document bcrypt support

Nicola Murino 2019-07-29 09:20:33 +02:00
parent 2456d5c3bf
commit 7dd03ee24e
2 changed files with 4 additions and 7 deletions


@ -137,7 +137,7 @@ Here is a full example showing the default config:
For each account the following properties can be configured: For each account the following properties can be configured:
- `username` - `username`
- `password` used for password authentication. The password will be stored using argon2id hashing algo - `password` used for password authentication. For users created using SFTPGo REST API the password will be stored using argon2id hashing algo. SFTPGo supports checking passwords stored with bcrypt too. Currently, as fallback, there is a clear text password checking but you should not store passwords as clear text and this support could be removed at any time, so please don't depend on it.
- `public_key` used for public key authentication. At least one between password and public key is mandatory - `public_key` used for public key authentication. At least one between password and public key is mandatory
- `home_dir` The user cannot upload or download files outside this directory. Must be an absolute path - `home_dir` The user cannot upload or download files outside this directory. Must be an absolute path
- `uid`, `gid`. If sftpgo runs as root then the created files and directories will be assigned to this system uid/gid. Ignored on windows and if sftpgo runs as non root user: in this case files and directories for all SFTP users will be owned by the system user that runs sftpgo. - `uid`, `gid`. If sftpgo runs as root then the created files and directories will be assigned to this system uid/gid. Ignored on windows and if sftpgo runs as non root user: in this case files and directories for all SFTP users will be owned by the system user that runs sftpgo.


@ -46,15 +46,12 @@ func sqlCommonValidateUserAndPass(username string, password string) (User, error
logger.Warn(logSender, "error comparing password with argon hash: %v", err) logger.Warn(logSender, "error comparing password with argon hash: %v", err)
return user, err return user, err
} }
} else if strings.HasPrefix(user.Password, bcryptPwdPrefix) {
} else if strings.HasPrefix(user.Password, bcryptPwdPrefix){ if err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password)); err != nil {
err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password))
if err != nil {
logger.Warn(logSender, "error comparing password with bcrypt hash: %v", err) logger.Warn(logSender, "error comparing password with bcrypt hash: %v", err)
return user, err return user, err
}else{
match = true
} }
match = true
} else { } else {
// clear text password match // clear text password match
match = (user.Password == password) match = (user.Password == password)
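Review bot: The final `else` branch treats every stored value that lacks a recognised hash prefix as clear text and compares it with `==`, so a hash in a format the prefixes do not cover would be checked as if it were the password itself, and the comparison is not constant-time. I would change it to `match = subtle.ConstantTimeCompare([]byte(user.Password), []byte(password)) == 1` (this needs the `crypto/subtle` import) and log a warning whenever this branch is taken, so accounts still stored without a hash can be found and migrated. In the new bcrypt branch a wrong password and a malformed stored hash produce the same warning; checking for `bcrypt.ErrMismatchedHashAndPassword` would separate failed logins from data problems. `bcryptPwdPrefix` and the rest of `sqlCommonValidateUserAndPass` are outside the hunk, so which prefixes are recognised cannot be confirmed from here.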