Open perigrin opened 3 years ago
Note that when a user logs in and their user account is marked "must change password immediately", the POST /login includes a Location header of /user/me/password?clear_tokens=none (yes this is a lame way of indicating this... but we have no 'GET /change_my_password' web page to redirect the user to in response), and the next request that comes from that authenticated user must be to POST /user/me/password to change the password, and it must occur within the next 10 minutes. The right thing to do in the shell here, after logging in and this response is received, is to issue another password prompt and then do the second POST to update the password.
Allow the user to change their own password so that when a password reset is issued or they simply want to change their password they can.
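A sketch of the client-side flow described in this issue, added here as an example; it is not code from the issue or from the project. The `send` transport, the request body field names and the treatment of 4xx/5xx statuses as failures are assumptions.

```python
import time
from urllib.parse import urlsplit

CHANGE_PATH = "/user/me/password"  # path named in the issue
WINDOW_SECONDS = 10 * 60           # server-side deadline named in the issue

class PasswordChangeExpired(Exception):
    """The 10-minute window passed before the new password was sent."""

def change_target(headers):
    """Return the path?query to POST to if login demands a password change, else None."""
    location = {k.lower(): v for k, v in headers.items()}.get("location")
    if not location:
        return None
    parts = urlsplit(location)
    if parts.path != CHANGE_PATH:
        return None
    # Rebuild from path and query only, so the new password is never sent to
    # a different host, even if Location arrives as an absolute URL.
    return parts.path + ("?" + parts.query if parts.query else "")

def login(send, user, password, prompt_new_password, now=time.monotonic):
    """Log in; if required, prompt for and set a new password as the very next request.

    send(method, target, body) -> (status, headers) is a hypothetical transport.
    It must not follow redirects itself: the follow-up has to be a POST.
    """
    started = now()
    status, headers = send("POST", "/login", {"user": user, "password": password})
    if status >= 400:  # assumption: failures are reported as 4xx/5xx
        raise RuntimeError(f"login failed with status {status}")
    target = change_target(headers)
    if target is None:
        return "logged-in"
    new_password = prompt_new_password()  # e.g. getpass.getpass in a real shell
    if now() - started >= WINDOW_SECONDS:
        raise PasswordChangeExpired("window elapsed; log in again")
    status, _ = send("POST", target, {"password": new_password})  # field name assumed
    if status >= 400:
        raise RuntimeError(f"password change failed with status {status}")
    return "password-changed"
```

The deadline check is only a local guard against a slow prompt; the server's own 10-minute limit remains authoritative.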