogs
[Minkey27]
- Fixed illegal IP address string passed to inet_pton
[samkuehn]
2.3.0 (2016-11-04)
------------------
- Fixed ``axes_reset`` management command to skip "ip" prefix to command
arguments.
[EvaMarques]
- Added ``axes_reset_user`` management command to reset lockouts and failed
login records for given users.
[vladimirnani]
- Fixed Travis-PyPI release configuration.
[jezdez]
- Make IP position argument optional.
[aredalen]
- Added possibility to disable access log
[svenhertle]
- Fix for IIS used as reverse proxy adding port number
[Dmitri-Sintsov]
- Made the signal race condition safe.
[Minkey27]
- Added AXES_ONLY_USER_FAILURES to support only looking at the user ID.
[lip77us]
2.2.0 (2016-07-20)
------------------
- Improve the logic when using a reverse proxy to avoid possible attacks.
[camilonova]
2.1.0 (2016-07-14)
------------------
- Add `default_app_config` so you can just use `axes` in `INSTALLED_APPS`
[vdboor]
2.0.0 (2016-06-24)
------------------
- Removed middleware to use app_config
[camilonova]
- Lots of cleaning
[camilonova]
- Improved test suite and versions
[camilonova]
1.7.0 (2016-06-10)
------------------
- Use render shortcut for rendering LOCKOUT_TEMPLATE
[Radoslaw Luter]
- Added app_label for RemovedInDjango19Warning
[yograterol]
- Add iso8601 translator.
[mullakhmetov]
- Edit json response. Context now contains ISO 8601 formatted cooloff time
[mullakhmetov]
- Add json response and iso8601 tests.
[mullakhmetov]
- Fixes issue 162: UnicodeDecodeError on pip install
[joeribekker]
- Added AXES_NEVER_LOCKOUT_WHITELIST option to prevent certain IPs from being locked out.
[joeribekker]
1.6.1 (2016-05-13)
------------------
- Fixes whitelist check when BEHIND_REVERSE_PROXY
[Patrick Hagemeister]
- Made migrations py3 compatible
[mvdwaeter]
- Fixing #126, possibly breaking compatibility with Django<=1.7
[int-ua]
- Add note for upgrading users about new migration files
[kelseyq]
- Fixes #148
[camilonova]
- Decorate auth_views.login only once
[teeberg]
- Set IP public/private classifier to be compliant with RFC 1918.
[SilasX]
- Issue #155. Lockout response status code changed to 403.
[Arthur Mullahmetov]
- BUGFIX: Missing migration
[smeinel]
1.6.0 (2016-01-07)
------------------
- Stopped using render_to_response so that other template engines work
[tarkatronic]
- Improved performance & DoS prevention on query2str
[tarkatronic]
- Immediately return from is_already_locked if the user is not lockable
[jdunck]
- Iterate over ip addresses only once
[annp89]
- added initial migration files to support django 1.7 &up. Upgrading users should run migrate --fake-initial after update
[ibaguio]
- Add db indexes to CommonAccess model
[Schweigi]
1.5.0 (2015-09-11)
------------------
- Fix #_get_user_attempts to include username when filtering AccessAttempts if AXES_LOCK_OUT_BY_COMBINATION_USER_AND_IP is True
[afioca]
1.4.0 (2015-08-09)
------------------
- Send the user_locked_out signal. Fixes #94.
[toabi]
1.3.9 (2015-02-11)
------------------
- Python 3 fix (#104)
1.3.8 (2014-10-07)
------------------
- Rename GitHub organization from django-security to django-pci to emphasize focus on providing assistance with building PCI compliant websites with Django.
[aclark4life]
1.3.7 (2014-10-05)
------------------
- Explain common issues where Axes fails silently
[cericoda]
- Allow for user-defined username field for lookup in POST data
[SteveByerly]
- Log out only if user was logged in
[zoten]
- Support for floats in cooloff time (i.e: 0.1 == 6 minutes)
[marianov]
- Limit amount of POST data logged (#73). Limiting the length of value is not enough, as there could be arbitrary number of them, or very long key names.
[peterkuma]
- Improve get_ip to try for real ip address
[7wonders]
- Change IPAddressField to GenericIPAddressField. When using a PostgreSQL database and the client does not pass an IP address you get an inet error. This is a known problem with PostgreSQL and the IPAddressField. https://code.djangoproject.com/ticket/5622. It can be fixed by using a GenericIPAddressField instead.
[polvoblanco]
- Get first X-Forwarded-For IP
[tutumcloud]
- White listing IP addresses behind reverse proxy. Allowing some IP addresses to have direct access to the app even if they are behind a reverse proxy. Those IP addresses must still be on a white list.
[ericbulloch]
- Reduce logging of reverse proxy IP lookup and use configured logger. Fixes #76. Instead of logging the notice that django.axes looks for a HTTP header set by a reverse proxy on each attempt, just log it one-time on first module import. Also use the configured logger (by default axes.watch_login) for the message to be more consistent in logging.
[eht16]
- Limit the length of the values logged into the database. Refs #73
[camilonova]
- Refactored tests to be more stable and faster
[camilonova]
- Clean client references
[camilonova]
- Fixed admin login url
[camilonova]
- Added django 1.7 for testing
[camilonova]
- Travis file cleanup
[camilonova]
- Remove hardcoded url path
[camilonova]
- Fixing tests for django 1.7
[Andrew-Crosio]
- Fix for django 1.7 exception not existing
[Andrew-Crosio]
- Removed python 2.6 from testing
[camilonova]
- Use django built-in six version
[camilonova]
- Added six as requirement
[camilonova]
- Added python 2.6 for travis testing
[camilonova]
- Replaced u string literal prefixes with six.u() calls
[amrhassan]
- Fixes object type issue, response is not an string
[camilonova]
- Python 3 compatibility fix for db_reset
[nicois]
- Added example project and helper scripts
[barseghyanartur]
- Admin command to list login attemps
[marianov]
- Replaced six imports with django.utils.six ones
[amrhassan]
- Replaced u string literal prefixes with six.u() calls to make it compatible with Python 3.2
[amrhassan]
- Replaced `assertIn`s and `assertNotIn`s with `assertContains` and `assertNotContains`
[fcurella]
- Added py3k to travis
[fcurella]
- Update test cases to be python3 compatible
[nicois]
- Python 3 compatibility fix for db_reset
[nicois]
- Removed trash from example urls
[barseghyanartur]
- Added django installer
[barseghyanartur]
- Added example project and helper scripts
[barseghyanartur]
1.3.6 (2013-11-23)
------------------
- Added AttributeError in case get_profile doesn't exist
[camilonova]
- Improved axes_reset command
[camilonova]
1.3.5 (2013-11-01)
------------------
- Fix an issue with __version__ loading the wrong version
[graingert]
1.3.4 (2013-11-01)
------------------
- Update README.rst for PyPI
[marty, camilonova, graingert]
- Add cooloff period
[visualspace]
1.3.3 (2013-07-05)
------------------
- Added 'username' field to the Admin table
[bkvirendra]
- Removed fallback logging creation since logging cames by default on django 1.4 or later,
if you don't have it is because you explicitly wanted. Fixes #45
[camilonova]
1.3.2 (2013-03-28)
------------------
- Fix an issue when a user logout
[camilonova]
- Match pypi version
[camilonova]
- Better User model import method
[camilonova]
- Use only one place to get the version number
[camilonova]
- Fixed an issue when a user on django 1.4 logout
[camilonova]
- Handle exception if there is not user profile model set
[camilonova]
- Made some cleanup and remove a pokemon exception handling
[camilonova]
- Improved tests so it really looks for the rabbit in the hole
[camilonova]
- Match pypi version
[camilonova]
1.3.1 (2013-03-19)
------------------
- Add support for Django 1.5
[camilonova]
1.3.0 (2013-02-27)
------------------
- Bug fix: get_version() format string
[csghormley]
1.2.9 (2013-02-20)
------------------
- Add to and improve test cases
[camilonova]
1.2.8 (2013-01-23)
------------------
- Increased http accept header length
[jslatts]
1.2.7 (2013-01-17)
------------------
- Reverse proxy support
[rmagee]
- Clean up README
[martey]
1.2.6 (2012-12-04)
------------------
- Remove unused import
[aclark4life]
1.2.5 (2012-11-28)
------------------
- Fix setup.py
[aclark4life]
- Added ability to flag user accounts as unlockable.
[kencochrane]
- Added ipaddress as a param to the user_locked_out signal.
[kencochrane]
- Added a signal receiver for user_logged_out.
[kencochrane]
- Added a signal for when a user gets locked out.
[kencochrane]
- Added AccessLog model to log all access attempts.
[kencochrane]
Raw data
{
"_id": null,
"home_page": "https://github.com/youssef3laa/django-axes/tree/fork-5.27.0",
"name": "django-axes-forked",
"maintainer": "Jazzband",
"docs_url": null,
"requires_python": "~=3.6",
"maintainer_email": "security@jazzband.co",
"keywords": "authentication django pci security",
"author": "Josh VanderLinden, Philip Neustrom, Michael Blume, Alex Clark, Camilo Nova, Aleksi Hakli",
"author_email": "security@jazzband.co",
"download_url": "https://files.pythonhosted.org/packages/82/40/d42c75dd17423122c7520c1a30bf036c5e30a8371a5d45e654e65100cfdb/django-axes-forked-5.27.1.tar.gz",
"platform": null,
"description": "\ndjango-axes\n===========\n\n.. image:: https://jazzband.co/static/img/badge.svg\n :target: https://jazzband.co/\n :alt: Jazzband\n\n.. image:: https://img.shields.io/github/stars/jazzband/django-axes.svg?label=Stars&style=socialcA\n :target: https://github.com/jazzband/django-axes\n :alt: GitHub\n\n.. image:: https://img.shields.io/pypi/v/django-axes.svg\n :target: https://pypi.org/project/django-axes/\n :alt: PyPI release\n\n.. image:: https://img.shields.io/pypi/pyversions/django-axes.svg\n :target: https://pypi.org/project/django-axes/\n :alt: Supported Python versions\n\n.. image:: https://img.shields.io/pypi/djversions/django-axes.svg\n :target: https://pypi.org/project/django-axes/\n :alt: Supported Django versions\n\n.. image:: https://img.shields.io/readthedocs/django-axes.svg\n :target: https://django-axes.readthedocs.io/\n :alt: Documentation\n\n.. image:: https://github.com/jazzband/django-axes/workflows/Test/badge.svg\n :target: https://github.com/jazzband/django-axes/actions\n :alt: GitHub Actions\n\n.. image:: https://codecov.io/gh/jazzband/django-axes/branch/master/graph/badge.svg\n :target: https://codecov.io/gh/jazzband/django-axes\n :alt: Coverage\n\n\nAxes is a Django plugin for keeping track of suspicious\nlogin attempts for your Django based website\nand implementing simple brute-force attack blocking.