#73 add sign out

2024-08-29 09:24:38 +02:00
parent fe1f47a55e
commit cda672caac
7 changed files with 149 additions and 51 deletions
--- a/service/auth.go
+++ b/service/auth.go
@@ -14,27 +14,42 @@ import (
 	"me-fit/template"
 	"me-fit/template/auth"

+	"github.com/a-h/templ"
 	"github.com/google/uuid"
 	"golang.org/x/crypto/argon2"
 )

-func SignInPage(w http.ResponseWriter, r *http.Request) {
-	signIn := auth.SignInOrUp(true)
-	template.Layout(signIn).Render(r.Context(), w)
+type User struct {
+	user_uuid uuid.UUID
+	email     string
 }

-func SignUpPage(w http.ResponseWriter, r *http.Request) {
-	signIn := auth.SignInOrUp(false)
-	template.Layout(signIn).Render(r.Context(), w)
-}
-
-func UserInfoComp(db *sql.DB) http.HandlerFunc {
+func HandleSignInPage(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		//TODO
+		user_comp := UserInfoComp(verifySessionAndReturnUser(db, r))
+		signIn := auth.SignInOrUp(true)
+		template.Layout(signIn, user_comp).Render(r.Context(), w)
 	}
 }

-func SignUp(db *sql.DB) http.HandlerFunc {
+func HandleSignUpPage(db *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		user_comp := UserInfoComp(verifySessionAndReturnUser(db, r))
+		signIn := auth.SignInOrUp(false)
+		template.Layout(signIn, user_comp).Render(r.Context(), w)
+	}
+}
+
+func UserInfoComp(user *User) templ.Component {
+
+	if user != nil {
+		return auth.UserComp(user.email)
+	} else {
+		return auth.UserComp("")
+	}
+}
+
+func HandleSignUp(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var email = r.FormValue("email")
 		var password = r.FormValue("password")
@@ -78,16 +93,16 @@ func SignUp(db *sql.DB) http.HandlerFunc {
 			return
 		}

-		result := tryCreateSessionAndSetCookie(r, w, db, user_uuid)
+		result := tryCreateSessionAndSetCookie(w, db, user_uuid)
 		if !result {
 			return
 		}

-		w.WriteHeader(http.StatusOK)
+		http.Redirect(w, r, "/", http.StatusSeeOther)
 	}
 }

-func SignIn(db *sql.DB) http.HandlerFunc {
+func HandleSignIn(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		var email = r.FormValue("email")
 		var password = r.FormValue("password")
@@ -112,14 +127,14 @@ func SignIn(db *sql.DB) http.HandlerFunc {
 		}

 		if result {
-			result := tryCreateSessionAndSetCookie(r, w, db, user_uuid)
+			result := tryCreateSessionAndSetCookie(w, db, user_uuid)
 			if !result {
 				return
 			}
 		}

 		duration := time.Since(start)
-		time_to_wait := 300 - duration.Milliseconds()
+		time_to_wait := 100 - duration.Milliseconds()
 		// It is important to sleep for a while to prevent timing attacks
 		// If the email is correct, the server will calculate the hash, which will take some time
 		// This way an attacker could guess emails when comparing the response time
@@ -127,13 +142,39 @@ func SignIn(db *sql.DB) http.HandlerFunc {
 		time.Sleep(time.Duration(time_to_wait) * time.Millisecond)

 		if result {
-			w.WriteHeader(http.StatusOK)
+			http.Redirect(w, r, "/", http.StatusSeeOther)
 		} else {
 			http.Error(w, "Unauthorized", http.StatusUnauthorized)
 		}
 	}
 }

+func HandleSignOutComp(db *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		id := getSessionID(r)
+
+		_, err := db.Exec("DELETE FROM session WHERE session_id = ?", id)
+		if err != nil {
+			log.Printf("Could not delete session: %v", err)
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		c := http.Cookie{
+			Name:     "id",
+			Value:    "",
+			MaxAge:   -1,
+			Secure:   true,
+			HttpOnly: true,
+			SameSite: http.SameSiteStrictMode,
+			Path:     "/",
+		}
+
+		http.SetCookie(w, &c)
+		auth.UserComp("").Render(r.Context(), w)
+	}
+}
+
 // var (
 // 	metricsAuthSignUp = promauto.NewCounterVec(
 // 		prometheus.CounterOpts{
@@ -159,7 +200,7 @@ func SignIn(db *sql.DB) http.HandlerFunc {
 // 	// )
 // )

-func tryCreateSessionAndSetCookie(r *http.Request, w http.ResponseWriter, db *sql.DB, user_uuid uuid.UUID) bool {
+func tryCreateSessionAndSetCookie(w http.ResponseWriter, db *sql.DB, user_uuid uuid.UUID) bool {
 	var session_id_bytes []byte = make([]byte, 32)
 	_, err := rand.Reader.Read(session_id_bytes)
 	if err != nil {
@@ -190,6 +231,42 @@ func tryCreateSessionAndSetCookie(r *http.Request, w http.ResponseWriter, db *sq
 	return true
 }

+func getSessionID(r *http.Request) string {
+	for _, c := range r.Cookies() {
+		if c.Name == "id" {
+			return c.Value
+		}
+	}
+	return ""
+}
+
+func verifySessionAndReturnUser(db *sql.DB, r *http.Request) *User {
+	session_id := getSessionID(r)
+	if session_id == "" {
+		return nil
+	}
+
+	var user User
+	var created_at time.Time
+
+	err := db.QueryRow(`
+			SELECT u.user_uuid, u.email, s.created_at
+			FROM session s
+			INNER JOIN user u ON s.user_uuid = u.user_uuid
+			WHERE session_id = ?`, session_id).Scan(&user.user_uuid, &user.email, &created_at)
+	if err != nil {
+		log.Printf("Could not verify session: %v", err)
+		return nil
+	}
+
+	// TODO: Test
+	// if created_at.Add(time.Duration(8 * time.Hour)).Before(time.Now()) {
+	// 	return nil
+	// }
+
+	return &user
+}
+
 func getHashPassword(password string, salt []byte) []byte {
 	return argon2.IDKey([]byte(password), salt, 1, 64*1024, 1, 16)
 }