chore(auth): #331 add and fix forgot password actual tests

Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.23.4@sha256:70031844b8c225351d0bb63e2c383f80db85d92ba894e3da7e13bcf80efa9a37 AS builder_go
+FROM golang:1.23.4@sha256:b01f7c744a3f1fccaf44905169169fed0ab13e6d1d702a6542d07b34cf677969 AS builder_go
 WORKDIR /me-fit
 RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.62.2
 RUN go install github.com/a-h/templ/cmd/templ@latest
@@ -13,7 +13,7 @@ RUN golangci-lint run ./...
 RUN go build -o /me-fit/me-fit .
 
 
-FROM node:22.12.0@sha256:35a5dd72bcac4bce43266408b58a02be6ff0b6098ffa6f5435aeea980a8951d7 AS builder_node
+FROM node:22.12.0@sha256:7bea049c66b5846c4ce2786b1b4e32865ef11b10fa446c1bfd791daea412c299 AS builder_node
 WORKDIR /me-fit
 COPY package.json package-lock.json ./
 RUN npm clean-install
@@ -21,7 +21,7 @@ COPY . ./
 RUN npm run build
 
 
-FROM debian:12.8@sha256:17122fe3d66916e55c0cbd5bbf54bb3f87b3582f4d86a755a0fd3498d360f91b
+FROM debian:12.8@sha256:b877a1a3fdf02469440f1768cf69c9771338a875b7add5e80c45b756c92ac20a
 WORKDIR /me-fit
 RUN apt-get update && apt-get install -y ca-certificates && echo "" > .env
 COPY migration ./migration

handler/auth.go

@@ -45,12 +45,12 @@ func (handler AuthImpl) Handle(router *http.ServeMux) {
 	router.Handle("/auth/delete-account", handler.handleDeleteAccountPage())
 	router.Handle("/api/auth/delete-account", handler.handleDeleteAccountComp())
 
-	router.Handle("/auth/change-password", handler.handleChangePasswordPage())
-	router.Handle("/api/auth/change-password", handler.handleChangePasswordComp())
+	router.Handle("GET /auth/change-password", handler.handleChangePasswordPage())
+	router.Handle("POST /api/auth/change-password", handler.handleChangePasswordComp())
 
-	router.Handle("/auth/forgot-password", handler.handleForgotPasswordPage())
-	router.Handle("/api/auth/forgot-password", handler.handleForgotPasswordComp())
-	router.Handle("/api/auth/forgot-password-actual", handler.handleForgotPasswordResponseComp())
+	router.Handle("GET /auth/forgot-password", handler.handleForgotPasswordPage())
+	router.Handle("POST /api/auth/forgot-password", handler.handleForgotPasswordComp())
+	router.Handle("POST /api/auth/forgot-password-actual", handler.handleForgotPasswordResponseComp())
 }
 
 var (
@@ -171,11 +171,17 @@ func (handler AuthImpl) handleSignUpVerifyResponsePage() http.HandlerFunc {
 
 		err := handler.service.VerifyUserEmail(token)
 
-		if err != nil {
-			utils.DoRedirect(w, r, "/auth/signin")
+		isVerified := err == nil
+		comp := auth.VerifyResponseComp(isVerified)
+
+		var status int
+		if isVerified {
+			status = http.StatusOK
 		} else {
-			utils.DoRedirect(w, r, "/")
+			status = http.StatusBadRequest
 		}
+
+		handler.render.RenderLayoutWithStatus(r, w, comp, nil, status)
 	}
 }
 
@@ -203,11 +209,14 @@ func (handler AuthImpl) handleSignUp() http.HandlerFunc {
 			} else if errors.Is(err, service.ErrInvalidEmail) {
 				utils.TriggerToast(w, r, "error", "The email provided is invalid", http.StatusBadRequest)
 				return
+			} else if errors.Is(err, service.ErrInvalidPassword) {
+				utils.TriggerToast(w, r, "error", service.ErrInvalidPassword.Error(), http.StatusBadRequest)
+				return
 			}
-			// If the "service.ErrAccountExists", then just continue
+			// If err is "service.ErrAccountExists", then just continue
 		}
 
-		utils.TriggerToast(w, r, "success", "A link to activate your account has been emailed to the address provided.", http.StatusOK)
+		utils.TriggerToast(w, r, "success", "An activation link has been send to your email", http.StatusOK)
 	}
 }
 
