Feature #24655

mgr/dashboard: Enforce password change upon first login

Added by Lenz Grimmer about 2 years ago. Updated 2 days ago.

Status: Closed
Priority: Urgent
Assignee:
Category: dashboard/usermgmt
Target version:
% Done: 20%
Source:
Tags: dashboard
Backport:
Reviewed:
Affected Versions:
Pull request ID:

Description

For local user accounts, it should be possible to enforce a password change upon the first login to the dashboard. This could be determined by either having a flag associated with the user (e.g. "reset_password"), or by checking a "last login" timestamp (which would also make it possible to enforce a password change after a certain period of time). With regard to issue #24654 it might actually be feasible to have the "reset_password" flag as well.


Related issues

Related to mgr - Feature #40248: mgr/dashboard: As a user, I want to change my password Closed
Related to mgr - Feature #25229: mgr/dashboard: Provide user enable/disable capability Closed
Related to mgr - Feature #25232: mgr/dashboard: Support minimum password complexity rules Closed
Related to mgr - Feature #40329: mgr/dashboard: It should be possible to set an expiration date for the user password Closed
Related to mgr - Feature #39999: mgr/dashboard: Prevent brute-force/dictionary attacks against existing local user accounts New 05/22/2019
Copied to mgr - Backport #46837: nautilus: mgr/dashboard: user management improvements (password change, password complexity, ...) Rejected

History

#1 Updated by Lenz Grimmer about 2 years ago

  • Assignee deleted (Lenz Grimmer)
  • Tags set to dashboard

#2 Updated by Lenz Grimmer about 2 years ago

  • Category changed from dashboard/general to dashboard/usermgmt

#3 Updated by Elzbieta Dziomdziora over 1 year ago

  • Assignee set to Elzbieta Dziomdziora

#4 Updated by Elzbieta Dziomdziora over 1 year ago

  • Status changed from New to Fix Under Review
  • % Done changed from 0 to 100

#5 Updated by Elzbieta Dziomdziora over 1 year ago

  • % Done changed from 100 to 80

#6 Updated by Lenz Grimmer over 1 year ago

  • Pull request ID set to 28405

#7 Updated by Tiago Melo over 1 year ago

I think we need to improve a few aspects of this process.
Here are the steps I would recommend:

1. The admin should be able to enable a field requiring users to change their password the next time they try to log in.
This can be done during creation or update of the user.

2. When a user tries to log in and the "reset password" flag is enabled, the login should fail.
The backend should respond with a special token that will be used to reset the password.
This token should have a TTL and be stored.
Maybe we could use the same field as the SSO, and send the redirect URL.

2.1 If a user tries to log in again and there is already a reset token that has expired, the user should be disabled.

3. The user should be redirected to a page, similar to the login page, where it does not need to be logged in.
The URL of this page should contain the token sent by the backend.
e.g.: localhost/#/reset/<TOKEN>

4. For extra security we should ask the user to type the new password twice.
After the user types the passwords and presses "submit", we should attach the token to the request.

6. The backend will verify all the data and then change the user password.
If the TTL has expired, we should disable the user account and show a message telling the user to contact an admin.

#8 Updated by Lenz Grimmer about 1 year ago

  • Tags set to security
  • Target version set to v15.0.0

#9 Updated by Lenz Grimmer about 1 year ago

  • Related to Feature #40248: mgr/dashboard: As a user, I want to change my password added

#10 Updated by Lenz Grimmer about 1 year ago

  • Related to Feature #25229: mgr/dashboard: Provide user enable/disable capability added

#11 Updated by Lenz Grimmer about 1 year ago

  • Related to Feature #25232: mgr/dashboard: Support minimum password complexity rules added

#12 Updated by Lenz Grimmer about 1 year ago

  • Related to Feature #40329: mgr/dashboard: It should be possible to set an expiration date for the user password added

#13 Updated by Lenz Grimmer about 1 year ago

  • Related to Feature #39999: mgr/dashboard: Prevent brute-force/dictionary attacks against existing local user accounts added

#14 Updated by Elzbieta Dziomdziora about 1 year ago

My plan for this ticket is to create a checkbox, where the admin can decide whether the user has to or doesn't have to change the password. The value is set in the access_control file under the name forceCheckPwd, and it is going to be checked during the login phase.
According to ticket 40329, it will have an expiration date, which will be checked when forceCheckPwd is true.
When the time for changing the password has expired, there will be a message to contact the admin.
When it is possible to change the password, the user will be navigated to the changePassword page.
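
An added example (not code from the Ceph dashboard, nor from either commenter) of the flow laid out in comments #7 and #14: an admin-set forceCheckPwd flag on the user, a login that fails with a TTL-bound reset token and the /#/reset/<TOKEN> redirect while the flag is set, and disabling of the account once the reset window has expired. The RESET_TTL value, the PBKDF2 hashing, the AuthService/new_user names and the in-memory user store are assumptions, not the dashboard's implementation.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

RESET_TTL = 600  # seconds a reset token stays valid (assumed value, not taken from the ticket)
_hash = lambda pw, salt: hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)  # stand-in for the real hash

@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    force_pwd_change: bool = False  # the "forceCheckPwd" / "reset password" flag set by the admin
    enabled: bool = True
    reset_token: str = ""
    reset_expires: float = 0.0

def new_user(username: str, password: str, force_change: bool = False) -> User:
    salt = secrets.token_bytes(16)
    return User(username, salt, _hash(password, salt), force_pwd_change=force_change)

class AuthService:
    def __init__(self, users, now=time.time):
        self.users = {u.username: u for u in users}  # in-memory stand-in for the access_control store
        self.now = now  # injectable clock so the TTL paths can be exercised offline

    def login(self, username: str, password: str) -> dict:
        u = self.users.get(username)
        if u is None or not u.enabled or not secrets.compare_digest(_hash(password, u.salt), u.pw_hash):
            return {"ok": False, "reason": "invalid credentials"}  # credentials are checked before the flag
        if not u.force_pwd_change:
            return {"ok": True}
        if u.reset_token and self.now() > u.reset_expires:  # step 2.1: a token was issued and has expired
            u.enabled = False
            return {"ok": False, "reason": "account disabled, contact an admin"}
        u.reset_token, u.reset_expires = secrets.token_urlsafe(32), self.now() + RESET_TTL  # step 2
        return {"ok": False, "reset_token": u.reset_token, "redirect": f"/#/reset/{u.reset_token}"}

    def reset_password(self, token: str, new_pw: str, confirm_pw: str) -> dict:
        u = next((x for x in self.users.values() if x.reset_token and secrets.compare_digest(x.reset_token, token)), None)
        if u is None:
            return {"ok": False, "reason": "unknown token"}
        if self.now() > u.reset_expires:  # step 6: TTL ran out between redirect and submit
            u.enabled = False
            return {"ok": False, "reason": "account disabled, contact an admin"}
        if new_pw != confirm_pw:  # step 4: the new password is typed twice
            return {"ok": False, "reason": "passwords do not match"}
        self.users[u.username] = new_user(u.username, new_pw)  # fresh salt, flag cleared, token gone
        return {"ok": True}
```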

#15 Updated by Lenz Grimmer 12 months ago

  • Pull request ID changed from 28405 to 29529

#16 Updated by Tatjana Dehler 9 months ago

  • Status changed from Fix Under Review to In Progress
  • Assignee changed from Elzbieta Dziomdziora to Tatjana Dehler
  • % Done changed from 80 to 20
  • Pull request ID deleted (29529)

#17 Updated by Tatjana Dehler 9 months ago

  • Pull request ID set to 32543

#18 Updated by Tatjana Dehler 8 months ago

  • Assignee changed from Tatjana Dehler to Volker Theile

#19 Updated by Volker Theile 8 months ago

  • Priority changed from Normal to Urgent

#20 Updated by Lenz Grimmer 7 months ago

  • Status changed from In Progress to Resolved

#21 Updated by Ernesto Puerta about 2 months ago

  • Copied to Backport #46837: nautilus: mgr/dashboard: user management improvements (password change, password complexity, ...) added

#22 Updated by Ernesto Puerta about 2 months ago

  • Status changed from Resolved to Pending Backport
  • Backport set to nautilus

#23 Updated by Ernesto Puerta 2 days ago

  • Status changed from Pending Backport to Closed
  • Backport deleted (nautilus)

For a clean/safe backport it requires more than 11 additional PRs.

Closing.