Django Password Expiry

Question

HR adds a user with first_name, last_name, email, username, and password.
After the password is set, it must only work for 5 minutes; after that time period the password is not usable for login purposes.

Does anyone know how to solve this problem in Django?

Here is my code:

models.py

from django.contrib.auth.models import User
from django.db import models

class RegisterUser(models.Model):
    user = models.ForeignKey(User, on_delete=models.CASCADE)
    mobile = models.CharField(max_length=100)
    password_expiry = models.DateTimeField(null=True, blank=True)

settings.py

PASSWORD_RESET_TIMEOUT_MINUTES = 5

views.py

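import datetime
from datetime import timedelta

from django.contrib import auth, messages
from django.contrib.auth import authenticate
from django.contrib.auth.models import User
from django.shortcuts import redirect, render

from Password_Expiry.settings import PASSWORD_RESET_TIMEOUT_MINUTES
from .models import RegisterUser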

def register(request):
    if request.method == 'POST':
        fname = request.POST['fname']
        lname = request.POST['lname']
        mobile = request.POST['mobile']
        email = request.POST['email']
        uname = request.POST['uname']
        pwd = request.POST['pwd']
        user = User.objects.create(first_name=fname, last_name=lname, email=email, username=uname)
        user.set_password(pwd)
        user.save()
        reg_user = RegisterUser(user=user, mobile=mobile)
        reg_user.password_expiry = datetime.datetime.now() + timedelta(minutes=PASSWORD_RESET_TIMEOUT_MINUTES)
        reg_user.save()
        return redirect('/')
        return render(request, 'register.html')

def login(request):
    if request.method == 'POST':
        uname = request.POST['uname']
        pwd = request.POST['pwd']
        
        user = authenticate(username=uname, password=pwd)
        if user is not None:
            if user.is_active:
                auth.login(request, user)
                return redirect('home')
            else:
                messages.error(request, 'this account is disabled. please contact admin.')
                return redirect('login')
        else:
            messages.error(request, 'invalid username or password')
            return redirect('login')
    else:
        return render(request, 'login.html',{'message':messages})

Answer 1

Score: 0

In your login view function, you could validate that the current time is less than the password_expiry property in your model. If it has been less than 5 minutes, log the user in; otherwise you could make use of PasswordResetView and Django’s mailing backend to send a password reset email to the user. See the docs for more details:
https://docs.djangoproject.com/en/4.2/topics/auth/default/

Once the user resets the password, you need to remember to update/extend the password_expiry property in the model, so they are not prevented from logging in.

Is the RegisterUser model only used to store the user’s mobile number and password expiry time? If so, why not just extend the User model with the desired fields? Also, you have two return statements in your register function, meaning the second one is never called.

I would also suggest creating appropriate Login/Register forms in forms.py, and using them in your view functions. You would then be able to call the .is_valid() method to validate data from the form.

Since the registration form maps closely to your User model, you could use Django’s ModelForm, and then use .save() to create and save the database object, as opposed to creating the object manually in your view function.
https://docs.djangoproject.com/en/4.1/topics/forms/modelforms/

# forms.py
from django.contrib.auth.models import User
from django.forms import ModelForm

class SignUpForm(ModelForm):
   class Meta:
      model = User
      ...


# views.py
def register(request):
   if request.method == 'POST':
      form = SignUpForm(request.POST)
      ...

      if form.is_valid():
         # data valid
         ...
         form.save() # User is saved to database
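
The expiry check the answer describes, written as an added example that is not part of the original question or answer. It is kept free of Django imports so it runs on its own: `Profile`, `Decision`, `decide_login` and `on_password_reset` are hypothetical names, and in the login view the inputs would be `user is not None`, the user's RegisterUser row and `django.utils.timezone.now()`.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

PASSWORD_LIFETIME = timedelta(minutes=5)  # same window as PASSWORD_RESET_TIMEOUT_MINUTES = 5


class Decision(Enum):
    LOG_IN = "log_in"                  # call auth.login() and redirect to 'home'
    REJECT = "reject"                  # bad credentials or disabled account
    RESET_REQUIRED = "reset_required"  # password correct but past its expiry


@dataclass
class Profile:
    """Hypothetical stand-in for one RegisterUser row plus user.is_active."""
    is_active: bool
    password_expiry: Optional[datetime]


def new_expiry(now: datetime) -> datetime:
    """Expiry to store whenever a password is set or reset."""
    return now + PASSWORD_LIFETIME


def decide_login(authenticated: bool, profile: Optional[Profile], now: datetime) -> Decision:
    """Decide what the login view should do after authenticate() has run."""
    if now.tzinfo is None:
        raise ValueError("pass an aware 'now', e.g. django.utils.timezone.now()")
    if not authenticated or profile is None or not profile.is_active:
        return Decision.REJECT
    expiry = profile.password_expiry
    # Fail closed: a missing or naive expiry cannot be compared safely.
    if expiry is None or expiry.tzinfo is None:
        return Decision.RESET_REQUIRED
    # The password stops working at the expiry instant itself.
    return Decision.LOG_IN if now < expiry else Decision.RESET_REQUIRED


def on_password_reset(profile: Profile, now: datetime) -> None:
    """Restart the window after a successful reset so the new password works."""
    profile.password_expiry = new_expiry(now)
```

The expiry is only consulted after the credentials have been verified, so a caller with a wrong password gets the same rejection whether or not the password has expired.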

huangapple
  • Posted on April 13, 2023, 16:06:18
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76003078.html