fix(account/adapter): Prevent login attempts casing bypass

pennersr · Nov 25, 2020 · 2fa7038 · 2fa7038
1 parent 701d8ff
commit 2fa7038
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 5 deletions.
diff --git a/ChangeLog.rst b/ChangeLog.rst
@@ -1,10 +1,12 @@
 0.44.0 (unreleased)
 *******************
 
-Note worthy changes
--------------------
+Security notice
+---------------
 
-- ...
+In previous versions, the mechanism to prevent too many failed login attempts
+(``ACCOUNT_LOGIN_ATTEMPTS_LIMIT``) could be bypassed by changing the casing of
+the login.
 
 
 Backwards incompatible changes

diff --git a/allauth/account/adapter.py b/allauth/account/adapter.py
@@ -471,7 +471,7 @@ def respond_email_verification_sent(self, request, user):
 
     def _get_login_attempts_cache_key(self, request, **credentials):
         site = get_current_site(request)
-        login = credentials.get("email", credentials.get("username", ""))
+        login = credentials.get("email", credentials.get("username", "")).lower()
         login_key = hashlib.sha256(login.encode("utf8")).hexdigest()
         return "allauth/login_attempts@{site_id}:{login}".format(
             site_id=site.pk, login=login_key

diff --git a/allauth/account/tests.py b/allauth/account/tests.py
@@ -587,7 +587,7 @@ def test_login_failed_attempts_exceeded(self):
             resp = self.client.post(
                 reverse("account_login"),
                 {
-                    "login": "john",
+                    "login": ["john", "John", "JOHN", "JOhn", "joHN"][i],
                     "password": ("doe" if is_valid_attempt else "wrong"),
                 },
             )