| From: | Soumya S Murali <soumyamurali(dot)work(at)gmail(dot)com> |
|---|---|
| To: | Gilles Darold <gilles(at)darold(dot)net> |
| Cc: | Japin Li <japinli(at)hotmail(dot)com>, Yuefei Shi <shiyuefei1004(at)gmail(dot)com>, songjinzhou <tsinghualucky912(at)foxmail(dot)com>, PostgreSQL Hackers <pgsql-hackers(at)postgresql(dot)org>, Andrew Dunstan <andrew(at)dunslane(dot)net>, "Bossart, Nathan" <bossartn(at)amazon(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, liu xiaohui <liuxh(dot)zj(dot)cn(at)gmail(dot)com>, Steven Niu <niushiji(at)gmail(dot)com> |
| Subject: | Re: Pasword expiration warning |
| Date: | 2026-01-28 05:23:24 |
| Message-ID: | CAMtXxw9xeqNMJcKRjhT8GgbaSPNPXU6E_xZD2sxDWMC9+khvoA@mail.gmail.com |
| Lists: | pgsql-hackers |
Hi all,
Thank you for the updated patches.
On Tue, Jan 27, 2026 at 12:21 PM Gilles Darold <gilles(at)darold(dot)net> wrote:
>
> On 09/01/2026 at 10:04, Japin Li wrote:
> > Hi, Steven
> >
> > Thanks for the review.
> >
> > On Fri, 09 Jan 2026 at 07:36, Steven Niu <niushiji(at)gmail(dot)com> wrote:
> >> Hi, Japin,
> >>
> >> I reviewed the v9-0002-Add-TAP-test-for-password_expire_warning.patch
> >> and here are my comments:
> >>
> >> 1. I think we should add two more cases. One case is for when the feature is disabled. And another is for no warning when >1d remaining.
> > Add in v10.
> >
> >> 2. The modification to pg_hba.conf is unnecessary as the default pg_hba.conf generated by initdb already allows local connections with appropriate methods.
> >> unlink($node->data_dir . '/pg_hba.conf');
> >> $node->append_conf('pg_hba.conf', "local all all scram-sha-256");
> > Yes, it allows local connections, but they are always in trust mode, so no
> > password is required (or used).
> >
> >> 3. Make the expected string to be more exact.
> >> qr/your password will expire in/);
> >> -->
> >> qr/your password will expire in 1d/);
> >>
> > Fixed. PFA.
> >
> > v10-0001 - No changes.
> > v10-0002 - Address review comments.
> >
>
> Here is a v11 version of the patch.
>
> v11-0001 - fix a miss on the typo fixes ( s/expire/expires/ in GUC
> description ) and add your name in the authors list.
>
> v11-0002 - Add a test with Infinity in VALID UNTIL value.
I went through the discussions and I applied the posted patches on the
current master branch and have completed testing.
Firstly, the conceptual approach of adding a server-side
password_expire_warning GUC in patch 0001 looks reasonable to me too
as it allows all clients to benefit from the warning.
Here, the password expiry enforcement is strictly tied to
password-based authentication. With md5 authentication explicitly
configured, expiry enforcement works as expected: login succeeds while
the password is valid and fails with “password has expired” once the
expiry timestamp is reached. This is confirmed via server logs showing
the md5 authentication path being exercised. When non-password
authentication methods (trust/peer) are used, password expiry is
bypassed. While expiry enforcement functions correctly after expiry,
no advance warning is emitted prior to expiry in the baseline
behavior, which matches the motivation for this change. The approach
in patch 0001 of adding a server-side password_expire_warning GUC and
adding the corresponding TAP coverage in patch 0002 seems
directionally correct.
Regards,
Soumya
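
The observation in the message above, that password expiry is enforced only on password-based authentication paths, can be checked against a pg_hba.conf. The following is an added example, not code from the thread or its patches; it generalizes from trust/peer to every non-password method, and the function names and the sample file are constructed for illustration.

```python
import ipaddress

# Methods that verify a password stored for the role; expiry (VALID UNTIL)
# is enforced only on these authentication paths.
PASSWORD_METHODS = {"password", "md5", "scram-sha-256"}
HOST_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def _is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def parse_hba(text):
    """Return (lineno, conn_type, database, user, method) for each rule.
    Simplified: quoted fields are not handled, include directives are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if fields[0] == "local":
            idx = 3
        elif fields[0] in HOST_TYPES:
            # Address is CIDR/hostname (one field) or IP plus netmask (two fields).
            idx = 5 if len(fields) > 5 and _is_ip(fields[4]) else 4
        else:
            continue  # include directive or unrecognised line
        if len(fields) > idx:
            rules.append((lineno, fields[0], fields[1], fields[2], fields[idx]))
    return rules

def expiry_not_enforced(text):
    """Rules that admit a login without consulting the password expiry."""
    return [r for r in parse_hba(text)
            if r[4] not in PASSWORD_METHODS and r[4] != "reject"]

# Constructed sample, not taken from the thread's patches.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS  METHOD
local   all       postgres                      peer
local   all       all                           scram-sha-256
host    all       all   127.0.0.1/32            trust
host    all       all   10.0.0.0 255.0.0.0      md5
hostssl all       all   0.0.0.0/0               reject
"""
```

Calling expiry_not_enforced(SAMPLE_HBA) returns the peer rule on line 2 and the trust rule on line 4. The check looks at each rule in isolation and does not model first-match ordering between rules.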