#73 add sign in
@@ -24,6 +24,7 @@ func getHandler(db *sql.DB) http.Handler {
|
|||||||
router.HandleFunc("/auth/signin", service.SignInPage)
|
router.HandleFunc("/auth/signin", service.SignInPage)
|
||||||
router.HandleFunc("/auth/signup", service.SignUpPage)
|
router.HandleFunc("/auth/signup", service.SignUpPage)
|
||||||
router.HandleFunc("/api/auth/signup", service.SignUp(db))
|
router.HandleFunc("/api/auth/signup", service.SignUp(db))
|
||||||
|
router.HandleFunc("/api/auth/signin", service.SignIn(db))
|
||||||
router.HandleFunc("/api/auth/userinfo", service.UserInfoComp(db))
|
router.HandleFunc("/api/auth/userinfo", service.UserInfoComp(db))
|
||||||
|
|
||||||
return middleware.Logging(middleware.EnableCors(router))
|
return middleware.Logging(middleware.EnableCors(router))
|
||||||
|
|||||||
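Review bot: The new `/api/auth/signin` route is registered with no method restriction, so a `GET /api/auth/signin?email=…&password=…` also reaches `service.SignIn`, whose `r.FormValue` calls read credentials from the query string just as readily as from a POST body — and the `Logging` middleware wrapping the router will then presumably record the URL, password included. Unless the handler rejects non-POST requests itself (not visible in this hunk), restrict the method at registration, e.g. `router.HandleFunc("POST /api/auth/signin", service.SignIn(db))` on Go 1.22+ `ServeMux` patterns, or a small method-check wrapper on older toolchains; the same applies to `/api/auth/signup` directly above it. Nothing between `middleware.Logging`/`middleware.EnableCors` and the handler looks like rate limiting, so a credential endpoint is added here with no brute-force protection — worth confirming that is handled elsewhere, and that `EnableCors` does not allow credentialed cross-origin requests to a route that sets a session cookie.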
@@ -1,6 +1,7 @@
|
|||||||
package service
|
package service
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"bytes"
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"database/sql"
|
"database/sql"
|
||||||
"encoding/base64"
|
"encoding/base64"
|
||||||
@@ -8,6 +9,7 @@ import (
|
|||||||
"net/http"
|
"net/http"
|
||||||
"net/mail"
|
"net/mail"
|
||||||
"strings"
|
"strings"
|
||||||
|
"time"
|
||||||
|
|
||||||
"me-fit/template"
|
"me-fit/template"
|
||||||
"me-fit/template/auth"
|
"me-fit/template/auth"
|
||||||
@@ -85,6 +87,53 @@ func SignUp(db *sql.DB) http.HandlerFunc {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func SignIn(db *sql.DB) http.HandlerFunc {
|
||||||
|
return func(w http.ResponseWriter, r *http.Request) {
|
||||||
|
var email = r.FormValue("email")
|
||||||
|
var password = r.FormValue("password")
|
||||||
|
|
||||||
|
var result bool = true
|
||||||
|
start := time.Now()
|
||||||
|
|
||||||
|
var user_uuid uuid.UUID
|
||||||
|
var saved_hash []byte
|
||||||
|
var salt []byte
|
||||||
|
err := db.QueryRow("SELECT user_uuid, password, salt FROM user WHERE email = ?", email).Scan(&user_uuid, &saved_hash, &salt)
|
||||||
|
if err != nil {
|
||||||
|
result = false
|
||||||
|
}
|
||||||
|
|
||||||
|
if result {
|
||||||
|
new_hash := getHashPassword(password, salt)
|
||||||
|
|
||||||
|
if !bytes.Equal(new_hash, saved_hash) {
|
||||||
|
result = false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if result {
|
||||||
|
result := tryCreateSessionAndSetCookie(r, w, db, user_uuid)
|
||||||
|
if !result {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
duration := time.Since(start)
|
||||||
|
time_to_wait := 300 - duration.Milliseconds()
|
||||||
|
// It is important to sleep for a while to prevent timing attacks
|
||||||
|
// If the email is correct, the server will calculate the hash, which will take some time
|
||||||
|
// This way an attacker could guess emails when comparing the response time
|
||||||
|
// Because of that, we cant use WriteHeader in the middle of the function. We have to wait until the end
|
||||||
|
time.Sleep(time.Duration(time_to_wait) * time.Millisecond)
|
||||||
|
|
||||||
|
if result {
|
||||||
|
w.WriteHeader(http.StatusOK)
|
||||||
|
} else {
|
||||||
|
http.Error(w, "Unauthorized", http.StatusUnauthorized)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// var (
|
// var (
|
||||||
// metricsAuthSignUp = promauto.NewCounterVec(
|
// metricsAuthSignUp = promauto.NewCounterVec(
|
||||||
// prometheus.CounterOpts{
|
// prometheus.CounterOpts{
|
||||||
|
|||||||
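Review bot: The hash comparison at `if !bytes.Equal(new_hash, saved_hash)` short-circuits on the first mismatching byte, and since response time is exactly what the 300 ms padding is trying to hide, it should be `subtle.ConstantTimeCompare(new_hash, saved_hash) != 1` (`crypto/subtle` is stdlib). The padding is also only as good as the hash is fast: `time_to_wait` goes negative once the lookup plus `getHashPassword` exceeds 300 ms, `time.Sleep` then returns immediately, and the not-found path (which skips the hash entirely) becomes distinguishable again — so guard the sleep, and ideally run `getHashPassword` against a throw-away salt on the not-found path so both branches do the same work regardless of the budget. Every `Scan` error, including a database outage, is currently collapsed into a silent 401; distinguishing `sql.ErrNoRows` from other errors lets genuine failures surface as a 500 instead of masquerading as bad credentials (and is the one place where answering before the padding is fine, since it reveals nothing about the account). The `result :=` at `result := tryCreateSessionAndSetCookie(...)` shadows the outer `result`; it happens to be harmless because the failing branch returns, but `result =` says what is meant. The lines below sketch the first three points and need `crypto/subtle` and `errors` added to the import block.

```go
err := db.QueryRow("SELECT user_uuid, password, salt FROM user WHERE email = ?", email).Scan(&user_uuid, &saved_hash, &salt)
if err != nil {
	if !errors.Is(err, sql.ErrNoRows) {
		// A DB failure is not a bad credential; do not dress it up as one.
		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
		return
	}
	result = false
}

if result {
	new_hash := getHashPassword(password, salt)
	// Constant-time compare: bytes.Equal stops at the first differing byte.
	if subtle.ConstantTimeCompare(new_hash, saved_hash) != 1 {
		result = false
	}
}
// … unchanged: session creation …
duration := time.Since(start)
time_to_wait := 300 - duration.Milliseconds()
// A negative duration makes time.Sleep return at once, which would re-expose the timing difference.
if time_to_wait > 0 {
	time.Sleep(time.Duration(time_to_wait) * time.Millisecond)
}
// … unchanged: status response …
```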