password change feature

src/routes/hunts.js

@@ -1,5 +1,6 @@
 const express = require('express');
 const router = express.Router();
+const { requireAuth } = require('../middleware/auth');
 const { Hunts, Packages, Scans, Users } = require('../models');
 
 // ─── Hunt profile ─────────────────────────────────────────
@@ -95,6 +96,36 @@ router.get('/player/:username', (req, res) => {
   });
 });
 
+// ─── Change password (own profile) ────────────────────────
+router.post('/player/:username/password', requireAuth, (req, res) => {
+  const user = Users.findByUsername(req.params.username);
+  if (!user || user.id !== req.session.userId) {
+    return res.status(403).render('error', { title: 'Forbidden', message: 'You can only change your own password.' });
+  }
+
+  const { current_password, new_password, new_password_confirm } = req.body;
+
+  const fullUser = Users.findByUsername(user.username);
+  if (!Users.verifyPassword(fullUser, current_password)) {
+    req.session.flash = { type: 'danger', message: 'Current password is incorrect.' };
+    return res.redirect(`/player/${user.username}`);
+  }
+
+  if (!new_password || new_password.length < 6) {
+    req.session.flash = { type: 'danger', message: 'New password must be at least 6 characters.' };
+    return res.redirect(`/player/${user.username}`);
+  }
+
+  if (new_password !== new_password_confirm) {
+    req.session.flash = { type: 'danger', message: 'New passwords do not match.' };
+    return res.redirect(`/player/${user.username}`);
+  }
+
+  Users.setPassword(user.id, new_password);
+  req.session.flash = { type: 'success', message: 'Password changed successfully.' };
+  res.redirect(`/player/${user.username}`);
+});
+
 // ─── Browse all hunts ─────────────────────────────────────
 router.get('/hunts', (req, res) => {
   const hunts = Hunts.getAll();