feat: password age policy (#8132)

# Which Problems Are Solved Some organizations / customers have the requirement, that there users regularly need to change their password. ZITADEL already had the possibility to manage a `password age policy` ( thought the API) with the maximum amount of days a password should be valid, resp. days after with the user should be warned of the upcoming expiration. The policy could not be managed though the Console UI and was not checked in the Login UI. # How the Problems Are Solved - The policy can be managed in the Console UI's settings sections on an instance and organization level. - During an authentication in the Login UI, if a policy is set with an expiry (>0) and the user's last password change exceeds the amount of days set, the user will be prompted to change their password. - The prompt message of the Login UI can be customized in the Custom Login Texts though the Console and API on the instance and each organization. - The information when the user last changed their password is returned in the Auth, Management and User V2 API. - The policy can be retrieved in the settings service as `password expiry settings`. # Additional Changes None. # Additional Context - closes #8081 --------- Co-authored-by: Tim Möhlmann <tim+github@zitadel.com>
2025-08-12 07:17:34 +00:00 · 2024-06-18 13:27:44 +02:00
parent 65f787cc02
commit fb8cd18f93
93 changed files with 1250 additions and 487 deletions
--- a/internal/api/grpc/settings/v2/settings.go
+++ b/internal/api/grpc/settings/v2/settings.go
@@ -35,7 +35,22 @@ func (s *Server) GetPasswordComplexitySettings(ctx context.Context, req *setting
 		return nil, err
 	}
 	return &settings.GetPasswordComplexitySettingsResponse{
-		Settings: passwordSettingsToPb(current),
+		Settings: passwordComplexitySettingsToPb(current),
+		Details: &object_pb.Details{
+			Sequence:      current.Sequence,
+			ChangeDate:    timestamppb.New(current.ChangeDate),
+			ResourceOwner: current.ResourceOwner,
+		},
+	}, nil
+}
+
+func (s *Server) GetPasswordExpirySettings(ctx context.Context, req *settings.GetPasswordExpirySettingsRequest) (*settings.GetPasswordExpirySettingsResponse, error) {
+	current, err := s.query.PasswordAgePolicyByOrg(ctx, true, object.ResourceOwnerFromReq(ctx, req.GetCtx()), false)
+	if err != nil {
+		return nil, err
+	}
+	return &settings.GetPasswordExpirySettingsResponse{
+		Settings: passwordExpirySettingsToPb(current),
 		Details: &object_pb.Details{
 			Sequence:      current.Sequence,
 			ChangeDate:    timestamppb.New(current.ChangeDate),
--- a/internal/api/grpc/settings/v2/settings_converter.go
+++ b/internal/api/grpc/settings/v2/settings_converter.go
@@ -91,7 +91,7 @@ func multiFactorTypeToPb(typ domain.MultiFactorType) settings.MultiFactorType {
 	}
 }

-func passwordSettingsToPb(current *query.PasswordComplexityPolicy) *settings.PasswordComplexitySettings {
+func passwordComplexitySettingsToPb(current *query.PasswordComplexityPolicy) *settings.PasswordComplexitySettings {
 	return &settings.PasswordComplexitySettings{
 		MinLength:         current.MinLength,
 		RequiresUppercase: current.HasUppercase,
@@ -102,6 +102,14 @@ func passwordSettingsToPb(current *query.PasswordComplexityPolicy) *settings.Pas
 	}
 }

+func passwordExpirySettingsToPb(current *query.PasswordAgePolicy) *settings.PasswordExpirySettings {
+	return &settings.PasswordExpirySettings{
+		MaxAgeDays:        current.MaxAgeDays,
+		ExpireWarnDays:    current.ExpireWarnDays,
+		ResourceOwnerType: isDefaultToResourceOwnerTypePb(current.IsDefault),
+	}
+}
+
 func brandingSettingsToPb(current *query.LabelPolicy, assetPrefix string) *settings.BrandingSettings {
 	return &settings.BrandingSettings{
 		LightTheme:          themeToPb(current.Light, assetPrefix, current.ResourceOwner),
--- a/internal/api/grpc/settings/v2/settings_converter_test.go
+++ b/internal/api/grpc/settings/v2/settings_converter_test.go
@@ -213,7 +213,7 @@ func Test_multiFactorTypeToPb(t *testing.T) {
 	}
 }

