chore(auth): add test for retrieving session from db #181

service/auth.go

@@ -24,9 +24,42 @@ import (
 	"golang.org/x/crypto/argon2"
 )
 
+// TESTED
+
+func GetUserFromSessionId(db *sql.DB, sessionId types.SessionId) *types.User {
+	if sessionId == "" {
+		return nil
+	}
+
+	var (
+		createdAt     time.Time
+		userId        uuid.UUID
+		email         string
+		emailVerified bool
+	)
+
+	err := db.QueryRow(`
+			SELECT u.user_uuid, u.email, u.email_verified, s.created_at
+			FROM session s
+			INNER JOIN user u ON s.user_uuid = u.user_uuid
+			WHERE session_id = ?`, sessionId).Scan(&userId, &email, &emailVerified, &createdAt)
+	if err != nil {
+		slog.Warn("Could not verify session: " + err.Error())
+		return nil
+	}
+
+	if createdAt.Add(time.Duration(8 * time.Hour)).Before(time.Now()) {
+		return nil
+	} else {
+		return types.NewUser(userId, email, sessionId, emailVerified)
+	}
+}
+
+// NOT TESTED
+
 func HandleSignInPage(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user := utils.GetUserFromSession(db, r)
+		user := GetUserFromRequest(db, r)
 
 		if user == nil {
 			userComp := UserInfoComp(nil)
@@ -48,7 +81,7 @@ func HandleSignInPage(db *sql.DB) http.HandlerFunc {
 
 func HandleSignUpPage(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user := utils.GetUserFromSession(db, r)
+		user := GetUserFromRequest(db, r)
 
 		if user == nil {
 			userComp := UserInfoComp(nil)
@@ -70,7 +103,7 @@ func HandleSignUpPage(db *sql.DB) http.HandlerFunc {
 
 func HandleSignUpVerifyPage(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user := utils.GetUserFromSession(db, r)
+		user := GetUserFromRequest(db, r)
 		if user == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 		} else if user.EmailVerified {
@@ -90,7 +123,7 @@ func HandleSignUpVerifyPage(db *sql.DB) http.HandlerFunc {
 func HandleDeleteAccountPage(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		// An unverified email should be able to delete their account
-		user := utils.GetUserFromSession(db, r)
+		user := GetUserFromRequest(db, r)
 		if user == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 		} else {
@@ -152,7 +185,7 @@ func HandleChangePasswordPage(db *sql.DB) http.HandlerFunc {
 
 		isPasswordReset := r.URL.Query().Has("token")
 
-		user := utils.GetUserFromSession(db, r)
+		user := GetUserFromRequest(db, r)
 		if user == nil && !isPasswordReset {
 			utils.DoRedirect(w, r, "/auth/signin")
 		} else {
@@ -170,7 +203,7 @@ func HandleChangePasswordPage(db *sql.DB) http.HandlerFunc {
 func HandleResetPasswordPage(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 
-		user := utils.GetUserFromSession(db, r)
+		user := GetUserFromRequest(db, r)
 		if user != nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 		} else {
@@ -314,7 +347,7 @@ func HandleSignInComp(db *sql.DB) http.HandlerFunc {
 
 func HandleSignOutComp(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user := utils.GetUserFromSession(db, r)
+		user := GetUserFromRequest(db, r)
 
 		if user != nil {
 			_, err := db.Exec("DELETE FROM session WHERE session_id = ?", user.SessionId)
@@ -343,7 +376,7 @@ func HandleSignOutComp(db *sql.DB) http.HandlerFunc {
 
 func HandleDeleteAccountComp(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user := utils.GetUserFromSession(db, r)
+		user := GetUserFromRequest(db, r)
 		if user == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
@@ -409,7 +442,7 @@ func HandleDeleteAccountComp(db *sql.DB) http.HandlerFunc {
 
 func HandleVerifyResendComp(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user := utils.GetUserFromSession(db, r)
+		user := GetUserFromRequest(db, r)
 		if user == nil || user.EmailVerified {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
@@ -424,7 +457,7 @@ func HandleVerifyResendComp(db *sql.DB) http.HandlerFunc {
 func HandleChangePasswordComp(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 
-		user := utils.GetUserFromSession(db, r)
+		user := GetUserFromRequest(db, r)
 		if user == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
@@ -669,3 +702,19 @@ func checkPassword(password string) error {
 		return nil
 	}
 }
+
+//TODO: delete
+
+func getSessionID(r *http.Request) types.SessionId {
+	for _, c := range r.Cookies() {
+		if c.Name == "id" {
+			return types.SessionId(c.Value)
+		}
+	}
+	return ""
+}
+
+func GetUserFromRequest(db *sql.DB, r *http.Request) *types.User {
+	sessionId := getSessionID(r)
+	return GetUserFromSessionId(db, sessionId)
+}

service/auth_test.go

@@ -1,9 +1,119 @@
 package service
 
 import (
+	"me-fit/types"
+	"me-fit/utils"
+
+	"database/sql"
 	"testing"
+
+	"github.com/google/uuid"
 )
 
