x/web-app-template
Archived
Template
2
0
Fork 0
Code Issues 13 Pull Requests 4 Actions Packages Activity

WIP: fix: restructure handler yet again #181 #186

Closed
tim wants to merge 7 commits from 181-first-test into master
pull from: 181-first-test
merge into: x:master
Conversation 0 Commits 7 Files Changed 12 +967 -608
12 changed files with 967 additions and 608 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
db/auth.go Normal file
View File

@@ -0,0 +1,29 @@
package db
import (
"database/sql"
"errors"
"strings"
"github.com/google/uuid"
)
type AuthDb interface {
InsertUser(userIs uuid.UUID, email string, password string) error
}
type AuthDbSqlite struct {
db *sql.DB
}
func (a *AuthDbSqlite) InsertUser(userId uuid.UUID, email string, passwordHash []byte, salt []byte) error {
_, err := a.db.Exec("INSERT INTO user (user_uuid, email, email_verified, is_admin, password, salt, created_at) VALUES (?, ?, FALSE, FALSE, ?, ?, datetime())", userId, email, passwordHash, salt)
if err != nil {
if strings.Contains(err.Error(), "email") {
return errors.New("Bad Request")
}
utils.LogError("Could not insert user", err)
return ErrInternalServer
}
}

382
handler/auth.go
View File

@@ -1,27 +1,375 @@
package handler package handler
import ( import (
"context"
"me-fit/service" "me-fit/service"
"me-fit/template"
"me-fit/template/auth"
mail "me-fit/template/mail"
"me-fit/types"
"me-fit/utils"
"strings"
"database/sql" "database/sql"
"net/http" "net/http"
"net/url"
) )
func handleAuth(db *sql.DB, router *http.ServeMux) { type AuthHandler struct {
// Don't use auth middleware for these routes, as it makes redirecting very difficult, if the mail is not yet verified db *sql.DB
router.Handle("/auth/signin", service.HandleSignInPage(db)) service *service.AuthService
router.Handle("/auth/signup", service.HandleSignUpPage(db)) }
router.Handle("/auth/verify", service.HandleSignUpVerifyPage(db)) // Hint for the user to verify their email
router.Handle("/auth/delete-account", service.HandleDeleteAccountPage(db)) func (a *AuthHandler) authUi() http.Handler {
router.Handle("/auth/verify-email", service.HandleSignUpVerifyResponsePage(db)) // The link contained in the email router := http.NewServeMux()
router.Handle("/auth/change-password", service.HandleChangePasswordPage(db))
router.Handle("/auth/reset-password", service.HandleResetPasswordPage(db)) router.Handle("/auth/signin", handleSignInPage(a.db))
router.Handle("/api/auth/signup", service.HandleSignUpComp(db)) router.Handle("/auth/signup", handleSignUpPage(a.db))
router.Handle("/api/auth/signin", service.HandleSignInComp(db)) router.Handle("/auth/verify", handleSignUpVerifyPage(a.db)) // Hint for the user to verify their email
router.Handle("/api/auth/signout", service.HandleSignOutComp(db)) router.Handle("/auth/delete-account", handleDeleteAccountPage(a.db))
router.Handle("/api/auth/delete-account", service.HandleDeleteAccountComp(db)) router.Handle("/auth/verify-email", handleSignUpVerifyResponsePage(a.db)) // The link contained in the email
router.Handle("/api/auth/verify-resend", service.HandleVerifyResendComp(db)) router.Handle("/auth/change-password", handleChangePasswordPage(a.db))
router.Handle("/api/auth/change-password", service.HandleChangePasswordComp(db)) router.Handle("/auth/reset-password", handleResetPasswordPage(a.db))
router.Handle("/api/auth/reset-password", service.HandleResetPasswordComp(db)) router.Handle("/", handleNotFound(a.db))
router.Handle("/api/auth/reset-password-actual", service.HandleActualResetPasswordComp(db))
return router
}
func (a *AuthHandler) authApi() http.Handler {
router := http.NewServeMux()
router.Handle("/api/auth/signup", handleSignUp(a.db))
router.Handle("/api/auth/signin", a.handleSignIn())
router.Handle("/api/auth/signout", handleSignOut(a.db))
router.Handle("/api/auth/delete-account", handleDeleteAccount(a.db))
router.Handle("/api/auth/verify-resend", handleVerifyResend(a.db))
router.Handle("/api/auth/change-password", handleChangePassword(a.db))
router.Handle("/api/auth/reset-password", handleResetPassword(a.db))
router.Handle("/api/auth/reset-password-actual", handleActualResetPassword(a.db))
return router
}
func handleSignInPage(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user := service.GetUserFromRequest(db, r)
if user == nil {
userComp := service.UserInfoComp(nil)
signIn := auth.SignInOrUpComp(true)
err := template.Layout(signIn, userComp).Render(r.Context(), w)
if err != nil {
utils.LogError("Failed to render sign in page", err)
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
}
} else if !user.EmailVerified {
utils.DoRedirect(w, r, "/auth/verify")
} else {
utils.DoRedirect(w, r, "/")
}
}
}
func handleSignUpPage(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user := service.GetUserFromRequest(db, r)
if user == nil {
userComp := service.UserInfoComp(nil)
signUpComp := auth.SignInOrUpComp(false)
err := template.Layout(signUpComp, userComp).Render(r.Context(), w)
if err != nil {
utils.LogError("Failed to render sign up page", err)
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
}
} else if !user.EmailVerified {
utils.DoRedirect(w, r, "/auth/verify")
} else {
utils.DoRedirect(w, r, "/")
}
}
}
func handleSignUpVerifyPage(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user := service.GetUserFromRequest(db, r)
if user == nil {
utils.DoRedirect(w, r, "/auth/signin")
} else if user.EmailVerified {
utils.DoRedirect(w, r, "/")
} else {
userComp := service.UserInfoComp(user)
signIn := auth.VerifyComp()
err := template.Layout(signIn, userComp).Render(r.Context(), w)
if err != nil {
utils.LogError("Failed to render verify page", err)
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
}
}
}
}
func handleDeleteAccountPage(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
// An unverified email should be able to delete their account
user := service.GetUserFromRequest(db, r)
if user == nil {
utils.DoRedirect(w, r, "/auth/signin")
} else {
userComp := service.UserInfoComp(user)
comp := auth.DeleteAccountComp()
err := template.Layout(comp, userComp).Render(r.Context(), w)
if err != nil {
utils.LogError("Failed to render delete account page", err)
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
}
}
}
}
func handleSignUpVerifyResponsePage(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
token := r.URL.Query().Get("token")
if token == "" {
utils.DoRedirect(w, r, "/auth/verify")
return
}
err := service.ValidateEmail(db, token)
if err != nil {
utils.LogError("Could not validate email", err)
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
return
}
utils.DoRedirect(w, r, "/")
}
}
func handleChangePasswordPage(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
isPasswordReset := r.URL.Query().Has("token")
user := service.GetUserFromRequest(db, r)
if user == nil && !isPasswordReset {
utils.DoRedirect(w, r, "/auth/signin")
} else {
userComp := service.UserInfoComp(user)
comp := auth.ChangePasswordComp(isPasswordReset)
err := template.Layout(comp, userComp).Render(r.Context(), w)
if err != nil {
utils.LogError("Failed to render change password page", err)
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
}
}
}
}
func handleResetPasswordPage(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user := service.GetUserFromRequest(db, r)
if user != nil {
utils.DoRedirect(w, r, "/auth/signin")
} else {
userComp := service.UserInfoComp(nil)
comp := auth.ResetPasswordComp()
err := template.Layout(comp, userComp).Render(r.Context(), w)
if err != nil {
utils.LogError("Failed to render change password page", err)
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
}
}
}
}
func handleSignUp(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
var email = r.FormValue("email")
var password = r.FormValue("password")
sessionId, err := service.SignUp(db, email, password)
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
http.SetCookie(w, createSessionCookie(*sessionId))
utils.DoRedirect(w, r, "/auth/verify")
}
}
func createSessionCookie(sessionId types.SessionId) *http.Cookie {
cookie := http.Cookie{
Name: "id",
Value: string(sessionId),
MaxAge: 60 * 60 * 8, // 8 hours
Secure: true,
HttpOnly: true,
SameSite: http.SameSiteStrictMode,
Path: "/",
}
return &cookie
}
func (a *AuthHandler) handleSignIn() http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
var email = r.FormValue("email")
var password = r.FormValue("password")
sessionId, err := a.service.SignIn(email, password)
if err != nil {
utils.TriggerToast(w, r, "error", err.Error())
return
}
http.SetCookie(w, createSessionCookie(*sessionId))
utils.DoRedirect(w, r, "/auth/verify")
}
}
func handleSignOut(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user := service.GetUserFromRequest(db, r)
err := service.SignOut(db, user)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
utils.TriggerToast(w, r, "error", "Internal Server Error")
return
}
c := http.Cookie{
Name: "id",
Value: "",
MaxAge: -1,
Secure: true,
HttpOnly: true,
SameSite: http.SameSiteStrictMode,
Path: "/",
}
http.SetCookie(w, &c)
utils.DoRedirect(w, r, "/")
}
}
func handleDeleteAccount(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user := service.GetUserFromRequest(db, r)
if user == nil {
utils.DoRedirect(w, r, "/auth/signin")
return
}
password := r.FormValue("password")
err := service.DeleteAccount(db, user, password)
if err != nil {
utils.LogError("Could not delete account", err)
utils.TriggerToast(w, r, "error", err.Error())
}
utils.DoRedirect(w, r, "/")
}
}
func handleVerifyResend(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user := service.GetUserFromRequest(db, r)
if user == nil || user.EmailVerified {
utils.DoRedirect(w, r, "/auth/signin")
return
}
go service.SendVerificationEmail(db, user.Id.String(), user.Email)
w.Write([]byte("<p class=\"mt-8\">Verification email sent</p>"))
}
}
func handleChangePassword(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user := service.GetUserFromRequest(db, r)
if user == nil {
utils.DoRedirect(w, r, "/auth/signin")
return
}
currPass := r.FormValue("current-password")
newPass := r.FormValue("new-password")
err := service.ChangePassword(db, user, currPass, newPass)
if err != nil {
utils.TriggerToast(w, r, "error", err.Error())
return
}
utils.TriggerToast(w, r, "success", "Password changed")
}
}
func handleResetPassword(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
email := r.FormValue("email")
token, err := service.ResetPassword(db, email)
if err != nil {
utils.TriggerToast(w, r, "error", err.Error())
return
}
if token != "" {
var string strings.Builder
err = mail.ResetPassword(token).Render(context.Background(), &string)
if err != nil {
utils.LogError("Could not render reset password email", err)
utils.TriggerToast(w, r, "error", "Internal Server Error")
return
}
utils.SendMail(email, "Reset Password", string.String())
}
utils.TriggerToast(w, r, "info", "If the email exists, an email has been sent")
}
}
func handleActualResetPassword(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
pageUrl, err := url.Parse(r.Header.Get("HX-Current-URL"))
if err != nil {
utils.LogError("Could not get current URL", err)
utils.TriggerToast(w, r, "error", "Internal Server Error")
return
}
token := pageUrl.Query().Get("token")
if token == "" {
utils.TriggerToast(w, r, "error", "No token")
return
}
newPass := r.FormValue("new-password")
service.ActualResetPassword(db, token, newPass)
if err != nil {
utils.TriggerToast(w, r, "error", err.Error())
return
}
utils.TriggerToast(w, r, "success", "Password changed")
}
} }

