Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vlUY4-00D1vt-1J for pgsql-hackers@arkaria.postgresql.org; Thu, 29 Jan 2026 16:07:13 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vlUY3-00AFmC-1h for pgsql-hackers@arkaria.postgresql.org; Thu, 29 Jan 2026 16:07:11 +0000 Received: from magus.postgresql.org ([2a02:c0:301:0:ffff::29]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vlUY3-00AFm3-0c for pgsql-hackers@lists.postgresql.org; Thu, 29 Jan 2026 16:07:11 +0000 Received: from 10.mo582.mail-out.ovh.net ([87.98.157.236]) by magus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.98.2) (envelope-from ) id 1vlUXz-000000001kG-3Mra for pgsql-hackers@lists.postgresql.org; Thu, 29 Jan 2026 16:07:10 +0000 Received: from director9.ghost.mail-out.ovh.net (unknown [10.109.249.122]) by mo582.mail-out.ovh.net (Postfix) with ESMTP id 4f23tf0C1Bz5yfj for ; Thu, 29 Jan 2026 16:07:05 +0000 (UTC) Received: from ghost-submission-7d8d68f679-g6hcj (unknown [10.110.168.250]) by director9.ghost.mail-out.ovh.net (Postfix) with ESMTPS id A8443815AE for ; Thu, 29 Jan 2026 16:07:05 +0000 (UTC) Received: from darold.net ([37.59.142.98]) by ghost-submission-7d8d68f679-g6hcj with ESMTPSA id PiG7GqmFe2nWrgkA72SrkA (envelope-from ) for ; Thu, 29 Jan 2026 16:07:05 +0000 Authentication-Results:garm.ovh; auth=pass (GARM-98R002913f6408-21bb-4e8f-85ab-085cfe07727b, 0999A824C40F323C13D32124FEF93155D3D7C273) smtp.auth=gilles@darold.net X-OVh-ClientIp:90.38.194.7 Message-ID: Date: Thu, 29 Jan 2026 17:07:04 +0100 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Pasword expiration warning To: pgsql-hackers@lists.postgresql.org References: <129bcfbf-47a6-e58a-190a-62fc21a17d03@migops.com> <7aa9c67e-c423-43c4-89e8-4fbe8f5019d2@darold.net> <3002ddbd-64b5-499e-b15c-e1c1720cc356@darold.net> <94634e38-7184-42a1-b9e1-7611076e1c08@darold.net> Content-Language: en-US From: Gilles Darold Autocrypt: addr=gilles@darold.net; keydata= xsBNBEyscTYBCADOHjxbECHbFaVEA8fKAh8gtdRMKCXPhYwgrhIq+435c824l0NkxxT6xAq/ U2embiCGSBy13yVT016bzcxOnOqxgw4dJgXPE1P6RYLgjd17c5Xt7uzkbn4ChO1LOVtx+7y/ uf8GV1fiPTtnilzGQvWdXMDDTNaFbyfIsebE6rB2p47Ns0m+cj46hS22pmEWELM4RilmQ2MX X7vNZPxQ/C6SKQDgeGZSHrvw9OLzFty8yY7HnExfUmCzfN4asAH3q/lCu1YQgud84bCC6hXz Cbw/DvR7pW8QK/ej/UkNzeGUWsWX6GYDF26P3wO9Zqk5T8JixrveiCaWA/e4DR5yr2bTABEB AAHNIUdpbGxlcyBEYXJvbGQgPGdpbGxlc0BkYXJvbGQubmV0PsLAjgQTAQoAOBYhBEnFnv37 SNFcBZKyn3AqzJ89qW5hBQJfxQsiAhsjBQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJEHAq zJ89qW5hjXsIAI53R1IdrgOia4DCtL1hK3+nbqPYYAhHAbQa54V/oHFEuXubH5F+mEBRT12M XNibbPvOCVUHTa46CuYLyBY6GZZ83fYpPZ3IQIavCDiLmpANR7rOoVmGERKs8VLVnQuJ1a+q