Summary

Implemented Djblet's rate-limiting feature in ReviewBoard's authentication form.

Review Request #8768 — Created Feb. 20, 2017 and submitted May 25, 2017, 12:40 p.m.

Information

Owner

rkdhatt

Repository

Review Board

Branch

master

Bugs

Depends On

~~8698~~

Commit

c44726c...

Reviewers

Groups

reviewboard, students

People

Description

There has been a request to implement a rate-limiting feature in
ReviewBoard's authentication form by tracking the number of failed login
attempts per IP/username in the cache, along with the last login time,
and prevent further logins until some amount of time has passed.

Testing Done

This has been tested manually by attempting to log into reviewboard with
an existing username but incorrect password until the maximum number of
attempts has been reached. In addition, the number of login attempts and
time left before rate limit is over was also tracked during this process
using print statements in djblet's ratelimit.py file (more specifically,
the dictionary returned from the get_usage_count() method in ratelimit.py).

Issues

Description	From	Last Updated
RR dependencies should live in the depends on field, not the description.	brennie	April 6, 2017, 2:43 p.m.
Col: 80 E501 line too long (85 > 79 characters)	reviewbot	Feb. 23, 2017, 3:58 p.m.
Col: 80 E501 line too long (89 > 79 characters)	reviewbot	Feb. 23, 2017, 3:58 p.m.
Col: 9 E303 too many blank lines (2)	reviewbot	Feb. 23, 2017, 3:58 p.m.
Missing a docstring for the function here?	szhang	March 1, 2017, 10:46 a.m.
Multi-line strings should use parenthesis, according to: https://www.notion.so/reviewboard/Python-Coding-Style-Guide-f9a0e51ee0cf40379fcbbae40bbbec04#ec5a472e3610412ea99d0835a1faf2c0	szhang	March 1, 2017, 10:44 a.m.
Correct me if I'm wrong: I don't think we need a blank line here.	szhang	March 1, 2017, 10:51 a.m.
Can these two if statements be merged into one? A question I would have with this is if, for the …	szhang	March 1, 2017, 10:51 a.m.
I don't think the call is long enough to warrant this? I think if request started on the same line …	szhang	March 1, 2017, 10:51 a.m.
A parenthesis instead of a backslash?	szhang	March 1, 2017, 10:51 a.m.
'settings' imported but unused	reviewbot	March 1, 2017, 4:41 p.m.
'DEFAULT_KEY' imported but unused	reviewbot	March 1, 2017, 4:41 p.m.
Col: 17 E128 continuation line under-indented for visual indent	reviewbot	March 1, 2017, 4:41 p.m.
Col: 17 E128 continuation line under-indented for visual indent	reviewbot	March 1, 2017, 4:41 p.m.
'settings' imported but unused	reviewbot	March 1, 2017, 4:42 p.m.
'DEFAULT_KEY' imported but unused	reviewbot	March 1, 2017, 4:42 p.m.
Col: 17 E128 continuation line under-indented for visual indent	reviewbot	March 1, 2017, 4:42 p.m.
Col: 17 E128 continuation line under-indented for visual indent	reviewbot	March 1, 2017, 4:42 p.m.
Col: 25 E128 continuation line under-indented for visual indent	reviewbot	March 1, 2017, 4:45 p.m.
Col: 25 E128 continuation line under-indented for visual indent	reviewbot	March 1, 2017, 4:45 p.m.
This should be marked for translation with ugettext.	brennie	March 12, 2017, 1:13 p.m.
Same comment wrt your djblets change.	brennie	March 13, 2017, 11:17 a.m.
No blank line here, since from the point of view of the Review Board codebase, djblets is a third-party module.	chipx86	March 14, 2017, 5:08 p.m.
"informs the user" "have been exceeded."	chipx86	March 14, 2017, 5:09 p.m.
This doesn't validate the clean field, but rather validates the form. These docs also need a "Returns" section, like: """ …	chipx86	March 14, 2017, 5:10 p.m.
"Djblets's"	chipx86	March 14, 2017, 5:11 p.m.
"if the number" "were already exceeded"	chipx86	March 14, 2017, 5:11 p.m.
Alignment is off. In this case, it's best to wrap like: raise forms.ValidationError( _('...'))	chipx86	March 14, 2017, 5:12 p.m.
Blank line between these.	chipx86	March 14, 2017, 5:12 p.m.
Throwing away all validation errors will mean that things like username or password validation will go away, and we'll allow …	chipx86	March 18, 2017, 5:03 p.m.
"for a given user"	chipx86	March 14, 2017, 5:13 p.m.
We're calling this a second time, which we don't want to do. The parent clean() should only be called once. …	chipx86	March 18, 2017, 5:03 p.m.
Col: 80 E501 line too long (80 > 79 characters)	reviewbot	March 17, 2017, 11:24 a.m.
local variable 'result' is assigned to but never used	reviewbot	March 18, 2017, 5:05 p.m.
Col: 80 E501 line too long (81 > 79 characters)	reviewbot	March 18, 2017, 5:06 p.m.
local variable 'e' is assigned to but never used	reviewbot	March 22, 2017, 11:29 a.m.
Technically, this should be self.cleaned_data = super(...).clean()	brennie	March 30, 2017, 6:26 p.m.
is None	brennie	March 30, 2017, 7:01 p.m.