61
handler/default.go
View File

@@ -3,26 +3,69 @@ package handler
import ( import (
"me-fit/middleware" "me-fit/middleware"
"me-fit/service" "me-fit/service"
"me-fit/template"
"me-fit/utils"
"database/sql" "database/sql"
"net/http" "net/http"
) )
func GetHandler(db *sql.DB) http.Handler { func GetHandler(db *sql.DB) http.Handler {
var router = http.NewServeMux() router := http.NewServeMux()
router.HandleFunc("/", service.HandleIndexAnd404(db)) router.HandleFunc("/{$}", handleIndex(db))
router.HandleFunc("/", handleNotFound(db))
// Serve static files (CSS, JS and images)
router.Handle("/static/", http.StripPrefix("/static/", http.FileServer(http.Dir("./static/")))) router.Handle("/static/", http.StripPrefix("/static/", http.FileServer(http.Dir("./static/"))))
handleWorkout(db, router) authHandler := AuthHandler{
db: db,
handleAuth(db, router) service: service.NewAuthService(db),
return middleware.Logging(middleware.EnableCors(router))
} }
func auth(db *sql.DB, h http.Handler) http.Handler { router.Handle("/auth/", authHandler.authUi())
router.Handle("/api/auth/", authHandler.authApi())
router.Handle("/workout", authMiddleware(db, workoutUi(db)))
router.Handle("/api/workout", authMiddleware(db, workoutApi(db)))
// Needed a second time with trailing slash, otherwise either /api/workout or /api/workout/{id} does not match
router.Handle("/api/workout/", authMiddleware(db, workoutApi(db)))
return middleware.Logging(
middleware.EnableCors(
router))
}
func authMiddleware(db *sql.DB, h http.Handler) http.Handler {
return middleware.EnsureValidSession(db, h) return middleware.EnsureValidSession(db, h)
} }
func handleIndex(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user := service.GetUserFromRequest(db, r)
err := template.
Layout(template.Index(), service.UserInfoComp(user)).
Render(r.Context(), w)
if err != nil {
utils.LogError("Failed to render index", err)
http.Error(w, "Failed to render index", http.StatusInternalServerError)
}
}
}
func handleNotFound(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user := service.GetUserFromRequest(db, r)
err := template.
Layout(template.NotFound(), service.UserInfoComp(user)).
Render(r.Context(), w)
if err != nil {
utils.LogError("Failed to render index", err)
http.Error(w, "Failed to render index", http.StatusInternalServerError)
}
w.WriteHeader(http.StatusNotFound)
}
}

