Add change password (Preferences > Change Password)

internal/api/handlers.go

@@ -92,6 +92,34 @@ func (s *Server) handleLogout(w http.ResponseWriter, r *http.Request) {
 	writeJSON(w, 200, map[string]string{"status": "ok"})
 }
 
+func (s *Server) handleChangePassword(w http.ResponseWriter, r *http.Request) {
+	var req struct {
+		CurrentPassword string `json:"current_password"`
+		NewPassword     string `json:"new_password"`
+	}
+	if err := decodeBody(r, &req); err != nil || req.CurrentPassword == "" || req.NewPassword == "" {
+		writeJSON(w, 400, map[string]string{"error": "current_password and new_password required"})
+		return
+	}
+
+	userID := getUserID(r)
+	var hash string
+	s.db.QueryRow("SELECT password_hash FROM users WHERE id = ?", userID).Scan(&hash)
+	if !auth.CheckPassword(hash, req.CurrentPassword) {
+		writeJSON(w, 401, map[string]string{"error": "current password is incorrect"})
+		return
+	}
+
+	newHash, err := auth.HashPassword(req.NewPassword)
+	if err != nil {
+		writeJSON(w, 500, map[string]string{"error": "failed to hash password"})
+		return
+	}
+
+	s.db.Exec("UPDATE users SET password_hash = ?, updated_at = datetime('now') WHERE id = ?", newHash, userID)
+	writeJSON(w, 200, map[string]string{"status": "password changed"})
+}
+
 // ─── Users ───────────────────────────────────────────────────────────────────
 
 func (s *Server) handleCreateUser(w http.ResponseWriter, r *http.Request) {

internal/api/router.go

@@ -27,6 +27,7 @@ func NewRouter(db *sql.DB, dataDir, secret string) http.Handler {
 	// Users (admin)
 	mux.HandleFunc("POST /api/users/create", s.requireAdmin(s.handleCreateUser))
 	mux.HandleFunc("POST /api/users/list", s.requireAdmin(s.handleListUsers))
+	mux.HandleFunc("POST /api/auth/change-password", s.requireAuth(s.handleChangePassword))
 
 	// Files
 	mux.HandleFunc("POST /api/files/list", s.requireAuth(s.handleListFiles))