Add Users API endpoint to require a password reset

Problem

Presently, the only way to require a user to change their password at next login without changing their current password is to use the Rails console to set their password expiration to a time in the past:

# Set password expiry to one day ago for all users
User.all.each do |user|
  user.password_expires_at = Date.today - 1
  user.save!
end
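The snippet above expires passwords for every account at once. As an added example (not part of the original issue and not GitLab's own code), the same console workaround can be given a narrower and more reviewable shape: operate only on an explicit list of users, report what would change before writing anything, and only save when a dry run has been inspected. The User model and its password_expires_at column are GitLab's; the expire_passwords helper, the dry_run flag and the FakeUser stand-in are assumptions of this example so that it runs outside Rails.

```ruby
require 'date'

# Expire the password of each user in `users` so that GitLab forces a password
# change at next sign-in. Returns a report of [username, old_expiry, new_expiry]
# for each user that would be (or was) changed. Writes only when dry_run is false.
# `users` is any enumerable of objects responding to #username, #password_expires_at,
# #password_expires_at= and #save!, e.g. User.where(username: %w[alice bob]) in the
# Rails console (helper and dry_run flag are assumptions of this example).
def expire_passwords(users, expire_at: Date.today - 1, dry_run: true)
  changes = []
  users.each do |user|
    # Skip users whose password is already expired, so the report lists real changes only.
    next if user.password_expires_at && user.password_expires_at <= expire_at

    changes << [user.username, user.password_expires_at, expire_at]
    next if dry_run

    user.password_expires_at = expire_at
    user.save!
  end
  changes
end

# Stand-in for the ActiveRecord User model (constructed for this example) so the
# helper can be exercised without a GitLab instance.
FakeUser = Struct.new(:username, :password_expires_at) do
  def save!
    @saved = true
  end

  def saved?
    @saved == true
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample accounts: one with no expiry, one expiring in the future,
  # one already expired. In a real console use User.where(username: names).
  users = [
    FakeUser.new('alice', nil),
    FakeUser.new('bob', Date.today + 30),
    FakeUser.new('carol', Date.today - 5)
  ]
  p expire_passwords(users)                 # dry run: reports alice and bob, writes nothing
  p expire_passwords(users, dry_run: false) # applies the change to alice and bob
end
```

Running the dry run first and checking the returned report against the intended user list is the step that the one-liner over User.all skips; only after that report looks right is the call repeated with dry_run: false.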

This is a problem because we (Support) typically try to avoid solving problems with the Rails console unless it's our last resort. Instead, we prefer to instruct customers to use the web UI or API where possible. This is because the Rails console can be potentially very destructive, and is often too dangerous for simple tasks like this.

It's possible to change a user's password using the Users API, which requires a user to update it after their next sign in. Unfortunately, this is not useful when doing bulk password resets, since you either need to give all users the same password, or manage the generation and distribution of unique passwords for each user.

This arose after a customer requested help with this process on ticket 320152 (GitLab internal).

Proposal

Instead, I ask that we extend the Users API with one or both of the following methods:

  1. A boolean reset_password_at_login that, when set to true, requires users to change their password upon their next login
  2. A date password_expiration that can be used to set a date and time that a user's password expires

Since we already have a flow for resetting passwords on sign-in when an admin changes their password, I'm hoping that it will be simple to add a method to set the flag without actually changing the user's password first.