21
handler/workout.go
View File

@@ -7,9 +7,20 @@ import (
"net/http" "net/http"
) )
func handleWorkout(db *sql.DB, router *http.ServeMux) { func workoutUi(db *sql.DB) http.Handler {
router.Handle("/workout", auth(db, service.HandleWorkoutPage(db))) router := http.NewServeMux()
router.Handle("POST /api/workout", auth(db, service.HandleWorkoutNewComp(db)))
router.Handle("GET /api/workout", auth(db, service.HandleWorkoutGetComp(db))) router.Handle("/workout", service.HandleWorkoutPage(db))
router.Handle("DELETE /api/workout/{id}", auth(db, service.HandleWorkoutDeleteComp(db)))
return router
}
func workoutApi(db *sql.DB) http.Handler {
router := http.NewServeMux()
router.Handle("POST /api/workout", service.HandleWorkoutNewComp(db))
router.Handle("GET /api/workout", service.HandleWorkoutGetComp(db))
router.Handle("DELETE /api/workout/{id}", service.HandleWorkoutDeleteComp(db))
return router
} }

3
middleware/auth.go
View File

@@ -1,6 +1,7 @@
package middleware package middleware
import ( import (
"me-fit/service"
"me-fit/utils" "me-fit/utils"
"context" "context"
@@ -12,7 +13,7 @@ func EnsureValidSession(db *sql.DB, next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
user := utils.GetUserFromSession(db, r) user := service.GetUserFromRequest(db, r)
if user == nil { if user == nil {
utils.DoRedirect(w, r, "/auth/signin") utils.DoRedirect(w, r, "/auth/signin")
return return

