From ec4a099f182629d86a7421af7d4899a655be684e Mon Sep 17 00:00:00 2001
From: 0livd <github@destras.fr>
Date: Sun, 20 Aug 2017 12:37:12 +0200
Subject: Protect admin endpoints against brute force attacks (#249)

* Protect admin endpoints against brute force attacks

Add a throttling mechanism to prevent a client brute
forcing the authentication form, based on its ip address
Closes #245

* Reset attempt counters if they get memory hungry
---
 ihatemoney/run.py | 6 ++++++
 1 file changed, 6 insertions(+)

(limited to 'ihatemoney/run.py')

diff --git a/ihatemoney/run.py b/ihatemoney/run.py
index 22cf235..1d02405 100644
--- a/ihatemoney/run.py
+++ b/ihatemoney/run.py
@@ -7,6 +7,7 @@ from flask_babel import Babel
 from flask_mail import Mail
 from flask_migrate import Migrate, upgrade, stamp
 from raven.contrib.flask import Sentry
+from werkzeug.contrib.fixers import ProxyFix
 
 from ihatemoney.api import api
 from ihatemoney.models import db
@@ -104,6 +105,11 @@ def create_app(configuration=None, instance_path='/etc/ihatemoney',
     load_configuration(app, configuration)
     app.wsgi_app = PrefixedWSGI(app)
 
+    # Get client's real IP
+    # Note(0livd): When running in a non-proxy setup, is vulnerable to requests
+    # with a forged X-FORWARDED-FOR header
+    app.wsgi_app = ProxyFix(app.wsgi_app)
+
     validate_configuration(app)
     app.register_blueprint(web_interface)
     app.register_blueprint(api)
-- 
cgit v1.1