Received: from malur.postgresql.org ([217.196.149.56]) by arkaria.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vlWDh-0009Sj-0O for pgsql-hackers@arkaria.postgresql.org; Thu, 29 Jan 2026 17:54:17 +0000 Received: from localhost ([127.0.0.1] helo=malur.postgresql.org) by malur.postgresql.org with esmtp (Exim 4.96) (envelope-from ) id 1vlWCf-0009mC-0q for pgsql-hackers@arkaria.postgresql.org; Thu, 29 Jan 2026 17:53:14 +0000 Received: from makus.postgresql.org ([2001:4800:3e1:1::229]) by malur.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.96) (envelope-from ) id 1vlWCe-0009m3-2v for pgsql-hackers@lists.postgresql.org; Thu, 29 Jan 2026 17:53:13 +0000 Received: from mail-oo1-xc2f.google.com ([2607:f8b0:4864:20::c2f]) by makus.postgresql.org with esmtps (TLS1.3) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (Exim 4.96) (envelope-from ) id 1vlWCc-002xei-39 for pgsql-hackers@postgresql.org; Thu, 29 Jan 2026 17:53:12 +0000 Received: by mail-oo1-xc2f.google.com with SMTP id 006d021491bc7-6610f407959so376427eaf.2 for ; Thu, 29 Jan 2026 09:53:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1769709191; x=1770313991; darn=postgresql.org; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:from:to:cc:subject:date:message-id:reply-to; bh=3izXI6TRvUIeD1DtutEnoMLo14EhNMbTEJ1ZSvHtJuM=; b=ggYOWswCX84Vaz6ycFmDdW/5p99Il5N4xQfKPiPmQz9I+zVJxyp2YFMkk+d3VhBtCg AkEmRSmv4qVoXGo+i3v/w3WoDHYhM1ybhTU2MRJ1lRXkrd5sfwxww7BNhUlvaKB1fXSD hwMLFqsahGb/WfZQFHGIm1T7uzDjHC6VFQHLA7XuG69HHBSFQtxjqNU8auaF8ORCsMFK +ItnbbmB5BrK9RDCuwbdmuISICgMaOVLe4/r2Pwv4i2OGeus7QFFA82nIvvr3UajLcOq vhvvhvp/PfwJG21DgzrCqCKDnruUs2zkJGgMzvsTMDZFrNwUM6093c2spye3DCnf5WJD aUVA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1769709191; x=1770313991; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-gg:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=3izXI6TRvUIeD1DtutEnoMLo14EhNMbTEJ1ZSvHtJuM=; b=u53tALdZMit+aRQaZKjXECQQtpneQpu4xwuHWsKYRo24ag93Zk3WdJcdZV6fQfi9j5 UdQY6SFK/TxWdzMEMqyFXeZ1qOxErRP5/shOXWCsYOvs/Gozt/twdf61OcOJmq8GX0Oh TNeLjR0Yy0cBVSAxXL9Ejx0wbC/WDdrgVB3af/BElGEJWKL7sp1ZUALc04tyReGImJEi MHLoCwHy3hTlGrcYyM4opVKimUpndvtepmnpEbkeIpUMn6SRRUKupahuq3NjcDNwoVDk 3yPEuyWJDMdh9cmLXGC0pFLUSITIt+TVfMtTIEroQQf2xMDA4kgVrBNtxFgA/Ht2eqe3 +62w== X-Forwarded-Encrypted: i=1; AJvYcCXlrCTY8h5XeIxI8MTtAuPh3BRbeOT4oogmq+mgFlHarVKFqBiWcYet5NsTQ4hL7mq4jw8lrStNlJqz12rt@postgresql.org X-Gm-Message-State: AOJu0YzmjbmXK5Pq4SpZaeRZoOs5gUB+zxTnFpu3KcxyGJBLUx6jiPjD aHIGahAkFfgxrE/ZXa/SYg/dAC3G12VJi98+USRWX+Lae/j/EM92L3+K X-Gm-Gg: AZuq6aLoCBsZzM09SIAo0Gg50AsmEI4FzycYo4kIe0XTy4K1jjgBzPg7s6PQpBe3MD3 fGCAn/W+97tZKCYds6vr0pFrUdLQTmIkTRMr0BYnS706O1QDkwhKsAX/2+pkmz8wB52wfJCeygM C+AL4jUtmnBkloH1ZDZA2rAqoZvDk1uQ4Usq4zF/TCClhe0SmbbaLPjV2lAOHBF9pau2hira5ri guwFw3IpgSnPTaxqDRLAJF1fJJe1LiJnELrTjX29fxwHlBrTpUjliP++vPZvZ+ge0KyjFUYszKJ sPc3EOoiiZEFPZYdJtjpPoXhFd45R0VhS5rRej4lQcLT8y1NLbD7seuzQwvZDYITHOyBwIObah4 VsB9Nna5yYzA+/pU1ZEfnjNfWbMX12+PmJ0AnXgQG0bBjM3O4IYQUnhh0WumxiN1LdH59sSccJJ w9gr8E/uINzaPhMHlwMXgg48ptUvbhDA9ZQgXc9nR5i68N6bVpCkzaWGvc69aJpFinbkg4Kq+9D