fix: allow display name updates without requiring the current password

Author: q4speed

scheduler-server/src/api/routes/auth.py

@@ -27,7 +27,7 @@ class AuthUserRead(BaseModel):
 
 class ProfileUpdateRequest(BaseModel):
     display_name: str = Field(min_length=1, max_length=120)
-    current_password: str = Field(min_length=1, max_length=255)
+    current_password: str | None = Field(default=None, min_length=1, max_length=255)
     new_password: str | None = Field(default=None, min_length=8, max_length=255)
 
 
@@ -81,10 +81,17 @@ def update_profile(
     user = get_current_user_from_request(request, db)
     if user is None:
         raise HTTPException(status_code=401, detail="Authentication required")
-    if not verify_password(payload.current_password, user.password_hash):
-        raise HTTPException(status_code=401, detail="Invalid username or password")
+    display_name = payload.display_name.strip()
+    if not display_name:
+        raise HTTPException(status_code=400, detail="Display name is required")
+
+    if payload.new_password is not None:
+        if not payload.current_password or not verify_password(payload.current_password, user.password_hash):
+            raise HTTPException(status_code=401, detail="Invalid username or password")
+        if not payload.new_password.strip():
+            raise HTTPException(status_code=400, detail="New password cannot be empty")
 
-    user.display_name = payload.display_name.strip()
+    user.display_name = display_name
     if payload.new_password:
         user.password_hash = hash_password(payload.new_password)
     db.commit()

scheduler-server/tests/test_stage1_backend.py

@@ -225,6 +225,29 @@ def test_auth_profile_update_changes_display_name_and_password(self) -> None:
         self.assertEqual(new_login.json()["display_name"], "Owner")
         self.assertFalse(new_login.json()["using_default_password"])
 
+    def test_auth_profile_update_allows_display_name_change_without_current_password(self) -> None:
+        self.client.cookies.clear()
+        login_response = self.client.post(
+            "/api/auth/login",
+            json={"username": "admin", "password": "admin123456"},
+        )
+        self.assertEqual(login_response.status_code, 200)
+
+        update_response = self.client.put(
+            "/api/auth/profile",
+            json={"display_name": "Owner Only"},
+        )
+        self.assertEqual(update_response.status_code, 200)
+        self.assertEqual(update_response.json()["display_name"], "Owner Only")
+        self.assertTrue(update_response.json()["using_default_password"])
+
+        login_again = self.client.post(
+            "/api/auth/login",
+            json={"username": "admin", "password": "admin123456"},
+        )
+        self.assertEqual(login_again.status_code, 200)
+        self.assertEqual(login_again.json()["display_name"], "Owner Only")
+
     def test_health_remains_public_without_login(self) -> None:
         self.client.cookies.clear()
         response = self.client.get("/api/health")

web-client/src/api/auth.ts

@@ -14,7 +14,7 @@ export type LoginPayload = {
 
 export type UpdateProfilePayload = {
     display_name: string;
-    current_password: string;
+    current_password?: string;
     new_password?: string;
 };
 

web-client/src/components/common/AccountDialog.vue

@@ -1,11 +1,14 @@
 <template>
   <el-dialog
     :model-value="visible"
-    :title="t('auth.account')"
+    :title="t('auth.accountSettings')"
     width="460px"
     @close="emit('update:visible', false)"
   >
     <el-form label-position="top">
+      <el-form-item :label="t('auth.username')">
+        <div class="account-dialog__static-value">{{ username }}</div>
+      </el-form-item>
       <el-form-item :label="t('auth.displayName')">
         <el-input v-model="form.display_name" maxlength="120" />
       </el-form-item>
@@ -37,14 +40,15 @@ import { useI18n } from "@/composables/useI18n";
 const props = defineProps<{
     visible: boolean;
     submitting: boolean;
+    username: string;
     displayName: string;
 }>();
 
 const emit = defineEmits<{
     "update:visible": [value: boolean];
     submit: [{
         display_name: string;
-        current_password: string;
+        current_password?: string;
         new_password?: string;
     }];
 }>();
@@ -76,11 +80,15 @@ function handleSave() {
     const newPassword = form.new_password.trim();
     const confirmPassword = form.confirm_password.trim();
 
-    if (!displayName || !currentPassword) {
+    if (!displayName) {
         ElMessage.error(t("auth.accountRequired"));
         return;
     }
     if (newPassword || confirmPassword) {
+        if (!currentPassword) {
+            ElMessage.error(t("auth.currentPasswordRequired"));
+            return;
+        }
         if (newPassword !== confirmPassword) {
             ElMessage.error(t("auth.passwordMismatch"));
             return;
@@ -93,7 +101,7 @@ function handleSave() {
 
     emit("submit", {
         display_name: displayName,
-        current_password: currentPassword,
+        current_password: currentPassword || undefined,
         new_password: newPassword || undefined,
     });
 }
@@ -105,4 +113,9 @@ function handleSave() {
   justify-content: flex-end;
   gap: 8px;
 }
+
+.account-dialog__static-value {
+  color: #303133;
+  line-height: 32px;
+}
 </style>

web-client/src/components/common/AppTopNav.vue

@@ -46,7 +46,7 @@
         </el-button>
         <template #dropdown>
           <el-dropdown-menu>
-            <el-dropdown-item command="account">{{ t("auth.account") }}</el-dropdown-item>
+            <el-dropdown-item command="account">{{ t("auth.accountSettings") }}</el-dropdown-item>
             <el-dropdown-item divided command="logout">{{ t("auth.logout") }}</el-dropdown-item>
           </el-dropdown-menu>
         </template>
@@ -57,6 +57,7 @@
   <AccountDialog
     :visible="accountDialogVisible"
     :submitting="accountSubmitting"
+    :username="authStore.user?.username ?? ''"
     :display-name="authStore.user?.display_name ?? ''"
     @update:visible="accountDialogVisible = $event"
     @submit="handleAccountSubmit"
@@ -104,7 +105,7 @@ async function handleCommand(command: string) {
 
 async function handleAccountSubmit(payload: {
   display_name: string;
-  current_password: string;
+  current_password?: string;
   new_password?: string;
 }) {
   accountSubmitting.value = true;

web-client/src/i18n/en.ts

@@ -20,13 +20,15 @@ export const en = {
         displayName: "Display name",
         password: "Password",
         account: "Account",
+        accountSettings: "Account Settings",
         accountUpdated: "Account updated",
         currentPassword: "Current password",
         newPassword: "New password",
         confirmPassword: "Confirm password",
         passwordMismatch: "The new passwords do not match",
         passwordTooShort: "The new password must be at least 8 characters",
-        accountRequired: "Username and current password are required",
+        accountRequired: "Display name is required",
+        currentPasswordRequired: "Current password is required to change the password",
     },
     messagesPage: {
         eyebrow: "Messages",

web-client/src/i18n/zh-CN.ts

@@ -20,13 +20,15 @@ export const zhCN = {
         displayName: "显示名",
         password: "密码",
         account: "账户",
+        accountSettings: "账号管理",
         accountUpdated: "账户信息已更新",
         currentPassword: "当前密码",
         newPassword: "新密码",
         confirmPassword: "确认新密码",
         passwordMismatch: "两次输入的新密码不一致",
         passwordTooShort: "新密码至少需要 8 位",
-        accountRequired: "用户名和当前密码不能为空",
+        accountRequired: "显示名不能为空",
+        currentPasswordRequired: "修改密码时必须填写当前密码",
     },
     messagesPage: {
         eyebrow: "消息",