diff --git a/db/auth.go b/db/auth.go index 76c010b..d99a2b0 100644 --- a/db/auth.go +++ b/db/auth.go @@ -6,6 +6,7 @@ import ( "database/sql" "errors" + "strings" "time" "github.com/google/uuid" @@ -13,6 +14,7 @@ import ( var ( ErrUserNotFound = errors.New("User not found") + ErrUserExists = errors.New("User already exists") ) type User struct { @@ -41,6 +43,10 @@ func NewUser(id uuid.UUID, email string, emailVerified bool, emailVerifiedAt *ti type DbAuth interface { GetUser(email string) (*User, error) + InsertUser(user *User) error + + GetEmailVerificationToken(userId uuid.UUID) (string, error) + InsertEmailVerificationToken(userId uuid.UUID, token string) error } type DbAuthSqlite struct { @@ -77,3 +83,49 @@ func (db DbAuthSqlite) GetUser(email string) (*User, error) { return NewUser(userId, email, emailVerified, emailVerifiedAt, isAdmin, password, salt, createdAt), nil } +func (db DbAuthSqlite) InsertUser(user *User) error { + _, err := db.db.Exec(` + INSERT INTO user (user_uuid, email, email_verified, email_verified_at, is_admin, password, salt, created_at) + VALUES (?, ?, ?, ?, ?, ?, ?, ?)`, + user.Id, user.Email, user.EmailVerified, user.EmailVerifiedAt, user.IsAdmin, user.Password, user.Salt, user.CreateAt) + + if err != nil { + if strings.Contains(err.Error(), "email") { + return ErrUserExists + } + + utils.LogError("SQL error InsertUser", err) + return types.ErrInternal + } + + return nil +} + +func (db DbAuthSqlite) GetEmailVerificationToken(userId uuid.UUID) (string, error) { + var token string + + err := db.db.QueryRow(` + SELECT token + FROM user_token + WHERE user_uuid = ? + AND type = 'email_verify'`, userId).Scan(&token) + + if err != nil && err != sql.ErrNoRows { + utils.LogError("Could not get token", err) + return "", types.ErrInternal + } + + return token, nil +} +func (db DbAuthSqlite) InsertEmailVerificationToken(userId uuid.UUID, token string) error { + _, err := db.db.Exec(` + INSERT INTO user_token (user_uuid, type, token, created_at) + VALUES (?, 'email_verify', ?, datetime())`, userId, token) + + if err != nil { + utils.LogError("Could not insert token", err) + return types.ErrInternal + } + + return nil +} diff --git a/db/auth_test.go b/db/auth_test.go index 48c6168..95e714d 100644 --- a/db/auth_test.go +++ b/db/auth_test.go @@ -4,6 +4,7 @@ import ( "me-fit/utils" "database/sql" + "errors" "reflect" "testing" "time" @@ -16,6 +17,9 @@ func setupDb(t *testing.T) *sql.DB { if err != nil { t.Fatalf("Error opening database: %v", err) } + t.Cleanup(func() { + db.Close() + }) err = utils.RunMigrations(db, "../") if err != nil { @@ -31,7 +35,6 @@ func TestGetUser(t *testing.T) { t.Run("should return UserNotFound", func(t *testing.T) { t.Parallel() db := setupDb(t) - defer db.Close() underTest := DbAuthSqlite{db: db} @@ -44,7 +47,6 @@ func TestGetUser(t *testing.T) { t.Run("should find user in database", func(t *testing.T) { t.Parallel() db := setupDb(t) - defer db.Close() underTest := DbAuthSqlite{db: db} @@ -69,5 +71,53 @@ func TestGetUser(t *testing.T) { t.Errorf("Expected %v, got %v", user, actual) } }) - +} +func TestInsertUser(t *testing.T) { + t.Parallel() + + t.Run("should insert user", func(t *testing.T) { + t.Parallel() + db := setupDb(t) + + underTest := DbAuthSqlite{db: db} + + verifiedAt := time.Date(2020, 1, 5, 13, 0, 0, 0, time.UTC) + createAt := time.Date(2020, 1, 5, 12, 0, 0, 0, time.UTC) + user := NewUser(uuid.New(), "some@email.de", true, &verifiedAt, false, []byte("somePass"), []byte("someSalt"), createAt) + + err := underTest.InsertUser(user) + if err != nil { + t.Fatalf("Error inserting user: %v", err) + } + + actual, err := underTest.GetUser(user.Email) + if err != nil { + t.Fatalf("Error getting user: %v", err) + } + + if !reflect.DeepEqual(user, actual) { + t.Errorf("Expected %v, got %v", user, actual) + } + }) + + t.Run("should