[SECURITY] Move password update to client-side Supabase API (Phase 3)

## Context

`SupabaseUserDatastore.updatePassword` was calling `adminApi.updateUserById()` (service-role key) to set a user's password server-side, bypassing current-password verification. This is a security risk — the server should not be responsible for password management using the admin API.

## Change

- Complete `AuthServiceImpl.changePassword` to use `auth.updateUser { password = newPassword.reveal() }` directly after verifying the current password via `auth.signInWith(Email)`

## Notes

- Current password is verified by re-authenticating via Supabase before calling `auth.updateUser` — this ensures only the account owner can change the password
- The `canPasswordAuth` flag in `authMetadata` (previously updated server-side after password change) is no longer updated as part of this flow. A follow-up ticket should determine the correct place to set this flag (e.g., a lightweight server endpoint called after client-side `auth.updateUser` succeeds, or a Supabase webhook/trigger)

## What type of task is this?
Security / Bug Fix

Related to #215 


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[SECURITY] Move password update to client-side Supabase API (Phase 3) #447

Context

Change

Notes

What type of task is this?

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[SECURITY] Move password update to client-side Supabase API (Phase 3) #447

Description

Context

Change

Notes

What type of task is this?

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions