Start creating and storing UserUniqueLogin.ip_address_id (#19123)

di · web-flow · commit 4e7e68a8ce9c · 2025-12-02T17:45:18.000Z
diff --git a/tests/unit/accounts/test_services.py b/tests/unit/accounts/test_services.py
@@ -2045,6 +2045,7 @@ def test_device_is_not_known(self, user_service, monkeypatch):
                 )
             },
             find_service=lambda *a, **kw: token_service,
+            ip_address=IpAddressFactory.create(ip_address=REMOTE_ADDR),
         )
 
         assert not user_service.device_is_known(user.id, user_service.request)
@@ -2114,6 +2115,7 @@ def test_device_is_pending_and_expired(self, user_service, monkeypatch):
                 )
             },
             find_service=lambda *a, **kw: token_service,
+            ip_address=IpAddressFactory.create(ip_address=REMOTE_ADDR),
         )
 
         assert not user_service.device_is_known(user.id, user_service.request)
@@ -2143,6 +2145,7 @@ def test_device_is_not_known_bad_user_agent(
             remote_addr=REMOTE_ADDR,
             headers=headers,
             find_service=lambda *a, **kw: token_service,
+            ip_address=IpAddressFactory.create(ip_address=REMOTE_ADDR),
         )
 
         assert not user_service.device_is_known(user.id, user_service.request)
diff --git a/warehouse/accounts/services.py b/warehouse/accounts/services.py
@@ -764,7 +764,8 @@ def device_is_known(self, userid, request):
         if not unique_login:
             unique_login = UserUniqueLogin(
                 user_id=userid,
-                ip_address=request.remote_addr,
+                ip_address=str(request.ip_address.ip_address),
+                ip_address_id=request.ip_address.id,
                 status=UniqueLoginStatus.PENDING,
                 expires=datetime.datetime.now(datetime.UTC)
                 + datetime.timedelta(seconds=token_service.max_age),
@@ -826,7 +827,7 @@ def device_is_known(self, userid, request):
         send_unrecognized_login_email(
             request,
             user,
-            ip_address=request.remote_addr,
+            ip_address=str(request.ip_address.ip_address),
             user_agent=user_agent_info.display(),
             token=token,
         )
diff --git a/warehouse/accounts/views.py b/warehouse/accounts/views.py
@@ -1030,7 +1030,7 @@ def _error(message):
     if unique_login is None:
         return _error(request._("Invalid login attempt."))
 
-    if unique_login.ip_address != request.remote_addr:
+    if unique_login.ip_address != str(request.ip_address.ip_address):
         return _error(
             request._(
                 "Device details didn't match, please try again from the device "
@@ -1548,7 +1548,7 @@ def _login_user(request, userid, two_factor_method=None, two_factor_label=None):
         request.db.query(UserUniqueLogin)
         .filter(
             UserUniqueLogin.user_id == userid,
-            UserUniqueLogin.ip_address == request.remote_addr,
+            UserUniqueLogin.ip_address == str(request.ip_address.ip_address),
         )
         .one_or_none()
     )
@@ -1560,7 +1560,8 @@ def _login_user(request, userid, two_factor_method=None, two_factor_label=None):
         # if this is non-phishable.
         unique_login = UserUniqueLogin(
             user_id=userid,
-            ip_address=request.remote_addr,
+            ip_address=str(request.ip_address.ip_address),
+            ip_address_id=request.ip_address.id,
             status=UniqueLoginStatus.CONFIRMED,
         )
         request.db.add(unique_login)
diff --git a/warehouse/locale/messages.pot b/warehouse/locale/messages.pot
@@ -333,35 +333,35 @@ msgstr ""
 msgid "You are now ${role} of the '${project_name}' project."
 msgstr ""
 
-#: warehouse/accounts/views.py:1588
+#: warehouse/accounts/views.py:1589
 #, python-brace-format
 msgid "Please review our updated <a href=\"${tos_url}\">Terms of Service</a>."
 msgstr ""
 
-#: warehouse/accounts/views.py:1800 warehouse/accounts/views.py:2054
+#: warehouse/accounts/views.py:1801 warehouse/accounts/views.py:2055
 #: warehouse/manage/views/oidc_publishers.py:126
 #: warehouse/manage/views/organizations.py:1805
 msgid ""
 "Trusted publishing is temporarily disabled. See https://pypi.org/help"
 "#admin-intervention for details."
 msgstr ""
 
