x/spend-sparrow
2
0
Fork 0
Code Issues 7 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

feat(security): #328 delete old sessions for change and forgot password

Browse Source
This commit is contained in:
Tim Wundenberg
2024-12-17 22:21:46 +01:00
parent 43d0a3d022
commit dcc5207272
13 changed files with 292 additions and 120 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
db/auth.go
View File

@@ -100,6 +100,7 @@ type Auth interface {
InsertSession(session *Session) error
GetSession(sessionId string) (*Session, error)
GetSessions(userId uuid.UUID) ([]*Session, error)
DeleteSession(sessionId string) error
DeleteOldSessions(userId uuid.UUID) error
}
@@ -416,9 +417,44 @@ func (db AuthSqlite) GetSession(sessionId string) (*Session, error) {
return NewSession(sessionId, userId, createdAt, expiresAt), nil
}
func (db AuthSqlite) GetSessions(userId uuid.UUID) ([]*Session, error) {
sessions, err := db.db.Query(`
SELECT session_id, created_at, expires_at
FROM session
WHERE user_id = ?`, userId)
if err != nil {
log.Error("Could not get sessions: %v", err)
return nil, types.ErrInternal
}
var result []*Session
for sessions.Next() {
var (
sessionId string
createdAt time.Time
expiresAt time.Time
)
err := sessions.Scan(&sessionId, &createdAt, &expiresAt)
if err != nil {
log.Error("Could not scan session: %v", err)
return nil, types.ErrInternal
}
session := NewSession(sessionId, userId, createdAt, expiresAt)
result = append(result, session)
}
return result, nil
}
func (db AuthSqlite) DeleteOldSessions(userId uuid.UUID) error {
// Delete old inactive sessions
_, err := db.db.Exec("DELETE FROM session WHERE created_at < datetime('now','-8 hours') AND user_id = ?", userId)
_, err := db.db.Exec(`
DELETE FROM session
WHERE expires_at < datetime('now')
AND user_id = ?`, userId)
if err != nil {
log.Error("Could not delete old sessions: %v", err)
return types.ErrInternal

