wp-login: skip phpass when legacy row is already linked to auth user

Previously the route ran phpass validation against wp_legacy_users.
wp_hashed_password before checking auth_user_id, even for users who had
already been migrated. That meant any user whose Supabase password
diverged from the original WP hash (e.g., curated migration users like
ryan.salazar@relevantmediaproperties.com — wp_id=1 'broadcastbeat',
where the hash on the legacy row is from the migration template, not
the user's current password) would get 401 even with the correct
Supabase password.

Fix: if auth_user_id is set OR password_upgraded is true, skip phpass
and go directly to supabase.auth.signInWithPassword. The legacy hash
is only authoritative for the first-ever login (when neither flag is
set). Returns legacy:true so the client can distinguish from the
fully-native signInWithPassword fallback (legacy:false).
This commit is contained in:
Ryan Salazar
2026-05-09 02:57:29 +00:00
parent e7f434305d
commit ca1247a968

View File

@@ -47,13 +47,34 @@ export async function POST(request: NextRequest) {
);
}
// 3. Validate the phpass hash
// 3. If the legacy row is already linked to an auth user (password upgraded
// via a previous successful login, or relinked manually), skip phpass
// entirely — the legacy hash is stale once a Supabase password exists.
if (legacyUser.auth_user_id || legacyUser.password_upgraded) {
const { data: signInData, error: signInError } = await supabase.auth.signInWithPassword({
email: email.toLowerCase().trim(),
password,
});
if (signInError || !signInData.session) {
return NextResponse.json({ error: 'Invalid credentials' }, { status: 401 });
}
return NextResponse.json({
success: true,
session: signInData.session,
user: signInData.user,
migrated: true,
legacy: true,
});
}
// 4. First-time login for a never-migrated WP user — validate phpass.
const passwordValid = await validatePhpassPassword(password, legacyUser.wp_hashed_password);
if (!passwordValid) {
return NextResponse.json({ error: 'Invalid credentials' }, { status: 401 });
}
// 4. If user already has a Supabase auth account, sign them in
// (legacy fallthrough — auth_user_id is null at this point, but keep the
// shape of the prior post-validation branch for code readability.)
if (legacyUser.auth_user_id) {
// User already migrated — sign in normally
const { data: signInData, error: signInError } = await supabase.auth.signInWithPassword({