Bump django-axes to v7.0.1
#1103
Conversation
|
Task linked: QF-4848 Bump django-axes to 6.0.0+ |
| # Configures the limiter to handle username only (see https://django-axes.readthedocs.io/en/latest/2_installation.html#version-7-breaking-changes-and-upgrading-from-django-axes-version-6) | ||
| AXES_LOCKOUT_PARAMETERS = ["username"] |
There was a problem hiding this comment.
Added a bit of space to improve readability.
| # Configures the limiter to handle username only (see https://django-axes.readthedocs.io/en/latest/2_installation.html#version-7-breaking-changes-and-upgrading-from-django-axes-version-6) | |
| AXES_LOCKOUT_PARAMETERS = ["username"] | |
| # Configures the limiter to handle username only. | |
| # See https://django-axes.readthedocs.io/en/latest/2_installation.html#version-7-breaking-changes-and-upgrading-from-django-axes-version-6 | |
| AXES_LOCKOUT_PARAMETERS = ["username"] | |
Why don't we ratelimit on email login too?
There was a problem hiding this comment.
Interesting : axes rate limiter's lockout allowed parameters seem to be only username, ip and useragent
I get this error when trying to add somehow email to the AXES_LOCKOUT_PARAMETERS :
'email' lockout parameter is not allowed. Allowed parameters: username, ip_address, user_agent
This comment looks interesting : I tried setting the AXES_USERNAME_FORM_FIELD = "email"
-> the rate limiter works fine with email :
But, axes rate limiter then doesn't work with username, and it looks like allauth's rate limiter is then activated :
Would it mean that axes's rate limiter works only with username OR email, and not both of them simultaneously ?
This PR bumps the dependency to its newest version.
axes's changelog: https://github.com/jazzband/django-axes/blob/master/CHANGES.rst#701-2024-12-02Notable breaking changes: https://django-axes.readthedocs.io/en/latest/2_installation.html#version-7-breaking-changes-and-upgrading-from-django-axes-version-6