622
service/auth.go
View File

@@ -5,15 +5,15 @@ import (
"crypto/rand" "crypto/rand"
"crypto/subtle" "crypto/subtle"
"database/sql" "database/sql"
"encoding/base64"
"errors" "errors"
"log/slog" "log/slog"
"net/http" "net/http"
"net/mail" "net/mail"
"net/url"
"strings" "strings"
"time" "time"
"me-fit/template" "me-fit/db"
"me-fit/template/auth" "me-fit/template/auth"
tempMail "me-fit/template/mail" tempMail "me-fit/template/mail"
"me-fit/types" "me-fit/types"
@@ -24,97 +24,154 @@ import (
"golang.org/x/crypto/argon2" "golang.org/x/crypto/argon2"
) )
func HandleSignInPage(db *sql.DB) http.HandlerFunc { // TESTED
return func(w http.ResponseWriter, r *http.Request) {
user := utils.GetUserFromSession(db, r)
if user == nil { var (
userComp := UserInfoComp(nil) ErrInternalServer = errors.New("Internal Server Error")
signIn := auth.SignInOrUpComp(true) ErrInvalidUsernameOrPassword = errors.New("Invalid username or password")
err := template.Layout(signIn, userComp).Render(r.Context(), w) )
// NOT TESTED
type AuthService struct {
db *sql.DB
dbSer *db.AuthDb
}
func NewAuthService(db *sql.DB) *AuthService {
return &AuthService{
db: db,
}
}
func (a *AuthService) SignUp(email string, password string) (*types.SessionId, error) {
_, err := mail.ParseAddress(email)
if err != nil { if err != nil {
utils.LogError("Failed to render sign in page", err) return nil, errors.Join(errors.New("Invalid email"))
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
} }
} else if !user.EmailVerified { err = checkPassword(password)
utils.DoRedirect(w, r, "/auth/verify")
} else {
utils.DoRedirect(w, r, "/")
}
}
}
func HandleSignUpPage(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user := utils.GetUserFromSession(db, r)
if user == nil {
userComp := UserInfoComp(nil)
signUpComp := auth.SignInOrUpComp(false)
err := template.Layout(signUpComp, userComp).Render(r.Context(), w)
if err != nil { if err != nil {
utils.LogError("Failed to render sign up page", err) return nil, err
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
} }
} else if !user.EmailVerified { userId, err := uuid.NewRandom()
utils.DoRedirect(w, r, "/auth/verify")
} else {
utils.DoRedirect(w, r, "/")
}
}
}
func HandleSignUpVerifyPage(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user := utils.GetUserFromSession(db, r)
if user == nil {
utils.DoRedirect(w, r, "/auth/signin")
} else if user.EmailVerified {
utils.DoRedirect(w, r, "/")
} else {
userComp := UserInfoComp(user)
signIn := auth.VerifyComp()
err := template.Layout(signIn, userComp).Render(r.Context(), w)
if err != nil { if err != nil {
utils.LogError("Failed to render verify page", err) utils.LogError("Could not generate UUID for new user", err)
http.Error(w, "Internal Server Error", http.StatusInternalServerError) return nil, ErrInternalServer
}
}
}
} }
func HandleDeleteAccountPage(db *sql.DB) http.HandlerFunc { salt := make([]byte, 16)
return func(w http.ResponseWriter, r *http.Request) { _, err = rand.Read(salt)
// An unverified email should be able to delete their account
user := utils.GetUserFromSession(db, r)
if user == nil {
utils.DoRedirect(w, r, "/auth/signin")
} else {
userComp := UserInfoComp(user)
comp := auth.DeleteAccountComp()
err := template.Layout(comp, userComp).Render(r.Context(), w)
if err != nil { if err != nil {
utils.LogError("Failed to render delete account page", err) utils.LogError("Could not generate salt for new user", err)
http.Error(w, "Internal Server Error", http.StatusInternalServerError) return nil, ErrInternalServer
}
}
}
} }
func HandleSignUpVerifyResponsePage(db *sql.DB) http.HandlerFunc { hash := getHashPassword(password, salt)
return func(w http.ResponseWriter, r *http.Request) {
token := r.URL.Query().Get("token") err := a.dbSer.InsertUser(a.db, userId, email, hash, salt)
_, err = a.db.Exec("INSERT INTO user (user_uuid, email, email_verified, is_admin, password, salt, created_at) VALUES (?, ?, FALSE, FALSE, ?, ?, datetime())", userId, email, hash, salt)
if token == "" { if err != nil {
utils.DoRedirect(w, r, "/auth/verify") // This does leak information about the email being in use, though not specifically stated
return // It needs to be refacoteres to "If the email is not already in use, an email has been send to your address", or something
// The happy path, currently a redirect, needs to send the same message!
// Then it is also important to have the same compute time in both paths
// Otherwise an attacker could guess emails when comparing the response time
if strings.Contains(err.Error(), "email") {
return nil, errors.New("Bad Request")
} }
utils.LogError("Could not insert user", err)
return nil, ErrInternalServer
}
sessionId, err := createSession(a.db, userId)
if err != nil {
return nil, err
}
// Send verification email as a goroutine
go SendVerificationEmail(a.db, userId.String(), email)
return sessionId, nil
}
func (a *AuthService) SignIn(email string, password string) (*types.SessionId, error) {
start := time.Now()
sessionId, err := a.internalSignIn(email, password)
duration := time.Since(start)
timeToWait := 100 - duration.Milliseconds()
// It is important to sleep for a while to prevent timing attacks
// If the email is correct, the server will calculate the hash, which will take some time
// This way an attacker could guess emails when comparing the response time
// Because of that, we cant use WriteHeader in the middle of the function. We have to wait until the end
// Unfortunatly this makes the code harder to read
time.Sleep(time.Duration(timeToWait) * time.Millisecond)
return sessionId, err
}
func (a *AuthService) internalSignIn(email string, password string) (*types.SessionId, error) {
var (
userId uuid.UUID
savedHash []byte
salt []byte
)
err := a.db.QueryRow("SELECT user_uuid, password, salt FROM user WHERE email = ?", email).Scan(&userId, &savedHash, &salt)
if err != nil {
if err == sql.ErrNoRows {
return nil, ErrInvalidUsernameOrPassword
}
utils.LogError("Could not query user on sign in", err)
return nil, ErrInternalServer
}
new_hash := getHashPassword(password, salt)
if subtle.ConstantTimeCompare(new_hash, savedHash) == 0 {
return nil, errors.Join(ErrInvalidUsernameOrPassword)
}
sessionId, err := createSession(a.db, userId)
if err != nil {
return nil, err
}
return sessionId, nil
}
func GetUserFromSessionId(db *sql.DB, sessionId types.SessionId) *types.User {
if sessionId == "" {
return nil
}
var (
createdAt time.Time
userId uuid.UUID
email string
emailVerified bool
)
err := db.QueryRow(`
SELECT u.user_uuid, u.email, u.email_verified, s.created_at
FROM session s
INNER JOIN user u ON s.user_uuid = u.user_uuid
WHERE session_id = ?`, sessionId).Scan(&userId, &email, &emailVerified, &createdAt)
if err != nil {
slog.Warn("Could not verify session: " + err.Error())
return nil
}
if createdAt.Add(time.Duration(8 * time.Hour)).Before(time.Now()) {
return nil
} else {
return types.NewUser(userId, email, sessionId, emailVerified)
}
}
func ValidateEmail(db *sql.DB, token string) error {
result, err := db.Exec(` result, err := db.Exec(`
UPDATE user UPDATE user
SET email_verified = true, email_verified_at = datetime() SET email_verified = true, email_verified_at = datetime()
@@ -123,66 +180,22 @@ func HandleSignUpVerifyResponsePage(db *sql.DB) http.HandlerFunc {
FROM user_token FROM user_token
WHERE type = "email_verify" WHERE type = "email_verify"
AND token = ? AND token = ?
); );`, token)
`, token)
if err != nil { if err != nil {
utils.LogError("Could not update user on verify response", err) return errors.Join(errors.New("Could not update user on verify response"), err)
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
return
} }
i, err := result.RowsAffected() i, err := result.RowsAffected()
if err != nil { if err != nil {
utils.LogError("Could not get rows affected on verify response", err) return errors.Join(errors.New("Could not get rows affected on verify response"), err)
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
return
} }
if i == 0 { if i == 0 {
utils.DoRedirect(w, r, "/") return errors.New("Token is invalid")
} else {
utils.DoRedirect(w, r, "/auth/signin")
}
}
} }
func HandleChangePasswordPage(db *sql.DB) http.HandlerFunc { return nil
return func(w http.ResponseWriter, r *http.Request) {
isPasswordReset := r.URL.Query().Has("token")
user := utils.GetUserFromSession(db, r)
if user == nil && !isPasswordReset {
utils.DoRedirect(w, r, "/auth/signin")
} else {
userComp := UserInfoComp(user)
comp := auth.ChangePasswordComp(isPasswordReset)
