webupdate

backend/routes/auth.js

@@ -20,14 +20,14 @@ const {
 } = require("../middleware/bruteForceProtection");
 const router = express.Router();
 
-const getUserByEmail = async (email) => {
+const getUserByEmailOrUsername = async (emailOrUsername) => {
   const result = await query(
     `SELECT u.id, u.email, u.username, u.passwordhash, u.role_id, u.isactive,
             r.name as role_name, r.permissions
      FROM adminusers u
      LEFT JOIN roles r ON u.role_id = r.id
-     WHERE u.email = $1`,
-    [email]
+     WHERE u.email = $1 OR u.username = $1`,
+    [emailOrUsername],
   );
   return result.rows[0] || null;
 };
@@ -58,10 +58,10 @@ router.post(
   asyncHandler(async (req, res) => {
     const { email, password } = req.body;
     const ip = req.ip || req.connection.remoteAddress;
-    const admin = await getUserByEmail(email);
+    const admin = await getUserByEmailOrUsername(email);
 
     if (!admin) {
-      logger.warn("Login attempt with invalid email", { email, ip });
+      logger.warn("Login attempt with invalid email/username", { email, ip });
       recordFailedAttempt(ip);
       return sendUnauthorized(res, "Invalid email or password");
     }
@@ -98,7 +98,7 @@ router.post(
       });
       sendSuccess(res, { user: req.session.user });
     });
-  })
+  }),
 );
 
 // Check session endpoint