fix: migrate sigin to testable code #181

db/auth.go

@@ -6,6 +6,7 @@ import (
 
 	"database/sql"
 	"errors"
+	"strings"
 	"time"
 
 	"github.com/google/uuid"
@@ -13,6 +14,7 @@ import (
 
 var (
 	ErrUserNotFound = errors.New("User not found")
+	ErrUserExists   = errors.New("User already exists")
 )
 
 type User struct {
@@ -41,6 +43,10 @@ func NewUser(id uuid.UUID, email string, emailVerified bool, emailVerifiedAt *ti
 
 type DbAuth interface {
 	GetUser(email string) (*User, error)
+	InsertUser(user *User) error
+
+	GetEmailVerificationToken(userId uuid.UUID) (string, error)
+	InsertEmailVerificationToken(userId uuid.UUID, token string) error
 }
 
 type DbAuthSqlite struct {
@@ -77,3 +83,49 @@ func (db DbAuthSqlite) GetUser(email string) (*User, error) {
 
 	return NewUser(userId, email, emailVerified, emailVerifiedAt, isAdmin, password, salt, createdAt), nil
 }
+func (db DbAuthSqlite) InsertUser(user *User) error {
+	_, err := db.db.Exec(`
+		INSERT INTO user (user_uuid, email, email_verified, email_verified_at, is_admin, password, salt, created_at) 
+		VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
+		user.Id, user.Email, user.EmailVerified, user.EmailVerifiedAt, user.IsAdmin, user.Password, user.Salt, user.CreateAt)
+
+	if err != nil {
+		if strings.Contains(err.Error(), "email") {
+			return ErrUserExists
+		}
+
+		utils.LogError("SQL error InsertUser", err)
+		return types.ErrInternal
+	}
+
+	return nil
+}
+
+func (db DbAuthSqlite) GetEmailVerificationToken(userId uuid.UUID) (string, error) {
+	var token string
+
+	err := db.db.QueryRow(`
+		SELECT token 
+		FROM user_token 
+		WHERE user_uuid = ? 
+		AND type = 'email_verify'`, userId).Scan(&token)
+
+	if err != nil && err != sql.ErrNoRows {
+		utils.LogError("Could not get token", err)
+		return "", types.ErrInternal
+	}
+
+	return token, nil
+}
+func (db DbAuthSqlite) InsertEmailVerificationToken(userId uuid.UUID, token string) error {
+	_, err := db.db.Exec(`
+		INSERT INTO user_token (user_uuid, type, token, created_at) 
+		VALUES (?, 'email_verify', ?, datetime())`, userId, token)
+
+	if err != nil {
+		utils.LogError("Could not insert token", err)
+		return types.ErrInternal
+	}
+
+	return nil
+}

db/auth_test.go

@@ -4,6 +4,7 @@ import (
 	"me-fit/utils"
 
 	"database/sql"
+	"errors"
 	"reflect"
 	"testing"
 	"time"
@@ -16,6 +17,9 @@ func setupDb(t *testing.T) *sql.DB {
 	if err != nil {
 		t.Fatalf("Error opening database: %v", err)
 	}
+	t.Cleanup(func() {
+		db.Close()
+	})
 
 	err = utils.RunMigrations(db, "../")
 	if err != nil {
@@ -31,7 +35,6 @@ func TestGetUser(t *testing.T) {
 	t.Run("should return UserNotFound", func(t *testing.T) {
 		t.Parallel()
 		db := setupDb(t)
-		defer db.Close()
 
 		underTest := DbAuthSqlite{db: db}
 
@@ -44,7 +47,6 @@ func TestGetUser(t *testing.T) {
 	t.Run("should find user in database", func(t *testing.T) {
 		t.Parallel()
 		db := setupDb(t)
-		defer db.Close()
 
