I don't know what HTTP method to use, when an API endpoint specifically targets one field or one "action", which is part of a larger entity.
I've read into other similar questions about using PUT vs PATCH, like Use of PUT vs PATCH methods in REST API real life scenarios. Most of these refer to updating an entire entity, for example:
PATCH /user/1
But what is the HTTP method to use if the API endpoint specifies a distinct field / action, but that field is still only part of a larger entity and not its own entity?
PUT /user/1/password vs PATCH /user/1/password
The action itself is idempotent as far as I understand the general concept. It also replaces the whole "password" entry - so it should be a PUT. But then, the password is just one of many fields in the user table, so it may be a PATCH? But in a way, using PATCH here would also give away the implementation (as it suggests that the password field is part of another table and not its own entity).
I'm using password as an easy to understand example here, but this could apply to other concepts where the implementation isn't so obvious, like locking an account:
PUT /user/1/lock vs PATCH /user/1/lock
"Locking" a user could be a flag, or an entirely separate entry in another table.
So, essentially, my confusion here is: I think these specific endpoints should use PUT, since the API endpoint shouldn't care about the implementation and its an idempotent action. But my research implies it may be a PATCH. What method should be used here?