@@ -298,7 +307,7 @@ func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
 		session := middleware.GetSession(r)
 		user := middleware.GetUser(r)
 		if session == nil || user == nil {
-			utils.DoRedirect(w, r, "/auth/signin")
+			utils.TriggerToast(w, r, "error", "Unathorized", http.StatusUnauthorized)
 			return
 		}
 
@@ -307,7 +316,7 @@ func (handler AuthImpl) handleChangePasswordComp() http.HandlerFunc {
 
 		err := handler.service.ChangePassword(user, session.Id, currPass, newPass)
 		if err != nil {
-			utils.TriggerToast(w, r, "error", "Password not correct", http.StatusUnauthorized)
+			utils.TriggerToast(w, r, "error", "Password not correct", http.StatusBadRequest)
 			return
 		}
 
@@ -346,14 +355,13 @@ func (handler AuthImpl) handleForgotPasswordComp() http.HandlerFunc {
 		if err != nil {
 			utils.TriggerToast(w, r, "error", "Internal Server Error", http.StatusInternalServerError)
 		} else {
-			utils.TriggerToast(w, r, "info", "If the email exists, an email has been sent", http.StatusOK)
+			utils.TriggerToast(w, r, "info", "If the address exists, an email has been sent.", http.StatusOK)
 		}
 	}
 }
 
 func (handler AuthImpl) handleForgotPasswordResponseComp() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-
 		pageUrl, err := url.Parse(r.Header.Get("HX-Current-URL"))
 		if err != nil {
 			log.Error("Could not get current URL: %v", err)
@@ -366,7 +374,7 @@ func (handler AuthImpl) handleForgotPasswordResponseComp() http.HandlerFunc {
 
 		err = handler.service.ForgotPassword(token, newPass)
 		if err != nil {
-			utils.TriggerToast(w, r, "error", err.Error(), http.StatusInternalServerError)
+			utils.TriggerToast(w, r, "error", err.Error(), http.StatusBadRequest)
 		} else {
 			utils.TriggerToast(w, r, "success", "Password changed", http.StatusOK)
 		}

handler/index_and_404.go

@@ -36,13 +36,15 @@ func (handler IndexImpl) handleIndexAnd404() http.HandlerFunc {
 
 		var comp templ.Component
 
+		var status int
 		if r.URL.Path != "/" {
 			comp = template.NotFound()
-			w.WriteHeader(http.StatusNotFound)
+			status = http.StatusNotFound
 		} else {
 			comp = template.Index()
+			status = http.StatusOK
 		}
 
-		handler.render.RenderLayout(r, w, comp, user)
+		handler.render.RenderLayoutWithStatus(r, w, comp, user, status)
 	}
 }

handler/middleware/cross_site_request_forgery.go

@@ -8,6 +8,7 @@ import (
 	"me-fit/log"
 	"me-fit/service"
 	"me-fit/types"
+	"me-fit/utils"
 )
 
 type csrfResponseWriter struct {
@@ -57,7 +58,11 @@ func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler
 				}
 				if session == nil || csrfToken == "" || !auth.IsCsrfTokenValid(csrfToken, session.Id) {
 					log.Info("CSRF-Token not correct")
-					http.Error(w, "CSRF-Token not correct", http.StatusBadRequest)
+					if r.Header.Get("HX-Request") == "true" {
+						utils.TriggerToast(w, r, "error", "CSRF-Token not correct", http.StatusBadRequest)
+					} else {
+						http.Error(w, "CSRF-Token not correct", http.StatusBadRequest)
+					}
 					return
 				}
 			}

handler/render.go

@@ -21,8 +21,9 @@ func NewRender(settings *types.Settings) *Render {
 	}
 }
 
-func (render *Render) Render(r *http.Request, w http.ResponseWriter, comp templ.Component) {
+func (render *Render) RenderWithStatus(r *http.Request, w http.ResponseWriter, comp templ.Component, status int) {
 	w.Header().Set("Content-Type", "text/html")
+	w.WriteHeader(status)
 	err := comp.Render(r.Context(), w)
 	if err != nil {
 		log.Error("Failed to render layout: %v", err)
@@ -30,11 +31,19 @@ func (render *Render) Render(r *http.Request, w http.ResponseWriter, comp templ.
 	}
 }
 
+func (render *Render) Render(r *http.Request, w http.ResponseWriter, comp templ.Component) {
+	render.RenderWithStatus(r, w, comp, http.StatusOK)
+}
+
 func (render *Render) RenderLayout(r *http.Request, w http.ResponseWriter, slot templ.Component, user *types.User) {
+	render.RenderLayoutWithStatus(r, w, slot, user, http.StatusOK)
+}
+
+func (render *Render) RenderLayoutWithStatus(r *http.Request, w http.ResponseWriter, slot templ.Component, user *types.User, status int) {
 	userComp := render.getUserComp(user)
 	layout := template.Layout(slot, userComp, render.settings.Environment)
 
