fix: allow patching some /credentials sub-paths

We still need to disallow `/credentials/oidc`, because patching this would lead to subtle bugs.

identity/handler.go

@@ -916,7 +916,7 @@ func (h *Handler) patch(w http.ResponseWriter, r *http.Request, ps httprouter.Pa
 
 	patchedIdentity := WithAdminMetadataInJSON(*identity)
 
-	if err := jsonx.ApplyJSONPatch(requestBody, &patchedIdentity, "/id", "/stateChangedAt", "/credentials", "/credentials/**"); err != nil {
+	if err := jsonx.ApplyJSONPatch(requestBody, &patchedIdentity, "/id", "/stateChangedAt", "/credentials", "/credentials/oidc/**"); err != nil {
 		h.r.Writer().WriteError(w, r, errors.WithStack(
 			herodot.
 				ErrBadRequest.

identity/handler_test.go

@@ -1227,7 +1227,7 @@ func TestHandler(t *testing.T) {
 		}
 	})
 
-	t.Run("case=PATCH should fail to update credential password", func(t *testing.T) {
+	t.Run("case=PATCH should allow to update credential password", func(t *testing.T) {
 		uuid := x.NewUUID().String()
 		email := uuid + "@ory.sh"
 		password := "ljanf123akf"
@@ -1247,9 +1247,12 @@ func TestHandler(t *testing.T) {
 					{"op": "replace", "path": "/credentials/password/config/hashed_password", "value": "foo"},
 				}
 
-				res := send(t, ts, "PATCH", "/identities/"+i.ID.String(), http.StatusBadRequest, &patch)
+				send(t, ts, "PATCH", "/identities/"+i.ID.String(), http.StatusOK, &patch)
 
-				assert.EqualValues(t, "patch includes denied path: /credentials/password/config/hashed_password", res.Get("error.message").String(), "%s", res.Raw)
+				updated, err := reg.PrivilegedIdentityPool().GetIdentityConfidential(ctx, i.ID)
+				require.NoError(t, err)
+				assert.Equal(t, "foo",
+					gjson.GetBytes(updated.Credentials[identity.CredentialsTypePassword].Config, "hashed_password").String())
 			})
 		}
 	})