tbs

db/auth.go

@@ -13,8 +13,8 @@ import (
 )
 
 var (
-	ErrNotFound   = errors.New("value not found")
+	ErrNotFound      = errors.New("value not found")
-	ErrUserExists = errors.New("user already exists")
+	ErrAlreadyExists = errors.New("row already exists")
 )
 
 type User struct {
@@ -59,20 +59,25 @@ func NewSession(id string, userId uuid.UUID, createdAt time.Time, expiresAt time
 
 type Token struct {
 	UserId    uuid.UUID
+	SessionId string
 	Token     string
-	Type      string
+	Type      TokenType
 	CreatedAt time.Time
 	ExpiresAt time.Time
 }
 
+type TokenType string
+
 var (
-	TokenTypeEmailVerify   = "email_verify"
+	TokenTypeEmailVerify   TokenType = "email_verify"
-	TokenTypePasswordReset = "password_reset"
+	TokenTypePasswordReset TokenType = "password_reset"
+	TokenTypeCsrf          TokenType = "csrf"
 )
 
-func NewToken(userId uuid.UUID, token string, tokenType string, createdAt time.Time, expiresAt time.Time) *Token {
+func NewToken(userId uuid.UUID, sessionId string, token string, tokenType TokenType, createdAt time.Time, expiresAt time.Time) *Token {
 	return &Token{
 		UserId:    userId,
+		SessionId: sessionId,
 		Token:     token,
 		Type:      tokenType,
 		CreatedAt: createdAt,
@@ -89,7 +94,8 @@ type Auth interface {
 
 	InsertToken(token *Token) error
 	GetToken(token string) (*Token, error)
-	GetTokensByUserIdAndType(userId uuid.UUID, tokenType string) ([]*Token, error)
+	GetTokensByUserIdAndType(userId uuid.UUID, tokenType TokenType) ([]*Token, error)
+	GetTokensBySessionIdAndType(sessionId string, tokenType TokenType) ([]*Token, error)
 	DeleteToken(token string) error
 
 	InsertSession(session *Session) error
@@ -114,7 +120,7 @@ func (db AuthSqlite) InsertUser(user *User) error {
 
 	if err != nil {
 		if strings.Contains(err.Error(), "email") {
-			return ErrUserExists
+			return ErrAlreadyExists
 		}
 
 		log.Error("SQL error InsertUser: %v", err)
@@ -208,7 +214,7 @@ func (db AuthSqlite) DeleteUser(userId uuid.UUID) error {
 		return types.ErrInternal
 	}
 
-	_, err = tx.Exec("DELETE FROM user_token WHERE user_id = ?", userId)
+	_, err = tx.Exec("DELETE FROM token WHERE user_id = ?", userId)
 	if err != nil {
 		_ = tx.Rollback()
 		log.Error("Could not delete user tokens: %v", err)
@@ -240,8 +246,8 @@ func (db AuthSqlite) DeleteUser(userId uuid.UUID) error {
 
 func (db AuthSqlite) InsertToken(token *Token) error {
 	_, err := db.db.Exec(`
-		INSERT INTO user_token (user_id, type, token, created_at, expires_at)
+		INSERT INTO token (user_id, session_id, type, token, created_at, expires_at)
-		VALUES (?, ?, ?, ?, ?)`, token.UserId, token.Type, token.Token, token.CreatedAt, token.ExpiresAt)
+		VALUES (?, ?, ?, ?, ?, ?)`, token.UserId, token.SessionId, token.Type, token.Token, token.CreatedAt, token.ExpiresAt)
 
 	if err != nil {
 		log.Error("Could not insert token: %v", err)
@@ -254,7 +260,8 @@ func (db AuthSqlite) InsertToken(token *Token) error {
 func (db AuthSqlite) GetToken(token string) (*Token, error) {
 	var (
 		userId       uuid.UUID
-		tokenType    string
+		sessionId    string
+		tokenType    TokenType
 		createdAtStr string
 		expiresAtStr string
 		createdAt    time.Time
@@ -262,10 +269,9 @@ func (db AuthSqlite) GetToken(token string) (*Token, error) {
 	)
 
 	err := db.db.QueryRow(`
-		SELECT user_id, type, created_at, expires_at 
+		SELECT user_id, session_id, type, created_at, expires_at 
-		FROM user_token 
+		FROM token
-		WHERE token = ? 
+		WHERE token = ?`, token).Scan(&userId, &sessionId, &tokenType, &createdAtStr, &expiresAtStr)
-		AND type = 'email_verify'`, token).Scan(&userId, &tokenType, &createdAtStr, &expiresAtStr)
 
 	if err != nil {
 		if err == sql.ErrNoRows {
@@ -289,14 +295,14 @@ func (db AuthSqlite) GetToken(token string) (*Token, error) {
 		return nil, types.ErrInternal
 	}
 
-	return NewToken(userId, token, tokenType, createdAt, expiresAt), nil
+	return NewToken(userId, sessionId, token, tokenType, createdAt, expiresAt), nil
 }
 
-func (db AuthSqlite) GetTokensByUserIdAndType(userId uuid.UUID, tokenType string) ([]*Token, error) {
+func (db AuthSqlite) GetTokensByUserIdAndType(userId uuid.UUID, tokenType TokenType) ([]*Token, error) {
 
 	query, err := db.db.Query(`
 		SELECT token, created_at, expires_at 
-		FROM user_token 
+		FROM token 
 		WHERE user_id = ?
 		AND type = ?`, userId, tokenType)
 
@@ -305,9 +311,32 @@ func (db AuthSqlite) GetTokensByUserIdAndType(userId uuid.UUID, tokenType string
 		return nil, types.ErrInternal
 	}
 
+	return getTokensFromQuery(query, userId, "", tokenType)
+}
+
+func (db AuthSqlite) GetTokensBySessionIdAndType(sessionId string, tokenType TokenType) ([]*Token, error) {
+
+	query, err := db.db.Query(`
+		SELECT token, created_at, expires_at 
+		FROM token 
+		WHERE session_id = ?
+		AND type = ?`, sessionId, tokenType)
+
+	if err != nil {
+		log.Error("Could not get token: %v", err)
+		return nil, types.ErrInternal
+	}
+
+	return getTokensFromQuery(query, uuid.Nil, sessionId, tokenType)
+}
+
+func getTokensFromQuery(query *sql.Rows, userId uuid.UUID, sessionId string, tokenType TokenType) ([]*Token, error) {
 	var tokens []*Token
 
+	hasRows := false
 	for query.Next() {
+		hasRows = true
+
 		var (
 			token        string
 			createdAtStr string
@@ -334,14 +363,18 @@ func (db AuthSqlite) GetTokensByUserIdAndType(userId uuid.UUID, tokenType string
 			return nil, types.ErrInternal
 		}
 
-		tokens = append(tokens, NewToken(userId, token, tokenType, createdAt, expiresAt))
+		tokens = append(tokens, NewToken(userId, sessionId, token, tokenType, createdAt, expiresAt))
+	}
+
+	if !hasRows {
+		return nil, ErrNotFound
 	}
 
 	return tokens, nil
 }
 
 func (db AuthSqlite) DeleteToken(token string) error {
-	_, err := db.db.Exec("DELETE FROM user_token WHERE token = ?", token)
+	_, err := db.db.Exec("DELETE FROM token WHERE token = ?", token)
 	if err != nil {
 		log.Error("Could not delete token: %v", err)
 		return types.ErrInternal

db/auth_test.go

@@ -51,7 +51,7 @@ func TestUser(t *testing.T) {
 		assert.Nil(t, err)
 		assert.Equal(t, expected, actual)
 	})
-	t.Run("should return UserNotFound", func(t *testing.T) {
+	t.Run("should return ErrNotFound", func(t *testing.T) {
 		t.Parallel()
 		db := setupDb(t)
 
