feat: add self-service password change page at /account/password

Validates current password, enforces 8-char minimum, links from
EasyAdmin user menu. Also fixes route loader (attribute scan instead
of broken easyadmin.routes type).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

config/routes.yaml

@@ -8,4 +8,7 @@
 #   bin/console debug:router
 
 controllers:
-    resource: routing.controllers
+    resource:
+        path: ../src/Infrastructure/Http/Controller/
+        namespace: App\Infrastructure\Http\Controller
+    type: attribute

config/routes/easyadmin.yaml

@@ -0,0 +1,3 @@
+_security_logout:
+    resource: security.route_loader.logout
+    type: service

src/Domain/Auth/User.php

@@ -5,13 +5,16 @@ declare(strict_types=1);
 namespace App\Domain\Auth;
 
 use Doctrine\ORM\Mapping as ORM;
+use Scheb\TwoFactorBundle\Model\Totp\TotpConfiguration;
+use Scheb\TwoFactorBundle\Model\Totp\TotpConfigurationInterface;
+use Scheb\TwoFactorBundle\Model\Totp\TwoFactorInterface as TotpTwoFactorInterface;
 use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Uid\Uuid;
 
 #[ORM\Entity]
 #[ORM\Table(name: 'users', schema: 'app')]
-class User implements UserInterface, PasswordAuthenticatedUserInterface
+class User implements UserInterface, PasswordAuthenticatedUserInterface, TotpTwoFactorInterface
 {
     #[ORM\Id]
     #[ORM\Column(type: 'uuid')]
@@ -73,6 +76,27 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
     {
     }
 
+    public function isTotpAuthenticationEnabled(): bool
+    {
+        return null !== $this->totpSecret;
+    }
+
+    public function getTotpAuthenticationUsername(): string
+    {
+        \assert('' !== $this->email);
+
+        return $this->email;
+    }
+
+    public function getTotpAuthenticationConfiguration(): ?TotpConfigurationInterface
+    {
+        if (null === $this->totpSecret) {
+            return null;
+        }
+
+        return new TotpConfiguration($this->totpSecret, TotpConfiguration::ALGORITHM_SHA1, 30, 6);
+    }
+
     public function getTotpSecret(): ?string
     {
         return $this->totpSecret;
@@ -88,6 +112,11 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
         return $this->isActive;
     }
 
+    public function setPasswordHash(string $passwordHash): void
+    {
+        $this->passwordHash = $passwordHash;
+    }
+
     public function setIsActive(bool $active): void
     {
         $this->isActive = $active;

src/Infrastructure/Http/Controller/Admin/DashboardController.php

@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Infrastructure\Http\Controller\Admin;
+
+use EasyCorp\Bundle\EasyAdminBundle\Config\Dashboard;
+use EasyCorp\Bundle\EasyAdminBundle\Config\MenuItem;
+use EasyCorp\Bundle\EasyAdminBundle\Config\UserMenu;
+use EasyCorp\Bundle\EasyAdminBundle\Controller\AbstractDashboardController;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+#[IsGranted('ROLE_USER')]
+final class DashboardController extends AbstractDashboardController
+{
+    #[Route('/admin', name: 'easyadmin')]
+    public function index(): Response
+    {
+        return $this->render('admin/dashboard.html.twig');
+    }
+
+    public function configureUserMenu(UserInterface $user): UserMenu
+    {
+        return parent::configureUserMenu($user)
+            ->addMenuItems([
+                MenuItem::linkToRoute('Passwort ändern', 'fa fa-key', 'app_change_password'),
+            ]);
+    }
+
+    public function configureDashboard(): Dashboard
+    {
+        return Dashboard::new()->setTitle('SuperSeller3000');
+    }
+
+    public function configureMenuItems(): iterable
+    {
+        yield MenuItem::linkToDashboard('Dashboard', 'fa fa-home');
+        yield MenuItem::linkTo(ArticleCrudController::class, 'Articles', 'fa fa-box');
+        yield MenuItem::linkTo(ArticleTypeCrudController::class, 'Article Types', 'fa fa-tags');
+        yield MenuItem::linkTo(AIPipelineJobCrudController::class, 'AI Pipeline Jobs', 'fa fa-robot');
+        yield MenuItem::linkTo(UserCrudController::class, 'Users', 'fa fa-users');
+        yield MenuItem::linkTo(LogEntryCrudController::class, 'Logs', 'fa fa-list');
+        yield MenuItem::section('Verkauf');
+        yield MenuItem::linkTo(OrderCrudController::class, 'Bestellungen', 'fa fa-shopping-cart');
+        yield MenuItem::linkTo(CustomerCrudController::class, 'Kunden', 'fa fa-users');
+        yield MenuItem::linkTo(InvoiceCrudController::class, 'Rechnungen', 'fa fa-file-invoice');
+    }
+}

