hyperswitch

ae42e67f - fix(users): prevent password requirement bypass on reactivated user signin

fix(users): prevent password requirement bypass on reactivated user signin Previously, when a deleted user was re-invited and attempted to use the invitation link to sign in, they were not prompted to set a password and could directly log in. However, after logging out, they were unable to log back in due to missing password credentials. The root cause was in the reactivation logic, which unconditionally updated the last_password_modified_at field even when no password was being set. This caused the decision_manager to incorrectly assume the password was recently modified and skip the password rotation requirement. This fix ensures that: - last_password_modified_at is only set when a password is actually provided during reactivation - is_password_rotate_required() performs an early check to return true if no password exists - the ReactivateUserUpdate struct now accepts an optional last_password_modified_at field for explicit control