throw error if user already exists", func(t *testing.T) { + t.Parallel() + db := setupDb(t) + + underTest := DbAuthSqlite{db: db} + + verifiedAt := time.Date(2020, 1, 5, 13, 0, 0, 0, time.UTC) + createAt := time.Date(2020, 1, 5, 12, 0, 0, 0, time.UTC) + user := NewUser(uuid.New(), "some@email.de", true, &verifiedAt, false, []byte("somePass"), []byte("someSalt"), createAt) + + err := underTest.InsertUser(user) + if err != nil { + t.Fatalf("Error inserting user: %v", err) + } + + err = underTest.InsertUser(user) + if !errors.Is(err, ErrUserExists) { + t.Fatalf("Error inserting user: %v", err) + } + }) } diff --git a/handler/auth.go b/handler/auth.go index 9267fee..6c7529a 100644 --- a/handler/auth.go +++ b/handler/auth.go @@ -8,6 +8,7 @@ import ( "me-fit/utils" "database/sql" + "errors" "net/http" "time" ) @@ -33,13 +34,13 @@ func NewHandlerAuth(db *sql.DB, service service.ServiceAuth, serverSettings *typ func (handler HandlerAuthImpl) handle(router *http.ServeMux) { // Don't use auth middleware for these routes, as it makes redirecting very difficult, if the mail is not yet verified router.Handle("/auth/signin", handler.handleSignInPage()) - router.Handle("/auth/signup", service.HandleSignUpPage(handler.db, handler.serverSettings)) + router.Handle("/auth/signup", handler.handleSignUpPage()) router.Handle("/auth/verify", service.HandleSignUpVerifyPage(handler.db, handler.serverSettings)) // Hint for the user to verify their email router.Handle("/auth/delete-account", service.HandleDeleteAccountPage(handler.db, handler.serverSettings)) router.Handle("/auth/verify-email", service.HandleSignUpVerifyResponsePage(handler.db)) // The link contained in the email router.Handle("/auth/change-password", service.HandleChangePasswordPage(handler.db, handler.serverSettings)) router.Handle("/auth/reset-password", service.HandleResetPasswordPage(handler.db, handler.serverSettings)) - router.Handle("/api/auth/signup", service.HandleSignUpComp(handler.db, handler.serverSettings)) + router.Handle("/api/auth/signup", handler.handleSignUp()) router.Handle("/api/auth/signin", handler.handleSignIn()) router.Handle("/api/auth/signout", service.HandleSignOutComp(handler.db)) router.Handle("/api/auth/delete-account", service.HandleDeleteAccountComp(handler.db, handler.serverSettings)) @@ -74,7 +75,6 @@ func (handler HandlerAuthImpl) handleSignInPage() http.HandlerFunc { } } } - func (handler HandlerAuthImpl) handleSignIn() http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { user, err := utils.WaitMinimumTime(securityWaitDuration, func() (*service.User, error) { @@ -112,3 +112,54 @@ func (handler HandlerAuthImpl) handleSignIn() http.HandlerFunc { } } } + +func (handler HandlerAuthImpl) handleSignUpPage() http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { + user := utils.GetUserFromSession(handler.db, r) + + if user == nil { + userComp := service.UserInfoComp(nil) + signUpComp := auth.SignInOrUpComp(false) + err := template.Layout(signUpComp, userComp, handler.serverSettings.Environment).Render(r.Context(), w) + + if err != nil { + utils.LogError("Failed to render sign up page", err) + http.Error(w, "Internal Server Error", http.StatusInternalServerError) + } + + } else if !user.EmailVerified { + utils.DoRedirect(w, r, "/auth/verify") + } else { + utils.DoRedirect(w, r, "/") + } + } +} +func (handler HandlerAuthImpl) handleSignUp() http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { + var email = r.FormValue("email") + var password = r.FormValue("password") + + _, err := utils.WaitMinimumTime(securityWaitDuration, func() (interface{}, error) { + user, err := handler.service.SignUp(email, password) + if err != nil { + return nil, err + } + + go handler.service.SendVerificationMail(user) + return nil, nil + }) + + if err != nil { + if