fix(profile): allow empty current password when setting password for first time

SSO users have no passwordHash and should be able to set a local password
without providing a current one. Users with an existing password still
must verify it. Removes the client-side required attribute and updates
the server-side logic accordingly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

App/app/(portal)/profile/actions.ts

@@ -12,7 +12,7 @@ type Result = { ok: true } | { error: string };
 // ── Change password ───────────────────────────────────────────────────────────
 
 const changePasswordSchema = z.object({
-  currentPassword: z.string().min(1, "Current password is required"),
+  currentPassword: z.string().optional(),
   newPassword: z.string().min(8, "New password must be at least 8 characters"),
 });
 
@@ -31,10 +31,12 @@ export async function changePassword(formData: FormData): Promise<Result> {
     select: { passwordHash: true },
   });
   if (!user) return { error: "User not found" };
-  if (!user.passwordHash) return { error: "Password change is not available for accounts that sign in via Microsoft 365." };
 
+  if (user.passwordHash) {
+    if (!parsed.data.currentPassword) return { error: "Current password is required." };
     const valid = await bcrypt.compare(parsed.data.currentPassword, user.passwordHash);
-  if (!valid) return { error: "Current password is incorrect" };
+    if (!valid) return { error: "Current password is incorrect." };
+  }
 
   const newHash = await bcrypt.hash(parsed.data.newPassword, 12);
   await db.user.update({

App/app/(portal)/profile/change-password-form.tsx

@@ -43,7 +43,6 @@ export function ChangePasswordForm() {
         <input
           type="password"
           name="currentPassword"
-          required
           autoComplete="current-password"
           className="w-full rounded-lg border border-neutral-300 px-3 py-2.5 text-sm focus:border-primary-500 focus:outline-none focus:ring-2 focus:ring-primary-500/20"
         />