BObwo1WKOFiqR1UEeT3hfytsmJVan8l2GzNFA+OOwIGEPdLLEpuSO9K3uyEa5FMNxXVWDROR MIHWvcS/RLlJby9GgLUIbLCXYXNrxncQajPs4P/TLS7fsW36laBPHIBoGbIBkgGIlpXhuTj2 PY95YOfyFelXW3AL6oXOncmV9SkfaE2iIpc33FIrN3pEbIC4XEqMANKjidFXcdM3+JfOwE0E TKxxNgEIALVvukwz2p2Vw37pnMk2CGWCgoj76Lnts/3sG42Jw6Ewjvjg7u9SGg2fJJ4dzywc oBW5ufJlZalghO3RpbZqDwT2432CUdGG500GLLzYrHIhGBw8h9SkoJqnfel3MOjGy/HZMymK mCy/uqx3ti3Tp0l0Is38C7GK/lG3NKnYUwQuFaM2pDkIoIx3hyogGXEMwV+IHtYpvFroCBVi CgkYubsOEfqJti40BMXJfKv74ecDk43I7x9V6Pzt0j0rfmj4vFbSKHF6ptJNeZBrXrNSeTmf AJXaPD/olDLEStWu6cr5XyMmYxYE9D2eMOQHhFb7UOZdh++HhWcPxMMyKNNB2YsAEQEAAcLA XwQYAQIACQUCTKxxNgIbDAAKCRBwKsyfPaluYZETB/91iP031oHNFMU62RC8x+bERW5x6Dpu 7Kk9rOSKf7ChcSWElBQ2A7OnNAACgPNbJgYyuEquYHTdXLP43phNDJ93EhL+af5z2BLx1gkd V+1rotlzbzIaUv9uofRWU6UJ/emgL3kn1TRmf3PKWWgJkHRlePqKDeNVc53uApbXHoNrS4ul uiwD88mx3+xgZqteCQO2DhEpAckzki82S4n4Ww6fRFB3KIGyafO7fzHFK8cFuT4za4YUFQN9 Ix6WTABleoRLz3Cn+Jde049Zhg1222l0N07KWRS3ZZxAhwr3rv+pg3cJdbNf/rDszym92rig 79SbGEEuL3nFCUXmA/QRIE+v In-Reply-To: Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Ovh-Tracer-Id: 9631229279543336573 X-VR-SPAMSTATE: OK X-VR-SPAMSCORE: 0 X-VR-SPAMCAUSE: dmFkZTEru14l7DcgDYGQz7lGs++aLMKpkqQWqeq3onTHjXz4/biKr7Gfj/plHSZzvr3nlT86J+Bq/gdg8ybTn/BhsALTqn14p08m1PVE8K0MRfsDFLUQqkmjCJYS8AvR3y3w9dT0nUEEmY49Bq0ozzc+i0CfT2eKmAfMqdGAwIri0VAlgjn1JHalN4QH5BFQdqIGtpfSnkJSY53HE4nbS6IhwnmWej52hdxLJHm6WMBSPzor2kYNr6ocn/xyf5a+UZfn6rtubmWFDIePfblVhgNOfzpgnqcZ7cO2Tgvni6s9EFYNjt7hpKztZFAPkl3OmCV7Pcv1+lsYuqbXpkwvx8rGAloOr7P23ZhwgF98wEpSCWrhtY8QrBSwhMhKcb41FsLy+I4x3eR41THeiL6zNrNHQLNrtwQd/YHe4wlP7kVHgNqmy2GDLpsCaPQW1q0Xl8J+xT2Nt/zMlEmf9LZoJY6uBOPYZC6C68bizVaWiU9GpadMG07/+Rm8I6lo2BjPfVQ1zdz0vFnQhzScdunqAVJxPRfS/751KWThflJMMH38oaesc66CpkwDMKWjKkrgBsjz3hP47ij1SO1+KWD5XzLC7NPATD+UKsLKwIUUKwQ9itdJkPeRGvI6xd0mdeQq1t0Bb3AjwKNdW0AM0Kwn8cPAX3fwrWpdLeSaWU3r9ml66yTwRw DKIM-Signature: a=rsa-sha256; bh=TqwjJvPG2OHijP2TFGFyBbwDtq1GRIaY99sN5/ufXYU=; c=relaxed/relaxed; d=darold.net; h=From; s=ovhmo452075-selector1; t=1769702826; v=1; b=PBJbi9xavCFgIrMHPYHfx5E3+IFW4jaqdJcGVg/LBhHPSDbRhaNQcverUu2D+JGxckUW7OxV TvLQiKgSNziF2AbvvouPSWWU4qrsgHoFvT+Kb5vxOk3V7FK9/LLDdJgnZ4sf2YZBf3SHfoBDr2v 3Yr9yfySNscL6Lifd+vbov7mTfadQ7NyX7HFGQ74njKMb170AitadhQZFQlfkc/Jc/f70RSsiQF eUd24M9zpbDfcw/y2LEwpybDB00e8TzfFekNFGP55bHRMciPiaUvzXRZ+DwTcBfxjbasmt574ep fdu3VYV6o45WOpwfOHETOMpog6bdOO3UWd9pv8IZ+mG7Q== List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Le 28/01/2026 à 20:25, Zsolt Parragi a écrit : > Hello! > > A first question: have you looked at the GoAway patch[1]? While that > isn't exactly about the same situation, it