| author | 0livd <github@destras.fr> | 2017-08-20 12:37:12 +0200 |
|---|---|---|
| committer | Alexis Metaireau <alexis@notmyidea.org> | 2017-08-20 12:37:12 +0200 |
| commit | ec4a099f182629d86a7421af7d4899a655be684e (patch) | |
| tree | f5b72f89a3fca31f5a74b393a508d0153344a0fc /ihatemoney/run.py | |
| parent | 68e411473540c136dfdb269af888ceddbd0d403b (diff) | |
| download | ihatemoney-mirror-ec4a099f182629d86a7421af7d4899a655be684e.zip ihatemoney-mirror-ec4a099f182629d86a7421af7d4899a655be684e.tar.gz ihatemoney-mirror-ec4a099f182629d86a7421af7d4899a655be684e.tar.bz2 | |
Protect admin endpoints against brute force attacks (#249)
* Protect admin endpoints against brute force attacks
Add a throttling mechanism, keyed on the client's IP address, to prevent a
client from brute-forcing the authentication form
Closes #245
* Reset attempt counters if they get memory hungry
Diffstat (limited to 'ihatemoney/run.py')
| -rw-r--r-- | ihatemoney/run.py | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/ihatemoney/run.py b/ihatemoney/run.py
index 22cf235..1d02405 100644
--- a/ihatemoney/run.py
+++ b/ihatemoney/run.py
@@ -7,6 +7,7 @@ from flask_babel import Babel
 from flask_mail import Mail
 from flask_migrate import Migrate, upgrade, stamp
 from raven.contrib.flask import Sentry
+from werkzeug.contrib.fixers import ProxyFix
 
 from ihatemoney.api import api
 from ihatemoney.models import db
@@ -104,6 +105,11 @@ def create_app(configuration=None, instance_path='/etc/ihatemoney',
     load_configuration(app, configuration)
     app.wsgi_app = PrefixedWSGI(app)
 
+    # Get client's real IP
+    # Note(0livd): When running in a non-proxy setup, is vulnerable to requests
+    # with a forged X-FORWARDED-FOR header
+    app.wsgi_app = ProxyFix(app.wsgi_app)
+
     validate_configuration(app)
     app.register_blueprint(web_interface)
     app.register_blueprint(api)
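Review bot: The unconditional `app.wsgi_app = ProxyFix(app.wsgi_app)` in the second hunk undermines the IP-keyed throttling this commit introduces: in any deployment that is not behind a trusted reverse proxy, a client that sets its own X-Forwarded-For header picks the address the throttle counts against, so the per-IP attempt counter can be sidestepped — the Note(0livd) comment acknowledges this but the code ships with the weak behaviour as the default. The wrap should be opt-in, e.g. `if app.config.get('<TRUSTED_PROXY_FLAG — placeholder, pick the project's config key>'):` followed by the ProxyFix line, with the default leaving REMOTE_ADDR untouched, and the deployment docs should state that the proxy must overwrite (not append to) the forwarded header. The first hunk is only the matching import and needs no change beyond that. create_app starts before this hunk (its signature is in the @@ header) and continues after it.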
