如何在django自定义身份验证后端访问请求?

时间:2021-12-20 23:18:14

I want to do the following with django's authentication:

我想用django的身份验证执行以下操作:

  • Log incorrect log-in attempts
  • 记录不正确的登录尝试
  • Temporarily lock accounts after 'x' number of incorrect log-in attempts
  • 在'x'次错误登录尝试后临时锁定帐户
  • Log successful log-ins.
  • 记录成功登录。

I thought a custom auth backend would be the solution.

我认为自定义auth后端将是解决方案。

I can do most of what i want, but I want to log the IP and REMOTE_HOST of the user making the attempt.

我可以完成我想要的大部分工作,但我想记录进行尝试的用户的IP和REMOTE_HOST。

how can I access the request object in the auth backend?

如何在auth后端访问请求对象?

Thanks

谢谢

1 个解决方案

#1


10  

The authentication backend can take any number of custom parameters for the authenticate() method. For example:

身份验证后端可以为authenticate()方法获取任意数量的自定义参数。例如:

class MyBackend:
    def authenticate(self, username=None, password=None, request=None):
         # check username, password
         if request is not None:
             # log values from request object

If you are calling authenticate in your own view, you can pass the request object:

如果您在自己的视图中调用authenticate,则可以传递请求对象:

from django.contrib.auth import authenticate

def login(request):
    # discover username and password
    authenticate(username=username, password=password, request=request)
    # continue as normal

If you're using django's login view (or the admin login), you wont have the extra information. Put simply, you'll have to use your own custom login view.

如果您使用的是django的登录视图(或管理员登录),则您将无法获得额外信息。简而言之,您必须使用自己的自定义登录视图。

Also, be careful when automatically locking accounts: you allow someone to deliberately lock one of your user's accounts (denial of service). There are ways around this. Also, make sure your log of incorrect attempts doesn't contain any attempted passwords.

此外,在自动锁定帐户时要小心:您允许某人故意锁定您的某个用户帐户(拒绝服务)。有办法解决这个问题。此外,请确保您的错误尝试日志不包含任何尝试的密码。

#1


10  

The authentication backend can take any number of custom parameters for the authenticate() method. For example:

身份验证后端可以为authenticate()方法获取任意数量的自定义参数。例如:

class MyBackend:
    def authenticate(self, username=None, password=None, request=None):
         # check username, password
         if request is not None:
             # log values from request object

If you are calling authenticate in your own view, you can pass the request object:

如果您在自己的视图中调用authenticate,则可以传递请求对象:

from django.contrib.auth import authenticate

def login(request):
    # discover username and password
    authenticate(username=username, password=password, request=request)
    # continue as normal

If you're using django's login view (or the admin login), you wont have the extra information. Put simply, you'll have to use your own custom login view.

如果您使用的是django的登录视图(或管理员登录),则您将无法获得额外信息。简而言之,您必须使用自己的自定义登录视图。

Also, be careful when automatically locking accounts: you allow someone to deliberately lock one of your user's accounts (denial of service). There are ways around this. Also, make sure your log of incorrect attempts doesn't contain any attempted passwords.

此外,在自动锁定帐户时要小心:您允许某人故意锁定您的某个用户帐户(拒绝服务)。有办法解决这个问题。此外,请确保您的错误尝试日志不包含任何尝试的密码。