\n\nThe name is sort of a geeky pun, since it can be interpreted as:\n\n* ``access``, as in monitoring access attempts, or\n* ``axes``, as in tools you can use to hack (generally on wood).\n\n\nFunctionality\n-------------\n\nAxes records login attempts to your Django powered site and prevents attackers\nfrom attempting further logins to your site when they exceed the configured attempt limit.\n\nAxes can track the attempts and persist them in the database indefinitely,\nor alternatively use a fast and DDoS resistant cache implementation.\n\nAxes can be configured to monitor login attempts by\nIP address, username, user agent, or their combinations.\n\nAxes supports cool off periods, IP address whitelisting and blacklisting,\nuser account whitelisting, and other features for Django access management.\n\n\nDocumentation\n-------------\n\nFor more information on installation and configuration see the documentation at:\n\nhttps://django-axes.readthedocs.io/\n\n\nIssues\n------\n\nIf you have questions or have trouble using the app please file a bug report at:\n\nhttps://github.com/jazzband/django-axes/issues\n\n\nContributions\n-------------\n\nAll contributions are welcome!\n\nIt is best to separate proposed changes and PRs into small, distinct patches\nby type so that they can be merged faster into upstream and released quicker.\n\nOne way to organize contributions would be to separate PRs for e.g.\n\n* bugfixes,\n* new features,\n* code and design improvements,\n* documentation improvements, or\n* tooling and CI improvements.\n\nMerging contributions requires passing the checks configured\nwith the CI. This includes running tests and linters successfully\non the currently officially supported Python and Django versions.\n\nThe test automation is run automatically with GitHub Actions, but you can\nrun it locally with the ``tox`` command before pushing commits.\n\nPlease note that this is a `Jazzband <https://jazzband.co>`_ project.\nBy contributing you agree to abide by the\n`Contributor Code of Conduct <https://jazzband.co/about/conduct>`_\nand follow the `guidelines <https://jazzband.co/about/guidelines>`_.\n\n\nChanges\n=======\n\n\n5.27.0 (2021-11-04)\n-------------------\n\n- Fix ``pkg_resources`` missing for package version resolution on runtime\n due to ``setuptools`` not being a runtime dependency.\n [asherf]\n- Add Python 3.10 and Django 3.2 support.\n [hramezani]\n\n\n5.26.0 (2021-10-11)\n-------------------\n\n- Fix ``AXES_USERNAME_CALLABLE`` not receiving ``credentials`` attribute\n in Axes middleware lockout response when user is locked out.\n [rootart]\n\n\n5.25.0 (2021-09-19)\n-------------------\n\n- Fix duplicated AccessAttempts\n with updated database model ``unique_together`` constraints\n and data and schema migration.\n [PetrDlouhy]\n\n\n5.24.0 (2021-09-09)\n-------------------\n\n- Use atomic transaction for updating AccessAttempts in database handler.\n [okapies]\n\n\n5.23.0 (2021-09-02)\n-------------------\n\n- Pass ``request`` as argument to ``AXES_CLIENT_STR_CALLABLE``.\n [sarahboyce]\n\n\n5.22.0 (2021-08-31)\n-------------------\n\n- Improve ``failures_since_start`` handling by moving the counter incrementation\n from non-atomic Python code call to atomic database function.\n [okapies]\n- Add publicly available ``request.axes_failures_since_start`` attribute.\n [okapies]\n\n\n5.21.0 (2021-08-19)\n-------------------\n\n- Add configurable lockout HTTP status code responses\n with the new ``AXES_HTTP_RESPONSE_CODE`` setting.\n [phil-bell]\n\n\n5.20.0 (2021-06-29)\n-------------------\n\n- Improve race condition handling in e.g. multi-process environments by using\n ``get_or_create`` for access attempt fetching and updates.\n [uli-klank]\n\n\n5.19.0 (2021-06-16)\n-------------------\n\n- Add Polish locale.\n [Quadric]\n\n\n5.18.0 (2021-06-09)\n-------------------\n\n- Fix ``default_auto_field`` warning.\n [zkanda]\n\n\n5.17.0 (2021-06-05)\n-------------------\n\n- Fix ``default_app_config`` deprecation.\n Django 3.2 automatically detects ``AppConfig`` and therefore this setting is no longer required.\n [nikolaik]\n\n\n5.16.0 (2021-05-19)\n-------------------\n\n- Add ``AXES_CLIENT_STR_CALLABLE`` setting.\n [smtydn]\n\n\n5.15.0 (2021-05-03)\n-------------------\n\n- Add option to cleanse sensitive GET and POST params in database handler\n with the ``AXES_SENSITIVE_PARAMETERS`` setting.\n [mcoconnor]\n\n\n5.14.0 (2021-04-06)\n-------------------\n\n- Improve message formatting for lockout message and translations.\n [ashokdelphia]\n- Remove support for Django 3.0.\n [hramezani]\n- Add support for Django 3.2.\n [hramezani]\n\n\n5.13.1 (2021-02-22)\n-------------------\n\n- Default ``AXES_VERBOSE`` to ``AXES_ENABLED`` configuration setting,\n disabling verbose startup logging when Axes itself is disabled.\n [christianbundy]\n- Update documentation.\n [KStenK]\n\n\n5.13.0 (2021-02-15)\n-------------------\n\n- Add support for resetting attempts with cache backend.\n [nattyg93]\n\n\n5.12.0 (2021-01-07)\n-------------------\n\n- Clean up test structure and migrate tests outside\n the main package for a smaller wheel distributions.\n [aleksihakli]\n- Move configuration to pyproject.toml for cleaner layout.\n [aleksihakli]\n- Clean up test settings override configuration.\n [hramezani]\n\n\n5.11.1 (2021-01-06)\n-------------------\n\n- Fix cache entry creations for None username.\n [cabarnes]\n\n\n5.11.0 (2021-01-05)\n-------------------\n\n- Add lockout view CORS support with ``AXES_ALLOWED_CORS_ORIGINS`` configuration flag.