Merge remote-tracking branch 'origin/master'

svc/main.go

@@ -207,6 +207,23 @@ func InitRoutes(pgDB *sql.DB, mssql *sql.DB, ml *mailer.GraphMailer) *mux.Router
 		routes.AuthRefreshHandler(pgDB),
 	)
 
+	// Password reset flow (public)
+	bindV3(r, pgDB,
+		"/api/password/forgot", "POST",
+		"auth", "update",
+		routes.ForgotPasswordHandler(pgDB, ml),
+	)
+	bindV3(r, pgDB,
+		"/api/password/reset/validate/{token}", "GET",
+		"auth", "view",
+		routes.ValidatePasswordResetTokenHandler(pgDB),
+	)
+	bindV3(r, pgDB,
+		"/api/password/reset", "POST",
+		"auth", "update",
+		routes.CompletePasswordResetHandler(pgDB),
+	)
+
 	// ============================================================
 	// SYSTEM
 	// ============================================================

svc/routes/password_forgot.go

@@ -73,7 +73,7 @@ func ForgotPasswordHandler(
 		_, _ = db.Exec(`
 			INSERT INTO dfusr_password_reset (
 				dfusr_id,
-				token,
+				token_hash,
 				expires_at
 			)
 			VALUES ($1, $2, $3)

svc/routes/password_reset_complete.go

@@ -43,9 +43,9 @@ func CompletePasswordResetHandler(db *sql.DB) http.HandlerFunc {
 		var expiresAt time.Time
 
 		err := db.QueryRow(`
-			SELECT mk_dfusr_id, expires_at
-			FROM mk_dfusr_password_reset
-			WHERE token = $1
+			SELECT dfusr_id, expires_at
+			FROM dfusr_password_reset
+			WHERE token_hash = $1
 			  AND used_at IS NULL
 		`, tokenHash).Scan(&userID, &expiresAt)
 
@@ -84,9 +84,10 @@ func CompletePasswordResetHandler(db *sql.DB) http.HandlerFunc {
 
 		// token tüket
 		if _, err := tx.Exec(`
-			UPDATE mk_dfusr_password_reset
+			UPDATE dfusr_password_reset
 			SET used_at = now()
-			WHERE token = $1
+			WHERE token_hash = $1
+			  AND used_at IS NULL
 		`, tokenHash); err != nil {
 			http.Error(w, "token update failed", http.StatusInternalServerError)
 			return

svc/routes/password_reset_validate.go

@@ -1,9 +1,8 @@
 package routes
 
 import (
-	"crypto/sha256"
+	"bssapp-backend/internal/security"
 	"database/sql"
-	"encoding/hex"
 	"net/http"
 	"time"
 
@@ -21,8 +20,7 @@ func ValidatePasswordResetTokenHandler(db *sql.DB) http.HandlerFunc {
 		}
 
 		// 🔐 plain token -> hash
-		h := sha256.Sum256([]byte(token))
-		tokenHash := hex.EncodeToString(h[:])
+		tokenHash := security.HashToken(token)
 
 		var (
 			userID    int64
@@ -31,8 +29,8 @@ func ValidatePasswordResetTokenHandler(db *sql.DB) http.HandlerFunc {
 		)
 
 		err := db.QueryRow(`
-			SELECT user_id, expires_at, used_at
-			FROM password_reset_tokens
+			SELECT dfusr_id, expires_at, used_at
+			FROM dfusr_password_reset
 			WHERE token_hash = $1
 			LIMIT 1
 		`, tokenHash).Scan(&userID, &expiresAt, &usedAt)

svc/routes/user_detail.go

@@ -456,7 +456,7 @@ func SendPasswordResetMailHandler(
 
 		// 💾 DB → SADECE HASH
 		_, _ = db.Exec(`
-			INSERT INTO dfusr_password_reset (dfusr_id, token, expires_at)
+			INSERT INTO dfusr_password_reset (dfusr_id, token_hash, expires_at)
 			VALUES ($1,$2,$3)
 		`, userID, hash, expires)