 

Rails expire password within 24 hours

In my Rails 3.1 application, I want to create and expire random passwords for users. I am using the devise gem for that. Is any plugin available for expiring a password within some duration?
Or else please give me some logical advice to implement this feature.
Please consider me as a newbie.

shajin asked Oct 04 '11 14:10


4 Answers

It sounds like you just want to expire the password once. If you're looking to do it at regular intervals (e.g. every couple of months) or if you want to prevent users from re-using passwords, it gets more complicated.

Taken from an app I'm working on:

app/models/user.rb (assuming that's what you name your model):

    def password_should_expire?
      # your logic goes here, remember it should return false after the password has been reset
    end

app/controllers/application_controller.rb

    before_filter :check_password_expiry
    def check_password_expiry
      return if !current_user || ["sessions","passwords"].include?(controller_name)
      # do nothing if not logged in, or viewing an account-related page
      # otherwise you might lock them out completely without being able to change their password
      if current_user.password_should_expire?
        @expiring_user = current_user # save him for later
        @expiring_user.generate_reset_password_token! # this is a devise method
        sign_out(current_user) # log them out and force them to use the reset token to create a new password
        redirect_to edit_password_url(@expiring_user, :reset_password_token => @expiring_user.reset_password_token, :forced_reset => true)
      end
    end
Jeriko answered Nov 12 '22 10:11


When you create a password, note the time it was created. Then, when the password is being used, check that the password was created less than 24 hours ago.

Depending on what frameworks you are using, this functionality (or something similar) may already exist within the framework, or perhaps as a plugin. If not, it isn't particularly difficult to implement. All you would need is an extra column in your data store to hold the password creation date/time, and a bit of extra logic on password creation and on password use.

cdeszaq answered Nov 12 '22 08:11
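
The approach from the two answers above (record when the password was set, check its age on every request, and keep the sign-in and password-reset pages reachable), as an added example that is not part of any answer on this page. It is plain Ruby without Rails or Devise; `User`, `stamp_password_change!`, `password_expired?`, `expiry_decision` and the constants are hypothetical names.

```ruby
# Added example: plain Ruby, no Rails or Devise required. All names are hypothetical.
MAX_PASSWORD_AGE = 24 * 60 * 60 # seconds: the 24-hour window from the question

# Stand-in for the users table with the extra timestamp column.
User = Struct.new(:email, :password_changed_at)

# Call wherever a password is created or changed, so the 24-hour clock restarts.
def stamp_password_change!(user, now = Time.now.utc)
  user.password_changed_at = now
  user
end

# True when the password may no longer be used.
# Fails closed: a missing timestamp, or one in the future, counts as expired.
def password_expired?(user, now = Time.now.utc)
  changed_at = user.password_changed_at
  return true if changed_at.nil?
  age = now - changed_at # Float seconds
  age < 0 || age >= MAX_PASSWORD_AGE
end

# Controllers that must stay reachable so an expired user can still reset.
EXEMPT_CONTROLLERS = %w[sessions passwords].freeze

# The decision a before-filter would act on for each request.
def expiry_decision(user, controller_name, now = Time.now.utc)
  return :allow if user.nil? || EXEMPT_CONTROLLERS.include?(controller_name)
  password_expired?(user, now) ? :force_reset : :allow
end

# Constructed sample data: one user whose password was issued at `issued`.
issued = Time.utc(2011, 10, 4, 14, 10, 0)
user = stamp_password_change!(User.new("user@example.test", nil), issued)
[[1, "orders"], [24, "orders"], [48, "passwords"]].each do |hours, controller|
  at = issued + hours * 3600
  puts "#{hours}h later, #{controller}: #{expiry_decision(user, controller, at)}"
end
```

In a Rails app the timestamp would be a `password_changed_at` column set in the same save that changes the password, and `:force_reset` would map to the sign-out and redirect shown in the controller filter above.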


Check out the Devise Security Extension gem:

https://github.com/phatworx/devise_security_extension

I've been using it for expiring passwords and archiving passwords (to make sure an old password is not reused) with no problems.

yuяi answered Nov 12 '22 10:11


@Jeriko's answer contains some old code; here are the edits:

In model/user.rb:

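    # relies on a password_changed_at timestamp attribute on the user
    def password_should_expire?
      # true once more than 30 seconds have passed since the last password change
      DateTime.now > password_changed_at + 30.seconds
    end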

In Application Controller:

    before_filter :check_password_expiry
    def check_password_expiry
      return if !current_user || ["sessions","passwords"].include?(controller_name)
      # do nothing if not logged in, or viewing an account-related page
      # otherwise you might lock them out completely without being able to change their password
      if current_user.password_should_expire?
        @expiring_user = current_user # save him for later
        @expiring_user.set_reset_password_token! # this is a devise method
        sign_out(current_user) # log them out and force them to use the reset token to create a new password
        redirect_to edit_password_url(@expiring_user, :reset_password_token => @expiring_user.reset_password_token, :forced_reset => true)
      end
    end
YDRabbit answered Nov 12 '22 10:11