Password setup for new users. Fixes #37

2020-11-16 15:39:58 +01:00 · 2020-11-16 15:39:58 +01:00 · 88bdfed443
commit 88bdfed443
parent 9a14b2e1fe
10 changed files with 386 additions and 109 deletions
--- a/canaille/account.py
+++ b/canaille/account.py
@ -48,13 +48,16 @@ def login():
    form = LoginForm(request.form or None)

    if request.form:
+        user = User.get(form.login.data)
+        if user and not user.has_password():
+            return redirect(url_for("canaille.account.firstlogin", uid=user.uid[0]))
+
        if not form.validate() or not User.authenticate(
            form.login.data, form.password.data, True
        ):
            flash(_("Login failed, please check your information"), "error")
            return render_template("login.html", form=form)

-        user = User.get(form.login.data)
        flash(_("Connection successful. Welcome %(user)s", user=user.name), "success")
        return redirect(url_for("canaille.account.index"))

@ -73,6 +76,67 @@ def logout():
    return redirect("/")


+@bp.route("/firstlogin/<uid>", methods=("GET", "POST"))
+def firstlogin(uid):
+    user = User.get(uid)
+    user and not user.has_password() or abort(404)
+
+    form = ForgottenPasswordForm(request.form or None, data={"login": uid})
+    if not request.form:
+        return render_template("firstlogin.html", form=form, uid=uid)
+
+    if not form.validate():
+        flash(_("Could not send the password initialization link."), "error")
+        return render_template("firstlogin.html", form=form, uid=uid)
+
+    base_url = url_for("canaille.account.index", _external=True)
+    reset_url = url_for(
+        "canaille.account.reset",
+        uid=user.uid[0],
+        hash=profile_hash(
+            user.uid[0], user.userPassword[0] if user.has_password() else ""
+        ),
+        _external=True,
+    )
+    logo, logo_extension = base64logo()
+
+    subject = _("Password initialization on {website_name}").format(
+        website_name=current_app.config.get("NAME", reset_url)
+    )
+    text_body = render_template(
+        "mail/firstlogin.txt",
+        site_name=current_app.config.get("NAME", reset_url),
+        site_url=base_url,
+        reset_url=reset_url,
+    )
+    html_body = render_template(
+        "mail/firstlogin.html",
+        site_name=current_app.config.get("NAME", reset_url),
+        site_url=base_url,
+        reset_url=reset_url,
+        logo=logo,
+        logo_extension=logo_extension,
+    )
+
+    success = send_email(
+        subject=subject,
+        sender=current_app.config["SMTP"]["FROM_ADDR"],
+        recipient=user.mail,
+        text=text_body,
+        html=html_body,
+    )
+
+    if success:
+        flash(
+            _("A password initialization link has been sent at your email address."),
+            "success",
+        )
+    else:
+        flash(_("Could not send the password initialization email"), "error")
+
+    return render_template("firstlogin.html", form=form, uid=uid)
+
+
@bp.route("/users")
@moderator_needed()
 def users(user):
@ -215,12 +279,13 @@ def forgotten():
        )
        return render_template("forgotten-password.html", form=form)

-    recipient = user.mail
    base_url = url_for("canaille.account.index", _external=True)
    reset_url = url_for(
        "canaille.account.reset",
        uid=user.uid[0],
-        hash=profile_hash(user.uid[0], user.userPassword[0]),
+        hash=profile_hash(
+            user.uid[0], user.userPassword[0] if user.has_password() else ""
+        ),
        _external=True,
    )
    logo, logo_extension = base64logo()
@ -228,7 +293,6 @@ def forgotten():
    subject = _("Password reset on {website_name}").format(
        website_name=current_app.config.get("NAME", reset_url)
    )
-
    text_body = render_template(
        "mail/reset.txt",
        site_name=current_app.config.get("NAME", reset_url),
@ -247,7 +311,7 @@ def forgotten():
    success = send_email(
        subject=subject,
        sender=current_app.config["SMTP"]["FROM_ADDR"],
-        recipient=recipient,
+        recipient=user.mail,
        text=text_body,
        html=html_body,
    )
@ -267,7 +331,9 @@ def reset(uid, hash):
    form = PasswordResetForm(request.form)
    user = User.get(uid)

