joyent / conch-api

Datacenter build and management service
Mozilla Public License 2.0

should force new user to change password immediately #975

Closed karenetheridge closed 4 years ago

karenetheridge commented 4 years ago

When creating a new user, force_password_change should be set to true on the user record.

When a user with this flag logs in, we are presently returning HTTP 200 with a Location header pointing to /user/me/password. Clients are not currently handling this condition; therefore, if a change is made now, new users will be unable to use clients at all. Therefore, defer this fix until after 3.0.0.

karenetheridge commented 4 years ago

current state:

Therefore it is safe to create a user with force_password_change=true, so the password on user creation is now just a temporary password.