feat(settings): add Security section with change password form (task 12.2)

- Add GET /api/auth/profile endpoint to expose user provider info - Settings page fetches provider on load to detect credentials vs OAuth - Credentials users: change password form (current/new/confirm) calling PUT /api/auth/password - OAuth (Google) users: "Signed in via Google — password cannot be changed" message - Client-side validation: min 8 chars, passwords-must-match before API call - Success and error feedback displayed inline in the Security card Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-20 13:35:19 +01:00 · 2026-02-20 13:35:19 +01:00 · 64b3bfd0d4
commit 64b3bfd0d4
parent 9514a987e3
3 changed files with 228 additions and 12 deletions
--- a/src/app/api/auth/profile/route.ts
+++ b/src/app/api/auth/profile/route.ts
@ -4,6 +4,30 @@ import { db } from '@/lib/db';
 import { users } from '@/lib/db/schema';
 import { getAuthUser } from '@/lib/auth';

+export async function GET() {
+  const user = await getAuthUser();
+  if (!user) {
+    return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+  }
+
+  const [dbUser] = await db
+    .select({
+      id: users.id,
+      email: users.email,
+      name: users.name,
+      provider: users.provider,
+    })
+    .from(users)
+    .where(eq(users.id, user.id))
+    .limit(1);
+
+  if (!dbUser) {
+    return NextResponse.json({ error: 'User not found' }, { status: 404 });
+  }
+
+  return NextResponse.json(dbUser, { status: 200 });
+}
+
 export async function PUT(request: NextRequest) {
  // Get authenticated user
  const user = await getAuthUser();