diff --git a/app/Auth/CustomUserProvider.php b/app/Auth/CustomUserProvider.php
new file mode 100644
index 0000000..08c10bc
--- /dev/null
+++ b/app/Auth/CustomUserProvider.php
@@ -0,0 +1,35 @@
+getAuthPassword();
+
+ if ($this->isBcryptHash($hashed)) {
+ if ($this->hasher->check($plain, $hashed)) {
+ return true;
+ }
+ } else {
+ if (md5($plain) === $hashed) {
+ // Upgrade lên bcrypt
+ $user->password = $this->hasher->make($plain);
+ $user->save();
+ return true;
+ }
+ }
+
+ return false;
+ }
+
+ protected function isBcryptHash($hashedPassword): bool
+ {
+ return password_get_info($hashedPassword)['algo'] === PASSWORD_BCRYPT;
+ }
+}
diff --git a/app/Auth/PassportUserRepository.php b/app/Auth/PassportUserRepository.php
new file mode 100644
index 0000000..c65c16c
--- /dev/null
+++ b/app/Auth/PassportUserRepository.php
@@ -0,0 +1,49 @@
+first();
+
+ if (!$user) {
+ return null;
+ }
+
+ // Tránh lỗi Hash::check() với MD5
+ if ($this->isBcryptHash($user->password)) {
+ if (Hash::check($password, $user->password)) {
+ return new User($user->id);
+ }
+ } else {
+ // Hash không phải bcrypt, kiểm tra MD5 thủ công
+ if (md5($password) === $user->password) {
+ // Nâng cấp mật khẩu lên bcrypt
+ $user->password = Hash::make($password);
+ $user->save();
+
+ return new User($user->id);
+ }
+ }
+
+ return null;
+ }
+
+ // Thêm method kiểm tra thuật toán hash
+ protected function isBcryptHash($hashedPassword): bool
+ {
+ return password_get_info($hashedPassword)['algo'] === PASSWORD_BCRYPT;
+ }
+}
diff --git a/app/Providers/AuthServiceProvider.php b/app/Providers/AuthServiceProvider.php
index e6eaad1..5533526 100644
--- a/app/Providers/AuthServiceProvider.php
+++ b/app/Providers/AuthServiceProvider.php
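Review bot: In `app/Auth/CustomUserProvider.php` the legacy branch compares digests with `md5($plain) === $hashed`, which is not a constant-time comparison; I would write `if (hash_equals((string) $hashed, md5($plain))) {` here and in the matching `md5($password) === $user->password` branch of `PassportUserRepository`. The `else` treats every stored value that is not bcrypt as MD5, so accounts that never log in again keep an unsalted MD5 hash indefinitely; a one-off migration or forced reset for the remaining rows would close that window, though that lies outside this hunk. Assigning `$user->password` directly assumes the model has no hashing cast or mutator on that attribute, which is worth confirming to avoid double hashing. The top of the class is missing from the page, so the method signature could not be checked.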
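Review bot: In `app/Auth/PassportUserRepository.php` the MD5 fallback, the bcrypt upgrade and `isBcryptHash()` are copied from `CustomUserProvider`, so a later fix to one login path can silently miss the other. Moving them into one shared trait or service that both classes call would keep web and API verification identical, and logging each upgrade there would show how many MD5 accounts remain. The helper is also untyped; `protected function isBcryptHash(?string $hashedPassword): bool` with an early `return false` for `null` would make the empty-password case explicit. The user lookup at the top of the method is not visible on this page.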
@@ -5,8 +5,10 @@ namespace App\Providers; use Illuminate\Foundation\Support\Providers\AuthServiceProvider as ServiceProvider; use Laravel\Passport\Passport; use League\OAuth2\Server\AuthorizationServer; -use Laravel\Passport\Bridge\UserRepository; +use App\Auth\PassportUserRepository; // thêm dòng này use Laravel\Passport\Bridge\RefreshTokenRepository; +use Illuminate\Support\Facades\Auth; +use App\Auth\CustomUserProvider; // thêm dòng này use DateInterval; class AuthServiceProvider extends ServiceProvider @@ -18,14 +20,20 @@ class AuthServiceProvider extends ServiceProvider Passport::tokensExpireIn(now()->addHour()); Passport::refreshTokensExpireIn(now()->addMonth()); + // Đăng ký CustomUserProvider cho login web + Auth::provider('custom', function ($app, array $config) { + return new CustomUserProvider($app['hash'], $config['model']); + }); + + // Passport custom repository cho API login $this->app->afterResolving(AuthorizationServer::class, function ($server) { $grant = new \League\OAuth2\Server\Grant\PasswordGrant( - app(UserRepository::class), + app(PassportUserRepository::class), // Custom Passport user repository app(RefreshTokenRepository::class) ); - $grant->setRefreshTokenTTL(new DateInterval('P1M')); // 1 tháng + $grant->setRefreshTokenTTL(new DateInterval('P1M')); // 1 tháng refresh token - $server->enableGrantType($grant, new DateInterval('PT1H')); // 1 giờ + $server->enableGrantType($grant, new DateInterval('PT1H')); // 1 giờ access token }); } } diff --git a/config/auth.php b/config/auth.php index 6d9c511..77e5459 100644 --- a/config/auth.php +++ b/config/auth.php @@ -66,7 +66,8 @@ return [ 'providers' => [ 'users' => [ - 'driver' => 'eloquent', + // 'driver' => 'eloquent', + 'driver' => 'custom', 'model' => env('AUTH_MODEL', App\Models\User::class), ],
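Review bot: The two new comments in the second hunk of `AuthServiceProvider.php` say what is registered but not why, and these registrations are what keep MD5 verification reachable from both the web login and the password grant. I would replace them with something like `// Temporary: legacy MD5 hashes are verified and re-hashed to bcrypt on login; remove once no MD5 hashes remain.` so the fallback is not left in place by accident. The `// thêm dòng này` markers on the `use` lines in the first hunk read as tutorial residue and can go. The enclosing method starts outside the hunk.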
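Review bot: Switching `users` to `'driver' => 'custom'` in `config/auth.php` applies the MD5 fallback to every guard that resolves this provider, not only the web login, and the name `custom` does not convey that. A descriptive driver name, for example `'driver' => 'legacy-md5',` (it must match the name passed to `Auth::provider(...)`), would make the config easier to audit. The commented-out `// 'driver' => 'eloquent',` line can be dropped since version control already keeps the old value. The `providers` array continues outside the hunk.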