Make the `django_ipware` an optional dependency

Question

Make the `django_ipware` an optional dependency

hirotasoshu opened this issue a year ago · comments

Discussed in #1021

Aleksi Häkli · Answer 1 · Wed Apr 26 2023 01:23:22 GMT+0800 (China Standard Time)

Thanks for opening 👍 I made a prerelease for 6.0.0 marked as 6.0.0b1 to PyPI that we can test this in when implemented; we can bake another 6.0.0b2 from this.

Maksim Zayakin · Answer 2 · Wed Apr 26 2023 01:55:34 GMT+0800 (China Standard Time)

@aleksihakli Can we just return request.META.get('REMOTE_ADDR') by default and require users to implement custom get_client_ip method or use django-ipware if more complex logic is required?

The order of preference for address resolution will be:

If configured, use AXES_CLIENT_IP_CALLABLE
If installed, use django-ipware package
Return request.META.get('REMOTE_ADDR')

In that case, all django-ipware related settings should have prefix AXES_IPWARE or smth like that

Aleksi Häkli · Answer 3 · Wed Apr 26 2023 23:34:54 GMT+0800 (China Standard Time)

This is just my personal hunch / opinion but using plain REMOTE_ADDR on a site that has a potential to be in production has a bunch of issues:

Usually contains the reverse proxy IP set by the WSGI server implementation
Usually people forget to configure the proxy IP settings
Is implicit; not explicit

I'd prefer to just raising an error on a missing value and requiring people to install (and hopefully configure) django-ipware as an extra dependency for sane defaults.

Rewriting the django-ipware related configuration flags as AXES_IPWARE_ instead of just AXES_ would indeed be a bit more explicit. I'm wondering how this would be best implemented in terms of backwards compatibility and old flag deprecation? Just document deprecation, document and raise errors on misconfiguration, or implement logic for supporting the old values, too?

Aleksi Häkli · Answer 4 · Wed Apr 26 2023 23:46:24 GMT+0800 (China Standard Time)

I sketched out one option for the optional deps pattern so that we have some basis for further discussion, would appreciate if you can check and highlight any issues or faults you detect in it. All improvement ideas are welcome :)

Aleksi Häkli · Answer 5 · Fri Apr 28 2023 04:10:19 GMT+0800 (China Standard Time)

Well after some pondering the default idea in ipware, too, seems to be to just use request.META["REMOTE_ADDR"] if nothing better is configured and available, and for ease-of-use I'd assume that defaulting to that if we make django-ipware optional would be a good option? I changed the PR draft to use that approach, do check if it seems OK.

Aleksi Häkli · Answer 6 · Fri Apr 28 2023 19:25:16 GMT+0800 (China Standard Time)

This has been implemented and published in the prerelease version 6.0.0b2 to enable feature testing.