TandoorRecipes / recipes

Application for managing recipes, planning meals, building shopping lists and much much more!

Home Page: https://docs.tandoor.dev

Use a non 200 code for failed login attempts

AnderssonPeter opened this issue

Is your feature request related to a problem? Please describe.

Security

Describe the solution you'd like

Hi, I'm trying to lock down my network by using a fail2ban plugin for my reverse proxy (Traefik), but for it to be able to detect incorrect sign-in attempts it would need a non-200 HTTP code.

Is there some way to configure it to return something different than 200 when the username or password is incorrect?

Describe alternatives you've considered

No response

Additional context

No response

If I read the codebase correctly, it's based on Django? I found the following post providing a possible solution: https://code.djangoproject.com/ticket/24465 but I'm a bit unsure where to add it.

Unlikely to change the default Django behavior.

@smilerz It could be hidden behind a cli or environment flag if that helps?

Auth is provided by https://docs.allauth.org/en/latest/ in Tandoor. Feel free to take a look if they have a setting for status codes and I can implement them, although I am pretty sure that somebody had a reason to choose the status code they did, so please also evaluate what's best practice in this field.

Also, allauth already has built-in rate limiting functionality, so putting fail2ban in front of it is not really necessary.
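
One way to get the non-200 status asked for in this issue without changing Django or allauth, shown as an added example (not code from Tandoor, allauth or any commenter): a WSGI middleware that rewrites the status of a failed login POST. The login path, the 403 status and the rule "success redirects, failure re-renders the form with 200" are assumptions to verify against the actual deployment; `demo_app` is a constructed stand-in for the real application.

```python
import io

LOGIN_PATH = "/accounts/login/"   # assumed login URL; adjust to the deployment
FAILED_STATUS = "403 Forbidden"   # any non-2xx status the proxy ban rule matches


class FailedLoginStatusMiddleware:
    """Rewrite '200 OK' on a login POST so the reverse proxy can see the failure."""

    def __init__(self, app, login_path=LOGIN_PATH, failed_status=FAILED_STATUS):
        self.app = app
        self.login_path = login_path.rstrip("/")
        self.failed_status = failed_status

    def __call__(self, environ, start_response):
        is_login_post = (
            environ.get("REQUEST_METHOD") == "POST"
            and environ.get("PATH_INFO", "").rstrip("/") == self.login_path
        )
        if not is_login_post:
            return self.app(environ, start_response)  # leave everything else untouched

        def patched_start_response(status, headers, exc_info=None):
            # Assumption: a 200 on a login POST means the form came back with errors;
            # a successful login answers with a redirect and passes through unchanged.
            if status.split(" ", 1)[0] == "200":
                status = self.failed_status
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start_response)


def demo_app(environ, start_response):
    """Constructed stand-in for the app: 302 on good credentials, 200 otherwise."""
    body = environ["wsgi.input"].read()
    if environ["REQUEST_METHOD"] == "POST" and b"password=correct" in body:
        start_response("302 Found", [("Location", "/")])
        return [b""]
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form>login</form>"]


def status_for(method, path, body=b""):
    """Run one constructed request through the middleware and return the status line."""
    seen = []
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path, "wsgi.input": io.BytesIO(body)}
    app = FailedLoginStatusMiddleware(demo_app)
    b"".join(app(environ, lambda status, headers, exc_info=None: seen.append(status)))
    return seen[0]
```

In a Django project this would wrap the object returned by `get_wsgi_application()` in `wsgi.py`; the response body is unchanged, so the user still sees the login form with its error message.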