First of all, apologies in advance if this is not the right place for this or if this topic has already been brought up. Long time listener, first time caller.
I would like to propose having some sort of password validation layer that can be activated every time a user's password is created or changed.
Here's the core of my problem:
I've worked on a few different Django-based applications. Where possible, we've tried to leverage the contrib.auth module when it comes to user management. Eventually, we will fall under some sort of compliance (SOX, PCI, HIPAA, etc.) and need to enact the security best practices. These always include enforcing password length, complexity, etc.
My problem is there ends up being a bunch of places where the password can be changed: our website via emailed password reset, our website via password change form, the admin console, our REST API for mobile, etc. I end up needing to create a bunch of custom override forms and functions, and make sure our other team members know to do the same.
I've come up with a few solutions that I'd love to share with the community. However, the level at which they are implemented makes them difficult to just include in Django as a separate third-party module / application.
Anyway, looking through various forums, I see that I'm not the first person to have this problem. I was wondering what people thought about having a configurable password validation function that gets called within auth every time a password is changed?
In settings.py it could look like this:
AUTH_PASSWORD_VALIDATION = 'account_mgnt.validators.password'
by default it would be
AUTH_PASSWORD_VALIDATION = None
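An added sketch of how the proposed hook could work (example code, not from the original post and not Django's own): a sample validator standing in for the hypothetical account_mgnt.validators.password, the dotted-path lookup of the setting, and one choke point that a set_password would call. The User class and the "hashing" are stand-ins; all names are assumptions.

```python
import importlib
import re

# Stands in for the proposed settings.py entry; None (the proposed default) disables validation.
AUTH_PASSWORD_VALIDATION = None  # e.g. 'account_mgnt.validators.password'

MIN_LENGTH = 12  # assumed policy value


def password(raw_password, user=None):
    """Sample validator (hypothetical account_mgnt.validators.password).
    Raises ValueError with a reason; returns None when the password is acceptable."""
    if len(raw_password) < MIN_LENGTH:
        raise ValueError("password must be at least %d characters" % MIN_LENGTH)
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    if sum(1 for p in classes if re.search(p, raw_password)) < 3:
        raise ValueError("password needs three of: lowercase, uppercase, digit, symbol")
    if user is not None:
        for attr in ("username", "email"):
            value = getattr(user, attr, None)
            if value and value.lower() in raw_password.lower():
                raise ValueError("password must not contain your %s" % attr)


def resolve_validator(dotted_path):
    """Turn 'pkg.module.func' into the callable, as the setting would be loaded."""
    if dotted_path is None:
        return None
    module_path, _, attr = dotted_path.rpartition(".")
    return getattr(importlib.import_module(module_path), attr)


def validate_password(raw_password, user=None, validator=AUTH_PASSWORD_VALIDATION):
    """Single choke point every password-setting path would call (change form,
    reset, admin, REST API). Returns (ok, reason)."""
    func = validator if callable(validator) else resolve_validator(validator)
    if func is None:  # validation switched off
        return True, ""
    try:
        func(raw_password, user)
    except ValueError as exc:
        return False, str(exc)
    return True, ""


class User:
    """Minimal stand-in for contrib.auth's User; only set_password matters here."""

    def __init__(self, username, email=""):
        self.username, self.email, self.password = username, email, None

    def set_password(self, raw_password):
        ok, reason = validate_password(raw_password, self, validator=password)
        if not ok:
            raise ValueError(reason)
        self.password = "hashed:" + raw_password  # real code would hash, not store
```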