-func Test_passwordSettingsToPb(t *testing.T) {
+func Test_passwordComplexitySettingsToPb(t *testing.T) {
 	arg := &query.PasswordComplexityPolicy{
 		MinLength:    12,
 		HasUppercase: true,
@@ -231,10 +231,29 @@ func Test_passwordSettingsToPb(t *testing.T) {
 		ResourceOwnerType: settings.ResourceOwnerType_RESOURCE_OWNER_TYPE_INSTANCE,
 	}

-	got := passwordSettingsToPb(arg)
+	got := passwordComplexitySettingsToPb(arg)
 	grpc.AllFieldsSet(t, got.ProtoReflect(), ignoreTypes...)
 	if !proto.Equal(got, want) {
-		t.Errorf("passwordSettingsToPb() =\n%v\nwant\n%v", got, want)
+		t.Errorf("passwordComplexitySettingsToPb() =\n%v\nwant\n%v", got, want)
+	}
+}
+
+func Test_passwordExpirySettingsToPb(t *testing.T) {
+	arg := &query.PasswordAgePolicy{
+		ExpireWarnDays: 80,
+		MaxAgeDays:     90,
+		IsDefault:      true,
+	}
+	want := &settings.PasswordExpirySettings{
+		ExpireWarnDays:    80,
+		MaxAgeDays:        90,
+		ResourceOwnerType: settings.ResourceOwnerType_RESOURCE_OWNER_TYPE_INSTANCE,
+	}
+
+	got := passwordExpirySettingsToPb(arg)
+	grpc.AllFieldsSet(t, got.ProtoReflect(), ignoreTypes...)
+	if !proto.Equal(got, want) {
+		t.Errorf("passwordExpirySettingsToPb() =\n%v\nwant\n%v", got, want)
 	}
 }

--- a/internal/api/grpc/text/custom_text.go
+++ b/internal/api/grpc/text/custom_text.go
@@ -316,6 +316,7 @@ func PasswordChangeScreenTextToPb(text domain.PasswordChangeScreenText) *text_pb
 	return &text_pb.PasswordChangeScreenText{
 		Title:                   text.Title,
 		Description:             text.Description,
+		ExpiredDescription:      text.ExpiredDescription,
 		OldPasswordLabel:        text.OldPasswordLabel,
 		NewPasswordLabel:        text.NewPasswordLabel,
 		NewPasswordConfirmLabel: text.NewPasswordConfirmLabel,
@@ -784,6 +785,7 @@ func PasswordChangeScreenTextPbToDomain(text *text_pb.PasswordChangeScreenText)
 	return domain.PasswordChangeScreenText{
 		Title:                   text.Title,
 		Description:             text.Description,
+		ExpiredDescription:      text.ExpiredDescription,
 		OldPasswordLabel:        text.OldPasswordLabel,
 		NewPasswordLabel:        text.NewPasswordLabel,
 		NewPasswordConfirmLabel: text.NewPasswordConfirmLabel,
--- a/internal/api/grpc/user/converter.go
+++ b/internal/api/grpc/user/converter.go
@@ -1,6 +1,8 @@
 package user

 import (
+	"google.golang.org/protobuf/types/known/timestamppb"
+
 	"github.com/zitadel/zitadel/internal/api/grpc/object"
 	"github.com/zitadel/zitadel/internal/domain"
 	"github.com/zitadel/zitadel/internal/eventstore/v1/models"
@@ -48,6 +50,10 @@ func UserTypeToPb(user *query.User, assetPrefix string) user_pb.UserType {
 }

 func HumanToPb(view *query.Human, assetPrefix, owner string) *user_pb.Human {
+	var passwordChanged *timestamppb.Timestamp
+	if !view.PasswordChanged.IsZero() {
+		passwordChanged = timestamppb.New(view.PasswordChanged)
+	}
 	return &user_pb.Human{
 		Profile: &user_pb.Profile{
 			FirstName:         view.FirstName,
@@ -66,6 +72,7 @@ func HumanToPb(view *query.Human, assetPrefix, owner string) *user_pb.Human {
 			Phone:           string(view.Phone),
 			IsPhoneVerified: view.IsPhoneVerified,
 		},
+		PasswordChanged: passwordChanged,
 	}
 }

--- a/internal/api/grpc/user/v2/query.go
+++ b/internal/api/grpc/user/v2/query.go
@@ -4,6 +4,7 @@ import (
 	"context"

