create([ 'password' => Hash::make('OldPassword123!'), ]); $currentToken = $user->createToken('current-device'); $otherToken = $user->createToken('other-device'); $this ->withHeader('Authorization', 'Bearer '.$currentToken->plainTextToken) ->patchJson('/api/auth/me/password', [ 'currentPassword' => 'OldPassword123!', 'password' => 'NewPassword123!', 'passwordConfirmation' => 'NewPassword123!', ]) ->assertOk() ->assertJsonPath('message', __('api.auth.password_updated')); expect(Hash::check('NewPassword123!', $user->fresh()->password))->toBeTrue(); $this->assertDatabaseHas('personal_access_tokens', [ 'id' => $currentToken->accessToken->getKey(), ]); $this->assertDatabaseMissing('personal_access_tokens', [ 'id' => $otherToken->accessToken->getKey(), ]); }); it('rejects an invalid current password', function () { $user = User::factory()->create([ 'password' => Hash::make('OldPassword123!'), ]); $currentToken = $user->createToken('current-device'); $this ->withHeader('Authorization', 'Bearer '.$currentToken->plainTextToken) ->patchJson('/api/auth/me/password', [ 'currentPassword' => 'wrong-password', 'password' => 'NewPassword123!', 'passwordConfirmation' => 'NewPassword123!', ]) ->assertUnprocessable() ->assertJsonValidationErrors(['current_password']); expect(Hash::check('OldPassword123!', $user->fresh()->password))->toBeTrue(); }); it('requires authentication to update the password', function () { $this ->patchJson('/api/auth/me/password', [ 'currentPassword' => 'OldPassword123!', 'password' => 'NewPassword123!', 'passwordConfirmation' => 'NewPassword123!', ]) ->assertUnauthorized(); });