Make it possible to disable ratelimiter

Update APScheduler
Error message on missing flask-limiter
This commit is contained in:
Ozzie Isaacs 2023-02-05 13:43:35 +01:00
parent 4b7a0f3662
commit fb42f6bfff
8 changed files with 51 additions and 126 deletions

View File

@ -28,7 +28,6 @@ import mimetypes
from flask import Flask from flask import Flask
from .MyLoginManager import MyLoginManager from .MyLoginManager import MyLoginManager
from flask_principal import Principal from flask_principal import Principal
from flask_limiter import Limiter
from . import logger from . import logger
from .cli import CliParameter from .cli import CliParameter
@ -42,6 +41,11 @@ from . import config_sql
from . import cache_buster from . import cache_buster
from . import ub, db from . import ub, db
try:
from flask_limiter import Limiter
limiter_present = True
except ImportError:
limiter_present = False
try: try:
from flask_wtf.csrf import CSRFProtect from flask_wtf.csrf import CSRFProtect
wtf_present = True wtf_present = True
@ -97,7 +101,10 @@ web_server = WebServer()
updater_thread = Updater() updater_thread = Updater()
if limiter_present:
limiter = Limiter(key_func=True, headers_enabled=True, auto_check=False, swallow_errors=True) limiter = Limiter(key_func=True, headers_enabled=True, auto_check=False, swallow_errors=True)
else:
limiter = None
def create_app(): def create_app():
if csrf: if csrf:
@ -115,21 +122,13 @@ def create_app():
if error: if error:
log.error(error) log.error(error)
lm.login_view = 'web.login' if not limiter:
lm.anonymous_user = ub.Anonymous log.info('*** "flask-limiter" is needed for calibre-web to run. '
lm.session_protection = 'strong' if config.config_session == 1 else "basic" 'Please install it using pip: "pip install flask-limiter" ***')
print('*** "flask-limiter" is needed for calibre-web to run. '
db.CalibreDB.update_config(config) 'Please install it using pip: "pip install flask-limiter" ***')
db.CalibreDB.setup_db(config.config_calibre_dir, cli_param.settings_path) web_server.stop(True)
calibre_db.init_db() sys.exit(8)
updater_thread.init_updater(config, web_server)
# Perform dry run of updater and exit afterwards
if cli_param.dry_run:
updater_thread.dry_run()
sys.exit(0)
updater_thread.start()
if sys.version_info < (3, 0): if sys.version_info < (3, 0):
log.info( log.info(
'*** Python2 is EOL since end of 2019, this version of Calibre-Web is no longer supporting Python2, ' '*** Python2 is EOL since end of 2019, this version of Calibre-Web is no longer supporting Python2, '
@ -146,6 +145,22 @@ def create_app():
'Please install it using pip: "pip install flask-WTF" ***') 'Please install it using pip: "pip install flask-WTF" ***')
web_server.stop(True) web_server.stop(True)
sys.exit(7) sys.exit(7)
lm.login_view = 'web.login'
lm.anonymous_user = ub.Anonymous
lm.session_protection = 'strong' if config.config_session == 1 else "basic"
db.CalibreDB.update_config(config)
db.CalibreDB.setup_db(config.config_calibre_dir, cli_param.settings_path)
calibre_db.init_db()
updater_thread.init_updater(config, web_server)
# Perform dry run of updater and exit afterwards
if cli_param.dry_run:
updater_thread.dry_run()
sys.exit(0)
updater_thread.start()
for res in dependency_check() + dependency_check(True): for res in dependency_check() + dependency_check(True):
log.info('*** "{}" version does not meet the requirements. ' log.info('*** "{}" version does not meet the requirements. '
'Should: {}, Found: {}, please consider installing required version ***' 'Should: {}, Found: {}, please consider installing required version ***'
@ -157,8 +172,6 @@ def create_app():
if os.environ.get('FLASK_DEBUG'): if os.environ.get('FLASK_DEBUG'):
cache_buster.init_cache_busting(app) cache_buster.init_cache_busting(app)
log.info('Starting Calibre Web...') log.info('Starting Calibre Web...')
limiter.init_app(app)
# limiter.limit("2/minute")(parent)
Principal(app) Principal(app)
lm.init_app(app) lm.init_app(app)
app.secret_key = os.getenv('SECRET_KEY', config_sql.get_flask_session_key(ub.session)) app.secret_key = os.getenv('SECRET_KEY', config_sql.get_flask_session_key(ub.session))
@ -179,6 +192,10 @@ def create_app():
config.config_goodreads_api_secret_e, config.config_goodreads_api_secret_e,
config.config_use_goodreads) config.config_use_goodreads)
config.store_calibre_uuid(calibre_db, db.Library_Id) config.store_calibre_uuid(calibre_db, db.Library_Id)
# Configure rate limiter
app.config.update(RATELIMIT_ENABLED=config.config_ratelimiter)
limiter.init_app(app)
# Register scheduled tasks # Register scheduled tasks
from .schedule import register_scheduled_tasks, register_startup_tasks from .schedule import register_scheduled_tasks, register_startup_tasks
register_scheduled_tasks(config.schedule_reconnect) register_scheduled_tasks(config.schedule_reconnect)

