Furnic/usernames

crates/spec-forest-app/src/main.rs

@@ -68,6 +68,7 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
         db_path: cli.db_path,
         sync_url: cli.sync_url,
         log_prompts: cli.log_prompts,
+        user_name: None,
     };
 
     let (app, ct, _state) = spec_forest::build_server(config).await?;

crates/spec-forest-protocol/src/lib.rs

@@ -226,6 +226,10 @@ pub enum ClientMessage {
     Refresh {
         token: String,
     },
+    ChangePassword {
+        current_password: String,
+        new_password: String,
+    },
     GrantAccess {
         spec_name: String,
         username: String,
@@ -275,6 +279,7 @@ pub enum ServerMessage {
     AuthToken {
         token: String,
     },
+    PasswordChanged,
     TokenExpiring {
         remaining_secs: u64,
     },
@@ -594,4 +599,29 @@ mod tests {
             _ => panic!("wrong variant"),
         }
     }
+
+    #[test]
+    fn test_change_password_roundtrip() {
+        let msg = ClientMessage::ChangePassword {
+            current_password: "old123".into(),
+            new_password: "new456".into(),
+        };
+        let json = serde_json::to_string(&msg).unwrap();
+        let decoded: ClientMessage = serde_json::from_str(&json).unwrap();
+        match decoded {
+            ClientMessage::ChangePassword { current_password, new_password } => {
+                assert_eq!(current_password, "old123");
+                assert_eq!(new_password, "new456");
+            }
+            _ => panic!("wrong variant"),
+        }
+    }
+
+    #[test]
+    fn test_password_changed_roundtrip() {
+        let msg = ServerMessage::PasswordChanged;
+        let json = serde_json::to_string(&msg).unwrap();
+        let decoded: ServerMessage = serde_json::from_str(&json).unwrap();
+        assert!(matches!(decoded, ServerMessage::PasswordChanged));
+    }
 }

crates/spec-forest-sync/src/server/handlers/auth_handlers.rs

@@ -138,6 +138,66 @@ async fn login_user(
     Ok((token, claims))
 }
 
+pub async fn handle_change_password(
+    ctx: &mut HandlerContext<'_>,
+    current_password: String,
+    new_password: String,
+) -> Result<AuthTransition, SyncError> {
+    let username = ctx.require_auth()?.to_string();
+
+    if new_password.len() < 8 {
+        return Err(SyncError::Auth("New password must be at least 8 characters".into()));
+    }
+
+    let state = Arc::clone(ctx.state);
+    let db = state.db.lock().await;
+
+    if db.is_account_locked(&username)? {
+        return Err(SyncError::Auth(
+            "Account is temporarily locked due to too many failed attempts".into(),
+        ));
+    }
+
+    let user = db
+        .get_user(&username)?
+        .ok_or_else(|| SyncError::Auth("User not found".into()))?;
+
+    let valid = crate::auth::verify_password(&user.password_hash, &current_password)
+        .map_err(|e| SyncError::PasswordHash(format!("{e}")))?;
+
+    if !valid {
+        if let Err(e) = db.record_login_failure(&username) {
+            tracing::error!(username = %username, "Failed to record login failure: {e}");
+        }
+        return Err(SyncError::Auth("Current password is incorrect".into()));
+    }
+
+    if let Err(e) = db.reset_login_failures(&username) {
+        tracing::error!(username = %username, "Failed to reset login failures: {e}");
+    }
+
+    let new_hash = crate::auth::hash_password(&new_password)
+        .map_err(|e| SyncError::PasswordHash(format!("{e}")))?;
+
+    db.update_password(&username, &new_hash)
+        .map_err(|e| SyncError::Auth(format!("Failed to update password: {e}")))?;
+    drop(db);
+
+    try_send_msg(ctx.ws, &ServerMessage::PasswordChanged).await?;
+
+    // Issue a fresh token since the old one is now stale (password_changed_at updated)
+    let token = ctx.auth_config.create_token(&username)?;
+    let claims = ctx.auth_config.validate_token(&token)?;
+    try_send_msg(ctx.ws, &ServerMessage::AuthToken { token }).await?;
+
+    let token_exp = claims.exp;
+    *ctx.session = Session::Authenticated {
+        username: username.clone(),
+        token_exp,
+    };
+    Ok(AuthTransition::Refreshed { token_exp })
+}
+
 async fn refresh_token(
     state: &Arc<SyncState>,
     auth_config: &AuthConfig,

crates/spec-forest-sync/src/server/handlers/mod.rs

@@ -51,6 +51,13 @@ pub async fn dispatch(ctx: &mut HandlerContext<'_>, msg: ClientMessage) -> AuthT
         ClientMessage::Refresh { token } => {
             (auth_handlers::handle_refresh(ctx, token).await, None)
         }
+        ClientMessage::ChangePassword {
+            current_password,
+            new_password,
+        } => (
+            auth_handlers::handle_change_password(ctx, current_password, new_password).await,
+            None,
+        ),
         ClientMessage::Subscribe {
             spec_name,
             from_seq,