-    if not user or hash != profile_hash(user.uid[0], user.userPassword[0]):
+    if not user or hash != profile_hash(
+        user.uid[0], user.userPassword[0] if user.has_password() else ""
+    ):
        flash(
            _("The password reset link that brought you here was invalid."),
            "error",
--- a/canaille/models.py
+++ b/canaille/models.py
@ -69,6 +69,9 @@ class User(LDAPObject):
        except KeyError:
            pass

+    def has_password(self):
+        return bool(self.userPassword)
+
    def check_password(self, password):
        conn = ldap.initialize(current_app.config["LDAP"]["URI"])
        try:
--- a/canaille/templates/mail/reset.txt
+++ b/canaille/templates/mail/reset.txt
@ -1,6 +1,6 @@
-# {% trans %}Password reinitialisation{% endtrans %}
+# {% trans %}Password initialization{% endtrans %}

-{% trans %}Someone, probably you, asked for a password reinitialization link at {{ site_name }}. If you did not asked for this email, please ignore it. I you need to reset your password, please click on the link below and follow the instructions.{% endtrans %}
+{% trans %}In order to finalize your account configuration at {{ site_name }}, we need to setup your password. Please click on the blue button below and follow the instructions.{% endtrans %}

-{% trans %}Reset password{% endtrans %}: {{ reset_url }}
+{% trans %}Initialize password{% endtrans %}: {{ reset_url }}
 {{ site_name }}: {{ site_url }}
--- a/canaille/translations/README.md
+++ b/canaille/translations/README.md
@ -1,7 +1,7 @@
 Extract the messages with:

 ```
-pybabel extract --mapping-file canaille/translations/babel.cfg --output-file canaille/translations/messages.pot .
+pybabel extract --mapping-file canaille/translations/babel.cfg --output-file canaille/translations/messages.pot canaille
 ```

 Add a new language with:
--- a/canaille/translations/fr/LC_MESSAGES/messages.mo
+++ b/canaille/translations/fr/LC_MESSAGES/messages.mo
--- a/canaille/translations/fr/LC_MESSAGES/messages.po
+++ b/canaille/translations/fr/LC_MESSAGES/messages.po
@ -8,8 +8,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PROJECT VERSION\n"
 "Report-Msgid-Bugs-To: contact@yaal.fr\n"
-"POT-Creation-Date: 2020-11-02 11:37+0100\n"
-"PO-Revision-Date: 2020-11-02 11:38+0100\n"
+"POT-Creation-Date: 2020-11-16 15:36+0100\n"
+"PO-Revision-Date: 2020-11-16 15:36+0100\n"
 "Last-Translator: Éloi Rivard <eloi@yaal.fr>\n"
 "Language: fr_FR\n"
 "Language-Team: French - France <equipe@yaal.fr>\n"
@ -17,65 +17,82 @@ msgstr ""
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Generated-By: Babel 2.8.0\n"
+"Generated-By: Babel 2.8.1\n"
 "X-Generator: Gtranslator 3.38.0\n"

-#: canaille/account.py:51 canaille/oauth.py:58
+#: canaille/account.py:58 canaille/oauth.py:58
 msgid "Login failed, please check your information"
 msgstr "La connexion a échoué, veuillez vérifier vos informations."

-#: canaille/account.py:55
+#: canaille/account.py:61
 #, python-format
 msgid "Connection successful. Welcome %(user)s"
 msgstr "Connexion réussie. Bienvenue %(user)s"

-#: canaille/account.py:66
+#: canaille/account.py:72
 #, python-format
 msgid "You have been disconnected. See you next time %(user)s"
 msgstr "Vous avez été déconnectés. À bientôt %(user)s"

-#: canaille/account.py:92
+#: canaille/account.py:89
+msgid "Could not send the password initialization link."
+msgstr "Impossible d'envoyer le courriel d'initialisation de mot de passe."
+
+#: canaille/account.py:103
+msgid "Password initialization on {website_name}"
+msgstr "Initialisation de votre mot de passe sur {website_name}"
+
+#: canaille/account.py:131
+msgid "A password initialization link has been sent at your email address."
+msgstr ""
+"Un lien d'initialisation de mot de passe a été envoyé à votre adresse email."
+
+#: canaille/account.py:135
+msgid "Could not send the password initialization email"
+msgstr "Impossible d'envoyer le courriel d'initialisation de mot de passe."
+
+#: canaille/account.py:159
 msgid "User creation failed."
 msgstr "La création de l'utilisateur a échoué."