err := template.Layout(comp, userComp).Render(r.Context(), w)
if err != nil {
utils.LogError("Failed to render change password page", err)
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
}
}
}
}
func HandleResetPasswordPage(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user := utils.GetUserFromSession(db, r)
if user != nil {
utils.DoRedirect(w, r, "/auth/signin")
} else {
userComp := UserInfoComp(nil)
comp := auth.ResetPasswordComp()
err := template.Layout(comp, userComp).Render(r.Context(), w)
if err != nil {
utils.LogError("Failed to render change password page", err)
http.Error(w, "Internal Server Error", http.StatusInternalServerError)
}
}
}
} }
func UserInfoComp(user *types.User) templ.Component { func UserInfoComp(user *types.User) templ.Component {
@@ -194,165 +207,23 @@ func UserInfoComp(user *types.User) templ.Component {
} }
} }
func HandleSignUpComp(db *sql.DB) http.HandlerFunc { func SignOut(db *sql.DB, user *types.User) error {
return func(w http.ResponseWriter, r *http.Request) { if user == nil {
var email = r.FormValue("email") return nil
var password = r.FormValue("password")
_, err := mail.ParseAddress(email)
if err != nil {
http.Error(w, "Invalid email", http.StatusBadRequest)
return
} }
err = checkPassword(password)
if err != nil {
http.Error(w, err.Error(), http.StatusBadRequest)
return
}
userId, err := uuid.NewRandom()
if err != nil {
utils.LogError("Could not generate UUID", err)
auth.Error("Internal Server Error").Render(r.Context(), w)
return
}
salt := make([]byte, 16)
_, err = rand.Read(salt)
if err != nil {
utils.LogError("Could not generate salt", err)
auth.Error("Internal Server Error").Render(r.Context(), w)
return
}
hash := getHashPassword(password, salt)
_, err = db.Exec("INSERT INTO user (user_uuid, email, email_verified, is_admin, password, salt, created_at) VALUES (?, ?, FALSE, FALSE, ?, ?, datetime())", userId, email, hash, salt)
if err != nil {
// This does leak information about the email being in use, though not specifically stated
// It needs to be refacoteres to "If the email is not already in use, an email has been send to your address", or something
// The happy path, currently a redirect, needs to send the same message!
// Then it is also important to have the same compute time in both paths
// Otherwise an attacker could guess emails when comparing the response time
if strings.Contains(err.Error(), "email") {
auth.Error("Bad Request").Render(r.Context(), w)
return
}
utils.LogError("Could not insert user", err)
auth.Error("Internal Server Error").Render(r.Context(), w)
return
}
result := tryCreateSessionAndSetCookie(r, w, db, userId)
if !result {
return
}
// Send verification email as a goroutine
go sendVerificationEmail(db, userId.String(), email)
utils.DoRedirect(w, r, "/auth/verify")
}
}
func HandleSignInComp(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
var email = r.FormValue("email")
var password = r.FormValue("password")
var result bool = true
start := time.Now()
var (
userId uuid.UUID
savedHash []byte
salt []byte
emailVerified bool
)
err := db.QueryRow("SELECT user_uuid, password, salt, email_verified FROM user WHERE email = ?", email).Scan(&userId, &savedHash, &salt, &emailVerified)
if err != nil {
result = false
}
if result {
new_hash := getHashPassword(password, salt)
if subtle.ConstantTimeCompare(new_hash, savedHash) == 0 {
result = false
}
}
if result {
result := tryCreateSessionAndSetCookie(r, w, db, userId)
if !result {
return
}
}
duration := time.Since(start)
timeToWait := 100 - duration.Milliseconds()
// It is important to sleep for a while to prevent timing attacks
// If the email is correct, the server will calculate the hash, which will take some time
// This way an attacker could guess emails when comparing the response time
// Because of that, we cant use WriteHeader in the middle of the function. We have to wait until the end
// Unfortunatly this makes the code harder to read
time.Sleep(time.Duration(timeToWait) * time.Millisecond)
if result {
if !emailVerified {
utils.DoRedirect(w, r, "/auth/verify")
} else {
utils.DoRedirect(w, r, "/")
}
} else {
auth.Error("Invalid email or password").Render(r.Context(), w)
}
}
}
func HandleSignOutComp(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user := utils.GetUserFromSession(db, r)
if user != nil {
_, err := db.Exec("DELETE FROM session WHERE session_id = ?", user.SessionId) _, err := db.Exec("DELETE FROM session WHERE session_id = ?", user.SessionId)
if err != nil { if err != nil {
utils.LogError("Could not delete session", err) return errors.Join(errors.New("Could not delete session"), err)
utils.TriggerToast(w, r, "error", "Internal Server Error")
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
} }
c := http.Cookie{ return nil
Name: "id",
Value: "",
MaxAge: -1,
Secure: true,
HttpOnly: true,
SameSite: http.SameSiteStrictMode,
Path: "/",
} }
http.SetCookie(w, &c) func DeleteAccount(db *sql.DB, user *types.User, password string) error {
utils.DoRedirect(w, r, "/")
}
}
func HandleDeleteAccountComp(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user := utils.GetUserFromSession(db, r)
if user == nil {
utils.DoRedirect(w, r, "/auth/signin")
return
}
password := r.FormValue("password")
if password == "" { if password == "" {
utils.TriggerToast(w, r, "error", "Password is required") return errors.New("Please enter your password")
return
} }
var ( var (
@@ -362,86 +233,47 @@ func HandleDeleteAccountComp(db *sql.DB) http.HandlerFunc {
err := db.QueryRow("SELECT password, salt FROM user WHERE user_uuid = ?", user.Id).Scan(&storedHash, &salt) err := db.QueryRow("SELECT password, salt FROM user WHERE user_uuid = ?", user.Id).Scan(&storedHash, &salt)
if err != nil { if err != nil {
utils.LogError("Could not get password", err) return errors.Join(errors.New("Could not get password"), err)
utils.TriggerToast(w, r, "error", "Internal Server Error")
return
} }
currHash := getHashPassword(password, salt) currHash := getHashPassword(password, salt)
if subtle.ConstantTimeCompare(currHash, storedHash) == 0 { if subtle.ConstantTimeCompare(currHash, storedHash) == 0 {
utils.TriggerToast(w, r, "error", "Password is not correct") return errors.New("Password is not correct")
return
} }
_, err = db.Exec("DELETE FROM workout WHERE user_id = ?", user.Id) _, err = db.Exec("DELETE FROM workout WHERE user_id = ?", user.Id)
if err != nil { if err != nil {
utils.LogError("Could not delete workouts", err) return errors.Join(errors.New("Could not delete workouts"), err)
utils.TriggerToast(w, r, "error", "Internal Server Error")
return
} }
_, err = db.Exec("DELETE FROM user_token WHERE user_uuid = ?", user.Id) _, err = db.Exec("DELETE FROM user_token WHERE user_uuid = ?", user.Id)
if err != nil { if err != nil {
utils.LogError("Could not delete user tokens", err) return errors.Join(errors.New("Could not delete tokens"), err)
utils.TriggerToast(w, r, "error", "Internal Server Error")
return
} }
_, err = db.Exec("DELETE FROM session WHERE user_uuid = ?", user.Id) _, err = db.Exec("DELETE FROM session WHERE user_uuid = ?", user.Id)
if err != nil { if err != nil {
utils.LogError("Could not delete sessions", err) return errors.Join(errors.New("Could not delete sessions"), err)
utils.TriggerToast(w, r, "error", "Internal Server Error")
return
} }
_, err = db.Exec("DELETE FROM user WHERE user_uuid = ?", user.Id) _, err = db.Exec("DELETE FROM user WHERE user_uuid = ?", user.Id)
if err != nil { if err != nil {
utils.LogError("Could not delete user", err) return errors.Join(errors.New("Could not delete user"), err)
utils.TriggerToast(w, r, "error", "Internal Server Error")
return
} }
go utils.SendMail(user.Email, "Account deleted", "Your account has been deleted") go utils.SendMail(user.Email, "Account deleted", "Your account has been deleted")
return nil
utils.DoRedirect(w, r, "/")
}
} }
func HandleVerifyResendComp(db *sql.DB) http.HandlerFunc { func ChangePassword(db *sql.DB, user *types.User, currPass string, newPass string) error {
return func(w http.ResponseWriter, r *http.Request) {
user := utils.GetUserFromSession(db, r)
if user == nil || user.EmailVerified {
utils.DoRedirect(w, r, "/auth/signin")
return
}
go sendVerificationEmail(db, user.Id.String(), user.Email)
w.Write([]byte("<p class=\"mt-8\">Verification email sent</p>"))
}
}
func HandleChangePasswordComp(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user := utils.GetUserFromSession(db, r)
if user == nil {
utils.DoRedirect(w, r, "/auth/signin")
