enforce password change if password is changeme

2025-05-27 15:13:36 +02:00
parent 071b8ca2aa
commit 149487195b
12 changed files with 132 additions and 42 deletions
--- a/routes/auth.py
+++ b/routes/auth.py
@@ -1,6 +1,16 @@
 from flask import render_template, request, flash, redirect, url_for
 from flask_login import login_user, logout_user, login_required, current_user
 from models import db, User
+from functools import wraps
+
+def require_password_change(f):
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if current_user.is_authenticated and current_user.check_password('changeme'):
+            flash('Please change your password before continuing.', 'warning')
+            return redirect(url_for('auth.change_password'))
+        return f(*args, **kwargs)
+    return decorated_function

 def init_routes(auth_bp):
    @auth_bp.route('/login', methods=['GET', 'POST'])
@@ -18,8 +28,14 @@ def init_routes(auth_bp):
            if not user or not user.check_password(password):
                flash('Please check your login details and try again.', 'danger')
                return redirect(url_for('auth.login'))
-                
+            
            login_user(user, remember=remember)
+            
+            # Check if user is using default password
+            if password == 'changeme':
+                flash('Please change your password before continuing.', 'warning')
+                return redirect(url_for('auth.change_password'))
+            
            next_page = request.args.get('next')
            if next_page:
                return redirect(next_page)
@@ -62,4 +78,27 @@ def init_routes(auth_bp):
    @login_required
    def logout():
        logout_user()
-        return redirect(url_for('auth.login')) 
+        return redirect(url_for('auth.login'))
+
+    @auth_bp.route('/change-password', methods=['GET', 'POST'])
+    @login_required
+    def change_password():
+        if request.method == 'POST':
+            current_password = request.form.get('current_password')
+            new_password = request.form.get('new_password')
+            confirm_password = request.form.get('confirm_password')
+            
+            if not current_user.check_password(current_password):
+                flash('Current password is incorrect.', 'danger')
+                return redirect(url_for('auth.change_password'))
+                
+            if new_password != confirm_password:
+                flash('New passwords do not match.', 'danger')
+                return redirect(url_for('auth.change_password'))
+                
+            current_user.set_password(new_password)
+            db.session.commit()
+            flash('Password changed successfully!', 'success')
+            return redirect(url_for('main.dashboard'))
+            
+        return render_template('auth/change_password.html')