chore(auth): finalize test of new structure

service/auth.go

@@ -11,7 +11,6 @@ import (
 	"net/mail"
 	"net/url"
 	"strings"
-	"time"
 
 	"me-fit/db"
 	"me-fit/template"
@@ -25,44 +24,42 @@ import (
 	"golang.org/x/crypto/argon2"
 )
 
-type AuthService struct {
-	db db.Auth
+var (
+	InvaidEmailOrPassword = errors.New("Invalid email or password")
+)
+
+type ServiceAuth interface {
+	SignIn(email string, password string) (*db.User, error)
 }
 
-func NewAuthService(d *sql.DB) *AuthService {
-	return &AuthService{
-		db: db.NewAuthSqlite(d),
+type ServiceAuthImpl struct {
+	dbAuth db.DbAuth
+}
+
+func NewServiceAuthImpl(d *sql.DB) *ServiceAuthImpl {
+	return &ServiceAuthImpl{
+		dbAuth: db.NewDbAuthSqlite(d),
 	}
 }
 
-func (a AuthService) SignIn(email string, password string) *db.User {
+func (service ServiceAuthImpl) SignIn(email string, password string) (*db.User, error) {
 
-	var result bool = true
-	start := time.Now()
-
-	user, err := a.db.GetUser(email)
+	user, err := service.dbAuth.GetUser(email)
 	if err != nil {
-		result = false
-	}
-
-	if result {
-		new_hash := getHashPassword(password, user.Salt)
-
-		if subtle.ConstantTimeCompare(new_hash, user.Password) == 0 {
-			result = false
+		if errors.Is(err, db.UserNotFound) {
+			return nil, InvaidEmailOrPassword
+		} else {
+			return nil, err
 		}
 	}
 
-	duration := time.Since(start)
-	timeToWait := 100 - duration.Milliseconds()
-	// It is important to sleep for a while to prevent timing attacks
-	// If the email is correct, the server will calculate the hash, which will take some time
-	// This way an attacker could guess emails when comparing the response time
-	// Because of that, we cant use WriteHeader in the middle of the function. We have to wait until the end
-	// Unfortunatly this makes the code harder to read
-	time.Sleep(time.Duration(timeToWait) * time.Millisecond)
+	hash := getHashPassword(password, user.Salt)
 
-	return user
+	if subtle.ConstantTimeCompare(hash, user.Password) == 0 {
+		return nil, InvaidEmailOrPassword
+	}
+
+	return user, nil
 }
 
 func HandleSignInPage(db *sql.DB) http.HandlerFunc {
@@ -286,8 +283,8 @@ func HandleSignUpComp(db *sql.DB) http.HandlerFunc {
 			return
 		}
 
-		result := TryCreateSessionAndSetCookie(r, w, db, userId)
-		if !result {
+		err = TryCreateSessionAndSetCookie(r, w, db, userId)
+		if err != nil {
 			return
 		}
 
@@ -603,25 +600,24 @@ func sendVerificationEmail(db *sql.DB, userId string, email string) {
 	utils.SendMail(email, "Welcome to ME-FIT", w.String())
 }
 
-func TryCreateSessionAndSetCookie(r *http.Request, w http.ResponseWriter, db *sql.DB, user_uuid uuid.UUID) bool {
+func TryCreateSessionAndSetCookie(r *http.Request, w http.ResponseWriter, db *sql.DB, user_uuid uuid.UUID) error {
 	sessionId, err := utils.RandomToken()
 	if err != nil {
 		utils.LogError("Could not generate session ID", err)
-		auth.Error("Internal Server Error").Render(r.Context(), w)
-		return false
+		return types.InternalServerError
 	}
 
 	// Delete old inactive sessions
 	_, err = db.Exec("DELETE FROM session WHERE created_at < datetime('now','-8 hours') AND user_uuid = ?", user_uuid)
 	if err != nil {
 		utils.LogError("Could not delete old sessions", err)
+		return types.InternalServerError
 	}
 
 	_, err = db.Exec("INSERT INTO session (session_id, user_uuid, created_at) VALUES (?, ?, datetime())", sessionId, user_uuid)
 	if err != nil {
 		utils.LogError("Could not insert session", err)
-		auth.Error("Internal Server Error").Render(r.Context(), w)
-		return false
+		return types.InternalServerError
 	}
 
 	cookie := http.Cookie{
@@ -635,7 +631,7 @@ func TryCreateSessionAndSetCookie(r *http.Request, w http.ResponseWriter, db *sq
 	}
 	http.SetCookie(w, &cookie)
 
-	return true
+	return nil
 }
 
 func getHashPassword(password string, salt []byte) []byte {