mbgrqKqdB8Z0bA= X-Received: by 2002:a05:6820:1793:b0:662:f0cb:84cd with SMTP id 006d021491bc7-6630f34f5ffmr107278eaf.30.1769709190939; Thu, 29 Jan 2026 09:53:10 -0800 (PST) Received: from nathan (162-195-168-172.lightspeed.stlsmo.sbcglobal.net. [162.195.168.172]) by smtp.gmail.com with ESMTPSA id 586e51a60fabf-409575b0a89sm4215050fac.20.2026.01.29.09.53.09 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 29 Jan 2026 09:53:10 -0800 (PST) Date: Thu, 29 Jan 2026 11:53:08 -0600 From: Nathan Bossart To: Zsolt Parragi Cc: Japin Li , Gilles Darold , Yuefei Shi , songjinzhou , PostgreSQL Hackers , Andrew Dunstan , Tom Lane , liu xiaohui , Steven Niu Subject: Re: Pasword expiration warning Message-ID: References: <94634e38-7184-42a1-b9e1-7611076e1c08@darold.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: List-Id: List-Help: List-Subscribe: List-Post: List-Owner: List-Archive: Archived-At: Precedence: bulk Sorry, I haven't been following the discussion, but I took a brief look at the latest patch in the thread. + Controls how much time (in seconds) before a role's password expiration + a WARNING message is sent to the client upon successful + connection. It requires that a VALID UNTIL date is set + for the role. A value of 0d disable this behavior. The + default value is 7d and the maximum value 30d. I'm not sure we should subject folks to these warnings by default, and I don't see a reason to restrict the maximum value to 30 days. IMHO we should have this disabled by default and the maximum value should be INT_MAX. + if (password_expire_warning > 0 && vuntil < PG_INT64_MAX) + { + TimestampTz result = (vuntil - now) / USECS_PER_SEC; /* in seconds */ + + if (result <= (TimestampTz) password_expire_warning) + { + MyClientConnectionInfo.warning_message = + psprintf(_("your password will expire in %d day(s)"), + (int) (result / SECS_PER_DAY)); + } + } nitpick: I suspect we could simplify this code a bit, but I haven't tried. Also, IMO we should be more precise about the expiration time. There is a reasonable difference between a password expiring in 1 second as opposed to 23 hours, 59 minutes, 59 seconds, but in both cases this message would say "0 days". You might be able to borrow from psql/common.c's PrintTiming() function to add more detail here. + /* + * Emit a warning message to the client when set, for example + * to warn the user that the password will expire. + */ + if (MyClientConnectionInfo.warning_message) + ereport(WARNING, (errmsg("%s", MyClientConnectionInfo.warning_message))); Having a variable for warning messages could come in handy later. For example, we might add a warning about using MD5 passwords at some point. In my draft patch for this [0], I put the warning after closing the transaction, whereas this patch puts it just before. I'm not sure I had a principled reason for doing so, but it's an interesting difference between the two patches. [0] https://postgr.es/m/attachment/177167/v2-0002-WIP-add-warning-upon-authentication-with-MD5-pass.patch -- nathan