From 328496feaaa7625a8ea5b34850114594de0b23a1 Mon Sep 17 00:00:00 2001
From: Tiago Yamamoto
Date: Wed, 24 Dec 2025 14:22:56 -0300
Subject: [PATCH] chore: add login verification scripts and update deps

---
 backend/tests/verify_login_test.go | 60 ++++++++++++++++++++++++++++++
 seeder-api/.env.example | 1 -
 seeder-api/package.json | 3 +-
 seeder-api/src/verify-login.js | 47 +++++++++++++++++++++++
 4 files changed, 109 insertions(+), 2 deletions(-)
 create mode 100644 backend/tests/verify_login_test.go
 create mode 100644 seeder-api/src/verify-login.js

diff --git a/backend/tests/verify_login_test.go b/backend/tests/verify_login_test.go
new file mode 100644
index 0000000..20987c1
--- /dev/null
+++ b/backend/tests/verify_login_test.go
@@ -0,0 +1,60 @@
+package tests
+
+import (
+ "database/sql"
+ "fmt"
+ "testing"
+
+ _ "github.com/lib/pq"
+ "golang.org/x/crypto/bcrypt"
+)
+
+func TestVerifyLogin(t *testing.T) {
+ // 1. Config
+ dbURL := "postgres://yuki:xl1zfmr6e9bb@db-60059.dc-sp-1.absamcloud.com:26868/gohorsejobs_dev?sslmode=require"
+ pepper := "gohorse-pepper" // Using the simple pepper user agreed to
+ // Alternative: try the old one if needed, but let's stick to the latest instruction.
+ // If the user hasn't updated the seeder to 'gohorse-pepper' yet, this might fail unless I check what they actually used.
+ // The user claimed "variables are equal".
+ password := "Admin@2025!"
+
+ // 2. Connect DB
+ db, err := sql.Open("postgres", dbURL)
+ if err != nil {
+ t.Fatalf("Failed to connect: %v", err)
+ }
+ defer db.Close()
+
+ if err := db.Ping(); err != nil {
+ t.Fatalf("Failed to ping: %v", err)
+ }
+
+ // 3. Fetch User
+ var hash string
+ err = db.QueryRow("SELECT password_hash FROM users WHERE identifier = 'superadmin'").Scan(&hash)
+ if err != nil {
+ t.Fatalf("Failed to find user: %v", err)
+ }
+
+ fmt.Printf("found hash in DB: %s\n", hash)
+
+ // 4. Verify
+ passWithPepper := password + pepper
+ err = bcrypt.CompareHashAndPassword([]byte(hash), []byte(passWithPepper))
+ if err != nil {
+ t.Errorf("FAILED to verify with pepper '%s': %v", pepper, err)
+
+ // Try with the "old" random string pepper just in case
+ oldPepper := "some-random-string-for-password-hashing"
+ passWithOld := password + oldPepper
+ err2 := bcrypt.CompareHashAndPassword([]byte(hash), []byte(passWithOld))
+ if err2 == nil {
+ t.Logf("SUCCESS with OLD pepper: '%s'", oldPepper)
+ } else {
+ t.Logf("Failed with old pepper as well.")
+ }
+
+ } else {
+ t.Logf("SUCCESS! Password verifies with pepper '%s'", pepper)
+ }
+}
diff --git a/seeder-api/.env.example b/seeder-api/.env.example
index c4727b7..b3e815e 100644
--- a/seeder-api/.env.example
+++ b/seeder-api/.env.example
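Review bot: The dbURL literal at the top of TestVerifyLogin embeds a database username, password and host, and the seeded superadmin password and pepper sit in the same block as literals; once pushed these stay in git history, so the database credential should be treated as exposed and rotated, and the test should take its inputs from the environment and skip when they are absent, e.g. `dbURL := os.Getenv("DATABASE_URL")` (pick the name the backend already uses) followed by `if dbURL == "" { t.Skip("database URL not set") }`, with the pepper read the same way (the seeder side of this patch already names it `PASSWORD_PEPPER`). Because the file lives in package tests with no build tag, a plain `go test ./...` will open a connection to that remote host on every run, which the skip also prevents. The fmt.Printf after the QueryRow writes the stored bcrypt hash to test output, where it ends up in CI logs; drop it or log only that a row was found. The fallback to a second hard-coded pepper after t.Errorf reports success for whichever value happens to match instead of pinning the configured one, and the three comment lines under `pepper :=` read as working notes rather than documentation.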
@@ -20,4 +20,3 @@ BACKEND_API_URL=http://localhost:8521/api/v1
 # MUST match backend PASSWORD_PEPPER for login to work
 PASSWORD_PEPPER=some-random-string-for-password-hashing
-PASSWORD_PEPPER=some-random-string-for-password-hashing
diff --git a/seeder-api/package.json b/seeder-api/package.json
index 53124c6..6e7e175 100644
--- a/seeder-api/package.json
+++ b/seeder-api/package.json
@@ -10,7 +10,8 @@
 "migrate": "node src/migrate.js",
 "seed:users": "node src/seeders/users.js",
 "seed:companies": "node src/seeders/companies.js",
- "seed:jobs": "node src/seeders/jobs.js"
+ "seed:jobs": "node src/seeders/jobs.js",
+ "verify": "node src/verify-login.js"
 },
 "keywords": [
 "seeder",
diff --git a/seeder-api/src/verify-login.js b/seeder-api/src/verify-login.js
new file mode 100644
index 0000000..95989f9
--- /dev/null
+++ b/seeder-api/src/verify-login.js
@@ -0,0 +1,47 @@
+
+import { pool } from './db.js';
+import bcrypt from 'bcrypt';
+import dotenv from 'dotenv';
+dotenv.config();
+
+const PASSWORD_PEPPER = process.env.PASSWORD_PEPPER || '';
+
+async function verify() {
+ console.log('🔍 Verifying SuperAdmin credentials...');
+ console.log(`🌶️ Using Pepper: "${PASSWORD_PEPPER}"`);
+
+ try {
+ const res = await pool.query("SELECT password_hash FROM users WHERE identifier = 'superadmin'");
+ if (res.rows.length === 0) {
+ console.error('❌ SuperAdmin user not found in DB!');
+ return;
+ }
+
+ const hash = res.rows[0].password_hash;
+ const password = 'Admin@2025!';
+ const passwordWithPepper = password + PASSWORD_PEPPER;
+
+ const match = await bcrypt.compare(passwordWithPepper, hash);
+
+ if (match) {
+ console.log('✅ SUCCESS: Database hash matches (Password + Pepper)');
+ console.log('👉 If login fails on the server, the server likely has the WRONG pepper or NO pepper.');
+ } else {
+ console.error('❌ FAILURE: Database hash does NOT match local logic.');
+
+ // Try without pepper
+ const matchNoPepper = await bcrypt.compare(password, hash);
+ if (matchNoPepper) {
+ console.warn('⚠️ WARNING: Hash matches password WITHOUT pepper. The seeder ignored the pepper.');
+ } else {
+ console.error('❌ Hash matches neither.');
+ }
+ }
+ } catch (err) {
+ console.error('Error:', err);
+ } finally {
+ await pool.end();
+ }
+}
+
+verify();
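Review bot: The second console.log in verify() prints the full PASSWORD_PEPPER value, and the superadmin password is a literal on the `const password` line, so `npm run verify` in CI writes a server-side secret into the build log; log only whether the pepper is set, e.g. `console.log('🌶️ Pepper configured:', PASSWORD_PEPPER !== '');`, and read the password from an environment variable (a constructed name such as `SUPERADMIN_PASSWORD`, to be aligned with the project's config) with an early return when it is missing. The `|| ''` default on PASSWORD_PEPPER means an unset variable silently verifies against an unpeppered hash, which is the misconfiguration the script exists to detect; treating an empty pepper as a failure makes the outcome unambiguous. All failure branches exit with status 0, so a caller cannot tell success from failure without parsing output; set `process.exitCode = 1` in the mismatch and not-found branches. The unawaited `verify();` at the bottom is acceptable here because every error is caught inside the function.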