feat(security): #286 implement csrf middleware
This commit is contained in:
115
db/auth.go
115
db/auth.go
@@ -13,8 +13,8 @@ import (
|
||||
)
|
||||
|
||||
var (
|
||||
ErrNotFound = errors.New("value not found")
|
||||
ErrUserExists = errors.New("user already exists")
|
||||
ErrNotFound = errors.New("value not found")
|
||||
ErrAlreadyExists = errors.New("row already exists")
|
||||
)
|
||||
|
||||
type User struct {
|
||||
@@ -45,32 +45,39 @@ type Session struct {
|
||||
Id string
|
||||
UserId uuid.UUID
|
||||
CreatedAt time.Time
|
||||
ExpiresAt time.Time
|
||||
}
|
||||
|
||||
func NewSession(id string, userId uuid.UUID, createdAt time.Time) *Session {
|
||||
func NewSession(id string, userId uuid.UUID, createdAt time.Time, expiresAt time.Time) *Session {
|
||||
return &Session{
|
||||
Id: id,
|
||||
UserId: userId,
|
||||
CreatedAt: createdAt,
|
||||
ExpiresAt: expiresAt,
|
||||
}
|
||||
}
|
||||
|
||||
type Token struct {
|
||||
UserId uuid.UUID
|
||||
SessionId string
|
||||
Token string
|
||||
Type string
|
||||
Type TokenType
|
||||
CreatedAt time.Time
|
||||
ExpiresAt time.Time
|
||||
}
|
||||
|
||||
type TokenType string
|
||||
|
||||
var (
|
||||
TokenTypeEmailVerify = "email_verify"
|
||||
TokenTypePasswordReset = "password_reset"
|
||||
TokenTypeEmailVerify TokenType = "email_verify"
|
||||
TokenTypePasswordReset TokenType = "password_reset"
|
||||
TokenTypeCsrf TokenType = "csrf"
|
||||
)
|
||||
|
||||
func NewToken(userId uuid.UUID, token string, tokenType string, createdAt time.Time, expiresAt time.Time) *Token {
|
||||
func NewToken(userId uuid.UUID, sessionId string, token string, tokenType TokenType, createdAt time.Time, expiresAt time.Time) *Token {
|
||||
return &Token{
|
||||
UserId: userId,
|
||||
SessionId: sessionId,
|
||||
Token: token,
|
||||
Type: tokenType,
|
||||
CreatedAt: createdAt,
|
||||
@@ -87,7 +94,8 @@ type Auth interface {
|
||||
|
||||
InsertToken(token *Token) error
|
||||
GetToken(token string) (*Token, error)
|
||||
GetTokensByUserIdAndType(userId uuid.UUID, tokenType string) ([]*Token, error)
|
||||
GetTokensByUserIdAndType(userId uuid.UUID, tokenType TokenType) ([]*Token, error)
|
||||
GetTokensBySessionIdAndType(sessionId string, tokenType TokenType) ([]*Token, error)
|
||||
DeleteToken(token string) error
|
||||
|
||||
InsertSession(session *Session) error
|
||||
@@ -106,13 +114,13 @@ func NewAuthSqlite(db *sql.DB) *AuthSqlite {
|
||||
|
||||
func (db AuthSqlite) InsertUser(user *User) error {
|
||||
_, err := db.db.Exec(`
|
||||
INSERT INTO user (user_uuid, email, email_verified, email_verified_at, is_admin, password, salt, created_at)
|
||||
INSERT INTO user (user_id, email, email_verified, email_verified_at, is_admin, password, salt, created_at)
|
||||
VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
|
||||
user.Id, user.Email, user.EmailVerified, user.EmailVerifiedAt, user.IsAdmin, user.Password, user.Salt, user.CreateAt)
|
||||
|
||||
if err != nil {
|
||||
if strings.Contains(err.Error(), "email") {
|
||||
return ErrUserExists
|
||||
return ErrAlreadyExists
|
||||
}
|
||||
|
||||
log.Error("SQL error InsertUser: %v", err)
|
||||
@@ -126,7 +134,7 @@ func (db AuthSqlite) UpdateUser(user *User) error {
|
||||
_, err := db.db.Exec(`
|
||||
UPDATE user
|
||||
SET email_verified = ?, email_verified_at = ?, password = ?
