Hello! I did some manual testing of the patch, and found a few more issues / questions.
I think it would be a good idea to add a TAP test at this point to make sure that every corner case works properly.

1. CheckPasswordExpiration doesn't verify whether the connection uses password authentication or not, it always updates the valid date and starts enforcing it - it should have an additional check at the beginning to only continue if password_valid_until_timestamp > 0, otherwise it should just reset AuthCheckNeeded.

   For example, currently:

   * I created a user with a password expiration in the past, logged in using trust authentication - login worked without problems
   * Changed the password expiration of another user, the previous session got terminated because of the expired password

2. It is triggered if any user gets changed, not just the current user - on a server with many users, this could be a performance issue as we'll end up doing unnecessary syscache lookups. This could be optimized by caching the syscache hash in a variable. (But this is based on what you think about the next point.)

   Again, see the previous example problem - I changed the expiration date of one user, and another user was kicked out because of this, while that user didn't receive any updates.

3. The check is based on GetUserId() and not GetSessionUserId() - if I change roles with SET ROLE, password expiration checks will verify the role user, and not the logged in user.

   This seems strange to me: if we logged in with a password, after a SET ROLE, we'll enforce password expiration based on the new role - but we never actually used the password of that role. Are you sure this is how it should work?
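The three points above can be modelled in a few lines of C. This is an added example, not part of the original message and not PostgreSQL or patch code: the `Session` struct, `role_changed` and `check_password_expiration` are hypothetical names, a password login without an expiry is assumed to be stored as `INT64_MAX`, and the session-role choice for point 3 is the behaviour the review argues for, not a settled design.

```c
/* Stand-alone model of the checks discussed in the review. Hypothetical names. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef struct {
    uint32_t session_role;  /* role that authenticated (GetSessionUserId() analogue) */
    uint32_t current_role;  /* role after SET ROLE (GetUserId() analogue); never consulted */
    int64_t  valid_until;   /* > 0 only when the login used a password (assumption) */
    bool     check_needed;  /* AuthCheckNeeded analogue */
} Session;

/* Invalidation callback: flag a re-check only when the changed role is the
 * one this session logged in as (point 2), not on every role change. */
void role_changed(Session *s, uint32_t changed_role)
{
    if (changed_role == s->session_role)
        s->check_needed = true;
}

/* Returns true when the session must be terminated. new_valid_until is the
 * freshly looked-up expiry of the session role (point 3). */
bool check_password_expiration(Session *s, int64_t new_valid_until, int64_t now)
{
    if (!s->check_needed)
        return false;
    s->check_needed = false;        /* always reset the flag */
    if (s->valid_until <= 0)        /* point 1: no password was used to log in */
        return false;
    s->valid_until = new_valid_until;
    return new_valid_until <= now;
}

int main(void)
{
    /* Constructed scenario: trust login for role 10, whose password expired at t=100. */
    Session trust = { 10, 10, 0, false };
    role_changed(&trust, 10);
    printf("trust session terminated: %d\n",
           check_password_expiration(&trust, 100, 200));

    /* Constructed scenario: password login for role 20, expiry moved into the past. */
    Session pw = { 20, 20, 500, false };
    role_changed(&pw, 20);
    printf("password session terminated: %d\n",
           check_password_expiration(&pw, 100, 200));
    return 0;
}
```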
