feat: set password via mutation (#3745)

Author: rebelchris

__tests__/users.ts

@@ -215,6 +215,16 @@ jest.mock('../src/cio', () => ({
   syncNotificationFlagsToCio: jest.fn(),
 }));
 
+const mockSetPassword = jest.fn();
+jest.mock('../src/betterAuth', () => ({
+  ...(jest.requireActual('../src/betterAuth') as Record<string, unknown>),
+  getBetterAuth: () => ({
+    api: {
+      setPassword: mockSetPassword,
+    },
+  }),
+}));
+
 beforeAll(async () => {
   con = await createOrGetConnection();
   state = await initializeGraphQLTesting(
@@ -8150,3 +8160,50 @@ describe('query userPostsAnalyticsHistory', () => {
     });
   });
 });
+
+describe('mutation setPassword', () => {
+  const MUTATION = `
+    mutation SetPassword($newPassword: String!) {
+      setPassword(newPassword: $newPassword) {
+        _
+      }
+    }
+  `;
+
+  it('should not authorize when not logged in', () =>
+    testMutationErrorCode(
+      client,
+      {
+        mutation: MUTATION,
+        variables: { newPassword: 'newPassword123!' },
+      },
+      'UNAUTHENTICATED',
+    ));
+
+  it('should set password via better auth api', async () => {
+    loggedUser = '1';
+    mockSetPassword.mockResolvedValueOnce({ status: true });
+
+    const res = await client.mutate(MUTATION, {
+      variables: { newPassword: 'newPassword123!' },
+    });
+
+    expect(res.errors).toBeFalsy();
+    expect(mockSetPassword).toHaveBeenCalledWith({
+      body: { newPassword: 'newPassword123!' },
+      headers: expect.any(Headers),
+    });
+  });
+
+  it('should propagate error when better auth api fails', async () => {
+    loggedUser = '1';
+    mockSetPassword.mockRejectedValueOnce(new Error('Password too weak'));
+
+    const res = await client.mutate(MUTATION, {
+      variables: { newPassword: 'weak' },
+    });
+
+    expect(res.errors).toBeTruthy();
+    expect(res.errors[0].message).toBe('Password too weak');
+  });
+});

src/routes/betterAuth.ts

@@ -92,54 +92,6 @@ export const callBetterAuth = async ({
 };
 
 const betterAuthRoute = async (fastify: FastifyInstance): Promise<void> => {
-  // BetterAuth's setPassword is a server-only API (no HTTP route registered),
-  // so we expose it as a custom route that delegates to auth.api.setPassword().
-  fastify.route({
-    method: 'POST',
-    url: '/auth/set-password',
-    handler: async (request, reply) => {
-      try {
-        const { newPassword } =
-          (request.body as { newPassword?: string }) ?? {};
-        if (!newPassword) {
-          return reply.status(400).send({ error: 'newPassword is required' });
-        }
-
-        const headers = fromNodeHeaders(
-          request.headers as Record<string, string | string[] | undefined>,
-        );
-        const result = await getBetterAuth().api.setPassword({
-          body: { newPassword },
-          headers,
-        });
-
-        return reply.send(result);
-      } catch (error) {
-        request.log.error(
-          { err: formatError(error) },
-          'BetterAuth set-password failed',
-        );
-        if (!reply.sent) {
-          const status =
-            error &&
-            typeof error === 'object' &&
-            'statusCode' in error &&
-            typeof error.statusCode === 'number'
-              ? error.statusCode
-              : 500;
-          const message =
-            error &&
-            typeof error === 'object' &&
-            'message' in error &&
-            typeof error.message === 'string'
-              ? error.message
-              : 'Failed to set password';
-          return reply.status(status).send({ error: message });
-        }
-      }
-    },
-  });
-
   fastify.route({
     method: ['GET', 'POST'],
     url: '/auth/*',

src/schema/users.ts

@@ -107,6 +107,8 @@ import {
   getUserCoresRole,
   hasUserProfileAnalyticsPermissions,
 } from '../common/user';
+import { getBetterAuth } from '../betterAuth';
+import { fromNodeHeaders } from 'better-auth/node';
 import { randomInt, randomUUID } from 'crypto';
 import { ArrayContains, DataSource, In, IsNull, QueryRunner } from 'typeorm';
 import { DisallowHandle } from '../entity/DisallowHandle';
@@ -1689,6 +1691,11 @@ export const typeDefs = /* GraphQL */ `
     Update user's notification preferences
     """
     updateNotificationSettings(notificationFlags: JSON!): EmptyResponse @auth
+
+    """
+    Set a password for the authenticated user (Better Auth)
+    """
+    setPassword(newPassword: String!): EmptyResponse @auth
   }
 `;
 
@@ -3858,6 +3865,29 @@ export const resolvers: IResolvers<unknown, BaseContext> = {
 
       return { _: true };
     },
+    setPassword: async (
+      _,
+      { newPassword }: { newPassword: string },
+      ctx: AuthContext,
+    ): Promise<GQLEmptyResponse> => {
+      const headers = fromNodeHeaders(
+        (ctx.req.raw?.headers as Record<
+          string,
+          string | string[] | undefined
+        >) ?? {},
+      );
+      try {
+        await getBetterAuth().api.setPassword({
+          body: { newPassword },
+          headers,
+        });
+      } catch (error) {
+        const message =
+          error instanceof Error ? error.message : 'Failed to set password';
+        throw new ValidationError(message);
+      }
+      return { _: true };
+    },
   },
   User: {
     image: (user: GQLUser): GQLUser['image'] => mapCloudinaryUrl(user.image),