
Overview

This endpoint allows authenticated users to change their password. It requires the current password for verification and a new password with confirmation.
This endpoint requires authentication. Include a valid JWT token in the Authorization header.
For security reasons, the current password must be provided and validated before the password can be changed.

Endpoint

PUT /user/password

Authentication

This endpoint requires authentication using a JWT Bearer token.
Authorization: Bearer {token}

Request Body

old_password (string, required)
The user's current password
  • Minimum length: 8 characters
  • Validation: Required, must match the user's current password
  • Custom Rule: CheckPasswordRule validates that this matches the current password in the database
password (string, required)
The new password
  • Minimum length: 8 characters
  • Validation: Required, must be confirmed
  • Security: Will be hashed using bcrypt before storage
password_confirmation (string, required)
Confirmation of the new password
  • Validation: Must match the password field exactly

Response

success (boolean, required)
Indicates whether the request was successful
message (string, required)
A message describing the result (localized based on the Accept-Language header)
data (null, required)
This endpoint does not return user data for security reasons; on success data is null. When validation fails, the 422 responses carry an errors object here instead (see Example Response).

Example Request

curl -X PUT https://api.servitech.com/en/user/password \
  -H "Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9..." \
  -H "Accept-Language: en" \
  -H "Content-Type: application/json" \
  -d '{
    "old_password": "currentPassword123",
    "password": "newSecurePassword456",
    "password_confirmation": "newSecurePassword456"
  }'

Example Response

200 - Success
{
  "success": true,
  "message": "Password updated successfully",
  "data": null
}
401 - Unauthorized
{
  "success": false,
  "message": "Unauthenticated",
  "data": null
}
422 - Validation Error (Invalid Current Password)
{
  "success": false,
  "message": "The given data was invalid",
  "data": {
    "errors": {
      "old_password": [
        "The current password is incorrect."
      ]
    }
  }
}
422 - Validation Error (Password Mismatch)
{
  "success": false,
  "message": "The given data was invalid",
  "data": {
    "errors": {
      "password": [
        "The password confirmation does not match."
      ]
    }
  }
}
422 - Validation Error (Password Too Short)
{
  "success": false,
  "message": "The given data was invalid",
  "data": {
    "errors": {
      "password": [
        "The password must be at least 8 characters."
      ],
      "old_password": [
        "The old password must be at least 8 characters."
      ]
    }
  }
}
500 - Server Error
{
  "success": false,
  "message": "An error occurred while updating the password",
  "data": null
}

Validation Rules

The following validation rules are applied to the request:
Field                   Rules                                   Description
old_password            required, min:8, CheckPasswordRule      Current password (must match existing password)
password                required, confirmed, min:8              New password (minimum 8 characters)
password_confirmation   required (implicit)                     Must match the password field
The CheckPasswordRule is a custom validation rule that verifies the provided old_password matches the user’s current password in the database.

Security Features

  1. Current Password Verification: The CheckPasswordRule custom validator ensures the user knows their current password
  2. Password Confirmation: The new password must be confirmed to prevent typos
  3. Bcrypt Hashing: The new password is hashed using bcrypt before being stored in the database
  4. Minimum Length: Both current and new passwords must be at least 8 characters
  5. No Password Return: For security, the response does not include the new password

Implementation Details

This endpoint is implemented in UserController.php:88 and uses the following:
  • Controller Method: UserController::updatePassword()
  • Request Validation: UpdatePasswordRequest (defined in app/Http/Requests/User/UpdatePasswordRequest.php:23)
  • Custom Validation Rule: CheckPasswordRule (validates current password)
  • Password Hashing: bcrypt() function (defined at UserController.php:97)
  • Authentication Guard: auth('api')
  • Route Name: user.password.update
Changing the password does not invalidate existing JWT tokens: any token issued before the change, including one obtained by an attacker, remains usable until it expires. Consider implementing token refresh or re-authentication (for example, rejecting tokens issued before the password change) for enhanced security.
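The validation rules above and the stale-token caveat, as an added framework-free PHP example (not the project's UserController, UpdatePasswordRequest or CheckPasswordRule): the $user array stands in for the database row, and the password_changed_at field and the JWT iat comparison are assumptions.

```php
<?php
// Added example (not the project's code): framework-free PHP stand-in for this
// endpoint's rules (required, min:8, confirmed, CheckPasswordRule), bcrypt hashing,
// and an assumed password_changed_at check that rejects JWTs issued before the change.
function validatePasswordChange(array $input, array $user): array
{
    $errors = [];
    foreach (['old_password', 'password', 'password_confirmation'] as $field) {
        if (!isset($input[$field]) || $input[$field] === '') {
            $errors[$field][] = "The {$field} field is required.";
        }
    }
    if ($errors) { return $errors; } // nothing further to check without all three fields
    if (mb_strlen($input['old_password']) < 8) {
        $errors['old_password'][] = 'The old password must be at least 8 characters.';
    } elseif (!password_verify($input['old_password'], $user['password'])) {
        // CheckPasswordRule: verify against the stored bcrypt hash in constant time
        $errors['old_password'][] = 'The current password is incorrect.';
    }
    if (mb_strlen($input['password']) < 8) {
        $errors['password'][] = 'The password must be at least 8 characters.';
    }
    if ($input['password'] !== $input['password_confirmation']) {
        $errors['password'][] = 'The password confirmation does not match.';
    }
    return $errors;
}
function updatePassword(array $input, array &$user, int $now): array
{
    $errors = validatePasswordChange($input, $user);
    if ($errors) {
        return ['status' => 422, 'success' => false,
            'message' => 'The given data was invalid', 'data' => ['errors' => $errors]];
    }
    $user['password'] = password_hash($input['password'], PASSWORD_BCRYPT);
    $user['password_changed_at'] = $now; // assumed column; lets stale tokens be rejected
    return ['status' => 200, 'success' => true,
        'message' => 'Password updated successfully', 'data' => null];
}
// Assumed guard: a JWT whose "iat" claim predates the last password change is stale.
function tokenStillValid(array $jwtClaims, array $user): bool
{
    return $jwtClaims['iat'] >= ($user['password_changed_at'] ?? 0);
}
// Constructed sample: $user is a stand-in for the database row.
$user = ['password' => password_hash('currentPassword123', PASSWORD_BCRYPT)];
$result = updatePassword(['old_password' => 'currentPassword123', 'password' => 'newSecurePassword456',
    'password_confirmation' => 'newSecurePassword456'], $user, 1700000100);
var_dump($result['status'], tokenStillValid(['iat' => 1700000000], $user));
```

The elseif on old_password keeps the length error alone when the value is too short, matching the "Password Too Short" 422 example; a token with iat earlier than password_changed_at is reported stale after the update.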
