feat(security): #286 fix test

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.23.3@sha256:e5ca1999e21764b1fd40cf6564ebfb7022e7a55b8c72886a9bcb697a5feac8d6 AS builder_go
+FROM golang:1.23.4@sha256:574185e5c6b9d09873f455a7c205ea0514bfd99738c5dc7750196403a44ed4b7 AS builder_go
 WORKDIR /me-fit
 RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.62.2
 RUN go install github.com/a-h/templ/cmd/templ@latest
@@ -13,7 +13,7 @@ RUN golangci-lint run ./...
 RUN go build -o /me-fit/me-fit .
 
 
-FROM node:22.11.0@sha256:ec878c763e9fad09d22aae86e2edcb7a05b397dfe8411c16e2b90158d595e2ce AS builder_node
+FROM node:22.12.0@sha256:35a5dd72bcac4bce43266408b58a02be6ff0b6098ffa6f5435aeea980a8951d7 AS builder_node
 WORKDIR /me-fit
 COPY package.json package-lock.json ./
 RUN npm clean-install

db/auth.go

@@ -13,8 +13,8 @@ import (
 )
 
 var (
-	ErrNotFound   = errors.New("value not found")
-	ErrUserExists = errors.New("user already exists")
+	ErrNotFound      = errors.New("value not found")
+	ErrAlreadyExists = errors.New("row already exists")
 )
 
 type User struct {
@@ -45,32 +45,39 @@ type Session struct {
 	Id        string
 	UserId    uuid.UUID
 	CreatedAt time.Time
+	ExpiresAt time.Time
 }
 
-func NewSession(id string, userId uuid.UUID, createdAt time.Time) *Session {
+func NewSession(id string, userId uuid.UUID, createdAt time.Time, expiresAt time.Time) *Session {
 	return &Session{
 		Id:        id,
 		UserId:    userId,
 		CreatedAt: createdAt,
+		ExpiresAt: expiresAt,
 	}
 }
 
 type Token struct {
 	UserId    uuid.UUID
+	SessionId string
 	Token     string
-	Type      string
+	Type      TokenType
 	CreatedAt time.Time
 	ExpiresAt time.Time
 }
 
+type TokenType string
+
 var (
-	TokenTypeEmailVerify   = "email_verify"
-	TokenTypePasswordReset = "password_reset"
+	TokenTypeEmailVerify   TokenType = "email_verify"
+	TokenTypePasswordReset TokenType = "password_reset"
+	TokenTypeCsrf          TokenType = "csrf"
 )
 
-func NewToken(userId uuid.UUID, token string, tokenType string, createdAt time.Time, expiresAt time.Time) *Token {
+func NewToken(userId uuid.UUID, sessionId string, token string, tokenType TokenType, createdAt time.Time, expiresAt time.Time) *Token {
 	return &Token{
 		UserId:    userId,
+		SessionId: sessionId,
 		Token:     token,
 		Type:      tokenType,
 		CreatedAt: createdAt,
@@ -87,7 +94,8 @@ type Auth interface {
 
 	InsertToken(token *Token) error
 	GetToken(token string) (*Token, error)
-	GetTokensByUserIdAndType(userId uuid.UUID, tokenType string) ([]*Token, error)
+	GetTokensByUserIdAndType(userId uuid.UUID, tokenType TokenType) ([]*Token, error)
+	GetTokensBySessionIdAndType(sessionId string, tokenType TokenType) ([]*Token, error)
 	DeleteToken(token string) error
 
 	InsertSession(session *Session) error
@@ -106,13 +114,13 @@ func NewAuthSqlite(db *sql.DB) *AuthSqlite {
 
 func (db AuthSqlite) InsertUser(user *User) error {
 	_, err := db.db.Exec(`
-		INSERT INTO user (user_uuid, email, email_verified, email_verified_at, is_admin, password, salt, created_at) 
+		INSERT INTO user (user_id, email, email_verified, email_verified_at, is_admin, password, salt, created_at) 
 		VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
 		user.Id, user.Email, user.EmailVerified, user.EmailVerifiedAt, user.IsAdmin, user.Password, user.Salt, user.CreateAt)
 
 	if err != nil {
 		if strings.Contains(err.Error(), "email") {
-			return ErrUserExists
+			return ErrAlreadyExists
 		}
 
 		log.Error("SQL error InsertUser: %v", err)
@@ -126,7 +134,7 @@ func (db AuthSqlite) UpdateUser(user *User) error {
 	_, err := db.db.Exec(`
 		UPDATE user 
 		SET email_verified = ?, email_verified_at = ?, password = ?
-		WHERE user_uuid = ?`,
+		WHERE user_id = ?`,
 		user.EmailVerified, user.EmailVerifiedAt, user.Password, user.Id)
 
 	if err != nil {
@@ -149,7 +157,7 @@ func (db AuthSqlite) GetUserByEmail(email string) (*User, error) {
 	)
 
 	err := db.db.QueryRow(`
-		SELECT user_uuid, email_verified, email_verified_at, password, salt, created_at
+		SELECT user_id, email_verified, email_verified_at, password, salt, created_at
 		FROM user 
 		WHERE email = ?`, email).Scan(&userId, &emailVerified, &emailVerifiedAt, &password, &salt, &createdAt)
 	if err != nil {
@@ -178,7 +186,7 @@ func (db AuthSqlite) GetUser(userId uuid.UUID) (*User, error) {
 	err := db.db.QueryRow(`
 		SELECT email, email_verified, email_verified_at, password, salt, created_at
 		FROM user 
-		WHERE user_uuid = ?`, userId).Scan(&email, &emailVerified, &emailVerifiedAt, &password, &salt, &createdAt)
+		WHERE user_id = ?`, userId).Scan(&email, &emailVerified, &emailVerifiedAt, &password, &salt, &createdAt)
 	if err != nil {
 		if err == sql.ErrNoRows {
 			return nil, ErrNotFound
@@ -206,21 +214,21 @@ func (db AuthSqlite) DeleteUser(userId uuid.UUID) error {
 		return types.ErrInternal
 	}
 
-	_, err = tx.Exec("DELETE FROM user_token WHERE user_uuid = ?", userId)
+	_, err = tx.Exec("DELETE FROM token WHERE user_id = ?", userId)
 	if err != nil {
 		_ = tx.Rollback()
 		log.Error("Could not delete user tokens: %v", err)
 		return types.ErrInternal
 	}
 
-	_, err = tx.Exec("DELETE FROM session WHERE user_uuid = ?", userId)
+	_, err = tx.Exec("DELETE FROM session WHERE user_id = ?", userId)
 	if err != nil {
 		_ = tx.Rollback()
 		log.Error("Could not delete sessions: %v", err)
 		return types.ErrInternal
 	}
 
-	_, err = tx.Exec("DELETE FROM user WHERE user_uuid = ?", userId)
+	_, err = tx.Exec("DELETE FROM user WHERE user_id = ?", userId)
 	if err != nil {
 		_ = tx.Rollback()
 		log.Error("Could not delete user: %v", err)
@@ -238,8 +246,8 @@ func (db AuthSqlite) DeleteUser(userId uuid.UUID) error {
 
 func (db AuthSqlite) InsertToken(token *Token) error {
 	_, err := db.db.Exec(`
-		INSERT INTO user_token (user_uuid, type, token, created_at, expires_at)
-		VALUES (?, ?, ?, ?, ?)`, token.UserId, token.Type, token.Token, token.CreatedAt, token.ExpiresAt)
+		INSERT INTO token (user_id, session_id, type, token, created_at, expires_at)
+		VALUES (?, ?, ?, ?, ?, ?)`, token.UserId, token.SessionId, token.Type, token.Token, token.CreatedAt, token.ExpiresAt)
 
 	if err != nil {
 		log.Error("Could not insert token: %v", err)
@@ -252,7 +260,8 @@ func (db AuthSqlite) InsertToken(token *Token) error {
 func (db AuthSqlite) GetToken(token string) (*Token, error) {
 	var (
 		userId       uuid.UUID
-		tokenType    string
+		sessionId    string
+		tokenType    TokenType
 		createdAtStr string
 		expiresAtStr string
 		createdAt    time.Time
@@ -260,10 +269,9 @@ func (db AuthSqlite) GetToken(token string) (*Token, error) {
 	)
 
 	err := db.db.QueryRow(`
-		SELECT user_uuid, type, created_at, expires_at 
-		FROM user_token 
-		WHERE token = ? 
-		AND type = 'email_verify'`, token).Scan(&userId, &tokenType, &createdAtStr, &expiresAtStr)
+		SELECT user_id, session_id, type, created_at, expires_at 
+		FROM token
+		WHERE token = ?`, token).Scan(&userId, &sessionId, &tokenType, &createdAtStr, &expiresAtStr)
 
 	if err != nil {
 		if err == sql.ErrNoRows {
@@ -287,15 +295,15 @@ func (db AuthSqlite) GetToken(token string) (*Token, error) {
 		return nil, types.ErrInternal
 	}
 
-	return NewToken(userId, token, tokenType, createdAt, expiresAt), nil
+	return NewToken(userId, sessionId, token, tokenType, createdAt, expiresAt), nil
 }
 
-func (db AuthSqlite) GetTokensByUserIdAndType(userId uuid.UUID, tokenType string) ([]*Token, error) {
+func (db AuthSqlite) GetTokensByUserIdAndType(userId uuid.UUID, tokenType TokenType) ([]*Token, error) {
 
 	query, err := db.db.Query(`
 		SELECT token, created_at, expires_at 
-		FROM user_token 
-		WHERE user_uuid = ?
+		FROM token 
+		WHERE user_id = ?
 		AND type = ?`, userId, tokenType)
 
 	if err != nil {
@@ -303,9 +311,32 @@ func (db AuthSqlite) GetTokensByUserIdAndType(userId uuid.UUID, tokenType string
 		return nil, types.ErrInternal
 	}
 
+	return getTokensFromQuery(query, userId, "", tokenType)
+}
+
+func (db AuthSqlite) GetTokensBySessionIdAndType(sessionId string, tokenType TokenType) ([]*Token, error) {
+
+	query, err := db.db.Query(`
+		SELECT token, created_at, expires_at 
+		FROM token 
+		WHERE session_id = ?
+		AND type = ?`, sessionId, tokenType)
+
+	if err != nil {
+		log.Error("Could not get token: %v", err)
+		return nil, types.ErrInternal
+	}
+
+	return getTokensFromQuery(query, uuid.Nil, sessionId, tokenType)
+}
+
+func getTokensFromQuery(query *sql.Rows, userId uuid.UUID, sessionId string, tokenType TokenType) ([]*Token, error) {
 	var tokens []*Token
 
+	hasRows := false
 	for query.Next() {
+		hasRows = true
+
 		var (
 			token        string
 			createdAtStr string
@@ -332,14 +363,18 @@ func (db AuthSqlite) GetTokensByUserIdAndType(userId uuid.UUID, tokenType string
 			return nil, types.ErrInternal
 		}
 
-		tokens = append(tokens, NewToken(userId, token, tokenType, createdAt, expiresAt))
+		tokens = append(tokens, NewToken(userId, sessionId, token, tokenType, createdAt, expiresAt))
+	}
+
+	if !hasRows {
+		return nil, ErrNotFound
 	}
 
 	return tokens, nil
 }
 
 func (db AuthSqlite) DeleteToken(token string) error {
-	_, err := db.db.Exec("DELETE FROM user_token WHERE token = ?", token)
+	_, err := db.db.Exec("DELETE FROM token WHERE token = ?", token)
 	if err != nil {
 		log.Error("Could not delete token: %v", err)
 		return types.ErrInternal
@@ -350,11 +385,11 @@ func (db AuthSqlite) DeleteToken(token string) error {
 func (db AuthSqlite) InsertSession(session *Session) error {
 
 	_, err := db.db.Exec(`
-		INSERT INTO session (session_id, user_uuid, created_at) 
-		VALUES (?, ?, ?)`, session.Id, session.UserId, session.CreatedAt)
+		INSERT INTO session (session_id, user_id, created_at, expires_at) 
+		VALUES (?, ?, ?, ?)`, session.Id, session.UserId, session.CreatedAt, session.ExpiresAt)
 
 	if err != nil {
-		log.Error("Could not insert new session", err)
+		log.Error("Could not insert new session %v", err)
 		return types.ErrInternal
 	}
 
@@ -364,26 +399,26 @@ func (db AuthSqlite) InsertSession(session *Session) error {
 func (db AuthSqlite) GetSession(sessionId string) (*Session, error) {
 
 	var (
-		userId           uuid.UUID
-		sessionCreatedAt time.Time
+		userId    uuid.UUID
+		createdAt time.Time
+		expiresAt time.Time
 	)
 
 	err := db.db.QueryRow(`
-			SELECT u.user_uuid, s.created_at
-			FROM session s
-			INNER JOIN user u ON s.user_uuid = u.user_uuid
-			WHERE session_id = ?`, sessionId).Scan(&userId, &sessionCreatedAt)
+			SELECT user_id, created_at, expires_at
+			FROM session 
+			WHERE session_id = ?`, sessionId).Scan(&userId, &createdAt, &expiresAt)
 
 	if err != nil {
 		return nil, ErrNotFound
 	}
 
-	return NewSession(sessionId, userId, sessionCreatedAt), nil
+	return NewSession(sessionId, userId, createdAt, expiresAt), nil
 }
 
 func (db AuthSqlite) DeleteOldSessions(userId uuid.UUID) error {
 	// Delete old inactive sessions
-	_, err := db.db.Exec("DELETE FROM session WHERE created_at < datetime('now','-8 hours') AND user_uuid = ?", userId)
+	_, err := db.db.Exec("DELETE FROM session WHERE created_at < datetime('now','-8 hours') AND user_id = ?", userId)
 	if err != nil {
 		log.Error("Could not delete old sessions: %v", err)
 		return types.ErrInternal

db/auth_test.go

@@ -2,6 +2,7 @@ package db
 
 import (
 	"database/sql"
+	"me-fit/types"
 	"testing"
 	"time"
 
@@ -29,17 +30,7 @@ func setupDb(t *testing.T) *sql.DB {
 func TestUser(t *testing.T) {
 	t.Parallel()
 
