Requirements

This plugin requires:

• OctoberCMS v4.x
• RainLab.User plugin

The plugin has no purpose without RainLab.User and assumes frontend authentication is handled by it.

Core Concept

The plugin works with a dedicated database table:

snipi_requirepasswordreset_items

Each row represents an active password reset enforcement for a specific user.

Active enforcement

A user is considered restricted if a record exists with:

• user_id = X
• fullfiled_at IS NULL

Enforcement resolution

The enforcement is automatically resolved when the user changes their password. At that moment, the plugin sets:

• fullfiled_at = CURRENT_TIMESTAMP

No manual cleanup is required.

Middleware Behavior

The plugin registers a frontend middleware that runs on CMS requests.

The middleware performs the following steps:

1. Detects the authenticated frontend user (Auth::user()).
2. Checks for an active enforcement record.
3. If enforcement exists:
   • Allows only whitelisted URLs.
   • Redirects all other requests to a single forced CMS page.

The middleware:

• Supports custom backend URL prefixes (from .env / backend.uri).
• Supports OctoberCMS multisite.
• Prevents redirect loops.
• Does not interfere with backend authentication.

Settings

The plugin provides a Settings page under System → Settings → RequirePasswordReset.

Redirect Page

• Type: pagefinder
• Stored value: october://...
• Determines the CMS page users are redirected to.
• Resolved at runtime using Cms\Classes\PageManager::url().

Ignore Backend

• When enabled, backend routes are ignored by the middleware.
• Backend URI is resolved from the backend.uri configuration value.

Whitelist Paths

• One path per line.
• Supports * wildcards.
• These paths remain accessible even during enforcement.

Show Alert Message

• Enables a frontend alert message during redirect.

Alert Message

• Message text shown to the user.
• Delivered via October Flash messages.

Backend User Integration (RainLab.User)

The plugin extends the RainLab.User backend Users form.

Checkbox: Request password change on first login

• Available on user create and update.
• UI-only field (never persisted to the users table).
• Marked as purgeable on the User model.

When enabled:

• An enforcement record is created after saving the user.
• The user is redirected on the next frontend request.

Password Change Detection

The plugin listens to the RainLab.User model lifecycle.

On model.afterSave:

• If the user password was changed:
  • Any active enforcement record is automatically fulfilled.
  • Redirect enforcement stops immediately.

This works for:

• Frontend password changes.
• Backend password changes.
• API-driven user updates.

Database Structure

Table: snipi_requirepasswordreset_items

Columns:

• id (primary key)
• user_id (RainLab.User ID)
• fullfiled_at (timestamp when password change was completed)
• lock_on_password_form (reserved for future use)
• created_at
• updated_at
• deleted_at

Flash Messages

If enabled in settings, the plugin sets a Flash message during redirect.

To display it on the frontend, the active layout must include:

{% flash %} {{ message }} {% endflash %}

Alternatively, the message can be rendered using oc.flashMsg if the October AJAX framework is loaded.

Multisite Support

• Fully compatible with OctoberCMS multisite.
• Redirect page resolution respects the active site context.
• Backend URI detection respects site configuration.

Summary

RequirePasswordReset provides:

• Deterministic password change enforcement.
• Backend-controlled activation.
• Automatic deactivation after password change.
• Pagefinder-based redirect selection.
• Middleware-level access control.
• No schema changes to the users table.