@@ -74,7 +74,7 @@ func TestUser(t *testing.T) {
 		assert.Nil(t, err)
 
 		err = underTest.InsertUser(user)
-		assert.Equal(t, ErrUserExists, err)
+		assert.Equal(t, ErrAlreadyExists, err)
 	})
 	t.Run("should return ErrInternal on missing NOT NULL fields", func(t *testing.T) {
 		t.Parallel()
@@ -90,38 +90,110 @@ func TestUser(t *testing.T) {
 	})
 }
 
-func TestEmailVerification(t *testing.T) {
+func TestToken(t *testing.T) {
 	t.Parallel()
 
-	t.Run("should return NotFound", func(t *testing.T) {
+	t.Run("should insert and get the same", func(t *testing.T) {
 		t.Parallel()
 		db := setupDb(t)
 
 		underTest := AuthSqlite{db: db}
 
-		token, err := underTest.GetToken("someNonExistentToken")
+		createAt := time.Date(2020, 1, 5, 12, 0, 0, 0, time.UTC)
+		expiresAt := createAt.Add(24 * time.Hour)
+		expected := NewToken(uuid.New(), "sessionId", "token", TokenTypeCsrf, createAt, expiresAt)
 
-		assert.Equal(t, ErrNotFound, err)
+		err := underTest.InsertToken(expected)
-		assert.Nil(t, token)
+		assert.Nil(t, err)
+
+		actual, err := underTest.GetToken(expected.Token)
+		assert.Nil(t, err)
+		assert.Equal(t, expected, actual)
+
+		expected.SessionId = ""
+		actuals, err := underTest.GetTokensByUserIdAndType(expected.UserId, expected.Type)
+		assert.Nil(t, err)
+		assert.Equal(t, []*Token{expected}, actuals)
+
+		expected.SessionId = "sessionId"
+		expected.UserId = uuid.Nil
+		actuals, err = underTest.GetTokensBySessionIdAndType(expected.SessionId, expected.Type)
+		assert.Nil(t, err)
+		assert.Equal(t, []*Token{expected}, actuals)
 	})
-	t.Run("should insert and return token", func(t *testing.T) {
+	t.Run("should insert and return multiple tokens", func(t *testing.T) {
 		t.Parallel()
 		db := setupDb(t)
 
 		underTest := AuthSqlite{db: db}
-		tokenStr := "some secure token"
-		createdAt := time.Date(2020, 1, 5, 13, 0, 0, 0, time.UTC)
 
-		expectedToken := NewToken(uuid.New(), tokenStr, TokenTypeEmailVerify, createdAt, createdAt.Add(24*time.Hour))
+		createAt := time.Date(2020, 1, 5, 12, 0, 0, 0, time.UTC)
+		expiresAt := createAt.Add(24 * time.Hour)
+		userId := uuid.New()
+		expected1 := NewToken(userId, "sessionId", "token1", TokenTypeCsrf, createAt, expiresAt)
+		expected2 := NewToken(userId, "sessionId", "token2", TokenTypeCsrf, createAt, expiresAt)
 
-		err := underTest.InsertToken(expectedToken)
+		err := underTest.InsertToken(expected1)
+		assert.Nil(t, err)
+		err = underTest.InsertToken(expected2)
 		assert.Nil(t, err)
 