 		underTest := DbAuthSqlite{db: db}
 
@@ -69,5 +71,53 @@ func TestGetUser(t *testing.T) {
 			t.Errorf("Expected %v, got %v", user, actual)
 		}
 	})
-
+}
+func TestInsertUser(t *testing.T) {
+	t.Parallel()
+
+	t.Run("should insert user", func(t *testing.T) {
+		t.Parallel()
+		db := setupDb(t)
+
+		underTest := DbAuthSqlite{db: db}
+
+		verifiedAt := time.Date(2020, 1, 5, 13, 0, 0, 0, time.UTC)
+		createAt := time.Date(2020, 1, 5, 12, 0, 0, 0, time.UTC)
+		user := NewUser(uuid.New(), "some@email.de", true, &verifiedAt, false, []byte("somePass"), []byte("someSalt"), createAt)
+
+		err := underTest.InsertUser(user)
+		if err != nil {
+			t.Fatalf("Error inserting user: %v", err)
+		}
+
+		actual, err := underTest.GetUser(user.Email)
+		if err != nil {
+			t.Fatalf("Error getting user: %v", err)
+		}
+
+		if !reflect.DeepEqual(user, actual) {
+			t.Errorf("Expected %v, got %v", user, actual)
+		}
+	})
+
+	t.Run("should throw error if user already exists", func(t *testing.T) {
+		t.Parallel()
+		db := setupDb(t)
+
+		underTest := DbAuthSqlite{db: db}
+
+		verifiedAt := time.Date(2020, 1, 5, 13, 0, 0, 0, time.UTC)
+		createAt := time.Date(2020, 1, 5, 12, 0, 0, 0, time.UTC)
+		user := NewUser(uuid.New(), "some@email.de", true, &verifiedAt, false, []byte("somePass"), []byte("someSalt"), createAt)
+
+		err := underTest.InsertUser(user)
+		if err != nil {
+			t.Fatalf("Error inserting user: %v", err)
+		}
+
+		err = underTest.InsertUser(user)
+		if !errors.Is(err, ErrUserExists) {
+			t.Fatalf("Error inserting user: %v", err)
+		}
+	})
 }

handler/auth.go

@@ -8,6 +8,7 @@ import (
 	"me-fit/utils"
 
 	"database/sql"
+	"errors"
 	"net/http"
 	"time"
 )
@@ -33,13 +34,13 @@ func NewHandlerAuth(db *sql.DB, service service.ServiceAuth, serverSettings *typ
 func (handler HandlerAuthImpl) handle(router *http.ServeMux) {
 	// Don't use auth middleware for these routes, as it makes redirecting very difficult, if the mail is not yet verified
 	router.Handle("/auth/signin", handler.handleSignInPage())
-	router.Handle("/auth/signup", service.HandleSignUpPage(handler.db, handler.serverSettings))
+	router.Handle("/auth/signup", handler.handleSignUpPage())
 	router.Handle("/auth/verify", service.HandleSignUpVerifyPage(handler.db, handler.serverSettings)) // Hint for the user to verify their email
 	router.Handle("/auth/delete-account", service.HandleDeleteAccountPage(handler.db, handler.serverSettings))
 	router.Handle("/auth/verify-email", service.HandleSignUpVerifyResponsePage(handler.db)) // The link contained in the email
 	router.Handle("/auth/change-password", service.HandleChangePasswordPage(handler.db, handler.serverSettings))
 	router.Handle("/auth/reset-password", service.HandleResetPasswordPage(handler.db, handler.serverSettings))
-	router.Handle("/api/auth/signup", service.HandleSignUpComp(handler.db, handler.serverSettings))
+	router.Handle("/api/auth/signup", handler.handleSignUp())
 	router.Handle("/api/auth/signin", handler.handleSignIn())
 	router.Handle("/api/auth/signout", service.HandleSignOutComp(handler.db))
 	router.Handle("/api/auth/delete-account", service.HandleDeleteAccountComp(handler.db, handler.serverSettings))
@@ -74,7 +75,6 @@ func (handler HandlerAuthImpl) handleSignInPage() http.HandlerFunc {
 		}
 	}
 }
-
 func (handler HandlerAuthImpl) handleSignIn() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		user, err := utils.WaitMinimumTime(securityWaitDuration, func() (*service.User, error) {
@@ -112,3 +112,54 @@ func (handler HandlerAuthImpl) handleSignIn() http.HandlerFunc {
 		}
 	}
 }
+
+func (handler HandlerAuthImpl) handleSignUpPage() http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		user := utils.GetUserFromSession(handler.db, r)
+
+		if user == nil {
+			userComp := service.UserInfoComp(nil)
+			signUpComp := auth.SignInOrUpComp(false)
+			err := template.Layout(signUpComp, userComp, handler.serverSettings.Environment).Render(r.Context(), w)
+
+			if err != nil {
+				utils.LogError("Failed to render sign up page", err)
+				http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+			}
+
+		} else if !user.EmailVerified {
+			utils.DoRedirect(w, r, "/auth/verify")
+		} else {
+			utils.DoRedirect(w, r, "/")
+		}
+	}
+}
+func (handler HandlerAuthImpl) handleSignUp() http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var email = r.FormValue("email")
+		var password = r.FormValue("password")
+
+		_, err := utils.WaitMinimumTime(securityWaitDuration, func() (interface{}, error) {
+			user, err := handler.service.SignUp(email, password)
+			if err != nil {
+				return nil, err
+			}
+
+			go handler.service.SendVerificationMail(user)
+			return nil, nil
+		})
+
+		if err != nil {
+			if errors.Is(err, types.ErrInternal) {
+				utils.TriggerToast(w, r, "error", "An error occurred")
+				return
+			} else if errors.Is(err, service.ErrInvalidEmail) {
+				utils.TriggerToast(w, r, "error", "The email provided is invalid")
+				return
+			}
+			// If the "service.ErrAccountExists", then just continue
+		}
+
+		utils.TriggerToast(w, r, "success", "A link to activate your account has been emailed to the address provided.")
+	}
+}