 	"github.com/muhlemmer/gu"
+	"google.golang.org/protobuf/types/known/timestamppb"

 	"github.com/zitadel/zitadel/internal/api/authz"
 	"github.com/zitadel/zitadel/internal/api/grpc/object/v2"
@@ -83,6 +84,10 @@ func userTypeToPb(userQ *query.User, assetPrefix string) user.UserType {
 }

 func humanToPb(userQ *query.Human, assetPrefix, owner string) *user.HumanUser {
+	var passwordChanged *timestamppb.Timestamp
+	if !userQ.PasswordChanged.IsZero() {
+		passwordChanged = timestamppb.New(userQ.PasswordChanged)
+	}
 	return &user.HumanUser{
 		Profile: &user.HumanProfile{
 			GivenName:         userQ.FirstName,
@@ -102,6 +107,7 @@ func humanToPb(userQ *query.Human, assetPrefix, owner string) *user.HumanUser {
 			IsVerified: userQ.IsPhoneVerified,
 		},
 		PasswordChangeRequired: userQ.PasswordChangeRequired,
+		PasswordChanged:        passwordChanged,
 	}
 }

--- a/internal/api/grpc/user/v2/query_integration_test.go
+++ b/internal/api/grpc/user/v2/query_integration_test.go
@@ -23,7 +23,7 @@ func TestServer_GetUserByID(t *testing.T) {
 	type args struct {
 		ctx context.Context
 		req *user.GetUserByIDRequest
-		dep func(ctx context.Context, username string, request *user.GetUserByIDRequest) error
+		dep func(ctx context.Context, username string, request *user.GetUserByIDRequest) (*timestamppb.Timestamp, error)
 	}
 	tests := []struct {
 		name    string
@@ -38,8 +38,8 @@ func TestServer_GetUserByID(t *testing.T) {
 				&user.GetUserByIDRequest{
 					UserId: "",
 				},
-				func(ctx context.Context, username string, request *user.GetUserByIDRequest) error {
-					return nil
+				func(ctx context.Context, username string, request *user.GetUserByIDRequest) (*timestamppb.Timestamp, error) {
+					return nil, nil
 				},
 			},
 			wantErr: true,
@@ -51,8 +51,8 @@ func TestServer_GetUserByID(t *testing.T) {
 				&user.GetUserByIDRequest{
 					UserId: "unknown",
 				},
-				func(ctx context.Context, username string, request *user.GetUserByIDRequest) error {
-					return nil
+				func(ctx context.Context, username string, request *user.GetUserByIDRequest) (*timestamppb.Timestamp, error) {
+					return nil, nil
 				},
 			},
 			wantErr: true,
@@ -62,10 +62,10 @@ func TestServer_GetUserByID(t *testing.T) {
 			args: args{
 				IamCTX,
 				&user.GetUserByIDRequest{},
-				func(ctx context.Context, username string, request *user.GetUserByIDRequest) error {
+				func(ctx context.Context, username string, request *user.GetUserByIDRequest) (*timestamppb.Timestamp, error) {
 					resp := Tester.CreateHumanUserVerified(ctx, orgResp.OrganizationId, username)
 					request.UserId = resp.GetUserId()
-					return nil
+					return nil, nil
 				},
 			},
 			want: &user.GetUserByIDResponse{
@@ -106,11 +106,11 @@ func TestServer_GetUserByID(t *testing.T) {
 			args: args{
 				IamCTX,
 				&user.GetUserByIDRequest{},
-				func(ctx context.Context, username string, request *user.GetUserByIDRequest) error {
+				func(ctx context.Context, username string, request *user.GetUserByIDRequest) (*timestamppb.Timestamp, error) {
 					resp := Tester.CreateHumanUserVerified(ctx, orgResp.OrganizationId, username)
 					request.UserId = resp.GetUserId()
-					Tester.SetUserPassword(ctx, resp.GetUserId(), integration.UserPassword, true)
-					return nil
+					changed := Tester.SetUserPassword(ctx, resp.GetUserId(), integration.UserPassword, true)
+					return changed, nil
 				},
 			},
 			want: &user.GetUserByIDResponse{
@@ -138,6 +138,7 @@ func TestServer_GetUserByID(t *testing.T) {
 								IsVerified: true,
 							},
 							PasswordChangeRequired: true,
+							PasswordChanged:        timestamppb.Now(),
 						},
 					},
 				},
@@ -151,7 +152,7 @@ func TestServer_GetUserByID(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			username := fmt.Sprintf("%d@mouse.com", time.Now().UnixNano())
-			err := tt.args.dep(tt.args.ctx, username, tt.args.req)
+			changed, err := tt.args.dep(tt.args.ctx, username, tt.args.req)
 			require.NoError(t, err)
 			retryDuration := time.Minute
 			if ctxDeadline, ok := CTX.Deadline(); ok {
@@ -173,6 +174,9 @@ func TestServer_GetUserByID(t *testing.T) {
 				tt.want.User.LoginNames = []string{username}
 				if human := tt.want.User.GetHuman(); human != nil {
 					human.Email.Email = username
+					if tt.want.User.GetHuman().GetPasswordChanged() != nil {
+						human.PasswordChanged = changed
+					}
 				}
 				assert.Equal(ttt, tt.want.User, got.User)
 				integration.AssertDetails(t, tt.want, got)
@@ -316,6 +320,7 @@ func TestServer_GetUserByID_Permission(t *testing.T) {
 type userAttr struct {
 	UserID   string
 	Username string
+	Changed  *timestamppb.Timestamp
 }

