feat(auth): add password change endpoint#20
Conversation
* feature/swagger-edit-usermetadata: (29 commits)
  chore: update usermetadata for swagger v1.0.0-alpha.4
  chore: update user response dto v1.0.0-alpha.3
  chore: add type string to array
  chore: bump version to 1.0.0-alpha.2
  chore: update versions
  chore: update yarn
  chore: update invitation acceptance validations
  chore: linting
  chore: improve security on invitation flow
  chore: update for test:ci
  chore: codacy update
  chore: update versions
  chore: lint
  chore: fix tests
  chore: codacy lint
  chore: linting
  chore: update usermetadata
  chore: linting
  ...

  Conflicts:
    examples/sample-server-auth/package.json
    examples/sample-server-auth/src/modules/user/dto/user-create.dto.ts
    examples/sample-server-auth/src/modules/user/dto/user-update.dto.ts
    examples/sample-server-auth/src/modules/user/dto/user.dto.ts
    examples/sample-server-auth/yarn.lock
    examples/sample-server/package.json
    examples/sample-server/yarn.lock
    lerna.json
    packages/rockets-server-auth/package.json
    packages/rockets-server-auth/src/domains/invitation/__tests__/invitation-flow.e2e-spec.ts
    packages/rockets-server-auth/src/domains/invitation/controllers/invitation.controller.ts
    packages/rockets-server-auth/src/domains/invitation/dto/rockets-auth-invitation-revoke.dto.ts
    packages/rockets-server-auth/src/domains/invitation/index.ts
    packages/rockets-server-auth/src/domains/invitation/interfaces/invitation-acceptance-data.interface.ts
    packages/rockets-server-auth/src/domains/role/services/rockets-auth-role.service.ts
    packages/rockets-server-auth/src/domains/user/modules/rockets-auth-signup.module.ts
    packages/rockets-server-auth/src/generate-swagger.ts
    packages/rockets-server-auth/src/shared/interfaces/rockets-auth-options-extras.interface.ts
    packages/rockets-server/package.json
    yarn.lock
To view this pull request's documentation preview, visit the following URL: Documentation is deployed and generated using docs.page.
Pull request overview
Adds an authenticated “change my password” endpoint to rockets-server-auth and expands configurability/Swagger metadata across packages.
Changes:
- Introduces MePasswordController (+ DTO + unit tests) and wires it into controller creation with a disable flag.
- Enhances controller creation in rockets-server to support disabling specific controllers via extras.
- Updates Swagger/DTO metadata and bumps package versions / example lockfiles.
Reviewed changes
Copilot reviewed 31 out of 35 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| packages/rockets-server/src/rockets.module-definition.ts | Adds controller selection logic with disableController support. |
| packages/rockets-server/src/rockets.module-definition.spec.ts | Unit tests for controller selection/disable behavior. |
| packages/rockets-server/src/modules/user/user.dto.ts | Updates user roles Swagger shape (userRoles) and supporting DTOs. |
| packages/rockets-server/src/interfaces/rockets-options-extras.interface.ts | Adds disableController options interface and docs. |
| packages/rockets-server/src/index.ts | Re-exports new extras interface types. |
| packages/rockets-server/package.json | Version bump. |
| packages/rockets-server-auth/swagger/swagger.json | Regenerated/expanded Swagger output. |
| packages/rockets-server-auth/src/shared/interfaces/rockets-auth-options-extras.interface.ts | Adds mePassword controller disable flag. |
| packages/rockets-server-auth/src/rockets-auth.module-definition.ts | Registers MePasswordController based on disable flags. |
| packages/rockets-server-auth/src/rockets-auth.module-definition.spec.ts | Updates expected controller lists to include MePasswordController. |
| packages/rockets-server-auth/src/generate-swagger.ts | Expands Swagger generation model/DTO setup for user metadata and invitations. |
| packages/rockets-server-auth/src/domains/user/modules/rockets-auth-admin.relations.e2e-spec.ts | Adjusts e2e expectations around metadata validation (null vs empty string). |
| packages/rockets-server-auth/src/domains/user/dto/rockets-auth-user.dto.ts | Adds userMetadata Swagger decorators on base user DTO. |
| packages/rockets-server-auth/src/domains/user/dto/rockets-auth-user-update.dto.ts | Documentation update for overriding userMetadata. |
| packages/rockets-server-auth/src/domains/user/dto/rockets-auth-user-create.dto.ts | Documentation update for overriding userMetadata. |
| packages/rockets-server-auth/src/domains/auth/index.ts | Exports new controller + change-password DTO. |
| packages/rockets-server-auth/src/domains/auth/dto/rockets-auth-change-password.dto.ts | New DTO for authenticated password change. |
| packages/rockets-server-auth/src/domains/auth/controllers/me-password.controller.ts | New /me/password endpoint implementation. |
| packages/rockets-server-auth/src/domains/auth/controllers/me-password.controller.spec.ts | Unit tests for password change flow. |
| packages/rockets-server-auth/src/fixtures/user/dto/rockets-auth-user-metadata.dto.fixture.ts | Updates fixture metadata typing (nullable lastName). |
| packages/rockets-server-auth/src/fixtures/admin/app-module-admin-relations.fixture.ts | Switches admin-relations fixture to use fixture DTOs. |
| packages/rockets-server-auth/package.json | Version bump. |
| package.json | Adds lodash dependency. |
| lerna.json | Monorepo version bump. |
| examples/sample-server/yarn.lock | Lockfile updates for bumped workspace package versions. |
| examples/sample-server/package.json | Adds NestJS resolutions for examples. |
| examples/sample-server-auth/yarn.lock | Lockfile updates for bumped workspace package versions. |
| examples/sample-server-auth/src/modules/user/dto/user.dto.ts | Updates user DTO override pattern for userMetadata. |
| examples/sample-server-auth/src/modules/user/dto/user-update.dto.ts | Updates user update DTO override pattern for userMetadata. |
| examples/sample-server-auth/src/modules/user/dto/user-create.dto.ts | Updates user create DTO override pattern for userMetadata. |
| examples/sample-server-auth/package.json | Adds/extends dependency resolutions (and lodash). |
| .gitignore | Ignores generated SDK output folders. |
| .cursor/rules/testing.mdc | Adds Cursor “testing rules” guidance file. |
| .claude/settings.local.json | Expands allowed bash commands in Claude settings. |
```typescript
@Controller('me')
@ApiTags('Me')
@ApiBearerAuth()
export class MePasswordController {
  private readonly logger = new Logger(MePasswordController.name);

  constructor(
    @Inject(UserPasswordService)
    private readonly userPasswordService: UserPasswordService,
    @Inject(PasswordValidationService)
    private readonly passwordValidationService: PasswordValidationService,
  ) {}

  @Patch('password')
  @HttpCode(200)
  @Throttle({ default: { limit: 5, ttl: 60000 } })
  @ApiOperation({
    summary: 'Change password',
    description:
      'Allows authenticated user to change their own password by providing current and new password',
    operationId: 'changeMyPassword',
  })
  @ApiBody({
    type: RocketsAuthChangePasswordDto,
    description: 'Current and new password',
    examples: {
      standard: {
        value: {
          currentPassword: 'CurrentP@ssw0rd',
          newPassword: 'NewSecureP@ssw0rd',
        },
        summary: 'Standard password change',
      },
    },
  })
  @ApiOkResponse({
    description: 'Password changed successfully',
  })
  @ApiUnauthorizedResponse({
    description: 'Invalid current password or authentication token',
  })
  @ApiBadRequestResponse({
    description: 'New password does not meet requirements',
  })
  async changePassword(
    @AuthUser() user: RocketsAuthUserInterface,
    @Body() changePasswordDto: RocketsAuthChangePasswordDto,
  ): Promise<void> {
```
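Review bot: the response documentation on `changePassword` is incomplete and partly ambiguous. `@Throttle({ default: { limit: 5, ttl: 60000 } })` means the limiter will answer with 429 after five attempts per minute, but there is no `@ApiTooManyRequestsResponse` for it, so Swagger consumers never see that outcome; add one alongside the existing `@ApiOkResponse` / `@ApiUnauthorizedResponse` / `@ApiBadRequestResponse`. Separately, `@ApiUnauthorizedResponse({ description: 'Invalid current password or authentication token' })` folds two different failures into one description: a caller with no valid bearer token and an authenticated user who failed re-verification of the current password. Whatever status the implementation uses for the second case, document it as its own response entry with a stable, non-revealing message so clients and monitoring can distinguish an unauthenticated call from a failed password re-check.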
MePasswordController does not apply any auth guard (e.g., AuthJwtGuard) and the rockets-auth module explicitly notes it doesn’t register a global AuthGuard. As a result, @AuthUser() will be undefined unless the host app adds a global/controller guard, leading to runtime errors on user.id and leaving the route effectively unauthenticated by default. Add an explicit JWT/auth guard on this controller/route (or wire enableGlobalJWTGuard into module providers) to ensure /me/password is protected.
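The comment above describes what happens when nothing populates `@AuthUser()`: the handler dereferences `user.id` on `undefined`. The following is an added example written for this review, not code from the rockets-server-auth PR or the project: a framework-free model of the checks a "change my password" handler has to make, arranged so that a missing guard surfaces as a 401 rather than a crash, the current password is re-verified in constant time before anything changes, and the new password is policy-checked. The `AuthUser` and `ChangePasswordDto` types, the `meetsPolicy` rule set, and the in-memory `makeUser` store are assumptions standing in for `RocketsAuthUserInterface`, `RocketsAuthChangePasswordDto`, `PasswordValidationService` and `UserPasswordService`; the sample passwords are the ones from the Swagger example in the diff.

```typescript
// Added example for this review thread, not code from the rockets-server-auth PR.
// Types below stand in for RocketsAuthUserInterface and RocketsAuthChangePasswordDto
// (assumed shapes, not the project's).
import { scryptSync, randomBytes, timingSafeEqual } from 'crypto';

interface AuthUser {
  id: string;
  passwordSalt: string; // hex
  passwordHash: string; // hex-encoded scrypt output
}

interface ChangePasswordDto {
  currentPassword: string;
  newPassword: string;
}

// Mirrors the three outcomes documented on the endpoint: 200, 401, 400.
export type ChangeResult =
  | { status: 200 }
  | { status: 400 | 401; reason: string };

const KEY_LEN = 64;

export function hashPassword(
  password: string,
  salt: string = randomBytes(16).toString('hex'),
): { salt: string; hash: string } {
  return { salt, hash: scryptSync(password, salt, KEY_LEN).toString('hex') };
}

// Constant-time comparison: a wrong current password costs the same as a right one.
export function verifyPassword(password: string, salt: string, expectedHex: string): boolean {
  const actual = scryptSync(password, salt, KEY_LEN);
  const expected = Buffer.from(expectedHex, 'hex');
  return actual.length === expected.length && timingSafeEqual(actual, expected);
}

// Minimal policy standing in for PasswordValidationService (assumed rule set:
// 12+ chars with lower, upper, digit and symbol).
export function meetsPolicy(pw: string): boolean {
  return pw.length >= 12
    && /[a-z]/.test(pw) && /[A-Z]/.test(pw)
    && /[0-9]/.test(pw) && /[^A-Za-z0-9]/.test(pw);
}

// Constructed in-memory user; a real implementation would load it by user.id.
export function makeUser(id: string, password: string): AuthUser {
  const { salt, hash } = hashPassword(password);
  return { id, passwordSalt: salt, passwordHash: hash };
}

// The handler. `user` is undefined exactly when no guard populated @AuthUser(),
// so that case is answered with 401 instead of throwing on `user.id`.
export function changePassword(user: AuthUser | undefined, dto: ChangePasswordDto): ChangeResult {
  if (!user) {
    return { status: 401, reason: 'no authenticated user' };
  }
  // Re-verify the current password rather than trusting the bearer session alone.
  if (!verifyPassword(dto.currentPassword, user.passwordSalt, user.passwordHash)) {
    return { status: 401, reason: 'invalid current password' };
  }
  if (!meetsPolicy(dto.newPassword)) {
    return { status: 400, reason: 'new password does not meet requirements' };
  }
  if (dto.newPassword === dto.currentPassword) {
    return { status: 400, reason: 'new password must differ from current password' };
  }
  // Only now is state mutated: fresh salt, fresh hash.
  const next = hashPassword(dto.newPassword);
  user.passwordSalt = next.salt;
  user.passwordHash = next.hash;
  return { status: 200 };
}
```

The ordering matters: authentication is checked before the current password, the current password before the policy check, and nothing is written until every check passes, so a request that fails at any stage leaves the stored credential untouched.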
* main: feat(auth): add password change endpoint (btwld#20)
Summary
Test plan