69
handler/auth.go
View File

@@ -48,9 +48,9 @@ func (handler AuthImpl) Handle(router *http.ServeMux) {
router.Handle("/auth/change-password", handler.handleChangePasswordPage())
router.Handle("/api/auth/change-password", handler.handleChangePasswordComp())
router.Handle("/auth/reset-password", handler.handleResetPasswordPage())
router.Handle("/api/auth/reset-password", handler.handleForgotPasswordComp())
router.Handle("/api/auth/reset-password-actual", handler.handleForgotPasswordResponseComp())
router.Handle("/auth/forgot-password", handler.handleForgotPasswordPage())
router.Handle("/api/auth/forgot-password", handler.handleForgotPasswordComp())
router.Handle("/api/auth/forgot-password-actual", handler.handleForgotPasswordResponseComp())
}
var (
@@ -93,12 +93,10 @@ func (handler AuthImpl) handleSignIn() http.HandlerFunc {
})
if err != nil {
if err == service.ErrInvaidCredentials {
utils.TriggerToast(w, r, "error", "Invalid email or password")
http.Error(w, "Invalid email or password", http.StatusUnauthorized)
if err == service.ErrInvalidCredentials {
utils.TriggerToast(w, r, "error", "Invalid email or password", http.StatusUnauthorized)
} else {
log.Error("Error signing in: %v", err)
http.Error(w, "An error occurred", http.StatusInternalServerError)
utils.TriggerToast(w, r, "error", "An error occurred", http.StatusInternalServerError)
}
return
}
@@ -198,16 +196,16 @@ func (handler AuthImpl) handleSignUp() http.HandlerFunc {
if err != nil {
if errors.Is(err, types.ErrInternal) {
utils.TriggerToast(w, r, "error", "An error occurred")
utils.TriggerToast(w, r, "error", "An error occurred", http.StatusInternalServerError)
return
} else if errors.Is(err, service.ErrInvalidEmail) {
utils.TriggerToast(w, r, "error", "The email provided is invalid")
utils.TriggerToast(w, r, "error", "The email provided is invalid", http.StatusBadRequest)
return
}
// If the "service.ErrAccountExists", then just continue
}
utils.TriggerToast(w, r, "success", "A link to activate your account has been emailed to the address provided.")
utils.TriggerToast(w, r, "success", "A link to activate your account has been emailed to the address provided.", http.StatusOK)
}
}
@@ -261,15 +259,13 @@ func (handler AuthImpl) handleDeleteAccountComp() http.HandlerFunc {
password := r.FormValue("password")
_, err := handler.service.SignIn(user.Email, password)
err := handler.service.DeleteAccount(user, password)
if err != nil {
utils.TriggerToast(w, r, "error", "Password not correct")
return
if err == service.ErrInvalidCredentials {
utils.TriggerToast(w, r, "error", "Password not correct", http.StatusUnauthorized)
} else {
utils.TriggerToast(w, r, "error", "Internal Server Error", http.StatusInternalServerError)
}
err = handler.service.DeleteAccount(user)
if err != nil {
utils.TriggerToast(w, r, "error", "Internal Server Error")
return
}
@@ -297,8 +293,8 @@ func (handler AuthImpl) handleChangePasswordPage() http.HandlerFunc {
func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user := middleware.GetUser(r)
if user == nil {
session := middleware.GetSession(r)
if session == nil || session.User == nil {
utils.DoRedirect(w, r, "/auth/signin")
return
}
@@ -306,22 +302,22 @@ func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
currPass := r.FormValue("current-password")
newPass := r.FormValue("new-password")
err := handler.service.ChangePassword(user, currPass, newPass)
err := handler.service.ChangePassword(session, currPass, newPass)
if err != nil {
utils.TriggerToast(w, r, "error", "Password not correct")
utils.TriggerToast(w, r, "error", "Password not correct", http.StatusUnauthorized)
return
}
utils.TriggerToast(w, r, "success", "Password changed")
utils.TriggerToast(w, r, "success", "Password changed", http.StatusOK)
}
}
func (handler AuthImpl) handleResetPasswordPage() http.HandlerFunc {
func (handler AuthImpl) handleForgotPasswordPage() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user := middleware.GetUser(r)
if user == nil {
utils.DoRedirect(w, r, "/auth/signin")
if user != nil {
utils.DoRedirect(w, r, "/")
return
}
@@ -335,15 +331,19 @@ func (handler AuthImpl) handleForgotPasswordComp() http.HandlerFunc {
email := r.FormValue("email")
if email == "" {
utils.TriggerToast(w, r, "error", "Please enter an email")
utils.TriggerToast(w, r, "error", "Please enter an email", http.StatusBadRequest)
return
}
_, err := utils.WaitMinimumTime(securityWaitDuration, func() (interface{}, error) {
err := handler.service.SendForgotPasswordMail(email)
return nil, err
})
if err != nil {
utils.TriggerToast(w, r, "error", "Internal Server Error")
utils.TriggerToast(w, r, "error", "Internal Server Error", http.StatusInternalServerError)
} else {
utils.TriggerToast(w, r, "info", "If the email exists, an email has been sent")
utils.TriggerToast(w, r, "info", "If the email exists, an email has been sent", http.StatusOK)
}
}
}
@@ -354,23 +354,18 @@ func (handler AuthImpl) handleForgotPasswordResponseComp() http.HandlerFunc {
pageUrl, err := url.Parse(r.Header.Get("HX-Current-URL"))
if err != nil {
log.Error("Could not get current URL: %v", err)
utils.TriggerToast(w, r, "error", "Internal Server Error")
utils.TriggerToast(w, r, "error", "Internal Server Error", http.StatusInternalServerError)
return
}
token := pageUrl.Query().Get("token")
if token == "" {
utils.TriggerToast(w, r, "error", "No token")
return
}
newPass := r.FormValue("new-password")
err = handler.service.ForgotPassword(token, newPass)
if err != nil {
utils.TriggerToast(w, r, "error", err.Error())
utils.TriggerToast(w, r, "error", err.Error(), http.StatusInternalServerError)
} else {
utils.TriggerToast(w, r, "success", "Password changed")
utils.TriggerToast(w, r, "success", "Password changed", http.StatusOK)
}
}
}

4
handler/middleware/cross_site_request_forgery.go
View File

@@ -61,7 +61,9 @@ func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler
}
}
if session == nil && (strings.Contains(r.RequestURI, "/auth/signup") || strings.Contains(r.RequestURI, "/auth/signin")) {
// Always sign in anonymous
// This way, there is no way to forget creating a csrf token
if session == nil {
session, _ = auth.SignInAnonymous()
cookie := CreateSessionCookie(session.Id)

