Password change prompt displayed even if initial auth fails
When a user has the "password must change at next login" flag turned on, the account has a temporary password. The standard workflow would be login with the temp password -> get the password change prompt -> login with the new password The issue is that we get the password change prompt even if we try to login with the wrong password. To reproduce :
- Create a user, set a password and "the password must change" flag
- Try to login on the portal with this login, and any password (!= from the password you set)
- You get the password change prompt
Of course, you can't change the password unless you know the current one, but the prompt should not be displayed at all if you try a wrong password
Environment :
- LL::NG 2.0.6
- CentOS 7 / nginx / MariaDB (for both conf and sessions)
- LDAP server is AD (samba4)