Merge pull request #1103 from opengisch/QF-4848-bump-axes-to-v6

Bump `django-axes` to v7.0.1 and `django-allauth` to 65.3.1
opengisch · Jan 14, 2025 · 41543e6 · 41543e6
2 parents e91f06b + 1df65b5
commit 41543e6
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 31 deletions.
diff --git a/docker-app/qfieldcloud/settings.py b/docker-app/qfieldcloud/settings.py
@@ -136,6 +136,7 @@
     "qfieldcloud.core.middleware.timezone.TimezoneMiddleware",
     "qfieldcloud.core.middleware.test.TestMiddleware",
     "axes.middleware.AxesMiddleware",
+    "allauth.account.middleware.AccountMiddleware",
 ]
 
 CRON_CLASSES = [
@@ -359,6 +360,10 @@ def before_send(event, hint):
 ACCOUNT_EMAIL_CONFIRMATION_EXPIRE_DAYS = 3
 ACCOUNT_EMAIL_SUBJECT_PREFIX = ""
 
+# Django allauth's RateLimiter configuration
+# https://docs.allauth.org/en/latest/account/rate_limits.html
+ACCOUNT_RATE_LIMITS = False
+
 # Choose one of "mandatory", "optional", or "none".
 # For local development and test use "optional" or "none"
 ACCOUNT_EMAIL_VERIFICATION = os.environ.get("ACCOUNT_EMAIL_VERIFICATION")
@@ -372,10 +377,10 @@ def before_send(event, hint):
 ###########################
 # The integer number of login attempts allowed before a record is created for the failed logins. Default: 3
 AXES_FAILURE_LIMIT = 5
-# If True, only lock based on username, and never lock based on IP if attempts exceed the limit. Otherwise utilize the existing IP and user locking logic. Default: False
-AXES_ONLY_USER_FAILURES = True
+# Configures the limiter to handle username only (see https://django-axes.readthedocs.io/en/latest/2_installation.html#version-7-breaking-changes-and-upgrading-from-django-axes-version-6)
+AXES_LOCKOUT_PARAMETERS = ["username"]
 # If set, defines a period of inactivity after which old failed login attempts will be cleared. If an integer, will be interpreted as a number of hours. Default: None
-AXES_COOLOFF_TIME = timedelta(minutes=30)
+AXES_COOLOFF_TIME = lambda _request: timedelta(minutes=30)  # noqa: E731
 # If True, a successful login will reset the number of failed logins. Default: False
 AXES_RESET_ON_SUCCESS = True
 

diff --git a/docker-app/requirements/requirements.in b/docker-app/requirements/requirements.in
@@ -1,9 +1,10 @@
 boto3-stubs==1.35.90
 boto3==1.35.90
 deprecated==1.2.15
-django-allauth==0.44.0
+django==4.2.16
+django-allauth==65.3.1
 django-auditlog==3.0.0
-django-axes==5.40.1
+django-axes==7.0.1
 django-bootstrap4==24.4
 django-classy-tags==4.1.0
 django-common-helpers==0.9.2

diff --git a/docker-app/requirements/requirements.txt b/docker-app/requirements/requirements.txt
@@ -7,6 +7,8 @@
 asgiref==3.8.1
     # via
     #   django
+    #   django-allauth
+    #   django-axes
     #   django-countries
 attrs==24.2.0
     # via
@@ -33,11 +35,7 @@ cffi==1.17.0
 charset-normalizer==3.3.2
     # via requests
 cryptography==44.0.0
-    # via
-    #   django-cryptography
-    #   pyjwt
-defusedxml==0.7.1
-    # via python3-openid
+    # via django-cryptography
 deprecated==1.2.15
     # via -r /requirements/requirements.in
 django==4.2.17
@@ -71,13 +69,13 @@ django==4.2.17
     #   djangorestframework
     #   drf-spectacular
     #   jsonfield
-django-allauth==0.44.0
+django-allauth==65.3.1
     # via -r /requirements/requirements.in
 django-appconf==1.0.6
     # via django-cryptography
 django-auditlog==3.0.0
     # via -r /requirements/requirements.in
-django-axes==5.40.1
+django-axes==7.0.1
     # via -r /requirements/requirements.in
 django-bootstrap4==24.4
     # via -r /requirements/requirements.in
@@ -103,8 +101,6 @@ django-filter==24.3
     # via -r /requirements/requirements.in
 django-invitations==2.1.0
     # via -r /requirements/requirements.in
-django-ipware==7.0.1
-    # via django-axes
 django-jazzmin==3.0.1
     # via -r /requirements/requirements.in
 django-log-request-id==2.1.0
@@ -155,26 +151,18 @@ jsonschema-specifications==2023.12.1
     # via jsonschema
 mypy-boto3-s3==1.35.81
     # via -r /requirements/requirements.in
-oauthlib==3.2.2
-    # via requests-oauthlib
 phonenumbers==8.13.52
     # via -r /requirements/requirements.in
 psycopg2==2.9.10
     # via -r /requirements/requirements.in
 pycparser==2.22
     # via cffi
-pyjwt[crypto]==2.9.0
-    # via django-allauth
 pymemcache==4.0.0
     # via -r /requirements/requirements.in
 python-dateutil==2.9.0.post0
     # via
     #   botocore
     #   django-auditlog
-python-ipware==3.0.0
-    # via django-ipware
-python3-openid==3.2.0
-    # via django-allauth
 pytz==2024.1
     # via django-notifications-hq
 pyyaml==6.0.2
@@ -184,12 +172,7 @@ referencing==0.35.1
     #   jsonschema
     #   jsonschema-specifications
 requests==2.32.3
-    # via
-    #   django-allauth
-    #   requests-oauthlib
-    #   stripe
-requests-oauthlib==2.0.0
-    # via django-allauth
+    # via stripe
 rpds-py==0.20.0
     # via
     #   jsonschema
@@ -229,6 +212,3 @@ urllib3==1.26.20
     #   sentry-sdk
 wrapt==1.16.0
     # via deprecated
-
-# The following packages are considered to be unsafe in a requirements file:
-# setuptools