add passwordchangerequired in listUsers API response, it will be used in UI to render reset password form

Author: sudo87

api/src/main/java/org/apache/cloudstack/api/response/UserResponse.java

@@ -132,6 +132,10 @@ public class UserResponse extends BaseResponse implements SetResourceIconRespons
     @Param(description = "whether api key access is Enabled, Disabled or set to Inherit (it inherits the value from the parent)", since = "4.20.1.0")
     ApiConstants.ApiKeyAccess apiKeyAccess;
 
+    @SerializedName(value = ApiConstants.PASSWORD_CHANGE_REQUIRED)
+    @Param(description = "Is User required to change password on next login.", since = "4.23.0")
+    private Boolean passwordChangeRequired;
+
     @Override
     public String getObjectId() {
         return this.getId();
@@ -317,4 +321,12 @@ public void set2FAmandated(Boolean is2FAmandated) {
     public void setApiKeyAccess(Boolean apiKeyAccess) {
         this.apiKeyAccess = ApiConstants.ApiKeyAccess.fromBoolean(apiKeyAccess);
     }
+
+    public Boolean isPasswordChangeRequired() {
+        return passwordChangeRequired;
+    }
+
+    public void setPasswordChangeRequired(Boolean passwordChangeRequired) {
+        this.passwordChangeRequired = passwordChangeRequired;
+    }
 }

engine/schema/src/main/resources/META-INF/db/views/cloud.user_view.sql

@@ -53,7 +53,8 @@ select
     async_job.uuid job_uuid,
     async_job.job_status job_status,
     async_job.account_id job_account_id,
-    user.is_user_2fa_enabled is_user_2fa_enabled
+    user.is_user_2fa_enabled is_user_2fa_enabled,
+   `user_details`.`value` AS `password_change_required`
 from
     `cloud`.`user`
         inner join
@@ -63,4 +64,7 @@ from
         left join
     `cloud`.`async_job` ON async_job.instance_id = user.id
         and async_job.instance_type = 'User'
-        and async_job.job_status = 0;
+        and async_job.job_status = 0
+        left join
+    `cloud`.`user_details` AS `user_details` ON `user_details`.`user_id` = `user`.`id`
+        and `user_details`.`name` = 'PasswordChangeRequired';

server/src/main/java/com/cloud/api/query/dao/UserAccountJoinDaoImpl.java

@@ -73,6 +73,7 @@ public UserResponse newUserResponse(ResponseView view, UserAccountJoinVO usr) {
         userResponse.setSecretKey(usr.getSecretKey());
         userResponse.setIsDefault(usr.isDefault());
         userResponse.set2FAenabled(usr.isUser2faEnabled());
+        userResponse.setPasswordChangeRequired(usr.isPasswordChangeRequired());
         long domainId = usr.getDomainId();
         boolean is2FAmandated = Boolean.TRUE.equals(AccountManagerImpl.enableUserTwoFactorAuthentication.valueIn(domainId)) && Boolean.TRUE.equals(AccountManagerImpl.mandateUserTwoFactorAuthentication.valueIn(domainId));
         userResponse.set2FAmandated(is2FAmandated);

server/src/main/java/com/cloud/api/query/vo/UserAccountJoinVO.java

@@ -136,6 +136,9 @@ public class UserAccountJoinVO extends BaseViewVO implements InternalIdentity, I
     @Column(name = "api_key_access")
     Boolean apiKeyAccess;
 
+    @Column(name = "password_change_required")
+    Boolean passwordChangeRequired;
+
     public UserAccountJoinVO() {
     }
 
@@ -288,4 +291,8 @@ public boolean isUser2faEnabled() {
     public Boolean getApiKeyAccess() {
         return apiKeyAccess;
     }
+
+    public Boolean isPasswordChangeRequired() {
+        return passwordChangeRequired;
+    }
 }

ui/public/locales/en.json

@@ -3124,6 +3124,7 @@
 "message.change.offering.for.volume.failed": "Change offering for the volume failed",
 "message.change.offering.for.volume.processing": "Changing offering for the volume...",
 "message.change.password": "Please change your password.",
+"message.change.password.required": "You are required to change your password.",
 "message.change.scope.failed": "Scope change failed",
 "message.change.scope.processing": "Scope change in progress",
 "message.change.service.offering.sharedfs.failed": "Failed to change service offering for the Shared FileSystem.",
@@ -3673,6 +3674,7 @@
 "message.please.confirm.remove.user.data": "Please confirm that you want to remove this User Data",
 "message.please.enter.valid.value": "Please enter a valid value.",
 "message.please.enter.value": "Please enter values.",
+"message.please.login.new.password": "Please log in again with your new password",
 "message.please.wait.while.autoscale.vmgroup.is.being.created": "Please wait while your AutoScaling Group is being created; this may take a while...",
 "message.please.wait.while.zone.is.being.created": "Please wait while your Zone is being created; this may take a while...",
 "message.pod.dedicated": "Pod dedicated.",

ui/src/store/modules/user.js

@@ -332,13 +332,6 @@ const user = {
 
     GetInfo ({ commit }, switchDomain) {
       return new Promise((resolve, reject) => {
-        // A. Restore Lock State
-        const loginSource = vueProps.$localStorage.get(LOGIN_SOURCE)
-        const isPwdChangeRequired = vueProps.$localStorage.get(PASSWORD_CHANGE_REQUIRED) === 'true'
-        // Only lock if source was password
-        const isLocked = (loginSource === 'password' && isPwdChangeRequired)
-        commit('SET_PASSWORD_CHANGE_REQUIRED', isLocked)
-
         const cachedApis = switchDomain ? {} : vueProps.$localStorage.get(APIS, {})
         const cachedZones = vueProps.$localStorage.get(ZONES, [])
         const cachedTimezoneOffset = vueProps.$localStorage.get(TIMEZONE_OFFSET, 0.0)
@@ -355,28 +348,22 @@ const user = {
         commit('SET_DARK_MODE', darkMode)
         commit('SET_LATEST_VERSION', latestVersion)
 
-        if (isLocked) {
-          console.log('Password change required. Fetching user info only.')
-
-          // We MUST fetch listUsers so the UI Header (Avatar/Name) works
+        // This block is to enforce password change for first time login after admin resets password
+        const loginSource = vueProps.$localStorage.get(LOGIN_SOURCE)
+        const isPwdChangeRequired = vueProps.$localStorage.get(PASSWORD_CHANGE_REQUIRED) === 'true'
+        const isPwdChangeRequiredForLogin = (loginSource === 'password' && isPwdChangeRequired)
+        commit('SET_PASSWORD_CHANGE_REQUIRED', isPwdChangeRequiredForLogin)
+        if (isPwdChangeRequiredForLogin) {
           getAPI('listUsers', { id: Cookies.get('userid') }).then(response => {
             const result = response.listusersresponse.user[0]
-
-            // Populate State
             commit('SET_INFO', result)
             commit('SET_NAME', result.firstname + ' ' + result.lastname)
             if (result.icon?.base64image) commit('SET_AVATAR', result.icon.base64image)
-
-            // DO NOT fetch Apis
-            // DO NOT fetch Zones
-            // DO NOT call GenerateRoutes
-
-            resolve({}) // Resolve empty to signal permission.js to proceed
+            resolve({})
           }).catch(error => {
             reject(error)
           })
-
-          return // Stop execution
+          return
         }
 
         if (hasAuth) {

ui/src/views/iam/ForceChangePassword.vue

@@ -24,17 +24,38 @@
             <div style="text-align: center; font-size: 18px; font-weight: bold;">
               {{ $t('label.action.change.password') }}
             </div>
-            <div style="text-align: center; font-size: 14px; color: #666; margin-top: 5px;">
-              {{ $t('message.change.password') }}
+            <div v-if="!isSubmitted" style="text-align: center; font-size: 14px; color: #666; margin-top: 5px;">
+              {{ $t('message.change.password.required') }}
             </div>
           </template>
+          <a-spin :spinning="loading">
+          <div v-if="isSubmitted" class="success-state">
+            <div class="success-icon">✓</div>
+            <div class="success-text">
+              {{ $t('message.success.change.password') }}
+            </div>
+            <div class="success-subtext">
+               {{ $t('message.please.login.new.password') }}
+            </div>
+            <a-button
+              type="primary"
+              size="large"
+              block
+              @click="handleLogout"
+              style="margin-top: 20px;"
+            >
+              {{ $t('label.login') }}
+            </a-button>
+          </div>
 
