Re: MFA (2FA)

2022-04-08 Thread Yonas
Hi Florian,

WebAuthn promotes password-less authentication, so let’s treat it as an 
alternative to the Django auth system while implementing 2FA for the 
password-based Django auth. 

On Friday, April 8, 2022 at 8:56:18 PM UTC+3 f.apo...@gmail.com wrote:

> Hi Yonas,
>
> On Friday, April 8, 2022 at 3:18:23 AM UTC+2 Yonas wrote:
>
>> There are multiple ways to implement MFA, as you mentioned. But the goal 
>> here is to provide a simple mechanism. It's "not necessary" to cover every 
>> use case, and I believe that's where third-party packages come in.
>>
>
> While it is not required to cover every usecase, WebAuthn would be at the 
> top of the list. I do not think adding MFA to core without having support 
> for WebAuthn is going to get much traction.
>
> Cheers,
> Florian
>

-- 
You received this message because you are subscribed to the Google Groups 
"Django developers  (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/django-developers/2f6fc6f6-859c-417e-9917-c8aa50323249n%40googlegroups.com.


Re: Ticket #21289 - Login rate limiting

2022-04-08 Thread Florian Apolloner
Hi Jacob,

I am afraid this does not help much at all. Assuming a malicious client 
wants to attack you, they can still just issue one request to get this 
"other hidden field". Then they wait 5 seconds and are free to send 
thousands of requests with that token (Well till it expires, then they need 
a new one. You can probably also not easily make a single use token because 
that would require state storage on the server -> back to square one). Even 
if we were to bind this token to source IPs etc, all you are doing is 
slowing down the whole attack by five seconds. And this is a static one 
time fee to pay for the client, which compared to the number of tries they 
need (over days or so) is not much.

Or do I miss something important here?

Cheers,
Florian

On Tuesday, April 5, 2022 at 4:04:54 PM UTC+2 jacob...@gmail.com wrote:

> How about this proposal?
>
> Someone opens the login page. In addition to the visible 
> fields username and password and the hidden field csrftoken we add another 
> hidden field. This field contains the earliest (server-)timestamp a user 
> might log in, and lies in the near future, for instance now() + 
> timedelta(seconds=5). That value is cryptographically signed.
>
> In addition to this, we disable the submit button and add a small 
> Javascript function which sets an interval corresponding to the mandatory 
> login delay. After that interval expired, the submit button is enabled 
> again.
>
> A malicious client who bypasses the disabled button and attempts to submit 
> the login form will receive an HTTP response with an error code > 400.
>
> What are the advantages?
>
>- Django doesn't have to store any state of users and/or IP addresses 
>attempting to log in.
>- Django doesn't have to delay itself to throttle requests. This btw. 
>is a DoS attack vector by blocking server threads.
>- We transfer responsibility for delaying login requests to the client 
>– who can't bypass them.
>
>
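The exchange above is easy to check in code. The block below is an added example, not code from the thread or from Django: it builds the proposed "earliest submit time" token with a plain HMAC-SHA256 stand-in for django.core.signing (so it runs stand-alone), verifies it statelessly the way the proposal requires, and then plays the attacker Florian describes: fetch one token, wait the mandatory delay once, and replay the same token for every password guess until it expires. The secret, delay and TTL values are constructed for the demo. The second counter shows what it would take to make the token single-use, namely a server-side set of used tokens, which is exactly the state the proposal set out to avoid.

```python
"""Signed login-delay token (as proposed) and its replay weakness.

Added example. HMAC-SHA256 stands in for django.core.signing so the file
runs without Django; the secret, delay and TTL below are constructed values.
"""
import base64
import binascii
import hashlib
import hmac
import json

SECRET_KEY = b"constructed-demo-secret-do-not-use"  # stand-in for settings.SECRET_KEY
LOGIN_DELAY = 5     # seconds a client must wait before the form may be submitted
TOKEN_TTL = 300     # seconds until the token expires and a fresh one is needed


def _sign(payload: bytes) -> str:
    """URL-safe base64 HMAC over the payload (padding stripped)."""
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def make_login_token(now: int) -> str:
    """Token issued with the login page: not-before and expiry timestamps."""
    payload = json.dumps(
        {"not_before": now + LOGIN_DELAY, "exp": now + TOKEN_TTL}
    ).encode()
    body = base64.urlsafe_b64encode(payload).rstrip(b"=").decode()
    return f"{body}.{_sign(payload)}"


def verify_login_token(token: str, now: int) -> tuple[bool, str]:
    """Stateless check: signature, not-before, expiry. Nothing is remembered,
    so a token that passes once passes again until it expires."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except (ValueError, binascii.Error):
        return False, "malformed"
    if not hmac.compare_digest(_sign(payload), sig):
        return False, "bad signature"
    claims = json.loads(payload)
    if now < claims["not_before"]:
        return False, "too early"
    if now >= claims["exp"]:
        return False, "expired"
    return True, "ok"


def simulate_replay(attempts: int) -> dict:
    """Attacker fetches one token, waits LOGIN_DELAY once, then replays it for
    every guess. Guesses are spread at 100 per second so they stay inside TTL.
    Returns how many guesses the stateless verifier accepted and how many a
    server-side single-use set would have accepted instead."""
    t0 = 1_000_000                      # constructed "now" at page load
    token = make_login_token(t0)
    early_ok, _ = verify_login_token(token, t0 + 1)   # before the delay

    start = t0 + LOGIN_DELAY            # the one-time wait is over
    used_tokens: set[str] = set()       # the state the proposal wanted to avoid
    stateless_accepted = stateful_accepted = 0
    for i in range(attempts):
        ok, _ = verify_login_token(token, start + i // 100)
        if ok:
            stateless_accepted += 1
            if token not in used_tokens:      # single-use needs this lookup
                used_tokens.add(token)
                stateful_accepted += 1
    return {
        "early_accepted": early_ok,
        "attacker_wait_seconds": LOGIN_DELAY,
        "stateless_accepted": stateless_accepted,
        "stateful_accepted": stateful_accepted,
    }


if __name__ == "__main__":
    print(simulate_replay(2000))
```

The first counter is the thread's point in numbers: the delay is a one-off cost of LOGIN_DELAY seconds, after which every replay within TOKEN_TTL is accepted, and binding the token to a source IP changes nothing for an attacker replaying from that same IP. The second counter only drops to one because the verifier now keeps a per-token record, which is the stateful bookkeeping the proposal was trying to do without.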



Re: MFA (2FA)

2022-04-08 Thread Florian Apolloner
Hi Yonas,

On Friday, April 8, 2022 at 3:18:23 AM UTC+2 Yonas wrote:

> There are multiple ways to implement MFA, as you mentioned. But the goal 
> here is to provide a simple mechanism. It's "not necessary" to cover every 
> use case, and I believe that's where third-party packages come in.
>

While it is not required to cover every usecase, WebAuthn would be at the 
top of the list. I do not think adding MFA to core without having support 
for WebAuthn is going to get much traction.

Cheers,
Florian



Re: Add YugabyteDB backend to the Django documentation

2022-04-08 Thread 'Sfurti Sarah' via Django developers (Contributions to Django itself)
Thank you for the information, we will incorporate the changes as per the 
recommendation and will raise a PR against the docs soon.

On Friday, April 8, 2022 at 12:54:07 PM UTC+5:30 Adam Johnson wrote:

> Hi
>
> I think the only process would be to open a pull request against that 
> documentation page.
>
> As to your package, it could do with some more documentation. I'm sure 
> there are some limitations. Have you tried running the Django test suite 
> with it?
>
> I would also recommend renaming it to 'django-yugabyte', with a module 
> name of django_yugabyte, to make it easier to discover.
>
> Thanks,
>
> Adam
>
>
> On Thu, Apr 7, 2022 at 8:48 AM 'Sfurti Sarah' via Django developers 
> (Contributions to Django itself)  wrote:
>
>> Hello,
>>
>> We at YugabyteDB have implemented a backend for Django that allows users 
>> to use Django with YugabyteDB better. We would love to get listed on here 
>> with the other 3rd party backends. Our backend package is available here 
>> on GitHub and published on PyPI as well. Please let us know the procedure 
>> to be followed to get listed. Thanks!
>>
>>
>



Re: Add YugabyteDB backend to the Django documentation

2022-04-08 Thread 'Adam Johnson' via Django developers (Contributions to Django itself)
Hi

I think the only process would be to open a pull request against that
documentation page.

As to your package, it could do with some more documentation. I'm sure
there are some limitations. Have you tried running the Django test suite
with it?

I would also recommend renaming it to 'django-yugabyte', with a module name
of django_yugabyte, to make it easier to discover.

Thanks,

Adam


On Thu, Apr 7, 2022 at 8:48 AM 'Sfurti Sarah' via Django developers
(Contributions to Django itself)  wrote:

> Hello,
>
> We at YugabyteDB have implemented a backend for Django that allows users to
> use Django with YugabyteDB better. We would love to get listed on here with
> the other 3rd party backends. Our backend package is available here on GitHub
> and published on PyPI as well. Please let us know the procedure to be
> followed to get listed. Thanks!
>
>
