Description
Describe the bug
The change password route in api/v1/routes/auth.py currently accepts a PUT request to update a user's password.
This is not aligned with REST best practices. According to REST guidelines, PUT is meant for idempotent resource updates, whereas changing a password is a non-idempotent action, better suited for a POST request.
Why is this a concern?
PUT is intended for idempotent updates to a resource.
Password changes are often not idempotent (changing to the same password twice may trigger different security events like logging out sessions).
Security best practices often prefer POST for password changes, treating it as an action rather than a resource update.
To Reproduce
Open an API client like Postman.
Send a PUT request to:
PUT /api/v1/auth/password
with the request body:
    {
      "old_Password": "oldPass123",
      "new_Password": "newPass456",
      "confirm_new_password": "newPass456"
    }
Observe that the request succeeds (indicating that PUT is currently accepted).
This behavior is inconsistent with REST best practices, as a POST should be used for this type of sensitive action.
Expected behavior
The endpoint should accept:
POST /api/v1/auth/password
with the same request body.
This follows standard conventions where POST is used for non-idempotent actions, especially for security-related operations such as changing passwords.
Additionally, the documentation should reflect this change so that integrators are aware of the correct method to use.
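To make the expected behaviour concrete, the following is an added example and not the project's code: a stand-alone sketch on the Python standard library of a password route that accepts only POST, answers PUT with 405 and an Allow: POST header, and applies the checks a password change needs (old password re-verified, new and confirm fields match, minimum length). It reuses the field names from the sample body above; the X-Demo-User header (a stand-in for the real session or JWT authentication), the in-memory USERS table, the PBKDF2 parameters and all helper names are assumptions made for the demo. It also shows why the action is not idempotent: replaying the same successful request fails, because the old password no longer matches.

```python
import hashlib
import hmac
import json
import os
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

PASSWORD_PATH = "/api/v1/auth/password"
MIN_LENGTH = 8
USERS = {}  # user -> (salt, pbkdf2 hash); in-memory table constructed for the demo


def _hash(password, salt):
    # PBKDF2-HMAC-SHA256; the iteration count is a demo value, not a tuned one.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def set_password(user, password):
    USERS[user] = (salt := os.urandom(16), _hash(password, salt))


def verify_password(user, password):
    salt, stored = USERS.get(user, (b"", b""))  # unknown user compares against nothing
    return hmac.compare_digest(stored, _hash(password, salt))


def change_password(user, payload):
    # HTTP-free core logic, using the field names from the issue's sample body.
    old, new, confirm = (payload.get(k) for k in
                         ("old_Password", "new_Password", "confirm_new_password"))
    if not all(isinstance(v, str) for v in (old, new, confirm)):
        return 400, {"error": "old_Password, new_Password and confirm_new_password are required"}
    if new != confirm:
        return 400, {"error": "new_Password and confirm_new_password do not match"}
    if len(new) < MIN_LENGTH:
        return 400, {"error": f"new_Password must be at least {MIN_LENGTH} characters"}
    # The current password is re-checked on every call, so replaying a request
    # that already succeeded fails here: the operation is not idempotent.
    if not verify_password(user, old):
        return 401, {"error": "old_Password is incorrect"}
    set_password(user, new)
    return 200, {"status": "password changed"}


class AuthHandler(BaseHTTPRequestHandler):
    def _send(self, status, body, extra=()):
        data = json.dumps(body).encode()
        self.send_response(status)
        for name, value in (("Content-Type", "application/json"),
                            ("Content-Length", str(len(data))), *extra):
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(data)

    def _read_json(self):
        # Always drain the request body so closing the socket never resets the peer.
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            payload = json.loads(raw or b"{}")
        except json.JSONDecodeError:
            payload = None
        return payload if isinstance(payload, dict) else {}

    def do_POST(self):
        payload = self._read_json()
        if self.path != PASSWORD_PATH:
            return self._send(404, {"error": "not found"})
        user = self.headers.get("X-Demo-User")  # demo stand-in for session/JWT auth
        if not user:
            return self._send(401, {"error": "authentication required"})
        self._send(*change_password(user, payload))

    def do_PUT(self):
        self._read_json()
        # The fix the issue asks for: PUT is not an accepted method on this API.
        self._send(405, {"error": "use POST"}, [("Allow", "POST")])


def run_demo():
    # Serve on an ephemeral port and replay the issue's scenario; returns the
    # status codes for [PUT, POST, identical POST again].
    set_password("alice", "oldPass123")
    server = HTTPServer(("127.0.0.1", 0), AuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    body = json.dumps({"old_Password": "oldPass123", "new_Password": "newPass456",
                       "confirm_new_password": "newPass456"})
    headers = {"Content-Type": "application/json", "X-Demo-User": "alice"}
    codes = []
    try:
        conn = HTTPConnection("127.0.0.1", server.server_port)
        for method in ("PUT", "POST", "POST"):
            conn.request(method, PASSWORD_PATH, body=body, headers=headers)
            resp = conn.getresponse()
            resp.read()
            codes.append(resp.status)
    finally:
        server.shutdown()
        server.server_close()
    return codes
```

Calling run_demo() starts the server, sends the sample body first with PUT, then twice with POST, and returns [405, 200, 401]: the PUT is refused, the first POST changes the password, and the identical replay is rejected because oldPass123 is no longer the current password. The 405 response carries Allow: POST so an integrator still on PUT sees the correct method in the error itself.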
Desktop (please complete the following information):
- OS: Windows
- Browser: Chrome
- Version: latest
Additional context
This change will improve the clarity and maintainability of the API.
Many security frameworks and API design guidelines recommend using POST for password changes to emphasize the non-idempotent nature of the operation.
Documentation and client implementations may need to be updated alongside this fix.