-		actualToken, err := underTest.GetToken(tokenStr)
+		expected1.UserId = uuid.Nil
+		expected2.UserId = uuid.Nil
+		actuals, err := underTest.GetTokensBySessionIdAndType(expected1.SessionId, expected1.Type)
+		assert.Nil(t, err)
+		assert.Equal(t, []*Token{expected1, expected2}, actuals)
+
+		expected1.SessionId = ""
+		expected2.SessionId = ""
+		expected1.UserId = userId
+		expected2.UserId = userId
+		actuals, err = underTest.GetTokensByUserIdAndType(userId, expected1.Type)
+		assert.Nil(t, err)
+		assert.Equal(t, []*Token{expected1, expected2}, actuals)
+
+	})
+	t.Run("should return ErrNotFound", func(t *testing.T) {
+		t.Parallel()
+		db := setupDb(t)
+
+		underTest := AuthSqlite{db: db}
+
+		_, err := underTest.GetToken("nonExistent")
+		assert.Equal(t, ErrNotFound, err)
+
+		_, err = underTest.GetTokensByUserIdAndType(uuid.New(), TokenTypeEmailVerify)
+		assert.Equal(t, ErrNotFound, err)
+
+		_, err = underTest.GetTokensBySessionIdAndType("sessionId", TokenTypeEmailVerify)
+		assert.Equal(t, ErrNotFound, err)
+	})
+	t.Run("should return ErrAlreadyExists", func(t *testing.T) {
+		t.Parallel()
+		db := setupDb(t)
+
+		underTest := AuthSqlite{db: db}
+
+		verifiedAt := time.Date(2020, 1, 5, 13, 0, 0, 0, time.UTC)
+		createAt := time.Date(2020, 1, 5, 12, 0, 0, 0, time.UTC)
+		user := NewUser(uuid.New(), "some@email.de", true, &verifiedAt, false, []byte("somePass"), []byte("someSalt"), createAt)
+
+		err := underTest.InsertUser(user)
 		assert.Nil(t, err)
 
-		t.Logf("expectedToken: %v", expectedToken)
+		err = underTest.InsertUser(user)
-		t.Logf("actualToken: %v", actualToken)
+		assert.Equal(t, ErrAlreadyExists, err)
-		assert.Equal(t, expectedToken, actualToken)
+	})
+	t.Run("should return ErrInternal on missing NOT NULL fields", func(t *testing.T) {
+		t.Parallel()
+		db := setupDb(t)
+
+		underTest := AuthSqlite{db: db}
+
+		createAt := time.Date(2020, 1, 5, 12, 0, 0, 0, time.UTC)
+		user := NewUser(uuid.New(), "some@email.de", false, nil, false, []byte("somePass"), nil, createAt)
+
+		err := underTest.InsertUser(user)
+		assert.Equal(t, types.ErrInternal, err)
 	})
 }

handler/middleware/cross_site_request_forgery.go

@@ -11,12 +11,17 @@ func CrossSiteRequestForgery(auth *service.Auth) func(http.Handler) http.Handler
 
 			// session := r.Context().Value(SessionKey)
 
-			if r.Method == "POST" {
+			if r.Method == http.MethodPost ||
+				r.Method == http.MethodPut ||
+				r.Method == http.MethodDelete ||
+				r.Method == http.MethodPatch {
+
 				csrfToken := r.FormValue("csrf-token")
 				if csrfToken == "" {
 					http.Error(w, "", http.StatusForbidden)
 					return
 				}
+
 			}
 
 			next.ServeHTTP(w, r)

service/auth.go

@@ -71,8 +71,8 @@ type Auth interface {
 	SendForgotPasswordMail(email string) error
 	ForgotPassword(token string, newPass string) error
 
-	// IsCsrfTokenValid(token string, user *User) bool
+	IsCsrfTokenValid(tokenStr string, userId uuid.UUID) bool
-	// GetCsrfToken(token string, user *User) bool
+	GetCsrfToken(session *Session) (string, error)
 }
 
 type AuthImpl struct {
@@ -193,7 +193,7 @@ func (service AuthImpl) SignUp(email string, password string) (*User, error) {
 
 	err = service.db.InsertUser(dbUser)
 	if err != nil {
-		if err == db.ErrUserExists {
+		if err == db.ErrAlreadyExists {
 			return nil, ErrAccountExists
 		} else {
 			return nil, types.ErrInternal
@@ -222,7 +222,7 @@ func (service AuthImpl) SendVerificationMail(userId uuid.UUID, email string) {
 			return
 		}
 
