initial commit

server/api/me/password.put.js

@@ -0,0 +1,40 @@
+import { getDb } from '../../utils/db.js'
+import { requireAuth } from '../../utils/authHelpers.js'
+import { hashPassword, verifyPassword } from '../../utils/password.js'
+
+export default defineEventHandler(async (event) => {
+  const currentUser = requireAuth(event)
+  const body = await readBody(event).catch(() => ({}))
+  const currentPassword = body?.currentPassword
+  const newPassword = body?.newPassword
+
+  if (typeof currentPassword !== 'string' || currentPassword.length < 1) {
+    throw createError({ statusCode: 400, message: 'Current password is required' })
+  }
+  if (typeof newPassword !== 'string' || newPassword.length < 1) {
+    throw createError({ statusCode: 400, message: 'New password cannot be empty' })
+  }
+
+  const { get, run } = await getDb()
+  const user = await get(
+    'SELECT id, password_hash, auth_provider FROM users WHERE id = ?',
+    [currentUser.id],
+  )
+  if (!user) {
+    throw createError({ statusCode: 404, message: 'User not found' })
+  }
+  const authProvider = user.auth_provider ?? 'local'
+  if (authProvider !== 'local') {
+    throw createError({
+      statusCode: 400,
+      message: 'Password change is only for local accounts. Use your identity provider to change password.',
+    })
+  }
+  if (!verifyPassword(currentPassword, user.password_hash)) {
+    throw createError({ statusCode: 400, message: 'Current password is incorrect' })
+  }
+
+  const passwordHash = hashPassword(newPassword)
+  await run('UPDATE users SET password_hash = ? WHERE id = ?', [passwordHash, currentUser.id])
+  return { ok: true }
+})