14
handler/middleware/security_headers.go
View File

@@ -14,13 +14,13 @@ func SecurityHeaders(serverSettings *types.Settings) func(http.Handler) http.Han
w.Header().Set("Access-Control-Allow-Origin", serverSettings.BaseUrl)
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE")
w.Header().Set("Content-Security-Policy",
"default-src 'none';"+
"script-src 'self' https://umami.me-fit.eu"+
"connect-src 'self' https://umami.me-fit.eu"+
"img-src 'self'"+
"style-src 'self'"+
"form-action 'self'"+
"frame-ancestors 'none'",
"default-src 'none'; "+
"script-src 'self' https://umami.me-fit.eu; "+
"connect-src 'self' https://umami.me-fit.eu; "+
"img-src 'self'; "+
"style-src 'self'; "+
"form-action 'self'; "+
"frame-ancestors 'none'; ",
)
w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")

15
handler/workout.go
View File

@@ -2,7 +2,6 @@ package handler
import (
"me-fit/handler/middleware"
"me-fit/log"
"me-fit/service"
"me-fit/template/workout"
"me-fit/utils"
@@ -67,7 +66,7 @@ func (handler WorkoutImpl) handleAddWorkout() http.HandlerFunc {
wo := service.NewWorkoutDto("", dateStr, typeStr, setsStr, repsStr)
wo, err := handler.service.AddWorkout(session.User, wo)
if err != nil {
utils.TriggerToast(w, r, "error", "Invalid input values")
utils.TriggerToast(w, r, "error", "Invalid input values", http.StatusBadRequest)
http.Error(w, "Invalid input values", http.StatusBadRequest)
return
}
@@ -111,25 +110,19 @@ func (handler WorkoutImpl) handleDeleteWorkout() http.HandlerFunc {
rowId := r.PathValue("id")
if rowId == "" {
http.Error(w, "Missing required fields", http.StatusBadRequest)
log.Warn("Missing required fields for workout delete")
utils.TriggerToast(w, r, "error", "Missing ID field")
utils.TriggerToast(w, r, "error", "Missing ID field", http.StatusBadRequest)
return
}
rowIdInt, err := strconv.Atoi(rowId)
if err != nil {
http.Error(w, "Invalid ID", http.StatusBadRequest)
log.Warn("Invalid ID for workout delete")
utils.TriggerToast(w, r, "error", "Invalid ID")
utils.TriggerToast(w, r, "error", "Invalid ID", http.StatusBadRequest)
return
}
err = handler.service.DeleteWorkout(session.User, rowIdInt)
if err != nil {
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
log.Error("Could not delete workout: %v", err.Error())
utils.TriggerToast(w, r, "error", "Internal Server Error")
utils.TriggerToast(w, r, "error", "Internal Server Error", http.StatusInternalServerError)
return
}
}

28
less
View File

@@ -1,28 +0,0 @@
__ _ ___
/ /\ | | | |_)
/_/--\ |_| |_| \_ v1.52.3, built with Go go1.22.5
mkdir /home/tiwun/source/me-fit/tmp
watching .
watching db
watching handler
watching handler/middleware
watching log
watching migration
watching mocks
!exclude node_modules
watching service
!exclude static
watching template
watching template/auth
watching template/mail
watching template/workout
!exclude tmp
watching types
watching utils
building...
(✓) Complete [ updates=12 duration=10.258748ms ]
cleaning...
deleting /home/tiwun/source/me-fit/tmp
see you again~

