[ https://issues.apache.org/jira/browse/FINERACT-2003?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18054141#comment-18054141 ]
Krishna Mewara commented on FINERACT-2003:
------------------------------------------
Hi mentors, I would like to work on this issue.
*Implementation Plan:* To ensure this feature is robust and
configuration-driven:
# *Schema:* Introduce an explicit {{password_reset_required}} boolean column
in the {{m_appuser}} table (default {{false}}) to track state
deterministically.
# *Configuration:* Add a new Global Configuration toggle (e.g.,
{{force-password-reset-on-first-login}}) to enable or disable this policy
system-wide without code changes.
# *Logic:* Modify the Authentication Service to intercept the login flow. If
the policy is enabled and the flag is set, the system will block the token
issuance.
*Clarification:* Given Fineract's headless architecture, I assume the
"redirect" described implies returning a specific error response (e.g., {{403
Forbidden}} with a distinct application error code) that instructs the
consuming frontend to route the user to the password reset screen.
I am starting work on this now.
> Enforce change of password on first logon
> -----------------------------------------
>
> Key: FINERACT-2003
> URL: https://issues.apache.org/jira/browse/FINERACT-2003
> Project: Apache Fineract
> Issue Type: New Feature
> Reporter: John Ruhiu
> Priority: Major
>
> Add the ability to force the user to reset their password on the first logon
> and when a password has been reset by admin or using forgot password feature.
> If it's the first time the user is logging in, the system should ask them to
> reset the password and send them to the password reset page where they will
> enter a new password (and repeat).
> The system will process the request and redirect them to the login page where
> they will enter the new password to gain access.
> Note: the password reset feature already exists under user/profile/change
> password on the mifos UI
>
> *ASSUMPTIONS*:
> 1. Email is configured in fineract (SMTP config) Admin>System>External
> Services>External Services (Email Config)
> That means the email is working (when a new user is created, an email with
> attached sample is sent to the user).
>
> 2. Password validation already exists (Admin>Organisation>Password preference)
> 3. Endpoint for password change already exists
> 4. We are not sending a deep link nor generating a link for the user to
> change their password. We are assuming the user has received their
> credentials and they know the fineract / mifos link from which they can login.
>
> *WHAT WE NEED TO DO:*
> # Add to global configuration an option to allow first login password change
> # On logon detect if the global configuration for first login password
> change is enabled. If True then detect whether the user is logging in for the
> first time. If true force the user to change their password.
> # On the screen for password change only allow them to enter new password
> and repeat. Ensure the password complies with the password policies (see
> assumption No.2).
> # After successful change of password redirect the user to login password to
> allow them login.
> *OUT OF SCOPE:*
> # Multifactor authentication.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
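As an added illustration of the login interception, the reset-flag state transitions and the {{403}} response proposed in the comment above (example code written for this page, not Fineract's or the commenter's code): the {{AppUser}}, {{GlobalConfig}}, {{AuthService}} classes, the error code string, the password-policy predicate and the placeholder digest are all assumptions standing in for the real Fineract components.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HexFormat;
import java.util.function.Predicate;

public class ForcedPasswordResetExample {

    /** Stand-in for one m_appuser row carrying the proposed password_reset_required column. */
    static final class AppUser {
        final String username;
        String passwordHash;            // stand-in for the stored credential
        boolean passwordResetRequired;  // proposed column, default false
        AppUser(String username, String passwordHash, boolean passwordResetRequired) {
            this.username = username;
            this.passwordHash = passwordHash;
            this.passwordResetRequired = passwordResetRequired;
        }
    }

    /** Stand-in for the proposed force-password-reset-on-first-login global configuration. */
    static final class GlobalConfig {
        boolean forcePasswordResetOnFirstLogin;
    }

    /** Thrown instead of issuing a token; the consuming frontend routes on the error code. */
    static final class PasswordResetRequiredException extends RuntimeException {
        static final int HTTP_STATUS = 403;                                   // 403 Forbidden, as in the plan
        static final String ERROR_CODE = "error.msg.password.reset.required"; // assumed application error code
        PasswordResetRequiredException(String username) {
            super(HTTP_STATUS + " " + ERROR_CODE + " for " + username);
        }
    }

    static final class AuthService {
        private final GlobalConfig config;
        private final Predicate<String> passwordPolicy; // stand-in for the existing Password Preference rules
        AuthService(GlobalConfig config, Predicate<String> passwordPolicy) {
            this.config = config;
            this.passwordPolicy = passwordPolicy;
        }

        /** Login flow: credentials first, then the reset policy, then token issuance. */
        String login(AppUser user, String password) {
            if (!hash(password).equals(user.passwordHash)) {
                throw new IllegalArgumentException("invalid credentials");
            }
            // Evaluated only after the credential check, so an unauthenticated caller
            // learns nothing about which accounts have a pending reset.
            if (config.forcePasswordResetOnFirstLogin && user.passwordResetRequired) {
                throw new PasswordResetRequiredException(user.username);
            }
            return "token-for-" + user.username; // stand-in for the real token issuance
        }

        /** Admin reset or "forgot password": store the temporary password and arm the flag. */
        void resetByAdminOrForgotPassword(AppUser user, String temporaryPassword) {
            user.passwordHash = hash(temporaryPassword);
            user.passwordResetRequired = true;
        }

        /** The user's own change (existing change-password endpoint): policy check, store, clear flag. */
        void changePassword(AppUser user, String newPassword, String repeat) {
            if (!newPassword.equals(repeat)) {
                throw new IllegalArgumentException("passwords do not match");
            }
            if (!passwordPolicy.test(newPassword)) {
                throw new IllegalArgumentException("password violates the password preference policy");
            }
            user.passwordHash = hash(newPassword);
            user.passwordResetRequired = false; // the user may now log in normally
        }
    }

    /** Placeholder digest so the example is self-contained; not a password hashing scheme. */
    static String hash(String s) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(d);
        } catch (java.security.NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    public static void main(String[] args) {
        GlobalConfig config = new GlobalConfig();
        config.forcePasswordResetOnFirstLogin = true;
        // Constructed policy standing in for Admin > Organisation > Password preference.
        Predicate<String> policy = p -> p.length() >= 12 && p.chars().anyMatch(Character::isDigit);
        AuthService auth = new AuthService(config, policy);

        // A freshly created user: flag armed, so the first login is blocked with 403.
        AppUser user = new AppUser("jdoe", hash("Welcome-Temp-01"), true);
        try {
            auth.login(user, "Welcome-Temp-01");
        } catch (PasswordResetRequiredException e) {
            System.out.println("first login blocked: " + e.getMessage());
        }

        // The user changes the password through the existing endpoint, then logs in.
        auth.changePassword(user, "Correct-Horse-42", "Correct-Horse-42");
        System.out.println("after change: " + auth.login(user, "Correct-Horse-42"));

        // An admin reset re-arms the flag; with the toggle off, login is no longer intercepted.
        auth.resetByAdminOrForgotPassword(user, "Temp-Reset-99");
        config.forcePasswordResetOnFirstLogin = false;
        System.out.println("policy disabled: " + auth.login(user, "Temp-Reset-99"));
    }
}
```

The ordering in {{login}} is the point worth keeping when this is wired into the real authentication service: the reset flag is consulted only after the credential check succeeds, so the distinct {{403}} error code is returned only to a caller who already holds valid credentials, and the existing change-password endpoint remains the single place where the password policy is enforced and the flag is cleared.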