|
||||
WHERE user_uuid = ?`,
|
||||
WHERE user_id = ?`,
|
||||
user.EmailVerified, user.EmailVerifiedAt, user.Password, user.Id)
|
||||
|
||||
if err != nil {
|
||||
@@ -149,7 +157,7 @@ func (db AuthSqlite) GetUserByEmail(email string) (*User, error) {
|
||||
)
|
||||
|
||||
err := db.db.QueryRow(`
|
||||
SELECT user_uuid, email_verified, email_verified_at, password, salt, created_at
|
||||
SELECT user_id, email_verified, email_verified_at, password, salt, created_at
|
||||
FROM user
|
||||
WHERE email = ?`, email).Scan(&userId, &emailVerified, &emailVerifiedAt, &password, &salt, &createdAt)
|
||||
if err != nil {
|
||||
@@ -178,7 +186,7 @@ func (db AuthSqlite) GetUser(userId uuid.UUID) (*User, error) {
|
||||
err := db.db.QueryRow(`
|
||||
SELECT email, email_verified, email_verified_at, password, salt, created_at
|
||||
FROM user
|
||||
WHERE user_uuid = ?`, userId).Scan(&email, &emailVerified, &emailVerifiedAt, &password, &salt, &createdAt)
|
||||
WHERE user_id = ?`, userId).Scan(&email, &emailVerified, &emailVerifiedAt, &password, &salt, &createdAt)
|
||||
if err != nil {
|
||||
if err == sql.ErrNoRows {
|
||||
return nil, ErrNotFound
|
||||
@@ -206,21 +214,21 @@ func (db AuthSqlite) DeleteUser(userId uuid.UUID) error {
|
||||
return types.ErrInternal
|
||||
}
|
||||
|
||||
_, err = tx.Exec("DELETE FROM user_token WHERE user_uuid = ?", userId)
|
||||
_, err = tx.Exec("DELETE FROM token WHERE user_id = ?", userId)
|
||||
if err != nil {
|
||||
_ = tx.Rollback()
|
||||
log.Error("Could not delete user tokens: %v", err)
|
||||
return types.ErrInternal
|
||||
}
|
||||
|
||||
_, err = tx.Exec("DELETE FROM session WHERE user_uuid = ?", userId)
|
||||
_, err = tx.Exec("DELETE FROM session WHERE user_id = ?", userId)
|
||||
if err != nil {
|
||||
_ = tx.Rollback()
|
||||
log.Error("Could not delete sessions: %v", err)
|
||||
return types.ErrInternal
|
||||
}
|
||||
|
||||
_, err = tx.Exec("DELETE FROM user WHERE user_uuid = ?", userId)
|
||||
_, err = tx.Exec("DELETE FROM user WHERE user_id = ?", userId)
|
||||
if err != nil {
|
||||
_ = tx.Rollback()
|
||||
log.Error("Could not delete user: %v", err)
|
||||
@@ -238,8 +246,8 @@ func (db AuthSqlite) DeleteUser(userId uuid.UUID) error {
|
||||
|
||||
func (db AuthSqlite) InsertToken(token *Token) error {
|
||||
_, err := db.db.Exec(`
|
||||
INSERT INTO user_token (user_uuid, type, token, created_at, expires_at)
|
||||
VALUES (?, ?, ?, ?, ?)`, token.UserId, token.Type, token.Token, token.CreatedAt, token.ExpiresAt)
|
||||
INSERT INTO token (user_id, session_id, type, token, created_at, expires_at)
|
||||
VALUES (?, ?, ?, ?, ?, ?)`, token.UserId, token.SessionId, token.Type, token.Token, token.CreatedAt, token.ExpiresAt)
|
||||
|
||||
if err != nil {
|
||||
log.Error("Could not insert token: %v", err)
|
||||
@@ -252,7 +260,8 @@ func (db AuthSqlite) InsertToken(token *Token) error {
|
||||
func (db AuthSqlite) GetToken(token string) (*Token, error) {
|
||||
var (
|
||||
userId uuid.UUID
|
||||
tokenType string
|
||||
sessionId string
|
||||
tokenType TokenType
|
||||
createdAtStr string
|
||||
expiresAtStr string
|
||||
createdAt time.Time
|
||||
@@ -260,10 +269,9 @@ func (db AuthSqlite) GetToken(token string) (*Token, error) {
|
||||
)
|
||||
|
||||
err := db.db.QueryRow(`
|
||||
SELECT user_uuid, type, created_at, expires_at
|
||||
FROM user_token
|
||||
WHERE token = ?
