Merge remote-tracking branch 'origin/master'

2026-02-20 15:58:47 +03:00
parent 4ca8abb52f
commit 47ca23f970
5 changed files with 29 additions and 13 deletions
--- a/svc/main.go
+++ b/svc/main.go
@@ -207,6 +207,23 @@ func InitRoutes(pgDB *sql.DB, mssql *sql.DB, ml *mailer.GraphMailer) *mux.Router
 		routes.AuthRefreshHandler(pgDB),
 	)
 	// Password reset flow (public)
 	bindV3(r, pgDB,
 		"/api/password/forgot", "POST",
 		"auth", "update",
 		routes.ForgotPasswordHandler(pgDB, ml),
 	)
 	bindV3(r, pgDB,
 		"/api/password/reset/validate/{token}", "GET",
 		"auth", "view",
 		routes.ValidatePasswordResetTokenHandler(pgDB),
 	)
 	bindV3(r, pgDB,
 		"/api/password/reset", "POST",
 		"auth", "update",
 		routes.CompletePasswordResetHandler(pgDB),
 	)
 	// ============================================================
 	// SYSTEM
 	// ============================================================
--- a/svc/routes/password_forgot.go
+++ b/svc/routes/password_forgot.go
@@ -73,7 +73,7 @@ func ForgotPasswordHandler(
 		_, _ = db.Exec(`
 			INSERT INTO dfusr_password_reset (
 				dfusr_id,
-				token,
+				token_hash,
 				expires_at
 			)
 			VALUES ($1, $2, $3)
--- a/svc/routes/password_reset_complete.go
+++ b/svc/routes/password_reset_complete.go
@@ -43,9 +43,9 @@ func CompletePasswordResetHandler(db *sql.DB) http.HandlerFunc {
 		var expiresAt time.Time
 		err := db.QueryRow(`
-			SELECT mk_dfusr_id, expires_at
+			SELECT dfusr_id, expires_at
-			FROM mk_dfusr_password_reset
+			FROM dfusr_password_reset
-			WHERE token = $1
+			WHERE token_hash = $1
 			  AND used_at IS NULL
 		`, tokenHash).Scan(&userID, &expiresAt)
@@ -84,9 +84,10 @@ func CompletePasswordResetHandler(db *sql.DB) http.HandlerFunc {
 		// token tüket
 		if _, err := tx.Exec(`
-			UPDATE mk_dfusr_password_reset
+			UPDATE dfusr_password_reset
 			SET used_at = now()
-			WHERE token = $1
+			WHERE token_hash = $1
 			  AND used_at IS NULL
 		`, tokenHash); err != nil {
 			http.Error(w, "token update failed", http.StatusInternalServerError)
 			return
--- a/svc/routes/password_reset_validate.go
+++ b/svc/routes/password_reset_validate.go
@@ -1,9 +1,8 @@
 package routes
 import (
-	"crypto/sha256"
+	"bssapp-backend/internal/security"
 	"database/sql"
 	"encoding/hex"
 	"net/http"
 	"time"
@@ -21,8 +20,7 @@ func ValidatePasswordResetTokenHandler(db *sql.DB) http.HandlerFunc {
 		}
 		// 🔐 plain token -> hash
-		h := sha256.Sum256([]byte(token))
+		tokenHash := security.HashToken(token)
 		tokenHash := hex.EncodeToString(h[:])
 		var (
 			userID    int64
@@ -31,8 +29,8 @@ func ValidatePasswordResetTokenHandler(db *sql.DB) http.HandlerFunc {
 		)
 		err := db.QueryRow(`
-			SELECT user_id, expires_at, used_at
+			SELECT dfusr_id, expires_at, used_at
-			FROM password_reset_tokens
+			FROM dfusr_password_reset
 			WHERE token_hash = $1
 			LIMIT 1
 		`, tokenHash).Scan(&userID, &expiresAt, &usedAt)
--- a/svc/routes/user_detail.go
+++ b/svc/routes/user_detail.go
@@ -456,7 +456,7 @@ func SendPasswordResetMailHandler(
 		// 💾 DB → SADECE HASH
 		_, _ = db.Exec(`
-			INSERT INTO dfusr_password_reset (dfusr_id, token, expires_at)
+			INSERT INTO dfusr_password_reset (dfusr_id, token_hash, expires_at)
 			VALUES ($1,$2,$3)
 		`, userID, hash, expires)