\n [vladox]\n- Add missing ``@wraps`` decorator to ``axes.decorators.axes_dispatch``.\n [aleksihakli]\n\n\n5.10.1 (2021-01-04)\n-------------------\n\n- Add ``DEFAULT_AUTO_FIELD`` to test settings.\n [hramezani]\n- Fix documentation language.\n [danielquinn] \n- Fix Python package version specifiers and remove redundant imports.\n [aleksihakli]\n\n\n5.10.0 (2020-12-18)\n-------------------\n\n- Deprecate stock DRF support from 5.8.0,\n require users to set it up per project.\n Check the documentation for more information.\n [aleksihakli]\n\n\n5.9.1 (2020-12-02)\n------------------\n\n- Move tests to GitHub Actions\n [jezdez]\n- Fix running Axes code in middleware when ``AXES_ENABLED`` is ``False``.\n [ashokdelphia]\n\n\n5.9.0 (2020-11-05)\n------------------\n\n- Add Python 3.9 support.\n [hramezani]\n- Prevent ``AccessAttempt`` creation with database handler when\n username is not set and ``AXES_ONLY_USER_FAILURES`` setting is not set.\n [hramezani]\n\n\n5.8.0 (2020-10-16)\n------------------\n\n- Improve Django REST Framework (DRF) integration.\n [Anatoly]\n\n\n5.7.1 (2020-09-27)\n------------------\n\n- Adjust settings import and handling chain\n for cleaner module import and invocation order.\n [aleksihakli]\n- Adjust the use of ``AXES_ENABLED`` flag so that\n imports are always done the same way and initial log\n is written regardless of the setting and it only affects\n code that is decorated or wrapped with ``toggleable``.\n [alekshakli]\n\n\n5.7.0 (2020-09-26)\n------------------\n\n- Deprecate ``AXES_LOGGER`` Axes setting and move to ``__name__``\n based logging and fully qualified Python module name log identifiers.\n [aleksihakli]\n\n\n5.6.2 (2020-09-20)\n------------------\n\n- Fix regression in ``axes_reset_user`` management command.\n [aleksihakli]\n\n\n5.6.1 (2020-09-17)\n------------------\n\n- Improve test dependency management and upgrade black code formatter.\n [smithdc1]\n\n\n5.6.0 (2020-09-12)\n------------------\n\n- Add proper development ``subTest`` support via ``pytest-subtests`` package.\n [smithdc1]\n- Deprecate ``django-appconf`` and use plain settings for Axes.\n [aleksihakli]\n\n\n5.5.2 (2020-09-11)\n------------------\n\n- Update deprecating use of the ``request.is_ajax`` method.\n [smithdc1]\n\n\n5.5.1 (2020-09-10)\n------------------\n\n- Update deprecated uses of Django modules and members.\n [smithdc1]\n\n\n5.5.0 (2020-08-21)\n------------------\n\n- Add support for locking requests based on\n username OR IP address with inclusive or\n using the ``LOCK_OUT_BY_USER_OR_IP`` flag.\n [PetrDlouhy]\n- Deprecate Signal ``providing_args`` for Django 3.1 support.\n [coredumperror]\n\n\n5.4.3 (2020-08-06)\n------------------\n\n- Add Django 3.1 support.\n [hramezani]\n\n\n5.4.2 (2020-07-28)\n------------------\n\n- Add ABC or abstract base class implementation for handlers.\n [jorlugaqui]\n\n\n5.4.1 (2020-07-03)\n------------------\n\n- Fix code styling for linters.\n [aleksihakli]\n\n\n5.4.0 (2020-07-03)\n------------------\n\n- Propagate username to lockout view in URL parameters.\n [PetrDlouhy]\n- Update CAPTCHA examples.\n [PetrDlouhy]\n- Upgrade django-ipware to version 3.\n [hramezani,mnislam01]\n\n\n5.3.5 (2020-07-02)\n------------------\n\n- Restrict ipware version for version compatibility.\n [aleksihakli]\n\n\n5.3.4 (2020-06-09)\n------------------\n\n- Deprecate Django 1.11 LTS support.\n [aleksihakli]\n\n\n5.3.3 (2020-05-22)\n------------------\n\n- Fix ``AXES_ONLY_ADMIN_SITE`` functionality when\n no default admin site is defined in the URL configuration.\n [igor-shevchenko]\n\n\n5.3.2 (2020-05-15)\n------------------\n\n- Fix AppConf settings prefix for Fargate.\n [marksweb]\n\n\n5.3.1 (2020-03-23)\n------------------\n\n- Fix null byte ValueError bug in ORM.\n [ddimmich]\n\n\n5.3.0 (2020-03-10)\n------------------\n\n- Improve Django REST Framework compatibility.\n [I0x4dI]\n\n\n5.2.2 (2020-01-08)\n------------------\n\n- Add missing proxy implementation for\n ``axes.handlers.proxy.AxesProxyHandler.get_failures``.\n [aleksihakli]\n\n\n5.2.1 (2020-01-08)\n------------------\n\n- Add django-reversion compatibility notes.\n [mark-mishyn]\n- Add pluggable lockout responses and the\n ``AXES_LOCKOUT_CALLABLE`` configuration flag.\n [aleksihakli]\n\n\n5.2.0 (2020-01-01)\n------------------\n\n- Add a test handler.\n [aidanlister]\n\n\n5.1.0 (2019-12-29)\n------------------\n\n- Add pluggable user account whitelisting and the\n ``AXES_WHITELIST_CALLABLE`` configuration flag.\n [aleksihakli]\n\n\n5.0.20 (2019-12-01)\n-------------------\n\n- Fix django-allauth compatibility issue.\n [hramezani]\n- Improve tests for login attempt monitoring.\n [hramezani]\n- Add reverse proxy documentation.\n [ckcollab]\n- Update OAuth documentation examples.\n [aleksihakli]\n\n\n5.0.19 (2019-11-06)\n-------------------\n\n- Optimize access attempt fetching in database handler.\n [hramezani]\n- Optimize request data fetching in proxy handler.\n [hramezani]\n\n\n5.0.18 (2019-10-17)\n-------------------\n\n- Add ``cooloff_timedelta`` context variable to lockout responses.\n [jstockwin]\n\n\n5.0.17 (2019-10-15)\n-------------------\n\n- Safer string formatting for user input.\n [aleksihakli]\n\n\n5.0.16 (2019-10-15)\n-------------------\n\n- Fix string formatting bug in logging.\n [zerolab]\n\n\n5.0.15 (2019-10-09)\n-------------------\n\n- Add ``AXES_ENABLE_ADMIN`` flag.\n [flannelhead]\n\n\n5.0.14 (2019-09-28)\n-------------------\n\n- Docs, CI pipeline, and code formatting improvements\n [aleksihakli]\n\n\n5.0.13 (2019-08-30)\n-------------------\n\n- Python 3.8 and PyPy support.