Feature YG-1071 enumeration-attack-proof email signup

[maltherd]

• Update django-axes
• Adapt django-axes settings in order to avoid unwanted locked users
• ⚠️ Adapt .env config

[monodo]

@maltherd the easy login buttons do no longer work locally, could yo take a look ? I think you need to adapt the element name in the js login function that is called upon click on the role login buttons:

[monodo]

@maltherd @rbovard should we not display (readonly ?) the username (if exists) and the email in the /profile/edit/ view ?

[monodo]

@maltherd rename the placeholder to "Email ou Identifiant" in order to avoid confusion by user who might try to write [email protected]/johny ?

[rbovard]

@maltherd @rbovard should we not display (readonly ?) the username (if exists) and the email in the /profile/edit/ view ?

Of course, even editable like now, no? Because how can I update my email if I want to?

[rbovard]

@maltherd rename the placeholder to "Email ou Identifiant" in order to avoid confusion by user who might try to write [email protected]/johny ?

+1 I would suggest "Email ou identifiant" (with i)

[monodo]

@maltherd @rbovard should we not display (readonly ?) the username (if exists) and the email in the /profile/edit/ view ?

Of course, even editable like now, no? Because how can I update my email if I want to?

Only email, right ? Don't display username if None and read username readonly, as we don't want to use it in the future, right ?

[rbovard]

Only email, right ? Don't display username if None and read username readonly, as we don't want to use it in the future, right ?

+1

And which value is displayed on the top right menu?

[maltherd]

@maltherd the easy login buttons do no longer work locally, could yo take a look ? I think you need to adapt the element name in the js login function that is called upon click on the role login buttons:

The js login function is provided in the APPLICATION_DESCRIPTION constance setting which is provided by the fixturize management command. The issue is due to the field changing name (id_username → id_email_or_username).

The fixturize code was patched (see here) but for existing installations, the only choice (I think) is to rerun fixturize or to change the constance setting. There aren't constance migrations, are there ?

[maltherd]

Only email, right ? Don't display username if None and read username readonly, as we don't want to use it in the future, right ?

+1

And which value is displayed on the top right menu?

In this PR's code, the full name (first name + last name) is currently displayed in the top right (see here)

[maltherd]

Solved comments have been reacted to with 👍

[monodo]

@maltherd it looks like with the new login system, tested on preprod instance, Django-Axes lockout configuration AXES_LOCK_OUT_BY_COMBINATION_USER_AND_IP (https://django-axes.readthedocs.io/en/latest/4_configuration.html ) does not manage to discriminate between users and locks any account coming from the same IP address after 3 failing attemps.
Would you adapt the login system or configure Django-Axes differently ?