FEATURE: Allow site admin to mark a user's password as expired (#27314)

This commit adds the ability for site administrators to mark users'
passwords as expired. Note that this commit does not add any client side
interface to mark a user's password as expired.

The following changes are introduced in this commit:

1. Adds a `user_passwords` table and `UserPassword` model. While the
   `user_passwords` table is currently used to only store expired
   passwords, it will be used in the future to store a user's current
   password as well.

2. Adds a `UserPasswordExpirer.expire_user_password` method which can
   be used from the Rails console to mark a user's password as expired.

3. Updates `SessionsController#create` to check that the user's current
   password has not been marked as expired after confirming the
   password. If the password is determined to be expired based on the
   existence of a `UserPassword` record with the `password_expired_at`
   column set, we will not log the user in and will display a password
   expired notice. A forgot password email is automatically send out to
   the user as well.

db/migrate/20240603234529_create_user_passwords.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+class CreateUserPasswords < ActiveRecord::Migration[7.0]
+  def change
+    create_table :user_passwords, id: :integer do |t|
+      t.integer :user_id, null: false
+      t.string :password_hash, limit: 64, null: false
+      t.string :password_salt, limit: 32, null: false
+      t.string :password_algorithm, limit: 64, null: false
+      t.datetime :password_expired_at, null: true
+
+      t.timestamps
+    end
+
+    add_index :user_passwords, %i[user_id], unique: true, where: "password_expired_at IS NULL"
+
+    add_index :user_passwords, %i[user_id password_hash], unique: true
+
+    add_index :user_passwords,
+              %i[user_id password_expired_at password_hash],
+              name: "idx_user_passwords_on_user_id_and_expired_at_and_hash"
+  end
+end