feat: implement password_reset_required flag and enforcement logic#16252

Open
BasavarajBankolli wants to merge 4 commits into ansible:devel from BasavarajBankolli:force-password-reset

Conversation

@BasavarajBankolli

SUMMARY

This PR implements a "Force Password Reset" feature. It adds a password_reset_required boolean field to the User model, allowing administrators to flag accounts that must change their password before they can access the rest of the API.

Design Decisions:

  • Storage: Injected the field directly into the auth.User model via add_to_class in awx/main/models/__init__.py to ensure it is a native attribute of the user.
  • Enforcement: Overrode the get method in UserDetail view. If the flag is True, the API returns a 403 Forbidden with a JSON body indicating a reset is required. This signal allows the frontend to redirect the user to the password change page.
ISSUE TYPE
  • New or Enhanced Feature
COMPONENT NAME
  • API
ADDITIONAL INFORMATION

This change provides a way for security administrators to ensure credentials are rotated when suspected compromise occurs or as part of a standard security policy.

Verification performed:

  1. Created a manual migration (0205_add_password_reset_flag.py) to handle the database schema update.
  2. Updated UserSerializer to ensure the field is accessible and writable by administrators.
```python
from django.utils.translation import gettext_lazy as _
from rest_framework import status
from rest_framework.response import Response
# Verbatim logic added to UserDetail.get(); obj is the User being retrieved
def get(self, request, *args, **kwargs):
    obj = self.get_object()
    if getattr(obj, 'password_reset_required', False):
        return Response({
            "detail": _("Password reset is required before you can continue."),
            "password_reset_required": True
        }, status=status.HTTP_403_FORBIDDEN)
    return super().get(request, *args, **kwargs)
```

Member


I don't actually believe this works. The model is auth.User, meaning that it comes from the django.contrib app. And this migration is for the main app, basically the AWX app.

The User model being in an app we don't control has been a major thorn in our sides for a long time. But it is difficult to change.

Author


Thanks for catching that, @AlanCoding. You're right: trying to migrate a field into django.contrib.auth from the main app is asking for trouble.
To avoid fighting the built-in User model, I'll pivot to creating a UserProfile (or similar) model in the main app with a OneToOneField to User. This keeps the migration within our control while still allowing us to track the password_reset_required flag. I’ll update the enforcement logic to check user.profile.password_reset_required instead.
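
As an added illustration of the profile-based design proposed above (example code, not part of the PR or of AWX), the gate below checks the requesting user rather than the user record being viewed, tolerates a user that has no profile row yet, and keeps the user's own password-change request reachable so the flag can actually be cleared. The profile attribute name, the users path layout and the dataclass stand-ins are assumptions.

```python
# Added example, not code from the PR: a framework-independent enforcement
# gate for a password_reset_required flag stored on a OneToOne profile model.
# A view or DRF permission class would call enforce_password_reset() with the
# authenticated request.user, the HTTP method and the request path.
from dataclasses import dataclass
from typing import Optional

HTTP_403_FORBIDDEN = 403
RESET_DETAIL = "Password reset is required before you can continue."


@dataclass
class Profile:
    password_reset_required: bool = False


@dataclass
class User:
    id: int
    profile: Optional[Profile] = None  # None stands in for a missing profile row


def reset_required(user) -> bool:
    """True only when the user has a profile and the flag is set.

    Reading user.profile on a real OneToOne reverse accessor raises when no
    row exists; getattr with a default models that as 'no profile, not flagged'.
    """
    profile = getattr(user, "profile", None)
    return bool(profile is not None and profile.password_reset_required)


def password_change_request(user, method: str, path: str) -> bool:
    """The one write a flagged user must keep: updating their own record.

    Assumed path layout; adjust to the real router.
    """
    return method in ("PATCH", "PUT") and path == f"/api/v2/users/{user.id}/"


def enforce_password_reset(request_user, method: str, path: str):
    """Return None to let the request through, or (status, body) to reject it."""
    if not reset_required(request_user):
        return None
    if password_change_request(request_user, method, path):
        return None
    return HTTP_403_FORBIDDEN, {
        "detail": RESET_DETAIL,
        "password_reset_required": True,
    }
```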

@mattclay
Member

@BasavarajBankolli I'm not involved in this project.

@BasavarajBankolli
Author

@AlanCoding sir, are there any other ways to resolve this issue?
