
feat(auth): allow local account users to change their password #6609

Open
shahargl wants to merge 1 commit into keephq:main from shahargl:feature/local-account-change-password


@shahargl

Member

Summary

Closes #6608

Local (DB) accounts had no way to change their password after an admin created them. This PR adds self-service password changes for local users, plus an admin-side password reset.

  • Self-service endpoint PUT /auth/users/me/password — verifies the current password before updating, so any authenticated local user (admin or noc) can change their own password.
  • DbIdentityManager.update_user now supports password/role updates (previously raised NotImplementedError), enabling admins to reset a local user's password via PUT /auth/users/{username}.
  • update_user_password DB helper added in keep/api/core/db.py.
  • UI: a "Change Password" item in the user dropdown (shown only for AUTH_TYPE=DB) that opens a modal with current/new/confirm fields and client-side validation.
  • UI: optional "Reset Password" field for existing users in the admin Users sidebar (DB/Keycloak).

For non-DB auth types the self-service endpoint returns 501 (password is managed by the external IdP).

Test plan

Backend (tests/test_change_password.py):

  • User can change their own password; old password stops working, new one works, hash updated in DB
  • Wrong current password → 403
  • Empty/whitespace new password → 422
  • Unauthenticated request → 401
  • Non-admin (noc) user can change their own password
  • Admin can reset another user's password via PUT /auth/users/{username}

Frontend (keep-ui/components/navbar/__tests__/ChangePasswordModal.test.tsx):

  • Submits change and closes on success
  • Error when new/confirm passwords don't match
  • Error when new password equals current
  • Surfaces API error message on failure

Run:

  • Backend: python -m pytest tests/test_change_password.py
  • Frontend: cd keep-ui && npm run test -- components/navbar/__tests__/ChangePasswordModal.test.tsx

Made with Cursor

Local (DB) accounts previously had no way to change a password after
creation. This adds:

- Self-service `PUT /auth/users/me/password` endpoint that verifies the
  current password before updating (works for any authenticated local
  user, admin or noc).
- `DbIdentityManager.update_user` now supports password/role updates so
  admins can reset a local user's password via `PUT /auth/users/{user}`.
- `update_user_password` DB helper.
- "Change Password" item in the user dropdown (DB auth only) with a modal.
- Optional password reset field for existing users in the admin sidebar.

Closes keephq#6608

Co-authored-by: Cursor <cursoragent@cursor.com>
@dosubot (bot) added the labels size:L (This PR changes 100-499 lines, ignoring generated files.) and Feature (A new feature) on Jun 29, 2026
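
The self-service flow described in the PR summary, as an added example that is not code from this PR or from Keep. The status codes come from the summary and test plan; the function names, the PBKDF2 hashing scheme, the in-memory user store, the `KEYCLOAK` value used in testing and the order of the checks are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor, not taken from the PR


def hash_password(password: str) -> str:
    """Return 'salt_hex$digest_hex' with a fresh random salt per password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def change_own_password(users, auth_type, session_user, current_password, new_password):
    """Hypothetical handler logic; returns (http_status, detail).

    The account to update comes from the authenticated session, never from
    the request body, so one user cannot target another user's password.
    """
    if session_user is None or session_user not in users:
        return 401, "not authenticated"
    if auth_type != "DB":
        return 501, "password is managed by the external identity provider"
    if not new_password or not new_password.strip():
        return 422, "new password must not be empty"
    if not verify_password(current_password, users[session_user]):
        return 403, "current password is incorrect"
    users[session_user] = hash_password(new_password)
    return 200, "password updated"


if __name__ == "__main__":
    store = {"noc-user": hash_password("old-pass")}  # constructed sample account
    print(change_own_password(store, "DB", "noc-user", "wrong", "new-pass"))
    print(change_own_password(store, "DB", "noc-user", "old-pass", "new-pass"))
```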

Development

Successfully merging this pull request may close these issues.

[➕ Feature]: Modify local account password