-#: canaille/account.py:109
+#: canaille/account.py:176
 msgid "User creation succeed."
 msgstr "La création de l'utilisateur a réussi."

-#: canaille/account.py:151
+#: canaille/account.py:218
 msgid "Profile edition failed."
 msgstr "L'édition du profil a échoué."

-#: canaille/account.py:165
+#: canaille/account.py:232
 msgid "Profile updated successfuly."
 msgstr "Le profil a été mis à jour avec succès."

-#: canaille/account.py:181
+#: canaille/account.py:248
 #, python-format
 msgid "The user %(user)s has been sucessfuly deleted"
 msgstr "L'utilisateur %(user)s a bien été supprimé"

-#: canaille/account.py:204
+#: canaille/account.py:271
 msgid "Could not send the password reset link."
 msgstr "Impossible d'envoyer le lien de réinitialisation."

-#: canaille/account.py:211 canaille/account.py:284
+#: canaille/account.py:278 canaille/account.py:321
 msgid "A password reset link has been sent at your email address."
 msgstr "Un lien de réinitialisation vous a été envoyé à votre adresse."

-#: canaille/account.py:233
+#: canaille/account.py:293
 msgid "Password reset on {website_name}"
 msgstr "Réinitialisation du mot de passe sur {website_name}"

-#: canaille/account.py:278
+#: canaille/account.py:324
 msgid "Could not reset your password"
 msgstr "Impossible de réinitialiser votre mot de passe"

-#: canaille/account.py:297
+#: canaille/account.py:338
 msgid "The password reset link that brought you here was invalid."
 msgstr "Le lien de réinitialisation qui vous a amené ici est invalide."

-#: canaille/account.py:306
+#: canaille/account.py:347
 msgid "Your password has been updated successfuly"
 msgstr "Votre mot de passe a correctement été mis à jour."

@ -160,7 +177,7 @@ msgstr "Votre adresse postale."
 msgid "Your phone number."
 msgstr "Votre numéro de téléphone."

-#: canaille/oauth.py:96
+#: canaille/oauth.py:97
 msgid "You have been successfully logged out."
 msgstr "Vous avez été déconnectés."

@ -241,25 +258,46 @@ msgstr "Le client n'a pas été édité. Veuillez vérifier vos informations."
 msgid "The client has been edited."
 msgstr "Le client a été édité."

-#: canaille/templates/authorize.html:10
-#, python-format
-msgid "You are logged id as: %(name)s"
-msgstr "Vous êtes identifiés en tant que : %(name)s"
+#: canaille/templates/about.html:14
+msgid "About canaille"
+msgstr "À propos de canaille"

-#: canaille/templates/authorize.html:13
+#: canaille/templates/about.html:16
+msgid "Free and open-source identity provider."
+msgstr "Fournisseur d'identité numérique libre"
+
+#: canaille/templates/about.html:19
+#, python-format
+msgid "Version %(version)s"
+msgstr "Version %(version)s"
+
+#: canaille/templates/about.html:20
+msgid "Source code"
+msgstr "Code source"
+
+#: canaille/templates/about.html:21
+msgid "Documentation"
+msgstr "Documentation"
+
+#: canaille/templates/authorize.html:9
 #, python-format
 msgid "The application %(name)s is requesting access to:"
 msgstr "L'application %(name)s demande un accès à :"

-#: canaille/templates/authorize.html:37
+#: canaille/templates/authorize.html:32
+#, python-format
+msgid "You are logged id as: %(name)s"
+msgstr "Vous êtes identifiés en tant que : %(name)s"
+
+#: canaille/templates/authorize.html:39
 msgid "Deny"
 msgstr "Refuser"

-#: canaille/templates/authorize.html:40
+#: canaille/templates/authorize.html:42
 msgid "Switch user"
 msgstr "Changer d'utilisateur"

-#: canaille/templates/authorize.html:43
+#: canaille/templates/authorize.html:45
 msgid "Accept"
 msgstr "Accepter"

