x/web-app-template
Archived
Template
2
0
Fork 0
Code Issues 13 Pull Requests 4 Actions Packages Activity

Compare commits

merge into: x:331-test-sign-in
Branches Tags
x:prod x:renovate/golang.org-x-net-0.x x:renovate/golang.org-x-crypto-0.x x:renovate/golang-1.x x:renovate/go-1.x x:fix-golang-ci x:fix-tests x:upgrade-tailwind x:remove-daysi-ui x:331-test-forgot-password x:331-test-sign-up x:331-test-sign-in
...
pull from: x:331-test-sign-up
Branches Tags
x:renovate/golang.org-x-net-0.x x:renovate/golang.org-x-crypto-0.x x:renovate/golang-1.x x:renovate/go-1.x x:prod x:fix-golang-ci x:fix-tests x:upgrade-tailwind x:remove-daysi-ui x:331-test-forgot-password x:331-test-sign-up x:331-test-sign-in

3 Commits
331-test-s ... 331-test-s

Author SHA1 Message Date
Tim Wundenberg
5ea400352f chore(auth): #331 add sign up verify tests
All checks were successful
Build Docker Image / Build-Docker-Image (push) Successful in 47s
Details
Build and Push Docker Image / Build-And-Push-Docker-Image (push) Successful in 53s
Details
2024-12-25 21:56:32 +01:00
Tim Wundenberg
397442767a chore(auth): #331 implement and fix sign up tests
All checks were successful
Build Docker Image / Build-Docker-Image (push) Successful in 47s
Details
Build and Push Docker Image / Build-And-Push-Docker-Image (push) Successful in 52s
Details
2024-12-24 22:39:26 +01:00
Tim Wundenberg
9462f8b245 chore(auth): #331 implement and fix fist sign up tests
All checks were successful
Build Docker Image / Build-Docker-Image (push) Successful in 45s
Details
Build and Push Docker Image / Build-And-Push-Docker-Image (push) Successful in 51s
Details
2024-12-23 22:57:41 +01:00
6 changed files with 330 additions and 21 deletions
Expand all files Collapse all files

19
handler/auth.go
View File

@@ -171,11 +171,17 @@ func (handler AuthImpl) handleSignUpVerifyResponsePage() http.HandlerFunc {
err := handler.service.VerifyUserEmail(token)
if err != nil {
utils.DoRedirect(w, r, "/auth/signin")
isVerified := err == nil
comp := auth.VerifyResponseComp(isVerified)
var status int
if isVerified {
status = http.StatusOK
} else {
utils.DoRedirect(w, r, "/")
status = http.StatusBadRequest
}
handler.render.RenderLayoutWithStatus(r, w, comp, nil, status)
}
}
@@ -203,11 +209,14 @@ func (handler AuthImpl) handleSignUp() http.HandlerFunc {
} else if errors.Is(err, service.ErrInvalidEmail) {
utils.TriggerToast(w, r, "error", "The email provided is invalid", http.StatusBadRequest)
return
} else if errors.Is(err, service.ErrInvalidPassword) {
utils.TriggerToast(w, r, "error", service.ErrInvalidPassword.Error(), http.StatusBadRequest)
return
}
// If the "service.ErrAccountExists", then just continue
// If err is "service.ErrAccountExists", then just continue
}
utils.TriggerToast(w, r, "success", "A link to activate your account has been emailed to the address provided.", http.StatusOK)
utils.TriggerToast(w, r, "success", "An activation link has been send to your email", http.StatusOK)
}
}

7
handler/middleware/cross_site_request_forgery.go
View File

@@ -8,6 +8,7 @@ import (
"me-fit/log"
"me-fit/service"
"me-fit/types"
"me-fit/utils"
)
type csrfResponseWriter struct {
@@ -57,7 +58,11 @@ func CrossSiteRequestForgery(auth service.Auth) func(http.Handler) http.Handler
}
if session == nil || csrfToken == "" || !auth.IsCsrfTokenValid(csrfToken, session.Id) {
log.Info("CSRF-Token not correct")
http.Error(w, "CSRF-Token not correct", http.StatusBadRequest)
if r.Header.Get("HX-Request") == "true" {
utils.TriggerToast(w, r, "error", "CSRF-Token not correct", http.StatusBadRequest)
} else {
http.Error(w, "CSRF-Token not correct", http.StatusBadRequest)
}
return
}
}

