ilk

svc/middlewares/force_password_change.go

@@ -0,0 +1,66 @@
+package middlewares
+
+import (
+	"bssapp-backend/auth"
+	"database/sql"
+	"log"
+	"net/http"
+	"strings"
+)
+
+// 🔓 force_password_change=true iken izinli endpoint prefixleri
+var passwordChangeAllowlist = []string{
+	"/api/password/change",
+	"/api/password/reset",
+	"/api/password/reset/validate",
+	"/api/auth/refresh",
+}
+
+func ForcePasswordChangeGuard(db *sql.DB) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+			claims, ok := auth.GetClaimsFromContext(r.Context())
+			if !ok || claims == nil {
+				log.Println("❌ FPC GUARD: claims NOT FOUND")
+				http.Error(w, "Unauthorized", http.StatusUnauthorized)
+				return
+			}
+
+			log.Printf(
+				"🛡️ FPC GUARD user=%s force=%v path=%s",
+				claims.Username,
+				claims.ForcePasswordChange,
+				r.URL.Path,
+			)
+
+			// 🔓 Şifre değişimi zorunlu DEĞİL → serbest
+			if !claims.ForcePasswordChange {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// 🔐 Şifre değişimi ZORUNLU → allowlist kontrolü
+			for _, allowed := range passwordChangeAllowlist {
+				if strings.HasPrefix(r.URL.Path, allowed) {
+					log.Printf(
+						"✅ FPC GUARD PASS user=%s path=%s",
+						claims.Username,
+						r.URL.Path,
+					)
+					next.ServeHTTP(w, r)
+					return
+				}
+			}
+
+			// ⛔ Zorunlu ama yanlış endpoint
+			log.Printf(
+				"⛔ FPC GUARD BLOCK user=%s path=%s",
+				claims.Username,
+				r.URL.Path,
+			)
+
+			http.Error(w, "password change required", http.StatusUnauthorized)
+		})
+	}
+}