Files
Nexus/server/infrastructure/database/admin_repo.py
T
Your Name 928e3c5fdb fix: 登录白名单 IP 绕过防暴破锁定
白名单内 IP 跳过失败次数锁定;失败仅审计不计数;成功登录清除该用户历史失败记录。

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-02 01:37:22 +08:00

62 lines
2.3 KiB
Python

"""Nexus — Admin & LoginAttempt Repository (Async SQLAlchemy)"""
from typing import Optional
from sqlalchemy import select, func, delete
from sqlalchemy.ext.asyncio import AsyncSession
from server.domain.models import Admin, LoginAttempt
class AdminRepositoryImpl:
def __init__(self, session: AsyncSession):
self.session = session
async def get_by_id(self, id: int) -> Optional[Admin]:
result = await self.session.execute(select(Admin).where(Admin.id == id))
return result.scalar_one_or_none()
async def get_by_username(self, username: str) -> Optional[Admin]:
result = await self.session.execute(select(Admin).where(Admin.username == username))
return result.scalar_one_or_none()
async def create(self, admin: Admin) -> Admin:
self.session.add(admin)
await self.session.commit()
return admin
async def update(self, admin: Admin) -> Admin:
await self.session.commit()
return admin
class LoginAttemptRepositoryImpl:
def __init__(self, session: AsyncSession):
self.session = session
async def create(self, attempt: LoginAttempt) -> LoginAttempt:
self.session.add(attempt)
await self.session.commit()
return attempt
async def count_recent_failures(self, username: str, ip_address: str, minutes: int = 15) -> int:
from datetime import datetime, timedelta, timezone
cutoff = datetime.now(timezone.utc) - timedelta(minutes=minutes)
# Lock by username (primary) OR by IP (secondary) — whichever is over threshold.
# Using IP-only for counting means an attacker can rotate IPs to bypass;
# we count all IPs that attempted this username so rotating IPs doesn't help.
result = await self.session.execute(
select(func.count(LoginAttempt.id))
.where(LoginAttempt.username == username)
.where(LoginAttempt.success == False)
.where(LoginAttempt.attempted_at >= cutoff)
)
return result.scalar_one() or 0
async def clear_failures_for_username(self, username: str) -> int:
result = await self.session.execute(
delete(LoginAttempt)
.where(LoginAttempt.username == username)
.where(LoginAttempt.success == False)
)
await self.session.commit()
return result.rowcount or 0