issue jazzband#200 fix successful login should not add failure attemp…

…t or block user
ashrafemad · Jan 18, 2022 · 1269d4a · 1269d4a
1 parent 43e6fcd
commit 1269d4a
Show file tree

Hide file tree

Showing 2 changed files with 26 additions and 1 deletion.
diff --git a/defender/decorators.py b/defender/decorators.py
@@ -37,7 +37,7 @@ def wrapper(request, *args, **kwargs):
                     # always to True so the first 2 will decide the result.
                     login_unsuccessful = (
                         response
-                        and response.status_code == status_code
+                        and response.status_code != status_code
                         and msg in response.content.decode("utf-8")
                     )
 

diff --git a/defender/tests.py b/defender/tests.py
@@ -926,6 +926,31 @@ def fake_api_401_login_view_without_msg(request):
             data_out = utils.get_blocked_ips()
             self.assertEqual(data_out, [])
 
+    @patch("defender.config.BEHIND_REVERSE_PROXY", True)
+    @patch("defender.config.IP_FAILURE_LIMIT", 3)
+    def test_successful_login_does_not_block_user(self):
+        """
+        Check that a successful login with custom status code (200) should not block the user
+        """
+
+        @watch_login(status_code=200)
+        def fake_api_200_login_view_without_msg(request):
+            """ Fake the api login with 200 """
+            return HttpResponse(status=200)
+
+        request_factory = RequestFactory()
+        request = request_factory.post("api/login")
+        request.user = AnonymousUser()
+        request.session = SessionStore()
+
+        request.META["HTTP_X_FORWARDED_FOR"] = "192.168.24.24"
+
+        for _ in range(3):
+            fake_api_200_login_view_without_msg(request)
+        fake_api_200_login_view_without_msg(request)
+        data_out = utils.get_blocked_ips()
+        self.assertEqual(data_out, [])
+
 
 class SignalTest(DefenderTestCase):
     """ Test that signals are properly sent when blocking usernames and IPs.