13
handler/render.go
View File

@@ -21,8 +21,9 @@ func NewRender(settings *types.Settings) *Render {
}
}
func (render *Render) Render(r *http.Request, w http.ResponseWriter, comp templ.Component) {
func (render *Render) RenderWithStatus(r *http.Request, w http.ResponseWriter, comp templ.Component, status int) {
w.Header().Set("Content-Type", "text/html")
w.WriteHeader(status)
err := comp.Render(r.Context(), w)
if err != nil {
log.Error("Failed to render layout: %v", err)
@@ -30,11 +31,19 @@ func (render *Render) Render(r *http.Request, w http.ResponseWriter, comp templ.
}
}
func (render *Render) Render(r *http.Request, w http.ResponseWriter, comp templ.Component) {
render.RenderWithStatus(r, w, comp, http.StatusOK)
}
func (render *Render) RenderLayout(r *http.Request, w http.ResponseWriter, slot templ.Component, user *types.User) {
render.RenderLayoutWithStatus(r, w, slot, user, http.StatusOK)
}
func (render *Render) RenderLayoutWithStatus(r *http.Request, w http.ResponseWriter, slot templ.Component, user *types.User, status int) {
userComp := render.getUserComp(user)
layout := template.Layout(slot, userComp, render.settings.Environment)
render.Render(r, w, layout)
render.RenderWithStatus(r, w, layout, status)
}
func (render *Render) getUserComp(user *types.User) templ.Component {

