#7432 Password expiration

v1.2.0
closed
nobody
42cc (432)
General
2015-08-20
2014-06-02
No

Site administrators should be able to control password expiration rules for accounts. I think there are 2 ways we should support now: a number of days since last changed (e.g. auth.pwdexpire.days = 180) and a force reset for everyone before a certain time (e.g. auth.pwdexpire.before = 1401742705). They should be complementary, so both settings could potentially be used at the same time. Default to no expirations.

This should rely on the AuthenticationProvider interface, so different implementations can record the field for last time a password was changed in their own way. I'm thinking perhaps each provider should be responsible for setting it within their set_password and then have a new method to get that value for a given user. Then the logic & forms of this new feature can work with any auth provider. Implement as a mongo field for the LocalAuthenticationProvider. I think for the LDAP provider, we should use the same mongo field on the User model (storing in LDAP would be nice, but could require an LDAP schema change for admins and we have a mongo user record for everyone anyway).

Upon successful login, if a password is expired, require the user to change their password before continuing anywhere in the site. Using the existing password_change_form seems good: requiring entering old password again and new one twice.

Related

Tickets: #7436
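The expiration rule proposed above, as an added example (not Allura's code): a check that honours both `auth.pwdexpire.days` and `auth.pwdexpire.before` at once and defaults to no expiration, plus the post-login redirect and the "new password must differ from the old one" check raised later in the review. The `/auth/pwd_expired` path, the `config` dict shape and treating an unknown last-change time as expired are assumptions.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode


def _utc(ts):
    """Epoch seconds (as stored in the ini file) -> aware UTC datetime."""
    return datetime.fromtimestamp(int(ts), timezone.utc)


def password_expired(config, last_changed, now=None):
    """True if the user must change their password before continuing.

    config:       ini-style settings, e.g. {'auth.pwdexpire.days': '180'}
    last_changed: aware UTC datetime recorded by the auth provider's
                  set_password, or None if it never recorded one
    The two rules are complementary: either one firing means expired.
    """
    now = now or datetime.now(timezone.utc)
    days = config.get('auth.pwdexpire.days')
    before = config.get('auth.pwdexpire.before')
    if not days and not before:
        return False  # default: passwords never expire
    if last_changed is None:
        # assumption: no recorded change time counts as expired once any rule is active
        return True
    if days and now - last_changed > timedelta(days=int(days)):
        return True  # older than the allowed age
    if before and last_changed < _utc(before):
        return True  # forced reset for everyone who changed before the cut-off
    return False


def post_login_redirect(config, last_changed, return_to='/', now=None):
    """Where to send the user after login, preserving the login form's return_to."""
    if password_expired(config, last_changed, now):
        # hypothetical path for the expired-password form
        return '/auth/pwd_expired?' + urlencode({'return_to': return_to})
    return return_to


def new_password_ok(old_password, new_password, confirm):
    """Change-form rule: non-empty, both entries match, and not the current password."""
    return bool(new_password) and new_password == confirm and new_password != old_password
```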

Discussion

  • Igor Bondarenko - 2014-06-05
    • status: in-progress --> code-review
  • Igor Bondarenko - 2014-06-05

    Closed #598. je/42cc_7432

    New options:

    auth.pwdexpire.days = 1
    auth.pwdexpire.before = 1401949912

    For testing the LDAP provider on the sandbox, use the 'allura' theme, since password_change_form is available only there (will be fixed in [#7436], I think).


    Related

    Tickets: #7436

  • Igor Bondarenko - 2014-06-06

    Rebased to branch from [#7436] and force-pushed. See details in my comment on [#7436].


    Related

    Tickets: #7436

  • Dave Brondsema - 2014-06-06
    • status: code-review --> in-progress
    • QA: Dave Brondsema
  • Dave Brondsema - 2014-06-06
    • TestLocalAuthenticationProvider and TestAuthenticationProvider probably would be better in test_plugin.py
    • The expired password page should have text to explain to the user what is happening. E.g. "Your {{site_name}} password has expired - You must now choose a new password before logging into the site"
    • redirecting to / isn't that great. The login form keeps a return_to hidden field. Could that technique be used through the pwd_expired form too?
    • Also it would be good to have commented-out examples of these new config options in development.ini so that admins can find out that it is available to them.

    Thanks!

  • Igor Bondarenko - 2014-06-17

    Closed #602. Force-pushed je/42cc_7432 (rebase)

  • Igor Bondarenko - 2014-06-17
    • status: in-progress --> code-review
  • Dave Brondsema - 2014-06-18

    All changes looking good. I did find one new issue: the change password form lets you re-enter the same password as your current password. That should not be allowed though.

  • Dave Brondsema - 2014-06-18
    • status: code-review --> in-progress
  • Igor Bondarenko - 2014-06-20
    • status: in-progress --> code-review
  • Igor Bondarenko - 2014-06-20

    Closed #506. Updated je/42cc_7432

  • Dave Brondsema - 2014-06-20
    • status: code-review --> closed
    • Milestone: limbo --> forge-jun-27
  • Dave Brondsema - 2015-01-05
    • Milestone: unreleased --> asf_release_1.2.0