h$dZddlmZddlZddlZddlmZddlmZddZ ddZ dd Z e d d Z e d d Z e dd Zejdddk(ZdZddZddZd dZd!dZd"dZd#dZd$dZd%dZd%dZy)&a rate_limit.py Purpose: Implements robust, database-backed login rate limiting and lockout to mitigate credential stuffing and brute-force attacks. Tracks failed login attempts per (username, ip) pair with a sliding window and enforces a temporary lock after too many failures. How it works: - On each login POST, `is_login_allowed(username, ip)` is called. - If an active lock exists (locked_until > now), it returns (False, retry_s). - On password failure, `record_login_failure(username, ip)`: - Resets the window if last_failed_at is outside the window. - Increments fail_count and, when threshold is reached, sets locked_until. - On success, `record_login_success(username, ip)` resets counters. Defense-in-depth: - Also enforces an IP-level limiter (`is_ip_allowed(ip)`) to avoid trivial bypass by switching usernames. Both username+ip and ip-only checks must pass. Configuration (env vars): - LOGIN_MAX_FAILS: max failures in the window before lock (default: 5) - LOGIN_WINDOW_SECONDS: sliding window duration in seconds (default: 900) - LOGIN_LOCK_SECONDS: lock duration after threshold exceeded (default: 900) ) annotationsN)Tuple)get_dbc<ttjSN)inttimeIC:\Users\algun\Documents\ceba web\Ceba - Github\app_modules\rate_limit.py_now_tsr%s tyy{ r c@|syhd}||vry|jdryy)zMCheck if the IP address is localhost and should be exempt from rate limiting.F>::10.0.0.0 127.0.0.1 localhostTz127.) startswith)ip localhost_ipss r _is_localhost_ipr)s0 M ] }}V r cv ttj|t|S#t$r|cYSwxYwr)r osgetenvstr Exception)namedefaults r _cfg_intr@s5299T3w<011 s '* 88LOGIN_MAX_FAILS LOGIN_WINDOW_SECONDSi,LOGIN_LOCK_SECONDSLOGIN_LOCK_IP_ON_ACCOUNT_LOCK1ct}|jd|j|jd|jy)Na{ CREATE TABLE IF NOT EXISTS login_attempts ( id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL, ip TEXT NOT NULL, fail_count INTEGER NOT NULL DEFAULT 0, last_failed_at INTEGER NOT NULL DEFAULT 0, locked_until INTEGER NOT NULL DEFAULT 0, UNIQUE(username, ip) ) a  CREATE TABLE IF NOT EXISTS login_ip_attempts ( ip TEXT PRIMARY KEY, fail_count INTEGER NOT NULL DEFAULT 0, last_failed_at INTEGER NOT NULL DEFAULT 0, locked_until INTEGER NOT NULL DEFAULT 0 ) rexecutecommit)dbs r _ensure_schemar+MsC BJJ  IIKJJ  IIKr c^t}|jd||f}|jS)NzaSELECT fail_count, last_failed_at, locked_until FROM login_attempts WHERE username = ? AND ip = ?rr(fetchone)usernamerr*curs r _get_rowr1ls/ B **k 2 C <<>r c\t}|jd|f}|jS)NzSSELECT fail_count, last_failed_at, locked_until FROM login_ip_attempts WHERE ip = ?r-)rr*r0s r _get_ip_rowr3us- B **]  C <<>r cft}|jd|||||f|jy)NaC INSERT INTO login_attempts (username, ip, fail_count, last_failed_at, locked_until) VALUES (?, ?, ?, ?, ?) ON CONFLICT(username, ip) DO UPDATE SET fail_count=excluded.fail_count, last_failed_at=excluded.last_failed_at, locked_until=excluded.locked_until r')r/r fail_countlast_failed_at locked_untilr*s r _upsert_rowr8~s5 BJJ  2z><@ IIKr cdt}|jd||||f|jy)Na/ INSERT INTO login_ip_attempts (ip, fail_count, last_failed_at, locked_until) VALUES (?, ?, ?, ?) ON CONFLICT(ip) DO UPDATE SET fail_count=excluded.fail_count, last_failed_at=excluded.last_failed_at, locked_until=excluded.locked_until r')rr5r6r7r*s r _upsert_ip_rowr:s3 BJJ  Z6 IIKr c "t|rytt||}t}|rt |dxsd}||kDrd||z fSt |dxsdt k\rt |dxsdt z|kDr|tz}t||t |dxsdt |dxsd|trHt|}t |r|dndxsd}||kr"t|t |r|dndxsd||dtfSy)z&Return (allowed, retry_after_seconds).Trr7rFr5r6) rr+r1rr r r"r#r8LOCK_IP_ON_ACCOUNT_LOCKr3r:)r/rrownowr7 lock_untilip_rowexistings r is_login_allowedrCs) 8R C )C 3~.3!4 # ,,, , s< %A &/ 9c#FVBWB\[\>]`t>twz>z11J "c#l*;*@q&A3sK[G\Ga`aCbdn o&$R&~ 6aMANj("2sFF<,@PQ+WVW'XZ]_ij,, , r c~t|rytt|}t}|rt |dxsd}||kDrd||z fSt |dxsdt k\rYt |dxsdt z|kDr=t|t |dxsdt |dxsd|tzdtfSy)Nr<r7rFr5r6) rr+r3rr r r"r:r#)rr>r?r7s r is_ip_allowedrEs b/C )C 3~.3!4 # ,,, , s< %A &/ 9c#FVBWB\[\>]`t>twz>z 2s3|#4#9:CDT@U@ZYZ<[]`cu]u v,, , r cRt|rytt}t|}|st |d|dyt |dxsd}t |dxsd}t |dxsd}|t z|krd}|dz }|}|tk\r |tz}t ||||y)zIncrement only the IP-level counters. Used for attempts blocked before credential verification to escalate to IP lock across usernames.Nrrr5r6r7) rr+rr3r:r r"r r#)rr?r>faillastlocks r record_ip_failurerJs )C b/C r1c1% s< %A &D s#$) *D s>"'a (D ""S(AID D ''2tT4(r cft|rytt}t||}|st ||d|dnlt |dxsd}t |dxsd}t |dxsd}|t z|krd}|dz }|}|tk\r |tz}t |||||t|}|st|d|dyt |dxsd}t |dxsd} t |dxsd} | t z|krd}|dz }|} |tk\r |tz} t||| | y)Nrrr5r6r7) rr+rr1r8r r"r r#r3r:) r/rr?r>r5r6r7rAip_failip_lastip_locks r record_login_failurerOsZ )C 8R C Hb!S!,\*/a0 S!127a83~.3!4  0 03 6Ja   (!33LHb*nlK_F r1c1%&&+!,G&)*/a0G&(-A.G%%+ qLGG/!**2w1r cttt}|jd||f|jy)Nz8DELETE FROM login_attempts WHERE username = ? AND ip = ?)r+rr(r))r/rr*s r record_login_successrQs. BJJIHVX>ZIIKr )returnr )rrrRbool)rrrr rRr )r/rrr)rr) r/rrrr5r r6r r7r )rrr5r r6r r7r )r/rrrrRTuple[bool, int])rrrRrT)rrrRNone)r/rrrrRrU)__doc__ __future__rrr typingrr*rrrrr r"r#rr=r+r1r3r8r:rCrErJrOrQr r r rYs6# .,b1 6<2C8#"))$CSISP>   8$)2*2Zr