From d090ff44f20151cabdbb87de8253ccc2d3023f0a Mon Sep 17 00:00:00 2001
From: makearmy
Date: Tue, 30 Sep 2025 22:45:42 -0400
Subject: [PATCH] change password bug fix

---
 app/api/account/password/route.ts | 29 +++++++++++++++--------------
 1 file changed, 15 insertions(+), 14 deletions(-)

diff --git a/app/api/account/password/route.ts b/app/api/account/password/route.ts
index 046584a6..954473ea 100644
--- a/app/api/account/password/route.ts
+++ b/app/api/account/password/route.ts
@@ -18,8 +18,8 @@ async function handle(req: Request) {
 if (!current || !next) return bad("Missing current and/or new password");
 if (next.length < 8) return bad("Password must be at least 8 characters");

- // 1) Load the current user to get email + provider
- const meRes = await fetch(`${API}/users/me?fields=id,email,provider`, {
+ // 1) Load current user to get provider + identifiers
+ const meRes = await fetch(`${API}/users/me?fields=id,email,username,provider`, {
 headers: { Authorization: `Bearer ${bearer}`, Accept: "application/json" },
 cache: "no-store",
 });
@@ -31,15 +31,9 @@ async function handle(req: Request) {
 );
 }

- const email: string | undefined = me?.data?.email ?? me?.email;
 const provider: string = me?.data?.provider ?? me?.provider ?? "local";
-
- if (!email) {
- return NextResponse.json(
- { error: "User email not available", debug: "users/me returned no email" },
- { status: 400 }
- );
- }
+ const email: string | undefined = me?.data?.email ?? me?.email ?? undefined;
+ const username: string | undefined = me?.data?.username ?? me?.username ?? undefined;

 if (provider !== "local") {
 return NextResponse.json(
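Review bot: In the first hunk, adding `username` to the `fields` list on `/users/me` makes the whole read depend on that field existing and being readable by the caller's role. As far as I know Directus rejects a request that names a field the role cannot see rather than omitting it, so a missing permission would fail this route before the password check is reached. `username` appears nowhere else in this hunk, so please confirm it is a real field on the users collection and that its values are unique, since a later hunk uses it as a login identifier. I would add a comment above the fetch, `// needs read access to 'username' for every role that may call this route`. The enclosing `handle` function starts and ends outside the hunk.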
@@ -48,15 +42,22 @@ async function handle(req: Request) {
 );
 }

- // 2) Verify the CURRENT password by logging in to Directus
- const auth = await loginDirectus(email, current).catch(() => null);
+ // 2) Verify CURRENT password by logging in with email OR username
+ const identifier = email || username;
+ if (!identifier) {
+ return NextResponse.json(
+ { error: "No login identifier available for this user", debug: "missing email and username" },
+ { status: 400 }
+ );
+ }
+
+ const auth = await loginDirectus(identifier, current).catch(() => null);
 const access = auth?.access_token ?? auth?.data?.access_token;
 if (!access) {
- // We’ve confirmed the “current” really doesn’t match
 return NextResponse.json({ error: "Current password is incorrect" }, { status: 401 });
 }

- // 3) Update password using ONLY the 'password' field (avoid non-existent keys)
+ // 3) Update password using ONLY the 'password' field
 const patchRes = await fetch(`${API}/users/me`, {
 method: "PATCH",
 headers: {
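Review bot: The re-authentication in step 2 is no longer tied to the account behind `bearer`: with `identifier = email || username`, the login proves the password of whichever account `loginDirectus` resolves that string to, and nothing in the hunk compares that account with `me`. Whether `username` is unique, or could collide with another user's email, is not visible here, so I would compare the user id of the fresh session with the id loaded in step 1 before the PATCH, as sketched below. Separately, `.catch(() => null)` reports every login failure, such as an upstream outage, as "Current password is incorrect"; logging the caught error server-side would keep those cases apart. `loginDirectus` and the rest of the PATCH call are outside the hunk.

```typescript
// … unchanged: loginDirectus call and the `!access` check …

// The fresh session must belong to the same user as `bearer`.
const verifyRes = await fetch(`${API}/users/me?fields=id`, {
    headers: { Authorization: `Bearer ${access}`, Accept: "application/json" },
    cache: "no-store",
});
const verified = verifyRes.ok ? await verifyRes.json().catch(() => null) : null;
const callerId = me?.data?.id ?? me?.id;
const verifiedId = verified?.data?.id ?? verified?.id;
if (!callerId || callerId !== verifiedId) {
    return NextResponse.json({ error: "Current password is incorrect" }, { status: 401 });
}

// … unchanged: step 3, PATCH /users/me …
```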