What shell we do with the old users?

[MAH1987]

Django will remove md5 and sha1 Hash-Algorythm in 2 years.

https://github.com/orgs/inyokaproject/projects/9/views/1?pane=issue&itemId=41169023

[encbladexp]

do we know when they had last been active?

[chris34]

• in general we should have User.last_login

• according to git blame PBKDF2PasswordHasher was introduced in https://github.com/inyokaproject/inyoka/commit/61a0f74573fdc0cd651fd4ec5d59da87e0288dbb#diff-39a31fdf66bd42277710d0a60056ece24bf14970c19c736bc69906be216a3bfc \ → IMO we can assume that the affected users did not login for more than 11 years (otherwise the password hash would be upgraded on login automatically)

  ---

  The question is whether we should

  • try in development/staging what happens, if we drop those hasher back-ends (can affected users just reset their password, if they still own the mail account?)
  • try to reach those users via mail before we drop the backends. (what about not existing mailboxes?)
  • we could also try to backport the hasher classes to inyoka
  • dont care and just accept that a bunch of old accounts can not login any more
  • (... insert more ideas here...)

[encbladexp]

Let's lock them out, either by mistake or actively. It does not make sense to reach out to people who most likely used their account >10y ago. Maybe we should write a Ikhaya article, just for transparency reasons (I doubt anybody affected will read it).

[chris34]

We have now two approaches:

• 1316

• 1317

I'll wait on the results of the internal discussion.

Feel free to comment also on the PRs.

[encbladexp]

Deprecation is enough for me, let's keep it simple.

[chris34]

(At least both the internal team discussion and this one preferred the same solution → on staging now)