Upgrade django-axes to latest version

Signed-off-by: tdruez <[email protected]>

Author: tdruez

dejacode/settings.py

@@ -658,9 +658,8 @@ def get_fake_redis_connection(config, use_strict_redis):
 AXES_FAILURE_LIMIT = env.int("AXES_FAILURE_LIMIT", default=5)
 # If set, specifies a template to render when a user is locked out.
 AXES_LOCKOUT_TEMPLATE = env.str("AXES_LOCKOUT_TEMPLATE", default="axes_lockout.html")
-# If True, only lock based on username, and never lock based on IP
-# if attempts to exceed the limit.
-AXES_ONLY_USER_FAILURES = True
+# Lock based on username
+AXES_LOCKOUT_PARAMETERS = ["username"]
 # If True, a successful login will reset the number of failed logins.
 AXES_RESET_ON_SUCCESS = True
 # If True, disable writing login and logout access logs to database,

dje/tests/test_access.py

@@ -419,7 +419,7 @@ def test_user_locked_out_on_unsuccessful_login_attempts(self):
         self.assertEqual(1, attempt.failures_since_start)
 
         response = self.client.post(login_url, data=credentials)
-        self.assertContains(response, "Account locked", status_code=403)
+        self.assertContains(response, "Account locked", status_code=429)
         attempt = AccessAttempt.objects.get(username=credentials["username"])
         self.assertEqual(2, attempt.failures_since_start)
 
@@ -434,7 +434,7 @@ def test_user_locked_out_on_unsuccessful_login_attempts(self):
         self.assertEqual(1, attempt.failures_since_start)
 
         response = self.client.post(login_url, data=credentials)
-        self.assertContains(response, "Account locked", status_code=403)
+        self.assertContains(response, "Account locked", status_code=429)
         attempt = AccessAttempt.objects.get(username=credentials["username"])
         self.assertEqual(2, attempt.failures_since_start)
 
@@ -457,7 +457,7 @@ def test_notification_on_unsuccessful_login_attempts(self, method_mock):
         }
         self.client.post(login_url, data=credentials)
         response = self.client.post(login_url, data=credentials)
-        self.assertEqual(403, response.status_code)
+        self.assertEqual(429, response.status_code)
 
         subject = "[DejaCode] Login attempt on locked account requires review!"
         self.assertEqual(1, len(mail.outbox))
@@ -487,7 +487,7 @@ def test_notification_on_unsuccessful_login_attempts(self, method_mock):
         response = self.client.post(login_url, data=credentials)
         self.assertEqual(200, response.status_code)
         response = self.client.post(login_url, data=credentials)
-        self.assertEqual(403, response.status_code)
+        self.assertEqual(429, response.status_code)
         self.assertIn(
             '"real_user" is an existing DejaCode user in Dataspace "nexB"', mail.outbox[2].body
         )

setup.cfg

@@ -77,10 +77,8 @@ install_requires =
     itypes==1.2.0
     Jinja2==3.1.6
     uritemplate==4.1.1
-    # Access log
-    django-axes==5.35.0
-    django-appconf==1.1.0
-    django-ipware==7.0.1
+    # Track failed login attempts
+    django-axes==8.0.0
     # Multi-factor authentication
     django-otp==1.6.0
     qrcode==8.2