diff --git a/app/controllers/auth.controller.js b/app/controllers/auth.controller.js
index 7f7135d..85d005e 100644
--- a/app/controllers/auth.controller.js
+++ b/app/controllers/auth.controller.js
@@ -83,6 +83,15 @@ const getEffectivePermissions = (employeeDoc) => {
 return permissions;
 };
+const isEmployeeActive = (employeeDoc) => {
+ const rawStatus = employeeDoc?.status;
+ // Backward compatibility: older records may not have status set.
+ if (rawStatus === undefined || rawStatus === null || `${rawStatus}`.trim() === "") {
+ return true;
+ }
+ return `${rawStatus}`.trim().toLowerCase() === "active";
+};
+
 // Create and Save a new User
 exports.login = (req, res) => {
 var condition = {};
@@ -98,10 +107,11 @@ exports.login = (req, res) => {
 Employee.find(condition)
 .then(data => {
 if (data && data.length > 0) {
+ const activeEmployee = isEmployeeActive(data[0]);
 if (data.length === 1 && bcrypt.compareSync(
 req.body.password, data[0].password
- ) && data[0]?.status === 'active') {
+ ) && activeEmployee) {
 var token = jwt.sign({id: data[0].id}, config.secret, {
 expiresIn: 86400 // 24 hours
 });
@@ -116,7 +126,7 @@ exports.login = (req, res) => {
 name_cn: data[0].name_cn }
 );
 } else {
- if (data[0].status !== 'active') {
+ if (!activeEmployee) {
 throw(Error('User is not activated'));
 } else {
 throw(Error('Email or Password Is Invalid'));
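Review bot: `isEmployeeActive` fails open — a record whose `status` is missing, null or blank is treated as active, so any employee document that was created without the field (an older code path, a bulk import, or a bug elsewhere that drops it) can log in without ever having been activated, which is exactly the gate this check exists to enforce. Backward compatibility is safer handled by a one-off migration that writes `status` explicitly, with the login check failing closed: `if (rawStatus == null || String(rawStatus).trim() === "") { return false; }`. The trimmed, case-insensitive comparison also accepts values such as `" Active "` that the previous exact `=== 'active'` rejected; if `status` is only ever written by trusted code that is harmless, but the comment should state that this is an intentional loosening rather than just a compatibility shim.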
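Review bot: `activeEmployee` is computed from `data[0]` before the `data.length === 1` uniqueness test, so when the lookup returns several records the status of an arbitrary first match decides which error the caller is shown in the `else` branch. Deriving it as `const activeEmployee = data.length === 1 && isEmployeeActive(data[0]);` ties the activation decision to the single record whose password is actually verified. `exports.login` begins and ends outside this hunk, so the `.catch` for the promise chain is not visible here.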
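Review bot: The rewritten branch still throws `'User is not activated'` whenever `activeEmployee` is false, regardless of whether the submitted password matched, so an unauthenticated caller can confirm which accounts exist and are deactivated by submitting any password. Returning the generic `'Email or Password Is Invalid'` in both cases and logging the real reason server-side (e.g. `console.warn('login refused: inactive account', data[0].id);` before the throw) removes the oracle without changing the response for valid users. This enumeration predates the commit, but the line is being rewritten here and the same `isEmployeeActive` result drives both branches. The enclosing `exports.login` continues past the end of the hunk.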