@ -344,8 +382,43 @@ msgstr "Page non trouvée"
 msgid "Technical problem"
 msgstr "Problème technique"

+#: canaille/templates/firstlogin.html:12
+msgid "First login"
+msgstr "Première connexion"
+
+#: canaille/templates/firstlogin.html:19
+msgid ""
+"\n"
+"        It seems this is the first time you are logging here. In order to "
+"finalize your\n"
+"        account configuration, you need to set a password to your account. "
+"We will send\n"
+"        you an email containing a link that will allow you to set a "
+"password. Please click\n"
+"        on the blue button below to send the email.\n"
+"        "
+msgstr ""
+"\n"
+"        Il semblerait que ce soit la première fois que vous vous connectez "
+"ici. Afin de finaliser\n"
+"        la configuration de votre compte, vous devez choisir un mot de "
+"passe. Nous allons vous\n"
+"        envoyer un courriel contenant un lien qui vous permettra de choisir "
+"un mot de passe.\n"
+"        Veuillez cliquer sur le bouton bleu ci-dessous pour envoyer le "
+"courriel."
+
+#: canaille/templates/firstlogin.html:35
+msgid "Send the initialization email"
+msgstr "Envoyer le courriel d'initialisation"
+
+#: canaille/templates/firstlogin.html:36
+#: canaille/templates/forgotten-password.html:37
+msgid "Login page"
+msgstr "Page de connexion"
+
 #: canaille/templates/forgotten-password.html:12
-#: canaille/templates/login.html:34
+#: canaille/templates/login.html:36
 msgid "Forgotten password"
 msgstr "Mot de passe oublié"

@ -371,20 +444,16 @@ msgstr ""
 msgid "Send"
 msgstr "Envoyer"

-#: canaille/templates/forgotten-password.html:37
-msgid "Login page"
-msgstr "Page de connexion"
-
-#: canaille/templates/login.html:15
+#: canaille/templates/login.html:17
 #, python-format
 msgid "Sign in at %(website)s"
 msgstr "Connexion à %(website)s"

-#: canaille/templates/login.html:17
+#: canaille/templates/login.html:19
 msgid "Log-in and manage your authorizations."
 msgstr "Connectez-vous et gérez vos autorisations."

-#: canaille/templates/login.html:33
+#: canaille/templates/login.html:35
 msgid "Sign in"
 msgstr "Se connecter"

@ -515,10 +584,52 @@ msgstr "URL"
 msgid "View a token"
 msgstr "Voir un jeton"

-#: canaille/templates/mail/reset.html:28 canaille/templates/mail/reset.txt:1
+#: canaille/templates/mail/firstlogin.html:28
+#: canaille/templates/mail/reset.txt:1
+msgid "Password initialization"
+msgstr "Initialisation du mot de passe"
+
+#: canaille/templates/mail/firstlogin.html:33
+#: canaille/templates/mail/reset.txt:3
+#, python-format
+msgid ""
+"In order to finalize your account configuration at %(site_name)s, we need to "
+"setup your password. Please click on the blue button below and follow the "
+"instructions."
+msgstr ""
+"Afin de finaliser la configuration de votre compte sur %(site_name)s, nous "
+"devons mettre en place un mot de passe. Veuillez cliquer sur le bouton bleu, "
+"et suivre les instructions qui vous seront présentées."
+
+#: canaille/templates/mail/firstlogin.html:40
+#: canaille/templates/mail/reset.txt:5
+msgid "Initialize password"
+msgstr "Initialiser mon mot de passe"
+
+#: canaille/templates/mail/firstlogin.txt:1
+#: canaille/templates/mail/reset.html:28
 msgid "Password reinitialisation"
 msgstr "Réinitialisation du mot de passe"

