backend-php/controllers/UserChangePasswordController.php

<?php

namespace Controllers;

use Libs\ResponseLib;
use Models\UserModel;
use Psr\Http\Message\ServerRequestInterface;

class UserChangePasswordController
{
    public function __invoke(ServerRequestInterface $request)
    {
        $userId = (int)($request->getAttribute('api_user_id') ?? 0);
        if ($userId <= 0) {
            return ResponseLib::sendFail('Unauthorized', [], 'E_VALIDATE')->withStatus(401);
        }

        $body = json_decode((string)$request->getBody(), true) ?? [];
        $current = $body['current_password'] ?? '';
        $new = $body['new_password'] ?? '';

        if ($current === '' || $new === '' || strlen($new) < 8) {
            return ResponseLib::sendFail('Validation failed: invalid passwords', [], 'E_VALIDATE')->withStatus(400);
        }
        if ($current === $new) {
            return ResponseLib::sendFail('New password must be different from current password', [], 'E_VALIDATE')->withStatus(400);
        }

        $model = new UserModel();
        $ok = $model->changePassword($userId, $current, $new);
        if (!$ok) {
            return ResponseLib::sendFail('Invalid current password or update failed', [], 'E_VALIDATE')->withStatus(400);
        }

        return ResponseLib::sendOk(['user_id' => $userId], 'S_UPDATED');
    }
}