-	t.Run("should return UserNotFound", func(t *testing.T) {
-		t.Parallel()
-		db := setupDb(t)
-
-		underTest := AuthSqlite{db: db}
-
-		_, err := underTest.GetUserByEmail("someNonExistentEmail")
-		assert.Equal(t, ErrNotFound, err)
-	})
-
-	t.Run("should insert and get user", func(t *testing.T) {
+	t.Run("should insert and get the same", func(t *testing.T) {
 		t.Parallel()
 		db := setupDb(t)
 
@@ -52,13 +43,24 @@ func TestUser(t *testing.T) {
 		err := underTest.InsertUser(expected)
 		assert.Nil(t, err)
 
-		actual, err := underTest.GetUserByEmail(expected.Email)
+		actual, err := underTest.GetUser(expected.Id)
 		assert.Nil(t, err)
+		assert.Equal(t, expected, actual)
 
+		actual, err = underTest.GetUserByEmail(expected.Email)
+		assert.Nil(t, err)
 		assert.Equal(t, expected, actual)
 	})
+	t.Run("should return ErrNotFound", func(t *testing.T) {
+		t.Parallel()
+		db := setupDb(t)
 
-	t.Run("should throw error if user already exists", func(t *testing.T) {
+		underTest := AuthSqlite{db: db}
+
+		_, err := underTest.GetUserByEmail("nonExistentEmail")
+		assert.Equal(t, ErrNotFound, err)
+	})
+	t.Run("should return ErrUserExist", func(t *testing.T) {
 		t.Parallel()
 		db := setupDb(t)
 
@@ -72,42 +74,126 @@ func TestUser(t *testing.T) {
 		assert.Nil(t, err)
 
 		err = underTest.InsertUser(user)
-		assert.Equal(t, ErrUserExists, err)
+		assert.Equal(t, ErrAlreadyExists, err)
+	})
+	t.Run("should return ErrInternal on missing NOT NULL fields", func(t *testing.T) {
+		t.Parallel()
+		db := setupDb(t)
+
+		underTest := AuthSqlite{db: db}
+
+		createAt := time.Date(2020, 1, 5, 12, 0, 0, 0, time.UTC)
+		user := NewUser(uuid.New(), "some@email.de", false, nil, false, []byte("somePass"), nil, createAt)
+
+		err := underTest.InsertUser(user)
+		assert.Equal(t, types.ErrInternal, err)
 	})
 }
 
-func TestEmailVerification(t *testing.T) {
+func TestToken(t *testing.T) {
 	t.Parallel()
 
-	t.Run("should return NotFound", func(t *testing.T) {
+	t.Run("should insert and get the same", func(t *testing.T) {
 		t.Parallel()
 		db := setupDb(t)
 
 		underTest := AuthSqlite{db: db}
 
-		token, err := underTest.GetToken("someNonExistentToken")
+		createAt := time.Date(2020, 1, 5, 12, 0, 0, 0, time.UTC)
+		expiresAt := createAt.Add(24 * time.Hour)
+		expected := NewToken(uuid.New(), "sessionId", "token", TokenTypeCsrf, createAt, expiresAt)
 
-		assert.Equal(t, ErrNotFound, err)
-		assert.Nil(t, token)
+		err := underTest.InsertToken(expected)
+		assert.Nil(t, err)
+
+		actual, err := underTest.GetToken(expected.Token)
+		assert.Nil(t, err)
+		assert.Equal(t, expected, actual)
+
+		expected.SessionId = ""
+		actuals, err := underTest.GetTokensByUserIdAndType(expected.UserId, expected.Type)
+		assert.Nil(t, err)
+		assert.Equal(t, []*Token{expected}, actuals)
+
+		expected.SessionId = "sessionId"
+		expected.UserId = uuid.Nil
+		actuals, err = underTest.GetTokensBySessionIdAndType(expected.SessionId, expected.Type)
+		assert.Nil(t, err)
+		assert.Equal(t, []*Token{expected}, actuals)
 	})
-	t.Run("should insert and return token", func(t *testing.T) {
+	t.Run("should insert and return multiple tokens", func(t *testing.T) {
 		t.Parallel()
 		db := setupDb(t)
 
 		underTest := AuthSqlite{db: db}
-		tokenStr := "some secure token"
-		createdAt := time.Date(2020, 1, 5, 13, 0, 0, 0, time.UTC)
 
-		expectedToken := NewToken(uuid.New(), tokenStr, TokenTypeEmailVerify, createdAt, createdAt.Add(24*time.Hour))
+		createAt := time.Date(2020, 1, 5, 12, 0, 0, 0, time.UTC)
+		expiresAt := createAt.Add(24 * time.Hour)
+		userId := uuid.New()
+		expected1 := NewToken(userId, "sessionId", "token1", TokenTypeCsrf, createAt, expiresAt)
+		expected2 := NewToken(userId, "sessionId", "token2", TokenTypeCsrf, createAt, expiresAt)
 
-		err := underTest.InsertToken(expectedToken)
+		err := underTest.InsertToken(expected1)
+		assert.Nil(t, err)
+		err = underTest.InsertToken(expected2)
 		assert.Nil(t, err)
 
-		actualToken, err := underTest.GetToken(tokenStr)
+		expected1.UserId = uuid.Nil
+		expected2.UserId = uuid.Nil
+		actuals, err := underTest.GetTokensBySessionIdAndType(expected1.SessionId, expected1.Type)
+		assert.Nil(t, err)
+		assert.Equal(t, []*Token{expected1, expected2}, actuals)
+
+		expected1.SessionId = ""
+		expected2.SessionId = ""
+		expected1.UserId = userId
+		expected2.UserId = userId
+		actuals, err = underTest.GetTokensByUserIdAndType(userId, expected1.Type)
+		assert.Nil(t, err)
+		assert.Equal(t, []*Token{expected1, expected2}, actuals)
+
+	})
+	t.Run("should return ErrNotFound", func(t *testing.T) {
+		t.Parallel()
+		db := setupDb(t)
+
+		underTest := AuthSqlite{db: db}
+
+		_, err := underTest.GetToken("nonExistent")
+		assert.Equal(t, ErrNotFound, err)
+
+		_, err = underTest.GetTokensByUserIdAndType(uuid.New(), TokenTypeEmailVerify)
+		assert.Equal(t, ErrNotFound, err)
+
+		_, err = underTest.GetTokensBySessionIdAndType("sessionId", TokenTypeEmailVerify)
+		assert.Equal(t, ErrNotFound, err)
+	})
+	t.Run("should return ErrAlreadyExists", func(t *testing.T) {
+		t.Parallel()
+		db := setupDb(t)
+
+		underTest := AuthSqlite{db: db}
+
+		verifiedAt := time.Date(2020, 1, 5, 13, 0, 0, 0, time.UTC)
+		createAt := time.Date(2020, 1, 5, 12, 0, 0, 0, time.UTC)
+		user := NewUser(uuid.New(), "some@email.de", true, &verifiedAt, false, []byte("somePass"), []byte("someSalt"), createAt)
+
+		err := underTest.InsertUser(user)
 		assert.Nil(t, err)
 