errors.Is(err, types.ErrInternal) { + utils.TriggerToast(w, r, "error", "An error occurred") + return + } else if errors.Is(err, service.ErrInvalidEmail) { + utils.TriggerToast(w, r, "error", "The email provided is invalid") + return + } + // If the "service.ErrAccountExists", then just continue + } + + utils.TriggerToast(w, r, "success", "A link to activate your account has been emailed to the address provided.") + } +} diff --git a/handler/default.go b/handler/default.go index be45239..af9eb74 100644 --- a/handler/default.go +++ b/handler/default.go @@ -15,7 +15,9 @@ func GetHandler(d *sql.DB, serverSettings *types.ServerSettings) http.Handler { router.HandleFunc("/", service.HandleIndexAnd404(d, serverSettings)) - handlerAuth := NewHandlerAuth(d, service.NewServiceAuthImpl(db.NewDbAuthSqlite(d)), serverSettings) + dbAuth := db.NewDbAuthSqlite(d) + serviceAuth := service.NewServiceAuthImpl(dbAuth, serverSettings) + handlerAuth := NewHandlerAuth(d, serviceAuth, serverSettings) // Serve static files (CSS, JS and images) router.Handle("/static/", http.StripPrefix("/static/", http.FileServer(http.Dir("./static/")))) diff --git a/service/auth.go b/service/auth.go index c9a8cd8..10edde2 100644 --- a/service/auth.go +++ b/service/auth.go @@ -11,6 +11,7 @@ import ( "net/mail" "net/url" "strings" + "time" "me-fit/db" "me-fit/template" @@ -27,6 +28,8 @@ import ( var ( ErrInvaidCredentials = errors.New("Invalid email or password") ErrPasswordComplexity = errors.New("Password needs to be 8 characters long, contain at least one number, one special, one uppercase and one lowercase character") + ErrInvalidEmail = errors.New("Invalid email") + ErrAccountExists = errors.New("Account already exists") ) type User struct { @@ -45,20 +48,25 @@ func NewUser(user *db.User) *User { type ServiceAuth interface { SignIn(email string, password string) (*User, error) + SignUp(email string, password string) (*User, error) + SendVerificationMail(user *User) } type ServiceAuthImpl struct { - dbAuth db.DbAuth + dbAuth db.DbAuth + serverSettings *types.ServerSettings + mailService MailService } -func NewServiceAuthImpl(dbAuth db.DbAuth) *ServiceAuthImpl { +func NewServiceAuthImpl(dbAuth db.DbAuth, serverSettings *types.ServerSettings) *ServiceAuthImpl { return &ServiceAuthImpl{ - dbAuth: dbAuth, + dbAuth: dbAuth, + serverSettings: serverSettings, + mailService: NewMailService(serverSettings), } } func (service ServiceAuthImpl) SignIn(email string, password string) (*User, error) { - user, err := service.dbAuth.GetUser(email) if err != nil { if errors.Is(err, db.ErrUserNotFound) { @@ -77,30 +85,79 @@ func (service ServiceAuthImpl) SignIn(email string, password string) (*User, err return NewUser(user), nil } -// TODO +func (service ServiceAuthImpl) SignUp(email string, password string) (*User, error) { + _, err := mail.ParseAddress(email) + if err != nil { + return nil, ErrInvalidEmail + } -func HandleSignUpPage(db *sql.DB, serverSettings *types.ServerSettings) http.HandlerFunc { - return func(w http.ResponseWriter, r *http.Request) { - user := utils.GetUserFromSession(db, r) + err = checkPassword(password) + if err != nil { + return nil, err + } - if user == nil { - userComp := UserInfoComp(nil) - signUpComp := auth.SignInOrUpComp(false) - err := template.Layout(signUpComp, userComp, serverSettings.Environment).Render(r.Context(), w) + userId, err := uuid.NewRandom() + if err != nil { + utils.LogError("Could not generate UUID", err) + return nil, types.ErrInternal + } - if err != nil { - utils.LogError("Failed to render sign up page", err) - http.Error(w, "Internal Server Error", http.StatusInternalServerError) - } + salt := make([]byte, 16) + _, err = rand.Read(salt) + if err != nil { + utils.LogError("Could not generate salt", err) + return nil, types.ErrInternal + } - } else if !user.EmailVerified { - utils.DoRedirect(w, r, "/auth/verify") + hash := GetHashPassword(password, salt) + + dbUser := db.NewUser(userId, email, false, nil, false, hash, salt, time.Now()) + + err = service.dbAuth.InsertUser(dbUser) + if err != nil { + if err == db.ErrUserExists { + return nil, ErrAccountExists } else { - utils.DoRedirect(w, r, "/") + return nil, types.ErrInternal } } + + return NewUser(dbUser), nil } +func (service ServiceAuthImpl) SendVerificationMail(user *User) { + var token string + + token, err := service.dbAuth.GetEmailVerificationToken(user.Id) + if err != nil { + return + } + + if token == "" { + token, err := utils.RandomToken() + if err != nil { + utils.LogError("Could not generate token", err) + return + } + + err = service.dbAuth.InsertEmailVerificationToken(user.Id, token) + if err != nil { + return + } + } + + var w strings.Builder + err = tempMail.Register(service.serverSettings.BaseUrl, token).Render(context.Background(), &w) + if err != nil { + utils.LogError("Could not render welcome email", err) + return + } + + service.mailService.SendMail(user.Email, "Welcome to ME-FIT", w.String()) +} + +// TODO + func HandleSignUpVerifyPage(db *sql.DB, serverSettings *types.ServerSettings) http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { user := utils.GetUserFromSession(db, r) @@ -227,69 +284,6 @@ func UserInfoComp(user *types.User) templ.Component { } } -func HandleSignUpComp(db *sql.DB, serverSettings *types.ServerSettings) http.HandlerFunc { - return func(w http.ResponseWriter, r *http.Request) { - var email = r.FormValue("email") - var password = r.FormValue("password") - - _, err := mail.ParseAddress(email) - if err != nil { - http.Error(w, "Invalid email", http.StatusBadRequest) - return - } - - err = checkPassword(password) - if err != nil { - http.Error(w, err.Error(), http.StatusBadRequest) - return - } - - userId, err := uuid.NewRandom() - if err != nil { - utils.LogError("Could not generate UUID", err) - auth.Error("Internal Server Error").Render(r.Context(), w) - return - } - - salt := make([]byte, 16) - _, err = rand.Read(salt) - if err != nil { - utils.LogError("Could not generate salt", err) - auth.Error("Internal Server Error").Render(r.Context(), w) - return - } - - hash := GetHashPassword(password, salt) - - _, err = db.Exec("INSERT INTO user (user_uuid, email, email_verified, is_admin, password, salt, created_at) VALUES (?, ?, FALSE, FALSE, ?, ?, datetime())", userId, email, hash, salt) - if err != nil { - // This does leak information about the email being in use, though not specifically stated - // It needs to be refacoteres to "If the email is not already in use, an email has been send to your address", or something - // The happy path, currently a redirect, needs to send the same message! - // Then it is also important to have the same compute time in both paths - // Otherwise an attacker could guess emails when comparing the response time - if strings.Contains(err.Error(), "email") { - auth.Error("Bad Request").Render(r.Context(), w) - return - } - - utils.LogError("Could not insert user", err) - auth.Error("Internal Server Error").Render(r.Context(), w) - return - } - - err = TryCreateSessionAndSetCookie(r, w, db, userId) - if err != nil { - return - } - - // Send verification email as a goroutine - go sendVerificationEmail(db, userId.String(), email, serverSettings) - - utils.DoRedirect(w, r, "/auth/verify") - } -} - func HandleSignOutComp(db *sql.DB) http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { user := utils.GetUserFromSession(db, r) @@ -394,7 +388,8 @@ func HandleVerifyResendComp(db *sql.DB, serverSettings *types.ServerSettings) ht return } - go sendVerificationEmail(db, user.Id.String(), user.Email, serverSettings) + // TODO + // go sendVerificationEmail(db, user.Id.String(), user.Email, serverSettings) w.Write([]byte("

Verification email sent