handler/default.go

@@ -15,7 +15,9 @@ func GetHandler(d *sql.DB, serverSettings *types.ServerSettings) http.Handler {
 
 	router.HandleFunc("/", service.HandleIndexAnd404(d, serverSettings))
 
-	handlerAuth := NewHandlerAuth(d, service.NewServiceAuthImpl(db.NewDbAuthSqlite(d)), serverSettings)
+	dbAuth := db.NewDbAuthSqlite(d)
+	serviceAuth := service.NewServiceAuthImpl(d, dbAuth, serverSettings)
+	handlerAuth := NewHandlerAuth(d, serviceAuth, serverSettings)
 
 	// Serve static files (CSS, JS and images)
 	router.Handle("/static/", http.StripPrefix("/static/", http.FileServer(http.Dir("./static/"))))

service/auth.go

@@ -11,6 +11,7 @@ import (
 	"net/mail"
 	"net/url"
 	"strings"
+	"time"
 
 	"me-fit/db"
 	"me-fit/template"
@@ -27,6 +28,8 @@ import (
 var (
 	ErrInvaidCredentials  = errors.New("Invalid email or password")
 	ErrPasswordComplexity = errors.New("Password needs to be 8 characters long, contain at least one number, one special, one uppercase and one lowercase character")
+	ErrInvalidEmail       = errors.New("Invalid email")
+	ErrAccountExists      = errors.New("Account already exists")
 )
 
 type User struct {
@@ -45,20 +48,28 @@ func NewUser(user *db.User) *User {
 
 type ServiceAuth interface {
 	SignIn(email string, password string) (*User, error)
+	SignUp(email string, password string) (*User, error)
+	SendVerificationMail(user *User)
 }
 
 type ServiceAuthImpl struct {
-	dbAuth db.DbAuth
+	//TODO remove db
+	db             *sql.DB
+	dbAuth         db.DbAuth
+	serverSettings *types.ServerSettings
+	mailService    MailService
 }
 
-func NewServiceAuthImpl(dbAuth db.DbAuth) *ServiceAuthImpl {
+func NewServiceAuthImpl(db *sql.DB, dbAuth db.DbAuth, serverSettings *types.ServerSettings) *ServiceAuthImpl {
 	return &ServiceAuthImpl{
-		dbAuth: dbAuth,
+		db:             db,
+		dbAuth:         dbAuth,
+		serverSettings: serverSettings,
+		mailService:    NewMailService(serverSettings),
 	}
 }
 
 func (service ServiceAuthImpl) SignIn(email string, password string) (*User, error) {
-
 	user, err := service.dbAuth.GetUser(email)
 	if err != nil {
 		if errors.Is(err, db.ErrUserNotFound) {
@@ -77,30 +88,79 @@ func (service ServiceAuthImpl) SignIn(email string, password string) (*User, err
 	return NewUser(user), nil
 }
 
-// TODO
+func (service ServiceAuthImpl) SignUp(email string, password string) (*User, error) {
+	_, err := mail.ParseAddress(email)
+	if err != nil {
+		return nil, ErrInvalidEmail
+	}
 
-func HandleSignUpPage(db *sql.DB, serverSettings *types.ServerSettings) http.HandlerFunc {
+	err = checkPassword(password)
-	return func(w http.ResponseWriter, r *http.Request) {
+	if err != nil {
-		user := utils.GetUserFromSession(db, r)
+		return nil, err
+	}
 