return
}
currPass := r.FormValue("current-password")
newPass := r.FormValue("new-password")
err := checkPassword(newPass) err := checkPassword(newPass)
if err != nil { if err != nil {
utils.TriggerToast(w, r, "error", err.Error()) return err
return
} }
if currPass == newPass { if currPass == newPass {
utils.TriggerToast(w, r, "error", "Please use a new password") return errors.New("New password can not be the same as the current password")
return
} }
var ( var (
@@ -451,52 +283,29 @@ func HandleChangePasswordComp(db *sql.DB) http.HandlerFunc {
err = db.QueryRow("SELECT password, salt FROM user WHERE user_uuid = ?", user.Id).Scan(&storedHash, &salt) err = db.QueryRow("SELECT password, salt FROM user WHERE user_uuid = ?", user.Id).Scan(&storedHash, &salt)
if err != nil { if err != nil {
utils.LogError("Could not get password", err) return errors.Join(errors.New("Could not get password"), err)
utils.TriggerToast(w, r, "error", "Internal Server Error")
return
} }
currHash := getHashPassword(currPass, salt) currHash := getHashPassword(currPass, salt)
if subtle.ConstantTimeCompare(currHash, storedHash) == 0 { if subtle.ConstantTimeCompare(currHash, storedHash) == 0 {
utils.TriggerToast(w, r, "error", "Current Password is not correct") return errors.New("Current password is not correct")
return
} }
newHash := getHashPassword(newPass, salt) newHash := getHashPassword(newPass, salt)
_, err = db.Exec("UPDATE user SET password = ? WHERE user_uuid = ?", newHash, user.Id) _, err = db.Exec("UPDATE user SET password = ? WHERE user_uuid = ?", newHash, user.Id)
if err != nil { if err != nil {
utils.LogError("Could not update password", err) return errors.Join(errors.New("Could not update password"), err)
utils.TriggerToast(w, r, "error", "Internal Server Error")
return
} }
utils.TriggerToast(w, r, "success", "Password changed") return nil
}
} }
func HandleActualResetPasswordComp(db *sql.DB) http.HandlerFunc { func ActualResetPassword(db *sql.DB, token string, newPass string) error {
return func(w http.ResponseWriter, r *http.Request) {
pageUrl, err := url.Parse(r.Header.Get("HX-Current-URL")) err := checkPassword(newPass)
if err != nil { if err != nil {
utils.LogError("Could not get current URL", err) return err
utils.TriggerToast(w, r, "error", "Internal Server Error")
return
}
token := pageUrl.Query().Get("token")
if token == "" {
utils.TriggerToast(w, r, "error", "No token")
return
}
newPass := r.FormValue("new-password")
err = checkPassword(newPass)
if err != nil {
utils.TriggerToast(w, r, "error", err.Error())
return
} }
var ( var (
@@ -513,43 +322,33 @@ func HandleActualResetPasswordComp(db *sql.DB) http.HandlerFunc {
AND t.expires_at > datetime() AND t.expires_at > datetime()
`, token).Scan(&userId, &salt) `, token).Scan(&userId, &salt)
if err != nil { if err != nil {
slog.Warn("Could not get user from token: " + err.Error()) return errors.Join(errors.New("Could not get user from token"), err)
utils.TriggerToast(w, r, "error", "Invalid token")
return
} }
_, err = db.Exec("DELETE FROM user_token WHERE token = ? AND type = 'password_reset'", token) _, err = db.Exec("DELETE FROM user_token WHERE token = ? AND type = 'password_reset'", token)
if err != nil { if err != nil {
utils.LogError("Could not delete token", err) return errors.Join(errors.New("Could not delete token"), err)
utils.TriggerToast(w, r, "error", "Internal Server Error")
return
} }
passHash := getHashPassword(newPass, salt) passHash := getHashPassword(newPass, salt)
_, err = db.Exec("UPDATE user SET password = ? WHERE user_uuid = ?", passHash, userId) _, err = db.Exec("UPDATE user SET password = ? WHERE user_uuid = ?", passHash, userId)
if err != nil { if err != nil {
utils.LogError("Could not update password", err) return errors.Join(errors.New("Could not update password"), err)
utils.TriggerToast(w, r, "error", "Internal Server Error")
return
} }
utils.TriggerToast(w, r, "success", "Password changed") return nil
} }
}
func HandleResetPasswordComp(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
email := r.FormValue("email") func ResetPassword(db *sql.DB, email string) (string, error) {
if email == "" { if email == "" {
utils.TriggerToast(w, r, "error", "Please enter an email") return "", errors.New("Please enter an email")
return
} }
token, err := utils.RandomToken() token, err := randomToken()
if err != nil { if err != nil {
utils.LogError("Could not generate token", err) return "", errors.Join(errors.New("Could not generate token"), err)
return
} }
res, err := db.Exec(` res, err := db.Exec(`
@@ -559,33 +358,22 @@ func HandleResetPasswordComp(db *sql.DB) http.HandlerFunc {
WHERE email = ? WHERE email = ?
`, token, email) `, token, email)
if err != nil { if err != nil {
utils.LogError("Could not insert token", err) return "", errors.Join(errors.New("Could not insert token"), err)
utils.TriggerToast(w, r, "error", "Internal Server Error")
return
} }
i, err := res.RowsAffected() i, err := res.RowsAffected()
if err != nil { if err != nil {
utils.LogError("Could not get rows affected", err) return "", errors.Join(errors.New("Could not get rows affected"), err)
utils.TriggerToast(w, r, "error", "Internal Server Error")
return
} }
if i != 0 { if i == 0 {
var mail strings.Builder return "", nil
err = tempMail.ResetPassword(token).Render(context.Background(), &mail) } else {
if err != nil { return token, nil
utils.LogError("Could not render reset password email", err)
utils.TriggerToast(w, r, "error", "Internal Server Error")
return
} }
utils.SendMail(email, "Reset Password", mail.String())
} }
utils.TriggerToast(w, r, "info", "If the email exists, an email has been sent") func SendVerificationEmail(db *sql.DB, userId string, email string) {
}
}
func sendVerificationEmail(db *sql.DB, userId string, email string) {
var token string var token string
err := db.QueryRow("SELECT token FROM user_token WHERE user_uuid = ? AND type = 'email_verify'", userId).Scan(&token) err := db.QueryRow("SELECT token FROM user_token WHERE user_uuid = ? AND type = 'email_verify'", userId).Scan(&token)
@@ -595,7 +383,7 @@ func sendVerificationEmail(db *sql.DB, userId string, email string) {
} }
if token == "" { if token == "" {
token, err := utils.RandomToken() token, err := randomToken()
if err != nil { if err != nil {
utils.LogError("Could not generate token", err) utils.LogError("Could not generate token", err)
return return
@@ -617,8 +405,31 @@ func sendVerificationEmail(db *sql.DB, userId string, email string) {
utils.SendMail(email, "Welcome to ME-FIT", w.String()) utils.SendMail(email, "Welcome to ME-FIT", w.String())
} }
func createSession(db *sql.DB, user_uuid uuid.UUID) (*types.SessionId, error) {
sessionId, err := randomToken()
if err != nil {
return nil, err
}
// Delete old inactive sessions
_, err = db.Exec("DELETE FROM session WHERE created_at < datetime('now','-8 hours') AND user_uuid = ?", user_uuid)
if err != nil {
utils.LogError("Could not delete old sessions", err)
return nil, ErrInternalServer
}
_, err = db.Exec("INSERT INTO session (session_id, user_uuid, created_at) VALUES (?, ?, datetime())", sessionId, user_uuid)
if err != nil {
utils.LogError("Could not insert new session", err)
return nil, ErrInternalServer
}
sessionIdType := types.SessionId(sessionId)
return &sessionIdType, nil
}
func tryCreateSessionAndSetCookie(r *http.Request, w http.ResponseWriter, db *sql.DB, user_uuid uuid.UUID) bool { func tryCreateSessionAndSetCookie(r *http.Request, w http.ResponseWriter, db *sql.DB, user_uuid uuid.UUID) bool {
sessionId, err := utils.RandomToken() sessionId, err := randomToken()
if err != nil { if err != nil {
utils.LogError("Could not generate session ID", err) utils.LogError("Could not generate session ID", err)
auth.Error("Internal Server Error").Render(r.Context(), w) auth.Error("Internal Server Error").Render(r.Context(), w)
@@ -668,3 +479,30 @@ func checkPassword(password string) error {
return nil return nil
} }
} }
//TODO: delete
func getSessionID(r *http.Request) types.SessionId {
for _, c := range r.Cookies() {
if c.Name == "id" {
return types.SessionId(c.Value)
}
}
return ""
}
func GetUserFromRequest(db *sql.DB, r *http.Request) *types.User {
sessionId := getSessionID(r)
return GetUserFromSessionId(db, sessionId)
}
func randomToken() (string, error) {
b := make([]byte, 32)
_, err := rand.Read(b)
if err != nil {
utils.LogError("Could not generate random token", err)
return "", ErrInternalServer
}
return base64.StdEncoding.EncodeToString(b), nil
}

