x/web-app-template
Archived
Template
2
0
Fork 0
Code Issues 13 Pull Requests 4 Actions Packages Activity

tbs

Browse Source
This commit is contained in:
Tim Wundenberg
2024-12-05 23:24:39 +01:00
parent b9d50d986f
commit fe2d7c0fd4
16 changed files with 228 additions and 181 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
db/auth.go
View File

@@ -45,13 +45,15 @@ type Session struct {
Id string
UserId uuid.UUID
CreatedAt time.Time
ExpiresAt time.Time
}
func NewSession(id string, userId uuid.UUID, createdAt time.Time) *Session {
func NewSession(id string, userId uuid.UUID, createdAt time.Time, expiresAt time.Time) *Session {
return &Session{
Id: id,
UserId: userId,
CreatedAt: createdAt,
ExpiresAt: expiresAt,
}
}
@@ -106,7 +108,7 @@ func NewAuthSqlite(db *sql.DB) *AuthSqlite {
func (db AuthSqlite) InsertUser(user *User) error {
_, err := db.db.Exec(`
INSERT INTO user (user_uuid, email, email_verified, email_verified_at, is_admin, password, salt, created_at)
INSERT INTO user (user_id, email, email_verified, email_verified_at, is_admin, password, salt, created_at)
VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
user.Id, user.Email, user.EmailVerified, user.EmailVerifiedAt, user.IsAdmin, user.Password, user.Salt, user.CreateAt)
@@ -126,7 +128,7 @@ func (db AuthSqlite) UpdateUser(user *User) error {
_, err := db.db.Exec(`
UPDATE user
SET email_verified = ?, email_verified_at = ?, password = ?
WHERE user_uuid = ?`,
WHERE user_id = ?`,
user.EmailVerified, user.EmailVerifiedAt, user.Password, user.Id)
if err != nil {
@@ -149,7 +151,7 @@ func (db AuthSqlite) GetUserByEmail(email string) (*User, error) {
)
err := db.db.QueryRow(`
SELECT user_uuid, email_verified, email_verified_at, password, salt, created_at
SELECT user_id, email_verified, email_verified_at, password, salt, created_at
FROM user
WHERE email = ?`, email).Scan(&userId, &emailVerified, &emailVerifiedAt, &password, &salt, &createdAt)
if err != nil {
@@ -178,7 +180,7 @@ func (db AuthSqlite) GetUser(userId uuid.UUID) (*User, error) {
err := db.db.QueryRow(`
SELECT email, email_verified, email_verified_at, password, salt, created_at
FROM user
WHERE user_uuid = ?`, userId).Scan(&email, &emailVerified, &emailVerifiedAt, &password, &salt, &createdAt)
WHERE user_id = ?`, userId).Scan(&email, &emailVerified, &emailVerifiedAt, &password, &salt, &createdAt)
if err != nil {
if err == sql.ErrNoRows {
return nil, ErrNotFound
@@ -206,21 +208,21 @@ func (db AuthSqlite) DeleteUser(userId uuid.UUID) error {
return types.ErrInternal
}
_, err = tx.Exec("DELETE FROM user_token WHERE user_uuid = ?", userId)
_, err = tx.Exec("DELETE FROM user_token WHERE user_id = ?", userId)
if err != nil {
_ = tx.Rollback()
log.Error("Could not delete user tokens: %v", err)
return types.ErrInternal
}
_, err = tx.Exec("DELETE FROM session WHERE user_uuid = ?", userId)
