Completed 403 forbidden /api/graphql for a specific user

Hi, I need help troubleshooting a problem with a specific user. I already tested with another user and everything works perfectly.

This is what I get when I try to access a repository with the user in question. Something is wrong with the GraphQL API.

Processing by GraphqlController#execute as */*
  Parameters: {"operationName"=>"pathLastCommit", "variables"=>"[FILTERED]", "query"=>"query pathLastCommit($projectPath: ID!, $path: String, $ref: String!) {\n  project(fullPath: $projectPath) {\n    __typename\n    repository {\n      __typename\n      tree(path: $path, ref: $ref) {\n        __typename\n        lastCommit {\n          __typename\n          sha\n          title\n          titleHtml\n          descriptionHtml\n          message\n          webPath\n          authoredDate\n          authorName\n          authorGravatar\n          author {\n            __typename\n            name\n            avatarUrl\n            webPath\n          }\n          signatureHtml\n          pipelines(ref: $ref, first: 1) {\n            __typename\n            edges {\n              __typename\n              node {\n                __typename\n                detailedStatus {\n                  __typename\n                  detailsPath\n                  icon\n                  tooltip\n                  text\n                  group\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n", "graphql"=>{"operationName"=>"pathLastCommit", "variables"=>"[FILTERED]", "query"=>"query pathLastCommit($projectPath: ID!, $path: String, $ref: String!) 
{\n  project(fullPath: $projectPath) {\n    __typename\n    repository {\n      __typename\n      tree(path: $path, ref: $ref) {\n        __typename\n        lastCommit {\n          __typename\n          sha\n          title\n          titleHtml\n          descriptionHtml\n          message\n          webPath\n          authoredDate\n          authorName\n          authorGravatar\n          author {\n            __typename\n            name\n            avatarUrl\n            webPath\n          }\n          signatureHtml\n          pipelines(ref: $ref, first: 1) {\n            __typename\n            edges {\n              __typename\n              node {\n                __typename\n                detailedStatus {\n                  __typename\n                  detailsPath\n                  icon\n                  tooltip\n                  text\n                  group\n                }\n              }\n            }\n          }\n        }\n      }\n    }\n  }\n}\n"}}
Started POST "/api/graphql" for 0.0.0.0 (IP) at 2021-06-03 13:28:24 -0400
Filter chain halted as :authorize_access_api! rendered or redirected
Processing by Gitlab::RequestForgeryProtection::Controller#index as HTML
Completed 403 Forbidden in 6ms (Views: 1.8ms | ActiveRecord: 0.7ms | Elasticsearch: 0.0ms | Allocations: 1822)
1 Like

Setting database password_expires_at to NULL can fix this problem.
Run this query in GitLab pgsql:
update users set password_expires_at = NULL where email = 'xxxxx';

3 Likes

Your solution sorted it out for us! Thanks!

We started getting this after upgrading to GitLab 13.12.2.

The user also had an issue browsing repos, with the error “An error occurred while fetching folder content.” (for anyone searching this issue…)

This is a known issue and a merge request to fix this is underway: Fix Password expired error on git fetch via SSH for LDAP user (!63466) · Merge requests · GitLab.org / GitLab · GitLab

The immediate workaround is to reset the password_expires_at setting for affected users in the database using gitlab-rails dbconsole

UPDATE users SET password_expires_at = null where username='username';

Or if this is affecting multiple users:

UPDATE users SET password_expires_at = null WHERE password_expires_at IS NOT null;
1 Like
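
A narrower variant of the workaround above, as an added example that is not part of the original posts or GitLab's own code: it previews the affected accounts, clears only expiry dates that are already in the past, and returns the old values so the change can be recorded. It assumes PostgreSQL (as reached through gitlab-rails dbconsole), the `users` columns named in this thread plus an `id` primary key, and that only already-expired dates need clearing.

```sql
-- Added example (PostgreSQL). Column names other than id come from this thread.
BEGIN;

-- 1. Preview: accounts whose stored expiry date is already in the past.
SELECT id, username, email, password_expires_at
FROM users
WHERE password_expires_at IS NOT NULL
  AND password_expires_at < now()
ORDER BY password_expires_at;

-- 2. Clear only those rows, and return the previous value of each one
--    so it can be saved with the change record.
WITH affected AS (
    SELECT id, password_expires_at AS old_expires_at
    FROM users
    WHERE password_expires_at IS NOT NULL
      AND password_expires_at < now()
    FOR UPDATE
)
UPDATE users AS u
SET password_expires_at = NULL
FROM affected AS a
WHERE u.id = a.id
RETURNING u.id, u.username, a.old_expires_at;

-- 3. Verify: this should now return 0.
SELECT count(*) AS still_expired
FROM users
WHERE password_expires_at IS NOT NULL
  AND password_expires_at < now();

-- COMMIT if the returned rows match the preview; use ROLLBACK instead otherwise.
COMMIT;
```

Expiry dates that lie in the future are left untouched, so accounts with a deliberately set expiry keep it.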

Same as klo.
Thanks DuonaZhou

FYI - I also had a problem with the git pull command, after the upgrade to 13.12.3 - with this showing on my workstation:

$ git pull -ff


remote:
remote: ========================================================================
remote:
remote: Your password expired. Please access GitLab from a web browser to update your password.
remote:
remote: ========================================================================
remote:
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

and this in gitlab-shell.log

{"correlation_id":"01F7TVN5PB40A1NNJR72QNHAZK","duration_ms":34,"error":"Your password expired. Please access GitLab from a web browser to update your password.","level":"error","method":"POST","msg":"Internal API error","status":401,"time":"2021-06-10T13:41:56+02:00","url":"http://unix/gitlab/api/v4/internal/allowed"}

Odd thing was that my account was the only one with an expiration date (2019-02-04) - but all other users had a ‘null’ value in the ‘password_expires_at’ field.

Anyway - this problem was also solved by the workaround.

1 Like