-	render.Render(r, w, layout)
+	render.RenderWithStatus(r, w, layout, status)
 }
 
 func (render *Render) getUserComp(user *types.User) templ.Component {

main_test.go

@@ -455,6 +455,259 @@ func TestIntegrationAuth(t *testing.T) {
 			assert.Equal(t, 0, rows)
 		})
 	})
+	t.Run("SignUp", func(t *testing.T) {
+		t.Run(`should redirect to "/" if signed in`, func(t *testing.T) {
+			t.Parallel()
+
+			db, basePath, ctx := setupIntegrationTest(t)
+
+			userId := uuid.New()
+			sessionId := "session-id"
+			pass := service.GetHashPassword("password", []byte("salt"))
+
+			_, err := db.Exec(`
+			INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+			VALUES (?, "mail@mail.de", TRUE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
+			assert.Nil(t, err)
+			_, err = db.Exec(`
+			INSERT INTO session (session_id, user_id, created_at, expires_at)
+			VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId)
+			assert.Nil(t, err)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signin", nil)
+			assert.Nil(t, err)
+			req.Header.Set("Cookie", "id="+sessionId)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
+			assert.Equal(t, "/", resp.Header.Get("Location"))
+		})
+		t.Run(`should fail if csrf token is invalid`, func(t *testing.T) {
+			t.Parallel()
+
+			_, basePath, ctx := setupIntegrationTest(t)
+
+			formData := url.Values{
+				"email":      {"mail@mail.de"},
+				"password":   {"password"},
+				"csrf-token": {"invalid-csrf-token"},
+			}
+			req, err := http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signin", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("HX-Request", "true")
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+			assert.Contains(t, resp.Header.Get("HX-Trigger"), "CSRF")
+		})
+		t.Run(`should fail if password is insecure`, func(t *testing.T) {
+			t.Parallel()
+
+			_, basePath, ctx := setupIntegrationTest(t)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signup", nil)
+			assert.Nil(t, err)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+			body, err := html.Parse(resp.Body)
+			assert.Nil(t, err)
+			anonymousCsrfToken := findCsrfToken(body)
+			assert.NotEqual(t, "", anonymousCsrfToken)
+			anonymousSession := findCookie(resp, "id")
+			assert.NotNil(t, anonymousSession)
+
+			formData := url.Values{
+				"email":      {"mail@mail.de"},
+				"password":   {"insecure-password"},
+				"csrf-token": {anonymousCsrfToken},
+			}
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signup", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("HX-Request", "true")
+			req.Header.Set("Cookie", "id="+anonymousSession.Value)
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+			assert.Contains(t, resp.Header.Get("HX-Trigger"), "password")
+		})
+		t.Run(`should say "verification mail send" if user already exists within ~250 ms`, func(t *testing.T) {
+			t.Parallel()
+
+			db, basePath, ctx := setupIntegrationTest(t)
+
+			_, err := db.Exec(`
+				INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at)
+				VALUES (?, "mail@mail.de", TRUE, FALSE, ?, ?, datetime())`, uuid.New(), service.GetHashPassword("password", []byte("salt")), []byte("salt"))
+			assert.Nil(t, err)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signup", nil)
+			assert.Nil(t, err)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+			body, err := html.Parse(resp.Body)
+			assert.Nil(t, err)
+			anonymousCsrfToken := findCsrfToken(body)
+			assert.NotEqual(t, "", anonymousCsrfToken)
+			anonymousSession := findCookie(resp, "id")
+			assert.NotNil(t, anonymousSession)
+
+			formData := url.Values{
+				"email":      {"mail@mail.de"},
+				"password":   {"secure-Password!1"},
+				"csrf-token": {anonymousCsrfToken},
+			}
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signup", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("HX-Request", "true")
+			req.Header.Set("Cookie", "id="+anonymousSession.Value)
+			timeStart := time.Now()
+			resp, err = httpClient.Do(req)
+			timeEnd := time.Now()
+			assert.Nil(t, err)
+			timeTaken := timeEnd.Sub(timeStart)
+			assert.LessOrEqual(t, timeTaken, 253*time.Millisecond)
+			assert.GreaterOrEqual(t, timeTaken, 250*time.Millisecond)
+
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
+			assert.Contains(t, resp.Header.Get("HX-Trigger"), "An activation link has been send to your email")
+		})
+		t.Run(`should say "verification mail send" within ~250 ms`, func(t *testing.T) {
+			t.Parallel()
+
+			db, basePath, ctx := setupIntegrationTest(t)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signup", nil)
+			assert.Nil(t, err)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+			body, err := html.Parse(resp.Body)
+			assert.Nil(t, err)
+			anonymousCsrfToken := findCsrfToken(body)
+			assert.NotEqual(t, "", anonymousCsrfToken)
+			anonymousSession := findCookie(resp, "id")
+			assert.NotNil(t, anonymousSession)
+
+			formData := url.Values{
+				"email":      {"mail@mail.de"},
+				"password":   {"secure-Password!1"},
