Fix forced password change not redirecting on MVC pages (#8101)

DawoudIO · web-flow · commit 59f585ea5094 · 2026-03-01T12:59:33.000-08:00
## Problem

When a user had (first login after setup), the MVC (legacy) pages would
not redirect to the password change form. The user could bypass the
forced password change by directly accessing any MVC page, allowing them
to continue with a password that must be changed.

## Root Cause

The authentication check in `AuthMiddleware` only called
`ensureAuthentication()` (which checks and calls `header()` redirects)
when the user was **not** authenticated. For authenticated users with an
active session, it did nothing, meaning any required redirect steps
(like forced password change) were skipped.

## Solution

### 1. AuthMiddleware Enhancement
([AuthMiddleware.php](src/ChurchCRM/Slim/Middleware/AuthMiddleware.php#L51-L57))
- For authenticated browser requests (not background/API), call
`validateUserSessionIsActive(true)` to check for required redirect steps
- Use PSR-15 response redirect (302 to `nextSte
When a user had  (first login after setup), the MVC (lenon
## Root Cause

The authentication check in `AuthMiddleware` only called
`ensureAuthentication()` (which checks and calls `header()` redirects)
when the user was **not** authenticated. For authenticated users with an
active session, it did nothing, meaning any required redirect sted
diff --git a/cypress/e2e/new-system/01-setup-wizard.spec.js b/cypress/e2e/new-system/01-setup-wizard.spec.js
@@ -130,7 +130,7 @@ describe('01 - Setup Wizard', () => {
             cy.get('input[name=Password]').type(adminCredentials.password + '{enter}');
             
             // Should redirect away from login
-            cy.url({ timeout: 15000 }).should('not.include', '/login');
+            cy.url({ timeout: 15000 }).should('not.include', '/session/begin');
             
             // Should be on some page (dashboard or admin)
             cy.get('body').should('exist');
@@ -140,22 +140,24 @@ describe('01 - Setup Wizard', () => {
             cy.visit('/login');
             cy.get('input[name=User]').type(adminCredentials.username);
             cy.get('input[name=Password]').type(adminCredentials.password + '{enter}');
-            cy.url({ timeout: 15000 }).should('not.include', '/login');
+            cy.url({ timeout: 15000 }).should('not.include', '/session/begin');
             
             // Fresh system should show admin dashboard (no people yet)
             // The system may redirect to admin or v2/dashboard
+            // If the admin was created with NeedPasswordChange=true, may land on forced change-password page
             cy.url().then((url) => {
                 cy.log('Redirected to: ' + url);
-                // Just verify we're logged in and not on login page
-                cy.get('.main-sidebar, .wrapper, .content-wrapper').should('exist');
+                // Verify we're logged in and not on login page.
+                // Accept either the full dashboard layout or the forced change-password minimal layout (.login-box).
+                cy.get('.main-sidebar, .wrapper, .content-wrapper, .login-box').should('exist');
             });
         });
 
         it('should verify system is empty (no people/families)', () => {
             cy.visit('/login');
             cy.get('input[name=User]').type(adminCredentials.username);
             cy.get('input[name=Password]').type(adminCredentials.password + '{enter}');
-            cy.url({ timeout: 15000 }).should('not.include', '/login');
+            cy.url({ timeout: 15000 }).should('not.include', '/session/begin');
             
             // Check people API - should return mostly empty (only admin user)
             cy.request({
diff --git a/cypress/e2e/new-system/02-demo-import.spec.js b/cypress/e2e/new-system/02-demo-import.spec.js
@@ -17,12 +17,26 @@ describe('02 - Demo Data Import', () => {
         password: 'changeme'
     };
 