-		if user == nil {
+	userId, err := uuid.NewRandom()
-			userComp := UserInfoComp(nil)
+	if err != nil {
-			signUpComp := auth.SignInOrUpComp(false)
+		utils.LogError("Could not generate UUID", err)
-			err := template.Layout(signUpComp, userComp, serverSettings.Environment).Render(r.Context(), w)
+		return nil, types.ErrInternal
+	}
 
-			if err != nil {
+	salt := make([]byte, 16)
-				utils.LogError("Failed to render sign up page", err)
+	_, err = rand.Read(salt)
-				http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+	if err != nil {
-			}
+		utils.LogError("Could not generate salt", err)
+		return nil, types.ErrInternal
+	}
 
-		} else if !user.EmailVerified {
+	hash := GetHashPassword(password, salt)
-			utils.DoRedirect(w, r, "/auth/verify")
+
+	dbUser := db.NewUser(userId, email, false, nil, false, hash, salt, time.Now())
+
+	err = service.dbAuth.InsertUser(dbUser)
+	if err != nil {
+		if err == db.ErrUserExists {
+			return nil, ErrAccountExists
 		} else {
-			utils.DoRedirect(w, r, "/")
+			return nil, types.ErrInternal
 		}
 	}
+
+	return NewUser(dbUser), nil
 }
 
+func (service ServiceAuthImpl) SendVerificationMail(user *User) {
+	var token string
+
+	token, err := service.dbAuth.GetEmailVerificationToken(user.Id)
+	if err != nil {
+		return
+	}
+
+	if token == "" {
+		token, err := utils.RandomToken()
+		if err != nil {
+			utils.LogError("Could not generate token", err)
+			return
+		}
+
+		err = service.dbAuth.InsertEmailVerificationToken(user.Id, token)
+		if err != nil {
+			return
+		}
+	}
+
+	var w strings.Builder
+	err = tempMail.Register(service.serverSettings.BaseUrl, token).Render(context.Background(), &w)
+	if err != nil {
+		utils.LogError("Could not render welcome email", err)
+		return
+	}
+
+	service.mailService.SendMail(user.Email, "Welcome to ME-FIT", w.String())
+}
+
+// TODO
+
 func HandleSignUpVerifyPage(db *sql.DB, serverSettings *types.ServerSettings) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		user := utils.GetUserFromSession(db, r)
@@ -227,69 +287,6 @@ func UserInfoComp(user *types.User) templ.Component {
 	}
 }
 
-func HandleSignUpComp(db *sql.DB, serverSettings *types.ServerSettings) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		var email = r.FormValue("email")
-		var password = r.FormValue("password")
-
-		_, err := mail.ParseAddress(email)
-		if err != nil {
-			http.Error(w, "Invalid email", http.StatusBadRequest)
-			return
-		}
-
-		err = checkPassword(password)
-		if err != nil {
-			http.Error(w, err.Error(), http.StatusBadRequest)
-			return
-		}
-
-		userId, err := uuid.NewRandom()
-		if err != nil {
-			utils.LogError("Could not generate UUID", err)
-			auth.Error("Internal Server Error").Render(r.Context(), w)
-			return
-		}
-
-		salt := make([]byte, 16)
-		_, err = rand.Read(salt)
-		if err != nil {
-			utils.LogError("Could not generate salt", err)
-			auth.Error("Internal Server Error").Render(r.Context(), w)
-			return
-		}
-
-		hash := GetHashPassword(password, salt)
-
-		_, err = db.Exec("INSERT INTO user (user_uuid, email, email_verified, is_admin, password, salt, created_at) VALUES (?, ?, FALSE, FALSE, ?, ?, datetime())", userId, email, hash, salt)
-		if err != nil {
-			// This does leak information about the email being in use, though not specifically stated
-			// It needs to be refacoteres to "If the email is not already in use, an email has been send to your address", or something
-			// The happy path, currently a redirect, needs to send the same message!
-			// Then it is also important to have the same compute time in both paths
-			// Otherwise an attacker could guess emails when comparing the response time
-			if strings.Contains(err.Error(), "email") {
-				auth.Error("Bad Request").Render(r.Context(), w)
-				return
-			}
-
-			utils.LogError("Could not insert user", err)
-			auth.Error("Internal Server Error").Render(r.Context(), w)
-			return
-		}
-
-		err = TryCreateSessionAndSetCookie(r, w, db, userId)
-		if err != nil {
-			return
-		}
-
-		// Send verification email as a goroutine
-		go sendVerificationEmail(db, userId.String(), email, serverSettings)
-
-		utils.DoRedirect(w, r, "/auth/verify")
-	}
-}
-
 func HandleSignOutComp(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		user := utils.GetUserFromSession(db, r)
@@ -394,7 +391,8 @@ func HandleVerifyResendComp(db *sql.DB, serverSettings *types.ServerSettings) ht
 			return
 		}
 