-#: warehouse/accounts/views.py:1821
+#: warehouse/accounts/views.py:1822
 #: warehouse/manage/views/organizations.py:1828
 msgid "disabled. See https://pypi.org/help#admin-intervention for details."
 msgstr ""
 
-#: warehouse/accounts/views.py:1837
+#: warehouse/accounts/views.py:1838
 msgid ""
 "You must have a verified email in order to register a pending trusted "
 "publisher. See https://pypi.org/help#openid-connect for details."
 msgstr ""
 
-#: warehouse/accounts/views.py:1850
+#: warehouse/accounts/views.py:1851
 msgid "You can't register more than 3 pending trusted publishers at once."
 msgstr ""
 
-#: warehouse/accounts/views.py:1865
+#: warehouse/accounts/views.py:1866
 #: warehouse/manage/views/oidc_publishers.py:308
 #: warehouse/manage/views/oidc_publishers.py:423
 #: warehouse/manage/views/oidc_publishers.py:539
@@ -371,7 +371,7 @@ msgid ""
 "again later."
 msgstr ""
 
-#: warehouse/accounts/views.py:1875
+#: warehouse/accounts/views.py:1876
 #: warehouse/manage/views/oidc_publishers.py:321
 #: warehouse/manage/views/oidc_publishers.py:436
 #: warehouse/manage/views/oidc_publishers.py:552
@@ -380,23 +380,23 @@ msgstr ""
 msgid "The trusted publisher could not be registered"
 msgstr ""
 
-#: warehouse/accounts/views.py:1890
+#: warehouse/accounts/views.py:1891
 msgid ""
 "This trusted publisher has already been registered. Please contact PyPI's"
 " admins if this wasn't intentional."
 msgstr ""
 
-#: warehouse/accounts/views.py:1924
+#: warehouse/accounts/views.py:1925
 #: warehouse/manage/views/organizations.py:1893
 msgid "Registered a new pending publisher to create "
 msgstr ""
 
-#: warehouse/accounts/views.py:2067 warehouse/accounts/views.py:2080
-#: warehouse/accounts/views.py:2087
+#: warehouse/accounts/views.py:2068 warehouse/accounts/views.py:2081
+#: warehouse/accounts/views.py:2088
 msgid "Invalid publisher ID"
 msgstr ""
 
-#: warehouse/accounts/views.py:2094
+#: warehouse/accounts/views.py:2095
 msgid "Removed trusted publisher for project "
 msgstr ""
 
diff --git a/warehouse/utils/wsgi.py b/warehouse/utils/wsgi.py
@@ -154,6 +154,7 @@ def _ip_address(request):
     except NoResultFound:
         ip_address = IpAddress(ip_address=request.remote_addr)
         request.db.add(ip_address)
+        request.db.flush()  # To get the id if newly added
 
     ip_address.hashed_ip_address = request.remote_addr_hashed
     ip_address.geoip_info = {

Original file line number	Diff line number	Diff line change
`@@ -2045,6 +2045,7 @@ def test_device_is_not_known(self, user_service, monkeypatch):`
`2045`	`2045`	`)`
`2046`	`2046`	`},`
`2047`	`2047`	`find_service=lambda a, *kw: token_service,`
	`2048`	`+ ip_address=IpAddressFactory.create(ip_address=REMOTE_ADDR),`
`2048`	`2049`	`)`
`2049`	`2050`
`2050`	`2051`	`assert not user_service.device_is_known(user.id, user_service.request)`
`@@ -2114,6 +2115,7 @@ def test_device_is_pending_and_expired(self, user_service, monkeypatch):`
`2114`	`2115`	`)`
`2115`	`2116`	`},`
`2116`	`2117`	`find_service=lambda a, *kw: token_service,`
	`2118`	`+ ip_address=IpAddressFactory.create(ip_address=REMOTE_ADDR),`
`2117`	`2119`	`)`
`2118`	`2120`
`2119`	`2121`	`assert not user_service.device_is_known(user.id, user_service.request)`
`@@ -2143,6 +2145,7 @@ def test_device_is_not_known_bad_user_agent(`
`2143`	`2145`	`remote_addr=REMOTE_ADDR,`
`2144`	`2146`	`headers=headers,`
`2145`	`2147`	`find_service=lambda a, *kw: token_service,`
	`2148`	`+ ip_address=IpAddressFactory.create(ip_address=REMOTE_ADDR),`
`2146`	`2149`	`)`
`2147`	`2150`
`2148`	`2151`	`assert not user_service.device_is_known(user.id, user_service.request)`