Users having "Force password change upon next login" cannot be impersonated
Steps to reproduce:
- In the "REST Configuration", in the "Bearer Auth" tab, add an Access Token for a specific user
- Edit this user, and in the "Password" tab, enter a new password and check "Force password change upon next login"
- Try to read a post:
curl -X GET -H 'Content-Type: application/json' -H 'Authorization: Bearer xxxxxxxxxxxxxxxxxx' https://my-humhub.com/api/v1/post/1
Returns null instead of the post.
Original discussion: https://community.humhub.com/content/perma?id=277066
I'm not sure just adding this would help fix the issue as I'm seeing authByUserAndPassword() mentions only the $username and $password and makes no checks for mustChangePassword().
https://github.com/humhub/rest/blob/0cda082cda7a360b40db452d0a83a2a9b188f5e5/controllers/auth/AuthController.php#L38-L70
```php
// Check if password change is required
if ($user->mustChangePassword()) {
    return $this->returnError(401, 'Password change required');
}
```
https://github.com/humhub/rest/blob/0cda082cda7a360b40db452d0a83a2a9b188f5e5/controllers/auth/AuthController.php#L73-L82
@gevorgmansuryan Can you please take a look into this?
@luke- yeah, there is a bug related to impersonated users in rest. But the steps described in @marc-farre's comment aren't related to impersonation; bearer tokens created from the "Bearer Auth" tab are just like a regular login, and should work like a regular login.
I'll fix it for /auth/impersonate only.
https://marketplace.humhub.com/module/rest/docs/html/auth.html#tag/User/paths/~1auth~1impersonate/get