_, err = tx.Exec("DELETE FROM session WHERE user_id = ?", userId)
if err != nil {
_ = tx.Rollback()
log.Error("Could not delete sessions: %v", err)
return types.ErrInternal
}
_, err = tx.Exec("DELETE FROM user WHERE user_uuid = ?", userId)
_, err = tx.Exec("DELETE FROM user WHERE user_id = ?", userId)
if err != nil {
_ = tx.Rollback()
log.Error("Could not delete user: %v", err)
@@ -238,7 +240,7 @@ func (db AuthSqlite) DeleteUser(userId uuid.UUID) error {
func (db AuthSqlite) InsertToken(token *Token) error {
_, err := db.db.Exec(`
INSERT INTO user_token (user_uuid, type, token, created_at, expires_at)
INSERT INTO user_token (user_id, type, token, created_at, expires_at)
VALUES (?, ?, ?, ?, ?)`, token.UserId, token.Type, token.Token, token.CreatedAt, token.ExpiresAt)
if err != nil {
@@ -260,7 +262,7 @@ func (db AuthSqlite) GetToken(token string) (*Token, error) {
)
err := db.db.QueryRow(`
SELECT user_uuid, type, created_at, expires_at
SELECT user_id, type, created_at, expires_at
FROM user_token
WHERE token = ?
AND type = 'email_verify'`, token).Scan(&userId, &tokenType, &createdAtStr, &expiresAtStr)
@@ -295,7 +297,7 @@ func (db AuthSqlite) GetTokensByUserIdAndType(userId uuid.UUID, tokenType string
query, err := db.db.Query(`
SELECT token, created_at, expires_at
FROM user_token
WHERE user_uuid = ?
WHERE user_id = ?
AND type = ?`, userId, tokenType)
if err != nil {
@@ -350,7 +352,7 @@ func (db AuthSqlite) DeleteToken(token string) error {
func (db AuthSqlite) InsertSession(session *Session) error {
_, err := db.db.Exec(`
INSERT INTO session (session_id, user_uuid, created_at)
INSERT INTO session (session_id, user_id, created_at)
VALUES (?, ?, ?)`, session.Id, session.UserId, session.CreatedAt)
if err != nil {
@@ -365,25 +367,25 @@ func (db AuthSqlite) GetSession(sessionId string) (*Session, error) {
var (
userId uuid.UUID
sessionCreatedAt time.Time
createdAt time.Time
expiresAt time.Time
)
err := db.db.QueryRow(`
SELECT u.user_uuid, s.created_at
FROM session s
INNER JOIN user u ON s.user_uuid = u.user_uuid
WHERE session_id = ?`, sessionId).Scan(&userId, &sessionCreatedAt)
SELECT user_id, created_at, expires_at
FROM session
WHERE session_id = ?`, sessionId).Scan(&userId, &createdAt, &expiresAt)
if err != nil {
return nil, ErrNotFound
}
return NewSession(sessionId, userId, sessionCreatedAt), nil
return NewSession(sessionId, userId, createdAt, expiresAt), nil
}
func (db AuthSqlite) DeleteOldSessions(userId uuid.UUID) error {
// Delete old inactive sessions
_, err := db.db.Exec("DELETE FROM session WHERE created_at < datetime('now','-8 hours') AND user_uuid = ?", userId)
_, err := db.db.Exec("DELETE FROM session WHERE created_at < datetime('now','-8 hours') AND user_id = ?", userId)
if err != nil {
log.Error("Could not delete old sessions: %v", err)
return types.ErrInternal