147
main_test.go
View File

@@ -11,6 +11,7 @@ import (
"testing"
"time"
"me-fit/db"
"me-fit/service"
"me-fit/types"
@@ -81,13 +82,13 @@ func TestIntegrationSecurityHeader(t *testing.T) {
assert.Equal(t, "GET, POST, DELETE", value)
value = resp.Header.Get("Content-Security-Policy")
assert.Equal(t, "default-src 'none';"+
"script-src 'self' https://umami.me-fit.eu"+
"connect-src 'self' https://umami.me-fit.eu"+
"img-src 'self'"+
"style-src 'self'"+
"form-action 'self'"+
"frame-ancestors 'none'", value)
assert.Equal(t, "default-src 'none'; "+
"script-src 'self' https://umami.me-fit.eu; "+
"connect-src 'self' https://umami.me-fit.eu; "+
"img-src 'self'; "+
"style-src 'self'; "+
"form-action 'self'; "+
"frame-ancestors 'none';", value)
value = resp.Header.Get("Cross-Origin-Resource-Policy")
assert.Equal(t, "same-origin", value)
@@ -159,6 +160,138 @@ func TestIntegrationAuth(t *testing.T) {
assert.True(t, cookie.HttpOnly, "Cookie is not secure")
assert.True(t, cookie.Secure, "Cookie is not secure")
})
t.Run("should change password and invalidate other sessions from user", func(t *testing.T) {
t.Parallel()
db, basePath, ctx := setupIntegrationTest(t)
userId := uuid.New()
userIdOther := uuid.New()
pass := service.GetHashPassword("password", []byte("salt"))
_, err := db.Exec(`
INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at)
VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
sessionId := "session-id"
assert.Nil(t, err)
_, err = db.Exec(`
INSERT INTO session (session_id, user_id, created_at, expires_at)
VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId)
assert.Nil(t, err)
_, err = db.Exec(`
INSERT INTO session (session_id, user_id, created_at, expires_at)
VALUES ("second", ?, datetime(), datetime("now", "+1 day"))`, userId)
assert.Nil(t, err)
_, err = db.Exec(`
INSERT INTO session (session_id, user_id, created_at, expires_at)
VALUES ("other", ?, datetime(), datetime("now", "+1 day"))`, userIdOther)
assert.Nil(t, err)
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/change-password", nil)
assert.Nil(t, err)
req.Header.Set("Cookie", "id="+sessionId)
resp, err := httpClient.Do(req)
assert.Nil(t, err)
html, err := html.Parse(resp.Body)
assert.Nil(t, err)
csrfToken := findCsrfToken(html)
assert.NotEqual(t, "", csrfToken)
formData := url.Values{
"current-password": {"password"},
"new-password": {"MyNewSecurePassword1!"},
"csrf-token": {csrfToken},
}
req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/change-password", strings.NewReader(formData.Encode()))
assert.Nil(t, err)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Cookie", "id="+sessionId)
req.Header.Set("HX-Request", "true")
resp, err = httpClient.Do(req)
assert.Nil(t, err)
assert.Equal(t, http.StatusOK, resp.StatusCode)
var sessionIds []string
sessions, err := db.Query(`SELECT session_id FROM session WHERE NOT user_id = ? ORDER BY session_id`, uuid.Nil)
assert.Nil(t, err)
for sessions.Next() {
var sessionId string
err = sessions.Scan(&sessionId)
assert.Nil(t, err)
sessionIds = append(sessionIds, sessionId)
}
assert.Equal(t, 2, len(sessionIds))
assert.Equal(t, "other", sessionIds[0])
assert.Equal(t, "session-id", sessionIds[1])
})
t.Run("should forget password and invalidate all user sessions", func(t *testing.T) {
t.Parallel()
d, basePath, ctx := setupIntegrationTest(t)
userId := uuid.New()
pass := service.GetHashPassword("password", []byte("salt"))
_, err := d.Exec(`
INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at)
VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
assert.Nil(t, err)
_, err = d.Exec(`
INSERT INTO session (session_id, user_id, created_at, expires_at)
VALUES ("session-id", ?, datetime(), datetime("now", "+1 day"))`, userId)
assert.Nil(t, err)
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/forgot-password", nil)
assert.Nil(t, err)
resp, err := httpClient.Do(req)
assert.Nil(t, err)
sessionId := findCookie(resp, "id").Value
html, err := html.Parse(resp.Body)
assert.Nil(t, err)
csrfToken := findCsrfToken(html)
assert.NotEqual(t, "", csrfToken)
formData := url.Values{
"email": {"mail@mail.de"},
"csrf-token": {csrfToken},
}
req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/forgot-password", strings.NewReader(formData.Encode()))
assert.Nil(t, err)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Cookie", "id="+sessionId)
req.Header.Set("HX-Request", "true")
resp, err = httpClient.Do(req)
assert.Nil(t, err)
assert.Equal(t, http.StatusOK, resp.StatusCode)
var token string
err = d.QueryRow("SELECT token FROM token WHERE type = ?", db.TokenTypePasswordReset).Scan(&token)
assert.Nil(t, err)
formData = url.Values{
"new-password": {"MyNewSecurePassword1!"},
"csrf-token": {csrfToken},
}
req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/forgot-password-actual", strings.NewReader(formData.Encode()))
assert.Nil(t, err)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Cookie", "id="+sessionId)
req.Header.Set("HX-Request", "true")
req.Header.Set("HX-Current-URL", basePath+"/auth/change-password?token="+url.QueryEscape(token))
resp, err = httpClient.Do(req)
assert.Nil(t, err)
assert.Equal(t, http.StatusOK, resp.StatusCode)
sessions, err := d.Query("SELECT session_id FROM session WHERE user_id = ?", userId)
assert.Nil(t, err)
assert.False(t, sessions.Next())
})
}
func findCookie(resp *http.Response, name string) *http.Cookie {