150
service/auth_test.go Normal file
View File

@@ -0,0 +1,150 @@
package service
import (
"me-fit/types"
"me-fit/utils"
"database/sql"
"testing"
"github.com/google/uuid"
)
func mustSetup(t *testing.T) *sql.DB {
db, err := sql.Open("sqlite3", ":memory:")
if err != nil {
t.Fatalf("Could not open Database data.db: %v", err)
}
utils.MustRunMigrationsTest(db, "../")
return db
}
func TestGetUserFromSessionIfSessionNotExpired(t *testing.T) {
db := mustSetup(t)
defer db.Close()
expected := types.NewUser(uuid.New(), "email", "session_id", true)
db.Exec(`INSERT INTO user (
user_uuid, email, email_verified, email_verified_at,
is_admin, password, salt, created_at)
VAlUES (
?, ?, 1, datetime(),
0, "password", "salt", datetime())`, expected.Id, expected.Email)
db.Exec(`INSERT INTO session (session_id, user_uuid, created_at) VALUES (?, ?, datetime('now', '-2 hour'))`, expected.SessionId, expected.Id)
actual := GetUserFromSessionId(db, expected.SessionId)
if *actual != *expected {
t.Errorf("Expected %v, got %v", *expected, *actual)
}
}
func TestGetUserFromSessionIfSessionInFuture(t *testing.T) {
db := mustSetup(t)
defer db.Close()
expected := types.NewUser(uuid.New(), "email", "session_id", true)
db.Exec(`INSERT INTO user (
user_uuid, email, email_verified, email_verified_at,
is_admin, password, salt, created_at)
VAlUES (
?, ?, 1, datetime(),
0, "password", "salt", datetime())`, expected.Id, expected.Email)
db.Exec(`INSERT INTO session (session_id, user_uuid, created_at) VALUES (?, ?, datetime('now', '+2 hour'))`, expected.SessionId, expected.Id)
actual := GetUserFromSessionId(db, expected.SessionId)
if *actual != *expected {
t.Errorf("Expected %v, got %v", *expected, *actual)
}
}
func TestFailGetUserFromSessionIfSessionExpired(t *testing.T) {
db := mustSetup(t)
defer db.Close()
expected := types.NewUser(uuid.New(), "email", "session_id", true)
db.Exec(`INSERT INTO user (
user_uuid, email, email_verified, email_verified_at,
is_admin, password, salt, created_at)
VAlUES (
?, ?, 1, datetime(),
0, "password", "salt", datetime())`, expected.Id, expected.Email)
db.Exec(`INSERT INTO session (session_id, user_uuid, created_at) VALUES (?, ?, datetime('now', '-8 hour', '-1 minute'))`, expected.SessionId, expected.Id)
actual := GetUserFromSessionId(db, expected.SessionId)
if actual != nil {
t.Errorf("Expected nil, got %v", *actual)
}
}
func TestGetUserFromSessionShouldFindCorrectUserBySessionId(t *testing.T) {
db := mustSetup(t)
defer db.Close()
expected := types.NewUser(uuid.New(), "email", "session_id", true)
userId2 := uuid.New()
db.Exec(`INSERT INTO user (
user_uuid, email, email_verified, email_verified_at,
is_admin, password, salt, created_at)
VAlUES (
?, ?, 1, datetime(),
0, "password", "salt", datetime()),
(
?, ?, 1, datetime(),
0, "password", "salt", datetime())
`, expected.Id, expected.Email, userId2, "email2")
db.Exec(`
INSERT INTO session (
session_id, user_uuid, created_at)
VALUES
(?, ?, datetime('now')),
(?, ?, datetime('now'))
`, expected.SessionId, expected.Id, expected.SessionId+"x", userId2)
actual := GetUserFromSessionId(db, expected.SessionId)
if *actual != *expected {
t.Errorf("Expected %v, got %v", *expected, *actual)
}
}
func TestValidPasswords(t *testing.T) {
passwords := []string{
"aB!'2d2y", //normal
"v-#:j`fQurudEEUk#xA)uzI-B+'eZW3`F*5Eaf+{YID#PWuD.TbyH'f<MC)Ck$!]K[K6~dIN&R'mRaKO,qpDpP'*A!/}73=ilK_COqM/Q%!(hyS8V75e2@J2k223T`tv", // 128 characters
`aB!"'2d2y`, // include " in password
}
for _, password := range passwords {
err := checkPassword(password)
if err != nil {
t.Errorf("Expected nil, got error")
}
}
}
func TestInvalidPasswords(t *testing.T) {
passwords := []string{
"aB!'2d2", // too short
"", // empty
"ab123SSa", // no special character
"passwor1!", // no uppercase
"PASSWOR1!", // no lowercase
"Password!", // no number
"Password1", // no special character
}
for _, password := range passwords {
err := checkPassword(password)
if err == nil {
t.Errorf("Expected error, got nil")
}
}
}