 func TestServer_ListUsers(t *testing.T) {
@@ -369,7 +374,7 @@ func TestServer_ListUsers(t *testing.T) {
 					for i, username := range usernames {
 						resp := Tester.CreateHumanUserVerified(ctx, orgResp.OrganizationId, username)
 						userIDs[i] = resp.GetUserId()
-						infos[i] = userAttr{resp.GetUserId(), username}
+						infos[i] = userAttr{resp.GetUserId(), username, nil}
 					}
 					request.Queries = append(request.Queries, InUserIDsQuery(userIDs))
 					return infos, nil
@@ -423,8 +428,8 @@ func TestServer_ListUsers(t *testing.T) {
 					for i, username := range usernames {
 						resp := Tester.CreateHumanUserVerified(ctx, orgResp.OrganizationId, username)
 						userIDs[i] = resp.GetUserId()
-						Tester.SetUserPassword(ctx, resp.GetUserId(), integration.UserPassword, true)
-						infos[i] = userAttr{resp.GetUserId(), username}
+						changed := Tester.SetUserPassword(ctx, resp.GetUserId(), integration.UserPassword, true)
+						infos[i] = userAttr{resp.GetUserId(), username, changed}
 					}
 					request.Queries = append(request.Queries, InUserIDsQuery(userIDs))
 					return infos, nil
@@ -457,6 +462,7 @@ func TestServer_ListUsers(t *testing.T) {
 									IsVerified: true,
 								},
 								PasswordChangeRequired: true,
+								PasswordChanged:        timestamppb.Now(),
 							},
 						},
 					},
@@ -479,7 +485,7 @@ func TestServer_ListUsers(t *testing.T) {
 					for i, username := range usernames {
 						resp := Tester.CreateHumanUserVerified(ctx, orgResp.OrganizationId, username)
 						userIDs[i] = resp.GetUserId()
-						infos[i] = userAttr{resp.GetUserId(), username}
+						infos[i] = userAttr{resp.GetUserId(), username, nil}
 					}
 					request.Queries = append(request.Queries, InUserIDsQuery(userIDs))
 					return infos, nil
@@ -575,7 +581,7 @@ func TestServer_ListUsers(t *testing.T) {
 					for i, username := range usernames {
 						resp := Tester.CreateHumanUserVerified(ctx, orgResp.OrganizationId, username)
 						userIDs[i] = resp.GetUserId()
-						infos[i] = userAttr{resp.GetUserId(), username}
+						infos[i] = userAttr{resp.GetUserId(), username, nil}
 						request.Queries = append(request.Queries, UsernameQuery(username))
 					}
 					return infos, nil
@@ -627,7 +633,7 @@ func TestServer_ListUsers(t *testing.T) {
 					infos := make([]userAttr, len(usernames))
 					for i, username := range usernames {
 						resp := Tester.CreateHumanUserVerified(ctx, orgResp.OrganizationId, username)
-						infos[i] = userAttr{resp.GetUserId(), username}
+						infos[i] = userAttr{resp.GetUserId(), username, nil}
 					}
 					request.Queries = append(request.Queries, InUserEmailsQuery(usernames))
 					return infos, nil
@@ -679,7 +685,7 @@ func TestServer_ListUsers(t *testing.T) {
 					infos := make([]userAttr, len(usernames))
 					for i, username := range usernames {
 						resp := Tester.CreateHumanUserVerified(ctx, orgResp.OrganizationId, username)
-						infos[i] = userAttr{resp.GetUserId(), username}
+						infos[i] = userAttr{resp.GetUserId(), username, nil}
 					}
 					request.Queries = append(request.Queries, InUserEmailsQuery(usernames))
 					return infos, nil
@@ -794,7 +800,7 @@ func TestServer_ListUsers(t *testing.T) {
 					infos := make([]userAttr, len(usernames))
 					for i, username := range usernames {
 						resp := Tester.CreateHumanUserVerified(ctx, orgResp.OrganizationId, username)
-						infos[i] = userAttr{resp.GetUserId(), username}
+						infos[i] = userAttr{resp.GetUserId(), username, nil}
 					}
 					request.Queries = append(request.Queries, OrganizationIdQuery(orgResp.OrganizationId))
 					request.Queries = append(request.Queries, InUserEmailsQuery(usernames))
@@ -910,6 +916,9 @@ func TestServer_ListUsers(t *testing.T) {
 					tt.want.Result[i].LoginNames = []string{infos[i].Username}
 					if human := tt.want.Result[i].GetHuman(); human != nil {
 						human.Email.Email = infos[i].Username
+						if tt.want.Result[i].GetHuman().GetPasswordChanged() != nil {
+							human.PasswordChanged = infos[i].Changed
+						}
 					}
 				}
 				for i := range tt.want.Result {
--- a/internal/api/ui/login/change_password_handler.go
+++ b/internal/api/ui/login/change_password_handler.go
@@ -40,9 +40,19 @@ func (l *Login) renderChangePassword(w http.ResponseWriter, r *http.Request, aut
 		errType, errMessage = l.getErrorMessage(r, err)
 	}
 	translator := l.getTranslator(r.Context(), authReq)
+	if authReq == nil || len(authReq.PossibleSteps) < 1 {
+		l.renderError(w, r, authReq, err)
+		return
+	}
+	step, ok := authReq.PossibleSteps[0].(*domain.ChangePasswordStep)
+	if !ok {
+		l.renderError(w, r, authReq, err)
+		return
+	}
 	data := passwordData{
 		baseData:    l.getBaseData(r, authReq, translator, "PasswordChange.Title", "PasswordChange.Description", errType, errMessage),
 		profileData: l.getProfileData(authReq),
+		Expired:     step.Expired,
 	}
 	policy := l.getPasswordComplexityPolicy(r, authReq.UserOrgID)
 	if policy != nil {
--- a/internal/api/ui/login/renderer.go
+++ b/internal/api/ui/login/renderer.go
@@ -683,6 +683,7 @@ type passwordData struct {
 	HasLowercase string
 	HasNumber    string
 	HasSymbol    string
+	Expired      bool
 }

