Add change-password API and dynamic 404 redirect

Introduce ChangePasswordRequest DTO and a new ChangePassword endpoint in AuthController that validates input, changes the user's password via UserManager, updates the security stamp, signs out the user to invalidate sessions, and returns localized messages. Add a simple authorized AppUserController stub (GET /auth/user). Update the 404 view to resolve auth status via fetchCurrentUser, show a dynamic CTA/icon (Dashboard vs Home), auto-redirect after a short delay with proper timer cleanup, and adjust navigation behavior. Update codexInfo.md to document the 404 behavior change.
2026-04-20 19:39:43 +02:00
parent f830fe4967
commit bd261b6868
5 changed files with 146 additions and 6 deletions
@@ -67,5 +67,51 @@ namespace API.Controllers.Auth
                MustChangePassword = user.MustChangePassword
            });
        }
+
+        [HttpPost("password")]
+        [Authorize]
+        public async Task<IActionResult> ChangePassword([FromBody] ChangePasswordRequest pwChangeDto)
+        {
+            var user = await userManager.GetUserAsync(User);
+            if (user is null)
+                return Unauthorized();
+
+            if (string.IsNullOrWhiteSpace(pwChangeDto.NewPassword) ||
+                string.IsNullOrWhiteSpace(pwChangeDto.OldPassword) ||
+                string.IsNullOrWhiteSpace(pwChangeDto.NewPasswordConfirm))
+            {
+                return BadRequest(new { message = "Alle Passwörter müssen einen Wert enthalten." });
+            }
+
+            if (pwChangeDto.NewPassword != pwChangeDto.NewPasswordConfirm)
+            {
+                return BadRequest(new { message = "Die neuen Passwörter stimmen nicht überein." });
+            }
+
+            var result = await userManager.ChangePasswordAsync(
+                user,
+                pwChangeDto.OldPassword,
+                pwChangeDto.NewPassword
+            );
+
+            if (!result.Succeeded)
+            {
+                return BadRequest(new
+                {
+                    message = "Passwort konnte nicht geändert werden.",
+                    errors = result.Errors.Select(e => e.Description)
+                });
+            }
+
+            var stampResult = await userManager.UpdateSecurityStampAsync(user);
+            if (!stampResult.Succeeded)
+            {
+                return StatusCode(500, new { message = "Passwort geändert, aber Sessions konnten nicht invalidiert werden." });
+            }
+
+            await signInManager.SignOutAsync();
+
+            return Ok(new { message = "Passwort geändert. Du wurdest auf allen Geräten abgemeldet." });
+        }
    }
-}
+}