crates/spec-forest/src/api/sync_ops.rs

@@ -175,3 +175,21 @@ pub async fn sync_connect(
 
     Ok(())
 }
+
+pub async fn sync_change_password(
+    state: &Arc<AppState>,
+    current_password: &str,
+    new_password: &str,
+) -> Result<(), ApiError> {
+    let handle = state
+        .get_sync_handle()
+        .await
+        .ok_or_else(|| ApiError::Internal("Not connected to sync server".into()))?;
+    handle
+        .change_password(current_password, new_password)
+        .await
+        .map_err(|e| ApiError::Internal(e.to_string()))?;
+    // Update the in-memory cached password
+    state.set_sync_password(new_password.to_string());
+    Ok(())
+}

crates/spec-forest/src/http.rs

@@ -273,6 +273,7 @@ pub fn router(state: SharedState) -> Router {
         .route("/api/sync/register", post(sync_register))
         .route("/api/sync/login", post(sync_login))
         .route("/api/sync/connect", post(sync_connect))
+        .route("/api/sync/change-password", post(sync_change_password))
         .route("/api/sync/grant-access", post(sync_grant_access))
         .route("/api/sync/revoke-access", post(sync_revoke_access))
         .route("/api/sync/members", get(sync_list_members))
@@ -722,6 +723,20 @@ async fn sync_connect(
     Ok(Json(serde_json::json!({"status": "connected"})))
 }
 
+async fn sync_change_password(
+    State(state): State<SharedState>,
+    axum::Json(body): axum::Json<serde_json::Value>,
+) -> Result<Json<serde_json::Value>, AppError> {
+    let current = body["current_password"]
+        .as_str()
+        .ok_or_else(|| AppError::Internal("current_password required".into()))?;
+    let new_pw = body["new_password"]
+        .as_str()
+        .ok_or_else(|| AppError::Internal("new_password required".into()))?;
+    crate::api::sync_change_password(&state, current, new_pw).await?;
+    Ok(Json(serde_json::json!({"status": "password_changed"})))
+}
+
 async fn server_status(
     State(state): State<SharedState>,
 ) -> Json<serde_json::Value> {

crates/spec-forest/src/lib.rs

@@ -29,6 +29,7 @@ pub struct ServerConfig {
     pub db_path: String,
     pub sync_url: Option<String>,
     pub log_prompts: Option<String>,
+    pub user_name: Option<String>,
 }
 
 /// Creates an initialized AppState with the op_loop running, but without
@@ -46,8 +47,11 @@ pub async fn build_app_state(
         eprintln!("Logging AI prompts to {log_path}");
     }
 
-    // Load persisted username from the database
-    if let Ok(Some(user_name)) = state.db().get_setting("user_name") {
+    // CLI flag takes priority, then persisted DB setting
+    if let Some(ref name) = config.user_name {
+        state.set_user_name(name.clone());
+        let _ = state.db().set_setting("user_name", name);
+    } else if let Ok(Some(user_name)) = state.db().get_setting("user_name") {
         state.set_user_name(user_name);
     }
 

crates/spec-forest/src/main.rs

@@ -42,6 +42,7 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
         db_path: cli.db_path,
         sync_url: cli.sync_url,
         log_prompts: cli.log_prompts,
+        user_name: None,
     };
 
     let (app, ct, _state) = spec_forest::build_server(config).await?;

crates/spec-forest/src/sync/dispatch.rs

@@ -122,6 +122,10 @@ impl PendingRequests {
                 self.dispatch_member_list(members, creator, client_ref).await;
                 None
             }
+            ServerMessage::PasswordChanged => {
+                // Acknowledgment only — the subsequent AuthToken resolves the pending auth oneshot
+                None
+            }
             ServerMessage::TokenExpiring { remaining_secs } => {
                 eprintln!("sync: token expiring in {remaining_secs}s");
                 None

crates/spec-forest/src/sync/mod.rs

@@ -154,6 +154,35 @@ impl SyncHandle {
         }
     }
 
+    pub async fn change_password(
+        &self,
+        current_password: &str,
+        new_password: &str,
+    ) -> Result<(), SyncError> {
+        let (tx, rx) = oneshot::channel();
+        self.inner.pending.set_auth(tx).await;
+
+        let msg = ClientMessage::ChangePassword {
+            current_password: current_password.to_string(),
+            new_password: new_password.to_string(),
+        };
+        let result = request::send_and_wait_singleton(
+            &*self.inner.connection.lock().await,
+            &msg,
+            rx,
+            "change_password",
+        )
+        .await?;
+
+        match result {
+            Ok(token) => {
+                *self.inner.token.lock().await = Some(token);
+                Ok(())
+            }
+            Err(e) => Err(SyncError::AuthFailed(e)),
+        }
+    }
+
     // --- Subscriptions ---
 
     pub async fn subscribe(

crates/spec-forest/tests/integration.rs

@@ -22,6 +22,7 @@ impl TestServer {
             db_path,
             sync_url: None,
             log_prompts: None,
+            user_name: None,
         };
 
         let (router, ct, _state) = spec_forest::build_server(config).await.unwrap();
@@ -219,6 +220,7 @@ impl TestServer {
             db_path,
             sync_url: Some(sync_url.to_string()),
             log_prompts: None,
+            user_name: None,
         };
 
         let (router, ct, _state) = spec_forest::build_server(config).await.unwrap();