#73 change authorization

2024-08-25 22:25:32 +02:00
parent 81548465e7
commit d854dae68f
19 changed files with 589 additions and 187 deletions
--- a/service/auth.go
+++ b/service/auth.go
@@ -0,0 +1,273 @@
+package service
+
+import (
+	"bytes"
+	"crypto/rand"
+	"database/sql"
+	"encoding/base64"
+	"log"
+	"net/http"
+	"net/mail"
+	"strings"
+	"time"
+
+	"me-fit/template"
+	"me-fit/template/auth"
+
+	"github.com/a-h/templ"
+	"github.com/google/uuid"
+	"golang.org/x/crypto/argon2"
+)
+
+type User struct {
+	user_uuid uuid.UUID
+	email     string
+}
+
+func HandleSignInPage(db *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		user_comp := UserInfoComp(verifySessionAndReturnUser(db, r))
+		signIn := auth.SignInOrUp(true)
+		template.Layout(signIn, user_comp).Render(r.Context(), w)
+	}
+}
+
+func HandleSignUpPage(db *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		user_comp := UserInfoComp(verifySessionAndReturnUser(db, r))
+		signIn := auth.SignInOrUp(false)
+		template.Layout(signIn, user_comp).Render(r.Context(), w)
+	}
+}
+
+func UserInfoComp(user *User) templ.Component {
+
+	if user != nil {
+		return auth.UserComp(user.email)
+	} else {
+		return auth.UserComp("")
+	}
+}
+
+func HandleSignUp(db *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var email = r.FormValue("email")
+		var password = r.FormValue("password")
+
+		_, err := mail.ParseAddress(email)
+		if err != nil {
+			http.Error(w, "Invalid email", http.StatusBadRequest)
+			return
+		}
+
+		if len(password) < 8 ||
+			!strings.ContainsAny(password, "0123456789") ||
+			!strings.ContainsAny(password, "ABCDEFGHIJKLMNOPQRSTUVWXYZ") ||
+			!strings.ContainsAny(password, "abcdefghijklmnopqrstuvwxyz") ||
+			!strings.ContainsAny(password, "!@#$%^&*()_+-=[]{}\\|;:'\",.<>/?") {
+			http.Error(w, "Password needs to be 8 characters long, contain at least one number, one special, one uppercase and one lowercase character", http.StatusBadRequest)
+			return
+		}
+
+		user_uuid, err := uuid.NewRandom()
+		if err != nil {
+			log.Printf("Could not generate UUID: %v", err)
+			auth.Error("Internal Server Error").Render(r.Context(), w)
+			return
+		}
+
+		salt := make([]byte, 16)
+		rand.Read(salt)
+
+		hash := getHashPassword(password, salt)
+
+		_, err = db.Exec("INSERT INTO user (user_uuid, email, email_verified, is_admin, password, salt, created_at) VALUES (?, ?, FALSE, FALSE, ?, ?, datetime())", user_uuid, email, hash, salt)
+		if err != nil {
+			if strings.Contains(err.Error(), "email") {
+				auth.Error("Bad Request").Render(r.Context(), w)
+				return
+			}
+
+			auth.Error("Internal Server Error").Render(r.Context(), w)
+			log.Printf("Could not insert user: %v", err)
+			return
+		}
+
+		result := tryCreateSessionAndSetCookie(w, db, user_uuid)
+		if !result {
+			return
+		}
+
+		w.Header().Add("HX-Redirect", "/")
+		w.WriteHeader(http.StatusOK)
+	}
+}
+
+func HandleSignIn(db *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var email = r.FormValue("email")
+		var password = r.FormValue("password")
+
+		var result bool = true
+		start := time.Now()
+
+		var user_uuid uuid.UUID
+		var saved_hash []byte
+		var salt []byte
+		err := db.QueryRow("SELECT user_uuid, password, salt FROM user WHERE email = ?", email).Scan(&user_uuid, &saved_hash, &salt)
+		if err != nil {
+			result = false
+		}
+
+		if result {
+			new_hash := getHashPassword(password, salt)
+
+			if !bytes.Equal(new_hash, saved_hash) {
+				result = false
+			}
+		}
+
+		if result {
+			result := tryCreateSessionAndSetCookie(w, db, user_uuid)
+			if !result {
+				return
+			}
+		}
+
+		duration := time.Since(start)
+		time_to_wait := 100 - duration.Milliseconds()