40
db/auth_test.go
View File

@@ -2,6 +2,7 @@ package db
import (
"database/sql"
"me-fit/types"
"testing"
"time"
@@ -29,17 +30,7 @@ func setupDb(t *testing.T) *sql.DB {
func TestUser(t *testing.T) {
t.Parallel()
t.Run("should return UserNotFound", func(t *testing.T) {
t.Parallel()
db := setupDb(t)
underTest := AuthSqlite{db: db}
_, err := underTest.GetUserByEmail("someNonExistentEmail")
assert.Equal(t, ErrNotFound, err)
})
t.Run("should insert and get user", func(t *testing.T) {
t.Run("should insert and get the same", func(t *testing.T) {
t.Parallel()
db := setupDb(t)
@@ -52,13 +43,24 @@ func TestUser(t *testing.T) {
err := underTest.InsertUser(expected)
assert.Nil(t, err)
actual, err := underTest.GetUserByEmail(expected.Email)
actual, err := underTest.GetUser(expected.Id)
assert.Nil(t, err)
assert.Equal(t, expected, actual)
actual, err = underTest.GetUserByEmail(expected.Email)
assert.Nil(t, err)
assert.Equal(t, expected, actual)
})
t.Run("should return UserNotFound", func(t *testing.T) {
t.Parallel()
db := setupDb(t)
t.Run("should throw error if user already exists", func(t *testing.T) {
underTest := AuthSqlite{db: db}
_, err := underTest.GetUserByEmail("nonExistentEmail")
assert.Equal(t, ErrNotFound, err)
})
t.Run("should return ErrUserExist", func(t *testing.T) {
t.Parallel()
db := setupDb(t)
@@ -74,6 +76,18 @@ func TestUser(t *testing.T) {
err = underTest.InsertUser(user)
assert.Equal(t, ErrUserExists, err)
})
t.Run("should return ErrInternal on missing NOT NULL fields", func(t *testing.T) {
t.Parallel()
db := setupDb(t)
underTest := AuthSqlite{db: db}
createAt := time.Date(2020, 1, 5, 12, 0, 0, 0, time.UTC)
user := NewUser(uuid.New(), "some@email.de", false, nil, false, []byte("somePass"), nil, createAt)
err := underTest.InsertUser(user)
assert.Equal(t, types.ErrInternal, err)
})
}
func TestEmailVerification(t *testing.T) {

