formtools / core

The Form Tools Core.
https://formtools.org

Account Password Expiration #234

Open T1mClark opened 6 years ago

T1mClark commented 6 years ago

It would be nice if account passwords could expire and require changing. This is almost a necessity in this day and age and a requirement for most organizations who may want to use Form Tools.

nelsondcosta23 commented 6 years ago

Yep, actually it's a good idea :)

kubajal commented 4 years ago

I know this is an old topic but I had a very similar problem and I am working on my own solution. Imho such a functionality is crucial for any Formtools installation with more than one user due to GDPR and general security concerns.

I know two possibilities of how to implement a password expiration mechanism.

The first one was proposed by Ben Keen at https://docs.formtools.org/modules/hooks_manager/examples/add_code_hook/.

The second one is my custom plugin which does something similar - it exposes a new flag to the admin for each client which, when set, blocks the user and forces them to change their password: https://github.com/kubajal/module-force_password_change. Version 0.0.1 doesn't provide automatic password expiration functionality yet, but you as the admin can set expiration of passwords manually per user. Automatic expiration of passwords will be the next thing that I will implement (in version 0.0.2).

The difference between my solution and https://docs.formtools.org/modules/hooks_manager/examples/add_code_hook/ is that my solution actually lets the user log in and change their password to a custom one, but prevents viewing any submissions as long as they don't change the password, whereas https://docs.formtools.org/modules/hooks_manager/examples/add_code_hook/ prevents logging in and effectively forces the admin or the system to send a temporary password to the user, which later may or may not be changed by the user (well, obviously it would be preferred that they change their password to a custom one, wouldn't it?).

So the question would be: what do you mean by "Account Password Expiration"? Do you mean that when a password expires:

1) the client may log in to their panel,
2) they are forced to change their password to a new one (does not involve sending a temporary password)

or do you mean that:

1) the client cannot log into the Formtools installation at all,
2) a new temporary password must be sent to them (most probably by an e-mail as open text, which is a security flaw),
3) the client may or may not change the temporary password to a new one (because there is no mechanism in Formtools that would force them to do so).

The former variant is (will be) implemented in my plugin. The latter variant is implemented in https://docs.formtools.org/modules/hooks_manager/examples/add_code_hook/.
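The two variants contrasted in the comment above can be expressed as a single policy check: a password counts as expired when an admin has set a per-user "force change" flag or when it is older than a maximum age, and the policy then decides whether the account may still log in (but not view submissions) or is locked outright. The following is an added, standalone Python model of that check; it is not code from Form Tools or from the kubajal module, and the class names, the 90-day maximum age and the sample accounts are constructed for illustration.

```python
"""Password-expiration policy check (constructed example, not Form Tools code).

Models the two behaviours discussed in the thread:
  - FORCE_CHANGE_ON_LOGIN: the user may log in but must change the password
    before viewing submissions (no temporary password is mailed).
  - LOCK_ACCOUNT: the user cannot log in until an admin resets the password.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from enum import Enum


class Policy(Enum):
    FORCE_CHANGE_ON_LOGIN = "force_change"
    LOCK_ACCOUNT = "lock"


class AccessState(Enum):
    OK = "ok"
    MUST_CHANGE_PASSWORD = "must_change_password"
    LOCKED = "locked"


@dataclass(frozen=True)
class Account:
    username: str
    password_changed_at: datetime        # timezone-aware UTC timestamp of the last change
    force_password_change: bool = False  # per-user flag an admin can set manually


def is_expired(account: Account, now: datetime, max_age_days: int) -> bool:
    """Expired when the admin flag is set or the password is at least max_age_days old."""
    if account.force_password_change:
        return True
    return (now - account.password_changed_at) >= timedelta(days=max_age_days)


def evaluate_access(account: Account, now: datetime, max_age_days: int,
                    policy: Policy) -> AccessState:
    """Decide what an expired (or valid) password allows under the chosen policy."""
    if not is_expired(account, now, max_age_days):
        return AccessState.OK
    if policy is Policy.FORCE_CHANGE_ON_LOGIN:
        return AccessState.MUST_CHANGE_PASSWORD
    return AccessState.LOCKED


def can_log_in(state: AccessState) -> bool:
    return state is not AccessState.LOCKED


def can_view_submissions(state: AccessState) -> bool:
    # Under variant 1 the session exists but submission pages stay blocked.
    return state is AccessState.OK


def days_until_expiry(account: Account, now: datetime, max_age_days: int) -> int:
    """Days left before expiry, 0 once expired (suitable for a login-page warning)."""
    if account.force_password_change:
        return 0
    deadline = account.password_changed_at + timedelta(days=max_age_days)
    return max(0, (deadline - now).days)


def record_password_change(account: Account, now: datetime) -> Account:
    """After a successful change: clear the admin flag and reset the age clock."""
    return replace(account, password_changed_at=now, force_password_change=False)


def sample_accounts():
    """Constructed sample data: one fresh, one stale and one admin-flagged account."""
    now = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)
    fresh = Account("alice", now - timedelta(days=10))
    stale = Account("bob", now - timedelta(days=120))
    flagged = Account("carol", now - timedelta(days=5), force_password_change=True)
    return now, fresh, stale, flagged


def demo(max_age_days: int = 90) -> dict:
    """Evaluate every sample account under both policies; keyed by (user, policy)."""
    now, *accounts = sample_accounts()
    return {
        (acct.username, policy.value): evaluate_access(acct, now, max_age_days, policy).value
        for acct in accounts
        for policy in Policy
    }


if __name__ == "__main__":
    for (user, policy), state in demo().items():
        print(f"{user:6} {policy:13} -> {state}")
```

The check is deliberately separated from the login flow: `evaluate_access` is called once per request, and pages that show submissions gate on `can_view_submissions`, so under the first variant an expired user can reach only the change-password page. `record_password_change` clears the manual flag as well as resetting the timestamp, which is what lets the admin-set flag behave exactly like an automatic expiry once the user complies.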