\n [aleksihakli]\n- Migrate to ``setuptools_scm`` and automatic versioning.\n [aleksihakli]\n\n\n5.0.12 (2019-08-05)\n-------------------\n\n- Support callables for ``AXES_COOLOFF_TIME`` setting.\n [DariaPlotnikova]\n\n\n5.0.11 (2019-07-25)\n-------------------\n\n- Fix typo in rST formatting that prevented 5.0.10 release to PyPI.\n [aleksihakli]\n\n\n5.0.10 (2019-07-25)\n-------------------\n\n- Refactor type checks for ``axes.helpers.get_client_cache_key``\n for framework compatibility, fixes #471.\n [aleksihakli]\n\n\n5.0.9 (2019-07-11)\n------------------\n\n- Add better handling for attempt and log resets by moving them\n into handlers which allows customization and more configurability.\n Unimplemented handlers raise ``NotImplementedError`` by default.\n [aleksihakli]\n- Add Python 3.8 dev version and PyPy to the Travis test matrix.\n [aleksihakli]\n\n\n5.0.8 (2019-07-09)\n------------------\n\n- Add ``AXES_ONLY_ADMIN_SITE`` flag for only running Axes on admin site.\n [hramezani]\n- Add ``axes_reset_logs`` command for removing old AccessLog records.\n [tlebrize]\n- Allow ``AxesBackend`` subclasses to pass the ``axes.W003`` system check.\n [adamchainz]\n\n\n5.0.7 (2019-06-14)\n------------------\n\n- Fix lockout message showing when lockout is disabled\n with the ``AXES_LOCK_OUT_AT_FAILURE`` setting.\n [mogzol]\n\n- Add support for callable ``AXES_FAILURE_LIMIT`` setting.\n [bbayles]\n\n\n5.0.6 (2019-05-25)\n------------------\n\n- Deprecate ``AXES_DISABLE_SUCCESS_ACCESS_LOG`` flag in favour of\n ``AXES_DISABLE_ACCESS_LOG`` which has mostly the same functionality.\n Update documentation to better reflect the behaviour of the flag.\n [aleksihakli]\n\n\n5.0.5 (2019-05-19)\n------------------\n\n- Change the lockout response calculation to request flagging\n instead of exception throwing in the signal handler and middleware.\n Move request attribute calculation from middleware to handler layer.\n Deprecate ``axes.request.AxesHttpRequest`` object type definition.\n [aleksihakli]\n\n- Deprecate the old version 4.x ``axes.backends.AxesModelBackend`` class.\n [aleksihakli]\n\n- Improve documentation on attempt tracking, resets, Axes customization,\n project and component compatibility and integrations, and other things.\n [aleksihakli]\n\n\n5.0.4 (2019-05-09)\n------------------\n\n- Fix regression with OAuth2 authentication backends not having remote\n IP addresses set and throwing an exception in cache key calculation.\n [aleksihakli]\n\n\n5.0.3 (2019-05-08)\n------------------\n\n- Fix ``django.contrib.auth`` module ``login`` and ``logout`` functionality\n so that they work with the handlers without the an ``AxesHttpRequest``\n to improve cross compatibility with other Django applications.\n [aleksihakli]\n\n- Change IP address resolution to allow empty or missing addresses.\n [aleksihakli]\n\n- Add error logging for missing request attributes in the handler layer\n so that users get better indicators of misconfigured applications.\n [aleksihakli]\n\n\n5.0.2 (2019-05-07)\n------------------\n\n- Add ``AXES_ENABLED`` setting for disabling Axes with e.g. tests\n that use Django test client ``login``, ``logout``, and ``force_login``\n methods, which do not supply the ``request`` argument to views,\n preventing Axes from functioning correctly in certain test setups.\n [aleksihakli]\n\n\n5.0.1 (2019-05-03)\n------------------\n\n- Add changelog to documentation.\n [aleksihakli]\n\n\n5.0 (2019-05-01)\n----------------\n\n- Deprecate Python 2.7, 3.4 and 3.5 support.\n [aleksihakli]\n\n- Remove automatic decoration and monkey-patching of Django views and forms.\n Decorators are available for login function and method decoration as before.\n [aleksihakli]\n\n- Use backend, middleware, and signal handlers for tracking\n login attempts and implementing user lockouts.\n [aleksihakli, jorlugaqui, joshua-s]\n\n- Add ``AxesDatabaseHandler``, ``AxesCacheHandler``, and ``AxesDummyHandler``\n handler backends for processing user login and logout events and failures.\n Handlers are configurable with the ``AXES_HANDLER`` setting.\n [aleksihakli, jorlugaqui, joshua-s]\n\n- Improve management commands and separate commands for resetting\n all access attempts, attempts by IP, and attempts by username.\n New command names are ``axes_reset``, ``axes_reset_ip`` and ``axes_reset_username``.\n [aleksihakli]\n\n- Add support for string import for ``AXES_USERNAME_CALLABLE``\n that supports dotted paths in addition to the old\n callable type such as a function or a class method.\n [aleksihakli]\n\n- Deprecate one argument call signature for ``AXES_USERNAME_CALLABLE``.\n From now on, the callable needs to accept two arguments,\n the HttpRequest and credentials that are supplied to the\n Django ``authenticate`` method in authentication backends.\n [aleksihakli]\n\n- Move ``axes.attempts.is_already_locked`` function to ``axes.handlers.AxesProxyHandler.is_locked``.\n Various other previously undocumented methods have been deprecated and moved inside the project.\n The new documented public APIs can be considered as stable and can be safely utilized by other projects.\n [aleksihakli]\n\n- Improve documentation layouting and contents. Add public API reference section.\n [aleksihakli]\n\n\n4.5.4 (2019-01-15)\n------------------\n\n- Improve README and documentation\n [aleksihakli]\n\n\n4.5.3 (2019-01-14)\n------------------\n\n- Remove the unused ``AccessAttempt.trusted`` flag from models\n [aleksihakli]\n\n- Improve README and Travis CI setups\n [aleksihakli]\n\n\n4.5.2 (2019-01-12)\n------------------\n\n- Added Turkish translations\n [obayhan]\n\n\n4.5.1 (2019-01-11)\n------------------\n\n- Removed duplicated check that was causing issues when using APIs.