 type userSelectionData struct {
--- a/internal/api/ui/login/static/i18n/bg.yaml
+++ b/internal/api/ui/login/static/i18n/bg.yaml
@@ -193,6 +193,7 @@ PasswordlessRegistrationDone:
 PasswordChange:
  Title: Промяна на паролата
  Description: 'Променете паролата си. '
+  ExpiredDescription: Паролата ви е изтекла и трябва да бъде променена. Въведете старата и новата си парола.
  OldPasswordLabel: Стара парола
  NewPasswordLabel: нова парола
  NewPasswordConfirmLabel: Потвърждение на парола
--- a/internal/api/ui/login/static/i18n/cs.yaml
+++ b/internal/api/ui/login/static/i18n/cs.yaml
@@ -190,6 +190,7 @@ PasswordlessRegistrationDone:
 PasswordChange:
  Title: Změna hesla
  Description: Změňte si heslo. Zadejte své staré a nové heslo.
+  ExpiredDescription: Heslo vypršelo a musí být změněno. Zadejte své staré a nové heslo.
  OldPasswordLabel: Staré heslo
  NewPasswordLabel: Nové heslo
  NewPasswordConfirmLabel: Potvrzení hesla
--- a/internal/api/ui/login/static/i18n/de.yaml
+++ b/internal/api/ui/login/static/i18n/de.yaml
@@ -190,6 +190,7 @@ PasswordlessRegistrationDone:
 PasswordChange:
  Title: Passwort ändern
  Description: Ändere dein Passwort indem du dein altes und dann dein neues Passwort eingibst.
+  ExpiredDescription: Dein Passwort ist abgelaufen und muss geändert werden. Gib dein altes und neues Passwort ein.
  OldPasswordLabel: Altes Passwort
  NewPasswordLabel: Neues Passwort
  NewPasswordConfirmLabel: Passwort wiederholen
--- a/internal/api/ui/login/static/i18n/en.yaml
+++ b/internal/api/ui/login/static/i18n/en.yaml
@@ -190,6 +190,7 @@ PasswordlessRegistrationDone:
 PasswordChange:
  Title: Change Password
  Description: Change your password. Enter your old and new password.
+  ExpiredDescription: You password has expired and has to be changed. Enter your old and new password.
  OldPasswordLabel: Old Password
  NewPasswordLabel: New Password
  NewPasswordConfirmLabel: Password confirmation
--- a/internal/api/ui/login/static/i18n/es.yaml
+++ b/internal/api/ui/login/static/i18n/es.yaml
@@ -190,6 +190,7 @@ PasswordlessRegistrationDone:
 PasswordChange:
  Title: Cambiar contraseña
  Description: Cambia tu contraseña. Introduce tu contraseña anterior y la nueva.
+  ExpiredDescription: Tu contraseña ha caducado y tiene que cambiarla. Introduzca tu contraseña anterior y la nueva.
  OldPasswordLabel: Contraseña anterior
  NewPasswordLabel: Nueva contraseña
  NewPasswordConfirmLabel: Confirmación de contraseña
--- a/internal/api/ui/login/static/i18n/fr.yaml
+++ b/internal/api/ui/login/static/i18n/fr.yaml
@@ -190,6 +190,7 @@ PasswordlessRegistrationDone:
 PasswordChange:
  Title: Changer le mot de passe
  Description: Changez votre mot de passe. Entrez votre ancien et votre nouveau mot de passe.
+  ExpiredDescription: Votre mot de passe a expiré et doit être modifié. Entrez votre ancien et votre nouveau mot de passe.
  OldPasswordLabel: Ancien mot de passe
  NewPasswordLabel: Nouveau mot de passe
  NewPasswordConfirmLabel: Confirmation du mot de passe
--- a/internal/api/ui/login/static/i18n/it.yaml
+++ b/internal/api/ui/login/static/i18n/it.yaml
@@ -190,6 +190,7 @@ PasswordlessRegistrationDone:
 PasswordChange:
  Title: Reimposta password
  Description: Cambia la tua password. Inserisci la tua vecchia e la nuova password.
