Add force_password_change_first_login config setting

Author: manisandro

schemas/qwc-db-auth.json

@@ -131,6 +131,10 @@
         "ip_blacklist_max_attempt_count": {
           "description": "After how many failed login attempts an IP will be blacklisted. Should be less than max_login_attempts. See also ip_blacklist_duration. Default: 10",
           "type": "integer"
+        },
+        "force_password_change_first_login": {
+          "description": "Whether to force users to change the password on first login. Default: `false`",
+          "type": "boolean"
         }
       },
       "required": [

src/db_auth.py

@@ -96,6 +96,7 @@ def __init__(self, tenant, mail, app):
         self.totp_issuer_name = config.get('totp_issuer_name', 'QWC Services')
         self.ip_blacklist_duration = config.get('ip_blacklist_duration', 300)
         self.ip_blacklist_max_attempt_count = config.get('ip_blacklist_max_attempt_count', 10)
+        self.force_password_change_first_login = config.get('force_password_change_first_login', False)
 
         db_engine = DatabaseEngine()
         self.config_models = ConfigModels(
@@ -184,8 +185,9 @@ def login(self):
                 # force password change on first sign in of default admin user
                 # NOTE: user.last_sign_in_at will be set after successful auth
                 force_password_change = (
-                    user and user.name == self.DEFAULT_ADMIN_USER
-                    and user.last_sign_in_at is None
+                    user and user.last_sign_in_at is None and (
+                        user.name == self.DEFAULT_ADMIN_USER or self.force_password_change_first_login
+                    )
                 )
 
                 # check if password has expired