+		// It is important to sleep for a while to prevent timing attacks
+		// If the email is correct, the server will calculate the hash, which will take some time
+		// This way an attacker could guess emails when comparing the response time
+		// Because of that, we cant use WriteHeader in the middle of the function. We have to wait until the end
+		time.Sleep(time.Duration(time_to_wait) * time.Millisecond)
+
+		if result {
+			w.Header().Add("HX-Redirect", "/")
+			w.WriteHeader(http.StatusOK)
+		} else {
+			auth.Error("Invalid email or password").Render(r.Context(), w)
+		}
+	}
+}
+
+func HandleSignOutComp(db *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		id := getSessionID(r)
+
+		_, err := db.Exec("DELETE FROM session WHERE session_id = ?", id)
+		if err != nil {
+			log.Printf("Could not delete session: %v", err)
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		c := http.Cookie{
+			Name:     "id",
+			Value:    "",
+			MaxAge:   -1,
+			Secure:   true,
+			HttpOnly: true,
+			SameSite: http.SameSiteStrictMode,
+			Path:     "/",
+		}
+
+		http.SetCookie(w, &c)
+		auth.UserComp("").Render(r.Context(), w)
+	}
+}
+
+// var (
+// 	metricsAuthSignUp = promauto.NewCounterVec(
+// 		prometheus.CounterOpts{
+// 			Name: "mefit_api_auth_signup_total",
+// 			Help: "The total number of auth signup api requests processed",
+// 		},
+// 		[]string{"result"},
+// 	)
+//
+// 	metricsError = promauto.NewCounterVec(
+// 		prometheus.CounterOpts{
+// 			Name: "mefit_api_error_total",
+// 			Help: "The total number of errors",
+// 		},
+// 		[]string{"result"},
+// 	)
+//
+// 	// metricsAuthSignIn = promauto.NewCounterVec(
+// 	// 	prometheus.CounterOpts{
+// 	// 		Name: "mefit_api_auth_signin_total",
+// 	// 	},
+// 	// 	[]string{"result"},
+// 	// )
+// )
+
+func tryCreateSessionAndSetCookie(w http.ResponseWriter, db *sql.DB, user_uuid uuid.UUID) bool {
+	var session_id_bytes []byte = make([]byte, 32)
+	_, err := rand.Reader.Read(session_id_bytes)
+	if err != nil {
+		log.Printf("Could not generate session ID: %v", err)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return false
+	}
+	session_id := base64.StdEncoding.EncodeToString(session_id_bytes)
+
+	_, err = db.Exec("INSERT INTO session (session_id, user_uuid, created_at) VALUES (?, ?, datetime())", session_id, user_uuid)
+	if err != nil {
+		log.Printf("Could not insert session: %v", err)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return false
+	}
+
+	cookie := http.Cookie{
+		Name:     "id",
+		Value:    session_id,
+		MaxAge:   60 * 60 * 8, // 8 hours
+		Secure:   true,
+		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
+		Path:     "/",
+	}
+	http.SetCookie(w, &cookie)
+
+	return true
+}
+
+func getSessionID(r *http.Request) string {
+	for _, c := range r.Cookies() {
+		if c.Name == "id" {
+			return c.Value
+		}
+	}
+	return ""
+}
+
+func verifySessionAndReturnUser(db *sql.DB, r *http.Request) *User {
+	session_id := getSessionID(r)
+	if session_id == "" {
+		return nil
+	}
+
+	var user User
+	var created_at time.Time
+
+	err := db.QueryRow(`
+			SELECT u.user_uuid, u.email, s.created_at
+			FROM session s
+			INNER JOIN user u ON s.user_uuid = u.user_uuid
+			WHERE session_id = ?`, session_id).Scan(&user.user_uuid, &user.email, &created_at)
+	if err != nil {
+		log.Printf("Could not verify session: %v", err)
+		return nil
+	}
+
+	if created_at.Add(time.Duration(8 * time.Hour)).Before(time.Now()) {
+		return nil
+	}
+
+	return &user
+}
+
+func getHashPassword(password string, salt []byte) []byte {
+	return argon2.IDKey([]byte(password), salt, 1, 64*1024, 1, 16)
+}
--- a/service/static_ui.go
+++ b/service/static_ui.go
@@ -1,20 +1,25 @@
 package service