Tool: Pyflakes
Processed Files:
    reviewboard/accounts/forms/auth.py



Tool: PEP8 Style Checker
Processed Files:
    reviewboard/accounts/forms/auth.py

Commit:

a993762e1c5e1c9c1e947c3e30c3be69e9bed56d

a8b9d1e3724bdc396807aaac2a387f6d7baa666c

Diff:

~		Implementing rate-limiting feature in ReviewBoard's authentication form. In progress (Need to fix bug where authentication is not working -- AnonymousUser has noattribute 'backend' whenever trying to log in; cannot get information from self.cache_user whether authenticated or not.)
	~	There has been a request to implement a rate-limiting feature in ReviewBoard's authentication form by tracking the number of failed login attempts per IP/username in the cache, along with the last login time, and prevent further logins until some amount of time has passed. This also relates to review request 8698, where the ratelimiting has been implemented in djblets.

~		None at the moment.
	~	This has been tested manually by attempting to log into reviewboard with an existing username but incorrect password until the maximum number of attempts has been reached. In addition, the number of login attempts and time left before rate limit is over was also tracked during this process using print statements in djblet's ratelimit.py file (more specifically, the dictionary returned from the get_usage_count() method in ratelimit.py).

~		There has been a request to implement a rate-limiting feature in ReviewBoard's authentication form by tracking the number of failed login attempts per IP/username in the cache, along with the last login time, and prevent further logins until some amount of time has passed. This is dependent on review request 8698, where the ratelimiting has been implemented in djblets.
	~	There has been a request to implement a rate-limiting feature in
	+	ReviewBoard's authentication form by tracking the number of failed login
	+	attempts per IP/username in the cache, along with the last login time,
	+	and prevent further logins until some amount of time has passed.
	+	This is dependent on review request 8698, where the ratelimiting has
	+	been implemented in djblets.

~		This has been tested manually by attempting to log into reviewboard with an existing username but incorrect password until the maximum number of attempts has been reached. In addition, the number of login attempts and time left before rate limit is over was also tracked during this process using print statements in djblet's ratelimit.py file (more specifically, the dictionary returned from the get_usage_count() method in ratelimit.py).
	~	This has been tested manually by attempting to log into reviewboard with
	+	an existing username but incorrect password until the maximum number of
	+	attempts has been reached. In addition, the number of login attempts and
	+	time left before rate limit is over was also tracked during this process
	+	using print statements in djblet's ratelimit.py file (more specifically,
	+	the dictionary returned from the get_usage_count() method in ratelimit.py).

	reviewboard/webapi/base.py
	reviewboard/webapi/tests/test_base.py

Implemented Djblet's rate-limiting feature in ReviewBoard's authentication form.

Information

Reviewers

Checks run (3 succeeded)

Checks run (3 succeeded)

Checks run (2 succeeded, 1 failed with error)