Quote:
$password = password_hash($npassword, PASSWORD_DEFAULT);
$query = "UPDATE users SET
password = '$npassword'
WHERE username = '$username'";
$stmt2 = $conn->prepare($query);
You store the hashed password in
$password
(the hashed password), but you set the password in the database to
$npassword
(the plain-text password).
But you really need to sort out the
SQL Injection vulnerabilities[
^] in your code. Until you do, you might as well not have any authentication on your site.