Remove axes dependency to use only allauth's rate limiter

docker-app/qfieldcloud/core/apps.py

@@ -3,6 +3,3 @@
 
 class CoreConfig(AppConfig):
     name = "qfieldcloud.core"
-
-    def ready(self):
-        from qfieldcloud.core import signals  # noqa

docker-app/qfieldcloud/settings.py

@@ -11,7 +11,6 @@
 """
 
 import os
-from datetime import timedelta
 
 import sentry_sdk
 from sentry_sdk.integrations.django import DjangoIntegration
@@ -58,7 +57,6 @@
 WEB_HTTPS_PORT = os.environ.get("WEB_HTTPS_PORT")
 
 AUTHENTICATION_BACKENDS = [
-    "axes.backends.AxesBackend",
     # custom QFC backend that extends the `allauth` specific authentication methods
     # such as login by email, but restricting who can login to only regular users
     "qfieldcloud.authentication.auth_backends.AuthenticationBackend",
@@ -112,7 +110,6 @@
     "qfieldcloud.authentication",
     # 3rd party - keep at bottom to allow overrides
     "notifications",
-    "axes",
     "migrate_sql",
     "constance",
     "constance.backends.database",
@@ -135,7 +132,6 @@
     "auditlog.middleware.AuditlogMiddleware",
     "qfieldcloud.core.middleware.timezone.TimezoneMiddleware",
     "qfieldcloud.core.middleware.test.TestMiddleware",
-    "axes.middleware.AxesMiddleware",
     "allauth.account.middleware.AccountMiddleware",
 ]
 
@@ -360,6 +356,10 @@ def before_send(event, hint):
 ACCOUNT_EMAIL_CONFIRMATION_EXPIRE_DAYS = 3
 ACCOUNT_EMAIL_SUBJECT_PREFIX = ""
 
+# Django allauth's RateLimiter configuration
+# https://docs.allauth.org/en/latest/account/rate_limits.html
+ACCOUNT_RATE_LIMITS = {"login_failed": "10/m/ip,5/m/key"}
+
 # Choose one of "mandatory", "optional", or "none".
 # For local development and test use "optional" or "none"
 ACCOUNT_EMAIL_VERIFICATION = os.environ.get("ACCOUNT_EMAIL_VERIFICATION")
@@ -368,18 +368,6 @@ def before_send(event, hint):
 ACCOUNT_ADAPTER = "qfieldcloud.core.adapters.AccountAdapter"
 ACCOUNT_LOGOUT_ON_GET = True
 
-# Django axes configuration
-# https://django-axes.readthedocs.io/en/latest/4_configuration.html
-###########################
-# The integer number of login attempts allowed before a record is created for the failed logins. Default: 3
-AXES_FAILURE_LIMIT = 5
-# If True, only lock based on username, and never lock based on IP if attempts exceed the limit. Otherwise utilize the existing IP and user locking logic. Default: False
-AXES_ONLY_USER_FAILURES = True
-# If set, defines a period of inactivity after which old failed login attempts will be cleared. If an integer, will be interpreted as a number of hours. Default: None
-AXES_COOLOFF_TIME = timedelta(minutes=30)
-# If True, a successful login will reset the number of failed logins. Default: False
-AXES_RESET_ON_SUCCESS = True
-
 # Django email configuration
 EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend"
 EMAIL_HOST = os.environ.get("EMAIL_HOST")

docker-app/requirements/requirements.in

@@ -4,7 +4,6 @@ deprecated==1.2.14
 django==4.2.16
 django-allauth==65.3.0
 django-auditlog==3.0.0
-django-axes==5.40.1
 django-bootstrap4==24.3
 django-classy-tags==4.1.0
 django-common-helpers==0.9.2

docker-app/requirements/requirements.txt

@@ -46,7 +46,6 @@ django==4.2.16
     #   django-allauth
     #   django-appconf
     #   django-auditlog
-    #   django-axes
     #   django-bootstrap4
     #   django-classy-tags
     #   django-common-helpers
@@ -77,8 +76,6 @@ django-appconf==1.0.6
     # via django-cryptography
 django-auditlog==3.0.0
     # via -r /requirements/requirements.in
-django-axes==5.40.1
-    # via -r /requirements/requirements.in
 django-bootstrap4==24.3
     # via -r /requirements/requirements.in
 django-classy-tags==4.1.0