feat: password change endpoint with full session rotation

Adds the pre-1.0 password-change story flagged by the audit. Browser users and bot owners both go through PATCH /api/v1/auth/me/password with the current + new password in the body. Implementation in `api::auth::change_password`: - CurrentUser-gated: 401 if unauthenticated. - Verifies current_password against the stored argon2 hash. Wrong current → 401 unauthenticated, matching the login contract. - new_password runs through the same `validate_password` used at registration (≥8 chars). Weak → 400 invalid_input. - On success, wraps the swap in a single transaction: - UPDATE users.password_hash with a fresh argon2 hash. - DELETE every session for this user (signs out other devices — any cookie stolen before the change is dead now). - INSERT a new session and mint a fresh cookie so the caller stays logged in. - 204 + Set-Cookie on success. Bot tokens (api_tokens) are intentionally left alone. They're explicit opt-in credentials that the user can already audit and revoke individually via DELETE /auth/tokens/{id}; rotating them on every password change would surprise CI scripts. Repo refactor: `repo::session::create` accepts `impl PgExecutor<'_>` (same pattern feat/uploads used for chapters), and a new `session::delete_all_for_user` covers the "sign out everywhere" write. The existing `delete_by_token_hash` (used by logout) is unchanged. Coverage in tests/api_auth.rs (4 cases): - change_password_rotates_sessions_and_swaps_credentials — happy path asserts the new cookie differs from the original, that both the original cookie AND a second-device cookie become invalid, that the new cookie keeps working, that login with the old password fails (401) and login with the new password succeeds. - change_password_rejects_wrong_current_with_401 — wrong current password returns 401 unauthenticated. - change_password_rejects_weak_new_password — new_password "short" returns 400 invalid_input. - change_password_requires_authentication — no cookie returns 401. README updated with the new endpoint in the auth table. Lockstep version bump to 0.10.0. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 23:52:53 +02:00
parent d81aca42a0
commit 69eca21fb5
7 changed files with 242 additions and 7 deletions
--- a/README.md
+++ b/README.md
@@ -96,6 +96,7 @@ Everything is namespaced under `/api/v1/`. `/api/*` outside the version prefix i
 | POST   | `/api/v1/auth/login`                                    | Same shape; rotates to a fresh session.                |
 | POST   | `/api/v1/auth/logout`                                   | Invalidates the session, clears the cookie.            |
 | GET    | `/api/v1/auth/me`                                       | Current user, or 401 if anonymous.                     |
+| PATCH  | `/api/v1/auth/me/password`                              | `{current_password,new_password}` → 401 on wrong current; on success deletes **all** of the user's sessions and mints a fresh one for the caller. Bot tokens stay (use DELETE /tokens/{id} to revoke). |
 | POST   | `/api/v1/auth/tokens`                                   | `{name}` → bot bearer token (returned once).           |
 | DELETE | `/api/v1/auth/tokens/{id}`                              | Revoke a bot token (owner-only).                       |
 | POST   | `/api/v1/mangas`                                        | Multipart: `metadata` JSON + optional `cover` image.   |