fix: move implementation to "internal" package

internal/service/auth.go

@@ -0,0 +1,510 @@
+package service
+
+import (
+	"context"
+	"crypto/subtle"
+	"errors"
+	"net/mail"
+	"spend-sparrow/internal/db"
+	"spend-sparrow/internal/log"
+	mailTemplate "spend-sparrow/internal/template/mail"
+	"spend-sparrow/internal/types"
+	"strings"
+	"time"
+
+	"github.com/google/uuid"
+	"golang.org/x/crypto/argon2"
+)
+
+var (
+	ErrInvalidCredentials = errors.New("invalid email or password")
+	ErrInvalidPassword    = errors.New("the password needs to be 8 characters long, contain at least one number, one special, one uppercase and one lowercase character")
+	ErrInvalidEmail       = errors.New("invalid email")
+	ErrAccountExists      = errors.New("account already exists")
+	ErrSessionIdInvalid   = errors.New("session ID is invalid")
+	ErrTokenInvalid       = errors.New("token is invalid")
+)
+
+type Auth interface {
+	SignUp(email string, password string) (*types.User, error)
+	SendVerificationMail(userId uuid.UUID, email string)
+	VerifyUserEmail(token string) error
+
+	SignIn(session *types.Session, email string, password string) (*types.Session, *types.User, error)
+	SignInSession(sessionId string) (*types.Session, *types.User, error)
+	SignInAnonymous() (*types.Session, error)
+	SignOut(sessionId string) error
+
+	DeleteAccount(user *types.User, currPass string) error
+
+	ChangePassword(user *types.User, sessionId string, currPass, newPass string) error
+
+	SendForgotPasswordMail(email string) error
+	ForgotPassword(token string, newPass string) error
+
+	IsCsrfTokenValid(tokenStr string, sessionId string) bool
+	GetCsrfToken(session *types.Session) (string, error)
+}
+
+type AuthImpl struct {
+	db             db.Auth
+	random         Random
+	clock          Clock
+	mail           Mail
+	serverSettings *types.Settings
+}
+
+func NewAuth(db db.Auth, random Random, clock Clock, mail Mail, serverSettings *types.Settings) *AuthImpl {
+	return &AuthImpl{
+		db:             db,
+		random:         random,
+		clock:          clock,
+		mail:           mail,
+		serverSettings: serverSettings,
+	}
+}
+
+func (service AuthImpl) SignIn(session *types.Session, email string, password string) (*types.Session, *types.User, error) {
+	user, err := service.db.GetUserByEmail(email)
+	if err != nil {
+		if errors.Is(err, db.ErrNotFound) {
+			return nil, nil, ErrInvalidCredentials
+		} else {
+			return nil, nil, types.ErrInternal
+		}
+	}
+
+	hash := GetHashPassword(password, user.Salt)
+
+	if subtle.ConstantTimeCompare(hash, user.Password) == 0 {
+		return nil, nil, ErrInvalidCredentials
+	}
+
+	err = service.cleanUpSessionWithTokens(session)
+	if err != nil {
+		return nil, nil, types.ErrInternal
+	}
+
+	session, err = service.createSession(user.Id)
+	if err != nil {
+		return nil, nil, types.ErrInternal
+	}
+
+	return session, user, nil
+}
+
+func (service AuthImpl) SignInSession(sessionId string) (*types.Session, *types.User, error) {
+	if sessionId == "" {
+		return nil, nil, ErrSessionIdInvalid
+	}
+
+	session, err := service.db.GetSession(sessionId)
+	if err != nil {
+		return nil, nil, types.ErrInternal
+	}
+	if session.ExpiresAt.Before(service.clock.Now()) {
+		_ = service.db.DeleteSession(sessionId)
+		return nil, nil, nil
+	}
+
+	if session.UserId == uuid.Nil {
+		return session, nil, nil
+	}
+
+	user, err := service.db.GetUser(session.UserId)
+	if err != nil {
+		return nil, nil, types.ErrInternal
+	}
+
+	return session, user, nil
+}
+
+func (service AuthImpl) SignInAnonymous() (*types.Session, error) {
+	session, err := service.createSession(uuid.Nil)
+	if err != nil {
+		return nil, types.ErrInternal
+	}
+
+	log.Info("Anonymous session created: %v", session.Id)
+
+	return session, nil
+}
+
+func (service AuthImpl) SignUp(email string, password string) (*types.User, error) {
+	_, err := mail.ParseAddress(email)
+	if err != nil {
+		return nil, ErrInvalidEmail
+	}
+
+	if !isPasswordValid(password) {
+		return nil, ErrInvalidPassword
+	}
+
+	userId, err := service.random.UUID()
+	if err != nil {
+		return nil, types.ErrInternal
+	}
+