-		t.Logf("expectedToken: %v", expectedToken)
-		t.Logf("actualToken: %v", actualToken)
-		assert.Equal(t, expectedToken, actualToken)
+		err = underTest.InsertUser(user)
+		assert.Equal(t, ErrAlreadyExists, err)
+	})
+	t.Run("should return ErrInternal on missing NOT NULL fields", func(t *testing.T) {
+		t.Parallel()
+		db := setupDb(t)
+
+		underTest := AuthSqlite{db: db}
+
+		createAt := time.Date(2020, 1, 5, 12, 0, 0, 0, time.UTC)
+		user := NewUser(uuid.New(), "some@email.de", false, nil, false, []byte("somePass"), nil, createAt)
+
+		err := underTest.InsertUser(user)
+		assert.Equal(t, types.ErrInternal, err)
 	})
 }

go.mod

@@ -10,7 +10,8 @@ require (
 	github.com/mattn/go-sqlite3 v1.14.24
 	github.com/prometheus/client_golang v1.20.5
 	github.com/stretchr/testify v1.10.0
-	golang.org/x/crypto v0.29.0
+	golang.org/x/crypto v0.30.0
+	golang.org/x/net v0.29.0
 )
 
 require (
@@ -27,7 +28,7 @@ require (
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/stretchr/objx v0.5.2 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/sys v0.27.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
 	google.golang.org/protobuf v1.34.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -4,12 +4,9 @@ github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/golang-migrate/migrate/v4 v4.18.1 h1:JML/k+t4tpHCpQTCAD62Nu43NUFzHY4CV3uAuvHGC+Y=
 github.com/golang-migrate/migrate/v4 v4.18.1/go.mod h1:HAX6m3sQgcdO81tdjn5exv20+3Kb13cmGli1hrD6hks=
-github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
-github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -21,19 +18,10 @@ github.com/joho/godotenv v1.5.1 h1:7eLL/+HRGLY0ldzfGMeQkb7vMd0as4CfYvUVzLqw0N0=
 github.com/joho/godotenv v1.5.1/go.mod h1:f4LDr5Voq0i2e/R5DDNOoa2zzDfwtkZa6DnEwAbqwq4=
 github.com/klauspost/compress v1.17.9 h1:6KIumPrER1LHsvBVuDa0r5xaG0Es51mhhB9BQB2qeMA=
 github.com/klauspost/compress v1.17.9/go.mod h1:Di0epgTjJY877eYKx5yC51cX2A2Vl2ibi7bDH9ttBbw=
-github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
-github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
-github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
-github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
-github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBWDRM=
 github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/prometheus/client_golang v1.20.5 h1:cxppBPuYhUnsO6yo/aoRol4L7q7UFfdm+bR9r+8l63Y=
 github.com/prometheus/client_golang v1.20.5/go.mod h1:PIEt8X02hGcP8JWbeHyeZ53Y/jReSnHgO035n//V5WE=
@@ -43,22 +31,16 @@ github.com/prometheus/common v0.55.0 h1:KEi6DK7lXW/m7Ig5i47x0vRzuBsHuvJdi5ee6Y3G
 github.com/prometheus/common v0.55.0/go.mod h1:2SECS4xJG1kd8XF9IcM1gMX6510RAEL65zxzNImwdc8=
 github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0learggepc=
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
-github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
-github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
-github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
-github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
-golang.org/x/crypto v0.29.0 h1:L5SG1JTTXupVV3n6sUqMTeWbjAyfPwoda2DLX8J8FrQ=
-golang.org/x/crypto v0.29.0/go.mod h1:+F4F4N5hv6v38hfeYwTdx20oUvLLc+QfrE9Ax9HtgRg=
-golang.org/x/sys v0.27.0 h1:wBqf8DvsY9Y/2P8gAfPDEYNuS30J4lPHJxXSb/nJZ+s=
-golang.org/x/sys v0.27.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/crypto v0.30.0 h1:RwoQn3GkWiMkzlX562cLB7OxWvjH1L8xutO2WoJcRoY=
+golang.org/x/crypto v0.30.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
+golang.org/x/net v0.29.0/go.mod h1:gLkgy8jTGERgjzMic6DS9+SP0ajcu6Xu3Orq/SpETg0=
+golang.org/x/sys v0.28.0 h1:Fksou7UEQUWlKvIdsqzJmUmCX3cZuD2+P3XyyzwMhlA=
+golang.org/x/sys v0.28.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
 google.golang.org/protobuf v1.34.2/go.mod h1:qYOHts0dSfpeUzUFpOMr/WGzszTmLH+DiWniOlNbLDw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
-gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
-gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=

handler/auth.go

@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"me-fit/handler/middleware"
 	"me-fit/log"
 	"me-fit/service"
 	"me-fit/template/auth"
@@ -58,9 +59,9 @@ var (
 
 func (handler AuthImpl) handleSignInPage() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user, _ := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
-		if user != nil {
-			if !user.EmailVerified {
+		session := middleware.GetSession(r)
+		if session != nil {
+			if !session.User.EmailVerified {
 				utils.DoRedirect(w, r, "/auth/verify")
 			} else {
 				utils.DoRedirect(w, r, "/")
@@ -121,10 +122,10 @@ func (handler AuthImpl) handleSignIn() http.HandlerFunc {
 
 func (handler AuthImpl) handleSignUpPage() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user, _ := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
+		session := middleware.GetSession(r)
 
-		if user != nil {
-			if !user.EmailVerified {
+		if session != nil {
+			if !session.User.EmailVerified {
 				utils.DoRedirect(w, r, "/auth/verify")
 			} else {
 				utils.DoRedirect(w, r, "/")
@@ -139,33 +140,34 @@ func (handler AuthImpl) handleSignUpPage() http.HandlerFunc {
 
 func (handler AuthImpl) handleSignUpVerifyPage() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user, _ := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
-		if user == nil {
+		session := middleware.GetSession(r)
+		if session == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
 
-		if user.EmailVerified {
+		if session.User.EmailVerified {
 			utils.DoRedirect(w, r, "/")
 			return
 		}
 
 		signIn := auth.VerifyComp()
-		handler.render.RenderLayout(r, w, signIn, user)
+		handler.render.RenderLayout(r, w, signIn, session.User)
 	}
 }
 
 func (handler AuthImpl) handleVerifyResendComp() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user, err := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
-		if err != nil {
+		session := middleware.GetSession(r)
+		if session == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
 
+		user := session.User
 		go handler.service.SendVerificationMail(user.Id, user.Email)
 
