Old password should be sent to update it.

Author: joselfonseca

graphql/auth.graphql

@@ -81,6 +81,7 @@ input VerifyEmailInput {
 }
 
 input UpdatePassword {
+    old_password: String!
     password: String! @rules(apply: ["required", "confirmed", "min:8"])
     password_confirmation: String!
 }

src/GraphQL/Mutations/UpdatePassword.php

@@ -5,6 +5,7 @@
 use GraphQL\Type\Definition\ResolveInfo;
 use Illuminate\Support\Facades\Hash;
 use Joselfonseca\LighthouseGraphQLPassport\Events\PasswordUpdated;
+use Joselfonseca\LighthouseGraphQLPassport\Exceptions\ValidationException;
 use Nuwave\Lighthouse\Support\Contracts\GraphQLContext;
 
 /**
@@ -23,6 +24,11 @@ class UpdatePassword
     public function resolve($rootValue, array $args, GraphQLContext $context = null, ResolveInfo $resolveInfo)
     {
         $user = $context->user();
+        if (!Hash::check($args['old_password'], $user->password)) {
+            throw new ValidationException([
+                'password' => _('Current password is incorrect')
+            ], 'Validation Exception');
+        }
         $user->password = Hash::make($args['password']);
         $user->save();
         event(new PasswordUpdated($user));

tests/Integration/GraphQL/Mutations/UpdatePasswordTest.php

@@ -3,6 +3,7 @@
 namespace Joselfonseca\LighthouseGraphQLPassport\Tests\Integration\GraphQL\Mutations;
 
 use Illuminate\Support\Facades\Event;
+use Illuminate\Support\Facades\Hash;
 use Joselfonseca\LighthouseGraphQLPassport\Events\PasswordUpdated;
 use Joselfonseca\LighthouseGraphQLPassport\Tests\TestCase;
 use Joselfonseca\LighthouseGraphQLPassport\Tests\User;
@@ -17,12 +18,13 @@ public function test_it_updates_logged_in_user_password()
         $user = User::create([
             'name'     => 'Jose Fonseca',
             'email'    => 'jose@example.com',
-            'password' => bcrypt('123456789qq'),
+            'password' => Hash::make('123456789qq'),
         ]);
         Passport::actingAs($user);
         $response = $this->postGraphQL([
             'query' => 'mutation {
                 updatePassword(input: {
+                    old_password: "123456789qq",
                     password: "newPassword123",
                     password_confirmation: "newPassword123"
                 }) {
@@ -52,6 +54,7 @@ public function test_it_validates_rules_for_password()
         $response = $this->postGraphQL([
             'query' => 'mutation {
                 updatePassword(input: {
+                    old_password: "123456789qq",
                     password: "newPassword123"
                 }) {
                     status
@@ -76,6 +79,7 @@ public function test_it_validates_logged_in_user()
         $response = $this->postGraphQL([
             'query' => 'mutation {
                 updatePassword(input: {
+                    old_password: "123456789qq",
                     password: "newPassword123",
                     password_confirmation: "newPassword123"
                 }) {
@@ -88,4 +92,32 @@ public function test_it_validates_logged_in_user()
         $this->assertArrayHasKey('errors', $responseBody);
         $this->assertEquals('Unauthenticated.', $responseBody['errors'][0]['message']);
     }
+
+    public function test_it_validates_old_password()
+    {
+        Event::fake([PasswordUpdated::class]);
+        $this->createClient();
+        $user = User::create([
+            'name'     => 'Jose Fonseca',
+            'email'    => 'jose@example.com',
+            'password' => Hash::make('123456789qq'),
+        ]);
+        Passport::actingAs($user);
+        $response = $this->postGraphQL([
+            'query' => 'mutation {
+                updatePassword(input: {
+                    old_password: "123456789erreqq",
+                    password: "newPassword123",
+                    password_confirmation: "newPassword123"
+                }) {
+                    status
+                    message
+                }
+            }',
+        ]);
+        $responseBody = json_decode($response->getContent(), true);
+        $this->assertArrayHasKey('errors', $responseBody);
+        $this->assertEquals('Validation Exception', $responseBody['errors'][0]['message']);
+        $this->assertEquals('Current password is incorrect', $responseBody['errors'][0]['extensions']['errors']['password']);
+    }
 }