+	salt, err := service.random.Bytes(16)
+	if err != nil {
+		return nil, types.ErrInternal
+	}
+
+	hash := GetHashPassword(password, salt)
+
+	user := types.NewUser(userId, email, false, nil, false, hash, salt, service.clock.Now())
+
+	err = service.db.InsertUser(user)
+	if err != nil {
+		if errors.Is(err, db.ErrAlreadyExists) {
+			return nil, ErrAccountExists
+		} else {
+			return nil, types.ErrInternal
+		}
+	}
+
+	return user, nil
+}
+
+func (service AuthImpl) SendVerificationMail(userId uuid.UUID, email string) {
+	tokens, err := service.db.GetTokensByUserIdAndType(userId, types.TokenTypeEmailVerify)
+	if err != nil && !errors.Is(err, db.ErrNotFound) {
+		return
+	}
+
+	var token *types.Token
+
+	if len(tokens) > 0 {
+		token = tokens[0]
+	}
+
+	if token == nil {
+		newTokenStr, err := service.random.String(32)
+		if err != nil {
+			return
+		}
+
+		token = types.NewToken(
+			userId,
+			"",
+			newTokenStr,
+			types.TokenTypeEmailVerify,
+			service.clock.Now(),
+			service.clock.Now().Add(24*time.Hour))
+
+		err = service.db.InsertToken(token)
+		if err != nil {
+			return
+		}
+	}
+
+	var w strings.Builder
+	err = mailTemplate.Register(service.serverSettings.BaseUrl, token.Token).Render(context.Background(), &w)
+	if err != nil {
+		log.Error("Could not render welcome email: %v", err)
+		return
+	}
+
+	service.mail.SendMail(email, "Welcome to spend-sparrow", w.String())
+}
+
+func (service AuthImpl) VerifyUserEmail(tokenStr string) error {
+	if tokenStr == "" {
+		return types.ErrInternal
+	}
+
+	token, err := service.db.GetToken(tokenStr)
+	if err != nil {
+		return types.ErrInternal
+	}
+
+	user, err := service.db.GetUser(token.UserId)
+	if err != nil {
+		return types.ErrInternal
+	}
+
+	if token.Type != types.TokenTypeEmailVerify {
+		return types.ErrInternal
+	}
+
+	now := service.clock.Now()
+
+	if token.ExpiresAt.Before(now) {
+		return types.ErrInternal
+	}
+
+	user.EmailVerified = true
+	user.EmailVerifiedAt = &now
+
+	err = service.db.UpdateUser(user)
+	if err != nil {
+		return types.ErrInternal
+	}
+
+	_ = service.db.DeleteToken(token.Token)
+	return nil
+}
+
+func (service AuthImpl) SignOut(sessionId string) error {
+	return service.db.DeleteSession(sessionId)
+}
+
+func (service AuthImpl) DeleteAccount(user *types.User, currPass string) error {
+	userDb, err := service.db.GetUser(user.Id)
+	if err != nil {
+		return types.ErrInternal
+	}
+
+	currHash := GetHashPassword(currPass, userDb.Salt)
+	if subtle.ConstantTimeCompare(currHash, userDb.Password) == 0 {
+		return ErrInvalidCredentials
+	}
+
+	err = service.db.DeleteUser(user.Id)
+	if err != nil {
+		return err
+	}
+
+	service.mail.SendMail(user.Email, "Account deleted", "Your account has been deleted")
+
+	return nil
+}
+
+func (service AuthImpl) ChangePassword(user *types.User, sessionId string, currPass, newPass string) error {
+	if !isPasswordValid(newPass) {
+		return ErrInvalidPassword
+	}
+
+	if currPass == newPass {
+		return ErrInvalidPassword
+	}
+
+	currHash := GetHashPassword(currPass, user.Salt)
+
+	if subtle.ConstantTimeCompare(currHash, user.Password) == 0 {
+		return ErrInvalidCredentials
+	}
+
+	newHash := GetHashPassword(newPass, user.Salt)
+	user.Password = newHash
+
+	err := service.db.UpdateUser(user)
+	if err != nil {
+		return err
+	}
+
+	sessions, err := service.db.GetSessions(user.Id)
+	if err != nil {
+		return types.ErrInternal
+	}
+	for _, s := range sessions {
+		if s.Id != sessionId {
+			err = service.db.DeleteSession(s.Id)
+			if err != nil {
+				return types.ErrInternal
+			}
+		}
+	}
+
+	return nil
+}
+
+func (service AuthImpl) SendForgotPasswordMail(email string) error {
+	tokenStr, err := service.random.String(32)
+	if err != nil {
+		return err
+	}
+
+	user, err := service.db.GetUserByEmail(email)
+	if err != nil {
+		if errors.Is(err, db.ErrNotFound) {
+			return nil
+		} else {
+			return types.ErrInternal
+		}
+	}
+
+	token := types.NewToken(
+		user.Id,
+		"",
+		tokenStr,
+		types.TokenTypePasswordReset,
+		service.clock.Now(),
+		service.clock.Now().Add(15*time.Minute))
+
+	err = service.db.InsertToken(token)