-    // Helper function to login
+    // Helper function to login, handling forced password-change redirect on first login
     const loginAsAdmin = () => {
+        const password = Cypress.env('newSystemAdminPassword') || adminCredentials.password;
         cy.visit('/login');
         cy.get('input[name=User]').type(adminCredentials.username);
-        cy.get('input[name=Password]').type(adminCredentials.password + '{enter}');
-        cy.url({ timeout: 15000 }).should('not.include', '/login');
+        cy.get('input[name=Password]').type(password + '{enter}');
+        cy.url({ timeout: 15000 }).should('not.include', '/session/begin');
+
+        // Fresh-install admin has NeedPasswordChange=true; complete the forced form if needed
+        cy.url().then((url) => {
+            if (url.includes('/changepassword')) {
+                const newPassword = 'Cypress@01!';
+                cy.get('#OldPassword').type(password);
+                cy.get('#NewPassword1').type(newPassword);
+                cy.get('#NewPassword2').type(newPassword);
+                cy.get('button[type=submit]').click();
+                cy.contains('Password Changed', { timeout: 10000 }).should('be.visible');
+                Cypress.env('newSystemAdminPassword', newPassword);
+            }
+        });
     };
 
     describe('Import Demo Data via Admin UI', () => {
@@ -226,5 +240,23 @@ describe('02 - Demo Data Import', () => {
             // Should see the finance dashboard title
             cy.contains('Finance Dashboard').should('be.visible');
         });
+
+        it('should reset admin password back to changeme for subsequent tests', () => {
+            // Tests 03-04 expect 'changeme' as the default password
+            // Change password from 'Cypress@01!' back to 'changeme'
+            cy.visit('/v2/user/current/changepassword');
+
+            const currentPassword = 'Cypress@01!';
+            const newPassword = 'changeme';
+
+            // Fill in change password form
+            cy.get('#OldPassword').type(currentPassword);
+            cy.get('#NewPassword1').type(newPassword);
+            cy.get('#NewPassword2').type(newPassword);
+            cy.get('input[type=submit]').click();
+
+            // Should show success message
+            cy.contains('Password Change Successful', { timeout: 10000 }).should('be.visible');
+        });
     });
 });
diff --git a/cypress/e2e/new-system/03-backup-restore.spec.js b/cypress/e2e/new-system/03-backup-restore.spec.js
@@ -19,12 +19,14 @@ describe('03 - Backup and Restore', () => {
         password: 'changeme'
     };
 
-    // Helper function to login
+    // Helper function to login, handling forced password-change redirect on first login
     const loginAsAdmin = () => {
+        // Test 02 resets password back to 'changeme' after testing forced change
+        const password = adminCredentials.password;
         cy.visit('/login');
         cy.get('input[name=User]').type(adminCredentials.username);
-        cy.get('input[name=Password]').type(adminCredentials.password + '{enter}');
-        cy.url({ timeout: 15000 }).should('not.include', '/login');
+        cy.get('input[name=Password]').type(password + '{enter}');
+        cy.url({ timeout: 15000 }).should('not.include', '/session/begin');
     };
 
     describe('Step 6: Create Backup', () => {
@@ -104,12 +106,12 @@ describe('03 - Backup and Restore', () => {
         it('should restore seed.sql file', () => {
             cy.visit('/admin/system/restore');
             
-            // The seed SQL file path (relative to cypress project root)
-            const seedSqlPath = 'cypress/data/seed.sql';
+            // The demo SQL file path (relative to cypress project root)
+            const demoSqlPath = 'cypress/data/seed.sql';
             
             // Use cy.selectFile to upload the file
             // The file input is hidden, so we need to force the action
-            cy.get('#restoreFile').selectFile(seedSqlPath, { force: true });
+            cy.get('#restoreFile').selectFile(demoSqlPath, { force: true });
             
             // File info should show
             cy.get('#fileInfo').should('be.visible');
diff --git a/cypress/e2e/new-system/04-system-reset.spec.js b/cypress/e2e/new-system/04-system-reset.spec.js
@@ -21,17 +21,32 @@ describe('04 - System Reset', () => {
         password: 'changeme'
     };
 