253
main_test.go
View File

@@ -455,6 +455,259 @@ func TestIntegrationAuth(t *testing.T) {
assert.Equal(t, 0, rows)
})
})
t.Run("SignUp", func(t *testing.T) {
t.Run(`should redirect to "/" if signed in`, func(t *testing.T) {
t.Parallel()
db, basePath, ctx := setupIntegrationTest(t)
userId := uuid.New()
sessionId := "session-id"
pass := service.GetHashPassword("password", []byte("salt"))
_, err := db.Exec(`
INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at)
VALUES (?, "mail@mail.de", TRUE, FALSE, ?, ?, datetime())`, userId, pass, []byte("salt"))
assert.Nil(t, err)
_, err = db.Exec(`
INSERT INTO session (session_id, user_id, created_at, expires_at)
VALUES (?, ?, datetime(), datetime("now", "+1 day"))`, sessionId, userId)
assert.Nil(t, err)
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signin", nil)
assert.Nil(t, err)
req.Header.Set("Cookie", "id="+sessionId)
resp, err := httpClient.Do(req)
assert.Nil(t, err)
assert.Equal(t, http.StatusSeeOther, resp.StatusCode)
assert.Equal(t, "/", resp.Header.Get("Location"))
})
t.Run(`should fail if csrf token is invalid`, func(t *testing.T) {
t.Parallel()
_, basePath, ctx := setupIntegrationTest(t)
formData := url.Values{
"email": {"mail@mail.de"},
"password": {"password"},
"csrf-token": {"invalid-csrf-token"},
}
req, err := http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signin", strings.NewReader(formData.Encode()))
assert.Nil(t, err)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("HX-Request", "true")
resp, err := httpClient.Do(req)
assert.Nil(t, err)
assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
assert.Contains(t, resp.Header.Get("HX-Trigger"), "CSRF")
})
t.Run(`should fail if password is insecure`, func(t *testing.T) {
t.Parallel()
_, basePath, ctx := setupIntegrationTest(t)
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signup", nil)
assert.Nil(t, err)
resp, err := httpClient.Do(req)
assert.Nil(t, err)
body, err := html.Parse(resp.Body)
assert.Nil(t, err)
anonymousCsrfToken := findCsrfToken(body)
assert.NotEqual(t, "", anonymousCsrfToken)
anonymousSession := findCookie(resp, "id")
assert.NotNil(t, anonymousSession)
formData := url.Values{
"email": {"mail@mail.de"},
"password": {"insecure-password"},
"csrf-token": {anonymousCsrfToken},
}
req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signup", strings.NewReader(formData.Encode()))
assert.Nil(t, err)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("HX-Request", "true")
req.Header.Set("Cookie", "id="+anonymousSession.Value)
resp, err = httpClient.Do(req)
assert.Nil(t, err)
assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
assert.Contains(t, resp.Header.Get("HX-Trigger"), "password")
})
t.Run(`should say "verification mail send" if user already exists within ~250 ms`, func(t *testing.T) {
t.Parallel()
db, basePath, ctx := setupIntegrationTest(t)
_, err := db.Exec(`
INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at)
VALUES (?, "mail@mail.de", TRUE, FALSE, ?, ?, datetime())`, uuid.New(), service.GetHashPassword("password", []byte("salt")), []byte("salt"))
assert.Nil(t, err)
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signup", nil)
assert.Nil(t, err)
resp, err := httpClient.Do(req)
assert.Nil(t, err)
body, err := html.Parse(resp.Body)
assert.Nil(t, err)
anonymousCsrfToken := findCsrfToken(body)
assert.NotEqual(t, "", anonymousCsrfToken)
anonymousSession := findCookie(resp, "id")
assert.NotNil(t, anonymousSession)
formData := url.Values{
"email": {"mail@mail.de"},
"password": {"secure-Password!1"},
"csrf-token": {anonymousCsrfToken},
}
req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signup", strings.NewReader(formData.Encode()))
assert.Nil(t, err)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("HX-Request", "true")
req.Header.Set("Cookie", "id="+anonymousSession.Value)
timeStart := time.Now()
resp, err = httpClient.Do(req)
timeEnd := time.Now()
assert.Nil(t, err)
timeTaken := timeEnd.Sub(timeStart)
assert.LessOrEqual(t, timeTaken, 253*time.Millisecond)
assert.GreaterOrEqual(t, timeTaken, 250*time.Millisecond)
assert.Equal(t, http.StatusOK, resp.StatusCode)
assert.Contains(t, resp.Header.Get("HX-Trigger"), "An activation link has been send to your email")
})
t.Run(`should say "verification mail send" within ~250 ms`, func(t *testing.T) {
t.Parallel()
db, basePath, ctx := setupIntegrationTest(t)
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/signup", nil)
assert.Nil(t, err)
resp, err := httpClient.Do(req)
assert.Nil(t, err)
body, err := html.Parse(resp.Body)
assert.Nil(t, err)
anonymousCsrfToken := findCsrfToken(body)
assert.NotEqual(t, "", anonymousCsrfToken)
anonymousSession := findCookie(resp, "id")
assert.NotNil(t, anonymousSession)
formData := url.Values{
"email": {"mail@mail.de"},
"password": {"secure-Password!1"},
"csrf-token": {anonymousCsrfToken},
}
req, err = http.NewRequestWithContext(ctx, "POST", basePath+"/api/auth/signup", strings.NewReader(formData.Encode()))
assert.Nil(t, err)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("HX-Request", "true")
req.Header.Set("Cookie", "id="+anonymousSession.Value)
timeStart := time.Now()
resp, err = httpClient.Do(req)
timeEnd := time.Now()
assert.Nil(t, err)
timeTaken := timeEnd.Sub(timeStart)
assert.LessOrEqual(t, timeTaken, 253*time.Millisecond)
assert.GreaterOrEqual(t, timeTaken, 250*time.Millisecond)
assert.Equal(t, http.StatusOK, resp.StatusCode)
assert.Contains(t, resp.Header.Get("HX-Trigger"), "An activation link has been send to your email")
var rows int
err = db.QueryRow("SELECT COUNT(*) FROM user WHERE email = ? AND email_verified = FALSE", "mail@mail.de").Scan(&rows)
assert.Nil(t, err)
assert.Equal(t, 1, rows)
var token string
err = db.QueryRow("SELECT t.token FROM token t INNER JOIN user u ON u.user_id = t.user_id WHERE u.email = ? AND t.type = ?", "mail@mail.de", types.TokenTypeEmailVerify).Scan(&token)
assert.Nil(t, err)
assert.NotEqual(t, "", token)
})
})
t.Run("SignUpVerification", func(t *testing.T) {
t.Run(`should fail verifying email with non existent token`, func(t *testing.T) {
t.Parallel()
db, basePath, ctx := setupIntegrationTest(t)
userId := uuid.New()
_, err := db.Exec(`
INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at)
VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, []byte("pass"), []byte("salt"))
assert.Nil(t, err)
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/verify-email?token=invalid-token", nil)
assert.Nil(t, err)
resp, err := httpClient.Do(req)
assert.Nil(t, err)
assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
var rows int
err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND email_verified = FALSE", userId).Scan(&rows)
assert.Nil(t, err)
assert.Equal(t, 1, rows)
})
t.Run(`should fail verifying email with outdated token`, func(t *testing.T) {
t.Parallel()
db, basePath, ctx := setupIntegrationTest(t)
userId := uuid.New()
token := "my-outdated-verifying-token"
_, err := db.Exec(`
INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at)
VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, []byte("pass"), []byte("salt"))
assert.Nil(t, err)
_, err = db.Exec(`
INSERT INTO token (token, user_id, type, created_at, expires_at)
VALUES (?, ?, ?, datetime("now", "-16 minute"), datetime("now", "-1 minute"))`, token, userId, types.TokenTypeEmailVerify)
assert.Nil(t, err)
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/verify-email?token="+token, nil)
assert.Nil(t, err)
resp, err := httpClient.Do(req)
assert.Nil(t, err)
assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
var rows int
err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND email_verified = FALSE", userId).Scan(&rows)
assert.Nil(t, err)
assert.Equal(t, 1, rows)
})
t.Run(`should verify email with correct token`, func(t *testing.T) {
t.Parallel()
db, basePath, ctx := setupIntegrationTest(t)
userId := uuid.New()
token := "my-verifying-token"
_, err := db.Exec(`
INSERT INTO user (user_id, email, email_verified, is_admin, password, salt, created_at)
VALUES (?, "mail@mail.de", FALSE, FALSE, ?, ?, datetime())`, userId, []byte("pass"), []byte("salt"))
assert.Nil(t, err)
_, err = db.Exec(`
INSERT INTO token (token, user_id, session_id, type, created_at, expires_at)
VALUES (?, ?, "", ?, datetime("now"), datetime("now", "+15 minute"))`, token, userId, types.TokenTypeEmailVerify)
assert.Nil(t, err)
req, err := http.NewRequestWithContext(ctx, "GET", basePath+"/auth/verify-email?token="+token, nil)
assert.Nil(t, err)
resp, err := httpClient.Do(req)
assert.Nil(t, err)
assert.Equal(t, http.StatusOK, resp.StatusCode)
var rows int
err = db.QueryRow("SELECT COUNT(*) FROM user WHERE user_id = ? AND email_verified = TRUE", userId).Scan(&rows)
assert.Nil(t, err)
assert.Equal(t, 1, rows)
})
})
t.Run("SignOut", func(t *testing.T) {
t.Run("should fail if csrf token is not valid", func(t *testing.T) {
t.Parallel()

