Alternatively if you don’t want to go the cron-route since it’s not really easy to implement, you could go the dirty route and just add the field and check it when requests come in (extend the users-permissions plugin) and return an error while also clearing the expire date.