feat(auth): add POST /api/auth/change-password endpoint

API/ROLAC.API/Controllers/AuthController.cs

@@ -154,6 +154,38 @@ public class AuthController : ControllerBase
         return NoContent();
     }
 
+    // -------------------------------------------------------------------------
+    // POST /api/auth/change-password
+    // -------------------------------------------------------------------------
+
+    /// <summary>
+    /// Changes the current user's password. Requires the correct current password and a
+    /// new password meeting the configured policy. On success the user's *other* sessions
+    /// are revoked while the current session stays active.
+    /// </summary>
+    [HttpPost("change-password")]
+    [Authorize]
+    [ProducesResponseType(StatusCodes.Status204NoContent)]
+    [ProducesResponseType(StatusCodes.Status400BadRequest)]
+    public async Task<IActionResult> ChangePassword([FromBody] ChangePasswordRequest request)
+    {
+        var userId = User.FindFirstValue(ClaimTypes.NameIdentifier) ?? User.FindFirstValue("sub");
+        if (string.IsNullOrEmpty(userId))
+            return Unauthorized();
+
+        var currentRefresh = Request.Cookies[CookieName];
+        var result = await _authService.ChangePasswordAsync(
+            userId, request.CurrentPassword, request.NewPassword, currentRefresh);
+
+        if (!result.Succeeded)
+            return BadRequest(new
+            {
+                message = string.Join(" ", result.Errors.Select(error => error.Description)),
+            });
+
+        return NoContent();
+    }
+
     // -------------------------------------------------------------------------
     // Private helpers
     // -------------------------------------------------------------------------