70
service/auth.go
View File

@@ -18,11 +18,12 @@ import (
)
var (
ErrInvaidCredentials = errors.New("invalid email or password")
ErrInvalidCredentials = errors.New("invalid email or password")
ErrInvalidPassword = errors.New("password needs to be 8 characters long, contain at least one number, one special, one uppercase and one lowercase character")
ErrInvalidEmail = errors.New("invalid email")
ErrAccountExists = errors.New("account already exists")
ErrSessionIdInvalid = errors.New("session ID is invalid")
ErrTokenInvalid = errors.New("token is invalid")
)
type User struct {
@@ -65,9 +66,9 @@ type Auth interface {
SignInAnonymous() (*Session, error)
SignOut(sessionId string) error
DeleteAccount(user *User) error
DeleteAccount(user *User, currPass string) error
ChangePassword(user *User, currPass, newPass string) error
ChangePassword(session *Session, currPass, newPass string) error
SendForgotPasswordMail(email string) error
ForgotPassword(token string, newPass string) error
@@ -98,7 +99,7 @@ func (service AuthImpl) SignIn(email string, password string) (*Session, error)
user, err := service.db.GetUserByEmail(email)
if err != nil {
if errors.Is(err, db.ErrNotFound) {
return nil, ErrInvaidCredentials
return nil, ErrInvalidCredentials
} else {
return nil, types.ErrInternal
}
@@ -107,7 +108,7 @@ func (service AuthImpl) SignIn(email string, password string) (*Session, error)
hash := GetHashPassword(password, user.Salt)
if subtle.ConstantTimeCompare(hash, user.Password) == 0 {
return nil, ErrInvaidCredentials
return nil, ErrInvalidCredentials
}
session, err := service.createSession(user.Id)
@@ -297,9 +298,19 @@ func (service AuthImpl) SignOut(sessionId string) error {
return service.db.DeleteSession(sessionId)
}
func (service AuthImpl) DeleteAccount(user *User) error {
func (service AuthImpl) DeleteAccount(user *User, currPass string) error {
err := service.db.DeleteUser(user.Id)
userDb, err := service.db.GetUser(user.Id)
if err != nil {
return types.ErrInternal
}
currHash := GetHashPassword(currPass, userDb.Salt)
if subtle.ConstantTimeCompare(currHash, userDb.Password) == 0 {
return ErrInvalidCredentials
}
err = service.db.DeleteUser(user.Id)
if err != nil {
return err
}
@@ -309,7 +320,7 @@ func (service AuthImpl) DeleteAccount(user *User) error {
return nil
}
func (service AuthImpl) ChangePassword(user *User, currPass, newPass string) error {
func (service AuthImpl) ChangePassword(session *Session, currPass, newPass string) error {
if !isPasswordValid(newPass) {
return ErrInvalidPassword
@@ -319,18 +330,18 @@ func (service AuthImpl) ChangePassword(user *User, currPass, newPass string) err
return ErrInvalidPassword
}
_, err := service.SignIn(user.Email, currPass)
userDb, err := service.db.GetUser(session.User.Id)
if err != nil {
return err
}
userDb, err := service.db.GetUser(user.Id)
if err != nil {
return err
currHash := GetHashPassword(currPass, userDb.Salt)
if subtle.ConstantTimeCompare(currHash, userDb.Password) == 0 {
return ErrInvalidCredentials
}
newHash := GetHashPassword(newPass, userDb.Salt)
userDb.Password = newHash
err = service.db.UpdateUser(userDb)
@@ -338,11 +349,23 @@ func (service AuthImpl) ChangePassword(user *User, currPass, newPass string) err
return err
}
sessions, err := service.db.GetSessions(userDb.Id)
if err != nil {
return types.ErrInternal
}
for _, s := range sessions {
if s.Id != session.Id {
err = service.db.DeleteSession(s.Id)
if err != nil {
return types.ErrInternal
}
}
}
return nil
}
func (service AuthImpl) SendForgotPasswordMail(email string) error {
tokenStr, err := service.random.String(32)
if err != nil {
return err
@@ -383,7 +406,7 @@ func (service AuthImpl) ForgotPassword(tokenStr string, newPass string) error {
token, err := service.db.GetToken(tokenStr)
if err != nil {
return err
return ErrTokenInvalid
}
err = service.db.DeleteToken(tokenStr)
@@ -391,6 +414,11 @@ func (service AuthImpl) ForgotPassword(tokenStr string, newPass string) error {
return err
}
if token.Type != db.TokenTypePasswordReset ||
token.ExpiresAt.Before(service.clock.Now()) {
return ErrTokenInvalid
}
user, err := service.db.GetUser(token.UserId)
if err != nil {
log.Error("Could not get user from token: %v", err)
@@ -405,6 +433,18 @@ func (service AuthImpl) ForgotPassword(tokenStr string, newPass string) error {
return err
}
sessions, err := service.db.GetSessions(user.Id)
if err != nil {
return types.ErrInternal
}
for _, session := range sessions {
err = service.db.DeleteSession(session.Id)
if err != nil {
return types.ErrInternal
}
}
return nil
}

