django-oauth-toolkit compatibility

[nickdjones]

I feel like I'm being stupid here as these are both Jazzband projects but I can't get my head around how to get django-axes working with django-oauth-toolkit.

If I try and authenticate without changing anything, it will complain that

File "/home/user/.virtualenvs/project/lib/python3.6/site-packages/oauth2_provider/oauth2_validators.py", line 520, in validate_user
    u = authenticate(username=username, password=password)
  File "/home/user/.virtualenvs/project/lib/python3.6/site-packages/django/contrib/auth/__init__.py", line 70, in authenticate
    user = _authenticate_with_backend(backend, backend_path, request, credentials)
  File "/home/user/.virtualenvs/project/lib/python3.6/site-packages/django/contrib/auth/__init__.py", line 116, in _authenticate_with_backend
    return backend.authenticate(*args, **credentials)
  File "/home/user/.virtualenvs/project/lib/python3.6/site-packages/axes/backends.py", line 37, in authenticate
    raise AxesModelBackend.RequestParameterRequired()
axes.backends.AxesModelBackend.RequestParameterRequired: AxesModelBackend requires calls to authenticate to pass `request` as an argument.

The cause of this can be seen quite clearly in the stacktrace - because of this call in oauth2_validators: https://github.com/jazzband/django-oauth-toolkit/blob/master/oauth2_provider/oauth2_validators.py#L615

However if I then customise DOT and set a custom validator including request in authenticate() as follows:

OAUTH2_PROVIDER = {
    'OAUTH2_VALIDATOR_CLASS': 'custom.app.MyOAuth2Validator',
    'SCOPES': {'read': 'Read scope', 'write': 'Write scope'},
}
class MyOAuth2Validator(OAuth2Validator):
    def validate_user(self, username, password, client, request, *args, **kwargs):
        """
        Check username and password correspond to a valid and active User
        """
        u = authenticate(request=request, username=username, password=password)
        if u is not None and u.is_active:
            request.user = u
            return True
        return False

it then throws the error:

File "/home/user/.virtualenvs/project/lib/python3.6/site-packages/axes/attempts.py", line 178, in is_already_locked
    ip = get_client_ip(request)
  File "/home/user/.virtualenvs/project/lib/python3.6/site-packages/axes/utils.py", line 69, in get_client_ip
    request_header_order=settings.AXES_META_PRECEDENCE_ORDER,
  File "/home/user/.virtualenvs/project/lib/python3.6/site-packages/ipware/ip2.py", line 25, in get_client_ip
    value = util.get_request_meta(request, key)
  File "/home/user/.virtualenvs/project/lib/python3.6/site-packages/ipware/utils.py", line 66, in get_request_meta
    value = request.META.get(key, request.META.get(key.replace('_', '-'), '')).strip()
  File "/home/user/.virtualenvs/project/lib/python3.6/site-packages/oauthlib/common.py", line 435, in __getattr__
    raise AttributeError(name)
AttributeError: META

This again makes sense, because the Request inside the validator is from oauthlib.common and not from Django and therefore doesn't have any META data.

How on earth are these supposed to work together??

[aleksihakli]

Hi @HCNick! You are right that these are both Jazzband projects. However, Jazzband is not an organization that aims to offer projects that all work with each other out of the box. It offers shared maintenance for projects where multiple maintainers can help each other out in keeping different Python and Django projects up-to-date. Please check out the Jazzband website at https://jazzband.co/

At the moment django-oauth-toolkit is unfortunately not officially supported by django-axes. If you would like to improve the situation, django-axes and django-oauth-toolkit are open for contributions.

To the problem at hand, however. The main thing here is that django-axes uses some Django HTTP request object properties to fetch necessary information to function correctly. The attributes in themselves are strictly not necessary for functioning, although they should be correctly configured, if you want the lockout behaviour to work as intended.