|
||||
AND type = 'email_verify'`, token).Scan(&userId, &tokenType, &createdAtStr, &expiresAtStr)
|
||||
SELECT user_id, session_id, type, created_at, expires_at
|
||||
FROM token
|
||||
WHERE token = ?`, token).Scan(&userId, &sessionId, &tokenType, &createdAtStr, &expiresAtStr)
|
||||
|
||||
if err != nil {
|
||||
if err == sql.ErrNoRows {
|
||||
@@ -287,15 +295,15 @@ func (db AuthSqlite) GetToken(token string) (*Token, error) {
|
||||
return nil, types.ErrInternal
|
||||
}
|
||||
|
||||
return NewToken(userId, token, tokenType, createdAt, expiresAt), nil
|
||||
return NewToken(userId, sessionId, token, tokenType, createdAt, expiresAt), nil
|
||||
}
|
||||
|
||||
func (db AuthSqlite) GetTokensByUserIdAndType(userId uuid.UUID, tokenType string) ([]*Token, error) {
|
||||
func (db AuthSqlite) GetTokensByUserIdAndType(userId uuid.UUID, tokenType TokenType) ([]*Token, error) {
|
||||
|
||||
query, err := db.db.Query(`
|
||||
SELECT token, created_at, expires_at
|
||||
FROM user_token
|
||||
WHERE user_uuid = ?
|
||||
FROM token
|
||||
WHERE user_id = ?
|
||||
AND type = ?`, userId, tokenType)
|
||||
|
||||
if err != nil {
|
||||
@@ -303,9 +311,32 @@ func (db AuthSqlite) GetTokensByUserIdAndType(userId uuid.UUID, tokenType string
|
||||
return nil, types.ErrInternal
|
||||
}
|
||||
|
||||
return getTokensFromQuery(query, userId, "", tokenType)
|
||||
}
|
||||
|
||||
func (db AuthSqlite) GetTokensBySessionIdAndType(sessionId string, tokenType TokenType) ([]*Token, error) {
|
||||
|
||||
query, err := db.db.Query(`
|
||||
SELECT token, created_at, expires_at
|
||||
FROM token
|
||||
WHERE session_id = ?