+	if err != nil {
+		return types.ErrInternal
+	}
+
+	var mail strings.Builder
+	err = mailTemplate.ResetPassword(service.serverSettings.BaseUrl, token.Token).Render(context.Background(), &mail)
+	if err != nil {
+		log.Error("Could not render reset password email: %v", err)
+		return types.ErrInternal
+	}
+	service.mail.SendMail(email, "Reset Password", mail.String())
+
+	return nil
+}
+
+func (service AuthImpl) ForgotPassword(tokenStr string, newPass string) error {
+	if !isPasswordValid(newPass) {
+		return ErrInvalidPassword
+	}
+
+	token, err := service.db.GetToken(tokenStr)
+	if err != nil {
+		return ErrTokenInvalid
+	}
+
+	err = service.db.DeleteToken(tokenStr)
+	if err != nil {
+		return err
+	}
+
+	if token.Type != types.TokenTypePasswordReset ||
+		token.ExpiresAt.Before(service.clock.Now()) {
+		return ErrTokenInvalid
+	}
+
+	user, err := service.db.GetUser(token.UserId)
+	if err != nil {
+		log.Error("Could not get user from token: %v", err)
+		return types.ErrInternal
+	}
+
+	passHash := GetHashPassword(newPass, user.Salt)
+
+	user.Password = passHash
+	err = service.db.UpdateUser(user)
+	if err != nil {
+		return err
+	}
+
+	sessions, err := service.db.GetSessions(user.Id)
+	if err != nil {
+		return types.ErrInternal
+	}
+
+	for _, session := range sessions {
+		err = service.db.DeleteSession(session.Id)
+		if err != nil {
+			return types.ErrInternal
+		}
+	}
+
+	return nil
+}
+
+func (service AuthImpl) IsCsrfTokenValid(tokenStr string, sessionId string) bool {
+	token, err := service.db.GetToken(tokenStr)
+	if err != nil {
+		return false
+	}
+
+	if token.Type != types.TokenTypeCsrf ||
+		token.SessionId != sessionId ||
+		token.ExpiresAt.Before(service.clock.Now()) {
+		return false
+	}
+
+	return true
+}
+
+func (service AuthImpl) GetCsrfToken(session *types.Session) (string, error) {
+	if session == nil {
+		return "", types.ErrInternal
+	}
+
+	tokens, _ := service.db.GetTokensBySessionIdAndType(session.Id, types.TokenTypeCsrf)
+
+	if len(tokens) > 0 {
+		return tokens[0].Token, nil
+	}
+
+	tokenStr, err := service.random.String(32)
+	if err != nil {
+		return "", types.ErrInternal
+	}
+
+	token := types.NewToken(
+		session.UserId,
+		session.Id,
+		tokenStr,
+		types.TokenTypeCsrf,
+		service.clock.Now(),
+		service.clock.Now().Add(8*time.Hour))
+	err = service.db.InsertToken(token)
+	if err != nil {
+		return "", types.ErrInternal
+	}
+
+	log.Info("CSRF-Token created: %v", tokenStr)
+
+	return tokenStr, nil
+}
+
+func (service AuthImpl) cleanUpSessionWithTokens(session *types.Session) error {
+	if session == nil {
+		return nil
+	}
+
+	err := service.db.DeleteSession(session.Id)
+	if err != nil {
+		return types.ErrInternal
+	}
+
+	tokens, err := service.db.GetTokensBySessionIdAndType(session.Id, types.TokenTypeCsrf)
+	if err != nil {
+		return types.ErrInternal
+	}
+	for _, token := range tokens {
+		err = service.db.DeleteToken(token.Token)
+		if err != nil {
+			return types.ErrInternal
+		}
+	}
+
+	return nil
+}
+
+func (service AuthImpl) createSession(userId uuid.UUID) (*types.Session, error) {
+	sessionId, err := service.random.String(32)
+	if err != nil {
+		return nil, types.ErrInternal
+	}
+
+	err = service.db.DeleteOldSessions(userId)
+	if err != nil {
+		return nil, types.ErrInternal
+	}
+
+	createAt := service.clock.Now()
+	expiresAt := createAt.Add(24 * time.Hour)
+
+	session := types.NewSession(sessionId, userId, createAt, expiresAt)
+
+	err = service.db.InsertSession(session)
+	if err != nil {
+		return nil, types.ErrInternal
+	}
+
+	return session, nil
+}
+
+func GetHashPassword(password string, salt []byte) []byte {
+	return argon2.IDKey([]byte(password), salt, 1, 64*1024, 1, 16)
+}
+
+func isPasswordValid(password string) bool {
+	if len(password) < 8 ||
+		!strings.ContainsAny(password, "0123456789") ||
+		!strings.ContainsAny(password, "ABCDEFGHIJKLMNOPQRSTUVWXYZ") ||
+		!strings.ContainsAny(password, "abcdefghijklmnopqrstuvwxyz") ||
+		!strings.ContainsAny(password, "!@#$%^&*()_+-=[]{}\\|;:'\",.<>/?") {
+		return false
+	} else {
+		return true
+	}
+}