-		go sendVerificationEmail(db, user.Id.String(), user.Email, serverSettings)
+		// TODO
+		// go sendVerificationEmail(db, user.Id.String(), user.Email, serverSettings)
 
 		w.Write([]byte("<p class=\"mt-8\">Verification email sent</p>"))
 	}
@@ -566,39 +564,6 @@ func HandleResetPasswordComp(db *sql.DB, serverSettings *types.ServerSettings) h
 	}
 }
 
-func sendVerificationEmail(db *sql.DB, userId string, email string, serverSettings *types.ServerSettings) {
-
-	var token string
-	err := db.QueryRow("SELECT token FROM user_token WHERE user_uuid = ? AND type = 'email_verify'", userId).Scan(&token)
-	if err != nil && err != sql.ErrNoRows {
-		utils.LogError("Could not get token", err)
-		return
-	}
-
-	if token == "" {
-		token, err := utils.RandomToken()
-		if err != nil {
-			utils.LogError("Could not generate token", err)
-			return
-		}
-
-		_, err = db.Exec("INSERT INTO user_token (user_uuid, type, token, created_at) VALUES (?, 'email_verify', ?, datetime())", userId, token)
-		if err != nil {
-			utils.LogError("Could not insert token", err)
-			return
-		}
-	}
-
-	var w strings.Builder
-	err = tempMail.Register(serverSettings.BaseUrl, token).Render(context.Background(), &w)
-	if err != nil {
-		utils.LogError("Could not render welcome email", err)
-		return
-	}
-	mailService := NewMailService(serverSettings)
-	mailService.SendMail(email, "Welcome to ME-FIT", w.String())
-}
-
 func TryCreateSessionAndSetCookie(r *http.Request, w http.ResponseWriter, db *sql.DB, user_uuid uuid.UUID) error {
 	sessionId, err := utils.RandomToken()
 	if err != nil {

service/auth_test.go

@@ -19,6 +19,15 @@ type DbAuthStub struct {
 func (d DbAuthStub) GetUser(email string) (*db.User, error) {
 	return d.user, d.err
 }
+func (d DbAuthStub) InsertUser(user *db.User) error {
+	return nil
+}
+func (d DbAuthStub) GetEmailVerificationToken(userId uuid.UUID) (string, error) {
+	return "", nil
+}
+func (d DbAuthStub) InsertEmailVerificationToken(userId uuid.UUID, token string) error {
+	return nil
+}
 
 func TestSignIn(t *testing.T) {
 	t.Parallel()
@@ -39,7 +48,7 @@ func TestSignIn(t *testing.T) {
 			),
 			err: nil,
 		}
-		underTest := NewServiceAuthImpl(stub)
+		underTest := NewServiceAuthImpl(nil, stub, &types.ServerSettings{})
 
 		actualUser, err := underTest.SignIn("test@test.de", "password")
 		if err != nil {
@@ -73,7 +82,7 @@ func TestSignIn(t *testing.T) {
 			),
 			err: nil,
 		}
-		underTest := NewServiceAuthImpl(stub)
+		underTest := NewServiceAuthImpl(nil, stub, &types.ServerSettings{})
 
 		_, err := underTest.SignIn("test@test.de", "wrong password")
 		if err != ErrInvaidCredentials {
@@ -86,7 +95,7 @@ func TestSignIn(t *testing.T) {
 			user: nil,
 			err:  db.ErrUserNotFound,
 		}
-		underTest := NewServiceAuthImpl(stub)
+		underTest := NewServiceAuthImpl(nil, stub, &types.ServerSettings{})
 
 		_, err := underTest.SignIn("test", "test")
 		if err != ErrInvaidCredentials {
@@ -99,7 +108,7 @@ func TestSignIn(t *testing.T) {
 			user: nil,
 			err:  errors.New("Some error"),
 		}
-		underTest := NewServiceAuthImpl(stub)
+		underTest := NewServiceAuthImpl(nil, stub, &types.ServerSettings{})
 
 		_, err := underTest.SignIn("test", "test")
 		if err != types.ErrInternal {