-		token = db.NewToken(userId, newTokenStr, db.TokenTypeEmailVerify, service.clock.Now(), service.clock.Now().Add(24*time.Hour))
+		token = db.NewToken(userId, "", newTokenStr, db.TokenTypeEmailVerify, service.clock.Now(), service.clock.Now().Add(24*time.Hour))
 
 		err = service.db.InsertToken(token)
 		if err != nil {
@@ -343,7 +343,7 @@ func (service AuthImpl) SendForgotPasswordMail(email string) error {
 		}
 	}
 
-	token := db.NewToken(user.Id, tokenStr, db.TokenTypePasswordReset, service.clock.Now(), service.clock.Now().Add(15*time.Minute))
+	token := db.NewToken(user.Id, "", tokenStr, db.TokenTypePasswordReset, service.clock.Now(), service.clock.Now().Add(15*time.Minute))
 
 	err = service.db.InsertToken(token)
 	if err != nil {
@@ -394,6 +394,43 @@ func (service AuthImpl) ForgotPassword(tokenStr string, newPass string) error {
 	return nil
 }
 
+func (service AuthImpl) IsCsrfTokenValid(tokenStr string, userId uuid.UUID) bool {
+	token, err := service.db.GetToken(tokenStr)
+	if err != nil {
+		return false
+	}
+
+	if token.Type != db.TokenTypeCsrf ||
+		token.UserId != userId ||
+		token.ExpiresAt.Before(service.clock.Now()) {
+
+		return false
+	}
+
+	return true
+}
+
+func (service AuthImpl) GetCsrfToken(session *Session) (string, error) {
+	tokens, _ := service.db.GetTokensBySessionIdAndType(session.Id, db.TokenTypeCsrf)
+
+	if len(tokens) > 0 {
+		return tokens[0].Token, nil
+	}
+
+	tokenStr, err := service.random.String(32)
+	if err != nil {
+		return "", types.ErrInternal
+	}
+
+	token := db.NewToken(uuid.Nil, session.Id, tokenStr, db.TokenTypeCsrf, service.clock.Now(), service.clock.Now().Add(24*time.Hour))
+	err = service.db.InsertToken(token)
+	if err != nil {
+		return "", types.ErrInternal
+	}
+
+	return tokenStr, nil
+}
+
 func GetHashPassword(password string, salt []byte) []byte {
 	return argon2.IDKey([]byte(password), salt, 1, 64*1024, 1, 16)
 }

service/auth_test.go

@@ -212,7 +212,7 @@ func TestSignUp(t *testing.T) {
 
 		mockClock.EXPECT().Now().Return(createTime)
 
-		mockAuthDb.EXPECT().InsertUser(db.NewUser(user.Id, user.Email, false, nil, false, GetHashPassword(password, salt), salt, createTime)).Return(db.ErrUserExists)
+		mockAuthDb.EXPECT().InsertUser(db.NewUser(user.Id, user.Email, false, nil, false, GetHashPassword(password, salt), salt, createTime)).Return(db.ErrAlreadyExists)
 
 		underTest := NewAuthImpl(mockAuthDb, mockRandom, mockClock, mockMail, &types.Settings{})
 
@@ -227,7 +227,7 @@ func TestSendVerificationMail(t *testing.T) {
 	t.Run("should use stored token and send mail", func(t *testing.T) {
 		t.Parallel()
 
-		token := db.NewToken(uuid.New(), "someRandomTokenToUse", db.TokenTypeEmailVerify, time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2020, 1, 2, 0, 0, 0, 0, time.UTC))
+		token := db.NewToken(uuid.New(), "sessionId", "someRandomTokenToUse", db.TokenTypeEmailVerify, time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2020, 1, 2, 0, 0, 0, 0, time.UTC))
 		tokens := []*db.Token{token}
 
 		email := "some@email.de"