#73 add sign in

service/auth.go

@@ -1,6 +1,7 @@
 package service
 
 import (
+	"bytes"
 	"crypto/rand"
 	"database/sql"
 	"encoding/base64"
@@ -8,6 +9,7 @@ import (
 	"net/http"
 	"net/mail"
 	"strings"
+	"time"
 
 	"me-fit/template"
 	"me-fit/template/auth"
@@ -85,6 +87,53 @@ func SignUp(db *sql.DB) http.HandlerFunc {
 	}
 }
 
+func SignIn(db *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var email = r.FormValue("email")
+		var password = r.FormValue("password")
+
+		var result bool = true
+		start := time.Now()
+
+		var user_uuid uuid.UUID
+		var saved_hash []byte
+		var salt []byte
+		err := db.QueryRow("SELECT user_uuid, password, salt FROM user WHERE email = ?", email).Scan(&user_uuid, &saved_hash, &salt)
+		if err != nil {
+			result = false
+		}
+
+		if result {
+			new_hash := getHashPassword(password, salt)
+
+			if !bytes.Equal(new_hash, saved_hash) {
+				result = false
+			}
+		}
+
+		if result {
+			result := tryCreateSessionAndSetCookie(r, w, db, user_uuid)
+			if !result {
+				return
+			}
+		}
+
+		duration := time.Since(start)
+		time_to_wait := 300 - duration.Milliseconds()
+		// It is important to sleep for a while to prevent timing attacks
+		// If the email is correct, the server will calculate the hash, which will take some time
+		// This way an attacker could guess emails when comparing the response time
+		// Because of that, we cant use WriteHeader in the middle of the function. We have to wait until the end
+		time.Sleep(time.Duration(time_to_wait) * time.Millisecond)
+
+		if result {
+			w.WriteHeader(http.StatusOK)
+		} else {
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+		}
+	}
+}
+
 // var (
 // 	metricsAuthSignUp = promauto.NewCounterVec(
 // 		prometheus.CounterOpts{