🔥 Nice — that’s a real upgrade. If Replit wired reauthenticateWithCredential + updatePassword, you’re legit. Here’s a quick QA + hardening checklist so we know it’s bulletproof:

Quick QA (do these now)

Happy-path

Current pwd correct → new strong pwd → toast success → you can log in with new pwd.

Wrong current password

Should show clear error (no vague “auth/invalid-credential”).

Weak password

Should show “Password too weak” (e.g., Firebase auth/weak-password).

Recent-login required

If session is old, you should see “Please re-authenticate” and the UI should prompt for current password again (or force re-login).

OAuth-only account

If an account was created with Google/Apple and no password is set, Security tab should hide “Change password” and instead show “Add a password” flow.

Multi-provider account

If user has Google and email/password linked, changing password should still work and login via Google should continue to work.

Mobile view

Inputs and toasts readable on small screens; show/hide toggles don’t overlap.

UX polish (nice wins)

Strength meter + requirements (“8+ chars, number, symbol, etc.”).

Inline mismatch warning as user types confirm field.

Disable button until valid & changed.

Success toast: “Password updated. You’ll use your new password next login.”

Security hardening (recommended)

Revoke other sessions on change (so old stolen refresh tokens die):

Server (Firebase Admin):

// after successful password change (server-side hook, e.g. a Cloud Function or your API)
import { getAuth } from "firebase-admin/auth";

// Invalidates every refresh token for this user; already-issued ID tokens stay valid until they expire (≤1 hour),
// so have the client re-sign-in after the change.
export async function revokeOtherSessions(userId) {
  await getAuth().revokeRefreshTokens(userId);
}


Client: tell user “You may be asked to sign in again on other devices.”

MFA (enable in Firebase): Prefer TOTP (authenticator app) over SMS; offer as optional in Security tab.

Rate-limit password changes: 5/min per user/IP (if you run a server shim).

Breach check (optional): warn if new password appears in known breaches (k-Anon HIBP API). Purely advisory; don’t transmit the raw password.

Forgot Password flow (if not already live)

Add “Forgot password?” link on Sign In → sendPasswordResetEmail(email).

Toast on success: “Reset link sent if the email exists.”

Generic errors to avoid account enumeration.

Edge copy (drop-in microcopy)

Wrong current pwd: “That doesn’t match your current password.”

Weak new pwd: “Try a stronger password (8+ chars incl. number & symbol).”

Recent login: “For your security, please re-enter your current password.”

OAuth-only: “Your account uses Google sign-in. To set a password, link an email/password in Account → Sign-in methods.”

If you want, I can add:

a “Revoke other sessions” toggle that calls the Admin revokeRefreshTokens() via a small secure API,

a TOTP setup section (QR + recovery codes) in Security tab,

and a Forgot Password link + page.