           <a-form
+            v-else
             :ref="formRef"
             :model="form"
             :rules="rules"
             layout="vertical"
             @finish="handleSubmit"
+            v-ctrl-enter="handleSubmit"
           >
             <a-form-item name="currentpassword" :label="$t('label.currentpassword')">
               <a-input-password
@@ -77,6 +98,7 @@
               <a @click="handleLogout">{{ $t('label.logout') }}</a>
             </div>
           </a-form>
+          </a-spin>
         </a-card>
       </div>
     </div>
@@ -87,33 +109,34 @@
 import { ref, reactive, toRaw } from 'vue'
 import { postAPI } from '@/api'
 import Cookies from 'js-cookie'
+import { PASSWORD_CHANGE_REQUIRED } from '@/store/mutation-types'
 
 export default {
   name: 'ForceChangePassword',
   data () {
     return {
-      loading: false
+      loading: false,
+      isSubmitted: false
     }
   },
-  beforeCreate () {
-    this.apiParams = this.$getApiParams('updateUser')
-  },
   created () {
-    this.initForm()
+    this.formRef = ref()
+    this.form = reactive({})
+    this.isPasswordChangeRequired()
   },
-  methods: {
-    initForm () {
-      this.formRef = ref()
-      this.form = reactive({})
-      this.rules = reactive({
-        currentpassword: [{ required: true, message: this.$t('message.error.current.password') }],
-        password: [{ required: true, message: this.$t('message.error.new.password') }],
+  computed: {
+    rules () {
+      return {
+        currentpassword: [{ required: true, message: this.$t('message.error.current.password') || 'Please enter current password' }],
+        password: [{ required: true, message: this.$t('message.error.new.password') || 'Please enter new password' }],
         confirmpassword: [
-          { required: true, message: this.$t('message.error.confirm.password') },
-          { validator: this.validateTwoPassword }
+          { required: true, message: this.$t('message.error.confirm.password') || 'Please confirm new password' },
+          { validator: this.validateTwoPassword, trigger: 'change' }
         ]
-      })
-    },
+      }
+    }
+  },
+  methods: {
     async validateTwoPassword (rule, value) {
       if (!value || value.length === 0) {
         return Promise.resolve()
@@ -130,9 +153,6 @@ export default {
         return Promise.resolve()
       }
     },
-    isValidValueForKey (obj, key) {
-      return key in obj && obj[key] != null
-    },
     handleSubmit (e) {
       e.preventDefault()
       if (this.loading) return
@@ -147,9 +167,8 @@ export default {
           currentpassword: values.currentpassword
         }
         postAPI('updateUser', params).then(() => {
-          this.$message.success(this.$t('message.success.change.password'), 5)
-          console.log('Password changed successfully.')
-          this.handleLogout()
+          this.$message.success(this.$t('message.success.change.password'))
+          this.isSubmitted = true
         }).catch(error => {
           console.error(error)
           this.$notification.error({
@@ -164,17 +183,39 @@ export default {
         console.log('Validation failed:', error)
       })
     },
-    handleLogout () {
-      this.$store.dispatch('Logout').then(() => {
+    async handleLogout () {
+      try {
+        await this.$store.dispatch('Logout')
+      } catch (e) {
+        console.error('Logout failed:', e)
+      } finally {
         Cookies.remove('userid')
         Cookies.remove('token')
+        this.$localStorage.remove(PASSWORD_CHANGE_REQUIRED)
         this.$router.replace({ path: '/user/login' })
-      }).catch(err => {
-        this.$message.error({
-          title: 'Failed to Logout',
-          description: err.message
-        })
-      })
+      }
+    },
+    async isPasswordChangeRequired () {
+      try {
+        this.loading = true
+        const user = await this.getUserInfo()
+        if (user && !user.passwordchangerequired) {
+          this.isSubmitted = true
+          this.$router.replace({ path: '/user/login' })
+        }
+      } catch (e) {
+        console.error('Failed to resolve user info:', e)
+      } finally {
+        this.loading = false
+      }
+    },
+    async getUserInfo () {
+      const userInfo = this.$store.getters.userInfo
+      if (userInfo && userInfo.id) {
+        return userInfo
+      }
+      await this.$store.dispatch('GetInfo')
+      return this.$store.getters.userInfo
     }
   }
 }
@@ -217,4 +258,27 @@ export default {
     }
   }
 }
+
+.success-state {
+  text-align: center;
+  padding: 20px 0;
+
+  .success-icon {
+    font-size: 48px;
+    color: #52c41a;
+    margin-bottom: 16px;
+  }
+
+  .success-text {
+    font-size: 20px;
+    font-weight: 500;
+    color: #333;
+    margin-bottom: 8px;
+  }
+
+  .success-subtext {
+    font-size: 14px;
+    color: #666;
+  }
+}
 </style>