-    // Helper to manually login (skip session caching for this test)
+    // Helper to manually login, handling forced password-change redirect after a DB reset
     const manualLogin = () => {
         cy.clearCookies();
         cy.clearLocalStorage();
+        // Admin password is 'changeme'. After a DB reset NeedPasswordChange=true,
+        // which forces a redirect to /changepassword on first login.
+        const password = adminCredentials.password;
         cy.visit('/login');
         cy.get('input[name=User]', { timeout: 15000 }).type(adminCredentials.username);
-        cy.get('input[name=Password]').type(adminCredentials.password);
+        cy.get('input[name=Password]').type(password);
         cy.get('input[name=Password]').type('{enter}');
-        cy.url({ timeout: 30000 }).should('not.include', '/login');
+        cy.url({ timeout: 30000 }).should('not.include', '/session/begin');
         // Give the session time to establish
         cy.wait(1000);
+
+        // After a DB reset the admin has NeedPasswordChange=true; complete the forced form if needed.
+        // The forced form uses button[type=submit] (login-box layout, not card layout).
+        cy.url().then((url) => {
+            if (url.includes('/changepassword')) {
+                cy.get('#OldPassword').type(password);
+                cy.get('#NewPassword1').type('Cypress@01!');
+                cy.get('#NewPassword2').type('Cypress@01!');
+                cy.get('button[type=submit]').click();
+                cy.contains('Password Changed', { timeout: 10000 }).should('be.visible');
+            }
+        });
     };
 
     describe('Step 10a: Navigate to Reset Page', () => {
@@ -69,7 +84,7 @@ describe('04 - System Reset', () => {
     describe('Step 10b: Perform System Reset', () => {
         it('should reset the database via API', () => {
             manualLogin();
-            
+
             // Perform reset via API
             cy.request({
                 method: 'DELETE',
@@ -117,11 +132,18 @@ describe('04 - System Reset', () => {
         });
 
         it('should login with default credentials after reset', () => {
-            // Fresh login after reset (no session caching)
+            // manualLogin() uses 'changeme', detects forced /changepassword redirect,
+            // and completes it — leaving password as 'Cypress@01!' with NeedPasswordChange=false.
             manualLogin();
-            
-            // Should be redirected to admin dashboard (blank system)
-            cy.url().should('include', '/admin');
+
+            // Now change it back to 'changeme' so Steps 10d/10e can login cleanly.
+            // NeedPasswordChange=false so this shows the voluntary form (input[type=submit]).
+            cy.visit('/v2/user/current/changepassword');
+            cy.get('#OldPassword').type('Cypress@01!');
+            cy.get('#NewPassword1').type('changeme');
+            cy.get('#NewPassword2').type('changeme');
+            cy.get('input[type=submit]').click();
+            cy.contains('Password Change Successful', { timeout: 10000 }).should('be.visible');
         });
     });
 
diff --git a/src/ChurchCRM/Slim/Middleware/AuthMiddleware.php b/src/ChurchCRM/Slim/Middleware/AuthMiddleware.php
@@ -48,7 +48,14 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
                 // since /background operations do not connotate user activity.
 
                 // User with an active browser session is still authenticated.
-                // don't really need to do anything here...
+                // For browser requests (non-background), enforce any required redirect steps (e.g. forced password change).
+                // Use a PSR-15 response redirect rather than calling ensureAuthentication() which exits via header().
+                if ($this->isBrowserRequest($request) && !$this->isPath($request, 'background')) {
+                    $result = AuthenticationManager::getAuthenticationProvider()->validateUserSessionIsActive(true);
+                    if ($result->nextStepURL !== null) {
+                        return (new Response())->withStatus(302)->withHeader('Location', $result->nextStepURL);
+                    }
+                }
             } else {
                 $logger = LoggerUtils::getAppLogger();
                 $logger->warning('No authenticated user or session', [
@@ -73,12 +80,10 @@ public function process(ServerRequestInterface $request, RequestHandlerInterface
 
     private function isPath(ServerRequestInterface $request, string $pathPart): bool
     {
+        // explode produces an empty string at index 0 for paths starting with '/',
+        // so use in_array to check if the segment exists anywhere in the path
         $pathAry = explode('/', $request->getUri()->getPath());
-        if ($pathAry[0] === $pathPart) {
-            return true;
-        }
-
-        return false;
+        return in_array($pathPart, $pathAry, true);
     }
 
