Merge remote-tracking branch 'origin/master'

svc/routes/login.go

@@ -30,6 +30,12 @@ type LoginRequest struct {
 	Password string `json:"password"`
 }
 
+func looksLikeBcryptHash(value string) bool {
+	return strings.HasPrefix(value, "$2a$") ||
+		strings.HasPrefix(value, "$2b$") ||
+		strings.HasPrefix(value, "$2y$")
+}
+
 func ensureLegacyUserReadyForSession(db *sql.DB, legacyUser *models.User) (int64, error) {
 	desiredID := int64(legacyUser.ID)
 
@@ -148,19 +154,36 @@ func LoginHandler(db *sql.DB) http.HandlerFunc {
 		if err == nil {
 
 			// mk_dfusr authoritative
-			if strings.TrimSpace(mkUser.PasswordHash) != "" {
+			mkHash := strings.TrimSpace(mkUser.PasswordHash)
+			if mkHash != "" {
+				if looksLikeBcryptHash(mkHash) {
+					cmpErr := bcrypt.CompareHashAndPassword(
+						[]byte(mkHash),
+						[]byte(pass),
+					)
+					if cmpErr == nil {
+						_ = mkRepo.TouchLastLogin(mkUser.ID)
+						writeLoginResponse(w, db, mkUser)
+						return
+					}
 
-				if bcrypt.CompareHashAndPassword(
-					[]byte(mkUser.PasswordHash),
-					[]byte(pass),
-				) != nil {
-					http.Error(w, "Kullanıcı adı veya parola hatalı", http.StatusUnauthorized)
-					return
+					if !mkUser.ForcePasswordChange {
+						http.Error(w, "invalid credentials", http.StatusUnauthorized)
+						return
+					}
+
+					log.Printf(
+						"LOGIN FALLBACK legacy allowed (force_password_change=true) username=%s id=%d",
+						mkUser.Username,
+						mkUser.ID,
+					)
+				} else {
+					log.Printf(
+						"LOGIN FALLBACK legacy allowed (non-bcrypt mk hash) username=%s id=%d",
+						mkUser.Username,
+						mkUser.ID,
+					)
 				}
-
-				_ = mkRepo.TouchLastLogin(mkUser.ID)
-				writeLoginResponse(w, db, mkUser)
-				return
 			}
 			// password_hash boşsa legacy fallback
 		} else if err != repository.ErrMkUserNotFound {