I've got a project where I'll be bulk-creating users from data coming in from Excel (yes, pity me). It'll create a random password as it creates their account which will be emailed to them at some point in the process. Has anyone done this kind of thing before (I've had a quick search around and nothing much is leaping out at me).
At the moment I'm thinking of something like a middleware that checks a datetime field of last_password_change which defaults to null (and could then be re-used later if the site admins need to enforce password changes after $some_time).
Yes. Populate the date with null and when logging in ask for a new password. You already have a very powerful mind set up on the process itself, middleware is the way to go.
Please don't email the passwords, @ohffs. Send them a password reset link instead. Not a generic one; explain why they're getting it (new system), so they don't get suspicious.
The rest of the process seems on the money. Maybe even just a boolean flag on the user row that says must_change_password, then on successful login, if the flag is true, your middleware can catch that and redirect the user to reset their password.
If you want to get tricky, you can tie a message in so the user knows why they're being told to reset their password.
@deringer the users are all internal to a single organisation so the passwords wouldn't cross the net - but I may well use the password reset thing all the same - thanks! I've never used laravel for an app that wasn't tied to LDAP for auth outside of some side-project stuff where I'm the sole user so I entirely forgot about the reset system :-) Doh! :-)
I think I'll keep the flag as a datetime though. The code will be getting deployed in China behind the firewall so I'd rather there was a tiny bit of flexibility there in case they need to mess around with it - I'd rather not have to fly out to China to run an alter table :-)
Well as long as they're paying for the round trip ;)
That aside, whether the passwords are crossing the internet or not, I still wouldn't be emailing them out at any size. If you can't show your users you're going to protect their passwords, it might make some uneasy about what other data you're not being overly cautious with (not suggesting that you are, mind you).
The password reset option would certainly be preferred in most cases, I would have thought, and it's available right out of the box.
I might need to do some LDAP stuff shortly; I know who to come looking for if I need help now!
I shall spend today making my LDAP code less embarrassing to share then! ;-) This project was originally going to be using LDAP - right up until yesterday when they told me it was being deployed in China and not our local site. Love these minor details that you find out part-way through... ;-)
Something along the lines of a link to "Create your account password" would be great. No password is set (NULL in your table), so your middleware can catch that the user's account has either a reset_required_date < NOW() OR password IS NULL, if so, redirect them to the password create page. Store a token in another table linked to the user account, token is the one you send through with the link in the email.
I have a similar requirement in my current project. I need to prompt the user to choose a password of his/her choice immediately after a payment transaction is approved. I'm logging in the user manually (within code) and then redirecting to dashboard. The dashboard route handler (controller method) loads correct view based on a field value.
I went ahead and added a new field to users table called password_on_login and then check within all controller methods and render password change view whenever password_on_login is set to true. Then again, if for some reason user fails to set the password or forgets to do so, he/she will be left with no way of doing it again. So, looks like I can easily make use of password reset that comes out of the box and linked to user's email address. I'm going to give it a try.
I may come back to you guys for help if I get stuck :)
Good stuff guys, I solved this by putting a check in my base controller, which is extended for all other controllers that are used while the user is authenticated. I would love to see how you would approach doing this using the middleware?
EDIT: I think I got it figured out, it was easy enough
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Support\Facades\Auth;

class CheckFirstTimeLogin
{
    public function handle($request, Closure $next)
    {
        // Only act on an authenticated user who has never set a password,
        // and skip the change page itself so the redirect cannot loop.
        $user = Auth::user();

        if ($user !== null && $user->password_change_at === null && ! $request->is('password/change')) {
            return redirect('/password/change');
        }

        return $next($request);
    }
}
just tell me if I am doing this right or not please :)
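An added example (not code from anyone in this thread) that takes the datetime-flag idea from the opening post a step further: the same middleware handles both the null `password_change_at` of a bulk-created account and an admin-configured maximum password age, and it whitelists the change, update and logout routes so the redirect cannot loop. The column name `password_change_at`, the routes and the `auth.password_max_age_days` config key are assumptions.

```php
<?php

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Carbon;
use Illuminate\Support\Facades\Auth;

// Assumed: users.password_change_at is a nullable datetime column, and
// config('auth.password_max_age_days') is a hypothetical setting admins can
// use to force periodic changes (null means passwords never expire).
class RequirePasswordChange
{
    // Routes the user must still be able to reach while a change is pending;
    // otherwise the redirect loops or the user cannot even log out.
    private const ALLOWED = ['password/change', 'password/update', 'logout'];

    public function handle(Request $request, Closure $next)
    {
        $user = Auth::user();

        if ($user !== null
            && $this->changeRequired($user->password_change_at)
            && ! $request->is(...self::ALLOWED)) {
            // Remember where they were going so the change page can send them back.
            $request->session()->put('url.intended', $request->fullUrl());

            return redirect('/password/change')
                ->with('status', 'Please choose a new password before continuing.');
        }

        return $next($request);
    }

    // Null means the account was bulk-created and never had a user-chosen
    // password; a date older than the configured maximum age also triggers a change.
    public function changeRequired($changedAt): bool
    {
        if ($changedAt === null) {
            return true;
        }

        $maxAgeDays = config('auth.password_max_age_days');
        if ($maxAgeDays === null) {
            return false;
        }

        return Carbon::parse($changedAt)->lt(Carbon::now()->subDays((int) $maxAgeDays));
    }
}
```

Register it as a route middleware and apply it only to the authenticated route group; the change controller should update `password_change_at` to now and then call `redirect()->intended()`.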