From 612eeb357888603eff45324b933eb9c57fcb27cb Mon Sep 17 00:00:00 2001
From: Court Ewing <court@epixa.com>
Date: Tue, 20 Nov 2018 15:39:25 -0500
Subject: [PATCH] Use loginAttempt service for change password

---
 x-pack/plugins/security/server/routes/api/v1/users.js | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/x-pack/plugins/security/server/routes/api/v1/users.js b/x-pack/plugins/security/server/routes/api/v1/users.js
index 17b0cfe7e55678..0e2719e87707da 100644
--- a/x-pack/plugins/security/server/routes/api/v1/users.js
+++ b/x-pack/plugins/security/server/routes/api/v1/users.js
@@ -105,9 +105,8 @@ export function initUsersApi(server) {
 
         // Now we authenticate user with the new password again updating current session if any.
         if (isCurrentUser) {
-          const authenticationResult = await server.plugins.security.authenticate(
-            BasicCredentials.decorateRequest(request, username, newPassword)
-          );
+          request.loginAttempt().setCredentials(username, newPassword);
+          const authenticationResult = await server.plugins.security.authenticate(request);
 
           if (!authenticationResult.succeeded()) {
             throw Boom.unauthorized((authenticationResult.error));