FEATURE: Allow site admin to mark a user's password as expired (#27314)

This commit adds the ability for site administrators to mark users'
passwords as expired. Note that this commit does not add any client side
interface to mark a user's password as expired.

The following changes are introduced in this commit:

1. Adds a `user_passwords` table and `UserPassword` model. While the
   `user_passwords` table is currently used to only store expired
   passwords, it will be used in the future to store a user's current
   password as well.

2. Adds a `UserPasswordExpirer.expire_user_password` method which can
   be used from the Rails console to mark a user's password as expired.

3. Updates `SessionsController#create` to check that the user's current
   password has not been marked as expired after confirming the
   password. If the password is determined to be expired based on the
   existence of a `UserPassword` record with the `password_expired_at`
   column set, we will not log the user in and will display a password
   expired notice. A forgot password email is automatically send out to
   the user as well.

app/models/user.rb

@@ -77,6 +77,7 @@ class User < ActiveRecord::Base
           dependent: :destroy
   has_one :invited_user, dependent: :destroy
   has_one :user_notification_schedule, dependent: :destroy
+  has_many :passwords, class_name: "UserPassword", dependent: :destroy
 
   # delete all is faster but bypasses callbacks
   has_many :bookmarks, dependent: :delete_all
@@ -926,6 +927,15 @@ class User < ActiveRecord::Base
     PasswordValidator.new(attributes: :password).validate_each(self, :password, @raw_password)
   end
 
+  def password_expired?(password)
+    passwords
+      .where("password_expired_at IS NOT NULL AND password_expired_at < ?", Time.zone.now)
+      .any? do |user_password|
+        user_password.password_hash ==
+          hash_password(password, user_password.password_salt, user_password.password_algorithm)
+      end
+  end
+
   def confirm_password?(password)
     return false unless password_hash && salt && password_algorithm
     confirmed = self.password_hash == hash_password(password, salt, password_algorithm)

app/models/user_password.rb

@@ -0,0 +1,37 @@
+# frozen_string_literal: true
+
+class UserPassword < ActiveRecord::Base
+  validates :user_id, presence: true
+
+  validates :user_id,
+            uniqueness: {
+              scope: :password_expired_at,
+            },
+            if: -> { password_expired_at.nil? }
+
+  validates :password_hash, presence: true, length: { is: 64 }, uniqueness: { scope: :user_id }
+  validates :password_salt, presence: true, length: { is: 32 }
+  validates :password_algorithm, presence: true, length: { maximum: 64 }
+
+  belongs_to :user
+end
+
+# == Schema Information
+#
+# Table name: user_passwords
+#
+#  id                  :integer          not null, primary key
+#  user_id             :integer          not null
+#  password_hash       :string(64)       not null
+#  password_salt       :string(32)       not null
+#  password_algorithm  :string(64)       not null
+#  password_expired_at :datetime
+#  created_at          :datetime         not null
+#  updated_at          :datetime         not null
+#
+# Indexes
+#
+#  idx_user_passwords_on_user_id_and_expired_at_and_hash  (user_id,password_expired_at,password_hash)
+#  index_user_passwords_on_user_id                        (user_id) UNIQUE WHERE (password_expired_at IS NULL)
+#  index_user_passwords_on_user_id_and_password_hash      (user_id,password_hash) UNIQUE
+#