x/web-app-template
Archived
Template
2
0
Fork 0
Code Issues 13 Pull Requests 4 Actions Packages Activity

chore(auth): add service structs and test error handling
Some checks failed
Build Docker Image / Explore-Gitea-Actions (push) Failing after 44s
Details

Browse Source
This commit is contained in:
Tim Wundenberg
2024-09-25 21:31:57 +02:00
parent e53a0e5cf7
commit cbaee07890
2 changed files with 84 additions and 52 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
db/auth.go Normal file
View File

@@ -0,0 +1,29 @@
package db
import (
"database/sql"
"errors"
"strings"
"github.com/google/uuid"
)
type AuthDb interface {
InsertUser(userIs uuid.UUID, email string, password string) error
}
type AuthDbSqlite struct {
db *sql.DB
}
func (a *AuthDbSqlite) InsertUser(userId uuid.UUID, email string, passwordHash []byte, salt []byte) error {
_, err := a.db.Exec("INSERT INTO user (user_uuid, email, email_verified, is_admin, password, salt, created_at) VALUES (?, ?, FALSE, FALSE, ?, ?, datetime())", userId, email, passwordHash, salt)
if err != nil {
if strings.Contains(err.Error(), "email") {
return errors.New("Bad Request")
}
utils.LogError("Could not insert user", err)
return ErrInternalServer
}
}

107
service/auth.go
View File

@@ -13,6 +13,7 @@ import (
"strings" "strings"
"time" "time"
"me-fit/db"
"me-fit/template/auth" "me-fit/template/auth"
tempMail "me-fit/template/mail" tempMail "me-fit/template/mail"
"me-fit/types" "me-fit/types"
@@ -33,7 +34,8 @@ var (
// NOT TESTED // NOT TESTED
type AuthService struct { type AuthService struct {
db *sql.DB db *sql.DB
dbSer *db.AuthDb
} }
func NewAuthService(db *sql.DB) *AuthService { func NewAuthService(db *sql.DB) *AuthService {
@@ -42,6 +44,58 @@ func NewAuthService(db *sql.DB) *AuthService {
} }
} }
func (a *AuthService) SignUp(email string, password string) (*types.SessionId, error) {
_, err := mail.ParseAddress(email)
if err != nil {
return nil, errors.Join(errors.New("Invalid email"))
}
err = checkPassword(password)
if err != nil {
return nil, err
}
userId, err := uuid.NewRandom()
if err != nil {
utils.LogError("Could not generate UUID for new user", err)
return nil, ErrInternalServer
}
salt := make([]byte, 16)
_, err = rand.Read(salt)
if err != nil {
utils.LogError("Could not generate salt for new user", err)
return nil, ErrInternalServer
}
hash := getHashPassword(password, salt)
err := a.dbSer.InsertUser(a.db, userId, email, hash, salt)
_, err = a.db.Exec("INSERT INTO user (user_uuid, email, email_verified, is_admin, password, salt, created_at) VALUES (?, ?, FALSE, FALSE, ?, ?, datetime())", userId, email, hash, salt)
if err != nil {
// This does leak information about the email being in use, though not specifically stated
// It needs to be refacoteres to "If the email is not already in use, an email has been send to your address", or something
// The happy path, currently a redirect, needs to send the same message!
// Then it is also important to have the same compute time in both paths
// Otherwise an attacker could guess emails when comparing the response time
if strings.Contains(err.Error(), "email") {
return nil, errors.New("Bad Request")
}
utils.LogError("Could not insert user", err)
return nil, ErrInternalServer
}
sessionId, err := createSession(a.db, userId)
if err != nil {
return nil, err
}
// Send verification email as a goroutine
go SendVerificationEmail(a.db, userId.String(), email)
return sessionId, nil
}
func (a *AuthService) SignIn(email string, password string) (*types.SessionId, error) { func (a *AuthService) SignIn(email string, password string) (*types.SessionId, error) {
start := time.Now() start := time.Now()
@@ -117,57 +171,6 @@ func GetUserFromSessionId(db *sql.DB, sessionId types.SessionId) *types.User {
return types.NewUser(userId, email, sessionId, emailVerified) return types.NewUser(userId, email, sessionId, emailVerified)
} }
} }
func SignUp(db *sql.DB, email string, password string) (*types.SessionId, error) {
_, err := mail.ParseAddress(email)
if err != nil {
return nil, errors.Join(errors.New("Invalid email"))
}
err = checkPassword(password)
if err != nil {
return nil, err
}
userId, err := uuid.NewRandom()
if err != nil {
utils.LogError("Could not generate UUID for new user", err)
return nil, ErrInternalServer
}
salt := make([]byte, 16)
_, err = rand.Read(salt)
if err != nil {
utils.LogError("Could not generate salt for new user", err)
return nil, ErrInternalServer
}
hash := getHashPassword(password, salt)
_, err = db.Exec("INSERT INTO user (user_uuid, email, email_verified, is_admin, password, salt, created_at) VALUES (?, ?, FALSE, FALSE, ?, ?, datetime())", userId, email, hash, salt)
if err != nil {
// This does leak information about the email being in use, though not specifically stated
// It needs to be refacoteres to "If the email is not already in use, an email has been send to your address", or something
// The happy path, currently a redirect, needs to send the same message!
// Then it is also important to have the same compute time in both paths
// Otherwise an attacker could guess emails when comparing the response time
if strings.Contains(err.Error(), "email") {
return nil, errors.New("Bad Request")
}
utils.LogError("Could not insert user", err)
return nil, ErrInternalServer
}
sessionId, err := createSession(db, userId)
if err != nil {
return nil, err
}
// Send verification email as a goroutine
go SendVerificationEmail(db, userId.String(), email)
return sessionId, nil
}
func ValidateEmail(db *sql.DB, token string) error { func ValidateEmail(db *sql.DB, token string) error {
result, err := db.Exec(` result, err := db.Exec(`
UPDATE user UPDATE user