fix: disinto init change-password triggers must_change_password despite --must-change-password=false #267

Closed
opened 2026-04-06 06:23:33 +00:00 by dev-bot · 2 comments
Collaborator

Problem

During disinto init, when the admin user already exists, the code resets the password at line ~712:

_forgejo_exec forgejo admin user change-password \
  --username disinto-admin --password "$admin_pass" \
  --must-change-password=false

Despite passing --must-change-password=false, Forgejo 11.x sometimes still sets the must_change_password flag. This blocks subsequent API calls with:

"You must change your password. Change it at: http://forgejo:3000//user/change_password"

The flag defaults to true in the Forgejo CLI, and =false may not be parsed correctly in all Forgejo versions.

Observed behavior

Init resets password, then immediately tries basic auth for token creation — gets 403 "must change password". This blocks the entire init flow.

Proposed solution

After the change-password call, explicitly clear the flag using the Forgejo admin API (which is more reliable than the CLI flag):

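# Clear must_change_password via API as a safety net
local temp_token
temp_token=$(...create temp token...)  # placeholder from the issue: token creation is elided
# Send the body as JSON; without this header curl posts -d data as form-encoded
curl -sf -X PATCH -H "Authorization: token $temp_token" \
  -H "Content-Type: application/json" \
  "${forge_url}/api/v1/admin/users/${admin_user}" \
  -d '{"must_change_password": false}'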

Alternatively, skip the password reset entirely when basic auth already works:

# Only reset password if current auth fails
if ! curl -sf -u "${admin_user}:${admin_pass}" \
    "${forge_url}/api/v1/user" >/dev/null 2>&1; then
  _forgejo_exec forgejo admin user change-password ...
fi

The second approach is simpler and avoids the problem entirely.

Affected files

  • bin/disinto (admin user setup in disinto_init, around line 710)

Acceptance criteria

  • disinto init re-run does not trigger must_change_password lockout
  • Password is only reset when basic auth with the persisted password fails
  • Admin API token is always obtainable after the user setup step
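Added example (not part of the issue or of bin/disinto): the second approach relies on `curl -sf`, which reports a wrong password, the 403 "must change password" response and an unreachable forge as the same failure, so this example separates those cases before deciding whether to reset. The function names and action labels are hypothetical, and the 401 status for a wrong password is an assumption; `forge_url`, `admin_user` and `admin_pass` are the issue's variables.

```shell
# Added example: classify the basic-auth probe before touching the password.
# Function names and action labels are hypothetical.

# Map HTTP status + body from GET /api/v1/user to an auth state.
classify_auth_probe() {
  local status="$1" body="$2"
  case "$status" in
    200) echo ok ;;
    403)
      # The issue reports 403 with "You must change your password. ..."
      case "$body" in
        *"must change your password"*) echo must_change ;;
        *) echo forbidden ;;
      esac ;;
    401) echo bad_credentials ;;  # assumption: wrong password yields 401
    000|"") echo unreachable ;;   # curl prints 000 when no response arrived
    *) echo unexpected ;;
  esac
}

# Probe basic auth without -f so that status and body are both kept.
probe_admin_auth() {
  local out status body nl
  nl='
'
  out=$(curl -s -u "${admin_user}:${admin_pass}" \
        -w '\n%{http_code}' "${forge_url}/api/v1/user") || true
  status="${out##*"$nl"}"   # last line: HTTP status written by -w
  body="${out%"$nl"*}"      # everything before it: response body
  classify_auth_probe "$status" "$body"
}

# Print the action init should take for a given auth state.
decide_admin_action() {
  case "$1" in
    ok) echo skip_reset ;;                 # persisted password works
    bad_credentials) echo reset_password ;;
    must_change) echo clear_flag ;;        # password is fine, flag is not
    unreachable) echo retry_later ;;       # do not reset on a network error
    *) echo abort ;;
  esac
}
```

Only `bad_credentials` leads to the `change-password` call; a `must_change` result means the persisted password was accepted and only the flag needs clearing.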
dev-bot added the backlog label 2026-04-06 06:23:33 +00:00
dev-qwen self-assigned this 2026-04-06 06:38:39 +00:00
dev-qwen added in-progress and removed backlog labels 2026-04-06 06:38:39 +00:00
Collaborator

Blocked — issue #267

| Field | Value |
|---|---|
| Exit reason | `no_push` |
| Timestamp | `2026-04-06T06:39:13Z` |

Diagnostic output:

```
Claude did not push branch fix/issue-267
```
dev-qwen added blocked and removed in-progress labels 2026-04-06 06:39:13 +00:00
dev-bot added backlog and removed blocked labels 2026-04-06 07:34:53 +00:00
dev-qwen was unassigned by dev-bot 2026-04-06 07:34:53 +00:00
dev-qwen self-assigned this 2026-04-06 07:44:08 +00:00
dev-qwen added in-progress and removed backlog labels 2026-04-06 07:44:08 +00:00
Collaborator

Blocked — issue #267

| Field | Value |
|---|---|
| Exit reason | `no_push` |
| Timestamp | `2026-04-06T07:45:17Z` |

Diagnostic output:

```
Claude did not push branch fix/issue-267
```
dev-qwen added blocked and removed in-progress labels 2026-04-06 07:45:18 +00:00
dev-bot added backlog and removed blocked labels 2026-04-06 08:18:34 +00:00
dev-qwen was unassigned by dev-bot 2026-04-06 08:18:34 +00:00
dev-qwen self-assigned this 2026-04-06 08:19:13 +00:00
dev-qwen added in-progress and removed backlog labels 2026-04-06 08:19:13 +00:00
dev-qwen was unassigned by dev-bot 2026-04-06 08:24:03 +00:00
dev-bot removed the in-progress label 2026-04-06 08:24:04 +00:00
Reference: disinto-admin/disinto#267