+				"csrf-token": {anonymousCsrfToken},
+			}
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signup", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("HX-Request", "true")
+			req.Header.Set("Cookie", "id="+anonymousSession.Value)
+			timeStart := time.Now()
+			resp, err = httpClient.Do(req)
+			timeEnd := time.Now()
+			assert.Nil(t, err)
+			timeTaken := timeEnd.Sub(timeStart)
+			assert.LessOrEqual(t, timeTaken, 253*time.Millisecond)
+			assert.GreaterOrEqual(t, timeTaken, 250*time.Millisecond)
+
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
+			assert.Contains(t, resp.Header.Get("HX-Trigger"), "An activation link has been send to your email")
+
+			var rows int
+			err = db.QueryRow("SELECT COUNT(*) FROM user WHERE email = ? AND email_verified = FALSE", "mail@mail.de").Scan(&rows)
+			assert.Nil(t, err)
+			assert.Equal(t, 1, rows)
+			var token string
+			err = db.QueryRow("SELECT t.token FROM token t INNER JOIN user u ON u.user_id = t.user_id WHERE u.email = ? AND t.type = ?", "mail@mail.de", types.TokenTypeEmailVerify).Scan(&token)
+			assert.Nil(t, err)
+			assert.NotEqual(t, "", token)
+		})
+	})
+	t.Run("SignUpVerification", func(t *testing.T) {
+		t.Run(`should fail verifying email with non existent token`, func(t *testing.T) {
+			t.Parallel()
+
+			db, basePath, ctx := setupIntegrationTest(t)
+
+			userId := uuid.New()
+
+			_, err := db.Exec(`
+				INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+				VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, []byte("pass"), []byte("salt"))
+			assert.Nil(t, err)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/verify-email?token=invalid-token", nil)
+			assert.Nil(t, err)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+
+			var rows int
+			err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND email_verified = FALSE", userId).Scan(&rows)
+			assert.Nil(t, err)
+			assert.Equal(t, 1, rows)
+		})
+		t.Run(`should fail verifying email with outdated token`, func(t *testing.T) {
+			t.Parallel()
+
+			db, basePath, ctx := setupIntegrationTest(t)
+
+			userId := uuid.New()
+			token := "my-outdated-verifying-token"
+
+			_, err := db.Exec(`
+				INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+				VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, []byte("pass"), []byte("salt"))
+			assert.Nil(t, err)
+			_, err = db.Exec(`
+				INSERT INTO token (token, user_id, type, created_at, expires_at)
+				VALUES (?, ?, ?, datetime("now", "-16 minute"), datetime("now", "-1 minute"))`, token, userId, types.TokenTypeEmailVerify)
+			assert.Nil(t, err)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/verify-email?token="+token, nil)
+			assert.Nil(t, err)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+
+			var rows int
+			err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND email_verified = FALSE", userId).Scan(&rows)
+			assert.Nil(t, err)
+			assert.Equal(t, 1, rows)
+		})
+		t.Run(`should verify email with correct token`, func(t *testing.T) {
+			t.Parallel()
+
+			db, basePath, ctx := setupIntegrationTest(t)
+
+			userId := uuid.New()
+			token := "my-verifying-token"
+
+			_, err := db.Exec(`
+				INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+				VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, []byte("pass"), []byte("salt"))
+			assert.Nil(t, err)
+			_, err = db.Exec(`
+				INSERT INTO token (token, user_id, session_id, type, created_at, expires_at)
+				VALUES (?, ?, "", ?, datetime("now"), datetime("now", "+15 minute"))`, token, userId, types.TokenTypeEmailVerify)
+			assert.Nil(t, err)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/verify-email?token="+token, nil)
+			assert.Nil(t, err)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+			var rows int
+			err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND email_verified = TRUE", userId).Scan(&rows)
+			assert.Nil(t, err)
+			assert.Equal(t, 1, rows)
+		})
+	})
 	t.Run("SignOut", func(t *testing.T) {
 		t.Run("should fail if csrf token is not valid", func(t *testing.T) {
 			t.Parallel()
@@ -680,7 +933,187 @@ func TestIntegrationAuth(t *testing.T) {
 			assert.Equal(t, 0, rows)
 		})
 	})
+
 	t.Run("ChangePassword", func(t *testing.T) {
+		t.Run(`should redirect to "/" if not signed in`, func(t *testing.T) {
+			t.Parallel()
+
+			_, basePath, ctx := setupIntegrationTest(t)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/change-password", nil)
+			assert.Nil(t, err)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
+			assert.Equal(t, "/auth/signin", resp.Header.Get("Location"))
+		})
+		t.Run(`should throw unautohorized if not signed in`, func(t *testing.T) {
+			t.Parallel()
+
+			_, basePath, ctx := setupIntegrationTest(t)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signin", nil)
+			assert.Nil(t, err)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+			html, err := html.Parse(resp.Body)
+			assert.Nil(t, err)
+			anonymousCsrfToken := findCsrfToken(html)