+#: canaille/templates/mail/firstlogin.txt:3
+#, python-format
+msgid ""
+"Someone, probably you, asked for a password reinitialization link at "
+"%(site_name)s. If you did not asked for this email, please ignore it. I you "
+"need to reset your password, please click on the link below and follow the "
+"instructions."
+msgstr ""
+"Quelqu'un, probablement vous, a demandé un lien de réinitialisation de votre "
+"mot de passe pour le site %(site_name)s. Si vous n'êtes pas à l'origine de "
+"ce message, veuillez l'ignorer. Si vous voulez réinitialiser votre mot de "
+"passe, veuillez cliquer sur le lien ci-dessous, et suivre les instructions "
+"qui vous seront soumises."
+
+#: canaille/templates/mail/firstlogin.txt:5
+#: canaille/templates/mail/reset.html:40
+msgid "Reset password"
+msgstr "Réinitialiser votre mot de passe"
+
 #: canaille/templates/mail/reset.html:33
 #, python-format
 msgid ""
@ -537,24 +648,6 @@ msgstr ""
 "dessous, et suivre les instructions qui vous seront soumises.\n"
 "               "

-#: canaille/templates/mail/reset.html:40 canaille/templates/mail/reset.txt:5
-msgid "Reset password"
-msgstr "Réinitialiser votre mot de passe"
-
-#: canaille/templates/mail/reset.txt:3
-#, python-format
-msgid ""
-"Someone, probably you, asked for a password reinitialization link at "
-"%(site_name)s. If you did not asked for this email, please ignore it. I you "
-"need to reset your password, please click on the link below and follow the "
-"instructions."
-msgstr ""
-"Quelqu'un, probablement vous, a demandé un lien de réinitialisation de votre "
-"mot de passe pour le site %(site_name)s. Si vous n'êtes pas à l'origine de "
-"ce message, veuillez l'ignorer. Si vous voulez réinitialiser votre mot de "
-"passe, veuillez cliquer sur le lien ci-dessous, et suivre les instructions "
-"qui vous seront soumises."
-
 #~ msgid "Logged in as"
 #~ msgstr "Connecté en tant que"

--- a/canaille/translations/messages.pot
+++ b/canaille/translations/messages.pot
@ -8,71 +8,87 @@ msgid ""
 msgstr ""
 "Project-Id-Version: PROJECT VERSION\n"
 "Report-Msgid-Bugs-To: EMAIL@ADDRESS\n"
-"POT-Creation-Date: 2020-11-02 11:37+0100\n"
+"POT-Creation-Date: 2020-11-16 15:36+0100\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=utf-8\n"
 "Content-Transfer-Encoding: 8bit\n"
-"Generated-By: Babel 2.8.0\n"
+"Generated-By: Babel 2.8.1\n"

-#: canaille/account.py:51 canaille/oauth.py:58
+#: canaille/account.py:58 canaille/oauth.py:58
 msgid "Login failed, please check your information"
 msgstr ""

-#: canaille/account.py:55
+#: canaille/account.py:61
 #, python-format
 msgid "Connection successful. Welcome %(user)s"
 msgstr ""

-#: canaille/account.py:66
+#: canaille/account.py:72
 #, python-format
 msgid "You have been disconnected. See you next time %(user)s"
 msgstr ""

-#: canaille/account.py:92
+#: canaille/account.py:89
+msgid "Could not send the password initialization link."
+msgstr ""
+
+#: canaille/account.py:103
+msgid "Password initialization on {website_name}"
+msgstr ""
+
+#: canaille/account.py:131
+msgid "A password initialization link has been sent at your email address."
+msgstr ""
+
+#: canaille/account.py:135
+msgid "Could not send the password initialization email"
+msgstr ""
+
+#: canaille/account.py:159
 msgid "User creation failed."
 msgstr ""

-#: canaille/account.py:109
+#: canaille/account.py:176
 msgid "User creation succeed."
 msgstr ""

-#: canaille/account.py:151
+#: canaille/account.py:218
 msgid "Profile edition failed."
 msgstr ""

-#: canaille/account.py:165
+#: canaille/account.py:232
 msgid "Profile updated successfuly."
 msgstr ""

-#: canaille/account.py:181
+#: canaille/account.py:248
 #, python-format
 msgid "The user %(user)s has been sucessfuly deleted"
 msgstr ""

-#: canaille/account.py:204
+#: canaille/account.py:271
 msgid "Could not send the password reset link."
 msgstr ""

-#: canaille/account.py:211 canaille/account.py:284
+#: canaille/account.py:278 canaille/account.py:321
 msgid "A password reset link has been sent at your email address."
 msgstr ""