70
handler/auth.go
View File

@@ -1,6 +1,7 @@
package handler
import (
"me-fit/handler/middleware"
"me-fit/log"
"me-fit/service"
"me-fit/template/auth"
@@ -58,9 +59,9 @@ var (
func (handler AuthImpl) handleSignInPage() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user, _ := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
if user != nil {
if !user.EmailVerified {
session := r.Context().Value(middleware.SessionKey).(*service.Session)
if session != nil {
if !session.User.EmailVerified {
utils.DoRedirect(w, r, "/auth/verify")
} else {
utils.DoRedirect(w, r, "/")
@@ -121,10 +122,10 @@ func (handler AuthImpl) handleSignIn() http.HandlerFunc {
func (handler AuthImpl) handleSignUpPage() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user, _ := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
session := r.Context().Value(middleware.SessionKey).(*service.Session)
if user != nil {
if !user.EmailVerified {
if session != nil {
if !session.User.EmailVerified {
utils.DoRedirect(w, r, "/auth/verify")
} else {
utils.DoRedirect(w, r, "/")
@@ -139,33 +140,34 @@ func (handler AuthImpl) handleSignUpPage() http.HandlerFunc {
func (handler AuthImpl) handleSignUpVerifyPage() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user, _ := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
if user == nil {
session := r.Context().Value(middleware.SessionKey).(*service.Session)
if session == nil {
utils.DoRedirect(w, r, "/auth/signin")
return
}
if user.EmailVerified {
if session.User.EmailVerified {
utils.DoRedirect(w, r, "/")
return
}
signIn := auth.VerifyComp()
handler.render.RenderLayout(r, w, signIn, user)
handler.render.RenderLayout(r, w, signIn, session.User)
}
}
func (handler AuthImpl) handleVerifyResendComp() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user, err := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
if err != nil {
session := r.Context().Value(middleware.SessionKey).(*service.Session)
if session == nil {
utils.DoRedirect(w, r, "/auth/signin")
return
}
user := session.User
go handler.service.SendVerificationMail(user.Id, user.Email)
_, err = w.Write([]byte("<p class=\"mt-8\">Verification email sent</p>"))
_, err := w.Write([]byte("<p class=\"mt-8\">Verification email sent</p>"))
if err != nil {
log.Error("Could not write response: %v", err)
}
@@ -219,12 +221,15 @@ func (handler AuthImpl) handleSignUp() http.HandlerFunc {
func (handler AuthImpl) handleSignOut() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
err := handler.service.SignOut(utils.GetSessionID(r))
session := r.Context().Value(middleware.SessionKey).(*service.Session)
if session != nil {
err := handler.service.SignOut(session.Id)
if err != nil {
utils.TriggerToast(w, r, "error", "Internal Server Error")
http.Error(w, err.Error(), http.StatusInternalServerError)
http.Error(w, "An error occurred", http.StatusInternalServerError)
return
}
}
c := http.Cookie{
Name: "id",
@@ -243,34 +248,33 @@ func (handler AuthImpl) handleSignOut() http.HandlerFunc {
func (handler AuthImpl) handleDeleteAccountPage() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
// An unverified email should be able to delete their account
user, err := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
if err != nil {
session := r.Context().Value(middleware.SessionKey).(*service.Session)
if session == nil {
utils.DoRedirect(w, r, "/auth/signin")
}
comp := auth.DeleteAccountComp()
handler.render.RenderLayout(r, w, comp, user)
handler.render.RenderLayout(r, w, comp, session.User)
}
}
func (handler AuthImpl) handleDeleteAccountComp() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user, err := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
if err != nil {
session := r.Context().Value(middleware.SessionKey).(*service.Session)
if session == nil {
utils.DoRedirect(w, r, "/auth/signin")
return
}
password := r.FormValue("password")
_, err = handler.service.SignIn(user.Email, password)
_, err := handler.service.SignIn(session.User.Email, password)
if err != nil {
utils.TriggerToast(w, r, "error", "Password not correct")
return
}
err = handler.service.DeleteAccount(user)
err = handler.service.DeleteAccount(session.User)
if err != nil {
utils.TriggerToast(w, r, "error", "Internal Server Error")
return
@@ -285,23 +289,23 @@ func (handler AuthImpl) handleChangePasswordPage() http.HandlerFunc {
isPasswordReset := r.URL.Query().Has("token")
user, _ := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
session := r.Context().Value(middleware.SessionKey).(*service.Session)
if user == nil && !isPasswordReset {
if session == nil && !isPasswordReset {
utils.DoRedirect(w, r, "/auth/signin")
return
}
comp := auth.ChangePasswordComp(isPasswordReset)
handler.render.RenderLayout(r, w, comp, user)
handler.render.RenderLayout(r, w, comp, session.User)
}
}
func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user, err := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
if err != nil {
session := r.Context().Value(middleware.SessionKey).(*service.Session)
if session == nil {
utils.DoRedirect(w, r, "/auth/signin")
return
}
@@ -309,7 +313,7 @@ func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
currPass := r.FormValue("current-password")
newPass := r.FormValue("new-password")
err = handler.service.ChangePassword(user, currPass, newPass)
err := handler.service.ChangePassword(session.User, currPass, newPass)
if err != nil {
utils.TriggerToast(w, r, "error", "Password not correct")
return
@@ -322,14 +326,14 @@ func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
func (handler AuthImpl) handleResetPasswordPage() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user, err := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
if err != nil {
session := r.Context().Value(middleware.SessionKey).(*service.Session)
if session == nil {
utils.DoRedirect(w, r, "/auth/signin")
return
}
comp := auth.ResetPasswordComp()
handler.render.RenderLayout(r, w, comp, user)
handler.render.RenderLayout(r, w, comp, session.User)
}
}

8
handler/index_and_404.go
View File

@@ -1,9 +1,9 @@
package handler
import (
"me-fit/handler/middleware"
"me-fit/service"
"me-fit/template"
"me-fit/utils"
"net/http"
@@ -32,7 +32,11 @@ func (handler IndexImpl) Handle(router *http.ServeMux) {
func (handler IndexImpl) handleIndexAnd404() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user, _ := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
session := r.Context().Value(middleware.SessionKey).(*service.Session)
var user *service.User
if session != nil {
user = session.User
}
var comp templ.Component

38
handler/middleware/authenticate.go Normal file
View File

@@ -0,0 +1,38 @@
package middleware
import (
"context"
"me-fit/service"
"net/http"
)
type ContextKey string
var SessionKey ContextKey = "session"
func Authenticate(service service.Auth) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
sessionId := getSessionID(r)
session, _ := service.SignInSession(sessionId)
if session != nil {
ctx := context.WithValue(r.Context(), SessionKey, session)
next.ServeHTTP(w, r.WithContext(ctx))
} else {
next.ServeHTTP(w, r)
}
})
}
}
func getSessionID(r *http.Request) string {
cookie, err := r.Cookie("id")
if err != nil {
return ""
}
return cookie.Name
}

18
handler/middleware/cross_site_request_forgery.go
View File

@@ -1,16 +1,20 @@
package middleware
import "net/http"
import (
"me-fit/service"
"net/http"
)
func CrossSiteRequestForgery() func(http.Handler) http.Handler {
func CrossSiteRequestForgery(auth *service.Auth) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// session := r.Context().Value(SessionKey)
if r.Method == "POST" {
// Check the CSRF token
csrfToken := r.Header.Get("X-CSRF-Token")
sessionToken := r.Header.Get("X-Session-Token")
if csrfToken != sessionToken {
http.Error(w, "CSRF token mismatch", http.StatusForbidden)
csrfToken := r.FormValue("csrf-token")
if csrfToken == "" {
http.Error(w, "", http.StatusForbidden)
return
}
}

22
handler/middleware/user.go
View File

@@ -1,22 +0,0 @@
package middleware
import (
"me-fit/service"
"net/http"
)
func UserAuth(service *service.AuthService) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Check the user is logged in
sessionToken := r.Header.Get("X-Session-Token")
if sessionToken == "" {
http.Error(w, "Unauthorized", http.StatusUnauthorized)
return
}
next.ServeHTTP(w, r)
})
}
}

25
handler/workout.go
View File

@@ -1,6 +1,7 @@
package handler
import (
"me-fit/handler/middleware"
"me-fit/log"
"me-fit/service"
"me-fit/template/workout"
@@ -38,22 +39,22 @@ func (handler WorkoutImpl) Handle(router *http.ServeMux) {
func (handler WorkoutImpl) handleWorkoutPage() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user, err := handler.auth.GetUserFromSessionId(utils.GetSessionID(r))
if err != nil {
session := r.Context().Value(middleware.SessionKey).(*service.Session)
if session == nil {
utils.DoRedirect(w, r, "/auth/signin")
return
}
currentDate := time.Now().Format("2006-01-02")
comp := workout.WorkoutComp(currentDate)
handler.render.RenderLayout(r, w, comp, user)
handler.render.RenderLayout(r, w, comp, session.User)
}
}
func (handler WorkoutImpl) handleAddWorkout() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user, err := handler.auth.GetUserFromSessionId(utils.GetSessionID(r))
if err != nil {
session := r.Context().Value(middleware.SessionKey).(*service.Session)
if session == nil {
utils.DoRedirect(w, r, "/auth/signin")
return
}
@@ -64,7 +65,7 @@ func (handler WorkoutImpl) handleAddWorkout() http.HandlerFunc {
var repsStr = r.FormValue("reps")
wo := service.NewWorkoutDto("", dateStr, typeStr, setsStr, repsStr)
wo, err = handler.service.AddWorkout(user, wo)
wo, err := handler.service.AddWorkout(session.User, wo)
if err != nil {
utils.TriggerToast(w, r, "error", "Invalid input values")
http.Error(w, "Invalid input values", http.StatusBadRequest)
@@ -79,13 +80,13 @@ func (handler WorkoutImpl) handleAddWorkout() http.HandlerFunc {
func (handler WorkoutImpl) handleGetWorkout() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user, err := handler.auth.GetUserFromSessionId(utils.GetSessionID(r))
if err != nil {
session := r.Context().Value(middleware.SessionKey).(*service.Session)
if session == nil {
utils.DoRedirect(w, r, "/auth/signin")
return
}
workouts, err := handler.service.GetWorkouts(user)
workouts, err := handler.service.GetWorkouts(session.User)
if err != nil {
return
}
@@ -102,8 +103,8 @@ func (handler WorkoutImpl) handleGetWorkout() http.HandlerFunc {
func (handler WorkoutImpl) handleDeleteWorkout() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user, err := handler.auth.GetUserFromSessionId(utils.GetSessionID(r))
if err != nil {
session := r.Context().Value(middleware.SessionKey).(*service.Session)
if session == nil {
utils.DoRedirect(w, r, "/auth/signin")
return
}
@@ -124,7 +125,7 @@ func (handler WorkoutImpl) handleDeleteWorkout() http.HandlerFunc {
return
}
err = handler.service.DeleteWorkout(user, rowIdInt)
err = handler.service.DeleteWorkout(session.User, rowIdInt)
if err != nil {
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
log.Error("Could not delete workout: %v", err.Error())