     /**
diff --git a/src/v2/routes/user-current.php b/src/v2/routes/user-current.php
@@ -41,6 +41,7 @@ function changepassword(Request $request, Response $response, array $args): Resp
     $pageArgs = [
         'sRootPath' => SystemURLs::getRootPath(),
         'user'      => $curUser,
+        'isForced'  => $curUser->getNeedPasswordChange(),
     ];
 
     if ($authenticationProvider instanceof LocalAuthentication) {
diff --git a/src/v2/templates/common/success-changepassword.php b/src/v2/templates/common/success-changepassword.php
@@ -2,10 +2,54 @@
 
 use ChurchCRM\dto\SystemURLs;
 
+$isForced = $isForced ?? false;
 $sPageTitle = gettext("Change Password") . ": " . $user->getFullName();
-require SystemURLs::getDocumentRoot() . '/Include/Header.php';
+if ($isForced) {
+    require SystemURLs::getDocumentRoot() . '/Include/HeaderNotLoggedIn.php';
+} else {
+    require SystemURLs::getDocumentRoot() . '/Include/Header.php';
+}
 ?>
-Password Change Successful
+
+<?php if ($isForced): ?>
+<div class="login-box">
+    <div class="card card-outline card-success">
+        <div class="card-header text-center">
+            <a href="<?= SystemURLs::getRootPath() ?>" class="h1">
+                <img src="<?= SystemURLs::getRootPath() ?>/Images/logo-churchcrm-350.jpg" alt="ChurchCRM" style="max-width:280px; height:auto;" />
+            </a>
+        </div>
+        <div class="card-body text-center">
+            <p class="login-box-msg">
+                <i class="fa fa-check-circle text-success" style="font-size:2rem;"></i><br>
+                <strong><?= gettext('Password Changed') ?></strong><br>
+                <small class="text-muted"><?= gettext('Your password has been updated successfully.') ?></small>
+            </p>
+            <a href="<?= SystemURLs::getRootPath() ?>/v2/dashboard" class="btn btn-success btn-block">
+                <?= gettext('Continue to Dashboard') ?>
+            </a>
+        </div>
+    </div>
+</div>
+<?php else: ?>
+<div class="row">
+    <div class="col-md-6">
+        <div class="card card-success">
+            <div class="card-header">
+                <h3 class="card-title"><?= gettext('Password Change Successful') ?></h3>
+            </div>
+            <div class="card-body">
+                <p><?= sprintf(gettext('The password for %s has been updated.'), $user->getFullName()) ?></p>
+                <a href="<?= SystemURLs::getRootPath() ?>/v2/dashboard" class="btn btn-success"><?= gettext('Go to Dashboard') ?></a>
+            </div>
+        </div>
+    </div>
+</div>
+<?php endif; ?>
 
 <?php
-require SystemURLs::getDocumentRoot() . '/Include/Footer.php';
+if ($isForced) {
+    require SystemURLs::getDocumentRoot() . '/Include/FooterNotLoggedIn.php';
+} else {
+    require SystemURLs::getDocumentRoot() . '/Include/Footer.php';
+}
diff --git a/src/v2/templates/user/changepassword.php b/src/v2/templates/user/changepassword.php
@@ -5,9 +5,55 @@
 use ChurchCRM\Utils\CSRFUtils;
 
 $sPageTitle = gettext("Change Password") . ": " . $user->getFullName();
-require SystemURLs::getDocumentRoot() . '/Include/Header.php';
+if ($isForced) {
+    require SystemURLs::getDocumentRoot() . '/Include/HeaderNotLoggedIn.php';
+} else {
+    require SystemURLs::getDocumentRoot() . '/Include/Header.php';
+}
 ?>
 
