From ec60bcbfbcf94e6e69d0f29fae50c8ea78e26d90 Mon Sep 17 00:00:00 2001
From: Pawel
Date: Wed, 14 Jan 2026 12:35:55 +0000
Subject: [PATCH] Upgraded Password Validation/Rehashing in API.pm
---
lib/GADS.pm | 2 +-
lib/GADS/API.pm | 16 ++++++++++++++--
2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/lib/GADS.pm b/lib/GADS.pm
index 62ba1fa71..d992b0987 100644
--- a/lib/GADS.pm
+++ b/lib/GADS.pm
@@ -86,7 +86,7 @@ use WWW::Mechanize::Chrome;
use Dancer2; # Last to stop Moo generating conflicting namespace
use Dancer2::Plugin::DBIC;
use Dancer2::Plugin::Auth::Extensible;
-use Dancer2::Plugin::Auth::Extensible::Provider::DBIC 0.623;
+use Dancer2::Plugin::Auth::Extensible::Provider::DBIC 0.625;
use Dancer2::Plugin::LogReport 'linkspace';
use GADS::API; # API routes
diff --git a/lib/GADS/API.pm b/lib/GADS/API.pm
index c0a92b940..329aed9cf 100644
--- a/lib/GADS/API.pm
+++ b/lib/GADS/API.pm
@@ -28,6 +28,7 @@ use URI::Escape qw/uri_escape_utf8/;
use Dancer2 appname => 'GADS';
use Dancer2::Plugin::Auth::Extensible;
+use Dancer2::Plugin::CryptPassphrase;
use Dancer2::Plugin::DBIC;
use Dancer2::Plugin::LogReport 'linkspace';
@@ -56,8 +57,19 @@ my $verify_user_password_sub = sub {
username => $args{username},
})->next;
- $user && Crypt::SaltedHash->validate($user->password, $args{password})
- and return ($client->id, undef, undef, $user->id);
+ if ($user) {
+ my $stored = $user->password;
+
+ if (crypt_passphrase->verify_password($args{password}, $stored)) {
+ return ($client->id, undef, undef, $user->id);
+ }
+ if (Crypt::SaltedHash->validate($stored, $args{password})) {
+ my $new_hash = crypt_passphrase->hash_password($args{password});
+ $user->update({ password => $new_hash });
+
+ return ($client->id, undef, undef, $user->id);
+ }
+ }
return (0, 'access_denied');
};
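Review bot: The legacy fallback at the `Crypt::SaltedHash->validate($stored, ...)` line runs on every stored hash the new verifier rejects, which after migration means every wrong-password attempt against an already-upgraded (non-`{SCHEME}`) hash also goes through Crypt::SaltedHash; unless that module is known to return false rather than die on a format it does not recognise, a failed login could surface as an exception instead of `access_denied`. Gating the fallback on the legacy hash shape, `if ($stored =~ m/\A\{/ && Crypt::SaltedHash->validate($stored, $args{password})) {`, keeps the legacy branch confined to legacy hashes. The same hedge applies to `crypt_passphrase->verify_password` on the `{SSHA}`-style strings it is now handed first; the hash-format behaviour of both libraries should be confirmed rather than assumed. A short comment above the second `if` such as `# Legacy Crypt::SaltedHash hash: verify, then transparently rehash with crypt_passphrase` would make the migration intent explicit, and the new-scheme path could later use `crypt_passphrase->needs_rehash($stored)` so parameter upgrades also migrate. The enclosing `$verify_user_password_sub` begins outside the hunk.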