-		_, err = w.Write([]byte("<p class=\"mt-8\">Verification email sent</p>"))
+		_, err := w.Write([]byte("<p class=\"mt-8\">Verification email sent</p>"))
 		if err != nil {
 			log.Error("Could not write response: %v", err)
 		}
@@ -219,11 +221,14 @@ func (handler AuthImpl) handleSignUp() http.HandlerFunc {
 
 func (handler AuthImpl) handleSignOut() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		err := handler.service.SignOut(utils.GetSessionID(r))
-		if err != nil {
-			utils.TriggerToast(w, r, "error", "Internal Server Error")
-			http.Error(w, err.Error(), http.StatusInternalServerError)
-			return
+		session := middleware.GetSession(r)
+
+		if session != nil {
+			err := handler.service.SignOut(session.Id)
+			if err != nil {
+				http.Error(w, "An error occurred", http.StatusInternalServerError)
+				return
+			}
 		}
 
 		c := http.Cookie{
@@ -243,34 +248,34 @@ func (handler AuthImpl) handleSignOut() http.HandlerFunc {
 
 func (handler AuthImpl) handleDeleteAccountPage() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		// An unverified email should be able to delete their account
-		user, err := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
-		if err != nil {
+		session := middleware.GetSession(r)
+		if session == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
+			return
 		}
 
 		comp := auth.DeleteAccountComp()
-		handler.render.RenderLayout(r, w, comp, user)
+		handler.render.RenderLayout(r, w, comp, session.User)
 	}
 }
 
 func (handler AuthImpl) handleDeleteAccountComp() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user, err := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
-		if err != nil {
+		session := middleware.GetSession(r)
+		if session == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
 
 		password := r.FormValue("password")
 
-		_, err = handler.service.SignIn(user.Email, password)
+		_, err := handler.service.SignIn(session.User.Email, password)
 		if err != nil {
 			utils.TriggerToast(w, r, "error", "Password not correct")
 			return
 		}
 
-		err = handler.service.DeleteAccount(user)
+		err = handler.service.DeleteAccount(session.User)
 		if err != nil {
 			utils.TriggerToast(w, r, "error", "Internal Server Error")
 			return
@@ -285,23 +290,23 @@ func (handler AuthImpl) handleChangePasswordPage() http.HandlerFunc {
 
 		isPasswordReset := r.URL.Query().Has("token")
 
-		user, _ := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
+		session := middleware.GetSession(r)
 
-		if user == nil && !isPasswordReset {
+		if session == nil && !isPasswordReset {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
 
 		comp := auth.ChangePasswordComp(isPasswordReset)
-		handler.render.RenderLayout(r, w, comp, user)
+		handler.render.RenderLayout(r, w, comp, session.User)
 	}
 }
 
 func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 
-		user, err := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
-		if err != nil {
+		session := middleware.GetSession(r)
+		if session == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
@@ -309,7 +314,7 @@ func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
 		currPass := r.FormValue("current-password")
 		newPass := r.FormValue("new-password")
 
-		err = handler.service.ChangePassword(user, currPass, newPass)
+		err := handler.service.ChangePassword(session.User, currPass, newPass)
 		if err != nil {
 			utils.TriggerToast(w, r, "error", "Password not correct")
 			return
@@ -322,14 +327,14 @@ func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
 func (handler AuthImpl) handleResetPasswordPage() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 
-		user, err := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
-		if err != nil {
+		session := middleware.GetSession(r)
+		if session == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
 
 		comp := auth.ResetPasswordComp()
-		handler.render.RenderLayout(r, w, comp, user)
+		handler.render.RenderLayout(r, w, comp, session.User)
 	}
 }
 

handler/index_and_404.go

@@ -1,9 +1,9 @@
 package handler
 
 import (
+	"me-fit/handler/middleware"
 	"me-fit/service"
 	"me-fit/template"
-	"me-fit/utils"
 
 	"net/http"
 
@@ -32,7 +32,11 @@ func (handler IndexImpl) Handle(router *http.ServeMux) {
 
 func (handler IndexImpl) handleIndexAnd404() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user, _ := handler.service.GetUserFromSessionId(utils.GetSessionID(r))
+		session := middleware.GetSession(r)
+		var user *service.User
+		if session != nil {
+			user = session.User
+		}
 
 		var comp templ.Component
 

handler/middleware/authenticate.go

@@ -0,0 +1,48 @@
+package middleware
+
+import (
+	"context"
+
+	"me-fit/service"
+
+	"net/http"
+)
+
+type ContextKey string
+
+var SessionKey ContextKey = "session"
+
+func Authenticate(service service.Auth) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			sessionId := getSessionID(r)
+			session, _ := service.SignInSession(sessionId)
+
+			if session != nil {
+				ctx := context.WithValue(r.Context(), SessionKey, session)
+
+				next.ServeHTTP(w, r.WithContext(ctx))
+			} else {
+				next.ServeHTTP(w, r)
+			}
+		})
+	}
+}
+
+func GetSession(r *http.Request) *service.Session {
+	obj := r.Context().Value(SessionKey)
+	if obj == nil {
+		return nil
+	}
+
+	return obj.(*service.Session)
+}
+
+func getSessionID(r *http.Request) string {
+	cookie, err := r.Cookie("id")
+	if err != nil {
+		return ""
+	}
+
+	return cookie.Value
+}

handler/middleware/cross_site_request_forgery.go

@@ -0,0 +1,84 @@
+package middleware
+
+import (
+	"fmt"
+	"strings"
+
+	"me-fit/service"
+
+	"net/http"
+)
+
+type csrfResponseWriter struct {
+	http.ResponseWriter
+	auth    service.Auth
+	session *service.Session
+}
+
+func newCsrfResponseWriter(w http.ResponseWriter, auth service.Auth, session *service.Session) *csrfResponseWriter {
+	return &csrfResponseWriter{
+		ResponseWriter: w,
+		auth:           auth,
+		session:        session,
+	}
+}
+
+func (rr *csrfResponseWriter) Write(data []byte) (int, error) {
+	dataStr := string(data)
+	if strings.Contains(dataStr, "</form>") {
+		csrfToken, err := rr.auth.GetCsrfToken(rr.session)
+		if err == nil {
+			csrfField := fmt.Sprintf(`<input type="hidden" name="csrf-token" value="%s">`, csrfToken)
+			dataStr = strings.ReplaceAll(dataStr, "</form>", csrfField+"</form>")
+		}
+	}
+
+	return rr.ResponseWriter.Write([]byte(dataStr))
+}
+
+func (rr *csrfResponseWriter) WriteHeader(statusCode int) {
+	rr.ResponseWriter.WriteHeader(statusCode)
+}
+
+func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+
+			session := GetSession(r)
+
+			if r.Method == http.MethodPost ||
+				r.Method == http.MethodPut ||
+				r.Method == http.MethodDelete ||
+				r.Method == http.MethodPatch {
+
+				csrfToken := r.FormValue("csrf-token")
+				if csrfToken == "" || !auth.IsCsrfTokenValid(csrfToken, session.Id) {
+					http.Error(w, "", http.StatusForbidden)
+					return
+				}
+			}
+
+			if session == nil {
+				var err error
+				session, err = auth.SignInAnonymous()
+				if err != nil {
+					http.Error(w, "", http.StatusInternalServerError)
+					return
+				}
+			}
+			cookie := http.Cookie{
+				Name:     "id",
+				Value:    session.Id,
+				MaxAge:   60 * 60 * 8, // 8 hours
+				Secure:   true,
+				HttpOnly: true,
+				SameSite: http.SameSiteStrictMode,
+				Path:     "/",
+			}
+			http.SetCookie(w, &cookie)
+
+			responseWriter := newCsrfResponseWriter(w, auth, session)
+			next.ServeHTTP(responseWriter, r)
+		})
+	}
+}