|
||||
AND type = ?`, sessionId, tokenType)
|
||||
|
||||
if err != nil {
|
||||
log.Error("Could not get token: %v", err)
|
||||
return nil, types.ErrInternal
|
||||
}
|
||||
|
||||
return getTokensFromQuery(query, uuid.Nil, sessionId, tokenType)
|
||||
}
|
||||
|
||||
func getTokensFromQuery(query *sql.Rows, userId uuid.UUID, sessionId string, tokenType TokenType) ([]*Token, error) {
|
||||
var tokens []*Token
|
||||
|
||||
hasRows := false
|
||||
for query.Next() {
|
||||
hasRows = true
|
||||
|
||||
var (
|
||||
token string
|
||||
createdAtStr string
|
||||
@@ -332,14 +363,18 @@ func (db AuthSqlite) GetTokensByUserIdAndType(userId uuid.UUID, tokenType string
|
||||
return nil, types.ErrInternal
|
||||
}
|
||||
|
||||
tokens = append(tokens, NewToken(userId, token, tokenType, createdAt, expiresAt))
|
||||
tokens = append(tokens, NewToken(userId, sessionId, token, tokenType, createdAt, expiresAt))
|
||||
}
|
||||
|
||||
if !hasRows {
|
||||
return nil, ErrNotFound
|
||||
}
|
||||
|
||||
return tokens, nil
|
||||
}
|
||||
|
||||
func (db AuthSqlite) DeleteToken(token string) error {
|
||||
_, err := db.db.Exec("DELETE FROM user_token WHERE token = ?", token)
|
||||
_, err := db.db.Exec("DELETE FROM token WHERE token = ?", token)
|
||||
if err != nil {
|
||||
log.Error("Could not delete token: %v", err)
|
||||
return types.ErrInternal
|
||||
@@ -350,11 +385,11 @@ func (db AuthSqlite) DeleteToken(token string) error {
|
||||
func (db AuthSqlite) InsertSession(session *Session) error {
|
||||
|
||||
_, err := db.db.Exec(`
|
||||
INSERT INTO session (session_id, user_uuid, created_at)
|
||||
VALUES (?, ?, ?)`, session.Id, session.UserId, session.CreatedAt)
|
||||
INSERT INTO session (session_id, user_id, created_at, expires_at)
|
||||
VALUES (?, ?, ?, ?)`, session.Id, session.UserId, session.CreatedAt, session.ExpiresAt)
|
||||
|
||||
if err != nil {
|
||||
log.Error("Could not insert new session", err)
|
||||
log.Error("Could not insert new session %v", err)
|
||||
return types.ErrInternal
|
||||
}
|
||||
|
||||
@@ -364,26 +399,26 @@ func (db AuthSqlite) InsertSession(session *Session) error {
|
||||
func (db AuthSqlite) GetSession(sessionId string) (*Session, error) {
|
||||
|
||||
var (
|
||||
userId uuid.UUID
|
||||
sessionCreatedAt time.Time
|
||||
userId uuid.UUID
|
||||
createdAt time.Time
|
||||
expiresAt time.Time
|
||||
)
|
||||
|
||||
err := db.db.QueryRow(`
|
||||
SELECT u.user_uuid, s.created_at
|
||||
FROM session s
|
||||
INNER JOIN user u ON s.user_uuid = u.user_uuid
|
||||
WHERE session_id = ?`, sessionId).Scan(&userId, &sessionCreatedAt)
|
||||
SELECT user_id, created_at, expires_at
|
||||
FROM session
|
||||
WHERE session_id = ?`, sessionId).Scan(&userId, &createdAt, &expiresAt)
|
||||
|
||||
if err != nil {
|
||||
return nil, ErrNotFound
|
||||
}
|
||||
|
||||
return NewSession(sessionId, userId, sessionCreatedAt), nil
|
||||
return NewSession(sessionId, userId, createdAt, expiresAt), nil
|
||||
}
|
||||
|
||||
func (db AuthSqlite) DeleteOldSessions(userId uuid.UUID) error {
|
||||
// Delete old inactive sessions
|
||||
_, err := db.db.Exec("DELETE FROM session WHERE created_at < datetime('now','-8 hours') AND user_uuid = ?", userId)
|
||||
_, err := db.db.Exec("DELETE FROM session WHERE created_at < datetime('now','-8 hours') AND user_id = ?", userId)
|
||||
if err != nil {
|
||||
log.Error("Could not delete old sessions: %v", err)
|
||||
return types.ErrInternal
|
||||
|
||||
Reference in New Issue
Block a user