Feature/auth change password#40
Conversation
DenizAltunkapan
left a comment
There was a problem hiding this comment.
Thanks for the focused PR. The actual change-password implementation looks reasonable: it resolves the authenticated user from the security context, verifies the old password with BCrypt, stores the new hash, and includes useful integration coverage.
I would not merge this version yet because the PR also changes unrelated project/build/runtime configuration. Please address the inline comments first. After that, this should be close to approval.
Non-blocking follow-up: after a password change, we may also want to invalidate existing refresh tokens for that user so old sessions cannot keep refreshing indefinitely. That can be handled here or in a separate security-hardening PR.
- Restore goal to 'check' - Restore default DB port (5432) and sql.init.mode (never)
|
@DenizAltunkapan I've addressed both points ready for another look, thanks. |
DenizAltunkapan
left a comment
There was a problem hiding this comment.
@tidianecs thank you for your contribution
What
Implements the
/auth/change-passwordendpoint, one of the fiveendpoints originally requested in #32.
Why
Per discussion on #32 with @DenizAltunkapan, I'm splitting this
issue into smaller, focused PRs instead of one large PR covering
all five endpoints. This PR covers
change-passwordonly; happyto pick up the remaining endpoints in follow-up PRs.
Changes
ChangePasswordRequestDTO (oldPassword,newPassword), withthe same password strength validation used in registration
AuthService#changePassword: identifies the current user fromthe JWT via the security context, verifies
oldPasswordagainstthe stored hash, then hashes and persists
newPasswordPOST /auth/change-password(protected endpoint, requires avalid access token)
on a subsequent login
How to test
POST /auth/registerthenPOST /auth/loginto obtain anaccess token
POST /auth/change-passwordwithAuthorization: Bearer <token>and
{ "oldPassword": "...", "newPassword": "..." }the old one
Notes
This is my first contribution to this project — feedback very
welcome, happy to make changes.