handler/workout.go

@@ -1,6 +1,7 @@
 package handler
 
 import (
+	"me-fit/handler/middleware"
 	"me-fit/log"
 	"me-fit/service"
 	"me-fit/template/workout"
@@ -38,22 +39,22 @@ func (handler WorkoutImpl) Handle(router *http.ServeMux) {
 
 func (handler WorkoutImpl) handleWorkoutPage() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user, err := handler.auth.GetUserFromSessionId(utils.GetSessionID(r))
-		if err != nil {
+		session := middleware.GetSession(r)
+		if session == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
 
 		currentDate := time.Now().Format("2006-01-02")
 		comp := workout.WorkoutComp(currentDate)
-		handler.render.RenderLayout(r, w, comp, user)
+		handler.render.RenderLayout(r, w, comp, session.User)
 	}
 }
 
 func (handler WorkoutImpl) handleAddWorkout() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user, err := handler.auth.GetUserFromSessionId(utils.GetSessionID(r))
-		if err != nil {
+		session := middleware.GetSession(r)
+		if session == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
@@ -64,7 +65,7 @@ func (handler WorkoutImpl) handleAddWorkout() http.HandlerFunc {
 		var repsStr = r.FormValue("reps")
 
 		wo := service.NewWorkoutDto("", dateStr, typeStr, setsStr, repsStr)
-		wo, err = handler.service.AddWorkout(user, wo)
+		wo, err := handler.service.AddWorkout(session.User, wo)
 		if err != nil {
 			utils.TriggerToast(w, r, "error", "Invalid input values")
 			http.Error(w, "Invalid input values", http.StatusBadRequest)
@@ -79,13 +80,13 @@ func (handler WorkoutImpl) handleAddWorkout() http.HandlerFunc {
 
 func (handler WorkoutImpl) handleGetWorkout() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user, err := handler.auth.GetUserFromSessionId(utils.GetSessionID(r))
-		if err != nil {
+		session := middleware.GetSession(r)
+		if session == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
 
-		workouts, err := handler.service.GetWorkouts(user)
+		workouts, err := handler.service.GetWorkouts(session.User)
 		if err != nil {
 			return
 		}
@@ -102,8 +103,8 @@ func (handler WorkoutImpl) handleGetWorkout() http.HandlerFunc {
 
 func (handler WorkoutImpl) handleDeleteWorkout() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		user, err := handler.auth.GetUserFromSessionId(utils.GetSessionID(r))
-		if err != nil {
+		session := middleware.GetSession(r)
+		if session == nil {
 			utils.DoRedirect(w, r, "/auth/signin")
 			return
 		}
@@ -124,7 +125,7 @@ func (handler WorkoutImpl) handleDeleteWorkout() http.HandlerFunc {
 			return
 		}
 
-		err = handler.service.DeleteWorkout(user, rowIdInt)
+		err = handler.service.DeleteWorkout(session.User, rowIdInt)
 		if err != nil {
 			http.Error(w, "Internal Server Error", http.StatusInternalServerError)
 			log.Error("Could not delete workout: %v", err.Error())

log/default.go

@@ -45,6 +45,12 @@ func Info(message string, args ...interface{}) {
 
 func format(message string, args []interface{}) string {
 	var w strings.Builder
-	fmt.Fprintf(&w, message, args)
+
+	if len(args) > 0 {
+		fmt.Fprintf(&w, message, args...)
+	} else {
+		w.WriteString(message)
+	}
+
 	return w.String()
 }

main.go

@@ -49,8 +49,7 @@ func run(ctx context.Context, database *sql.DB, env func(string) string) {
 	// init db
 	err := db.RunMigrations(database, "")
 	if err != nil {
-		log.Error("Could not run migrations: %v", err)
-		os.Exit(1)
+		log.Fatal("Could not run migrations: %v", err)
 	}
 
 	// init servers
@@ -78,7 +77,7 @@ func run(ctx context.Context, database *sql.DB, env func(string) string) {
 }
 
 func startServer(s *http.Server) {
-	log.Info("Starting server on %v", s.Addr)
+	log.Info("Starting server on %q", s.Addr)
 	if err := s.ListenAndServe(); err != nil && err != http.ErrServerClosed {
 		log.Error("error listening and serving: %v", err)
 	}
@@ -131,6 +130,8 @@ func createHandler(d *sql.DB, serverSettings *types.Settings) http.Handler {
 		middleware.Log,
 		middleware.ContentSecurityPolicy,
 		middleware.Cors(serverSettings),
+		middleware.Authenticate(authService),
+		middleware.CrossSiteRequestForgery(authService),
 		middleware.Corp,
 		middleware.Coop,
 	)

main_test.go

@@ -1,7 +1,6 @@
 package main
 
 import (
-	"me-fit/db"
 	"me-fit/log"
 	"me-fit/service"
 	"me-fit/types"
@@ -15,6 +14,8 @@ import (
 	"time"
 
 	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
+	"golang.org/x/net/html"
 )
 
 func TestHandleSignIn(t *testing.T) {
@@ -34,31 +35,41 @@ func TestHandleSignIn(t *testing.T) {
 
 		pass := service.GetHashPassword("password", []byte("salt"))
 		_, err := db.Exec(`
-			INSERT INTO user (user_uuid, email, email_verified, is_admin, password, salt, created_at) 
+			INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
 			VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, uuid.New(), pass, []byte("salt"))
 		if err != nil {
 			t.Fatalf("Error inserting user: %v", err)
 		}
 
-		formData := url.Values{
-			"email":    {"mail@mail.de"},
-			"password": {"password"},
-		}
-
-		req, err := http.NewRequestWithContext(ctx, "POST", "http://localhost:8080/api/auth/signin", strings.NewReader(formData.Encode()))
-		if err != nil {
-			t.Fatalf("Error creating request: %v", err)
-		}
-		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+		req, err := http.NewRequestWithContext(ctx, "GET", "http://localhost:8080/auth/signin", nil)
+		assert.Nil(t, err)
 
 		resp, err := httpClient.Do(req)
-		if err != nil {
-			t.Fatalf("Error making request: %v", err)
+		assert.Nil(t, err)
+
+		html, err := html.Parse(resp.Body)
+		assert.Nil(t, err)
+
+		csrfToken := findCsrfToken(html)
+		assert.NotEqual(t, "", csrfToken)
+		anonymousSession := findCookie(resp, "id")
+		assert.NotNil(t, anonymousSession)
+
+		formData := url.Values{
+			"email":      {"mail@mail.de"},
+			"password":   {"password"},
+			"csrf-token": {csrfToken},
 		}
 
-		if resp.StatusCode != http.StatusSeeOther {
-			t.Fatalf("Expected status code 303, got %d", resp.StatusCode)
-		}
+		req, err = http.NewRequestWithContext(ctx, "POST", "http://localhost:8080/api/auth/signin", strings.NewReader(formData.Encode()))
+		assert.Nil(t, err)
+		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+		req.Header.Set("Cookie", anonymousSession.Name+"="+anonymousSession.Value)
+
+		resp, err = httpClient.Do(req)
+		assert.Nil(t, err)
+
+		assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
 
 		cookie := findCookie(resp, "id")
 		if cookie == nil {
@@ -91,11 +102,6 @@ func setupIntegrationTest(t *testing.T, port string) (*sql.DB, context.Context)
 		database.Close()
 	})
 