+			assert.NotEqual(t, "", anonymousCsrfToken)
+			anonymousSessionId := findCookie(resp, "id").Value
+			assert.NotEqual(t, "", anonymousSessionId)
+
+			formData := url.Values{
+				"current-password": {"password"},
+				"new-password":     {"MyNewSecurePassword1!"},
+				"csrf-token":       {anonymousCsrfToken},
+			}
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/change-password", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("Cookie", "id="+anonymousSessionId)
+			req.Header.Set("HX-Request", "true")
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
+		})
+		t.Run(`should fail if csrf token is invalid`, func(t *testing.T) {
+			t.Parallel()
+
+			db, basePath, ctx := setupIntegrationTest(t)
+			userId := uuid.New()
+
+			pass := service.GetHashPassword("password", []byte("salt"))
+			_, err := db.Exec(`
+			INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+			VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
+
+			sessionId := "session-id"
+			assert.Nil(t, err)
+			_, err = db.Exec(`
+			INSERT INTO session (session_id, user_id, created_at, expires_at)
+			VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId)
+			assert.Nil(t, err)
+
+			formData := url.Values{
+				"current-password": {"password"},
+				"new-password":     {"MyNewSecurePassword1!"},
+				"csrf-token":       {"invalid-csrf-token"},
+			}
+
+			req, err := http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/change-password", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("Cookie", "id="+sessionId)
+			req.Header.Set("HX-Request", "true")
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+
+			var rows int
+			err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND password = ?", userId, pass).Scan(&rows)
+			assert.Nil(t, err)
+			assert.Equal(t, 1, rows)
+		})
+		t.Run("should fail if current password does not match", func(t *testing.T) {
+			t.Parallel()
+
+			db, basePath, ctx := setupIntegrationTest(t)
+			userId := uuid.New()
+			pass := service.GetHashPassword("password", []byte("salt"))
+
+			_, err := db.Exec(`
+				INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+				VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
+
+			sessionId := "session-id"
+			assert.Nil(t, err)
+			_, err = db.Exec(`
+				INSERT INTO session (session_id, user_id, created_at, expires_at)
+				VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId)
+			assert.Nil(t, err)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/change-password", nil)
+			assert.Nil(t, err)
+			req.Header.Set("Cookie", "id="+sessionId)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+			html, err := html.Parse(resp.Body)
+			assert.Nil(t, err)
+			csrfToken := findCsrfToken(html)
+			assert.NotEqual(t, "", csrfToken)
+
+			formData := url.Values{
+				"current-password": {"wrong-password"},
+				"new-password":     {"MyNewSecurePassword1!"},
+				"csrf-token":       {csrfToken},
+			}
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/change-password", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("Cookie", "id="+sessionId)
+			req.Header.Set("HX-Request", "true")
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+
+			var rows int
+			err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND password = ?", userId, pass).Scan(&rows)
+			assert.Nil(t, err)
+			assert.Equal(t, 1, rows)
+		})
+		t.Run("should fail if new password is insecure", func(t *testing.T) {
+			t.Parallel()
+
+			db, basePath, ctx := setupIntegrationTest(t)
+			userId := uuid.New()
+			pass := service.GetHashPassword("password", []byte("salt"))
+
+			_, err := db.Exec(`
+				INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+				VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
+
+			sessionId := "session-id"
+			assert.Nil(t, err)
+			_, err = db.Exec(`
+				INSERT INTO session (session_id, user_id, created_at, expires_at)
+				VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId)
+			assert.Nil(t, err)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/change-password", nil)
+			assert.Nil(t, err)
+			req.Header.Set("Cookie", "id="+sessionId)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+			html, err := html.Parse(resp.Body)
+			assert.Nil(t, err)
+			csrfToken := findCsrfToken(html)
+			assert.NotEqual(t, "", csrfToken)
+
+			formData := url.Values{
+				"current-password": {"password"},
+				"new-password":     {"insecure-password"},
+				"csrf-token":       {csrfToken},
+			}
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/change-password", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("Cookie", "id="+sessionId)
+			req.Header.Set("HX-Request", "true")
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+
+			var rows int
+			err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND password = ?", userId, pass).Scan(&rows)
+			assert.Nil(t, err)
+			assert.Equal(t, 1, rows)
+		})
 		t.Run("should change password and invalidate all other user sessions", func(t *testing.T) {
 			t.Parallel()
 
