Force new password after password reset via API

2017-02-02 12:46:14 +02:00 · 2017-02-02 12:46:14 +02:00 · 19dda1606b
commit 19dda1606b
parent fabdcf818b
3 changed files with 12 additions and 0 deletions
--- a/changelogs/unreleased/24606-force-password-reset-on-next-login.yml
+++ b/changelogs/unreleased/24606-force-password-reset-on-next-login.yml
@ -0,0 +1,4 @@
+---
+title: Force new password after password reset via API
+merge_request:
+author: George Andrinopoulos
--- a/lib/api/users.rb
+++ b/lib/api/users.rb
@ -160,6 +160,8 @@ module API
          end
        end

+        user_params.merge!(password_expires_at: Time.now) if user_params[:password].present?
+
        if user.update_attributes(user_params.except(:extern_uid, :provider))
          present user, with: Entities::UserPublic
        else
--- a/spec/requests/api/users_spec.rb
+++ b/spec/requests/api/users_spec.rb
@ -305,6 +305,12 @@ describe API::Users, api: true  do
      expect(user.reload.bio).to eq('new test bio')
    end

+    it "updates user with new password and forces reset on next login" do
+      put api("/users/#{user.id}", admin), { password: '12345678' }
+      expect(response).to have_http_status(200)
+      expect(user.reload.password_expires_at).to be < Time.now
+    end
+
    it "updates user with organization" do
      put api("/users/#{user.id}", admin), { organization: 'GitLab' }