+  ExpiredDescription: La password è scaduta e deve essere modificata. Inserisci la tua vecchia e la nuova password.
  OldPasswordLabel: Vecchia password
  NewPasswordLabel: Nuova password
  NewPasswordConfirmLabel: Conferma della password
--- a/internal/api/ui/login/static/i18n/ja.yaml
+++ b/internal/api/ui/login/static/i18n/ja.yaml
@@ -183,6 +183,7 @@ PasswordlessRegistrationDone:
 PasswordChange:
  Title: パスワードの変更
  Description: 旧パスワードと新パスワードを入力し、パスワードを変更してください。
+  ExpiredDescription: パスワードの有効期限が切れたため、変更する必要があります。古いパスワードと新しいパスワードを入力してください。
  OldPasswordLabel: 旧パスワード
  NewPasswordLabel: 新パスワード
  NewPasswordConfirmLabel: 新パスワードの確認
--- a/internal/api/ui/login/static/i18n/mk.yaml
+++ b/internal/api/ui/login/static/i18n/mk.yaml
@@ -190,6 +190,7 @@ PasswordlessRegistrationDone:
 PasswordChange:
  Title: Промена на лозинка
  Description: Променете ја вашата лозинка. Внесете ја старата и новата лозинка.
+  ExpiredDescription: Вашата лозинка е истечена и мора да се смени. Внесете ја старата и новата лозинка.
  OldPasswordLabel: Стара лозинка
  NewPasswordLabel: Нова лозинка
  NewPasswordConfirmLabel: Потврда на лозинка
--- a/internal/api/ui/login/static/i18n/nl.yaml
+++ b/internal/api/ui/login/static/i18n/nl.yaml
@@ -190,6 +190,7 @@ PasswordlessRegistrationDone:
 PasswordChange:
  Title: Verander Wachtwoord
  Description: Verander uw wachtwoord. Voer uw oude en nieuwe wachtwoord in.
+  ExpiredDescription: Je wachtwoord is verlopen en moet worden gewijzigd. Voer uw oude en nieuwe wachtwoord in.
  OldPasswordLabel: Oud Wachtwoord
  NewPasswordLabel: Nieuw Wachtwoord
  NewPasswordConfirmLabel: Bevestig Wachtwoord
--- a/internal/api/ui/login/static/i18n/pl.yaml
+++ b/internal/api/ui/login/static/i18n/pl.yaml
@@ -190,6 +190,7 @@ PasswordlessRegistrationDone:
 PasswordChange:
  Title: Zmiana hasła
  Description: Zmień swoje hasło. Wprowadź swoje stare i nowe hasło.
+  ExpiredDescription: Twoje hasło wygasło i musi zostać zmienione. Wprowadź swoje stare i nowe hasło.
  OldPasswordLabel: Stare hasło
  NewPasswordLabel: Nowe hasło
  NewPasswordConfirmLabel: Potwierdzenie hasła
--- a/internal/api/ui/login/static/i18n/pt.yaml
+++ b/internal/api/ui/login/static/i18n/pt.yaml
@@ -186,6 +186,7 @@ PasswordlessRegistrationDone:
 PasswordChange:
  Title: Alterar senha
  Description: Altere sua senha. Insira sua senha antiga e nova.
+  ExpiredDescription: A sua palavra-passe expirou e tem de ser alterada. Insira sua senha antiga e nova.
  OldPasswordLabel: Senha antiga
  NewPasswordLabel: Nova senha
  NewPasswordConfirmLabel: Confirmação de senha
--- a/internal/api/ui/login/static/i18n/ru.yaml
+++ b/internal/api/ui/login/static/i18n/ru.yaml
@@ -189,6 +189,7 @@ PasswordlessRegistrationDone:
 PasswordChange:
  Title: Изменение пароля
  Description: Измените ваш пароль. Введите старый и новый пароли.
+  ExpiredDescription: Срок действия вашего пароля истек, и его необходимо изменить. Введите старый и новый пароль.
  OldPasswordLabel: Старый пароль
  NewPasswordLabel: Новый пароль
  NewPasswordConfirmLabel: Подтверждение пароля
--- a/internal/api/ui/login/static/i18n/sv.yaml
+++ b/internal/api/ui/login/static/i18n/sv.yaml
@@ -28,7 +28,7 @@ SelectAccount:
  SessionState1: Utloggad
  MustBeMemberOfOrg: Användaren måste finnas i organisationen {{.OrgName}}.