-	err = db.RunMigrations(database, "")
-	if err != nil {
-		t.Fatalf("Could not run migrations: %v", err)
-	}
-
 	go run(ctx, database, getEnv(port))
 
 	err = waitForReady(ctx, 5*time.Second, "http://localhost:8080")
@@ -171,3 +177,44 @@ func waitForReady(
 		}
 	}
 }
+
+func findCsrfToken(data *html.Node) string {
+	attr := getTokenAttribute(data)
+	if attr != nil {
+		return attr.Val
+	}
+
+	if data.FirstChild != nil {
+		if token := findCsrfToken(data.FirstChild); token != "" {
+			return token
+		}
+	}
+	if data.NextSibling != nil {
+		if token := findCsrfToken(data.NextSibling); token != "" {
+			return token
+		}
+	}
+
+	return ""
+}
+
+func getTokenAttribute(data *html.Node) *html.Attribute {
+	returnValue := false
+	for _, attr := range data.Attr {
+		if attr.Key == "name" && attr.Val == "csrf-token" {
+			returnValue = true
+		}
+	}
+
+	if !returnValue {
+		return nil
+	}
+
+	for _, attr := range data.Attr {
+		if attr.Key == "value" {
+			return &attr
+		}
+	}
+
+	return nil
+}

migration/001_initial_schema.up.sql

@@ -1,4 +1,40 @@
 
+CREATE TABLE user (
+	user_id TEXT NOT NULL UNIQUE PRIMARY KEY,
+
+	email TEXT NOT NULL UNIQUE,
+	email_verified BOOLEAN NOT NULL,
+	email_verified_at DATETIME,
+
+	is_admin BOOLEAN NOT NULL,
+
+	password BLOB NOT NULL,
+	salt BLOB NOT NULL,
+
+	created_at DATETIME NOT NULL
+) WITHOUT ROWID;
+
+CREATE TABLE session (
+	session_id TEXT NOT NULL UNIQUE PRIMARY KEY,
+	user_id TEXT NOT NULL,
+
+	created_at DATETIME NOT NULL,
+	expires_at DATETIME NOT NULL
+) WITHOUT ROWID;
+
+
+CREATE TABLE token (
+	token TEXT NOT NULL UNIQUE PRIMARY KEY,
+
+	user_id TEXT,
+	session_id TEXT,
+
+	type TEXT NOT NULL,
+
+	created_at DATETIME NOT NULL,
+	expires_at DATETIME
+);
+
 CREATE TABLE workout (
 	user_id INTEGER NOT NULL,
 	date TEXT NOT NULL,
@@ -6,4 +42,3 @@ CREATE TABLE workout (
 	sets INTEGER NOT NULL,
 	reps INTEGER NOT NULL
 );
-

migration/002_user_and_session.up.sql

@@ -1,21 +0,0 @@
-
-CREATE TABLE user (
-	user_uuid TEXT NOT NULL UNIQUE PRIMARY KEY,
-
-	email TEXT NOT NULL UNIQUE,
-	email_verified BOOLEAN NOT NULL,
-
-	is_admin BOOLEAN NOT NULL,
-
-	password BLOB NOT NULL,
-	salt BLOB NOT NULL,
-
-	created_at DATETIME NOT NULL
-) WITHOUT ROWID;
-
-CREATE TABLE session (
-	session_id TEXT NOT NULL UNIQUE PRIMARY KEY,
-	user_uuid TEXT NOT NULL,
-
-	created_at DATETIME NOT NULL
-) WITHOUT ROWID;

migration/003_user_mail_verification.up.sql

@@ -1,2 +0,0 @@
-
-ALTER TABLE user ADD COLUMN email_verified_at DATETIME DEFAULT NULL;

migration/004_user_tokens.up.sql

@@ -1,11 +0,0 @@
-
--- E.G. email-verifications, password-resets, unsubscribe-from-newsletter etc.
-CREATE TABLE user_token (
-	user_uuid TEXT NOT NULL,
-
-	type TEXT NOT NULL,
-	token TEXT NOT NULL UNIQUE PRIMARY KEY,
-
-	created_at DATETIME NOT NULL,
-	expires_at DATETIME
-);

service/auth.go

@@ -42,6 +42,7 @@ func NewUser(user *db.User) *User {
 type Session struct {
 	Id        string
 	CreatedAt time.Time
+	ExpiresAt time.Time
 	User      *User
 }
 
@@ -49,6 +50,7 @@ func NewSession(session *db.Session, user *User) *Session {
 	return &Session{
 		Id:        session.Id,
 		CreatedAt: session.CreatedAt,
+		ExpiresAt: session.ExpiresAt,
 		User:      user,
 	}
 }
@@ -59,6 +61,8 @@ type Auth interface {
 	VerifyUserEmail(token string) error
 
 	SignIn(email string, password string) (*Session, error)
+	SignInSession(sessionId string) (*Session, error)
+	SignInAnonymous() (*Session, error)
 	SignOut(sessionId string) error
 
 	DeleteAccount(user *User) error
@@ -68,7 +72,8 @@ type Auth interface {
 	SendForgotPasswordMail(email string) error
 	ForgotPassword(token string, newPass string) error
 
-	GetUserFromSessionId(sessionId string) (*User, error)
+	IsCsrfTokenValid(tokenStr string, sessionId string) bool
+	GetCsrfToken(session *Session) (string, error)
 }
 
 type AuthImpl struct {
@@ -113,6 +118,44 @@ func (service AuthImpl) SignIn(email string, password string) (*Session, error)
 	return NewSession(session, NewUser(user)), nil
 }
 
+func (service AuthImpl) SignInSession(sessionId string) (*Session, error) {
+	if sessionId == "" {
+		return nil, ErrSessionIdInvalid
+	}
+
+	sessionDb, err := service.db.GetSession(sessionId)
+	if err != nil {
+		return nil, types.ErrInternal
+	}
+
+	if sessionDb.ExpiresAt.Before(service.clock.Now()) {
+		return nil, nil
+	}
+
+	if sessionDb.UserId == uuid.Nil {
+		return NewSession(sessionDb, nil), nil
+	}
+
+	userDb, err := service.db.GetUser(sessionDb.UserId)
+	if err != nil {
+		return nil, types.ErrInternal
+	}
+
+	user := NewUser(userDb)
+	session := NewSession(sessionDb, user)
+
+	return session, nil
+}
+
+func (service AuthImpl) SignInAnonymous() (*Session, error) {
+	sessionDb, err := service.createSession(uuid.Nil)
+	if err != nil {
+		return nil, types.ErrInternal
+	}
+
+	return NewSession(sessionDb, nil), nil
+}
+
 func (service AuthImpl) createSession(userId uuid.UUID) (*db.Session, error) {
 	sessionId, err := service.random.String(32)
 	if err != nil {
@@ -125,7 +168,10 @@ func (service AuthImpl) createSession(userId uuid.UUID) (*db.Session, error) {
 		return nil, types.ErrInternal
 	}
 
