check for outdated password

apps/login/src/lib/server/password.ts

@@ -6,6 +6,7 @@ import {
 } from "@/lib/server/cookie";
 import {
   getLoginSettings,
+  getPasswordExpirySettings,
   getSession,
   getUserByID,
   listAuthenticationMethodTypes,
@@ -141,8 +142,13 @@ export async function sendPassword(command: UpdateSessionCommand) {
 
   const humanUser = user.type.case === "human" ? user.type.value : undefined;
 
+  const expirySettings = await getPasswordExpirySettings(
+    command.organization ?? session.factors?.user?.organizationId,
+  );
+
   // check if the user has to change password first
   const passwordChangedCheck = checkPasswordChangeRequired(
+    expirySettings,
     session,
     humanUser,
     command.organization,

apps/login/src/lib/verify-helper.ts

@@ -1,15 +1,29 @@
+import { timestampDate } from "@zitadel/client";
 import { Session } from "@zitadel/proto/zitadel/session/v2/session_pb";
 import { LoginSettings } from "@zitadel/proto/zitadel/settings/v2/login_settings_pb";
+import { PasswordExpirySettings } from "@zitadel/proto/zitadel/settings/v2/password_settings_pb";
 import { HumanUser } from "@zitadel/proto/zitadel/user/v2/user_pb";
 import { AuthenticationMethodType } from "@zitadel/proto/zitadel/user/v2/user_service_pb";
+import moment from "moment";
 
 export function checkPasswordChangeRequired(
+  expirySettings: PasswordExpirySettings | undefined,
   session: Session,
   humanUser: HumanUser | undefined,
   organization?: string,
   authRequestId?: string,
 ) {
-  if (humanUser?.passwordChangeRequired) {
+  let isOutdated = false;
+  if (expirySettings?.maxAgeDays && humanUser?.passwordChanged) {
+    const maxAgeDays = Number(expirySettings.maxAgeDays); // Convert bigint to number
+    const passwordChangedDate = moment(
+      timestampDate(humanUser.passwordChanged),
+    );
+    const outdatedPassword = passwordChangedDate.add(maxAgeDays, "days");
+    isOutdated = moment().isAfter(outdatedPassword);
+  }
+
+  if (humanUser?.passwordChangeRequired || isOutdated) {
     const params = new URLSearchParams({
       loginName: session.factors?.user?.loginName as string,
     });

apps/login/src/lib/zitadel.ts

@@ -81,6 +81,14 @@ export async function getLoginSettings(orgId?: string) {
   return useCache ? cacheWrapper(callback) : callback;
 }
 
+export async function getPasswordExpirySettings(orgId?: string) {
+  const callback = settingsService
+    .getPasswordExpirySettings({ ctx: makeReqCtx(orgId) }, {})
+    .then((resp) => (resp.settings ? resp.settings : undefined));
+
+  return useCache ? cacheWrapper(callback) : callback;
+}
+
 export async function listIDPLinks(userId: string) {
   return userService.listIDPLinks(
     {