From ca1247a96808a01618bd04f528706de5efd5f8c9 Mon Sep 17 00:00:00 2001 From: Ryan Salazar Date: Sat, 9 May 2026 02:57:29 +0000 Subject: [PATCH] wp-login: skip phpass when legacy row is already linked to auth user MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Previously the route ran phpass validation against wp_legacy_users. wp_hashed_password before checking auth_user_id, even for users who had already been migrated. That meant any user whose Supabase password diverged from the original WP hash (e.g., curated migration users like ryan.salazar@relevantmediaproperties.com — wp_id=1 'broadcastbeat', where the hash on the legacy row is from the migration template, not the user's current password) would get 401 even with the correct Supabase password. Fix: if auth_user_id is set OR password_upgraded is true, skip phpass and go directly to supabase.auth.signInWithPassword. The legacy hash is only authoritative for the first-ever login (when neither flag is set). Returns legacy:true so the client can distinguish from the fully-native signInWithPassword fallback (legacy:false). --- src/app/api/auth/wp-login/route.ts | 25 +++++++++++++++++++++++-- 1 file changed, 23 insertions(+), 2 deletions(-) diff --git a/src/app/api/auth/wp-login/route.ts b/src/app/api/auth/wp-login/route.ts index 87c76c8..7c2e2b1 100644 --- a/src/app/api/auth/wp-login/route.ts +++ b/src/app/api/auth/wp-login/route.ts @@ -47,13 +47,34 @@ export async function POST(request: NextRequest) { ); } - // 3. Validate the phpass hash + // 3. If the legacy row is already linked to an auth user (password upgraded + // via a previous successful login, or relinked manually), skip phpass + // entirely — the legacy hash is stale once a Supabase password exists. + if (legacyUser.auth_user_id || legacyUser.password_upgraded) { + const { data: signInData, error: signInError } = await supabase.auth.signInWithPassword({ + email: email.toLowerCase().trim(), + password, + }); + if (signInError || !signInData.session) { + return NextResponse.json({ error: 'Invalid credentials' }, { status: 401 }); + } + return NextResponse.json({ + success: true, + session: signInData.session, + user: signInData.user, + migrated: true, + legacy: true, + }); + } + + // 4. First-time login for a never-migrated WP user — validate phpass. const passwordValid = await validatePhpassPassword(password, legacyUser.wp_hashed_password); if (!passwordValid) { return NextResponse.json({ error: 'Invalid credentials' }, { status: 401 }); } - // 4. If user already has a Supabase auth account, sign them in + // (legacy fallthrough — auth_user_id is null at this point, but keep the + // shape of the prior post-validation branch for code readability.) if (legacyUser.auth_user_id) { // User already migrated — sign in normally const { data: signInData, error: signInError } = await supabase.auth.signInWithPassword({