
Expire Password Feature

Open: 9mido opened this issue 3 years ago • 1 comment

What does everyone think about an optional setting like ACCOUNT_PASSWORD_EXPIRE = True|False and ACCOUNT_PASSWORD_EXPIRE_DAYS = integer? This would allow any website to force users to change their password every X number of days.

Another possibility would be whether you would want to allow users to re-use their previous passwords again or not. But this can always be a future thing.

This Stack Overflow answer uses a custom user model to do it, so that would probably need to be written up in the documentation with a custom user model example.

https://stackoverflow.com/questions/15571046/django-force-password-expiration

There is also:

https://github.com/pinax/django-user-accounts

But how would this tie into allauth?

9mido, May 03 '21 02:05

I would support this and any other feature that allows for the option of more security / privacy.

+1

derek-adair, Sep 18 '23 01:09

@pennersr I'll do it, will share the outline shortly with you.

varunsaral, Jan 27 '24 03:01

Coming back to this, will start scoping this.

varunsaral, Mar 14 '24 04:03

@pennersr, can I take a look into this?

shoaib-moeen, May 17 '24 18:05

Hey @shoaib-moeen, apologies, I'm late on this, but I have already started working on it. I'd be very grateful if you could look into some other issues. Thank you. Sorry @pennersr for being late, I was busy with work.

varunsaral, May 17 '24 18:05

Hello @pennersr, after going through the user model implementation here, I could not find any field which tracks the last password update date; there's only date_joined. Since we are mainly using EmailAddress in account, can we add a field to track the last password change and use the emitted signals (password_changed, password_reset, password_set) to update it? And probably while logging in we can check from the settings property whether we have password expiry turned on and, if date.now - delta > limit, redirect to the password set view. Please help me tell if I am thinking in the right direction or am I completely lost.

varunsaral, Jul 26 '24 19:07
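To make the design in the comment above concrete (the settings proposed at the top of the thread, a per-user "last password change" record updated from the password_changed / password_reset / password_set signals, a login-time expiry check, and the password-reuse idea), here is an added example. It is not django-allauth code and not anything the participants wrote: it models the mechanism with the Python standard library only, so it runs without Django. `PasswordState`, `ACCOUNT_PASSWORD_HISTORY`, the tiny `connect`/`send` dispatcher standing in for Django signals, the function names, and the `/accounts/password/set/` redirect target are all assumptions made for the illustration. It also handles the edge case the comment does not mention: users created before the new field existed have no timestamp, so the check falls back to `date_joined` rather than treating them as recently changed.

```python
# Added illustration for this thread; not django-allauth code. It models the
# state and checks described in the issue with the standard library only.
# Every name below is an assumption for the example, not an allauth API.
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Settings as proposed in the issue; ACCOUNT_PASSWORD_HISTORY is an assumed
# companion setting for the "do not allow re-use of previous passwords" idea.
ACCOUNT_PASSWORD_EXPIRE = True
ACCOUNT_PASSWORD_EXPIRE_DAYS = 90
ACCOUNT_PASSWORD_HISTORY = 5


@dataclass
class PasswordState:
    """Stand-in for the per-user field/model the comment proposes.

    All datetimes are timezone-aware (Django's USE_TZ=True convention).
    """
    date_joined: datetime
    password_changed_at: Optional[datetime] = None
    previous_hashes: list = field(default_factory=list)  # [(salt, digest), ...]


def _digest(password: str, salt: bytes) -> bytes:
    # Standalone PBKDF2 so the history check does not depend on Django's hashers.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def password_was_used_before(state: PasswordState, candidate: str) -> bool:
    """Reuse check against the remembered history, using constant-time compares."""
    return any(
        hmac.compare_digest(_digest(candidate, salt), digest)
        for salt, digest in state.previous_hashes
    )


def record_password_change(state: PasswordState, new_password: str,
                           now: datetime, **_) -> None:
    """Handler for the password_changed / password_reset / password_set signals."""
    salt = os.urandom(16)
    state.previous_hashes.append((salt, _digest(new_password, salt)))
    del state.previous_hashes[:-ACCOUNT_PASSWORD_HISTORY]  # keep only the newest N
    state.password_changed_at = now


def password_expired(state: PasswordState, now: datetime) -> bool:
    """The login-time check: now - last change > configured limit."""
    if not ACCOUNT_PASSWORD_EXPIRE:
        return False
    # Edge case: users created before the field existed have no timestamp.
    # Fall back to date_joined instead of treating them as freshly changed.
    last = state.password_changed_at or state.date_joined
    return now - last > timedelta(days=ACCOUNT_PASSWORD_EXPIRE_DAYS)


def post_login_redirect(state: PasswordState, now: datetime,
                        default: str = "/",
                        set_password_url: str = "/accounts/password/set/") -> str:
    """Where to send the user after login; the set-password URL is an assumed value."""
    return set_password_url if password_expired(state, now) else default


# A tiny dispatcher standing in for Django's Signal.connect / Signal.send.
_handlers: dict[str, list[Callable]] = {}


def connect(signal_name: str, handler: Callable) -> None:
    _handlers.setdefault(signal_name, []).append(handler)


def send(signal_name: str, **kwargs) -> None:
    for handler in _handlers.get(signal_name, []):
        handler(**kwargs)


# The three signals named in the comment all mean "the password just changed".
for _name in ("password_changed", "password_reset", "password_set"):
    connect(_name, record_password_change)


if __name__ == "__main__":
    joined = datetime(2024, 1, 1, tzinfo=timezone.utc)
    user = PasswordState(date_joined=joined)
    print(password_expired(user, joined + timedelta(days=91)))   # True: never changed
    send("password_reset", state=user, new_password="correct horse",
         now=joined + timedelta(days=80))
    print(password_expired(user, joined + timedelta(days=91)))   # False: changed 11 days ago
    print(password_was_used_before(user, "correct horse"))       # True
```

In a real integration the handler would be connected to the allauth signals and the state kept on a model; the point of the example is that the expiry decision only needs a timestamp, the configured day limit, and a defined answer for users who have no timestamp yet.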

Expire password indeed requires a new field/model to keep track of state. When taking this on, the scope can increase considerably, as it is actually part of a bigger policies feature, where you could specify e.g. whether or not passwords expire, how many previous passwords to remember, whether or not 2FA is to be enforced, and so on. Perhaps one day this could be taken into scope, but for now I think all of this is best explored in a project of its own.

pennersr, Jul 26 '24 19:07

Understood @pennersr, so are we closing this issue for now, or perhaps I can do some POCs in my fork and raise an MR when it's mature enough? I can attempt it with your occasional reviews, or maybe look into some other issue here.

varunsaral, Jul 26 '24 19:07