\n [camilonova]\n\n- Added Russian translations\n [lubicz-sielski]\n\n\n4.5.0 (2018-12-25)\n------------------\n\n- Improve support for custom authentication credentials using the\n ``AXES_USERNAME_FORM_FIELD`` and ``AXES_USERNAME_CALLABLE`` settings.\n [mastacheata]\n\n- Updated behaviour for fetching username from request or credentials:\n If no ``AXES_USERNAME_CALLABLE`` is configured, the optional\n ``credentials`` that are supplied to the axes utility methods\n are now the default source for client username and the HTTP\n request POST is the fallback for fetching the user information.\n ``AXES_USERNAME_CALLABLE`` implements an alternative signature with two\n arguments ``request, credentials`` in addition to the old ``request``\n call argument signature in a backwards compatible fashion.\n [aleksihakli]\n\n- Add official support for the Django 2.1 version and Python 3.7.\n [aleksihakli]\n\n- Improve the requirements, documentation, tests, and CI setup.\n [aleksihakli]\n\n\n4.4.3 (2018-12-08)\n------------------\n\n- Fix MANIFEST.in missing German translations\n [aleksihakli]\n\n- Add `AXES_RESET_ON_SUCCESS` configuration flag\n [arjenzijlstra]\n\n\n4.4.2 (2018-10-30)\n------------------\n\n- fix missing migration and add check to prevent it happening again.\n [markddavidoff]\n\n\n4.4.1 (2018-10-24)\n------------------\n\n- Add a German translation\n [adonig]\n\n- Documentation wording changes\n [markddavidoff]\n\n- Use `get_client_username` in `log_user_login_failed` instead of credentials\n [markddavidoff]\n\n- pin prospector to 0.12.11, and pin astroid to 1.6.5\n [hsiaoyi0504]\n\n\n4.4.0 (2018-05-26)\n------------------\n\n- Added AXES_USERNAME_CALLABLE\n [jaadus]\n\n\n4.3.1 (2018-04-21)\n------------------\n\n- Change custom authentication backend failures from error to warning log level\n [aleksihakli]\n\n- Set up strict code linting for CI pipeline that fails builds if linting does not pass\n [aleksihakli]\n\n- Clean up old code base and tests based on linter errors\n [aleksihakli]\n\n\n4.3.0 (2018-04-21)\n------------------\n\n- Refactor and clean up code layout\n [aleksihakli]\n\n- Add prospector linting and code checks to toolchain\n [aleksihakli]\n\n- Clean up log message formatting and refactor type checks\n [EvaSDK]\n\n- Fix faulty user locking with user agent when AXES_ONLY_USER_FAILURES is set\n [EvaSDK]\n\n\n4.2.1 (2018-04-18)\n------------------\n\n- Fix unicode string interpolation on Python 2.7\n [aleksihakli]\n\n\n4.2.0 (2018-04-13)\n------------------\n\n- Add configuration flags for client IP resolving\n [aleksihakli]\n\n- Add AxesModelBackend authentication backend\n [markdaviddoff]\n\n\n4.1.0 (2018-02-18)\n------------------\n\n- Add AXES_CACHE setting for configuring `axes` specific caching.\n [JWvDronkelaar]\n\n- Add checks and tests for faulty LocMemCache usage in application setup.\n [aleksihakli]\n\n\n4.0.2 (2018-01-19)\n------------------\n\n- Improve Windows compatibility on Python < 3.4 by utilizing win_inet_pton\n [hsiaoyi0504]\n\n- Add documentation on django-allauth integration\n [grucha]\n\n- Add documentation on known AccessAttempt caching configuration problems\n when using axes with the `django.core.cache.backends.locmem.LocMemCache`\n [aleksihakli]\n\n- Refactor and improve existing AccessAttempt cache reset utility\n [aleksihakli]\n\n\n4.0.1 (2017-12-19)\n------------------\n\n- Fixes issue when not using `AXES_USERNAME_FORM_FIELD`\n [camilonova]\n\n\n4.0.0 (2017-12-18)\n------------------\n\n- *BREAKING CHANGES*. `AXES_BEHIND_REVERSE_PROXY` `AXES_REVERSE_PROXY_HEADER`\n `AXES_NUM_PROXIES` were removed in order to use `django-ipware` to get\n the user ip address\n [camilonova]\n\n- Added support for custom username field\n [kakulukia]\n\n- Customizing Axes doc updated\n [pckapps]\n\n- Remove filtering by username\n [camilonova]\n\n- Fixed logging failed attempts to authenticate using a custom authentication\n backend.\n [D3X]\n\n\n3.0.3 (2017-11-23)\n------------------\n\n- Test against Python 2.7.\n [mbaechtold]\n\n- Test against Python 3.4.\n [pope1ni]\n\n\n3.0.2 (2017-11-21)\n------------------\n\n- Added form_invalid decorator. Fixes #265\n [camilonova]\n\n\n3.0.1 (2017-11-17)\n------------------\n\n- Fix DeprecationWarning for logger warning\n [richardowen]\n\n- Fixes global lockout possibility\n [joeribekker]\n\n- Changed the way output is handled in the management commands\n [ataylor32]\n\n\n3.0.0 (2017-11-17)\n------------------\n\n- BREAKING CHANGES. Support for Django >= 1.11 and signals, see issue #215.\n Drop support for Python < 3.6\n [camilonova]\n\n\n2.3.3 (2017-07-20)\n------------------\n\n- Many tweaks and handles successful AJAX logins.\n [Jack Sullivan]\n\n- Add tests for proxy number parametrization\n [aleksihakli]\n\n- Add AXES_NUM_PROXIES setting\n [aleksihakli]\n\n- Log failed access attempts regardless of settings\n [jimr]\n\n- Updated configuration docs to include AXES_IP_WHITELIST\n [Minkey27]\n\n- Add test for get_cache_key function\n [jorlugaqui]\n\n- Delete cache key in reset command line\n [jorlugaqui]\n\n- Add signals for setting/deleting cache keys\n [jorlugaqui]\n\n\n2.3.2 (2016-11-24)\n------------------\n\n- Only look for lockable users on a POST\n [schinckel]\n\n- Fix and add tests for IPv4 and IPv6 parsing\n [aleksihakli]\n\n\n2.3.1 (2016-11-12)\n------------------\n\n- Added settings for disabling success accesslogs\n [Minkey27]\n\n- Fixed illegal IP address string passed to inet_pton\n [samkuehn]\n\n\n2.3.0 (2016-11-04)\n------------------\n\n- Fixed ``axes_reset`` management command to skip \"ip\" prefix to command\n arguments.