8.0 add auth track and prevent brut force

[legalsylvain]

Add a module to limit brut force attack on authentication.
Define an ir.config_parameter that mentions max attempts.
Once this maximum reached, the remote user will be blocked. (by IP).

See readme file for the whole description.

Thanks for your review.

[pedrobaeza]

Very interesting module. I think the name can be shorten to auth_brute_force, because we don't need to put the full title on the name 😉

[pedrobaeza]

s/Brut Force/Brut-force attacks

[pedrobaeza]

Does that call delay the login? It should be then put on Known issues, or prepare an asynchronous call for that

[legalsylvain]

The call is done when the user is banned. So it doesn't delay the login...

[pedrobaeza]

Good icon! Do you have the SVG version? Can you remove blank background from it and let it transparent?

[pedrobaeza]

Please put also icon reference on credits (ensuring it can be used - CC license?)

[pedrobaeza]

Sorry for bothering you again. In last commit you have changed references to auth_brut_force instead of auth_brute_force

[legalsylvain]

hi @pedrobaeza ! Thanks for your review !

• About what odoo returns, I updated the description. This point is pretty important, the module don't change the behaviour. Odoo will simply indicates that the combination is bad (even if the attacker finally find the good combination of login / password)
• About logging, log can be used by a system that parse logs, or by sentry system, when table will not. (or not so easy). But I can understand that it is redundant.
• About the image, I have to fix it;

I changed the rest according to your other comments.

[elicoidal]

Suggestion:
Tracks Authentication Attempts and Prevents Brute-force Attacks
or
Authentication Tracking and Brute-force Attacks Prevention
=> 2 verbs or 2 nouns. I prefer the first one.

[pedrobaeza]

One minor remark:

access_res_authentication_attempt,access_res_authentication_attempt,model_res_authentication_attempt,,1,0,0,0 

The rest seems 👍 (code review)

[legalsylvain]

Thanks for your review, @pedrobaeza.
I added security file, giving read access to all users, and write / Delete access to "config / settting" members. (admin, by default).
Kind regards.

[max3903]

👍

[rafaelbn]

Hi @legalsylvain , I would like to ash about this module after reading README. Does it notify to any user in Odoo to take care about? (notify -> email). Thanks!

[dreispt]

But this is expected to be the usual case, isn't it?
I'm a little out of step here, be shouldn't we also look into X-Forwarded-For?

[alexis-via]

I think it's a kind of privacy flaw to allow all users to read res.authentication.attempt. And it's not needed to give that right to all users.

[legalsylvain]

You're probably right. (the same for model_res_banned_remote I guess)
feel free to propose a PR, I'll review it quickly. (you can too replace by xml, as yml is now deprecated)