goncalopinto1 · goncalopinto1 · Feb 7, 2026 · Feb 7, 2026 · Feb 7, 2026
diff --git a/backend/admin_login.py b/backend/admin_login.py
@@ -1,17 +1,19 @@
 from fastapi.security import OAuth2PasswordRequestForm
 from jose import jwt
-from passlib.context import CryptContext
 from backend.database import SessionLocal
 from datetime import datetime, timedelta
-from fastapi import Depends, HTTPException, status
+from fastapi import Depends, HTTPException
 from backend.models import Users
 from dotenv import load_dotenv
 import os
-pwd_context = CryptContext(schemes=["argon2"], deprecated="auto")
+import bcrypt
 
 load_dotenv()
 
 SECRET_KEY = os.getenv("SECRET_KEY")
+if not SECRET_KEY:
+    raise RuntimeError("SECRET_KEY is not set")
+
 ALGORITHM = "HS256"
 ACCESS_TOKEN_EXPIRE_MINUTES = 60
 
@@ -20,31 +22,26 @@ def admin_login(user_credentials: OAuth2PasswordRequestForm = Depends()):
     admin_password = user_credentials.password
 
     db = SessionLocal()
+    try:
+        user = db.query(Users).filter(Users.email == admin_email).first()
+        if not user:
+            raise HTTPException(status_code=401, detail="Invalid credentials")
 
-    user = db.query(Users).filter(
-        Users.email == admin_email
-    ).first()
-
-    if not user:
-        raise HTTPException(
-            status_code=status.HTTP_404_NOT_FOUND,
-            detail= "Invalid credentials"
-        )
-
-    if not pwd_context.verify(user_credentials.password, user.hashed_password):
-        raise HTTPException(
-            status_code=status.HTTP_404_NOT_FOUND,
-            detail= "Invalid credentials"
-        )
+        if not bcrypt.checkpw(
+            admin_password.encode("utf-8"),
+            user.hashed_password.encode("utf-8")
+        ):
+            raise HTTPException(status_code=401, detail="Invalid credentials")
 
-    expire = datetime.utcnow() + timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
+        expire = datetime.utcnow() + timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
 
-    token_data = {
-        "sub": user.email, # sub = subject(who's token owner)
-        "exp": expire # exp = expiration
-    }
+        token_data = {
+            "sub": user.email,
+            "exp": expire
+        }
 
-    access_token = jwt.encode(token_data, SECRET_KEY, algorithm=ALGORITHM)
+        access_token = jwt.encode(token_data, SECRET_KEY, algorithm=ALGORITHM)
+        return {"access_token": access_token, "token_type": "bearer"}
 
-    db.close()
-    return {"access_token": access_token, "token_type": "bearer"}
+    finally:
+        db.close()
diff --git a/backend/main.py b/backend/main.py
@@ -109,38 +109,6 @@ def delete_post(post_id: int, user_credentials: str = Depends(verify_token)):
 def update_post(post_id: int, update: PostUpdate, user_credentials: str = Depends(verify_token)):
     return update_posts(post_id, update)
 
-# ⚠️ ENDPOINT TEMPORÁRIO - REMOVER DEPOIS!
-@app.post("/secret-setup-admin-xyz123")
-async def setup_admin(secret_key: str):
-    if secret_key != "meu-portfolio-2026-setup":
-        raise HTTPException(status_code=403)
-
-    import bcrypt  # ✅ Usa bcrypt direto
-    from backend.models import Users
-    from backend.database import SessionLocal
-
-    db = SessionLocal()
-
-    # Apaga se existir
-    existing = db.query(Users).filter(Users.email == "goncalo.luis.pinto@gmail.com").first()
-    if existing:
-        db.delete(existing)
-        db.commit()
-
-    # Hash com bcrypt direto (evita o bug do passlib)
-    password = "admin123"
-    salt = bcrypt.gensalt()
-    hashed = bcrypt.hashpw(password.encode('utf-8'), salt).decode('utf-8')
-
-    admin = Users(
-        email="goncalo.luis.pinto@gmail.com",
-        hashed_password=hashed
-    )
-    db.add(admin)
-    db.commit()
-    db.close()
-
-    return {"message": "✅ Admin criado!", "email": "goncalo.luis.pinto@gmail.com"}
 
 @app.get("/{page_name}", include_in_schema=False)
 async def serve_page(page_name: str, request: Request):