[Security][API] Legacy weak hash fallback should be disabled by default (MD5/SHA1/plaintext)

### Contact Details
security-automation@local

### This bug is related to UI or API?
API

### What happened?
ACL authentication logic had compatibility paths that accepted weak legacy primitives (MD5, SHA1, and plaintext fallback paths) as normal authentication behavior.

Expected behavior:
- Strong hashes only by default
- Legacy behavior behind explicit compatibility flags
- Successful legacy login should be migrated to bcrypt

Patch prepared:
- Added config flags and set secure defaults in `settings.example.py`
- Kept legacy compatibility optional, disabled by default
- Added on-success password upgrade path to bcrypt for legacy credentials

Reference branch/commit:
- Branch: `codex/sec-python-rescan-20260308`
- Commit: `5f0137d35`

### Version
newest

### What browsers are you seeing the problem on?
Chrome

### Relevant log output
```shell
Bandit findings before fix:
- api/lib/perm/acl/app.py:86 B324 HIGH/HIGH (MD5)
- api/models/acl.py:30 B324 HIGH/HIGH (SHA1)
- api/models/acl.py:175 B324 HIGH/HIGH (MD5)
- api/models/acl.py:236 B324 HIGH/HIGH (MD5)
```


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security][API] Legacy weak hash fallback should be disabled by default (MD5/SHA1/plaintext) #766

Contact Details

This bug is related to UI or API?

What happened?

Version

What browsers are you seeing the problem on?

Relevant log output

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Security][API] Legacy weak hash fallback should be disabled by default (MD5/SHA1/plaintext) #766

Description

Contact Details

This bug is related to UI or API?

What happened?

Version

What browsers are you seeing the problem on?

Relevant log output

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions