feat(security): #328 delete old sessions for change and forgot password

handler/auth.go

@@ -48,9 +48,9 @@ func (handler AuthImpl) Handle(router *http.ServeMux) {
 	router.Handle("/auth/change-password", handler.handleChangePasswordPage())
 	router.Handle("/api/auth/change-password", handler.handleChangePasswordComp())
 
-	router.Handle("/auth/reset-password", handler.handleResetPasswordPage())
-	router.Handle("/api/auth/reset-password", handler.handleForgotPasswordComp())
-	router.Handle("/api/auth/reset-password-actual", handler.handleForgotPasswordResponseComp())
+	router.Handle("/auth/forgot-password", handler.handleForgotPasswordPage())
+	router.Handle("/api/auth/forgot-password", handler.handleForgotPasswordComp())
+	router.Handle("/api/auth/forgot-password-actual", handler.handleForgotPasswordResponseComp())
 }
 
 var (
@@ -93,12 +93,10 @@ func (handler AuthImpl) handleSignIn() http.HandlerFunc {
 		})
 
 		if err != nil {
-			if err == service.ErrInvaidCredentials {
-				utils.TriggerToast(w, r, "error", "Invalid email or password")
-				http.Error(w, "Invalid email or password", http.StatusUnauthorized)
+			if err == service.ErrInvalidCredentials {
+				utils.TriggerToast(w, r, "error", "Invalid email or password", http.StatusUnauthorized)
 			} else {
-				log.Error("Error signing in: %v", err)
-				http.Error(w, "An error occurred", http.StatusInternalServerError)
+				utils.TriggerToast(w, r, "error", "An error occurred", http.StatusInternalServerError)
 			}
 			return
 		}
@@ -198,16 +196,16 @@ func (handler AuthImpl) handleSignUp() http.HandlerFunc {
 
 		if err != nil {
 			if errors.Is(err, types.ErrInternal) {
-				utils.TriggerToast(w, r, "error", "An error occurred")
+				utils.TriggerToast(w, r, "error", "An error occurred", http.StatusInternalServerError)
 				return
 			} else if errors.Is(err, service.ErrInvalidEmail) {
-				utils.TriggerToast(w, r, "error", "The email provided is invalid")
+				utils.TriggerToast(w, r, "error", "The email provided is invalid", http.StatusBadRequest)
 				return
 			}
 			// If the "service.ErrAccountExists", then just continue
 		}
 
-		utils.TriggerToast(w, r, "success", "A link to activate your account has been emailed to the address provided.")
+		utils.TriggerToast(w, r, "success", "A link to activate your account has been emailed to the address provided.", http.StatusOK)
 	}
 }
 
@@ -261,15 +259,13 @@ func (handler AuthImpl) handleDeleteAccountComp() http.HandlerFunc {
 
 		password := r.FormValue("password")
 
-		_, err := handler.service.SignIn(user.Email, password)
+		err := handler.service.DeleteAccount(user, password)
 		if err != nil {
-			utils.TriggerToast(w, r, "error", "Password not correct")
-			return
-		}
-
-		err = handler.service.DeleteAccount(user)
-		if err != nil {
-			utils.TriggerToast(w, r, "error", "Internal Server Error")
+			if err == service.ErrInvalidCredentials {
+				utils.TriggerToast(w, r, "error", "Password not correct", http.StatusUnauthorized)
+			} else {
+				utils.TriggerToast(w, r, "error", "Internal Server Error", http.StatusInternalServerError)
+			}
 			return
 		}
 
@@ -297,8 +293,8 @@ func (handler AuthImpl) handleChangePasswordPage() http.HandlerFunc {
 func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 
-		user := middleware.GetUser(r)
-		if user == nil {
+		session := middleware.GetSession(r)
+		if session == nil || session.User == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
@@ -306,22 +302,22 @@ func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
 		currPass := r.FormValue("current-password")
 		newPass := r.FormValue("new-password")
 
-		err := handler.service.ChangePassword(user, currPass, newPass)
+		err := handler.service.ChangePassword(session, currPass, newPass)
 		if err != nil {
-			utils.TriggerToast(w, r, "error", "Password not correct")
+			utils.TriggerToast(w, r, "error", "Password not correct", http.StatusUnauthorized)
 			return
 		}
 
-		utils.TriggerToast(w, r, "success", "Password changed")
+		utils.TriggerToast(w, r, "success", "Password changed", http.StatusOK)
 	}
 }
 
-func (handler AuthImpl) handleResetPasswordPage() http.HandlerFunc {
+func (handler AuthImpl) handleForgotPasswordPage() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 
 		user := middleware.GetUser(r)
-		if user == nil {
-			utils.DoRedirect(w, r, "/auth/signin")
+		if user != nil {
+			utils.DoRedirect(w, r, "/")
 			return
 		}
 
@@ -335,15 +331,19 @@ func (handler AuthImpl) handleForgotPasswordComp() http.HandlerFunc {
 
 		email := r.FormValue("email")
 		if email == "" {
-			utils.TriggerToast(w, r, "error", "Please enter an email")
+			utils.TriggerToast(w, r, "error", "Please enter an email", http.StatusBadRequest)
 			return
 		}
 
