如何在太多身份验证失败后锁定IP地址?

时间:2013-04-25 13:37:25

标签: django-rest-framework

在太多身份验证失败后,是否存在锁定IP地址的方法?我没有看到内置限制将如何实现这一点,因为限制只会在身份验证和权限成功后启动。

2 个答案:

答案 0 :(得分:8)

谢谢汤姆。我使用以下代码进行了子认证:

def authenticate(self, request):

    #
    # first check to see that IP address is not locked out
    # due to too many failed authentication requests.
    #
    auth_failure_key = 'LOGIN_FAILURES_AT_%s' % request.META.get('REMOTE_ADDR')

    auth_failures = cache.get(auth_failure_key) or 0

    # allow up to 3 failures per hour
    if auth_failures >= 3:
        raise exceptions.AuthenticationFailed('Locked out: too many authentication failures')

    try:
        return super(TokenAuthentication, self).authenticate(request)
    except exceptions.AuthenticationFailed as e:

        # update cache
        cache.set(auth_failure_key, auth_failures + 1, 3600)

        raise e

答案 1 :(得分:5)

没有开箱即用,没有。您需要子类化其中一个身份验证类,并在自定义身份验证类中自己实现该行为。