Login using device_cookie, ip_address

I have never managed to log in using device_cookie or ip_address.

[session]
authentication_ip_network = 2a02:x:x:x::x/128,10.1.1.2/32
authentications = ip_address,device_cookie,password

I am asked for password each time I log on using tryton.
My questions are as follows:

  1. Why can I only log in by password?
  2. Since I can only log in by password, it seems ip_address is failing.
  3. Why is device_cookie failing?

I have tested all manner of formatting IP addresses (IPv6, IPv4); all fail.

dot ~$ tryton -v 
INFO:tryton.rpc:common.authentication.services()
INFO:tryton.rpc:common.server.version(None, None)
INFO:tryton.common.common:Check URL: https://downloads.tryton.org/7.0/tryton-7.0.1.tar.gz
INFO:tryton.rpc:common.db.login(dotbit, xxxxxxxxxx, en)
INFO:tryton.rpc:common.db.login(dotbit, xxxxxxxxxx, en)
INFO:tryton.rpc:model.res.user.device.renew('<device_cookie>', {'client': 'x'})
INFO:tryton.rpc:model.res.user.get_preferences(True, {'client': 'x'})

I can find the <device_cookie> in res.user.device.

trytond traceback:

93793 16489289061952 [2023-11-01 08:02:00,012] DEBUG trytond.cache clearing cache 'carrier.selection.get_carriers' of 'test'
93793 16489289061952 [2023-11-01 08:02:00,013] DEBUG trytond.backend.postgresql.database b'SELECT COUNT(\'*\') FROM "res_user_login_attempt" AS "a" WHERE (("a"."ip_network" = \'10.1.1.2/32\') AND ("a"."create_date" >= \'2023-11-01T07:57:00.013320\'::timestamp))'
93793 16489289061952 [2023-11-01 08:02:00,015] DEBUG trytond.backend.postgresql.database b'SELECT "a"."id" AS "id", "a"."cookie" AS "cookie", "a"."create_date" AS "create_date", "a"."create_uid" AS "create_uid", "a"."login" AS "login", "a"."write_date" AS "write_date", "a"."write_uid" AS "write_uid", CAST(EXTRACT(\'EP
93793 16489289061952 [2023-11-01 08:02:00,016] DEBUG trytond.backend.postgresql.database b'SELECT COUNT(\'*\') FROM "res_user_login_attempt" AS "a" WHERE ((("a"."login" = \'dotbit\') AND ("a"."device_cookie" = \'f0da536fb2d44127b455eaccad5fb0e1\')) AND ("a"."create_date" >= \'2023-11-01T07:57:00.016654\'::timestamp))'
93793 16489289061952 [2023-11-01 08:02:00,017] INFO trytond.res.user Missing login method: ip_address
93793 16489289061952 [2023-11-01 08:02:00,017] INFO trytond.res.user Missing login method: device_cookie
93793 16489289061952 [2023-11-01 08:02:00,017] DEBUG trytond.backend.postgresql.database b'SELECT "a"."id" AS "id", "a"."create_date" AS "create_date", "a"."create_uid" AS "create_uid", "a"."db_id" AS "db_id", "a"."fs_id" AS "fs_id", "a"."fs_values" AS "fs_values", "a"."model" AS "model", "a"."module" AS "module", "a"
93793 16489289061952 [2023-11-01 08:02:00,018] DEBUG trytond.backend.postgresql.database b'SELECT "a"."write_date" AS "write_date", "a"."db_id" AS "db_id", "a"."id" AS "id" FROM "ir_model_data" AS "a" WHERE (("a"."id" IN (666)))'
93793 16489289061952 [2023-11-01 08:02:00,019] DEBUG trytond.backend.postgresql.database b'SELECT "a"."text" AS "text", "a"."write_date" AS "write_date", "a"."id" AS "id" FROM "ir_message" AS "a" WHERE (("a"."id" IN (103)))'
93793 16489289061952 [2023-11-01 08:02:00,020] DEBUG trytond.backend.postgresql.database b'SELECT "a"."id" AS "id", "a"."create_date" AS "create_date", "a"."create_uid" AS "create_uid", "a"."fuzzy" AS "fuzzy", "a"."lang" AS "lang", "a"."module" AS "module", "a"."name" AS "name", "a"."overriding_module" AS "overriding_
93793 16489289061952 [2023-11-01 08:02:00,026] DEBUG trytond.wsgi Exception when processing <JSONRequest 10.1.1.2 'http://10.1.1.2:8000/test/' [POST] common.db.login>
Traceback (most recent call last):
  File "/var/tryton/7.0/lib/python3.11/site-packages/trytond/wsgi.py", line 109, in dispatch_request
    return endpoint(request, **request.view_args)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/tryton/7.0/lib/python3.11/site-packages/trytond/protocols/dispatcher.py", line 43, in rpc
    return methods.get(request.rpc_method, _dispatch)(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/tryton/7.0/lib/python3.11/site-packages/trytond/protocols/dispatcher.py", line 53, in login
    session = security.login(
              ^^^^^^^^^^^^^^^
  File "/var/tryton/7.0/lib/python3.11/site-packages/trytond/security.py", line 33, in login
    user_id = User.get_login(loginname, parameters)
              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/tryton/7.0/lib/python3.11/site-packages/trytond/res/user.py", line 705, in get_login
    user_ids.add(func(login, parameters))
                 ^^^^^^^^^^^^^^^^^^^^^^^
  File "/var/tryton/7.0/lib/python3.11/site-packages/trytond/res/user.py", line 748, in _login_password
    raise LoginException('password', msg, type='password')
trytond.exceptions.LoginException: ('LoginException', ('password', 'Password for dotbit', 'password'))
93793 16489289061952 [2023-11-01 08:02:00,028] INFO werkzeug 10.1.1.2 - - [01/Nov/2023 08:02:00] "POST /test/ HTTP/1.1" 200 -

https://docs.tryton.org/projects/server/en/latest/topics/configuration.html#session

"A comma separated list of the authentication methods to try when attempting to verify a user’s identity. Each method is tried in turn, following the order of the list, until one succeeds. In order to allow multi-factor authentication, individual methods can be combined together using a plus (+) symbol."
My understanding is that first ip_address is tested, then device_cookie and if both fail password is tested.
If ip_address succeeded, then the others would not be tried.

ip_address is not an authentication method but an option for any login method that restricts the login to an IP network, which must be configured with authentication_ip_network.

device_cookie is also a login option; it requires a device cookie. It is part of the protection mechanism against brute-force attacks that is always activated.

For example:

[session]
authentications = password?ip_address:device_cookie
authentication_ip_network = 127.0.0.1/24
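
The distinction drawn in the reply above, as an added example that is not part of the thread and is not trytond's own code: a small linter that splits `authentications` on `,`, `+` and `?opt:opt` and flags options listed where a method is expected. It assumes `password` is the only installed method and that the two options named in the thread are the only ones; the function names and sample blocks are constructed for illustration.

```python
import configparser
import ipaddress

# Per the reply above: options attached to a method, not methods themselves.
# Assumption: these two are the only options.
OPTIONS = {"ip_address", "device_cookie"}
# Assumption: only the default password method is available on the server.
METHODS = {"password"}

# Constructed samples: the question's [session] block (its redacted IPv6
# address replaced by a documentation address) and the reply's block.
QUESTION_CFG = """[session]
authentication_ip_network = 2001:db8::1/128,10.1.1.2/32
authentications = ip_address,device_cookie,password
"""
REPLY_CFG = """[session]
authentications = password?ip_address:device_cookie
authentication_ip_network = 127.0.0.1/24
"""

def parse_authentications(value):
    """'a?x:y+b,c' -> [[('a', ['x', 'y']), ('b', [])], [('c', [])]]"""
    chains = []
    for alternative in filter(None, (a.strip() for a in value.split(","))):
        factors = []
        for factor in alternative.split("+"):
            method, _, opts = factor.strip().partition("?")
            factors.append((method, [o for o in opts.split(":") if o]))
        chains.append(factors)
    return chains

def lint_session(ini_text, methods=METHODS):
    """Return human-readable findings for a [session] section."""
    cfg = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cfg.read_string(ini_text)
    session, findings, uses_ip = cfg["session"], [], False
    for chain in parse_authentications(session.get("authentications", "password")):
        for method, options in chain:
            if method in OPTIONS:
                findings.append(f"{method}: option listed as a method")
            elif method not in methods:
                findings.append(f"{method}: unknown login method")
            findings += [f"{o}: unknown option" for o in options if o not in OPTIONS]
            uses_ip = uses_ip or "ip_address" in options
    raw = session.get("authentication_ip_network", "")
    networks = [n.strip() for n in raw.split(",") if n.strip()]
    for net in networks:
        try:
            ipaddress.ip_network(net, strict=False)  # this linter tolerates host bits
        except ValueError:
            findings.append(f"{net}: not a valid IP network")
    if uses_ip and not networks:
        findings.append("ip_address option set but no authentication_ip_network")
    return findings
```

Run against the question's block, it reports `ip_address` and `device_cookie` as options listed as methods, matching the two "Missing login method" lines in the server log; the reply's block produces no findings.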

Understood. Which is already documented by:
By default, Tryton only supports the password method.

I wonder if the wording could be tweaked.

I interpreted it as “The default authentication method is password, unless changed in the config file”.

while the meaning is actually: “The only authentication method that is supported out of the box unless a module implementing other authentication methods is activated.”.

But I guess my interpretation was incorrect.
Thank you Cedric!