+func mustSetup(t *testing.T) *sql.DB {
+	db, err := sql.Open("sqlite3", ":memory:")
+	if err != nil {
+		t.Fatalf("Could not open Database data.db: %v", err)
+	}
+	utils.MustRunMigrationsTest(db, "../")
+	return db
+}
+
+func TestGetUserFromSessionIfSessionNotExpired(t *testing.T) {
+	db := mustSetup(t)
+	defer db.Close()
+
+	expected := types.NewUser(uuid.New(), "email", "session_id", true)
+
+	db.Exec(`INSERT INTO user (
+			user_uuid, email, email_verified,	email_verified_at,
+			is_admin,	password,	salt,	created_at)
+		VAlUES (
+			?, ?, 1, datetime(), 
+			0, "password", "salt", datetime())`, expected.Id, expected.Email)
+	db.Exec(`INSERT INTO session (session_id, user_uuid, created_at) VALUES (?, ?, datetime('now', '-2 hour'))`, expected.SessionId, expected.Id)
+
+	actual := GetUserFromSessionId(db, expected.SessionId)
+
+	if *actual != *expected {
+		t.Errorf("Expected %v, got %v", *expected, *actual)
+	}
+}
+
+func TestGetUserFromSessionIfSessionInFuture(t *testing.T) {
+	db := mustSetup(t)
+	defer db.Close()
+
+	expected := types.NewUser(uuid.New(), "email", "session_id", true)
+
+	db.Exec(`INSERT INTO user (
+			user_uuid, email, email_verified,	email_verified_at,
+			is_admin,	password,	salt,	created_at)
+		VAlUES (
+			?, ?, 1, datetime(), 
+			0, "password", "salt", datetime())`, expected.Id, expected.Email)
+	db.Exec(`INSERT INTO session (session_id, user_uuid, created_at) VALUES (?, ?, datetime('now', '+2 hour'))`, expected.SessionId, expected.Id)
+
+	actual := GetUserFromSessionId(db, expected.SessionId)
+
+	if *actual != *expected {
+		t.Errorf("Expected %v, got %v", *expected, *actual)
+	}
+}
+
+func TestFailGetUserFromSessionIfSessionExpired(t *testing.T) {
+	db := mustSetup(t)
+	defer db.Close()
+
+	expected := types.NewUser(uuid.New(), "email", "session_id", true)
+
+	db.Exec(`INSERT INTO user (
+			user_uuid, email, email_verified,	email_verified_at,
+			is_admin,	password,	salt,	created_at)
+		VAlUES (
+			?, ?, 1, datetime(), 
+			0, "password", "salt", datetime())`, expected.Id, expected.Email)
+	db.Exec(`INSERT INTO session (session_id, user_uuid, created_at) VALUES (?, ?, datetime('now', '-8 hour', '-1 minute'))`, expected.SessionId, expected.Id)
+
+	actual := GetUserFromSessionId(db, expected.SessionId)
+
+	if actual != nil {
+		t.Errorf("Expected nil, got %v", *actual)
+	}
+}
+
+func TestGetUserFromSessionShouldFindCorrectUserBySessionId(t *testing.T) {
+	db := mustSetup(t)
+	defer db.Close()
+
+	expected := types.NewUser(uuid.New(), "email", "session_id", true)
+	userId2 := uuid.New()
+
+	db.Exec(`INSERT INTO user (
+			user_uuid, email, email_verified,	email_verified_at,
+			is_admin,	password,	salt,	created_at)
+		VAlUES (
+			?, ?, 1, datetime(), 
+			0, "password", "salt", datetime()),
+		( 
+			?, ?, 1, datetime(), 
+			0, "password", "salt", datetime())
+			`, expected.Id, expected.Email, userId2, "email2")
+	db.Exec(`
+		INSERT INTO session (
+			session_id, user_uuid, created_at) 
+		VALUES 
+			(?, ?, datetime('now')),
+			(?, ?, datetime('now'))
+			`, expected.SessionId, expected.Id, expected.SessionId+"x", userId2)
+
+	actual := GetUserFromSessionId(db, expected.SessionId)
+
+	if *actual != *expected {
+		t.Errorf("Expected %v, got %v", *expected, *actual)
+	}
+}
+
 func TestValidPasswords(t *testing.T) {
 	passwords := []string{
 		"aB!'2d2y", //normal

service/index_and_404.go

@@ -1,32 +0,0 @@
-package service
-
-import (
-	"database/sql"
-	"me-fit/template"
-	"me-fit/utils"
-	"net/http"
-
-	"github.com/a-h/templ"
-)
-
-func HandleIndexAnd404(db *sql.DB) http.HandlerFunc {
-	return func(w http.ResponseWriter, r *http.Request) {
-		user := utils.GetUserFromSession(db, r)
-
-		var comp templ.Component = nil
-		userComp := UserInfoComp(user)
-
-		if r.URL.Path != "/" {
-			comp = template.Layout(template.NotFound(), userComp)
-			w.WriteHeader(http.StatusNotFound)
-		} else {
-			comp = template.Layout(template.Index(), userComp)
-		}
-
-		err := comp.Render(r.Context(), w)
-		if err != nil {
-			utils.LogError("Failed to render index", err)
-			http.Error(w, "Failed to render index", http.StatusInternalServerError)
-		}
-	}
-}