feat: add PATCH /auth/change-password endpoint#94
Conversation
Adds ChangePasswordRequest schema and PATCH /auth/change-password endpoint that allows authenticated users to change their password by providing current_password and new_password.
|
Hi @rubenxyz — thanks for adding this! An adversarial code review flagged one edge case worth handling before merge (verified against the branch head): 🟡 Medium — HTTP 500 for password-less (magic-code) users. A user who signed in via the magic-code flow and never called Suggested fix: guard before verifying — |
ravirajsinh45
left a comment
There was a problem hiding this comment.
Requesting changes: change_password returns HTTP 500 for magic-code users who never set a password (verify_password(current, None) → uncaught AttributeError). A password_hash is None guard (as /auth/login already does) resolves it. Details in the review comment above.
Magic-code users who never set a password have password_hash=None. verify_password(current, None) raises an uncaught AttributeError, resulting in HTTP 500. Add a null guard that returns 400 with a clear message directing users to /set-password. Reported-by: ravirajsinh45
What this adds
PATCH /auth/change-passwordendpoint so authenticated users can change their own password. The frontend was already coded to call this endpoint but it did not exist.Changes
schemas/auth.py— AddsChangePasswordRequestschema withcurrent_passwordandnew_passwordfields.routers/auth.py— AddsPATCH /auth/change-passwordendpoint. Validates the current password, then hashes and stores the new one. Returns an error if the current password is incorrect.Files changed
apps/api/schemas/auth.py— +4 linesapps/api/routers/auth.py— +15 lines