32
service/index_and_404.go
View File

@@ -1,32 +0,0 @@
package service
import (
"database/sql"
"me-fit/template"
"me-fit/utils"
"net/http"
"github.com/a-h/templ"
)
func HandleIndexAnd404(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
user := utils.GetUserFromSession(db, r)
var comp templ.Component = nil
userComp := UserInfoComp(user)
if r.URL.Path != "/" {
comp = template.Layout(template.NotFound(), userComp)
w.WriteHeader(http.StatusNotFound)
} else {
comp = template.Layout(template.Index(), userComp)
}
err := comp.Render(r.Context(), w)
if err != nil {
utils.LogError("Failed to render index", err)
http.Error(w, "Failed to render index", http.StatusInternalServerError)
}
}
}

13
types/types.go
View File

@@ -2,9 +2,20 @@ package types
import "github.com/google/uuid" import "github.com/google/uuid"
type SessionId string
type User struct { type User struct {
Id uuid.UUID Id uuid.UUID
Email string Email string
SessionId string SessionId SessionId
EmailVerified bool EmailVerified bool
} }
func NewUser(id uuid.UUID, email string, sessionId SessionId, emailVerified bool) *User {
return &User{
Id: id,
Email: email,
SessionId: sessionId,
EmailVerified: emailVerified,
}
}

16
utils/ctypto.go
View File

@@ -1,16 +0,0 @@
package utils
import (
"crypto/rand"
"encoding/base64"
)
func RandomToken() (string, error) {
b := make([]byte, 32)
_, err := rand.Read(b)
if err != nil {
return "", err
}
return base64.StdEncoding.EncodeToString(b), nil
}

9
utils/db.go
View File

@@ -10,13 +10,20 @@ import (
) )
func MustRunMigrations(db *sql.DB) { func MustRunMigrations(db *sql.DB) {
mustRunMigrationsInternal(db, "")
}
func MustRunMigrationsTest(db *sql.DB, pathPrefix string) {
mustRunMigrationsInternal(db, "../")
}
func mustRunMigrationsInternal(db *sql.DB, pathPrefix string) {
driver, err := sqlite3.WithInstance(db, &sqlite3.Config{}) driver, err := sqlite3.WithInstance(db, &sqlite3.Config{})
if err != nil { if err != nil {
log.Fatal(err) log.Fatal(err)
} }
m, err := migrate.NewWithDatabaseInstance( m, err := migrate.NewWithDatabaseInstance(
"file://./migration/", "file://./"+pathPrefix+"migration/",
"", "",
driver) driver)
if err != nil { if err != nil {

35
utils/http.go
View File

@@ -1,12 +1,10 @@
package utils package utils
import ( import (
"database/sql"
"fmt" "fmt"
"log/slog" "log/slog"
"me-fit/types" "me-fit/types"
"net/http" "net/http"
"time"
"github.com/prometheus/client_golang/prometheus" "github.com/prometheus/client_golang/prometheus"
"github.com/prometheus/client_golang/prometheus/promauto" "github.com/prometheus/client_golang/prometheus/promauto"
@@ -61,39 +59,10 @@ func GetUser(r *http.Request) *types.User {
} }
} }
func GetUserFromSession(db *sql.DB, r *http.Request) *types.User { func GetSessionID(r *http.Request) types.SessionId {
sessionId := getSessionID(r)
if sessionId == "" {
return nil
}
var user types.User
var createdAt time.Time
user.SessionId = sessionId
err := db.QueryRow(`
SELECT u.user_uuid, u.email, u.email_verified, s.created_at
FROM session s
INNER JOIN user u ON s.user_uuid = u.user_uuid
WHERE session_id = ?`, sessionId).Scan(&user.Id, &user.Email, &user.EmailVerified, &createdAt)
if err != nil {
slog.Warn("Could not verify session: " + err.Error())
return nil
}
if createdAt.Add(time.Duration(8 * time.Hour)).Before(time.Now()) {
return nil
} else {
return &user
}
}
func getSessionID(r *http.Request) string {
for _, c := range r.Cookies() { for _, c := range r.Cookies() {
if c.Name == "id" { if c.Name == "id" {
return c.Value return types.SessionId(c.Value)
} }
} }
return "" return ""