-#: canaille/account.py:233
+#: canaille/account.py:293
 msgid "Password reset on {website_name}"
 msgstr ""

-#: canaille/account.py:278
+#: canaille/account.py:324
 msgid "Could not reset your password"
 msgstr ""

-#: canaille/account.py:297
+#: canaille/account.py:338
 msgid "The password reset link that brought you here was invalid."
 msgstr ""

-#: canaille/account.py:306
+#: canaille/account.py:347
 msgid "Your password has been updated successfuly"
 msgstr ""

@ -157,7 +173,7 @@ msgstr ""
 msgid "Your phone number."
 msgstr ""

-#: canaille/oauth.py:96
+#: canaille/oauth.py:97
 msgid "You have been successfully logged out."
 msgstr ""

@ -238,25 +254,46 @@ msgstr ""
 msgid "The client has been edited."
 msgstr ""

-#: canaille/templates/authorize.html:10
-#, python-format
-msgid "You are logged id as: %(name)s"
+#: canaille/templates/about.html:14
+msgid "About canaille"
 msgstr ""

-#: canaille/templates/authorize.html:13
+#: canaille/templates/about.html:16
+msgid "Free and open-source identity provider."
+msgstr ""
+
+#: canaille/templates/about.html:19
+#, python-format
+msgid "Version %(version)s"
+msgstr ""
+
+#: canaille/templates/about.html:20
+msgid "Source code"
+msgstr ""
+
+#: canaille/templates/about.html:21
+msgid "Documentation"
+msgstr ""
+
+#: canaille/templates/authorize.html:9
 #, python-format
 msgid "The application %(name)s is requesting access to:"
 msgstr ""

-#: canaille/templates/authorize.html:37
+#: canaille/templates/authorize.html:32
+#, python-format
+msgid "You are logged id as: %(name)s"
+msgstr ""
+
+#: canaille/templates/authorize.html:39
 msgid "Deny"
 msgstr ""

-#: canaille/templates/authorize.html:40
+#: canaille/templates/authorize.html:42
 msgid "Switch user"
 msgstr ""

-#: canaille/templates/authorize.html:43
+#: canaille/templates/authorize.html:45
 msgid "Accept"
 msgstr ""

@ -340,8 +377,34 @@ msgstr ""
 msgid "Technical problem"
 msgstr ""

+#: canaille/templates/firstlogin.html:12
+msgid "First login"
+msgstr ""
+
+#: canaille/templates/firstlogin.html:19
+msgid ""
+"\n"
+"        It seems this is the first time you are logging here. In order to"
+" finalize your\n"
+"        account configuration, you need to set a password to your "
+"account. We will send\n"
+"        you an email containing a link that will allow you to set a "
+"password. Please click\n"
+"        on the blue button below to send the email.\n"
+"        "
+msgstr ""
+
+#: canaille/templates/firstlogin.html:35
+msgid "Send the initialization email"
+msgstr ""
+
+#: canaille/templates/firstlogin.html:36
+#: canaille/templates/forgotten-password.html:37
+msgid "Login page"
+msgstr ""
+
 #: canaille/templates/forgotten-password.html:12
-#: canaille/templates/login.html:34
+#: canaille/templates/login.html:36
 msgid "Forgotten password"
 msgstr ""

@ -361,20 +424,16 @@ msgstr ""
 msgid "Send"
 msgstr ""

-#: canaille/templates/forgotten-password.html:37
-msgid "Login page"
-msgstr ""
-
-#: canaille/templates/login.html:15
+#: canaille/templates/login.html:17
 #, python-format
 msgid "Sign in at %(website)s"
 msgstr ""

-#: canaille/templates/login.html:17
+#: canaille/templates/login.html:19
 msgid "Log-in and manage your authorizations."
 msgstr ""

-#: canaille/templates/login.html:33
+#: canaille/templates/login.html:35
 msgid "Sign in"
 msgstr ""

@ -503,10 +562,44 @@ msgstr ""
 msgid "View a token"
 msgstr ""