4
service/auth_test.go
View File

@@ -80,7 +80,7 @@ func TestSignIn(t *testing.T) {
_, err := underTest.SignIn("test@test.de", "wrong password")
assert.Equal(t, ErrInvaidCredentials, err)
assert.Equal(t, ErrInvalidCredentials, err)
})
t.Run("should return ErrInvalidCretentials if user has not been found", func(t *testing.T) {
t.Parallel()
@@ -94,7 +94,7 @@ func TestSignIn(t *testing.T) {
underTest := NewAuthImpl(mockAuthDb, mockRandom, mockClock, mockMail, &types.Settings{})
_, err := underTest.SignIn("test", "test")
assert.Equal(t, ErrInvaidCredentials, err)
assert.Equal(t, ErrInvalidCredentials, err)
})
t.Run("should forward ErrInternal on any other error", func(t *testing.T) {
t.Parallel()

2
template/auth/change_password.templ
View File

@@ -4,7 +4,7 @@ templ ChangePasswordComp(isPasswordReset bool) {
<form
class="max-w-xl px-2 mx-auto flex flex-col gap-4 h-full justify-center"
if isPasswordReset {
hx-post="/api/auth/reset-password-actual"
hx-post="/api/auth/forgot-password-actual"
} else {
hx-post="/api/auth/change-password"
}

2
template/auth/reset_password.templ
View File

@@ -3,7 +3,7 @@ package auth
templ ResetPasswordComp() {
<form
class="max-w-xl px-2 mx-auto flex flex-col gap-4 h-full justify-center"
hx-post="/api/auth/reset-password"
hx-post="/api/auth/forgot-password"
hx-swap="none"
>
<h2 class="text-6xl mb-10">

2
template/auth/sign_in_or_up.templ
View File

@@ -62,7 +62,7 @@ if isSignIn {
</label>
<div class="flex justify-end items-center gap-2">
if isSignIn {
<a href="/auth/reset-password" class="grow link text-gray-500 text-sm">Forgot Password?</a>
<a href="/auth/forgot-password" class="grow link text-gray-500 text-sm">Forgot Password?</a>
<a href="/auth/signup" class="link text-gray-500 text-sm">Don't have an account? Sign Up</a>
<button class="btn btn-primary">
Sign In

3
utils/http.go
View File

@@ -8,9 +8,10 @@ import (
"time"
)
func TriggerToast(w http.ResponseWriter, r *http.Request, class string, message string) {
func TriggerToast(w http.ResponseWriter, r *http.Request, class string, message string, statusCode int) {
if isHtmx(r) {
w.Header().Set("HX-Trigger", fmt.Sprintf(`{"toast": "%v|%v"}`, class, message))
w.WriteHeader(statusCode)
} else {
log.Error("Trying to trigger toast in non-HTMX request")
}