src/Infrastructure/Http/Controller/ChangePasswordController.php

@@ -0,0 +1,63 @@
+<?php
+
+declare(strict_types=1);
+
+namespace App\Infrastructure\Http\Controller;
+
+use App\Domain\Auth\Repository\UserRepositoryInterface;
+use App\Domain\Auth\User;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\IsGranted;
+
+#[IsGranted('ROLE_USER')]
+final class ChangePasswordController extends AbstractController
+{
+    public function __construct(
+        private readonly UserRepositoryInterface $users,
+        private readonly UserPasswordHasherInterface $hasher,
+    ) {
+    }
+
+    #[Route('/account/password', name: 'app_change_password', methods: ['GET', 'POST'])]
+    public function __invoke(Request $request): Response
+    {
+        /** @var User $user */
+        $user = $this->getUser();
+
+        $error = null;
+
+        if ($request->isMethod('POST')) {
+            $token = $request->request->getString('_csrf_token');
+            if (!$this->isCsrfTokenValid('change_password', $token)) {
+                $error = 'Ungültiges Formular-Token. Bitte erneut versuchen.';
+            } else {
+                $current = $request->request->getString('current_password');
+                $new = $request->request->getString('new_password');
+                $confirm = $request->request->getString('confirm_password');
+
+                if (!$this->hasher->isPasswordValid($user, $current)) {
+                    $error = 'Das aktuelle Passwort ist falsch.';
+                } elseif (mb_strlen($new) < 8) {
+                    $error = 'Das neue Passwort muss mindestens 8 Zeichen lang sein.';
+                } elseif ($new !== $confirm) {
+                    $error = 'Die neuen Passwörter stimmen nicht überein.';
+                } else {
+                    $user->setPasswordHash($this->hasher->hashPassword($user, $new));
+                    $this->users->save($user);
+
+                    $this->addFlash('success', 'Passwort erfolgreich geändert.');
+
+                    return $this->redirectToRoute('app_change_password');
+                }
+            }
+        }
+
+        return $this->render('security/change_password.html.twig', [
+            'error' => $error,
+        ]);
+    }
+}

templates/security/change_password.html.twig

@@ -0,0 +1,37 @@
+{% extends 'base.html.twig' %}
+
+{% block title %}Passwort ändern{% endblock %}
+
+{% block body %}
+<div style="max-width:400px;margin:4rem auto;font-family:sans-serif">
+    <h1>Passwort ändern</h1>
+
+    {% for message in app.flashes('success') %}
+        <div style="color:green;margin-bottom:1rem">{{ message }}</div>
+    {% endfor %}
+
+    {% if error %}
+        <div style="color:red;margin-bottom:1rem">{{ error }}</div>
+    {% endif %}
+
+    <form method="post">
+        <div style="margin-bottom:1rem">
+            <label for="current_password">Aktuelles Passwort</label><br>
+            <input id="current_password" type="password" name="current_password" required autofocus style="width:100%;padding:.5rem">
+        </div>
+        <div style="margin-bottom:1rem">
+            <label for="new_password">Neues Passwort</label><br>
+            <input id="new_password" type="password" name="new_password" required minlength="8" style="width:100%;padding:.5rem">
+        </div>
+        <div style="margin-bottom:1rem">
+            <label for="confirm_password">Neues Passwort bestätigen</label><br>
+            <input id="confirm_password" type="password" name="confirm_password" required minlength="8" style="width:100%;padding:.5rem">
+        </div>
+        <input type="hidden" name="_csrf_token" value="{{ csrf_token('change_password') }}">
+        <div style="display:flex;gap:1rem;align-items:center">
+            <button type="submit" style="padding:.5rem 1rem">Passwort ändern</button>
+            <a href="{{ path('easyadmin') }}" style="color:#666">Zurück zum Dashboard</a>
+        </div>
+    </form>
+</div>
+{% endblock %}