2
main_test.go
View File

@@ -34,7 +34,7 @@ func TestHandleSignIn(t *testing.T) {
pass := service.GetHashPassword("password", []byte("salt"))
_, err := db.Exec(`
INSERT INTO user (user_uuid, email, email_verified, is_admin, password, salt, created_at)
INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at)
VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, uuid.New(), pass, []byte("salt"))
if err != nil {
t.Fatalf("Error inserting user: %v", err)

37
migration/001_initial_schema.up.sql
View File

@@ -1,4 +1,40 @@
CREATE TABLE user (
user_id TEXT NOT NULL UNIQUE PRIMARY KEY,
email TEXT NOT NULL UNIQUE,
email_verified BOOLEAN NOT NULL,
email_verified_at DATETIME,
is_admin BOOLEAN NOT NULL,
password BLOB NOT NULL,
salt BLOB NOT NULL,
created_at DATETIME NOT NULL
) WITHOUT ROWID;
CREATE TABLE session (
session_id TEXT NOT NULL UNIQUE PRIMARY KEY,
user_id TEXT NOT NULL,
created_at DATETIME NOT NULL,
expires_at DATETIME NOT NULL
) WITHOUT ROWID;
CREATE TABLE token (
token TEXT NOT NULL UNIQUE PRIMARY KEY,
user_id TEXT,
session_id TEXT,
type TEXT NOT NULL,
created_at DATETIME NOT NULL,
expires_at DATETIME
);
CREATE TABLE workout (
user_id INTEGER NOT NULL,
date TEXT NOT NULL,
@@ -6,4 +42,3 @@ CREATE TABLE workout (
sets INTEGER NOT NULL,
reps INTEGER NOT NULL
);

21
migration/002_user_and_session.up.sql
View File

@@ -1,21 +0,0 @@
CREATE TABLE user (
user_uuid TEXT NOT NULL UNIQUE PRIMARY KEY,
email TEXT NOT NULL UNIQUE,
email_verified BOOLEAN NOT NULL,
is_admin BOOLEAN NOT NULL,
password BLOB NOT NULL,
salt BLOB NOT NULL,
created_at DATETIME NOT NULL
) WITHOUT ROWID;
CREATE TABLE session (
session_id TEXT NOT NULL UNIQUE PRIMARY KEY,
user_uuid TEXT NOT NULL,
created_at DATETIME NOT NULL
) WITHOUT ROWID;

2
migration/003_user_mail_verification.up.sql
View File

@@ -1,2 +0,0 @@
ALTER TABLE user ADD COLUMN email_verified_at DATETIME DEFAULT NULL;

11
migration/004_user_tokens.up.sql
View File

@@ -1,11 +0,0 @@
-- E.G. email-verifications, password-resets, unsubscribe-from-newsletter etc.
CREATE TABLE user_token (
user_uuid TEXT NOT NULL,
type TEXT NOT NULL,
token TEXT NOT NULL UNIQUE PRIMARY KEY,
created_at DATETIME NOT NULL,
expires_at DATETIME
);