-		err := handler.service.SendForgotPasswordMail(email)
+		_, err := utils.WaitMinimumTime(securityWaitDuration, func() (interface{}, error) {
+			err := handler.service.SendForgotPasswordMail(email)
+			return nil, err
+		})
+
 		if err != nil {
-			utils.TriggerToast(w, r, "error", "Internal Server Error")
+			utils.TriggerToast(w, r, "error", "Internal Server Error", http.StatusInternalServerError)
 		} else {
-			utils.TriggerToast(w, r, "info", "If the email exists, an email has been sent")
+			utils.TriggerToast(w, r, "info", "If the email exists, an email has been sent", http.StatusOK)
 		}
 	}
 }
@@ -354,23 +354,18 @@ func (handler AuthImpl) handleForgotPasswordResponseComp() http.HandlerFunc {
 		pageUrl, err := url.Parse(r.Header.Get("HX-Current-URL"))
 		if err != nil {
 			log.Error("Could not get current URL: %v", err)
-			utils.TriggerToast(w, r, "error", "Internal Server Error")
+			utils.TriggerToast(w, r, "error", "Internal Server Error", http.StatusInternalServerError)
 			return
 		}
 
 		token := pageUrl.Query().Get("token")
-		if token == "" {
-			utils.TriggerToast(w, r, "error", "No token")
-			return
-		}
-
 		newPass := r.FormValue("new-password")
 
 		err = handler.service.ForgotPassword(token, newPass)
 		if err != nil {
-			utils.TriggerToast(w, r, "error", err.Error())
+			utils.TriggerToast(w, r, "error", err.Error(), http.StatusInternalServerError)
 		} else {
-			utils.TriggerToast(w, r, "success", "Password changed")
+			utils.TriggerToast(w, r, "success", "Password changed", http.StatusOK)
 		}
 	}
 }

handler/middleware/cross_site_request_forgery.go

@@ -61,7 +61,9 @@ func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler
 				}
 			}
 
-			if session == nil && (strings.Contains(r.RequestURI, "/auth/signup") || strings.Contains(r.RequestURI, "/auth/signin")) {
+			// Always sign in anonymous
+			// This way, there is no way to forget creating a csrf token
+			if session == nil {
 				session, _ = auth.SignInAnonymous()
 
 				cookie := CreateSessionCookie(session.Id)

handler/middleware/security_headers.go

@@ -14,13 +14,13 @@ func SecurityHeaders(serverSettings *types.Settings) func(http.Handler) http.Han
 			w.Header().Set("Access-Control-Allow-Origin", serverSettings.BaseUrl)
 			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, DELETE")
 			w.Header().Set("Content-Security-Policy",
-				"default-src 'none';"+
-					"script-src 'self' https://umami.me-fit.eu"+
-					"connect-src 'self' https://umami.me-fit.eu"+
-					"img-src 'self'"+
-					"style-src 'self'"+
-					"form-action 'self'"+
-					"frame-ancestors 'none'",
+				"default-src 'none'; "+
+					"script-src 'self' https://umami.me-fit.eu; "+
+					"connect-src 'self' https://umami.me-fit.eu; "+
+					"img-src 'self'; "+
+					"style-src 'self'; "+
+					"form-action 'self'; "+
+					"frame-ancestors 'none'; ",
 			)
 			w.Header().Set("Cross-Origin-Resource-Policy", "same-origin")
 			w.Header().Set("Cross-Origin-Opener-Policy", "same-origin")

handler/workout.go

@@ -2,7 +2,6 @@ package handler
 
 import (
 	"me-fit/handler/middleware"
-	"me-fit/log"
 	"me-fit/service"
 	"me-fit/template/workout"
 	"me-fit/utils"
@@ -67,7 +66,7 @@ func (handler WorkoutImpl) handleAddWorkout() http.HandlerFunc {
 		wo := service.NewWorkoutDto("", dateStr, typeStr, setsStr, repsStr)
 		wo, err := handler.service.AddWorkout(session.User, wo)
 		if err != nil {
-			utils.TriggerToast(w, r, "error", "Invalid input values")
+			utils.TriggerToast(w, r, "error", "Invalid input values", http.StatusBadRequest)
 			http.Error(w, "Invalid input values", http.StatusBadRequest)
 			return
 		}
@@ -111,25 +110,19 @@ func (handler WorkoutImpl) handleDeleteWorkout() http.HandlerFunc {
 
 		rowId := r.PathValue("id")
 		if rowId == "" {
-			http.Error(w, "Missing required fields", http.StatusBadRequest)
-			log.Warn("Missing required fields for workout delete")
-			utils.TriggerToast(w, r, "error", "Missing ID field")
+			utils.TriggerToast(w, r, "error", "Missing ID field", http.StatusBadRequest)
 			return
 		}
 
 		rowIdInt, err := strconv.Atoi(rowId)
 		if err != nil {
-			http.Error(w, "Invalid ID", http.StatusBadRequest)
-			log.Warn("Invalid ID for workout delete")
-			utils.TriggerToast(w, r, "error", "Invalid ID")
+			utils.TriggerToast(w, r, "error", "Invalid ID", http.StatusBadRequest)
 			return
 		}
 
 		err = handler.service.DeleteWorkout(session.User, rowIdInt)
 		if err != nil {
-			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
-			log.Error("Could not delete workout: %v", err.Error())
-			utils.TriggerToast(w, r, "error", "Internal Server Error")
+			utils.TriggerToast(w, r, "error", "Internal Server Error", http.StatusInternalServerError)
 			return
 		}
 	}