Add fix for admin users with a pending password change

Issue fixed with later versions of Decidim but applying the fix
to the module 0.27 version for now as well, see:
decidim/decidim#13354

app/controllers/decidim/helsinki_profile/omniauth_callbacks_controller.rb

@@ -91,6 +91,19 @@ def first_login_and_not_authorized?(_user)
 
       private
 
+      # Fixes an issue with the login if the user has a pending change password.
+      #
+      # For further details, see:
+      # https://github.com/decidim/decidim/pull/13354
+      #
+      # This can be removed after the above mentioned PR is merged to the core
+      # and the fix is shipped in a release.
+      #
+      # Issue has been fixed in versions 0.27.6 and 0.28.1.
+      def change_password_path
+        decidim.change_password_path
+      end
+
       def authorize_user(user)
         authenticator.authorize_user!(user)
       rescue Decidim::HelsinkiProfile::Authentication::AuthorizationBoundToOtherUserError

spec/controllers/decidim/helsinki_profile/omniauth_callbacks_controller_spec.rb

@@ -135,6 +135,18 @@
           expect(user.email).to eq(email)
           expect(user.unconfirmed_email).to be_nil
         end
+
+        context "when the user is an admin with a pending password change request" do
+          let!(:user) { create(:user, :admin, organization: organization, email: email, sign_in_count: 1, password_updated_at: 1.year.ago) }
+
+          it "redirects to the password change path" do
+            get(
+              "/users/auth/helsinki/callback?code=#{code}&state=#{omniauth_state}"
+            )
+
+            expect(response).to redirect_to("/change_password")
+          end
+        end
       end
 
       context "when email is unverified according to the authenticator" do