https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=42926 --- Comment #1 from Thibaud Guillot (thibaud_g) <thibaud.guillot@biblibre.com> --- Created attachment 201055 --> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=201055&action=edit Bug 42926: REST API - Return passwordmustchange flag when patron password is expired When a patron's password is expired (whether due to ForcePasswordResetWhenSetByStaff or natural expiration), the REST API now returns a structured 403 response with a `passwordmustchange` boolean flag. Before: - Basic auth returned 403 "Password has expired" - Cookie session with an expired password fell through to "Unexpected authentication status" After: - Both auth methods return 403 { "error": "Password must be changed", "passwordmustchange": true } - A dedicated Koha::Exceptions::Authentication::PasswordMustChange exception handles this case Test plan: 1. Enable syspref RESTBasicAuth 2. Create a patron with a password 3. Set password_expiration_date to yesterday: UPDATE borrowers SET password_expiration_date = DATE_SUB(NOW(), INTERVAL 1 DAY) WHERE userid = 'testuser'; 4. HTTP 403 with "passwordmustchange:true" into the body GET /api/v1/patrons 5. Enable syspref ForcePasswordResetWhenSetByStaff 6. Create a new patron WITH a password via the full patron add form (not quick add to set password during creation, not separately) 7. HTTP 403 with "passwordmustchange:true" into the body GET /api/v1/patrons 8. With the expired patron from step 3: POST /api/v1/public/patrons/{patron_id}/password via Basic auth Body: { "old_password": "...", "password": "NewPass!", "password_repeated": "NewPass!" } 9. HTTP 200 on GET /api/v1/patrons with new password prove -v t/db_dependent/api/v1/auth_basic.t Sponsored-by: BibLibre -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug.