openwisp/openwisp-users

[feature] Password expiration


We need to implement an optional feature that enables password expiration for end users.

Define settings to enable or disable this feature

  • Setting and admin UI field to enable/disable feature (and specify how many months), disabled by default
  • Setting and admin UI field to enable/disable feature (and specify how many months) also for staff users
  • Add fields to user model: password updated date field, allowed to be None, shall remain None for users who use social login or SAML
  • Add a filter in the admin to show users whose password has expired according to the setting
    (the filter shall be shown only if the setting is enabled; it's a boolean and, if true, it must look for users whose password update date is older than the number of months specified in the settings)

Changes in allauth views

Other changes needed to allow expired users to change their password:

  • LOGIN_REDIRECT_URL must point by default to a new view with these characteristics:
    • if the password has not expired and the user has is_staff=True, redirect to the admin
    • if the password has expired, or if it has not expired but the user is not staff (is_staff=False), redirect to the change password view

Celery tasks

We have discussed adding a background task for celery beat running daily at 1:00 AM by default.

Look for users (using the iterator() ORM method) who are members of at least one of the enabled organizations and:

  • have a usable password (hence excluding social login / SAML)
  • have the password updated date older than X
  • have a verified email address - (since we need to send emails)
  • are not staff user (is_staff=False) if the feature is disabled for staff users

If the password is about to expire in exactly 7 days, send an email notification with a warning that the password is about to expire and a call to action link to change the password.

These changes will require updating ansible-openwisp2 to include this task to the celery beat settings.

Other changes

This is how we planned the implementation of this feature:

  • Override the User.set_password method to update the password_updated date field if the feature is enabled

  • Modify the auth backend so that, if the feature is enabled, it checks whether the user has a usable password and, if the password is expired, returns false; it also adds a warning via the messages framework saying "Your password has expired, please update your password", with a link to the password change view of allauth.
    Add another, alternative auth backend, eg: UsersAllowExpiredPassBackend, which we'll use in the allauth accounts adapter for the non-admin pages; this backend shall authenticate users even if their password is expired.

  • Add backend attribute to allauth adapter which points to the UsersAllowExpiredPassBackend
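The expiration rules described in the "Celery tasks" and "Other changes" sections (None password date for social login / SAML users, separate months for staff, the 7-day warning, and the post-login redirect) as a framework-independent sketch. This is an added example, not code from openwisp-users; the setting names, the `User` stand-in and the "main setting must be enabled for staff too" interpretation are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class ExpirationSettings:
    # hypothetical setting names; both features are disabled by default
    enabled: bool = False
    months: int = 6
    staff_enabled: bool = False
    staff_months: int = 6


@dataclass
class User:
    # stand-in for the user model fields the issue talks about
    is_staff: bool = False
    has_usable_password: bool = True  # False for social login / SAML
    password_updated: Optional[date] = None  # stays None for social / SAML


def add_months(d: date, months: int) -> date:
    """Add calendar months, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def expiry_date(user: User, settings: ExpirationSettings) -> Optional[date]:
    """Date the password expires, or None when expiration does not apply."""
    if not settings.enabled or not user.has_usable_password:
        return None
    if user.password_updated is None:  # social login / SAML accounts
        return None
    if user.is_staff:
        if not settings.staff_enabled:  # feature disabled for staff
            return None
        return add_months(user.password_updated, settings.staff_months)
    return add_months(user.password_updated, settings.months)


def is_expired(user: User, settings: ExpirationSettings, today: date) -> bool:
    exp = expiry_date(user, settings)
    return exp is not None and today >= exp


def warn_today(user: User, settings: ExpirationSettings, today: date) -> bool:
    """True on the single day the daily task should send the 7-day warning."""
    exp = expiry_date(user, settings)
    return exp is not None and exp - today == timedelta(days=7)


def login_redirect(user: User, settings: ExpirationSettings, today: date) -> str:
    """Target of the LOGIN_REDIRECT_URL view: 'admin' or 'password_change'."""
    if user.is_staff and not is_expired(user, settings, today):
        return "admin"
    return "password_change"
```

The auth backend from the "Other changes" section would call `is_expired` and refuse the login, while the allauth-facing backend would skip that check; the beat task would iterate users and call `warn_today`.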

Other modules

Ansible OpenWISP 2: openwisp/ansible-openwisp2#449
OpenWISP RADIUS: openwisp/openwisp-radius#491
WiFi Login Pages: openwisp/openwisp-wifi-login-pages#713

@nemesifier and I discussed the complexities arising due to adding organization fields for configuring password expiration time and decided to only support project level settings right now. We would implement organization fields later if needs arise.