feat: settings page exercises the password-change endpoint

The 0.10.0 backend endpoint had no UI caller — the audit flagged it as either-ship-a-form-or-remove-the-endpoint dead code. Shipping the form, plus the bearer-token-keeps-working regression test the audit asked for to pin the docstring contract. Backend: - New test change_password_via_bearer_leaves_bearer_working asserts that PATCH /me/password called with Authorization: Bearer wipes cookie sessions but leaves the bearer (api_token) intact and usable — matches the docstring claim that bot tokens are opt-in to revoke. Frontend: - lib/api/auth.ts: new changePassword(input) wrapping PATCH /v1/auth/me/password. Vitest covers happy 204, 401 unauthenticated (wrong current), 400 invalid_input (weak new) — same envelope parsing shape used elsewhere. - routes/settings/+page.svelte: minimal form with current / new / confirm fields, derived passwordsMatch + canSubmit guards (submit stays disabled until current is filled, new is ≥8 chars, new == confirm). Shows the API's message inline on failure. Documents the "other devices signed out, bot tokens stay" UX in a short hint. - routes/+layout.svelte: new "Settings" link in the session-aware nav (between username and Logout) for authed users only. - e2e/settings.spec.ts (5 cases): nav link reaches the form, successful change shows confirmation + clears the form, 401 surfaces inline, password mismatch keeps submit disabled, anonymous user gets a sign-in prompt instead of the form. Lockstep version bump to 0.11.0. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-17 00:16:21 +02:00
parent 49f6d4d213
commit c7cb689984
8 changed files with 390 additions and 2 deletions
--- a/frontend/src/lib/api/auth.test.ts
+++ b/frontend/src/lib/api/auth.test.ts
@@ -12,6 +12,7 @@ import {
    login,
    logout,
    me,
+    changePassword,
    createToken,
    deleteToken
 } from './auth';
@@ -110,6 +111,38 @@ describe('auth api client', () => {
        await expect(me()).rejects.toMatchObject({ status: 500 });
    });

+    it('changePassword PATCHes /v1/auth/me/password and handles 204', async () => {
+        fetchSpy.mockResolvedValueOnce(noContent());
+        await expect(
+            changePassword({
+                current_password: 'hunter2hunter2',
+                new_password: 'freshpassfreshpass'
+            })
+        ).resolves.toBeUndefined();
+        const url = fetchSpy.mock.calls[0][0] as string;
+        expect(url).toMatch(/\/v1\/auth\/me\/password$/);
+        const init = fetchSpy.mock.calls[0][1] as RequestInit;
+        expect(init.method).toBe('PATCH');
+        expect(JSON.parse(init.body as string)).toEqual({
+            current_password: 'hunter2hunter2',
+            new_password: 'freshpassfreshpass'
+        });
+    });
+
+    it('changePassword surfaces 401 (wrong current) via ApiError', async () => {
+        fetchSpy.mockResolvedValueOnce(envelope(401, 'unauthenticated', 'unauthenticated'));
+        await expect(
+            changePassword({ current_password: 'wrong', new_password: 'freshpassfreshpass' })
+        ).rejects.toMatchObject({ status: 401, code: 'unauthenticated' });
+    });
+
+    it('changePassword surfaces 400 (weak new) via ApiError', async () => {
+        fetchSpy.mockResolvedValueOnce(envelope(400, 'invalid_input', 'password must be at least 8 characters'));
+        await expect(
+            changePassword({ current_password: 'hunter2hunter2', new_password: 'short' })
+        ).rejects.toMatchObject({ status: 400, code: 'invalid_input' });
+    });
+
    it('createToken POSTs to /v1/auth/tokens and returns CreatedToken with bearer', async () => {
        fetchSpy.mockResolvedValueOnce(
            ok(
--- a/frontend/src/lib/api/auth.ts
+++ b/frontend/src/lib/api/auth.ts
@@ -35,6 +35,28 @@ export async function logout(): Promise<void> {
    await request<void>('/v1/auth/logout', { method: 'POST' });
 }

+export type ChangePassword = {
+    current_password: string;
+    new_password: string;
+};
+
+/**
+ * Rotates the password. Backend signs out every other session for this
+ * user and mints a fresh cookie for the caller (returned as Set-Cookie,
+ * applied automatically by the browser). Bot tokens are left alone.
+ *
+ * Throws ApiError with `status=401, code='unauthenticated'` for wrong
+ * `current_password`; `status=400, code='invalid_input'` for a weak new
+ * password.
+ */
+export async function changePassword(input: ChangePassword): Promise<void> {
+    await request<void>('/v1/auth/me/password', {
+        method: 'PATCH',
+        headers: { 'content-type': 'application/json' },
+        body: JSON.stringify(input)
+    });
+}
+
 /**
 * Returns the current user, or `null` if no valid session.
 * Re-throws any non-401 error.