feat(api): implement /api/user/me/password endpoint

add an endpoint to allow the user to change his password
2025-06-23 09:51:06 +02:00 · 2025-06-23 09:51:06 +02:00 · 280fa57e45
commit 280fa57e45
parent be1502a4ac
3 changed files with 171 additions and 0 deletions
--- a/src/app/api/user/me/password/route.ts
+++ b/src/app/api/user/me/password/route.ts
@ -0,0 +1,119 @@
 import { auth } from '@/auth';
 import { prisma } from '@/prisma';
 import { updateUserPasswordServerSchema } from '../validation';
 import {
  returnZodTypeCheckedResponse,
  userAuthenticated,
 } from '@/lib/apiHelpers';
 import { FullUserResponseSchema } from '../../validation';
 import {
  ErrorResponseSchema,
  ZodErrorResponseSchema,
 } from '@/app/api/validation';
 import bcrypt from 'bcryptjs';
 export const PATCH = auth(async function PATCH(req) {
  const authCheck = userAuthenticated(req);
  if (!authCheck.continue)
    return returnZodTypeCheckedResponse(
      ErrorResponseSchema,
      authCheck.response,
      authCheck.metadata,
    );
  const body = await req.json();
  const parsedBody = updateUserPasswordServerSchema.safeParse(body);
  if (!parsedBody.success)
    return returnZodTypeCheckedResponse(
      ZodErrorResponseSchema,
      {
        success: false,
        message: 'Invalid request data',
        errors: parsedBody.error.issues,
      },
      { status: 400 },
    );
  const { current_password, new_password } = parsedBody.data;
  const dbUser = await prisma.user.findUnique({
    where: {
      id: authCheck.user.id,
    },
    include: {
      accounts: true,
    },
  });
  if (!dbUser)
    return returnZodTypeCheckedResponse(
      ErrorResponseSchema,
      {
        success: false,
        message: 'User not found',
      },
      { status: 404 },
    );
  if (!dbUser.password_hash)
    return returnZodTypeCheckedResponse(
      ErrorResponseSchema,
      {
        success: false,
        message: 'User does not have a password set',
      },
      { status: 400 },
    );
  if (dbUser.accounts.length === 0 || dbUser.accounts[0].provider !== 'credentials')
    return returnZodTypeCheckedResponse(
      ErrorResponseSchema,
      {
        success: false,
        message: 'Credentials login is not enabled for this user',
      },
      { status: 400 },
    );
  const isCurrentPasswordValid = await bcrypt.compare(
    current_password,
    dbUser.password_hash || '',
  );
  if (!isCurrentPasswordValid)
    return returnZodTypeCheckedResponse(
      ErrorResponseSchema,
      {
        success: false,
        message: 'Current password is incorrect',
      },
      { status: 401 },
    );
  const hashedNewPassword = await bcrypt.hash(new_password, 10);
  const updatedUser = await prisma.user.update({
    where: {
      id: dbUser.id,
    },
    data: {
      password_hash: hashedNewPassword,
    },
    select: {
      id: true,
      name: true,
      first_name: true,
      last_name: true,
      email: true,
      image: true,
      timezone: true,
      created_at: true,
      updated_at: true,
    },
  });
  return returnZodTypeCheckedResponse(FullUserResponseSchema, {
    success: true,
    user: updatedUser,
  });
 });
--- a/src/app/api/user/me/password/swagger.ts
+++ b/src/app/api/user/me/password/swagger.ts
@ -0,0 +1,43 @@
 import { OpenAPIRegistry } from '@asteasolutions/zod-to-openapi';
 import { FullUserResponseSchema } from '../../validation';
 import { updateUserPasswordServerSchema } from '../validation';
 import {
  invalidRequestDataResponse,
  notAuthenticatedResponse,
  serverReturnedDataValidationErrorResponse,
  userNotFoundResponse,
 } from '@/lib/defaultApiResponses';
 export default function registerSwaggerPaths(registry: OpenAPIRegistry) {
  registry.registerPath({
    method: 'patch',
    path: '/api/user/me/password',
    description: 'Update the password of the currently authenticated user',
    request: {
      body: {
        description: 'User password update request body',
        required: true,
        content: {
          'application/json': {
            schema: updateUserPasswordServerSchema,
          },
        },
      },
    },
    responses: {
      200: {
        description: 'User information updated successfully',
        content: {
          'application/json': {
            schema: FullUserResponseSchema,
          },
        },
      },
      ...invalidRequestDataResponse,
      ...notAuthenticatedResponse,
      ...userNotFoundResponse,
      ...serverReturnedDataValidationErrorResponse,
    },
    tags: ['User'],
  });
 }
--- a/src/app/api/user/me/validation.ts
+++ b/src/app/api/user/me/validation.ts
@ -4,6 +4,7 @@ import {
  lastNameSchema,
  newUserEmailServerSchema,
  newUserNameServerSchema,
  passwordSchema,
 } from '@/app/api/user/validation';
 // ----------------------------------------
@ -19,3 +20,11 @@ export const updateUserServerSchema = zod.object({
  image: zod.string().optional(),
  timezone: zod.string().optional(),
 });
 export const updateUserPasswordServerSchema = zod.object({
  current_password: zod.string().min(1, 'Current password is required'),
  new_password: passwordSchema,
  confirm_new_password: passwordSchema,
 }).refine((data) => data.new_password === data.confirm_new_password, {
  message: 'New password and confirm new password must match',
 });