CartoDB / cartodb

Location Intelligence & Data Visualization tool
http://carto.com
BSD 3-Clause "New" or "Revised" License
2.75k stars 650 forks

User passwords to expire after a period of time #13794

Closed danicarrion closed 6 years ago

danicarrion commented 6 years ago

User passwords need to expire after a period of time. Such period of time will be configurable on a per-organization basis. For users that do not belong to any organization, a site wide default value will apply.

If a given user is logged in when their password is meant to expire, they will be logged out of their sessions. They will be forced to log in again and will be prompted for a new password immediately after.

In detail:

ivanmalagon commented 6 years ago

For the 4th point we can reuse / adapt the forgot password page.


ivanmalagon commented 6 years ago

Correct me if I'm wrong @javitonino

Session expiration must be performed by Rails session management, right?

The other part, redirecting if the user logs in and the password is expired is also meant to be performed by backend. Is the target password change page hosted in Central or in Builder?

javitonino commented 6 years ago

Frontend-wise, you'll need to prepare all API requests to redirect to login on 403. Imagine that you open Builder and a minute later your session expires; we need to be able to handle that.

The change password part will need to be both in central and cartodb, to support SaaS and custom installs.
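The policy described in the issue (per-organization expiration period with a site-wide default for users outside any organization, sessions invalidated with a 403 once the password has expired, and a forced password change right after the next login) as an added Ruby illustration; this is not CartoDB's own code, and the `User`, `Organization` and `PasswordExpirationPolicy` names and the `password_expiration_days` attribute are assumptions:

```ruby
require 'time'

# Constructed models standing in for the Rails ones; field names are assumed.
User = Struct.new(:name, :organization, :password_changed_at, keyword_init: true)
Organization = Struct.new(:name, :password_expiration_days, keyword_init: true)

class PasswordExpirationPolicy
  SECONDS_PER_DAY = 86_400

  # site_default_days applies to users without an organization (or whose
  # organization sets no period); nil means passwords never expire.
  def initialize(site_default_days:)
    @site_default_days = site_default_days
  end

  # Organization setting wins; otherwise fall back to the site-wide default.
  def expiration_days_for(user)
    org = user.organization
    (org && org.password_expiration_days) || @site_default_days
  end

  # A password with no recorded change date is treated as expired whenever a
  # period applies, so a missing timestamp fails closed rather than open.
  def expired?(user, now: Time.now.utc)
    days = expiration_days_for(user)
    return false if days.nil?
    return true if user.password_changed_at.nil?
    now - user.password_changed_at > days * SECONDS_PER_DAY
  end

  # Decision for an authenticated API request: an expired password ends the
  # session; the API answers 403 and the frontend redirects to login.
  def check_request(user, now: Time.now.utc)
    if expired?(user, now: now)
      { status: 403, action: :logout }
    else
      { status: 200, action: :continue }
    end
  end

  # Decision right after a successful login: expired password means the user
  # is sent to the change-password page before reaching the dashboard.
  def after_login(user, now: Time.now.utc)
    expired?(user, now: now) ? :force_password_change : :dashboard
  end
end
```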

javitonino commented 6 years ago

@danicarrion There are two possible ways to count expiration:

- Time since last login
- Time since last activity

Which are we implementing? We could also do both (and expire whenever one of the two expires) for pretty much the same cost.

Never mind, this is just about password expiration. We can do session expiration in the bonus GDPR track.

javitonino commented 6 years ago

Closing this for now. We are only missing setting the default and there is a separate ticket for that.