Conversation

@DeathGun44
Contributor

Description

Implemented FINERACT-2003: Enforce password reset on first login.
This PR adds a configurable policy forcing users to change their password upon first login or after an admin reset.

Key Changes

  • Database: Added password_reset_required column to m_appuser. System user mifos is explicitly exempted.
  • Configuration: Added force-password-reset-on-first-login global flag.
  • Security: Implemented PlatformUserDetailsChecker to enforce the check post-authentication, replacing custom DaoAuthenticationProvider inheritance.
  • Logic:
    • Trigger: Flag set to true on User Creation and Admin Password Reset.
    • Clear: Flag set to false on successful Self Password Change.
    • Loop Prevention: Logic prevents reset loops during self-updates.
  • API: Throws PasswordResetRequiredException (HTTP 403) to signal the UI.

Checklist

Note:
I have temporarily included the fix from PR #5384 (GlobalConfigurationHelper.java) to unblock the integration tests (avoids IndexOutOfBoundsException). I will remove this file via rebase once PR #5384 is merged.
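As an added example (not the PR's or Fineract's code), the following plain-Java model shows the flow the description above lays out: a per-user password_reset_required flag, the global force-password-reset-on-first-login switch, a post-authentication checker that refuses an otherwise valid login, the trigger on creation and admin reset, the clear on self change, and the loop-prevention rule keyed on who is performing the update. The names PlatformUserDetailsChecker, AppUser, PasswordResetRequiredException and mifos come from the description; the method names, the single changePassword entry point, the plaintext password comparison and the "actor equals target" reading of loop prevention are assumptions made so the demo runs stand-alone without Spring.

```java
import java.util.Objects;

/*
 * Added example, not Fineract's code. Models the policy described in the PR:
 * a per-user password_reset_required flag, a global force-password-reset-on-first-login
 * switch, a post-authentication check that rejects the login, the admin-reset trigger,
 * the self-change clear, and loop prevention for self-updates.
 * Class names mirror the PR text; method names and the plaintext comparison are
 * assumptions for a self-contained demo.
 */
public class PasswordResetPolicyDemo {

    static final String SYSTEM_USER = "mifos"; // exempted from the policy per the PR

    /** Signals the UI that a password change is required; the API layer maps it to HTTP 403. */
    static final class PasswordResetRequiredException extends RuntimeException {
        PasswordResetRequiredException(String username) {
            super("password reset required for '" + username + "'");
        }
    }

    static final class AppUser {
        final String username;
        String password;               // plaintext only in this demo; real systems store a hash
        boolean passwordResetRequired; // mirrors the m_appuser.password_reset_required column

        AppUser(String username, String password, boolean resetRequiredOnCreation) {
            this.username = username;
            this.password = password;
            // Trigger on user creation, unless this is the exempted system user.
            this.passwordResetRequired = resetRequiredOnCreation && !SYSTEM_USER.equals(username);
        }
    }

    /** Plays the role of the PR's PlatformUserDetailsChecker (a post-authentication check). */
    static final class PlatformUserDetailsChecker {
        private final boolean forcePasswordResetOnFirstLogin; // the global configuration flag

        PlatformUserDetailsChecker(boolean forcePasswordResetOnFirstLogin) {
            this.forcePasswordResetOnFirstLogin = forcePasswordResetOnFirstLogin;
        }

        /** Runs after credentials were verified: a correct password still yields no session. */
        void check(AppUser user) {
            if (forcePasswordResetOnFirstLogin && user.passwordResetRequired) {
                throw new PasswordResetRequiredException(user.username);
            }
        }
    }

    /** Credential check first, policy check second; returns the authenticated user. */
    static AppUser login(AppUser user, String password, PlatformUserDetailsChecker checker) {
        if (!Objects.equals(user.password, password)) {
            throw new IllegalArgumentException("bad credentials");
        }
        checker.check(user);
        return user;
    }

    /**
     * One entry point for both flows (assumption). actor == target is a self password change
     * and clears the flag; anyone else changing the password is an admin reset and sets it.
     * Deciding on the actor rather than the endpoint is what keeps a self-update from
     * re-arming the flag and looping the user back to the reset screen.
     */
    static void changePassword(AppUser actor, AppUser target, String newPassword) {
        target.password = newPassword;
        if (actor.username.equals(target.username)) {
            target.passwordResetRequired = false;
        } else if (!SYSTEM_USER.equals(target.username)) {
            target.passwordResetRequired = true;
        }
    }

    /** True when the policy, not the credentials, blocks the login. */
    static boolean loginBlocked(AppUser user, String password, PlatformUserDetailsChecker checker) {
        try {
            login(user, password, checker);
            return false;
        } catch (PasswordResetRequiredException e) {
            return true;
        }
    }

    public static void main(String[] args) {
        PlatformUserDetailsChecker checker = new PlatformUserDetailsChecker(true);
        AppUser admin = new AppUser("admin", "adminpw", false); // pre-existing admin, assumed already reset
        AppUser alice = new AppUser("alice", "initial", true);  // newly created user
        AppUser mifos = new AppUser(SYSTEM_USER, "systempw", true);

        System.out.println("new user blocked:         " + loginBlocked(alice, "initial", checker));
        changePassword(alice, alice, "chosen");   // self change clears the flag
        System.out.println("after self change:        " + loginBlocked(alice, "chosen", checker));
        changePassword(admin, alice, "temp");     // admin reset re-arms it
        System.out.println("after admin reset:        " + loginBlocked(alice, "temp", checker));
        changePassword(alice, alice, "chosen2");  // and a second self change clears it again
        System.out.println("after second self change: " + loginBlocked(alice, "chosen2", checker));
        System.out.println("system user blocked:      " + loginBlocked(mifos, "systempw", checker));
    }
}
```

Walking through main: the new user is blocked until she changes her own password, an admin reset blocks her again, a further self change unblocks her, and the system user is never blocked. In the real Spring Security wiring the checker would implement UserDetailsChecker and be registered through DaoAuthenticationProvider's setPostAuthenticationChecks, which is the hook the description's "post-authentication" wording points at. One thing to verify in review that the description does not spell out: the self password change endpoint has to stay reachable for a user whose login the checker rejects, and every other endpoint has to stay closed to that user, otherwise the 403 is a hint to the UI rather than an enforced policy.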

</addColumn>
</changeSet>

<changeSet author="fineract" id="2" context="postgresql">
Contributor


Could you please add a context for MariaDb?

Contributor Author


Hi Victor, thank you for the review!

I looked into this to be sure, and since the c_configuration table is defined with autoIncrement="true" in the initial schema, MariaDB and MySQL automatically handle the ID counter updates when we insert new rows.

The setval command included here is specifically to manually sync the PostgreSQL sequence, which doesn't update automatically in the same way. I believe we don't need an equivalent step for MariaDB, but please let me know if you'd prefer I handle it differently!

Contributor


Thank you

Contributor

@IOhacker IOhacker left a comment


LGTM

@DeathGun44
Contributor Author

@IOhacker I looked into the failed tests; the failures are in LoanDelayedScheduleCaptures and LoanMerchantIssuedRefund, but these appear to be unrelated to the authentication changes in this PR. Could you please re-run them?