@@ -736,6 +1169,12 @@ func TestIntegrationAuth(t *testing.T) {
 
 			assert.Equal(t, http.StatusOK, resp.StatusCode)
 
+			pass = service.GetHashPassword("MyNewSecurePassword1!", []byte("salt"))
+			var rows int
+			err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND password = ?", userId, pass).Scan(&rows)
+			assert.Nil(t, err)
+			assert.Equal(t, 1, rows)
+
 			var sessionIds []string
 			sessions, err := db.Query(`SELECT session_id FROM session WHERE NOT user_id = ? ORDER BY session_id`, uuid.Nil)
 			assert.Nil(t, err)
@@ -752,7 +1191,288 @@ func TestIntegrationAuth(t *testing.T) {
 		})
 	})
 
-	t.Run("ForgotPassword", func(t *testing.T) {
+	t.Run("ForgotPasswordMail", func(t *testing.T) {
+		t.Run(`should redirect to "/" if signed in`, func(t *testing.T) {
+			t.Parallel()
+
+			d, basePath, ctx := setupIntegrationTest(t)
+			userId := uuid.New()
+
+			pass := service.GetHashPassword("password", []byte("salt"))
+			_, err := d.Exec(`
+			INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+			VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
+			assert.Nil(t, err)
+
+			sessionId := "session-id"
+			_, err = d.Exec(`
+			INSERT INTO session (session_id, user_id, created_at, expires_at)
+			VALUES ("session-id", ?, datetime(), datetime("now", "+1 day"))`, userId)
+			assert.Nil(t, err)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/forgot-password", nil)
+			assert.Nil(t, err)
+			req.Header.Set("Cookie", "id="+sessionId)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
+			assert.Equal(t, "/", resp.Header.Get("Location"))
+		})
+		t.Run(`should fail if csrf token is invalid`, func(t *testing.T) {
+			t.Parallel()
+
+			d, basePath, ctx := setupIntegrationTest(t)
+			userId := uuid.New()
+
+			pass := service.GetHashPassword("password", []byte("salt"))
+			_, err := d.Exec(`
+			INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+			VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
+			assert.Nil(t, err)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/forgot-password", nil)
+			assert.Nil(t, err)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
+			anonymousSessionId := findCookie(resp, "id").Value
+			assert.NotEqual(t, "", anonymousSessionId)
+
+			formData := url.Values{
+				"email":      {"mail@mail.de"},
+				"csrf-token": {"invalid-csrf-token"},
+			}
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/forgot-password", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("HX-Request", "true")
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+
+			var rows int
+			err = d.QueryRow("SELECT COUNT(*) FROM token WHERE user_id = ? AND type = ?", userId, types.TokenTypePasswordReset).Scan(&rows)
+			assert.Nil(t, err)
+			assert.Equal(t, 0, rows)
+		})
+		t.Run(`should fail but respond with uniform message`, func(t *testing.T) {
+			t.Parallel()
+
+			_, basePath, ctx := setupIntegrationTest(t)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/forgot-password", nil)
+			assert.Nil(t, err)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
+			anonymousSessionId := findCookie(resp, "id").Value
+			assert.NotEqual(t, "", anonymousSessionId)
+			body, err := html.Parse(resp.Body)
+			assert.Nil(t, err)
+			anonymousCsrfToken := findCsrfToken(body)
+
+			formData := url.Values{
+				"email":      {"non-existent@mail.de"},
+				"csrf-token": {anonymousCsrfToken},
+			}
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/forgot-password", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("HX-Request", "true")
+			req.Header.Set("Cookie", "id="+anonymousSessionId)
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+			msg := "If the address exists, an email has been sent."
+			assert.Contains(t, resp.Header.Get("HX-Trigger"), msg)
+		})
+		t.Run(`should generate token and respond with uniform message`, func(t *testing.T) {
+			t.Parallel()
+
+			db, basePath, ctx := setupIntegrationTest(t)
+
+			userId := uuid.New()
+			pass := service.GetHashPassword("password", []byte("salt"))
+			_, err := db.Exec(`
+				INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at)
+				VALUES (?, "mail@mail.de", TRUE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
+			assert.Nil(t, err)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/forgot-password", nil)
+			assert.Nil(t, err)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
+			anonymousSessionId := findCookie(resp, "id").Value
+			assert.NotEqual(t, "", anonymousSessionId)
+			body, err := html.Parse(resp.Body)
+			assert.Nil(t, err)
+			anonymousCsrfToken := findCsrfToken(body)
+
+			formData := url.Values{
+				"email":      {"mail@mail.de"},
+				"csrf-token": {anonymousCsrfToken},
+			}
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/forgot-password", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("HX-Request", "true")
+			req.Header.Set("Cookie", "id="+anonymousSessionId)
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+
+			assert.Equal(t, http.StatusOK, resp.StatusCode)
+
+			msg := "If the address exists, an email has been sent."
+			assert.Contains(t, resp.Header.Get("HX-Trigger"), msg)
+
+			var rows int
+			err = db.QueryRow("SELECT COUNT(*) FROM token WHERE user_id = ? AND type = ?", userId, types.TokenTypePasswordReset).Scan(&rows)
+			assert.Nil(t, err)
+			assert.Equal(t, 1, rows)
+		})
