diff --git a/handler/auth.go b/handler/auth.go index 42db354..34dcf47 100644 --- a/handler/auth.go +++ b/handler/auth.go @@ -262,7 +262,7 @@ func (handler AuthImpl) handleDeleteAccountComp() http.HandlerFunc { err := handler.service.DeleteAccount(user, password) if err != nil { if err == service.ErrInvalidCredentials { - utils.TriggerToast(w, r, "error", "Password not correct", http.StatusUnauthorized) + utils.TriggerToast(w, r, "error", "Password not correct", http.StatusBadRequest) } else { utils.TriggerToast(w, r, "error", "Internal Server Error", http.StatusInternalServerError) } diff --git a/handler/middleware/cross_site_request_forgery.go b/handler/middleware/cross_site_request_forgery.go index 2f35292..28b9648 100644 --- a/handler/middleware/cross_site_request_forgery.go +++ b/handler/middleware/cross_site_request_forgery.go @@ -56,8 +56,8 @@ func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler if csrfToken == "" { csrfToken = r.Header.Get("csrf-token") } - if csrfToken == "" || !auth.IsCsrfTokenValid(csrfToken, session.Id) { - http.Error(w, "", http.StatusForbidden) + if session == nil || csrfToken == "" || !auth.IsCsrfTokenValid(csrfToken, session.Id) { + http.Error(w, "CSRF-Token not correct", http.StatusBadRequest) return } } diff --git a/main_test.go b/main_test.go index 9ad55ed..3eb8787 100644 --- a/main_test.go +++ b/main_test.go @@ -163,6 +163,167 @@ func TestIntegrationAuth(t *testing.T) { assert.NotEqual(t, anonymousSession.Value, cookie.Value, "Session ID did not change") }) }) + t.Run("DeleteAccount", func(t *testing.T) { + t.Run(`should redirect to "/" if not signed in`, func(t *testing.T) { + t.Parallel() + + _, basePath, ctx := setupIntegrationTest(t) + + req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/delete-account", nil) + assert.Nil(t, err) + resp, err := httpClient.Do(req) + assert.Nil(t, err) + + assert.Equal(t, http.StatusSeeOther, resp.StatusCode) + assert.Equal(t, "/auth/signin", resp.Header.Get("Location")) + }) + t.Run("should fail if not signed in", func(t *testing.T) { + t.Parallel() + + _, basePath, ctx := setupIntegrationTest(t) + + req, err := http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/delete-account", nil) + assert.Nil(t, err) + resp, err := httpClient.Do(req) + assert.Nil(t, err) + + assert.Equal(t, http.StatusBadRequest, resp.StatusCode) + }) + t.Run("should fail if password is incorrect", func(t *testing.T) { + t.Parallel() + + db, basePath, ctx := setupIntegrationTest(t) + userId := uuid.New() + + pass := service.GetHashPassword("password", []byte("salt")) + _, err := db.Exec(` + INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) + VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt")) + + sessionId := "session-id" + assert.Nil(t, err) + _, err = db.Exec(` + INSERT INTO session (session_id, user_id, created_at, expires_at) + VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId) + assert.Nil(t, err) + + req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/delete-account", nil) + assert.Nil(t, err) + req.Header.Set("Cookie", "id="+sessionId) + resp, err := httpClient.Do(req) + assert.Nil(t, err) + + html, err := html.Parse(resp.Body) + assert.Nil(t, err) + csrfToken := findCsrfToken(html) + assert.NotEqual(t, "", csrfToken) + + formData := url.Values{ + "password": {"wrong-password"}, + "csrf-token": {csrfToken}, + } + + req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/delete-account", strings.NewReader(formData.Encode())) + assert.Nil(t, err) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + req.Header.Set("Cookie", "id="+sessionId) + req.Header.Set("HX-Request", "true") + resp, err = httpClient.Do(req) + assert.Nil(t, err) + + assert.Equal(t, http.StatusBadRequest, resp.StatusCode) + }) + t.Run("should fail if csrf-token is incorrect", func(t *testing.T) { + t.Parallel() + + db, basePath, ctx := setupIntegrationTest(t) + userId := uuid.New() + + pass := service.GetHashPassword("password", []byte("salt")) + _, err := db.Exec(` + INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) + VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt")) + + sessionId := "session-id" + assert.Nil(t, err) + _, err = db.Exec(` + INSERT INTO session (session_id, user_id, created_at, expires_at) + VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId) + assert.Nil(t, err) + + formData := url.Values{ + "password": {"password"}, + "csrf-token": {"wrong-csrf-token"}, + } + + req, err := http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/delete-account", strings.NewReader(formData.Encode())) + assert.Nil(t, err) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + req.Header.Set("Cookie", "id="+sessionId) + req.Header.Set("HX-Request", "true") + resp, err := httpClient.Do(req) + assert.Nil(t, err) + + assert.Equal(t, http.StatusBadRequest, resp.StatusCode) + }) + t.Run("should delete all user related data", func(t *testing.T) { + t.Parallel() + + db, basePath, ctx := setupIntegrationTest(t) + userId := uuid.New() + + pass := service.GetHashPassword("password", []byte("salt")) + _, err := db.Exec(` + INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) + VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt")) + + sessionId := "session-id" + assert.Nil(t, err) + _, err = db.Exec(` + INSERT INTO session (session_id, user_id, created_at, expires_at) + VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId) + assert.Nil(t, err) + + req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/delete-account", nil) + assert.Nil(t, err) + req.Header.Set("Cookie", "id="+sessionId) + resp, err := httpClient.Do(req) + assert.Nil(t, err) + + html, err := html.Parse(resp.Body) + assert.Nil(t, err) + csrfToken := findCsrfToken(html) + assert.NotEqual(t, "", csrfToken) + formData := url.Values{ + "password": {"password"}, + "csrf-token": {csrfToken}, + } + + req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/delete-account", strings.NewReader(formData.Encode())) + assert.Nil(t, err) + req.Header.Set("Content-Type", "application/x-www-form-urlencoded") + req.Header.Set("Cookie", "id="+sessionId) + req.Header.Set("HX-Request", "true") + resp, err = httpClient.Do(req) + assert.Nil(t, err) + + assert.Equal(t, http.StatusOK, resp.StatusCode) + + var rows int + err = db.QueryRow("SELECT COUNT(*) FROM session WHERE user_id = ?", userId).Scan(&rows) + assert.Nil(t, err) + assert.Equal(t, 0, rows) + err = db.QueryRow("SELECT COUNT(*) FROM token WHERE user_id = ?", userId).Scan(&rows) + assert.Nil(t, err) + assert.Equal(t, 0, rows) + err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ?", userId).Scan(&rows) + assert.Nil(t, err) + assert.Equal(t, 0, rows) + err = db.QueryRow("SELECT COUNT(*) FROM workout WHERE user_id = ?", userId).Scan(&rows) + assert.Nil(t, err) + assert.Equal(t, 0, rows) + }) + }) t.Run("ChangePassword", func(t *testing.T) { t.Run("should change password and invalidate all other user sessions", func(t *testing.T) { t.Parallel()