feat(security): #286 anonymous sign in for csrf token on login form

2024-12-08 15:10:36 +01:00
parent 57989c9b03
commit eab42c26f8
7 changed files with 118 additions and 35 deletions
--- a/service/auth.go
+++ b/service/auth.go
@@ -62,6 +62,7 @@ type Auth interface {

 	SignIn(email string, password string) (*Session, error)
 	SignInSession(sessionId string) (*Session, error)
+	SignInAnonymous() (*Session, error)
 	SignOut(sessionId string) error

 	DeleteAccount(user *User) error
@@ -127,10 +128,14 @@ func (service AuthImpl) SignInSession(sessionId string) (*Session, error) {
 		return nil, types.ErrInternal
 	}

-	if sessionDb.ExpiresAt.After(service.clock.Now()) {
+	if sessionDb.ExpiresAt.Before(service.clock.Now()) {
 		return nil, nil
 	}

+	if sessionDb.UserId == uuid.Nil {
+		return NewSession(sessionDb, nil), nil
+	}
+
 	userDb, err := service.db.GetUser(sessionDb.UserId)
 	if err != nil {
 		return nil, types.ErrInternal
@@ -142,6 +147,15 @@ func (service AuthImpl) SignInSession(sessionId string) (*Session, error) {
 	return session, nil
 }

+func (service AuthImpl) SignInAnonymous() (*Session, error) {
+	sessionDb, err := service.createSession(uuid.Nil)
+	if err != nil {
+		return nil, types.ErrInternal
+	}
+
+	return NewSession(sessionDb, nil), nil
+}
+
 func (service AuthImpl) createSession(userId uuid.UUID) (*db.Session, error) {
 	sessionId, err := service.random.String(32)
 	if err != nil {
@@ -411,6 +425,10 @@ func (service AuthImpl) IsCsrfTokenValid(tokenStr string, sessionId string) bool
 }

 func (service AuthImpl) GetCsrfToken(session *Session) (string, error) {
+	if session == nil {
+		return "", types.ErrInternal
+	}
+
 	tokens, _ := service.db.GetTokensBySessionIdAndType(session.Id, db.TokenTypeCsrf)

 	if len(tokens) > 0 {