+	})
+
+	t.Run("ForgotPasswordResponse", func(t *testing.T) {
+		t.Run(`should fail if token does not exist`, func(t *testing.T) {
+			t.Parallel()
+
+			d, basePath, ctx := setupIntegrationTest(t)
+			userId := uuid.New()
+
+			pass := service.GetHashPassword("password", []byte("salt"))
+			_, err := d.Exec(`
+				INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+				VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
+			assert.Nil(t, err)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/forgot-password", nil)
+			assert.Nil(t, err)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+			anonymousSessionId := findCookie(resp, "id").Value
+			html, err := html.Parse(resp.Body)
+			assert.Nil(t, err)
+			anonymousCsrfToken := findCsrfToken(html)
+			assert.NotEqual(t, "", anonymousCsrfToken)
+
+			formData := url.Values{
+				"new-password": {"MyNewSecurePassword1!"},
+				"csrf-token":   {anonymousCsrfToken},
+			}
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/forgot-password-actual", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("Cookie", "id="+anonymousSessionId)
+			req.Header.Set("HX-Request", "true")
+			req.Header.Set("HX-Current-URL", basePath+"/auth/change-password?token=invalidToken")
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+			assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+
+			var rows int
+			err = d.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND password = ?", userId, pass).Scan(&rows)
+			assert.Nil(t, err)
+			assert.Equal(t, 1, rows)
+		})
+		t.Run(`should fail if token is outdated`, func(t *testing.T) {
+			t.Parallel()
+
+			d, basePath, ctx := setupIntegrationTest(t)
+			userId := uuid.New()
+
+			pass := service.GetHashPassword("password", []byte("salt"))
+			_, err := d.Exec(`
+				INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+				VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
+			assert.Nil(t, err)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/forgot-password", nil)
+			assert.Nil(t, err)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+			anonymousSessionId := findCookie(resp, "id").Value
+			html, err := html.Parse(resp.Body)
+			assert.Nil(t, err)
+			anonymousCsrfToken := findCsrfToken(html)
+			assert.NotEqual(t, "", anonymousCsrfToken)
+
+			token := "password-reset-token"
+			_, err = d.Exec(`
+				INSERT INTO token (token, user_id, session_id, type, created_at, expires_at)
+				VALUES (?, ?, ?, ?, datetime("now", "-16 minute"), datetime("now", "-1 minute"))`, token, userId, "", types.TokenTypePasswordReset)
+			assert.Nil(t, err)
+
+			formData := url.Values{
+				"new-password": {"MyNewSecurePassword1!"},
+				"csrf-token":   {anonymousCsrfToken},
+			}
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/forgot-password-actual", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("Cookie", "id="+anonymousSessionId)
+			req.Header.Set("HX-Request", "true")
+			req.Header.Set("HX-Current-URL", basePath+"/auth/change-password?token="+url.QueryEscape(token))
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+			assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+
+			var rows int
+			err = d.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND password = ?", userId, pass).Scan(&rows)
+			assert.Nil(t, err)
+			assert.Equal(t, 1, rows)
+		})
+		t.Run(`should fail if password is insecure`, func(t *testing.T) {
+			t.Parallel()
+
+			d, basePath, ctx := setupIntegrationTest(t)
+			userId := uuid.New()
+
+			pass := service.GetHashPassword("password", []byte("salt"))
+			_, err := d.Exec(`
+				INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at) 
+				VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
+			assert.Nil(t, err)
+
+			req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/forgot-password", nil)
+			assert.Nil(t, err)
+			resp, err := httpClient.Do(req)
+			assert.Nil(t, err)
+			anonymousSessionId := findCookie(resp, "id").Value
+			html, err := html.Parse(resp.Body)
+			assert.Nil(t, err)
+			anonymousCsrfToken := findCsrfToken(html)
+			assert.NotEqual(t, "", anonymousCsrfToken)
+
+			token := "password-reset-token"
+			_, err = d.Exec(`
+				INSERT INTO token (token, user_id, session_id, type, created_at, expires_at)
+				VALUES (?, ?, ?, ?, datetime("now"), datetime("now", "+15 minute"))`, token, userId, "", types.TokenTypePasswordReset)
+			assert.Nil(t, err)
+
+			formData := url.Values{
+				"new-password": {"insecure-password"},
+				"csrf-token":   {anonymousCsrfToken},
+			}
+			req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/forgot-password-actual", strings.NewReader(formData.Encode()))
+			assert.Nil(t, err)
+			req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+			req.Header.Set("Cookie", "id="+anonymousSessionId)
+			req.Header.Set("HX-Request", "true")
+			req.Header.Set("HX-Current-URL", basePath+"/auth/change-password?token="+url.QueryEscape(token))
+			resp, err = httpClient.Do(req)
+			assert.Nil(t, err)
+			assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+
+			var rows int
+			err = d.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND password = ?", userId, pass).Scan(&rows)
+			assert.Nil(t, err)
+			assert.Equal(t, 1, rows)
+		})
 		t.Run("should change password and invalidate ALL sessions", func(t *testing.T) {
 			t.Parallel()
 

