Add attr request in user_login_failed signal

[anonymous]

Add attr request in user_login_failed signal.
This will allow to see the IP of the person who brute force passwords.

[Claude Paroz]

I can understand the use case, however it will be difficult to implement in practice, because the authenticate method which fires the signal doesn't have access to the request.

I think that if you want to implement such mechanism, you should provide your own AuthenticationForm subclass (and customize the clean method), so this is something each developper can do without modifying Django itself.

[anonymous]

How, if form is not receive request?

contrib.auth.view:

@sensitive_post_parameters()
@csrf_protect
@never_cache
def login(request, template_name='registration/login.html',

redirect_field_name=REDIRECT_FIELD_NAME,
authentication_form=AuthenticationForm,
current_app=None, extra_context=None):

"""
Displays the login form and handles the login action.
"""
redirect_to = request.REQUEST.get(redirect_field_name, )

if request.method == "POST":

form = authentication_form(data=request.POST) # THIS NEED APPEND request
if form.is_valid():

...

[anonymous]

How, if form is not receive request?

contrib.auth.view:

@sensitive_post_parameters()
@csrf_protect
@never_cache
def login(request, template_name='registration/login.html',

redirect_field_name=REDIRECT_FIELD_NAME,
authentication_form=AuthenticationForm,
current_app=None, extra_context=None):

"""
Displays the login form and handles the login action.
"""
redirect_to = request.REQUEST.get(redirect_field_name, )

if request.method == "POST":

form = authentication_form(data=request.POST) # THIS NEED APPEND request
if form.is_valid():

...

[Alejandro Varas]

This doesn't solve the issue of request not being passed to the user_login_failed signal but solves request being passed to authentication_form and backs claudep argument.

https://code.djangoproject.com/ticket/15198

[Claude Paroz]

Yes, #15198 is the ticket to fix so as the request is available.