29
template/auth/verify_response.templ Normal file
View File

@@ -0,0 +1,29 @@
package auth
templ VerifyResponseComp(isVerified bool) {
<main>
<div class="flex flex-col items-center justify-center h-screen">
if isVerified {
<h2 class="text-6xl mb-10">
Your email has been verified
</h2>
<p class="text-lg text-center">
You have completed the verification process. Thank you!
</p>
<a class="btn btn-primary mt-8" href="/">
Go Home
</a>
} else {
<h2 class="text-6xl mb-10">
Error during verification
</h2>
<p class="text-lg text-center">
Please try again by sign up process
</p>
<a class="btn btn-primary mt-8" href="/auth/signup">
Sign Up
</a>
}
</div>
</main>
}

30
template/mail/register.templ
View File

@@ -3,17 +3,21 @@ package mail;
import "net/url"
templ Register(baseUrl string, token string) {
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<title>Welcome</title>
</head>
<body>
<h4>Thank you for Sign Up!</h4>
<p>Click <a href={ templ.URL(baseUrl + "/auth/verify-email?token=" + url.QueryEscape(token)) }>here</a> to verify your account.</p>
<p>Kind regards</p>
</body>
</html>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<title>Welcome</title>
</head>
<body>
<h4>Thank you for Sign Up!</h4>
<p>Click <a href={ templ.URL(baseUrl + "/auth/verify-email?token=" + url.QueryEscape(token)) }>here</a> to finalize
your registration.</p>
<p>Kind regards</p>
</body>
</html>
}