feat(security): #286 implement csrf middleware
This commit is contained in:
@@ -1,6 +1,7 @@
|
||||
package handler
|
||||
|
||||
import (
|
||||
"me-fit/handler/middleware"
|
||||
"me-fit/log"
|
||||
"me-fit/service"
|
||||
"me-fit/template/auth"
|
||||
@@ -58,9 +59,9 @@ var (
|
||||
|
||||
func (handler AuthImpl) handleSignInPage() http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
user, _ := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
|
||||
if user != nil {
|
||||
if !user.EmailVerified {
|
||||
session := middleware.GetSession(r)
|
||||
if session != nil {
|
||||
if !session.User.EmailVerified {
|
||||
utils.DoRedirect(w, r, "/auth/verify")
|
||||
} else {
|
||||
utils.DoRedirect(w, r, "/")
|
||||
@@ -121,10 +122,10 @@ func (handler AuthImpl) handleSignIn() http.HandlerFunc {
|
||||
|
||||
func (handler AuthImpl) handleSignUpPage() http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
user, _ := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
|
||||
session := middleware.GetSession(r)
|
||||
|
||||
if user != nil {
|
||||
if !user.EmailVerified {
|
||||
if session != nil {
|
||||
if !session.User.EmailVerified {
|
||||
utils.DoRedirect(w, r, "/auth/verify")
|
||||
} else {
|
||||
utils.DoRedirect(w, r, "/")
|
||||
@@ -139,33 +140,34 @@ func (handler AuthImpl) handleSignUpPage() http.HandlerFunc {
|
||||
|
||||
func (handler AuthImpl) handleSignUpVerifyPage() http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
user, _ := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
|
||||
if user == nil {
|
||||
session := middleware.GetSession(r)
|
||||
if session == nil {
|
||||
utils.DoRedirect(w, r, "/auth/signin")
|
||||
return
|
||||
}
|
||||
|
||||
if user.EmailVerified {
|
||||
if session.User.EmailVerified {
|
||||
utils.DoRedirect(w, r, "/")
|
||||
return
|
||||
}
|
||||
|
||||
signIn := auth.VerifyComp()
|
||||
handler.render.RenderLayout(r, w, signIn, user)
|
||||
handler.render.RenderLayout(r, w, signIn, session.User)
|
||||
}
|
||||
}
|
||||
|
||||
func (handler AuthImpl) handleVerifyResendComp() http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
user, err := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
|
||||
if err != nil {
|
||||
session := middleware.GetSession(r)
|
||||
if session == nil {
|
||||
utils.DoRedirect(w, r, "/auth/signin")
|
||||
return
|
||||
}
|
||||
|
||||
user := session.User
|
||||
go handler.service.SendVerificationMail(user.Id, user.Email)
|
||||
|
||||
_, err = w.Write([]byte("<p class=\"mt-8\">Verification email sent</p>"))
|
||||
_, err := w.Write([]byte("<p class=\"mt-8\">Verification email sent</p>"))
|
||||
if err != nil {
|
||||
log.Error("Could not write response: %v", err)
|
||||
}
|
||||
@@ -219,11 +221,14 @@ func (handler AuthImpl) handleSignUp() http.HandlerFunc {
|
||||
|
||||
func (handler AuthImpl) handleSignOut() http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
err := handler.service.SignOut(utils.GetSessionID(r))
|
||||
if err != nil {
|
||||
utils.TriggerToast(w, r, "error", "Internal Server Error")
|
||||
http.Error(w, err.Error(), http.StatusInternalServerError)
|
||||
return
|
||||
session := middleware.GetSession(r)
|
||||
|
||||
if session != nil {
|
||||
err := handler.service.SignOut(session.Id)
|
||||
if err != nil {
|
||||
http.Error(w, "An error occurred", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
c := http.Cookie{
|
||||
@@ -243,34 +248,34 @@ func (handler AuthImpl) handleSignOut() http.HandlerFunc {
|
||||
|
||||
func (handler AuthImpl) handleDeleteAccountPage() http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
// An unverified email should be able to delete their account
|
||||
user, err := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
|
||||
if err != nil {
|
||||
session := middleware.GetSession(r)
|
||||
if session == nil {
|
||||
utils.DoRedirect(w, r, "/auth/signin")
|
||||
return
|
||||
}
|
||||
|
||||
comp := auth.DeleteAccountComp()
|
||||
handler.render.RenderLayout(r, w, comp, user)
|
||||
handler.render.RenderLayout(r, w, comp, session.User)
|
||||
}
|
||||
}
|
||||
|
||||
func (handler AuthImpl) handleDeleteAccountComp() http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
user, err := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
|
||||
if err != nil {
|
||||
session := middleware.GetSession(r)
|
||||
if session == nil {
|
||||
utils.DoRedirect(w, r, "/auth/signin")
|
||||
return
|
||||
}
|
||||
|
||||
password := r.FormValue("password")
|
||||
|
||||
_, err = handler.service.SignIn(user.Email, password)
|
||||
_, err := handler.service.SignIn(session.User.Email, password)
|
||||
if err != nil {
|
||||
utils.TriggerToast(w, r, "error", "Password not correct")
|
||||
return
|
||||
}
|
||||
|
||||
err = handler.service.DeleteAccount(user)
|
||||
err = handler.service.DeleteAccount(session.User)
|
||||
if err != nil {
|
||||
utils.TriggerToast(w, r, "error", "Internal Server Error")
|
||||
return
|
||||
@@ -285,23 +290,23 @@ func (handler AuthImpl) handleChangePasswordPage() http.HandlerFunc {
|
||||
|
||||
isPasswordReset := r.URL.Query().Has("token")
|
||||
|
||||
user, _ := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
|
||||
session := middleware.GetSession(r)
|
||||
|
||||
if user == nil && !isPasswordReset {
|
||||
if session == nil && !isPasswordReset {
|
||||
utils.DoRedirect(w, r, "/auth/signin")
|
||||
return
|
||||
}
|
||||
|
||||
comp := auth.ChangePasswordComp(isPasswordReset)
|
||||
handler.render.RenderLayout(r, w, comp, user)
|
||||
handler.render.RenderLayout(r, w, comp, session.User)
|
||||
}
|
||||
}
|
||||
|
||||
func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
user, err := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
|
||||
if err != nil {
|
||||
session := middleware.GetSession(r)
|
||||
if session == nil {
|
||||
utils.DoRedirect(w, r, "/auth/signin")
|
||||
return
|
||||
}
|
||||
@@ -309,7 +314,7 @@ func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
|
||||
currPass := r.FormValue("current-password")
|
||||
newPass := r.FormValue("new-password")
|
||||
|
||||
err = handler.service.ChangePassword(user, currPass, newPass)
|
||||
err := handler.service.ChangePassword(session.User, currPass, newPass)
|
||||
if err != nil {
|
||||
utils.TriggerToast(w, r, "error", "Password not correct")
|
||||
return
|
||||
@@ -322,14 +327,14 @@ func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
|
||||
func (handler AuthImpl) handleResetPasswordPage() http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
|
||||
user, err := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
|
||||
if err != nil {
|
||||
session := middleware.GetSession(r)
|
||||
if session == nil {
|
||||
utils.DoRedirect(w, r, "/auth/signin")
|
||||
return
|
||||
}
|
||||
|
||||
comp := auth.ResetPasswordComp()
|
||||
handler.render.RenderLayout(r, w, comp, user)
|
||||
handler.render.RenderLayout(r, w, comp, session.User)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user