was already considered for > password expiration checks in[2], and the same idea could be useful > for this situation too, especially in the context of my last question > in this email. I don't know about this thread before you mention it. With a quick read of the thread it looks that this GoAway protocol addition is use to ask to the client to disconnect/reconnect. Here we just want to emit a warning at connection to inform the user that his password will expire and it don't need re-connection at all.  Anyway I will have a deeper look in this thread. > + /* > + * Message to send to the client in case of connection success. > + * When not NULL a WARNING message is sent to the client at end > + * of the connection in src/backend/utils/init/postinit.c at > + * enf of InitPostgres(). For example, it is use to show the > + * password expiration warning. > + */ > + const char *warning_message; > > Handling of this new variable is missing from > EstimateClientConnectionInfoSpace and SerializeClientConnectionInfo, > which the struct explicitly asks for a few lines above this change. > Even if you think that's not necessary for some reason, it should be > explained to avoid confusing readers. This is intentional because this message is only emitted at the main connection and don't needed to be in the MyClientConnectionInfo serialization. I forgot to add a comment, I will do. > + * Password OK, but check if rolvaliduntil is less than GUC > + * password_expire_warning days to send a warning to the client > + */ > + if (!isnull && password_expire_warning > 0 && vuntil < PG_INT64_MAX) > > Could this use TIMESTAMP_NOT_FINITE? Thanks, it will be fixed too. > And I think that "days" should be "seconds". > > + TimestampTz result = (vuntil - now) / USECS_PER_SEC; /* in seconds */ > > Maybe call this variable something more descriptive, like > seconds_until_expiration? > > + > + if (result <= (TimestampTz) password_expire_warning) > + { > + MyClientConnectionInfo.warning_message = > + psprintf(_("your password will expire in %d day(s)"), > + (int) (result / SECS_PER_DAY)); > + } > > This is not that useful on the last day - have you considered > displaying hours if the expiration date is within a day, or maybe > HH:MM? When you see that the password is about to expire in 0 day, do you really think that saying it will expire in 12h30m42s will encourage the user to change it now? If he don't do that in the previous days he will probably not do it in the hour too. Quite useless IMO but if there more vote to have HH:MM why not. -- Gilles Darold http://hexacluster.ai/