View File

@ -22,7 +22,6 @@
import os import os
import re import re
import base64
import json import json
import operator import operator
import time import time
@ -104,7 +103,6 @@ def before_request():
if not ub.check_user_session(current_user.id, flask_session.get('_id')) and 'opds' not in request.path: if not ub.check_user_session(current_user.id, flask_session.get('_id')) and 'opds' not in request.path:
logout_user() logout_user()
g.constants = constants g.constants = constants
# g.user = current_user
g.google_site_verification = os.getenv('GOOGLE_SITE_VERIFICATION','') g.google_site_verification = os.getenv('GOOGLE_SITE_VERIFICATION','')
g.allow_registration = config.config_public_reg g.allow_registration = config.config_public_reg
g.allow_anonymous = config.config_anonbrowse g.allow_anonymous = config.config_anonbrowse
@ -1802,6 +1800,7 @@ def _configuration_update_helper():
_config_checkbox(to_save, "config_password_special") _config_checkbox(to_save, "config_password_special")
_config_int(to_save, "config_password_min_length") _config_int(to_save, "config_password_min_length")
reboot_required |= _config_int(to_save, "config_session") reboot_required |= _config_int(to_save, "config_session")
reboot_required |= _config_checkbox(to_save, "config_ratelimiter")
# Rarfile Content configuration # Rarfile Content configuration
_config_string(to_save, "config_rarfile_location") _config_string(to_save, "config_rarfile_location")

View File

@ -161,108 +161,12 @@ class _Settings(_Base):
config_password_upper = Column(Boolean, default=True) config_password_upper = Column(Boolean, default=True)
config_password_special = Column(Boolean, default=True) config_password_special = Column(Boolean, default=True)
config_session = Column(Integer, default=1) config_session = Column(Integer, default=1)
config_ratelimiter = Column(Boolean, default=True)
def __repr__(self): def __repr__(self):
return self.__class__.__name__ return self.__class__.__name__
class MailConfigSQL(object):
def __init__(self):
self.__dict__["dirty"] = list()
def init_config(self, session, secret_key):
self._session = session
self._settings = None
self._fernet = Fernet(secret_key)
self.load()
def _read_from_storage(self):
if self._settings is None:
log.debug("_MailConfigSQL._read_from_storage")
self._settings = self._session.query(_Mail_Settings).first()
return self._settings
def to_dict(self):
storage = {}
for k, v in self.__dict__.items():
if k[0] != '_' and not k.endswith("password") and not k.endswith("secret") and not k == "cli":
storage[k] = v
return storage
def load(self):
"""Load all configuration values from the underlying storage."""
s = self._read_from_storage() # type: _Settings
for k, v in s.__dict__.items():
if k[0] != '_':
if v is None:
# if the storage column has no value, apply the (possible) default
column = s.__class__.__dict__.get(k)
if column.default is not None:
v = column.default.arg
if k.endswith("enc") and v is not None:
try:
setattr(s, k, self._fernet.decrypt(v).decode())
except cryptography.exceptions.InvalidKey:
setattr(s, k, None)
else:
setattr(self, k, v)
self.__dict__["dirty"] = list()
def save(self):
"""Apply all configuration values to the underlying storage."""
s = self._read_from_storage() # type: _Settings
for k in self.dirty:
if k[0] == '_':
continue
if hasattr(s, k):
if k.endswith("enc"):
setattr(s, k, self._fernet.encrypt(self.__dict__[k].encode()))
else:
setattr(s, k, self.__dict__[k])
log.debug("_MailConfigSQL updating storage")
self._session.merge(s)
try:
self._session.commit()
except OperationalError as e:
log.error('Database error: %s', e)
self._session.rollback()
self.load()
def set_from_dictionary(self, dictionary, field, convertor=None, default=None, encode=None):
"""Possibly updates a field of this object.
The new value, if present, is grabbed from the given dictionary, and optionally passed through a convertor.
:returns: `True` if the field has changed value
"""
new_value = dictionary.get(field, default)
if new_value is None:
return False
if field not in self.__dict__:
log.warning("_ConfigSQL trying to set unknown field '%s' = %r", field, new_value)
return False
if convertor is not None:
if encode:
new_value = convertor(new_value.encode(encode))
else:
new_value = convertor(new_value)
current_value = self.__dict__.get(field)
if current_value == new_value:
return False
setattr(self, field, new_value)
return True
def __setattr__(self, attr_name, attr_value):
super().__setattr__(attr_name, attr_value)
self.__dict__["dirty"].append(attr_name)
# Class holds all application specific settings in calibre-web # Class holds all application specific settings in calibre-web
class ConfigSQL(object): class ConfigSQL(object):
# pylint: disable=no-member # pylint: disable=no-member