+<?php if ($isForced): ?>
+<div class="login-box">
+    <div class="card card-outline card-warning">
+        <div class="card-header text-center">
+            <a href="<?= SystemURLs::getRootPath() ?>" class="h1">
+                <img src="<?= SystemURLs::getRootPath() ?>/Images/logo-churchcrm-350.jpg" alt="ChurchCRM" style="max-width:280px; height:auto;" />
+            </a>
+        </div>
+        <div class="card-body">
+            <p class="login-box-msg">
+                <strong><?= gettext('Password Change Required') ?></strong><br>
+                <small class="text-muted"><?= gettext('You must set a new password before continuing.') ?></small>
+            </p>
+            <form method="post" action="<?= SystemURLs::getRootPath() ?>/v2/user/current/changepassword" id="passwordChangeForm">
+                <?= CSRFUtils::getTokenInputField('user_change_password') ?>
+                <div class="input-group mb-3">
+                    <input type="password" name="OldPassword" id="OldPassword" class="form-control" placeholder="<?= gettext('Current Password') ?>" autofocus>
+                    <div class="input-group-append"><div class="input-group-text"><i class="fa fa-lock"></i></div></div>
+                    <?php if (!empty($sOldPasswordError ?? '')): ?>
+                        <span class="form-field-error"><?= $sOldPasswordError ?></span>
+                    <?php endif; ?>
+                </div>
+                <div class="input-group mb-3">
+                    <input type="password" name="NewPassword1" id="NewPassword1" class="form-control" placeholder="<?= gettext('New Password') ?>">
+                    <div class="input-group-append"><div class="input-group-text"><i class="fa fa-key"></i></div></div>
+                </div>
+                <div class="input-group mb-3">
+                    <input type="password" name="NewPassword2" id="NewPassword2" class="form-control" placeholder="<?= gettext('Confirm New Password') ?>">
+                    <div class="input-group-append"><div class="input-group-text"><i class="fa fa-key"></i></div></div>
+                    <?php if (!empty($sNewPasswordError ?? '')): ?>
+                        <span class="form-field-error"><?= $sNewPasswordError ?></span>
+                    <?php endif; ?>
+                </div>
+                <p class="text-muted small mb-3">
+                    <?= gettext('Passwords must be at least') ?> <?= SystemConfig::getValue('iMinPasswordLength') ?> <?= gettext('characters in length.') ?>
+                </p>
+                <button type="submit" name="Submit" class="btn btn-warning btn-block"><?= gettext('Set New Password') ?></button>
+            </form>
+        </div>
+    </div>
+</div>
+<?php else: ?>
 <div class="row">
     <!-- left column -->
     <div class="col-md-8">
@@ -22,15 +68,15 @@
                 <div class="card-body">
                     <div class="form-group">
                         <label for="OldPassword"><?= gettext('Old Password') ?>:</label>
-                        <input type="password" name="OldPassword" id="OldPassword" class="form-control" value="<?= $sOldPassword ?>" autofocus><span id="oldPasswordError" class="form-field-error"><?= $sOldPasswordError ?></span>
+                        <input type="password" name="OldPassword" id="OldPassword" class="form-control" autofocus><span id="oldPasswordError" class="form-field-error"><?= $sOldPasswordError ?? '' ?></span>
                     </div>
                     <div class="form-group">
                             <label for="NewPassword1"><?= gettext('New Password') ?>:</label>
-                        <input type="password" name="NewPassword1" id="NewPassword1" class="form-control" value="<?= $sNewPassword1 ?>">
+                        <input type="password" name="NewPassword1" id="NewPassword1" class="form-control">
                     </div>
                     <div class="form-group">
                         <label for="NewPassword2"><?= gettext('Confirm New Password') ?>:</label>
-                        <input type="password" name="NewPassword2" id="NewPassword2"  class="form-control" value="<?= $sNewPassword2 ?>"><span id="NewPasswordError" class="form-field-error"><?= $sNewPasswordError ?></span>
+                        <input type="password" name="NewPassword2" id="NewPassword2"  class="form-control"><span id="NewPasswordError" class="form-field-error"><?= $sNewPasswordError ?? '' ?></span>
                     </div>
                 </div>
 
@@ -41,6 +87,11 @@
         </div>
     </div>
 </div>
+<?php endif; ?>
 <script src="<?= SystemURLs::assetVersioned('/skin/js/PasswordChange.js') ?>"></script>
 <?php
-require SystemURLs::getDocumentRoot() . '/Include/Footer.php';
+if ($isForced) {
+    require SystemURLs::getDocumentRoot() . '/Include/FooterNotLoggedIn.php';
+} else {
+    require SystemURLs::getDocumentRoot() . '/Include/Footer.php';
+}