\n [EvaMarques]\n\n- Added ``axes_reset_user`` management command to reset lockouts and failed\n login records for given users.\n [vladimirnani]\n\n- Fixed Travis-PyPI release configuration.\n [jezdez]\n\n- Make IP position argument optional.\n [aredalen]\n\n- Added possibility to disable access log\n [svenhertle]\n\n- Fix for IIS used as reverse proxy adding port number\n [Dmitri-Sintsov]\n\n- Made the signal race condition safe.\n [Minkey27]\n\n- Added AXES_ONLY_USER_FAILURES to support only looking at the user ID.\n [lip77us]\n\n\n2.2.0 (2016-07-20)\n------------------\n\n- Improve the logic when using a reverse proxy to avoid possible attacks.\n [camilonova]\n\n\n2.1.0 (2016-07-14)\n------------------\n\n- Add `default_app_config` so you can just use `axes` in `INSTALLED_APPS`\n [vdboor]\n\n\n2.0.0 (2016-06-24)\n------------------\n\n- Removed middleware to use app_config\n [camilonova]\n\n- Lots of cleaning\n [camilonova]\n\n- Improved test suite and versions\n [camilonova]\n\n\n1.7.0 (2016-06-10)\n------------------\n\n- Use render shortcut for rendering LOCKOUT_TEMPLATE\n [Radoslaw Luter]\n\n- Added app_label for RemovedInDjango19Warning\n [yograterol]\n\n- Add iso8601 translator.\n [mullakhmetov]\n\n- Edit json response. Context now contains ISO 8601 formatted cooloff time\n [mullakhmetov]\n\n- Add json response and iso8601 tests.\n [mullakhmetov]\n\n- Fixes issue 162: UnicodeDecodeError on pip install\n [joeribekker]\n\n- Added AXES_NEVER_LOCKOUT_WHITELIST option to prevent certain IPs from being locked out.\n [joeribekker]\n\n\n1.6.1 (2016-05-13)\n------------------\n\n- Fixes whitelist check when BEHIND_REVERSE_PROXY\n [Patrick Hagemeister]\n\n- Made migrations py3 compatible\n [mvdwaeter]\n\n- Fixing #126, possibly breaking compatibility with Django<=1.7\n [int-ua]\n\n- Add note for upgrading users about new migration files\n [kelseyq]\n\n- Fixes #148\n [camilonova]\n\n- Decorate auth_views.login only once\n [teeberg]\n\n- Set IP public/private classifier to be compliant with RFC 1918.\n [SilasX]\n\n- Issue #155. Lockout response status code changed to 403.\n [Arthur Mullahmetov]\n\n- BUGFIX: Missing migration\n [smeinel]\n\n\n1.6.0 (2016-01-07)\n------------------\n\n- Stopped using render_to_response so that other template engines work\n [tarkatronic]\n\n- Improved performance & DoS prevention on query2str\n [tarkatronic]\n\n- Immediately return from is_already_locked if the user is not lockable\n [jdunck]\n\n- Iterate over ip addresses only once\n [annp89]\n\n- added initial migration files to support django 1.7 &up. Upgrading users should run migrate --fake-initial after update\n [ibaguio]\n\n- Add db indexes to CommonAccess model\n [Schweigi]\n\n\n1.5.0 (2015-09-11)\n------------------\n\n- Fix #_get_user_attempts to include username when filtering AccessAttempts if AXES_LOCK_OUT_BY_COMBINATION_USER_AND_IP is True\n [afioca]\n\n\n1.4.0 (2015-08-09)\n------------------\n\n- Send the user_locked_out signal. Fixes #94.\n [toabi]\n\n\n1.3.9 (2015-02-11)\n------------------\n\n- Python 3 fix (#104)\n\n\n1.3.8 (2014-10-07)\n------------------\n\n- Rename GitHub organization from django-security to django-pci to emphasize focus on providing assistance with building PCI compliant websites with Django.\n [aclark4life]\n\n\n1.3.7 (2014-10-05)\n------------------\n\n- Explain common issues where Axes fails silently\n [cericoda]\n\n- Allow for user-defined username field for lookup in POST data\n [SteveByerly]\n\n- Log out only if user was logged in\n [zoten]\n\n- Support for floats in cooloff time (i.e: 0.1 == 6 minutes)\n [marianov]\n\n- Limit amount of POST data logged (#73). Limiting the length of value is not enough, as there could be arbitrary number of them, or very long key names.\n [peterkuma]\n\n- Improve get_ip to try for real ip address\n [7wonders]\n\n- Change IPAddressField to GenericIPAddressField. When using a PostgreSQL database and the client does not pass an IP address you get an inet error. This is a known problem with PostgreSQL and the IPAddressField. https://code.djangoproject.com/ticket/5622. It can be fixed by using a GenericIPAddressField instead.\n [polvoblanco]\n\n- Get first X-Forwarded-For IP\n [tutumcloud]\n\n- White listing IP addresses behind reverse proxy. Allowing some IP addresses to have direct access to the app even if they are behind a reverse proxy. Those IP addresses must still be on a white list.\n [ericbulloch]\n\n- Reduce logging of reverse proxy IP lookup and use configured logger. Fixes #76. Instead of logging the notice that django.axes looks for a HTTP header set by a reverse proxy on each attempt, just log it one-time on first module import. Also use the configured logger (by default axes.watch_login) for the message to be more consistent in logging.