-	session := db.NewSession(sessionId, userId, service.clock.Now())
+	createAt := service.clock.Now()
+	expiresAt := createAt.Add(24 * time.Hour)
+
+	session := db.NewSession(sessionId, userId, createAt, expiresAt)
 
 	err = service.db.InsertSession(session)
 	if err != nil {
@@ -161,7 +207,7 @@ func (service AuthImpl) SignUp(email string, password string) (*User, error) {
 
 	err = service.db.InsertUser(dbUser)
 	if err != nil {
-		if err == db.ErrUserExists {
+		if err == db.ErrAlreadyExists {
 			return nil, ErrAccountExists
 		} else {
 			return nil, types.ErrInternal
@@ -190,7 +236,7 @@ func (service AuthImpl) SendVerificationMail(userId uuid.UUID, email string) {
 			return
 		}
 
-		token = db.NewToken(userId, newTokenStr, db.TokenTypeEmailVerify, service.clock.Now(), service.clock.Now().Add(24*time.Hour))
+		token = db.NewToken(userId, "", newTokenStr, db.TokenTypeEmailVerify, service.clock.Now(), service.clock.Now().Add(24*time.Hour))
 
 		err = service.db.InsertToken(token)
 		if err != nil {
@@ -251,28 +297,6 @@ func (service AuthImpl) SignOut(sessionId string) error {
 	return service.db.DeleteSession(sessionId)
 }
 
-func (service AuthImpl) GetUserFromSessionId(sessionId string) (*User, error) {
-	if sessionId == "" {
-		return nil, ErrSessionIdInvalid
-	}
-
-	session, err := service.db.GetSession(sessionId)
-	if err != nil {
-		return nil, types.ErrInternal
-	}
-
-	user, err := service.db.GetUser(session.UserId)
-	if err != nil {
-		return nil, types.ErrInternal
-	}
-
-	if session.CreatedAt.Add(time.Duration(8 * time.Hour)).Before(service.clock.Now()) {
-		return nil, nil
-	} else {
-		return NewUser(user), nil
-	}
-}
-
 func (service AuthImpl) DeleteAccount(user *User) error {
 
 	err := service.db.DeleteUser(user.Id)
@@ -333,7 +357,7 @@ func (service AuthImpl) SendForgotPasswordMail(email string) error {
 		}
 	}
 
-	token := db.NewToken(user.Id, tokenStr, db.TokenTypePasswordReset, service.clock.Now(), service.clock.Now().Add(15*time.Minute))
+	token := db.NewToken(user.Id, "", tokenStr, db.TokenTypePasswordReset, service.clock.Now(), service.clock.Now().Add(15*time.Minute))
 
 	err = service.db.InsertToken(token)
 	if err != nil {
@@ -384,6 +408,47 @@ func (service AuthImpl) ForgotPassword(tokenStr string, newPass string) error {
 	return nil
 }
 
+func (service AuthImpl) IsCsrfTokenValid(tokenStr string, sessionId string) bool {
+	token, err := service.db.GetToken(tokenStr)
+	if err != nil {
+		return false
+	}
+
+	if token.Type != db.TokenTypeCsrf ||
+		token.SessionId != sessionId ||
+		token.ExpiresAt.Before(service.clock.Now()) {
+
+		return false
+	}
+
+	return true
+}
+
+func (service AuthImpl) GetCsrfToken(session *Session) (string, error) {
+	if session == nil {
+		return "", types.ErrInternal
+	}
+
+	tokens, _ := service.db.GetTokensBySessionIdAndType(session.Id, db.TokenTypeCsrf)
+
+	if len(tokens) > 0 {
+		return tokens[0].Token, nil
+	}
+
+	tokenStr, err := service.random.String(32)
+	if err != nil {
+		return "", types.ErrInternal
+	}
+
+	token := db.NewToken(uuid.Nil, session.Id, tokenStr, db.TokenTypeCsrf, service.clock.Now(), service.clock.Now().Add(24*time.Hour))
+	err = service.db.InsertToken(token)
+	if err != nil {
+		return "", types.ErrInternal
+	}
+
+	return tokenStr, nil
+}
+
 func GetHashPassword(password string, salt []byte) []byte {
 	return argon2.IDKey([]byte(password), salt, 1, 64*1024, 1, 16)
 }

service/auth_test.go

@@ -33,7 +33,7 @@ func TestSignIn(t *testing.T) {
 			time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC),
 		)
 
-		dbSession := db.NewSession("sessionId", user.Id, time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC))
+		dbSession := db.NewSession("sessionId", user.Id, time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2020, 1, 2, 0, 0, 0, 0, time.UTC))
 
 		mockAuthDb := mocks.NewMockAuth(t)
 		mockAuthDb.EXPECT().GetUserByEmail("test@test.de").Return(user, nil)
@@ -212,7 +212,7 @@ func TestSignUp(t *testing.T) {
 
 		mockClock.EXPECT().Now().Return(createTime)
 
-		mockAuthDb.EXPECT().InsertUser(db.NewUser(user.Id, user.Email, false, nil, false, GetHashPassword(password, salt), salt, createTime)).Return(db.ErrUserExists)
+		mockAuthDb.EXPECT().InsertUser(db.NewUser(user.Id, user.Email, false, nil, false, GetHashPassword(password, salt), salt, createTime)).Return(db.ErrAlreadyExists)
 
 		underTest := NewAuthImpl(mockAuthDb, mockRandom, mockClock, mockMail, &types.Settings{})
 
@@ -227,7 +227,7 @@ func TestSendVerificationMail(t *testing.T) {
 	t.Run("should use stored token and send mail", func(t *testing.T) {
 		t.Parallel()
 
-		token := db.NewToken(uuid.New(), "someRandomTokenToUse", db.TokenTypeEmailVerify, time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2020, 1, 2, 0, 0, 0, 0, time.UTC))
+		token := db.NewToken(uuid.New(), "sessionId", "someRandomTokenToUse", db.TokenTypeEmailVerify, time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2020, 1, 2, 0, 0, 0, 0, time.UTC))
 		tokens := []*db.Token{token}
 
 		email := "some@email.de"

types/settings.go

@@ -77,8 +77,8 @@ func NewSettingsFromEnv(env func(string) string) *Settings {
 		log.Fatal("SMTP and Prometheus must be enabled in production")
 	}
 
-	log.Info("BASE_URL is %v", settings.BaseUrl)
-	log.Info("ENVIRONMENT is %v", settings.Environment)
+	log.Info("BASE_URL is %q", settings.BaseUrl)
+	log.Info("ENVIRONMENT is %q", settings.Environment)
 
 	return settings
 }

utils/http.go

@@ -31,15 +31,6 @@ func WaitMinimumTime[T interface{}](waitTime time.Duration, function func() (T,
 	return result, err
 }
 
-func GetSessionID(r *http.Request) string {
-	for _, c := range r.Cookies() {
-		if c.Name == "id" {
-			return c.Value
-		}
-	}
-	return ""
-}
-
 func isHtmx(r *http.Request) bool {
 	return r.Header.Get("HX-Request") == "true"
 }