-#: canaille/templates/mail/reset.html:28 canaille/templates/mail/reset.txt:1
+#: canaille/templates/mail/firstlogin.html:28
+#: canaille/templates/mail/reset.txt:1
+msgid "Password initialization"
+msgstr ""
+
+#: canaille/templates/mail/firstlogin.html:33
+#: canaille/templates/mail/reset.txt:3
+#, python-format
+msgid ""
+"In order to finalize your account configuration at %(site_name)s, we need"
+" to setup your password. Please click on the blue button below and follow"
+" the instructions."
+msgstr ""
+
+#: canaille/templates/mail/firstlogin.html:40
+#: canaille/templates/mail/reset.txt:5
+msgid "Initialize password"
+msgstr ""
+
+#: canaille/templates/mail/firstlogin.txt:1
+#: canaille/templates/mail/reset.html:28
 msgid "Password reinitialisation"
 msgstr ""

+#: canaille/templates/mail/firstlogin.txt:3
+#, python-format
+msgid ""
+"Someone, probably you, asked for a password reinitialization link at "
+"%(site_name)s. If you did not asked for this email, please ignore it. I "
+"you need to reset your password, please click on the link below and "
+"follow the instructions."
+msgstr ""
+
+#: canaille/templates/mail/firstlogin.txt:5
+#: canaille/templates/mail/reset.html:40
+msgid "Reset password"
+msgstr ""
+
 #: canaille/templates/mail/reset.html:33
 #, python-format
 msgid ""
@ -518,16 +611,3 @@ msgid ""
 "                "
 msgstr ""

-#: canaille/templates/mail/reset.html:40 canaille/templates/mail/reset.txt:5
-msgid "Reset password"
-msgstr ""
-
-#: canaille/templates/mail/reset.txt:3
-#, python-format
-msgid ""
-"Someone, probably you, asked for a password reinitialization link at "
-"%(site_name)s. If you did not asked for this email, please ignore it. I "
-"you need to reset your password, please click on the link below and "
-"follow the instructions."
-msgstr ""
-
--- a/demo/README.md
+++ b/demo/README.md
@ -14,3 +14,6 @@ The canaille server has some default users:
 - A regular user which login and password are **user**;
 - A moderator user which login and password are **moderator**;
 - An admin user which admin and password are **admin**.
+- A new user which admin and password are **new**. This user has no password yet,
+  and his first attempt to log-in will result in sending a password initialization
+  email.
--- a/demo/ldif/bootstrap.ldif
+++ b/demo/ldif/bootstrap.ldif
@ -59,6 +59,17 @@ telephoneNumber: 555-000-001
 userPassword: {SSHA}Yr1ZxSljRsKyaTB30suY2iZ1KRTStF1X
 memberof: cn=users,ou=groups,dc=mydomain,dc=tld

+dn: cn=James Doe,ou=users,dc=mydomain,dc=tld
+objectclass: top
+objectclass: inetOrgPerson
+cn: James Doe
+gn: James
+sn: Doe
+uid: james
+mail: james@mydomain.tld
+telephoneNumber: 555-000-003
+memberof: cn=users,ou=groups,dc=mydomain,dc=tld
+
 dn: ou=oauth,dc=mydomain,dc=tld
 objectclass: organizationalUnit
 ou: oauth
--- a/tests/test_account.py
+++ b/tests/test_account.py
@ -1,5 +1,6 @@
 import mock
 from canaille.account import profile_hash
+from canaille.models import User


 def test_login_and_out(testclient, slapd_connection, user):
@ -62,6 +63,26 @@ def test_login_with_alternate_attribute(testclient, slapd_connection, user):
        assert user.dn == session.get("user_dn")


+def test_user_without_password_first_login(testclient, slapd_connection):
+    User.ocs_by_name(slapd_connection)
+    u = User(
+        objectClass=["inetOrgPerson"],
+        cn="Temp User",
+        sn="Temp",
+        uid="temp",
+        mail="john@doe.com",
+    )
+    u.save(slapd_connection)
+
+    res = testclient.get("/login", status=200)
+    res.form["login"] = "Temp User"
+    res.form["password"] = "anything"
+    res = res.form.submit(status=302).follow(status=200)
+
+    assert "First login" in res
+    u.delete(conn=slapd_connection)
+
+
@mock.patch("smtplib.SMTP")
 def test_password_forgotten(SMTP, testclient, slapd_connection, user):
    res = testclient.get("/reset", status=200)