A middleware to force a password change.
If a password history exists, the last password change can easily be determined by getting the newest entry. If the user has no password history, it is assumed that the password was last changed when the user registered or was registered.
Note
This only works for requests that use the HTTP GET method. Redirecting an HTTP POST is tricky, so the risk of messing up a POST is not taken.
To use this middleware you need to add it to the MIDDLEWARE_CLASSES list in a project’s settings:
MIDDLEWARE_CLASSES = (
    'django.middleware.common.CommonMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'password_policies.middleware.PasswordChangeMiddleware',
    # ... other middlewares ...
)
Note
The order of this middleware in the stack is important: it must be listed after the authentication AND the session middlewares.
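The ordering rule above can be checked mechanically before deployment. The following is an added example, not code from password_policies; the helper name `check_password_middleware_order` and the two sample stacks are assumptions constructed for illustration.

```python
# Added example: lint a MIDDLEWARE_CLASSES sequence against the ordering rule.
# check_password_middleware_order is a hypothetical helper, not a project API.

SESSION = 'django.contrib.sessions.middleware.SessionMiddleware'
AUTH = 'django.contrib.auth.middleware.AuthenticationMiddleware'
PASSWORD_CHANGE = 'password_policies.middleware.PasswordChangeMiddleware'


def check_password_middleware_order(middleware_classes):
    """Return a list of problems; an empty list means the stack is valid.

    Valid means PasswordChangeMiddleware is present and listed after both
    the session and the authentication middlewares.
    """
    stack = list(middleware_classes)
    if PASSWORD_CHANGE not in stack:
        return ['%s is not installed' % PASSWORD_CHANGE]
    problems = []
    position = stack.index(PASSWORD_CHANGE)  # index of the first occurrence
    for required in (SESSION, AUTH):
        if required not in stack:
            problems.append('%s is missing' % required)
        elif stack.index(required) > position:
            problems.append('%s must be listed before %s'
                            % (required, PASSWORD_CHANGE))
    return problems


# Constructed sample stacks: the first follows the documented order, the
# second lists the password middleware before the authentication middleware.
GOOD_STACK = (
    'django.middleware.common.CommonMiddleware',
    SESSION,
    'django.middleware.csrf.CsrfViewMiddleware',
    AUTH,
    PASSWORD_CHANGE,
)
BAD_STACK = (
    'django.middleware.common.CommonMiddleware',
    SESSION,
    'django.middleware.csrf.CsrfViewMiddleware',
    PASSWORD_CHANGE,
    AUTH,
)

if __name__ == '__main__':
    for name, stack in (('good', GOOD_STACK), ('bad', BAD_STACK)):
        print(name, check_password_middleware_order(stack) or 'ok')
```

In a project, the same function can be called with `settings.MIDDLEWARE_CLASSES` from a test case so that a misordered stack fails the build.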
Warning
This middleware does not try to redirect using the HTTPS protocol.