Django force password expiration

Question

Are there any django apps for force expiring the password of the user after certain interval like 30 days? I am using djangp's auth and want to extend it or use a community app.

What I have tried so far:

1. Added a field to user profile for storing the date of last password updated.
2. Extended the login method to check for this date and redirect the user to password change page.

What I am confused about:

1. To block the user accessing the site till the password is changed.
2. User should not be able to login or just type urls to access the page directly.

Please note that I don't want to use middleware as it will be a resource constraint.

Answer 1

You seem on the right track. Set the date of the last password updated, check if the timedelta is greater than 30 days, if so redirect to the change password page. Your Login view should essentially stay the same except don't actually login the user to the request object if the timedelta is greater than 30 days.

from datetime import date, timedelta
from django.contrib.auth import authenticate, login

def my_view(request):
    username = request.POST['username']
    password = request.POST['password']
    user = authenticate(username=username, password=password)
    if user is not None:
        if user.is_active:
            if date.today() - user.password_date > timedelta(days=30):
                # Redirect to password change page
            else:
                login(request, user)
                # Redirect to a success page.
        else:
            # Return a 'disabled account' error message
    else:
    # Return an 'invalid login' error message.

Answer 2

Well, there is django-passwords-policies, http://tarak.github.io/django-password-policies/topics/force.password.change.html