View File

@ -62,7 +62,7 @@ def main():
app.register_blueprint(tasks) app.register_blueprint(tasks)
app.register_blueprint(web) app.register_blueprint(web)
app.register_blueprint(opds) app.register_blueprint(opds)
limiter.limit("10/minute",key_func=request_username)(opds) limiter.limit("3/minute",key_func=request_username)(opds)
app.register_blueprint(jinjia) app.register_blueprint(jinjia)
app.register_blueprint(about) app.register_blueprint(about)
app.register_blueprint(shelf) app.register_blueprint(shelf)
@ -74,7 +74,7 @@ def main():
if kobo_available: if kobo_available:
app.register_blueprint(kobo) app.register_blueprint(kobo)
app.register_blueprint(kobo_auth) app.register_blueprint(kobo_auth)
limiter.limit("10/minute", key_func=get_remote_address)(kobo) limiter.limit("3/minute", key_func=get_remote_address)(kobo)
if oauth_available: if oauth_available:
app.register_blueprint(oauth) app.register_blueprint(oauth)
success = web_server.start() success = web_server.start()

View File

@ -364,6 +364,10 @@
</div> </div>
<div id="collapsesix" class="panel-collapse collapse"> <div id="collapsesix" class="panel-collapse collapse">
<div class="panel-body"> <div class="panel-body">
<div class="form-group">
<input type="checkbox" id="config_ratelimiter" name="config_ratelimiter" {% if config.config_ratelimiter %}checked{% endif %}>
<label for="config_ratelimiter">{{_('Limit failed login attempts')}}</label>
</div>
<div class="form-group"> <div class="form-group">
<label for="config_session">{{_('Session protection')}}</label> <label for="config_session">{{_('Session protection')}}</label>
<select name="config_session" id="config_session" class="form-control"> <select name="config_session" id="config_session" class="form-control">

View File

@ -23,7 +23,7 @@ from werkzeug.security import check_password_hash
from flask_login import login_required, login_user from flask_login import login_required, login_user
from flask import request, Response from flask import request, Response
from . import lm, ub, config, constants, services, logger from . import lm, ub, config, constants, services, logger, limiter
log = logger.create() log = logger.create()
@ -65,8 +65,9 @@ def requires_basic_auth_if_no_ano(f):
def _load_user_from_auth_header(username, password): def _load_user_from_auth_header(username, password):
limiter.check()
user = _fetch_user_by_name(username) user = _fetch_user_by_name(username)
if bool(user and check_password_hash(str(user.password), password)): if bool(user and check_password_hash(str(user.password), password)) and user.name != "Guest":
login_user(user) login_user(user)
return user return user
else: else:

View File

@ -1315,17 +1315,17 @@ def login():
@limiter.limit("40/day", key_func=lambda: request.form.get('username', "").strip().lower()) @limiter.limit("40/day", key_func=lambda: request.form.get('username', "").strip().lower())
@limiter.limit("3/minute", key_func=lambda: request.form.get('username', "").strip().lower()) @limiter.limit("3/minute", key_func=lambda: request.form.get('username', "").strip().lower())
def login_post(): def login_post():
form = request.form.to_dict()
try: try:
limiter.check() limiter.check()
except RateLimitExceeded: except RateLimitExceeded:
flash(_(u"Wait one minute"), category="error") flash(_(u"Please wait one minute before next login"), category="error")
return render_login() return render_login(form.get("username", ""), form.get("password", ""))
if current_user is not None and current_user.is_authenticated: if current_user is not None and current_user.is_authenticated:
return redirect(url_for('web.index')) return redirect(url_for('web.index'))
if config.config_login_type == constants.LOGIN_LDAP and not services.ldap: if config.config_login_type == constants.LOGIN_LDAP and not services.ldap:
log.error(u"Cannot activate LDAP authentication") log.error(u"Cannot activate LDAP authentication")
flash(_(u"Cannot activate LDAP authentication"), category="error") flash(_(u"Cannot activate LDAP authentication"), category="error")
form = request.form.to_dict()
user = ub.session.query(ub.User).filter(func.lower(ub.User.name) == form.get('username', "").strip().lower()) \ user = ub.session.query(ub.User).filter(func.lower(ub.User.name) == form.get('username', "").strip().lower()) \
.first() .first()
remember_me = bool(form.get('remember_me')) remember_me = bool(form.get('remember_me'))

View File

@ -1,4 +1,4 @@
APScheduler>=3.6.3,<3.10.0 APScheduler>=3.6.3,<3.11.0
werkzeug<2.1.0 werkzeug<2.1.0
Babel>=1.3,<3.0 Babel>=1.3,<3.0
Flask-Babel>=0.11.1,<3.1.0 Flask-Babel>=0.11.1,<3.1.0