# Task 15 — Profile Change Password

Tiny task — finish the profile pages with a working change-password form.

## Files

```
apps/web/src/components/profile/change-password-form.tsx
```

Then drop the component into both:
```
apps/web/src/app/captain/profile/page.tsx
apps/web/src/app/volunteer/profile/page.tsx
```

## Form

| Field | Validation |
|---|---|
| Current password | required |
| New password | min 8 |
| Confirm new | must match new |

POST to `/api/auth/change-password` with `{ oldPassword, newPassword }`.

On success: toast "Password changed successfully". Optionally force re-login
by clearing the session cookie and redirecting to login (recommended).

## Layout

Inline form inside a Card on the profile page. Three password inputs stacked,
single Submit button.

## Acceptance

1. Captain or volunteer opens profile.
2. Sees the change-password card.
3. Enters wrong current password → error "Old password is incorrect".
4. Enters mismatched confirm → form-level validation error.
5. Enters good current + valid new → success toast, logged out, redirect to login.
6. Login with new password works.

## Gotchas

- Don't show the password field as autocomplete='current-password' on the new fields —
  use 'new-password' so password managers store the new one.
- Server returns 204 on success. Don't try to parse the body.
- Show password strength meter? Phase 2 if at all — keeps form simple now.

## Out of scope

- Forgot password / email reset — Phase 2 (captain manually resets via Volunteer Master)
- 2FA — Phase 3