prepare("SELECT password_hash FROM users WHERE id = ?"); $stmt->execute([$user['id']]); $row = $stmt->fetch(); if (!password_verify($currentPass, $row['password_hash'])) { apiError('Current password is incorrect.', 401); } $hash = password_hash($newPass, PASSWORD_BCRYPT, ['cost' => 12]); $db->prepare("UPDATE users SET password_hash = ? WHERE id = ?")->execute([$hash, $user['id']]); // Invalidate all other tokens $db->prepare("DELETE FROM user_tokens WHERE user_id = ? AND token != ?")->execute([$user['id'], post('token')]); apiSuccess([], 'Password changed successfully.');