feat: add change password endpoint for authenticated users

- Implemented PUT /api/auth/email/change-password to allow users to change their password.
- Added request validation using Zod schema for current and new passwords.
- Integrated password hashing and verification using Argon2.
- Created comprehensive error handling for various scenarios (e.g., incorrect current password, unauthorized access).
- Added OpenAPI documentation for the new endpoint in api-spec.json and api-spec.yaml.
- Developed end-to-end tests for the password change functionality.
- Created unit tests for the change password route to ensure proper functionality and error handling.

Author: Lasim

services/backend/api-spec.json

@@ -6237,6 +6237,178 @@
         }
       }
     },
+    "/api/auth/email/change-password": {
+      "put": {
+        "summary": "Change user password",
+        "tags": [
+          "Authentication"
+        ],
+        "description": "Allows authenticated users to change their password by providing their current password and a new password. Requires an active session.",
+        "requestBody": {
+          "content": {
+            "application/json": {
+              "schema": {
+                "type": "object",
+                "properties": {
+                  "current_password": {
+                    "type": "string",
+                    "minLength": 1
+                  },
+                  "new_password": {
+                    "type": "string",
+                    "minLength": 8,
+                    "maxLength": 100
+                  }
+                },
+                "required": [
+                  "current_password",
+                  "new_password"
+                ],
+                "additionalProperties": false
+              }
+            }
+          },
+          "required": true
+        },
+        "security": [
+          {
+            "cookieAuth": []
+          }
+        ],
+        "responses": {
+          "200": {
+            "description": "Password changed successfully",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean",
+                      "description": "Indicates if the password change was successful"
+                    },
+                    "message": {
+                      "type": "string",
+                      "description": "Success message"
+                    }
+                  },
+                  "required": [
+                    "success",
+                    "message"
+                  ],
+                  "additionalProperties": false,
+                  "description": "Password changed successfully"
+                }
+              }
+            }
+          },
+          "400": {
+            "description": "Bad Request - Invalid input or incorrect current password",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean",
+                      "description": "Indicates if the operation was successful (false for errors)",
+                      "default": false
+                    },
+                    "error": {
+                      "type": "string",
+                      "description": "Error message describing what went wrong"
+                    }
+                  },
+                  "required": [
+                    "error"
+                  ],
+                  "additionalProperties": false,
+                  "description": "Bad Request - Invalid input or incorrect current password"
+                }
+              }
+            }
+          },
+          "401": {
+            "description": "Unauthorized - Authentication required",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean",
+                      "description": "Indicates if the operation was successful (false for errors)",
+                      "default": false
+                    },
+                    "error": {
+                      "type": "string",
+                      "description": "Error message describing what went wrong"
+                    }
+                  },
+                  "required": [
+                    "error"
+                  ],
+                  "additionalProperties": false,
+                  "description": "Unauthorized - Authentication required"
+                }
+              }
+            }
+          },
+          "403": {
+            "description": "Forbidden - Cannot change password for non-email users",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean",
+                      "description": "Indicates if the operation was successful (false for errors)",
+                      "default": false
+                    },
+                    "error": {
+                      "type": "string",
+                      "description": "Error message describing what went wrong"
+                    }
+                  },
+                  "required": [
+                    "error"
+                  ],
+                  "additionalProperties": false,
+                  "description": "Forbidden - Cannot change password for non-email users"
+                }
+              }
+            }
+          },
+          "500": {
+            "description": "Internal Server Error - Password change failed",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "type": "object",
+                  "properties": {
+                    "success": {
+                      "type": "boolean",
+                      "description": "Indicates if the operation was successful (false for errors)",
+                      "default": false
+                    },
+                    "error": {
+                      "type": "string",
+                      "description": "Error message describing what went wrong"
+                    }
+                  },
+                  "required": [
+                    "error"
+                  ],
+                  "additionalProperties": false,
+                  "description": "Internal Server Error - Password change failed"
+                }
+              }
+            }
+          }
+        }
+      }
+    },
     "/api/auth/github/login": {
       "get": {
         "summary": "Initiate GitHub OAuth login",

services/backend/api-spec.yaml

@@ -4352,6 +4352,124 @@ paths:
                   - error
                 additionalProperties: false
                 description: Internal Server Error - An unexpected error occurred on the server.
+  /api/auth/email/change-password:
+    put:
+      summary: Change user password
+      tags:
+        - Authentication
+      description: Allows authenticated users to change their password by providing
+        their current password and a new password. Requires an active session.
+      requestBody:
+        content:
+          application/json:
+            schema:
+              type: object
+              properties:
+                current_password:
+                  type: string
+                  minLength: 1
+                new_password:
+                  type: string
+                  minLength: 8
+                  maxLength: 100
+              required:
+                - current_password
+                - new_password
+              additionalProperties: false
+        required: true
+      security:
+        - cookieAuth: []
+      responses:
+        "200":
+          description: Password changed successfully
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  success:
+                    type: boolean
+                    description: Indicates if the password change was successful
+                  message:
+                    type: string
+                    description: Success message
+                required:
+                  - success
+                  - message
+                additionalProperties: false
+                description: Password changed successfully
+        "400":
+          description: Bad Request - Invalid input or incorrect current password
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  success:
+                    type: boolean
+                    description: Indicates if the operation was successful (false for errors)
+                    default: false
+                  error:
+                    type: string
+                    description: Error message describing what went wrong
+                required:
+                  - error
+                additionalProperties: false
+                description: Bad Request - Invalid input or incorrect current password
+        "401":
+          description: Unauthorized - Authentication required
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  success:
+                    type: boolean
+                    description: Indicates if the operation was successful (false for errors)
+                    default: false
+                  error:
+                    type: string
+                    description: Error message describing what went wrong
+                required:
+                  - error
+                additionalProperties: false
+                description: Unauthorized - Authentication required
+        "403":
+          description: Forbidden - Cannot change password for non-email users
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  success:
+                    type: boolean
+                    description: Indicates if the operation was successful (false for errors)
+                    default: false
+                  error:
+                    type: string
+                    description: Error message describing what went wrong
+                required:
+                  - error
+                additionalProperties: false
+                description: Forbidden - Cannot change password for non-email users
+        "500":
+          description: Internal Server Error - Password change failed
+          content:
+            application/json:
+              schema:
+                type: object
+                properties:
+                  success:
+                    type: boolean
+                    description: Indicates if the operation was successful (false for errors)
+                    default: false
+                  error:
+                    type: string
+                    description: Error message describing what went wrong
+                required:
+                  - error
+                additionalProperties: false
+                description: Internal Server Error - Password change failed
   /api/auth/github/login:
     get:
       summary: Initiate GitHub OAuth login

services/backend/src/hooks/authHook.ts

@@ -1,4 +1,4 @@
-import type { FastifyRequest, FastifyReply, HookHandlerDoneFunction } from 'fastify';
+import type { FastifyRequest, FastifyReply } from 'fastify';
 import { getLucia } from '../lib/lucia';
 import { getDbStatus, getSchema, getDb } from '../db';
 import { eq } from 'drizzle-orm';
@@ -127,12 +127,11 @@ export async function authHook(
 // Example of a hook that requires authentication
 export async function requireAuthHook(
   request: FastifyRequest,
-  reply: FastifyReply,
-  done: HookHandlerDoneFunction
+  reply: FastifyReply
 ) {
   // This hook assumes authHook has already run and populated request.user/session
   if (!request.user || !request.session) {
     return reply.status(401).send({ error: 'Unauthorized: Authentication required.' });
   }
-  return done();
+  // No need to call done() in modern Fastify async hooks
 }