 import (
-	"me-fit/templates"
+	"database/sql"
+	"me-fit/template"
 	"net/http"

 	"github.com/a-h/templ"
 )

-func HandleIndexAnd404(w http.ResponseWriter, r *http.Request) {
-	var comp templ.Component = nil
-	if r.URL.Path != "/" {
-		comp = templates.Layout(templates.NotFound())
-		w.WriteHeader(http.StatusNotFound)
-	} else {
-		comp = templates.Layout(templates.Index())
-	}
+func HandleIndexAnd404(db *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var comp templ.Component = nil
+		user_comp := UserInfoComp(verifySessionAndReturnUser(db, r))

-	comp.Render(r.Context(), w)
+		if r.URL.Path != "/" {
+			comp = template.Layout(template.NotFound(), user_comp)
+			w.WriteHeader(http.StatusNotFound)
+		} else {
+			comp = template.Layout(template.Index(), user_comp)
+		}
+
+		comp.Render(r.Context(), w)
+	}
 }
--- a/service/workout.go
+++ b/service/workout.go
@@ -1,8 +1,8 @@
 package service

 import (
-	"me-fit/templates"
-	"me-fit/utils"
+	"me-fit/template"
+	"me-fit/template/workout"

 	"database/sql"
 	"net/http"
@@ -23,16 +23,26 @@ var (
 	)
 )

-func App(w http.ResponseWriter, r *http.Request) {
-	comp := templates.App()
-	layout := templates.Layout(comp)
-	layout.Render(r.Context(), w)
+func HandleWorkoutPage(db *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		currentDate := time.Now().Format("2006-01-02")
+		inner := workout.WorkoutComp(currentDate)
+		user_comp := UserInfoComp(verifySessionAndReturnUser(db, r))
+		layout := template.Layout(inner, user_comp)
+		layout.Render(r.Context(), w)
+	}
 }

-func NewWorkout(db *sql.DB) http.HandlerFunc {
+func HandleNewWorkout(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		metrics.WithLabelValues("new").Inc()

+		user := verifySessionAndReturnUser(db, r)
+		if user == nil {
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+
 		var dateStr = r.FormValue("date")
 		var typeStr = r.FormValue("type")
 		var setsStr = r.FormValue("sets")
@@ -61,78 +71,84 @@ func NewWorkout(db *sql.DB) http.HandlerFunc {
 			return
 		}

-		//TODO: Ensure auth
-		// token := r.Context().Value(middleware.TOKEN_KEY).(*auth.Token)
-
-		_, err = db.Exec("INSERT INTO workout (user_id, date, type, sets, reps) VALUES (?, ?, ?, ?, ?)", "", date, typeStr, sets, reps)
+		_, err = db.Exec("INSERT INTO workout (user_id, date, type, sets, reps) VALUES (?, ?, ?, ?, ?)", user.user_uuid, date, typeStr, sets, reps)

 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}
+
+		wo := workout.Workout{
+			Date: r.FormValue("date"),
+			Type: r.FormValue("type"),
+			Sets: r.FormValue("sets"),
+			Reps: r.FormValue("reps"),
+		}
+
+		workout.WorkoutItemComp(wo, true).Render(r.Context(), w)
 	}
 }

-func GetWorkouts(db *sql.DB) http.HandlerFunc {
+func HandleGetWorkouts(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		metrics.WithLabelValues("get").Inc()

-		// token := r.Context().Value(middleware.TOKEN_KEY).(*auth.Token)
-		// var userId = token.UID
-		var userId = ""
+		user := verifySessionAndReturnUser(db, r)
+		if user == nil {
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}

-		rows, err := db.Query("SELECT rowid, date, type, sets, reps FROM workout WHERE user_id = ?", userId)
+		rows, err := db.Query("SELECT rowid, date, type, sets, reps FROM workout WHERE user_id = ?", user.user_uuid)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}

-		var workouts = make([]map[string]interface{}, 0)
+		var workouts = make([]workout.Workout, 0)
 		for rows.Next() {
-			var id int
-			var date string
-			var workoutType string
-			var sets int
-			var reps int
+			var workout workout.Workout

-			err = rows.Scan(&id, &date, &workoutType, &sets, &reps)
+			err = rows.Scan(&workout.Id, &workout.Date, &workout.Type, &workout.Sets, &workout.Reps)
 			if err != nil {
 				http.Error(w, err.Error(), http.StatusInternalServerError)
 				return
 			}

-			workout := map[string]interface{}{
-				"id":   id,
-				"date": date,
-				"type": workoutType,
-				"sets": sets,
-				"reps": reps,
-			}
 			workouts = append(workouts, workout)
 		}

-		utils.WriteJSON(w, workouts)
+		workout.WorkoutListComp(workouts).Render(r.Context(), w)
 	}
 }

-func DeleteWorkout(db *sql.DB) http.HandlerFunc {
+func HandleDeleteWorkout(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		metrics.WithLabelValues("delete").Inc()

-		// token := r.Context().Value(middleware.TOKEN_KEY).(*auth.Token)
-		// var userId = token.UID
-		var userId = ""
+		user := verifySessionAndReturnUser(db, r)

-		rowId := r.FormValue("id")
+		rowId := r.PathValue("id")
 		if rowId == "" {
 			http.Error(w, "Missing required fields", http.StatusBadRequest)
 			return
 		}

-		_, err := db.Exec("DELETE FROM workout WHERE user_id = ? AND rowid = ?", userId, rowId)
+		res, err := db.Exec("DELETE FROM workout WHERE user_id = ? AND rowid = ?", user.user_uuid, rowId)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}
+
+		rows, err := res.RowsAffected()
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		if rows == 0 {
+			http.Error(w, "Not found", http.StatusNotFound)
+			return
+		}
 	}
 }