Adiciona rate limiter em login

5 years ago · 8d52bdadb2
3 changed files with 14 additions and 5 deletions
--- a/requirements/requirements.txt
+++ b/requirements/requirements.txt
@ -34,3 +34,4 @@ whitenoise==5.1.0

 git+https://github.com/interlegis/trml2pdf
 git+https://github.com/interlegis/django-admin-bootstrapped
+django-ratelimit==3.0.1
--- a/sapl/base/urls.py
+++ b/sapl/base/urls.py
@ -17,7 +17,7 @@ from sapl.settings import EMAIL_SEND_USER, MEDIA_URL, LOGOUT_REDIRECT_URL

 from .apps import AppConfig
 from .forms import LoginForm, NovaSenhaForm, RecuperarSenhaForm
-from .views import (AlterarSenha, AppConfigCrud, CasaLegislativaCrud, CreateUsuarioView, DeleteUsuarioView,
+from .views import (LoginSapl, AlterarSenha, AppConfigCrud, CasaLegislativaCrud, CreateUsuarioView, DeleteUsuarioView,
                    EditUsuarioView, HelpTopicView, PesquisarUsuarioView, LogotipoView, RelatorioAtasView,
                    RelatorioAudienciaView, RelatorioDataFimPrazoTramitacaoView, RelatorioHistoricoTramitacaoView,
                    RelatorioMateriasPorAnoAutorTipoView, RelatorioMateriasPorAutorView,
@ -185,8 +185,7 @@ urlpatterns = [
        (TemplateView.as_view(template_name='sistema.html')),
        name='sistema'),

-    url(r'^login/$', views.LoginView.as_view(template_name='base/login.html', authentication_form=LoginForm),
-        name='login'),
+    url(r'^login/$', LoginSapl.as_view(), name='login'),
    url(r'^logout/$', views.LogoutView.as_view(),
        {'next_page': LOGOUT_REDIRECT_URL}, name='logout'),

--- a/sapl/base/views.py
+++ b/sapl/base/views.py
@ -6,7 +6,7 @@ import logging
 import os

 from django.contrib import messages
-from django.contrib.auth import get_user_model
+from django.contrib.auth import get_user_model, views
 from django.contrib.auth.mixins import PermissionRequiredMixin
 from django.contrib.auth.models import Group, User
 from django.contrib.auth.tokens import default_token_generator
@ -22,6 +22,7 @@ from django.template import TemplateDoesNotExist
 from django.template.loader import get_template
 from django.urls import reverse, reverse_lazy
 from django.utils import timezone
+from django.utils.decorators import method_decorator
 from django.utils.encoding import force_bytes
 from django.utils.http import urlsafe_base64_decode, urlsafe_base64_encode
 from django.utils.translation import ugettext_lazy as _
@ -31,12 +32,13 @@ from django.views.generic.base import RedirectView, TemplateView
 from django_filters.views import FilterView
 from haystack.query import SearchQuerySet
 from haystack.views import SearchView
+from ratelimit.decorators import ratelimit
 from rest_framework.authtoken.models import Token

 from sapl import settings
 from sapl.audiencia.models import AudienciaPublica, TipoAudienciaPublica
 from sapl.base.forms import (AutorForm, AutorFormForAdmin, TipoAutorForm, AutorFilterSet, RecuperarSenhaForm,
-                             NovaSenhaForm)
+                             NovaSenhaForm, LoginForm)
 from sapl.base.models import Autor, TipoAutor
 from sapl.comissoes.models import Comissao, Reuniao
 from sapl.crud.base import CrudAux, make_pagination
@ -84,6 +86,13 @@ class IndexView(TemplateView):
        return TemplateView.get(self, request, *args, **kwargs)


+@method_decorator(ratelimit(key='ip', rate='20/m',
+                            method=ratelimit.UNSAFE, block=True), name='dispatch')
+class LoginSapl(views.LoginView):
+    template_name = 'base/login.html'
+    authentication_form = LoginForm
+
+
 class ConfirmarEmailView(TemplateView):
    template_name = "email/confirma.html"