")) } @@ -566,39 +561,6 @@ func HandleResetPasswordComp(db *sql.DB, serverSettings *types.ServerSettings) h } } -func sendVerificationEmail(db *sql.DB, userId string, email string, serverSettings *types.ServerSettings) { - - var token string - err := db.QueryRow("SELECT token FROM user_token WHERE user_uuid = ? AND type = 'email_verify'", userId).Scan(&token) - if err != nil && err != sql.ErrNoRows { - utils.LogError("Could not get token", err) - return - } - - if token == "" { - token, err := utils.RandomToken() - if err != nil { - utils.LogError("Could not generate token", err) - return - } - - _, err = db.Exec("INSERT INTO user_token (user_uuid, type, token, created_at) VALUES (?, 'email_verify', ?, datetime())", userId, token) - if err != nil { - utils.LogError("Could not insert token", err) - return - } - } - - var w strings.Builder - err = tempMail.Register(serverSettings.BaseUrl, token).Render(context.Background(), &w) - if err != nil { - utils.LogError("Could not render welcome email", err) - return - } - mailService := NewMailService(serverSettings) - mailService.SendMail(email, "Welcome to ME-FIT", w.String()) -} - func TryCreateSessionAndSetCookie(r *http.Request, w http.ResponseWriter, db *sql.DB, user_uuid uuid.UUID) error { sessionId, err := utils.RandomToken() if err != nil { diff --git a/service/auth_test.go b/service/auth_test.go index 0e12e14..bf39eaa 100644 --- a/service/auth_test.go +++ b/service/auth_test.go @@ -2,7 +2,7 @@ package service import ( "me-fit/db" - m "me-fit/mocks" + "me-fit/mocks" "me-fit/types" "errors" @@ -18,7 +18,6 @@ func TestSignIn(t *testing.T) { t.Parallel() salt := []byte("salt") verifiedAt := time.Date(2020, 1, 2, 0, 0, 0, 0, time.UTC) - user := db.NewUser( uuid.New(), "test@test.de", @@ -30,10 +29,10 @@ func TestSignIn(t *testing.T) { time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), ) - mockDbAuth := m.NewMockDbAuth(t) + mockDbAuth := mocks.NewMockDbAuth(t) mockDbAuth.EXPECT().GetUser("test@test.de").Return(user, nil) - underTest := NewServiceAuthImpl(mockDbAuth) + underTest := NewServiceAuthImpl(mockDbAuth, &types.ServerSettings{}) actualUser, err := underTest.SignIn(user.Email, "password") if err != nil { @@ -54,6 +53,7 @@ func TestSignIn(t *testing.T) { t.Parallel() salt := []byte("salt") verifiedAt := time.Date(2020, 1, 2, 0, 0, 0, 0, time.UTC) + user := db.NewUser( uuid.New(), "test@test.de", @@ -65,10 +65,10 @@ func TestSignIn(t *testing.T) { time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), ) - mockDbAuth := m.NewMockDbAuth(t) + mockDbAuth := mocks.NewMockDbAuth(t) mockDbAuth.EXPECT().GetUser(user.Email).Return(user, nil) - underTest := NewServiceAuthImpl(mockDbAuth) + underTest := NewServiceAuthImpl(mockDbAuth, &types.ServerSettings{}) _, err := underTest.SignIn("test@test.de", "wrong password") if err != ErrInvaidCredentials { @@ -77,10 +77,11 @@ func TestSignIn(t *testing.T) { }) t.Run("should return ErrInvalidCretentials if user has not been found", func(t *testing.T) { t.Parallel() - mockDbAuth := m.NewMockDbAuth(t) + + mockDbAuth := mocks.NewMockDbAuth(t) mockDbAuth.EXPECT().GetUser("test").Return(nil, db.ErrUserNotFound) - underTest := NewServiceAuthImpl(mockDbAuth) + underTest := NewServiceAuthImpl(mockDbAuth, &types.ServerSettings{}) _, err := underTest.SignIn("test", "test") if err != ErrInvaidCredentials { @@ -89,10 +90,11 @@ func TestSignIn(t *testing.T) { }) t.Run("should forward ErrInternal on any other error", func(t *testing.T) { t.Parallel() - mockDbAuth := m.NewMockDbAuth(t) + + mockDbAuth := mocks.NewMockDbAuth(t) mockDbAuth.EXPECT().GetUser("test").Return(nil, errors.New("Some error")) - underTest := NewServiceAuthImpl(mockDbAuth) + underTest := NewServiceAuthImpl(mockDbAuth, &types.ServerSettings{}) _, err := underTest.SignIn("test", "test") if err != types.ErrInternal {