feat(auth): check password when deleting account #175

2024-09-13 12:02:06 +02:00
parent 6a656b15f0
commit 6c1edcd0a8
2 changed files with 43 additions and 13 deletions


@@ -328,7 +328,31 @@ func HandleDeleteAccountComp(db *sql.DB) http.HandlerFunc {
return return
} }
_, err := db.Exec("DELETE FROM workout WHERE user_id = ?", user.Id) password := r.FormValue("password")
if password == "" {
utils.TriggerToast(w, r, "error", "Password is required")
return
}
var (
storedHash []byte
salt []byte
)
err := db.QueryRow("SELECT password, salt FROM user WHERE user_uuid = ?", user.Id).Scan(&storedHash, &salt)
if err != nil {
utils.LogError("Could not get password", err)
utils.TriggerToast(w, r, "error", "Internal Server Error")
return
}
currHash := getHashPassword(password, salt)
if subtle.ConstantTimeCompare(currHash, storedHash) == 0 {
utils.TriggerToast(w, r, "error", "Password is not correct")
return
}
_, err = db.Exec("DELETE FROM workout WHERE user_id = ?", user.Id)
if err != nil { if err != nil {
utils.LogError("Could not delete workouts", err) utils.LogError("Could not delete workouts", err)
utils.TriggerToast(w, r, "error", "Internal Server Error") utils.TriggerToast(w, r, "error", "Internal Server Error")
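Review bot: The password check at the `subtle.ConstantTimeCompare` line has no attempt limit, so with a stolen or shared session this endpoint becomes an unthrottled password oracle: each wrong guess gets a distinct toast ("Password is not correct") and nothing in the hunk counts or logs failures. Rate-limit or lock out after a few failed attempts (a per-user counter keyed on `user.Id`) and log the failure next to the existing `utils.LogError` calls so brute forcing shows up in telemetry; until that lands I'd add `// NOTE: no attempt limit — a hijacked session can brute-force the password here` above the compare. A smaller point: the workout delete that follows the check runs as a standalone `db.Exec`, so if a later user-row delete fails the account survives with its workouts gone; if the rest of the handler is not already in a transaction, open one with `db.BeginTx` and commit once after both deletes. HandleDeleteAccountComp starts before and continues after this hunk.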


@@ -1,16 +1,22 @@
package auth package auth
templ DeleteAccountComp() { templ DeleteAccountComp() {
<main class="h-full flex items-center justify-center"> <form
<div class="card bg-neutral text-neutral-content w-96"> class="max-w-xl px-2 mx-auto flex flex-col gap-4 h-full justify-center"
<div class="card-body items-center text-center"> hx-post="/api/auth/delete-account"
<h2 class="card-title">Delete Account</h2> hx-swap="none"
<p>Do you really want to delete all your data? This cannot be undone!</p> >
<div class="card-actions justify-end mt-4"> <h2 class="text-6xl mb-6">
<a href="/" class="btn btn-ghost">Cancel</a> Delete Account
<button hx-get="/api/auth/delete-account" class="btn btn-primary">Delete Account</button> </h2>
</div> <p class="text-xl text-red-500 mb-4">
</div> Are you sure you want to delete your account? This action is irreversible.
</div> </p>
</main> <label class="input input-bordered flex items-center gap-2">
<input type="password" class="grow" placeholder="Password" name="password"/>
</label>
<button class="btn btn-error self-end">
Delete Account
</button>
</form>
} }
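Review bot: The new password input is missing `autocomplete="current-password"` and `required`, so password managers will not fill the re-authentication prompt and an empty submit round-trips to the server before the user sees the "Password is required" toast; `<input type="password" class="grow" placeholder="Password" name="password" autocomplete="current-password" required/>` fixes both. The old markup's Cancel link (`<a href="/" class="btn btn-ghost">Cancel</a>`) was dropped in the rewrite, leaving the destructive button as the only action on the page; consider keeping it next to the Delete button. Requiring the current password also makes this form largely CSRF-resistant on its own, which is worth a one-line comment on the `templ DeleteAccountComp()` line so a later cleanup does not remove the field as "redundant".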