58
service/auth.go
View File

@@ -42,6 +42,7 @@ func NewUser(user *db.User) *User {
type Session struct {
Id string
CreatedAt time.Time
ExpiresAt time.Time
User *User
}
@@ -49,6 +50,7 @@ func NewSession(session *db.Session, user *User) *Session {
return &Session{
Id: session.Id,
CreatedAt: session.CreatedAt,
ExpiresAt: session.ExpiresAt,
User: user,
}
}
@@ -59,6 +61,7 @@ type Auth interface {
VerifyUserEmail(token string) error
SignIn(email string, password string) (*Session, error)
SignInSession(sessionId string) (*Session, error)
SignOut(sessionId string) error
DeleteAccount(user *User) error
@@ -68,7 +71,8 @@ type Auth interface {
SendForgotPasswordMail(email string) error
ForgotPassword(token string, newPass string) error
GetUserFromSessionId(sessionId string) (*User, error)
// IsCsrfTokenValid(token string, user *User) bool
// GetCsrfToken(token string, user *User) bool
}
type AuthImpl struct {
@@ -113,6 +117,31 @@ func (service AuthImpl) SignIn(email string, password string) (*Session, error)
return NewSession(session, NewUser(user)), nil
}
func (service AuthImpl) SignInSession(sessionId string) (*Session, error) {
if sessionId == "" {
return nil, ErrSessionIdInvalid
}
sessionDb, err := service.db.GetSession(sessionId)
if err != nil {
return nil, types.ErrInternal
}
if sessionDb.ExpiresAt.After(service.clock.Now()) {
return nil, nil
}
userDb, err := service.db.GetUser(sessionDb.UserId)
if err != nil {
return nil, types.ErrInternal
}
user := NewUser(userDb)
session := NewSession(sessionDb, user)
return session, nil
}
func (service AuthImpl) createSession(userId uuid.UUID) (*db.Session, error) {
sessionId, err := service.random.String(32)
if err != nil {
@@ -125,7 +154,10 @@ func (service AuthImpl) createSession(userId uuid.UUID) (*db.Session, error) {
return nil, types.ErrInternal
}
session := db.NewSession(sessionId, userId, service.clock.Now())
createAt := service.clock.Now()
expiresAt := createAt.Add(24 * time.Hour)
session := db.NewSession(sessionId, userId, createAt, expiresAt)
err = service.db.InsertSession(session)
if err != nil {
@@ -251,28 +283,6 @@ func (service AuthImpl) SignOut(sessionId string) error {
return service.db.DeleteSession(sessionId)
}
func (service AuthImpl) GetUserFromSessionId(sessionId string) (*User, error) {
if sessionId == "" {
return nil, ErrSessionIdInvalid
}
session, err := service.db.GetSession(sessionId)
if err != nil {
return nil, types.ErrInternal
}
user, err := service.db.GetUser(session.UserId)
if err != nil {
return nil, types.ErrInternal
}
if session.CreatedAt.Add(time.Duration(8 * time.Hour)).Before(service.clock.Now()) {
return nil, nil
} else {
return NewUser(user), nil
}
}
func (service AuthImpl) DeleteAccount(user *User) error {
err := service.db.DeleteUser(user.Id)

2
service/auth_test.go
View File

@@ -33,7 +33,7 @@ func TestSignIn(t *testing.T) {
time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC),
)
dbSession := db.NewSession("sessionId", user.Id, time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC))
dbSession := db.NewSession("sessionId", user.Id, time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2020, 1, 2, 0, 0, 0, 0, time.UTC))
mockAuthDb := mocks.NewMockAuth(t)
mockAuthDb.EXPECT().GetUserByEmail("test@test.de").Return(user, nil)

9
utils/http.go
View File

@@ -31,15 +31,6 @@ func WaitMinimumTime[T interface{}](waitTime time.Duration, function func() (T,
return result, err
}
func GetSessionID(r *http.Request) string {
for _, c := range r.Cookies() {
if c.Name == "id" {
return c.Value
}
}
return ""
}
func isHtmx(r *http.Request) bool {
return r.Header.Get("HX-Request") == "true"
}