template/auth/verify_response.templ

@@ -0,0 +1,29 @@
+package auth
+
+templ VerifyResponseComp(isVerified bool) {
+<main>
+	<div class="flex flex-col items-center justify-center h-screen">
+		if isVerified {
+		<h2 class="text-6xl mb-10">
+			Your email has been verified
+		</h2>
+		<p class="text-lg text-center">
+			You have completed the verification process. Thank you!
+		</p>
+		<a class="btn btn-primary mt-8" href="/">
+			Go Home
+		</a>
+		} else {
+		<h2 class="text-6xl mb-10">
+			Error during verification
+		</h2>
+		<p class="text-lg text-center">
+			Please try again by sign up process
+		</p>
+		<a class="btn btn-primary mt-8" href="/auth/signup">
+			Sign Up
+		</a>
+		}
+	</div>
+</main>
+}

template/mail/register.templ

@@ -3,17 +3,21 @@ package mail;
 import "net/url"
 
 templ Register(baseUrl string, token string) {
-	<!DOCTYPE html>
-	<html lang="en">
-		<head>
-			<meta charset="UTF-8"/>
-			<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
-			<title>Welcome</title>
-		</head>
-		<body>
-			<h4>Thank you for Sign Up!</h4>
-			<p>Click <a href={ templ.URL(baseUrl + "/auth/verify-email?token=" + url.QueryEscape(token)) }>here</a> to verify your account.</p>
-			<p>Kind regards</p>
-		</body>
-	</html>
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+	<meta charset="UTF-8" />
+	<meta name="viewport" content="width=device-width, initial-scale=1.0" />
+	<title>Welcome</title>
+</head>
+
+<body>
+	<h4>Thank you for Sign Up!</h4>
+	<p>Click <a href={ templ.URL(baseUrl + "/auth/verify-email?token=" + url.QueryEscape(token)) }>here</a> to finalize
+		your registration.</p>
+	<p>Kind regards</p>
+</body>
+
+</html>
 }