
If AllowAccountReset is set to false, the user can not change the password even if it expires so he can not log in anymore #6261

Open
faustogut opened this issue Jul 17, 2024 · 4 comments

@faustogut
Contributor

Describe the bug
When domain.passwordrequirements.reset is set to X and domain.passwordrequirements.allowaccountreset is set to 'false', then X days after user creation the user cannot log in anymore (because once he enters his credentials he is prompted to change his password, but afterwards the new password he entered does not work).

NOTE: According to meshcentral-config-schema.json
domain.passwordrequirements.reset = Number of days after which the user is required to change the account password.
domain.passwordrequirements.allowaccountreset = If set to false, the account reset option on the login screen will not be available to users.

To Reproduce
Steps to reproduce the behaviour:

  1. In config.json set domain.passwordrequirements.reset = 1
  2. In config.json set domain.passwordrequirements.allowaccountreset = false
  3. Restart the program to apply config changes
  4. Create a user
  5. Wait for the password to expire (e.g. wait for 2 days)
  6. Try to log in with that user and you can see the problem (you enter your current credentials, you enter your new password, and finally you try to log in with new credentials and it does not work)

Expected behaviour
With this config, a user can not change his password unless the password expires.
When the password expires, you'll be prompted to enter a new one. Then the new password works.

Workaround
Setting domain.passwordrequirements.allowaccountreset = true avoids the problem.
Maybe there is no need to fix this scenario, but the documentation (meshcentral-config-schema.json descriptions) could be improved this way (or similar):

domain.passwordrequirements.reset = Number of days after which the user is required to change the account password. 0 means the password never expires. NOTE: If you set this to a non-zero value, please be sure to set domain.passwordrequirements.allowaccountreset to true.

domain.passwordrequirements.allowaccountreset = If set to false, the account reset option on the login screen will not be available to users. NOTE: Set to true if you set domain.passwordrequirements.reset to a non-zero value.

@faustogut faustogut added the bug label Jul 17, 2024
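The misconfiguration described in the report is easy to catch before a user gets locked out. The following is an added example, not MeshCentral's own code: a small lint that walks a MeshCentral-style config.json, flags any domain whose passwordRequirements combine a non-zero reset with allowaccountreset set to false, and computes the date on which a given password expires. Two things are assumptions rather than facts taken from the page: config keys are matched case-insensitively (the posted file mixes passwordRequirements and allowaccountreset spellings), and lastChanged is a stand-in for whatever "password last changed" timestamp the server keeps. The two config fragments are constructed from the keys quoted in the issue, not the full file.

```javascript
// Added example (not MeshCentral code): lint a MeshCentral-style config for the
// reset / allowaccountreset combination described in the issue, and compute when
// a user's password expires so an operator can see the lockout coming.
// Assumption: config keys are matched case-insensitively; "lastChanged" below is
// a stand-in for the server's real timestamp, which this example does not model.

const DAY_MS = 24 * 60 * 60 * 1000;

// Case-insensitive lookup so "passwordRequirements" and "passwordrequirements" both match.
function getKey(obj, name) {
  if (!obj || typeof obj !== 'object') return undefined;
  const want = name.toLowerCase();
  for (const k of Object.keys(obj)) {
    if (k.toLowerCase() === want) return obj[k];
  }
  return undefined;
}

// Returns one finding per domain whose passwordRequirements combine a non-zero
// "reset" with an explicit "allowaccountreset": false. An absent option is not
// reported, since only the explicit false disables the reset path.
function lintPasswordReset(config) {
  const findings = [];
  const domains = getKey(config, 'domains') || {};
  for (const [domainName, domain] of Object.entries(domains)) {
    const pr = getKey(domain, 'passwordRequirements');
    if (!pr) continue;
    const reset = Number(getKey(pr, 'reset') || 0);
    const allowReset = getKey(pr, 'allowaccountreset');
    if (reset > 0 && allowReset === false) {
      findings.push({
        domain: domainName === '' ? '(default)' : domainName,
        reset,
        message: `reset=${reset} with allowaccountreset=false: users will be forced to ` +
                 `change an expired password but the new password will not work; ` +
                 `set allowaccountreset to true`,
      });
    }
  }
  return findings;
}

// Given the date a password was last changed, the "reset" value in days and the
// current time, return the expiry date and whether the password has expired.
// A reset of 0 (or unset) means the password never expires, so expiresAt is null.
function passwordExpiry(lastChanged, resetDays, now) {
  if (!resetDays || resetDays <= 0) return { expiresAt: null, expired: false };
  const expiresAt = new Date(lastChanged.getTime() + resetDays * DAY_MS);
  return { expiresAt, expired: now.getTime() >= expiresAt.getTime() };
}

// Constructed fragments mirroring the relevant keys from the reported config.
const problematicConfig = {
  domains: {
    '': { passwordRequirements: { min: 14, reset: 365, allowaccountreset: false } },
  },
};

const fixedConfig = {
  domains: {
    '': { passwordRequirements: { min: 14, reset: 365, allowaccountreset: true } },
  },
};

// Stand-alone demo: one finding for the reported config, none for the corrected one,
// and a one-day reset created on 2024-07-17 is expired two days later.
console.log(lintPasswordReset(problematicConfig));
console.log(lintPasswordReset(fixedConfig));
console.log(passwordExpiry(new Date('2024-07-17T00:00:00Z'), 1, new Date('2024-07-19T00:00:00Z')));
```

Running the lint against the full config posted further down in this thread would produce the same single finding for the default domain, since it carries "reset": 365 together with "allowaccountreset": false.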
@si458
Collaborator

si458 commented Jul 17, 2024

you didn't quite follow the bug report template
can you share your config.json?
what meshcentral version are you using?
what nodejs version?
what server os?
what web browser?
do you use external auth at all like ldap/saml/azure?

@si458
Collaborator

si458 commented Jul 17, 2024

also can you run node node_modules/meshcentral --debug web and share the output after 1 day?
it will show you a few debug lines for the web and also what function is causing it to fail changing the password
(if thats the case)

@faustogut
Contributor Author

faustogut commented Jul 17, 2024

Server Software

  • Virtualization: Docker version 24.0.7, build afdd53b on Ubuntu 22.04.3 LTS as the host (using portainer)
  • OS: The one the docker image uses: Linux 0276ef3915c2 5.15.0-94-generic #104-Ubuntu SMP Tue Jan 9 15:25:40 UTC 2024 x86_64 Linux
  • Network: traefik reverse proxy as a Docker image: traefik:v2.11.0 (running in the same machine)
  • Version: Docker image: ghcr.io/ylianst/meshcentral:1.1.24
  • Node: The one the docker image uses: v20.12.1
  • npm: The one the docker image uses: 10.8.0

Client Device

  • Device: Desktop
  • OS: Windows 11
  • Network: Internet
  • Browser: Google Chrome v126.0.6478.114 (64 bits)
  • MeshCentralRouter Version: not applicable

Do you use external auth at all like ldap/saml/azure?
No

Your config.json file

{
  "$schema": "https://raw.githubusercontent.com/Ylianst/MeshCentral/master/meshcentral-config-schema.json",
  "settings": {
    "plugins": {
      "enabled": false
    },
    "mongoDb": "mongodb://mongodbadmin:thisisnotmyrealmongodbpasswd@mongodb:27017",
    "mongoDbName": "meshcentral",
    "mongoDbChangeStream": false,
    "mongoDbBulkOperations": true,
    "cert": "thisisnotmyrealdomainname",
    "sessionKey": "thisisnotthesessionkey",
    "port": 4430,
    "aliasPort": 443,
    "redirPort": 800,
    "redirAliasPort": 80,
    "AgentPong": 300,
    "tlsOffload": "traefik-reverse-proxy",
    "SelfUpdate": false,
    "AllowFraming": false,
    "WebRTC": true,
    "agentPong": 55,
    "autoBackup": {
      "backupIntervalHours": 60,
      "keepLastDaysBackup": 1
    }
  },
  "domains": {
    "": {
      "minify": true,
      "NewAccounts": false,
      "localSessionRecording": false,
      "certUrl": "thisisnotmyrealserveripaddress:443",
      "passwordRequirements": {
        "min": 14,
        "max": 128,
        "upper": 1,
        "lower": 1,
        "numeric": 1,
        "nonalpha": 1,
        "reset": 365,
        "email2factor": true,
        "sms2factor": false,
        "push2factor": false,
        "otp2factor": true,
        "msg2factor": false,
        "backupcode2factor": true,
        "single2factorWarning": true,
        "lock2factor": false,
        "force2factor": true,
        "skip2factor": "thisisnotmyrealipaddress",
        "oldPasswordBan": 5,
        "banCommonPasswords": true,
        "loginTokens": false,
        "twoFactorTimeout": 300,
        "autofido2fa": false,
        "maxfidokeys": null,
        "allowaccountreset": false
      },
      "twoFactorCookieDurationDays": 0
    }
  },
  "smtp": {
    "host": "thisisnotmyrealsmtpserverurl",
    "port": 465,
    "from": "thisisnotmyrealemailaccount@ispprovider.com",
    "user": "thisisnotmyrealemailaccount@ispprovider.com",
    "pass": "thisisnotmyrealemailaccountpassword",
    "tls": true
  }
}

@si458
Collaborator

si458 commented Jul 17, 2024

Thank you :)

I will have a look when I get a chance for you!

I have a feeling it's calling the password reset function, and that function has a checker for allowaccountreset==false, so it might be returning false and not actually changing the password.

Can you try logging in, resetting the password, logging in with the new password, then logging in with the old password?

Does it still let you log in with the old password after you change it to the new one, or does it just go back to the "you need to change your password" screen?
