c7cb689984
The 0.10.0 backend endpoint had no UI caller — the audit flagged it as either-ship-a-form-or-remove-the-endpoint dead code. Shipping the form, plus the bearer-token-keeps-working regression test the audit asked for to pin the docstring contract. Backend: - New test change_password_via_bearer_leaves_bearer_working asserts that PATCH /me/password called with Authorization: Bearer wipes cookie sessions but leaves the bearer (api_token) intact and usable — matches the docstring claim that bot tokens are opt-in to revoke. Frontend: - lib/api/auth.ts: new changePassword(input) wrapping PATCH /v1/auth/me/password. Vitest covers happy 204, 401 unauthenticated (wrong current), 400 invalid_input (weak new) — same envelope parsing shape used elsewhere. - routes/settings/+page.svelte: minimal form with current / new / confirm fields, derived passwordsMatch + canSubmit guards (submit stays disabled until current is filled, new is ≥8 chars, new == confirm). Shows the API's message inline on failure. Documents the "other devices signed out, bot tokens stay" UX in a short hint. - routes/+layout.svelte: new "Settings" link in the session-aware nav (between username and Logout) for authed users only. - e2e/settings.spec.ts (5 cases): nav link reaches the form, successful change shows confirmation + clears the form, 401 surfaces inline, password mismatch keeps submit disabled, anonymous user gets a sign-in prompt instead of the form. Lockstep version bump to 0.11.0. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
18 KiB
18 KiB