DeathGun44 opened a new pull request, #5387:
URL: https://github.com/apache/fineract/pull/5387

   
   ## Description
   Implemented **FINERACT-2003: Enforce password reset on first login**.
   This PR adds a configurable policy forcing users to change their password upon first login or after an admin reset.
   
   ## Key Changes
   * **Database:** Added `password_reset_required` column to `m_appuser`. System user `mifos` is explicitly exempted.
   * **Configuration:** Added `force-password-reset-on-first-login` global flag.
   * **Security:** Implemented `PlatformUserDetailsChecker` to enforce the check post-authentication, replacing custom `DaoAuthenticationProvider` inheritance.
   * **Logic:**
       * **Trigger:** Flag set to `true` on User Creation and Admin Password Reset.
       * **Clear:** Flag set to `false` on successful Self Password Change.
       * **Loop Prevention:** Logic prevents reset loops during self-updates.
   * **API:** Throws `PasswordResetRequiredException` (HTTP 403) to signal the UI.
   
   ## Checklist
   - [x] Write the commit message as per [our guidelines](https://github.com/apache/fineract/blob/develop/CONTRIBUTING.md#pull-requests)
   - [x] Acknowledge that we will not review PRs that are not passing the build _("green")_
   - [x] Create/update [unit or integration tests](https://fineract.apache.org/docs/current/#_testing)
   - [x] Follow our [coding conventions](https://cwiki.apache.org/confluence/display/FINERACT/Coding+Conventions)
   - [ ] Add required Swagger annotation and update API documentation
   - [x] [This PR must not be a "code dump"](https://cwiki.apache.org/confluence/display/FINERACT/Pull+Request+Size+Limit)

   > **Note:**
   > I have temporarily included the fix from **PR #5384** (`GlobalConfigurationHelper.java`) to unblock the integration tests (avoids `IndexOutOfBoundsException`). I will remove this file via rebase once **PR #5384** is merged.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
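
The flag lifecycle listed under "Key Changes" (set on creation and admin reset, cleared on self change, checked after authentication), as an added example that is not code from the pull request or from Fineract. It is a dependency-free model: apart from `PasswordResetRequiredException`, `mifos` and the column and flag it mirrors, every name is hypothetical, and it assumes the actor's identity distinguishes a self change from an admin reset and that the exemption means the flag is never set for `mifos`.

```java
import java.util.HashMap;
import java.util.Map;

// Added illustration only: a dependency-free model, not Fineract source.
public class PasswordResetPolicyDemo {
    static class PasswordResetRequiredException extends RuntimeException {
        final int httpStatus = 403; // status the PR says is returned to the UI
        PasswordResetRequiredException(String user) { super("Password reset required: " + user); }
    }
    static class AppUser {
        final String username;
        boolean passwordResetRequired; // models m_appuser.password_reset_required
        AppUser(String username, boolean required) { this.username = username; this.passwordResetRequired = required; }
    }
    static final String SYSTEM_USER = "mifos";     // exempt account named in the PR
    boolean forcePasswordResetOnFirstLogin = true; // models the global configuration flag
    final Map<String, AppUser> users = new HashMap<>();

    AppUser createUser(String username) {          // trigger 1: user creation
        AppUser u = new AppUser(username, !SYSTEM_USER.equals(username));
        users.put(username, u);
        return u;
    }
    // Runs only after credentials were verified, so an unauthenticated caller
    // cannot learn from the 403 whether an account is awaiting a reset.
    void checkAfterAuthentication(AppUser u) {
        if (forcePasswordResetOnFirstLogin && u.passwordResetRequired) throw new PasswordResetRequiredException(u.username);
    }
    // Assumption: the actor's identity decides between self change and admin reset.
    void changePassword(String actor, String target) {
        AppUser u = users.get(target);
        boolean selfChange = actor.equals(target);
        // Self change clears the flag; re-arming it here would cause the reset loop.
        u.passwordResetRequired = !selfChange && !SYSTEM_USER.equals(target);
    }
    boolean loginBlocked(String username) {
        try { checkAfterAuthentication(users.get(username)); return false; }
        catch (PasswordResetRequiredException e) { return e.httpStatus == 403; }
    }
    public static void main(String[] args) {
        PasswordResetPolicyDemo p = new PasswordResetPolicyDemo();
        p.createUser("alice"); p.createUser("mifos"); // constructed sample accounts
        System.out.println("first login blocked: " + p.loginBlocked("alice"));
        p.changePassword("alice", "alice");           // self change
        System.out.println("after self change:   " + p.loginBlocked("alice"));
        p.changePassword("admin", "alice");           // trigger 2: admin reset
        System.out.println("after admin reset:   " + p.loginBlocked("alice"));
        System.out.println("system user blocked: " + p.loginBlocked("mifos"));
    }
}
```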