You could hack your validator code to pass the necessary request attributes to django-axes so that the necessary request attributes can be fetched the from the request object. django-axes requires the following request parameter attributes to be accessible:

• request.GET which is a QueryDict
• request.POST which is also a QueryDict
• request.META which is a normal Python dictionary

You could try the following snippet for compatibility. Refer to the Django HttpRequest and QueryDict source code for inspiration.

from django.http.request import QueryDict

OAUTH2_PROVIDER = {
    'OAUTH2_VALIDATOR_CLASS': 'custom.app.MyOAuth2Validator',
    'SCOPES': {'read': 'Read scope', 'write': 'Write scope'},
}
class MyOAuth2Validator(OAuth2Validator):
    def validate_user(self, username, password, client, request, *args, **kwargs):
        """
        Check username and password correspond to a valid and active User
        """

        # Set defaults for necessary request object attributes for django-axes compatibility
        setattr(request, 'GET', getattr(request, 'GET', QueryDict()))
        setattr(request, 'POST', getattr(request, 'POST', QueryDict()))
        setattr(request, 'META', getattr(request, 'META', dict()))

        u = authenticate(request=request, username=username, password=password)
        if u is not None and u.is_active:
            request.user = u
            return True
        return False

Please note that the end user IP address is fetched with the [django-ipware](https://github.com/un33k/django-ipware] package by the helpers module.

django-axes/axes/helpers.py

Lines 137 to 153 in 59da387

	def get_client_ip_address(request: HttpRequest) -> str:
	"""
	Get client IP address as configured by the user.
	The django-ipware package is used for address resolution
	and parameters can be configured in the Axes package.
	"""
	client_ip_address, _ = ipware.ip2.get_client_ip(
	request,
	proxy_order=settings.AXES_PROXY_ORDER,
	proxy_count=settings.AXES_PROXY_COUNT,
	proxy_trusted_ips=settings.AXES_PROXY_TRUSTED_IPS,
	request_header_order=settings.AXES_META_PRECEDENCE_ORDER,
	)
	return str(ip_address(client_ip_address))

The request.META['REMOTE_ADDR'] attribute is used as the default source for the client IP. This attribute should ideally be set, if it is somehow available.

[aleksihakli]

Closing as the above should fix the problem and there has been no further discussion on the issue.

[BeOleg]

@aleksihakli
I have implemented the above yet I get the following error when trying to obtain an access token:

AxesBackendRequestParameterRequired at /en/api/v1/oAuth2/token/

Traceback

Environment:


Request Method: POST
Request URL: http://localhost:8000/en/api/v1/oAuth2/token/

Django Version: 2.2.4
Python Version: 3.8.0
Installed Applications:
['django.contrib.sites',
 'django.contrib.admin',
 'django.contrib.auth',
 'django.contrib.contenttypes',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'django.contrib.humanize',
 'bootstrap3',
 'rest_framework',
 'corsheaders',
 'core',
 'ticker',
 'accounts',
 'orders',
 'referrals',
 'payments',
 'articles',
 'verification',
 'ico',
 'session_security',
 'axes',
 'guardian',
 'nexchange',
 'support',
 'loginurl',
 'social_django',
 'django_fsm',
 'risk_management',
 'audit',
 'oauth2_provider',
 'django_otp',
 'django_otp.plugins.otp_totp',
 'sorl.thumbnail',
 'newsletter',
 'email_log',
 'nested_admin',
 'constance',
 'rangefilter',
 'debug_toolbar',
 'django_extensions']
Installed Middleware:
['django.middleware.security.SecurityMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.middleware.locale.LocaleMiddleware',
 'corsheaders.middleware.CorsMiddleware',
 'django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'session_security.middleware.SessionSecurityMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware',
 'referrals.middleware.ReferralMiddleWare',
 'core.middleware.TimezoneMiddleware',
 'core.middleware.LastSeenMiddleware',
 'social_django.middleware.SocialAuthExceptionMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django_otp.middleware.OTPMiddleware',
 'audit_log.middleware.UserLoggingMiddleware',
 'axes.middleware.AxesMiddleware',
 'debug_toolbar.middleware.DebugToolbarMiddleware']



Traceback:

File "/usr/local/lib/python3.8/site-packages/django/core/handlers/exception.py" in inner
  34.             response = get_response(request)

File "/usr/local/lib/python3.8/site-packages/django/core/handlers/base.py" in _get_response
  115.                 response = self.process_exception_by_middleware(e, request)

File "/usr/local/lib/python3.8/site-packages/django/core/handlers/base.py" in _get_response
  113.                 response = wrapped_callback(request, *callback_args, **callback_kwargs)

File "/usr/local/lib/python3.8/site-packages/newrelic/hooks/framework_django.py" in wrapper
  539.                 return wrapped(*args, **kwargs)

File "/usr/local/lib/python3.8/site-packages/django/views/generic/base.py" in view
  71.             return self.dispatch(request, *args, **kwargs)

File "/usr/local/lib/python3.8/site-packages/django/utils/decorators.py" in _wrapper
  45.         return bound_method(*args, **kwargs)

File "/usr/local/lib/python3.8/site-packages/django/views/decorators/csrf.py" in wrapped_view
  54.         return view_func(*args, **kwargs)

File "/usr/local/lib/python3.8/site-packages/newrelic/hooks/framework_django.py" in wrapper
  930.             return wrapped(*args, **kwargs)

File "/usr/local/lib/python3.8/site-packages/django/views/generic/base.py" in dispatch
  97.         return handler(request, *args, **kwargs)

File "/usr/local/lib/python3.8/site-packages/django/utils/decorators.py" in _wrapper
  45.         return bound_method(*args, **kwargs)

File "/usr/local/lib/python3.8/site-packages/django/views/decorators/debug.py" in sensitive_post_parameters_wrapper
  76.             return view(request, *args, **kwargs)

File "/usr/local/lib/python3.8/site-packages/oauth2_provider/views/base.py" in post
  206.         url, headers, body, status = self.create_token_response(request)

File "/usr/local/lib/python3.8/site-packages/oauth2_provider/views/mixins.py" in create_token_response
  123.         return core.create_token_response(request)

File "/usr/local/lib/python3.8/site-packages/oauth2_provider/oauth2_backends.py" in create_token_response
  137.         headers, body, status = self.server.create_token_response(uri, http_method, body,

File "/usr/local/lib/python3.8/site-packages/oauthlib/oauth2/rfc6749/endpoints/base.py" in wrapper
  116.             return f(endpoint, uri, *args, **kwargs)

File "/usr/local/lib/python3.8/site-packages/oauthlib/oauth2/rfc6749/endpoints/token.py" in create_token_response
  118.         return grant_type_handler.create_token_response(

File "/usr/local/lib/python3.8/site-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py" in create_token_response
  101.             self.validate_token_request(request)

File "/usr/local/lib/python3.8/site-packages/oauthlib/oauth2/rfc6749/grant_types/resource_owner_password_credentials.py" in validate_token_request
  183.         if not self.request_validator.validate_user(request.username,

File "/pipeline/source/nexchange/oauth2_validators.py" in validate_user
  29.         return super(AxesOAuth2Validator, self).validate_user(

File "/usr/local/lib/python3.8/site-packages/oauth2_provider/oauth2_validators.py" in validate_user
  594.         u = authenticate(username=username, password=password)

File "/usr/local/lib/python3.8/site-packages/django/contrib/auth/__init__.py" in authenticate
  73.             user = backend.authenticate(request, **credentials)

File "/usr/local/lib/python3.8/site-packages/axes/helpers.py" in inner
  408.             return func(*args, **kwargs)

File "/usr/local/lib/python3.8/site-packages/axes/backends.py" in authenticate
  33.             raise AxesBackendRequestParameterRequired('AxesBackend requires a request as an argument to authenticate')

Exception Type: AxesBackendRequestParameterRequired at /en/api/v1/oAuth2/token/
Exception Value: AxesBackend requires a request as an argument to authenticate

My nexchange/oauth2_validators.py code

from oauth2_provider.oauth2_validators import OAuth2Validator
from django.contrib.auth import authenticate
from django.http.request import QueryDict


class CustomOAuth2Validator(OAuth2Validator):
    def validate_user(self, username, password, client, request, *args, **kwargs):
        """
        Check username and password correspond to a valid and active User
        """
        u = authenticate(request=request, username=username, password=password)
        if u is not None and u.is_active:
            request.user = u
            return True
        return False


class AxesOAuth2Validator(OAuth2Validator):
    def validate_user(self, username, password,
                      client, request, *args, **kwargs):
        """
        Sets defaults for necessary request object
        attributes for django-axes compatibility
        """
        setattr(request, 'GET', getattr(request, 'GET', QueryDict()))
        setattr(request, 'POST', getattr(request, 'POST', QueryDict()))
        setattr(request, 'META', getattr(request, 'META', dict()))

        return super(AxesOAuth2Validator, self).validate_user(
            self, username, password, client, request, *args, **kwargs
        )

[aleksihakli]

Hk @BeOleg! Have you checked the OAuth2 validation examples in the current django-axes documentation? Your code example seems to be of a previous django-oauth-toolkit validator discussion and we have reworked the solution.