snapshot: preserve session hardening and account surface

backend/config/settings.py

@@ -1,4 +1,5 @@
 import os
+import sys
 from pathlib import Path
 
 BASE_DIR = Path(__file__).resolve().parent.parent
@@ -25,6 +26,28 @@ CSRF_COOKIE_SECURE = _secure_cookies
 DATA_UPLOAD_MAX_MEMORY_SIZE = int(os.getenv('DJANGO_DATA_UPLOAD_MAX_MEMORY_SIZE', str(10 * 1024 * 1024)))
 FILE_UPLOAD_MAX_MEMORY_SIZE = int(os.getenv('DJANGO_FILE_UPLOAD_MAX_MEMORY_SIZE', str(5 * 1024 * 1024)))
 
+CACHES = {
+    'default': {
+        'BACKEND': 'django.core.cache.backends.locmem.LocMemCache',
+        'LOCATION': 'workdock-default-cache',
+    }
+}
+
+SESSION_COOKIE_AGE = int(os.getenv('DJANGO_SESSION_COOKIE_AGE', str(60 * 60 * 8)))
+SESSION_SAVE_EVERY_REQUEST = os.getenv('DJANGO_SESSION_SAVE_EVERY_REQUEST', '1') == '1'
+SESSION_EXPIRE_AT_BROWSER_CLOSE = os.getenv('DJANGO_SESSION_EXPIRE_AT_BROWSER_CLOSE', '1') == '1'
+SESSION_IDLE_TIMEOUT_SECONDS = int(os.getenv('SESSION_IDLE_TIMEOUT_SECONDS', str(60 * 30)))
+SENSITIVE_ACTION_REAUTH_SECONDS = int(os.getenv('SENSITIVE_ACTION_REAUTH_SECONDS', str(60 * 20)))
+
+RATE_LIMIT_LOGIN_LIMIT = int(os.getenv('RATE_LIMIT_LOGIN_LIMIT', '8'))
+RATE_LIMIT_LOGIN_WINDOW = int(os.getenv('RATE_LIMIT_LOGIN_WINDOW', '300'))
+RATE_LIMIT_PASSWORD_RESET_LIMIT = int(os.getenv('RATE_LIMIT_PASSWORD_RESET_LIMIT', '5'))
+RATE_LIMIT_PASSWORD_RESET_WINDOW = int(os.getenv('RATE_LIMIT_PASSWORD_RESET_WINDOW', '600'))
+RATE_LIMIT_ADMIN_ACTION_LIMIT = int(os.getenv('RATE_LIMIT_ADMIN_ACTION_LIMIT', '20'))
+RATE_LIMIT_ADMIN_ACTION_WINDOW = int(os.getenv('RATE_LIMIT_ADMIN_ACTION_WINDOW', '300'))
+RATE_LIMIT_ENABLED = os.getenv('RATE_LIMIT_ENABLED', '1') == '1'
+RUN_SECURITY_CHECKS_DURING_TESTS = os.getenv('RUN_SECURITY_CHECKS_DURING_TESTS', '0') == '1'
+
 INSTALLED_APPS = [
     'django.contrib.admin',
     'django.contrib.auth',
@@ -41,8 +64,10 @@ MIDDLEWARE = [
     'django.middleware.locale.LocaleMiddleware',
     'django.middleware.common.CommonMiddleware',
     'workflows.middleware.RequestIDMiddleware',
+    'workflows.middleware.RateLimitMiddleware',
     'django.middleware.csrf.CsrfViewMiddleware',
     'django.contrib.auth.middleware.AuthenticationMiddleware',
+    'workflows.middleware.AuthSessionHardeningMiddleware',
     'django.contrib.messages.middleware.MessageMiddleware',
     'django.middleware.clickjacking.XFrameOptionsMiddleware',
     'workflows.middleware.TrialModeMiddleware',
@@ -72,9 +97,9 @@ ASGI_APPLICATION = 'config.asgi.application'
 DATABASES = {
     'default': {
         'ENGINE': 'django.db.backends.postgresql',
-        'NAME': os.getenv('POSTGRES_DB', 'onoff'),
-        'USER': os.getenv('POSTGRES_USER', 'onoff'),
-        'PASSWORD': os.getenv('POSTGRES_PASSWORD', 'onoff'),
+        'NAME': os.getenv('POSTGRES_DB', 'workdock'),
+        'USER': os.getenv('POSTGRES_USER', 'workdock'),
+        'PASSWORD': os.getenv('POSTGRES_PASSWORD', 'workdock'),
         'HOST': os.getenv('POSTGRES_HOST', 'db'),
         'PORT': int(os.getenv('POSTGRES_PORT', '5432')),
     }

backend/config/urls.py

@@ -4,7 +4,7 @@ from django.contrib import admin
 from django.contrib.auth import views as auth_views
 from django.urls import include, path
 
-from workflows.forms import AppAuthenticationForm, AppPasswordResetForm, AppSetPasswordForm
+from workflows.forms import AppAuthenticationForm, AppPasswordChangeForm, AppPasswordResetForm, AppSetPasswordForm
 
 urlpatterns = [
     path('admin/', admin.site.urls),
@@ -24,6 +24,19 @@ urlpatterns = [
         auth_views.PasswordResetView.as_view(template_name='workflows/auth/password_reset_form.html', form_class=AppPasswordResetForm),
         name='password_reset',
     ),
+    path(
+        'accounts/password_change/',
+        auth_views.PasswordChangeView.as_view(
+            template_name='workflows/auth/password_change_form.html',
+            form_class=AppPasswordChangeForm,
+        ),
+        name='password_change',
+    ),
+    path(
+        'accounts/password_change/done/',
+        auth_views.PasswordChangeDoneView.as_view(template_name='workflows/auth/password_change_done.html'),
+        name='password_change_done',
+    ),
     path(
         'accounts/password_reset/done/',
         auth_views.PasswordResetDoneView.as_view(template_name='workflows/auth/password_reset_done.html'),