Diffstat (limited to 'spec/requests/api')
-rw-r--r-- | spec/requests/api/graphql_spec.rb | 28 |
1 files changed, 27 insertions, 1 deletions
diff --git a/spec/requests/api/graphql_spec.rb b/spec/requests/api/graphql_spec.rb
index b8f7af29a9f..da0c87fcefe 100644
--- a/spec/requests/api/graphql_spec.rb
+++ b/spec/requests/api/graphql_spec.rb
@@ -253,7 +253,7 @@ RSpec.describe 'GraphQL' do
 end
 context 'with token authentication' do
- let(:token) { create(:personal_access_token) }
+ let(:token) { create(:personal_access_token, user: user) }
 it 'authenticates users with a PAT' do
 stub_authentication_activity_metrics(debug: false)
@@ -276,6 +276,32 @@ RSpec.describe 'GraphQL' do
 expect(graphql_errors).to include({ 'message' => /API not accessible/ })
 end
+ context 'when user with expired password' do
+ let_it_be(:user) { create(:user, password_expires_at: 2.minutes.ago) }
+
+ it 'does not authenticate user' do
+ post_graphql(query, headers: { 'PRIVATE-TOKEN' => token.token })
+
+ expect(response).to have_gitlab_http_status(:ok)
+
+ expect(graphql_data['echo']).to eq('nil says: Hello world')
+ end
+ end
+
+ context 'when password expiration is not applicable' do
+ context 'when ldap user' do
+ let_it_be(:user) { create(:omniauth_user, provider: 'ldap', password_expires_at: 2.minutes.ago) }
+
+ it 'authenticates user' do
+ post_graphql(query, headers: { 'PRIVATE-TOKEN' => token.token })
+
+ expect(response).to have_gitlab_http_status(:ok)
+
+ expect(graphql_data['echo']).to eq("\"#{token.user.username}\" says: Hello world")
+ end
+ end
+ end
+
 context 'when the personal access token has no api scope' do
 it 'does not log the user in' do
 token.update!(scopes: [:read_user]) |
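Review bot: The negative case in 'when user with expired password' proves the denial only through the exact string `'nil says: Hello world'`, so it is tied to how the echo field renders an anonymous caller rather than to the identity of the rejected user. Adding `expect(graphql_data['echo']).not_to include(user.username)` beside it would keep the check meaningful if that rendering ever changes. A short comment such as `# expired password: the PAT is ignored and the request is served as anonymous (200, no auth error)` would also record that the 200 is intended, since the example just above this context asserts a `graphql_errors` message for a denied token. Only the LDAP case is exercised under 'when password expiration is not applicable'; if other account types are exempt from expiry, they are not covered in this hunk.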