From 5c59c53e91b75ad3d9d0281b5504b0f88ac6f953 Mon Sep 17 00:00:00 2001
From: cmeng
Date: Thu, 30 Nov 2023 17:46:57 +1300
Subject: [PATCH] fix(password): force change password EE-6382 (#10708)

---
 api/http/handler/users/user_inspect_me.go | 15 ++++++++++++---
 api/jwt/jwt.go | 9 +++++----
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/api/http/handler/users/user_inspect_me.go b/api/http/handler/users/user_inspect_me.go
index 47f5fd96f..a199fda84 100644
--- a/api/http/handler/users/user_inspect_me.go
+++ b/api/http/handler/users/user_inspect_me.go
@@ -30,6 +30,11 @@ type CurrentUserInspectResponse struct {
 // @failure 500 "Server error"
 // @router /users/me [get]
 func (handler *Handler) userInspectMe(w http.ResponseWriter, r *http.Request) *httperror.HandlerError {
+	tokenData, err := security.RetrieveTokenData(r)
+	if err != nil {
+		return httperror.InternalServerError("Unable to retrieve user authentication token", err)
+	}
+
 	securityContext, err := security.RetrieveRestrictedRequestContext(r)
 	if err != nil {
 		return httperror.InternalServerError("Unable to retrieve info from request context", err)
@@ -42,8 +47,12 @@ func (handler *Handler) userInspectMe(w http.ResponseWriter, r *http.Request) *h
 		return httperror.InternalServerError("Unable to find a user with the specified identifier inside the database", err)
 	}
 
-	forceChangePassword := !handler.passwordStrengthChecker.Check(user.Password)
-	hideFields(user)
-	return response.JSON(w, &CurrentUserInspectResponse{User: user, ForceChangePassword: forceChangePassword})
+	return response.JSON(
+		w,
+		&CurrentUserInspectResponse{
+			User:                user,
+			ForceChangePassword: tokenData.ForceChangePassword,
+		},
+	)
 }
 
diff --git a/api/jwt/jwt.go b/api/jwt/jwt.go
index 88f7f2172..5fb031cfd 100644
--- a/api/jwt/jwt.go
+++ b/api/jwt/jwt.go
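Review bot: The second hunk of user_inspect_me.go drops the `hideFields(user)` call that previously ran before the user record was serialized, so `response.JSON` now encodes the object exactly as it was read from the store; the removed `passwordStrengthChecker.Check(user.Password)` line shows that this record carries the stored password field. If hideFields is what cleared that field (its name and its position right before the JSON write suggest so), the /users/me response now returns the stored credential to the caller, which is a regression unrelated to the force-change-password fix. Re-adding the sanitizer just before the write, `hideFields(user)` above `return response.JSON(`, restores the previous behaviour while keeping the new token-based flag. Separately, `ForceChangePassword` is now taken from the token rather than recomputed per request, so it reflects the state at token issue time; the commit does not show whether a successful password change mints a fresh token, which is worth confirming so the flag is cleared without a re-login.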
@@ -126,10 +126,11 @@ func (service *Service) ParseAndVerifyToken(token string) (*portainer.TokenData,
 	}
 
 	return &portainer.TokenData{
-		ID:       portainer.UserID(cl.UserID),
-		Username: cl.Username,
-		Role:     portainer.UserRole(cl.Role),
-		Token:    token,
+		ID:                  portainer.UserID(cl.UserID),
+		Username:            cl.Username,
+		Role:                portainer.UserRole(cl.Role),
+		Token:               token,
+		ForceChangePassword: cl.ForceChangePassword,
 	}, nil
 }
 }
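Review bot: The new `ForceChangePassword: cl.ForceChangePassword` line copies the flag straight from the parsed claims, and there is no comment explaining that this value is a snapshot taken when the token was signed rather than a live check. Tokens issued before this claim existed will presumably decode it as the zero value, false, so users holding such tokens are not prompted until they re-authenticate; with the per-request strength check removed in user_inspect_me.go, that gap is no longer covered elsewhere. A short comment on the field would make the contract explicit for the next maintainer, e.g. `// ForceChangePassword is fixed at token issue time; older tokens without the claim yield false until reissued.`. ParseAndVerifyToken begins outside this hunk, so the claim-struct definition and signature verification that make this value trustworthy are not visible here.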