-Lösenord:
+Password:
  Title: Lösenord
  Description: Ange dina användaruppgifter.
  PasswordLabel: Lösenord
@@ -190,6 +190,7 @@ PasswordlessRegistrationDone:
 PasswordChange:
  Title: Ändra lösenord
  Description: Ändra diit lösenord. Ange både ditt gamla och det nya lösenordet.
+  ExpiredDescription: Ditt lösenord har gått ut och måste bytas ut. Ange ditt gamla och nya lösenord.
  OldPasswordLabel: Gammalt lösenord
  NewPasswordLabel: Nytt lösenord
  NewPasswordConfirmLabel: Nytt lösenord igen
--- a/internal/api/ui/login/static/i18n/zh.yaml
+++ b/internal/api/ui/login/static/i18n/zh.yaml
@@ -190,6 +190,7 @@ PasswordlessRegistrationDone:
 PasswordChange:
  Title: 更改密码
  Description: 更改您的密码。输入您的旧密码和新密码。
+  ExpiredDescription: 您的密码已过期，需要更改。请输入您的新旧密码。
  OldPasswordLabel: 旧密码
  NewPasswordLabel: 新密码
  NewPasswordConfirmLabel: 确认密码
--- a/internal/api/ui/login/static/templates/change_password.html
+++ b/internal/api/ui/login/static/templates/change_password.html
@@ -4,7 +4,11 @@
    <h1>{{t "PasswordChange.Title"}}</h1>
    {{ template "user-profile" . }}

+    {{if .Expired}}
+    <p>{{t "PasswordChange.ExpiredDescription"}}</p>
+    {{else}}
    <p>{{t "PasswordChange.Description"}}</p>
+    {{end}}
 </div>

 <form action="{{ changePasswordUrl }}" method="POST">