Problem Statement
backend/app/routers/auth.py exposes /auth/signup, /auth/login, and /auth/me but
there is no endpoint for changing a password. A user who wants to rotate their credentials
after a compromise, or who simply wants to update their password, has no supported path to
do so — their only option is to create a new account with a different email.
Proposed Solution
Add a PATCH /auth/password endpoint (requires a valid JWT):
```python
from fastapi import Depends, HTTPException
from pydantic import BaseModel, Field
from sqlalchemy.orm import Session

from app.security import hash_password, verify_password  # existing helpers in backend/app/security.py
# `router`, `User`, `get_current_user` and `get_db` already exist in the project;
# their import paths are omitted here


class PasswordChangeRequest(BaseModel):
    current_password: str
    new_password: str = Field(..., min_length=8)


@router.patch("/password", status_code=204)
def change_password(
    payload: PasswordChangeRequest,
    current_user: User = Depends(get_current_user),
    db: Session = Depends(get_db),
):
    # Re-authenticate with the current password before accepting a new one,
    # so a valid JWT on its own is not enough to rotate the credential
    if not verify_password(payload.current_password, current_user.password_hash):
        raise HTTPException(status_code=400, detail="Current password is incorrect")
    current_user.password_hash = hash_password(payload.new_password)
    db.commit()
```
This is a self-contained change: no new models, no migrations (password_hash column already
exists), and it reuses the existing hash_password / verify_password helpers from
backend/app/security.py.
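To exercise the proposed checks without standing up FastAPI, here is an added example (not code from this project) that models the endpoint's logic as a plain function: hash_password / verify_password are PBKDF2 stand-ins for the project's helpers, and User and PasswordChangeError are hypothetical stand-ins for the ORM model and HTTPException.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 200_000  # PBKDF2 work factor for the stand-in hasher

# Stand-ins for hash_password / verify_password from backend/app/security.py (real ones may differ)
def hash_password(password: str) -> str:
    salt = os.urandom(16)
    return salt.hex() + "$" + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS).hex()

def verify_password(password: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time compare

@dataclass
class User:  # hypothetical stand-in for the ORM model; only password_hash matters here
    email: str
    password_hash: str

class PasswordChangeError(Exception):  # carries the HTTP status the endpoint would return
    def __init__(self, status_code: int, detail: str):
        super().__init__(detail)
        self.status_code = status_code

def change_password(user: User, current_password: str, new_password: str) -> None:
    # Field(..., min_length=8) in the schema rejects this before the handler runs (HTTP 422)
    if len(new_password) < 8:
        raise PasswordChangeError(422, "new_password must be at least 8 characters")
    # Re-authenticate with the current password: a valid JWT alone must not be enough to rotate
    if not verify_password(current_password, user.password_hash):
        raise PasswordChangeError(400, "Current password is incorrect")
    user.password_hash = hash_password(new_password)  # db.commit() would persist this

def demo() -> dict:
    user = User("alice@example.com", hash_password("old-secret-1"))  # constructed sample user
    results = {}
    for current, new, key in [("wrong-guess", "new-secret-22", "wrong_current"),
                              ("old-secret-1", "short", "too_short")]:
        try:
            change_password(user, current, new)
        except PasswordChangeError as err:
            results[key] = err.status_code
    change_password(user, "old-secret-1", "new-secret-22")
    results["old_still_valid"] = verify_password("old-secret-1", user.password_hash)
    results["new_valid"] = verify_password("new-secret-22", user.password_hash)
    return results
```

Running demo() shows the two rejection paths (400 for a wrong current password, 422 for a too-short new one) and that after a successful change the old password no longer verifies.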
Files affected
backend/app/routers/auth.py
backend/app/schemas.py (add PasswordChangeRequest)