To ensure Super Users are really the people they claim to be, when a Super User attempts to sign in for the first time after a long break (e.g. one year?) we ask the Super User to re-validate their email address by clicking on a link.
Idea from twitter: https://twitter.com/simonw/status/1084601178954944512
I could pick up and prepare PR for that issue.
I was thinking about making two new settings in .ini config: boolean `revalidate_superusers_password` to toggle the feature (default to 1) and integer `revalidate_superusers_password_after` with default set to

I see that there is already `last_seen` option that can be used for that but what about users that don't have `last_seen`? I see that could happen in two situations:

`last_seen` saved: do you maybe know how long ago it was added? Is it something I should worry about? If so, what to do?
What do you think about that approach?
Wonder if we even need a setting or could just revalidate after 1 year or 6 months or so?
Something to keep in mind though that makes this flow a bit buggy is that we don't validate an email address when adding an account. So the super user email may not actually exist and can therefore not be validated afterwards. It should be an edge case though and we could just have an FAQ explaining how to change the email address or so in the DB.
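The sign-in decision described in this thread, written out as an added example (not code from the project or from anyone in the thread): a super user whose `last_seen` is older than the configured window is sent a re-validation link, an account with no `last_seen` at all fails closed, and an account whose email was never validated is flagged separately, which is the edge case raised above. The setting names follow the comment above; the 365-day default, the `email_verified` field, the `User` dataclass and the HMAC-signed link token are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional
import hashlib
import hmac

# Setting names from the thread; the numeric default is an assumption
# (the thread discusses "1 year or 6 months").
REVALIDATE_SUPERUSERS_PASSWORD = True
REVALIDATE_SUPERUSERS_PASSWORD_AFTER_DAYS = 365


@dataclass
class User:
    email: str
    is_superuser: bool
    last_seen: Optional[datetime]   # None: predates last_seen or never signed in
    email_verified: bool = False    # accounts are created without an email check


def needs_revalidation(user: User, now: datetime,
                       enabled: bool = REVALIDATE_SUPERUSERS_PASSWORD,
                       after_days: int = REVALIDATE_SUPERUSERS_PASSWORD_AFTER_DAYS) -> bool:
    """True when a super user has been away longer than the configured window.

    A missing last_seen is treated as "away too long" (assumption): failing
    closed costs one extra email click, failing open skips the check entirely.
    """
    if not enabled or not user.is_superuser:
        return False
    if user.last_seen is None:
        return True
    return now - user.last_seen > timedelta(days=after_days)


def sign_in_decision(user: User, now: datetime) -> str:
    """'allow', 'revalidate' (send the link) or 'email_unverified' (cannot send)."""
    if not needs_revalidation(user, now):
        return "allow"
    if not user.email_verified:
        # The address was never validated, so a link may never arrive;
        # this is the case the thread suggests handling via an FAQ / DB change.
        return "email_unverified"
    return "revalidate"


def make_validation_token(secret: bytes, email: str, now: datetime, ttl_hours: int = 24) -> str:
    """Stateless link token: expiry timestamp plus HMAC over (email, expiry)."""
    expires = int((now + timedelta(hours=ttl_hours)).timestamp())
    sig = hmac.new(secret, f"{email}|{expires}".encode(), hashlib.sha256).hexdigest()
    return f"{expires}.{sig}"


def verify_validation_token(secret: bytes, email: str, token: str, now: datetime) -> bool:
    """Reject malformed, expired, tampered or wrong-account tokens."""
    try:
        expires_text, sig = token.split(".", 1)
        expires = int(expires_text)
    except ValueError:
        return False
    if now.timestamp() > expires:
        return False
    expected = hmac.new(secret, f"{email}|{expires}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def demo_decisions() -> dict:
    """Constructed sample accounts covering each branch of the decision."""
    now = datetime(2019, 1, 14, tzinfo=timezone.utc)
    users = {
        "alice": User("alice@example.com", True, now - timedelta(days=400), email_verified=True),
        "bob": User("bob@example.com", True, now - timedelta(days=30), email_verified=True),
        "carol": User("carol@example.com", True, None, email_verified=False),
        "dave": User("dave@example.com", False, None),
    }
    return {name: sign_in_decision(u, now) for name, u in users.items()}


def demo_token_roundtrip() -> tuple:
    """(valid link, link used after expiry, link with forged signature)."""
    now = datetime(2019, 1, 14, tzinfo=timezone.utc)
    secret = b"constructed-secret-for-demo"   # constructed value, not a real key
    email = "alice@example.com"
    token = make_validation_token(secret, email, now)
    forged = token.split(".", 1)[0] + "." + "0" * 64
    return (
        verify_validation_token(secret, email, token, now + timedelta(hours=1)),
        verify_validation_token(secret, email, token, now + timedelta(hours=25)),
        verify_validation_token(secret, email, forged, now + timedelta(hours=1)),
    )


if __name__ == "__main__":
    print(demo_decisions())
    print(demo_token_roundtrip())
```

The token is bound to the account email and to an expiry, so a link for one super user cannot be replayed for another or after the window closes; the `last_seen is None` branch is where the "users that don't have `last_seen`" question from the thread is decided, and flipping it to `return False` is the fail-open alternative.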