\n [eht16]\n\n- Limit the length of the values logged into the database. Refs #73\n [camilonova]\n\n- Refactored tests to be more stable and faster\n [camilonova]\n\n- Clean client references\n [camilonova]\n\n- Fixed admin login url\n [camilonova]\n\n- Added django 1.7 for testing\n [camilonova]\n\n- Travis file cleanup\n [camilonova]\n\n- Remove hardcoded url path\n [camilonova]\n\n- Fixing tests for django 1.7\n [Andrew-Crosio]\n\n- Fix for django 1.7 exception not existing\n [Andrew-Crosio]\n\n- Removed python 2.6 from testing\n [camilonova]\n\n- Use django built-in six version\n [camilonova]\n\n- Added six as requirement\n [camilonova]\n\n- Added python 2.6 for travis testing\n [camilonova]\n\n- Replaced u string literal prefixes with six.u() calls\n [amrhassan]\n\n- Fixes object type issue, response is not an string\n [camilonova]\n\n- Python 3 compatibility fix for db_reset\n [nicois]\n\n- Added example project and helper scripts\n [barseghyanartur]\n\n- Admin command to list login attemps\n [marianov]\n\n- Replaced six imports with django.utils.six ones\n [amrhassan]\n\n- Replaced u string literal prefixes with six.u() calls to make it compatible with Python 3.2\n [amrhassan]\n\n- Replaced `assertIn`s and `assertNotIn`s with `assertContains` and `assertNotContains`\n [fcurella]\n\n- Added py3k to travis\n [fcurella]\n\n- Update test cases to be python3 compatible\n [nicois]\n\n- Python 3 compatibility fix for db_reset\n [nicois]\n\n- Removed trash from example urls\n [barseghyanartur]\n\n- Added django installer\n [barseghyanartur]\n\n- Added example project and helper scripts\n [barseghyanartur]\n\n\n1.3.6 (2013-11-23)\n------------------\n\n- Added AttributeError in case get_profile doesn't exist\n [camilonova]\n\n- Improved axes_reset command\n [camilonova]\n\n\n1.3.5 (2013-11-01)\n------------------\n\n- Fix an issue with __version__ loading the wrong version\n [graingert]\n\n\n1.3.4 (2013-11-01)\n------------------\n\n- Update README.rst for PyPI\n [marty, camilonova, graingert]\n\n- Add cooloff period\n [visualspace]\n\n\n1.3.3 (2013-07-05)\n------------------\n\n- Added 'username' field to the Admin table\n [bkvirendra]\n\n- Removed fallback logging creation since logging cames by default on django 1.4 or later,\n if you don't have it is because you explicitly wanted. Fixes #45\n [camilonova]\n\n\n1.3.2 (2013-03-28)\n------------------\n\n- Fix an issue when a user logout\n [camilonova]\n\n- Match pypi version\n [camilonova]\n\n- Better User model import method\n [camilonova]\n\n- Use only one place to get the version number\n [camilonova]\n\n- Fixed an issue when a user on django 1.4 logout\n [camilonova]\n\n- Handle exception if there is not user profile model set\n [camilonova]\n\n- Made some cleanup and remove a pokemon exception handling\n [camilonova]\n\n- Improved tests so it really looks for the rabbit in the hole\n [camilonova]\n\n- Match pypi version\n [camilonova]\n\n\n1.3.1 (2013-03-19)\n------------------\n\n- Add support for Django 1.5\n [camilonova]\n\n\n1.3.0 (2013-02-27)\n------------------\n\n- Bug fix: get_version() format string\n [csghormley]\n\n\n1.2.9 (2013-02-20)\n------------------\n\n- Add to and improve test cases\n [camilonova]\n\n\n1.2.8 (2013-01-23)\n------------------\n\n- Increased http accept header length\n [jslatts]\n\n\n1.2.7 (2013-01-17)\n------------------\n\n- Reverse proxy support\n [rmagee]\n\n- Clean up README\n [martey]\n\n\n1.2.6 (2012-12-04)\n------------------\n\n- Remove unused import\n [aclark4life]\n\n\n1.2.5 (2012-11-28)\n------------------\n\n- Fix setup.py\n [aclark4life]\n\n- Added ability to flag user accounts as unlockable.\n [kencochrane]\n\n- Added ipaddress as a param to the user_locked_out signal.\n [kencochrane]\n\n- Added a signal receiver for user_logged_out.\n [kencochrane]\n\n- Added a signal for when a user gets locked out.\n [kencochrane]\n\n- Added AccessLog model to log all access attempts.\n [kencochrane]\n\n\n",
"bugtrack_url": null,
"license": "MIT",
"summary": "Keep track of failed login attempts in Django-powered sites.",
"version": "5.27.1",
"project_urls": {
"Documentation": "https://django-axes.readthedocs.io/",
"Homepage": "https://github.com/youssef3laa/django-axes/tree/fork-5.27.0",
"Source": "https://github.com/jazzband/django-axes",
"Tracker": "https://github.com/jazzband/django-axes/issues"
},
"split_keywords": [
"authentication",
"django",
"pci",
"security"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "1eb65ccd2539151038d9f76c077c22b9bd8012c57ea31cb366f154d42d5cd599",
"md5": "076016914b05b9971478e8ee441dfc51",
"sha256": "ba3c5687d7d552ebede2373412ac9ca83b34706e9be7492f9b813b98ec979079"
},
"downloads": -1,
"filename": "django_axes_forked-5.27.1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "076016914b05b9971478e8ee441dfc51",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": "~=3.6",
"size": 54554,
"upload_time": "2024-06-03T12:11:07",
"upload_time_iso_8601": "2024-06-03T12:11:07.086784Z",
"url": "https://files.pythonhosted.org/packages/1e/b6/5ccd2539151038d9f76c077c22b9bd8012c57ea31cb366f154d42d5cd599/django_axes_forked-5.27.1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "8240d42c75dd17423122c7520c1a30bf036c5e30a8371a5d45e654e65100cfdb",
"md5": "693b3ae89a4558b755f3bb721785b057",
"sha256": "c5f2b580603fddbef2cf272fb6e603a878d78a24d78619598cdc5ac1a1903c95"
},
"downloads": -1,
"filename": "django-axes-forked-5.27.1.tar.gz",
"has_sig": false,
"md5_digest": "693b3ae89a4558b755f3bb721785b057",
"packagetype": "sdist",
"python_version": "source",
"requires_python": "~=3.6",
"size": 227075,
"upload_time": "2024-06-03T12:11:09",
"upload_time_iso_8601": "2024-06-03T12:11:09.794184Z",
"url": "https://files.pythonhosted.org/packages/82/40/d42c75dd17423122c7520c1a30bf036c5e30a8371a5d45e654e65100cfdb/django-axes-forked-5.27.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-06-03 12:11:09",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "youssef3laa",
"github_project": "django-axes",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"requirements": [],
"lcname": "django-axes-forked"
}