sessionTenant->identifier(); $identifier = $this->sessionIdentity->mailAddress(); if ($tenantId === null || $identifier === null) { return new JsonResponse(['error' => 'Invalid session state'], 400); } $credential = $this->credentialStore->fetchByIdentifier($tenantId, $identifier); if (!$credential) { return new JsonResponse(['error' => 'No password set'], 400); } if (!$this->crypto->verifyPassword($current_password, $credential['secret'])) { return new JsonResponse(['error' => 'Invalid current password'], 400); } $newHash = $this->crypto->hashPassword($new_password); $this->credentialStore->updateSecret($tenantId, $identifier, $newHash); return new JsonResponse(['success' => true]); } /** * Admin endpoint: Get credential status for a user */ #[AuthenticatedRoute('/admin/status/{uid}', name: 'password.admin.status', methods: ['GET'])] public function getStatus(string $uid): JsonResponse { $tenantId = $this->sessionTenant->identifier(); if ($tenantId === null) { return new JsonResponse(['error' => 'Invalid session state'], 400); } // TODO: Add permission check for admin operations $hasCredentials = $this->provider->hasCredentials($tenantId, $uid); return new JsonResponse([ 'enrolled' => $hasCredentials, 'provider' => 'password', ]); } /** * Admin endpoint: Set/reset user password */ #[AuthenticatedRoute('/admin/reset', name: 'password.admin.reset', methods: ['POST'])] public function adminReset(string $uid, string $password): JsonResponse { $tenantId = $this->sessionTenant->identifier(); if ($tenantId === null) { return new JsonResponse(['error' => 'Invalid session state'], 400); } // TODO: Add permission check for admin operations if (strlen($password) < 8) { return new JsonResponse(['error' => 'Password must be at least 8 characters'], 400); } $success = $this->provider->setCredential($tenantId, $uid, $password); if (!$success) { return new JsonResponse(['error' => 'Failed to set password'], 500); } return new JsonResponse(['success' => true]); } /** * Admin endpoint: Remove user password */ #[AuthenticatedRoute('/admin/remove/{uid}', name: 'password.admin.remove', methods: ['DELETE'])] public function adminRemove(string $uid): JsonResponse { $tenantId = $this->sessionTenant->identifier(); if ($tenantId === null) { return new JsonResponse(['error' => 'Invalid session state'], 400); } // TODO: Add permission check for admin operations $this->credentialStore->delete($tenantId, $uid); return new JsonResponse(['success' => true]); } }