'Admin' should not use default credential, he should be forced to update it the first time SonarQube detect that it's the case.
- Add ‘reset_password’ boolean flag to users table.
- Prepare migration which populates this value as ‘false’, except for admin user who still use admin as password.
* Local user after successful login which has ‘reset_password’ flag set as true, should be redirected to unskippable form with following fields:
- Title: Your password has been asked to be reset
- Old Password
- New password
- Confirm password
- With actionable button Change. After clicking on a button web should use api/users/change_password WS in order to change password of user.
- Update api/users/change_password in order to prevent updating to the same password
- Add warning in sonar.log when default admin credentials are detected
- Update docs about the SQL to reset admin password in order to set the reset_password column to true