diff --git a/Dockerfile b/Dockerfile index 4db9014..b45cc83 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,10 +1,16 @@ FROM golang:1.23.3@sha256:73f06be4578c9987ce560087e2e2ea6485fb605e3910542cadd8fa09fc5f3e31 AS builder_go WORKDIR /me-fit -RUN go install github.com/a-h/templ/cmd/templ@latest && go install github.com/vektra/mockery/v2@latest && go install honnef.co/go/tools/cmd/staticcheck@latest +RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.62.2 +RUN go install github.com/a-h/templ/cmd/templ@latest +RUN go install github.com/vektra/mockery/v2@latest COPY go.mod go.sum ./ RUN go mod download COPY . ./ -RUN templ generate && mockery --log-level warn && staticcheck ./... && go test ./... && go build -o /me-fit/me-fit . +RUN templ generate +RUN mockery --log-level warn +RUN go test ./... +RUN golangci-lint run ./... +RUN go build -o /me-fit/me-fit . FROM node:22.11.0@sha256:5c76d05034644fa8ecc9c2aa84e0a83cd981d0ef13af5455b87b9adf5b216561 AS builder_node diff --git a/db/auth.go b/db/auth.go index 3831004..0a73aa2 100644 --- a/db/auth.go +++ b/db/auth.go @@ -1,6 +1,7 @@ package db import ( + "log/slog" "me-fit/types" "me-fit/utils" @@ -13,9 +14,8 @@ import ( ) var ( - ErrUserNotFound = errors.New("User not found") - ErrUserExists = errors.New("User already exists") - ErrSessionNotFound = errors.New("Session not found") + ErrNotFound = errors.New("value not found") + ErrUserExists = errors.New("user already exists") ) type User struct { 
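Review bot: The new `RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- ...` fetches an installer from a moving branch and pipes it to a shell, which undoes the digest pinning this same stage applies to its base image; the `v1.62.2` argument only pins what the script chooses to download, not the script itself. `go install github.com/golangci/golangci-lint/cmd/golangci-lint@v1.62.2` obtains the same tool through the module proxy with checksum verification, and the two `@latest` installs for templ and mockery should likewise be pinned to tags so the build is reproducible. If the script route is kept, point it at a tag or commit URL and verify its checksum before executing it.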
@@ -56,20 +56,45 @@ func NewSession(id string, userId uuid.UUID, createdAt time.Time) *Session { } } +type Token struct { + UserId uuid.UUID + Token string + Type string + CreatedAt time.Time + ExpiresAt time.Time +} + +var ( + TokenTypeEmailVerify = "email_verify" + TokenTypePasswordReset = "password_reset" +) + +func NewToken(userId uuid.UUID, token string, tokenType string, createdAt time.Time, expiresAt time.Time) *Token { + return &Token{ + UserId: userId, + Token: token, + Type: tokenType, + CreatedAt: createdAt, + ExpiresAt: expiresAt, + } +} + type AuthDb interface { InsertUser(user *User) error - GetUser(email string) (*User, error) - GetUserById(userId uuid.UUID) (*User, error) + UpdateUser(user *User) error + GetUserByEmail(email string) (*User, error) + GetUser(userId uuid.UUID) (*User, error) DeleteUser(userId uuid.UUID) error - UpdateUserPassword(userId uuid.UUID, newHash []byte) error - InsertEmailVerificationToken(userId uuid.UUID, token string) error - GetEmailVerificationToken(userId uuid.UUID) (string, error) + InsertToken(token *Token) error + GetToken(token string) (*Token, error) + GetTokensByUserIdAndType(userId uuid.UUID, tokenType string) ([]*Token, error) + DeleteToken(token string) error InsertSession(session *Session) error GetSession(sessionId string) (*Session, error) - DeleteOldSessions(userId uuid.UUID) error DeleteSession(sessionId string) error + DeleteOldSessions(userId uuid.UUID) error } type AuthDbSqlite struct { 
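Review bot: `TokenTypeEmailVerify` and `TokenTypePasswordReset` are declared in a `var` block, so any package can reassign them at runtime; they are fixed discriminators and belong in `const ( TokenTypeEmailVerify = "email_verify"; TokenTypePasswordReset = "password_reset" )`. The interface also makes the raw token string the sole key of `GetToken` and `DeleteToken`, which implies `user_token` holds tokens in clear, so anyone who can read that table (a backup, a log dump, a future SQL bug) holds live password-reset tokens. Consider storing and looking up a SHA-256 of the token while the clear value lives only in the mailed link. `AuthDbSqlite` begins on the hunk's last line and continues outside it.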
@@ -98,7 +123,22 @@ func (db AuthDbSqlite) InsertUser(user *User) error {
return nil
}
-func (db AuthDbSqlite) GetUser(email string) (*User, error) {
+func (db AuthDbSqlite) UpdateUser(user *User) error {
+ _, err := db.db.Exec(`
+ UPDATE user
+ SET email_verified = ?, email_verified_at = ?, password = ?
+ WHERE user_uuid = ?`,
+ user.EmailVerified, user.EmailVerifiedAt, user.Password, user.Id)
+
+ if err != nil {
+ utils.LogError("SQL error UpdateUser", err)
+ return types.ErrInternal
+ }
+
+ return nil
+}
+
+func (db AuthDbSqlite) GetUserByEmail(email string) (*User, error) {
var (
userId uuid.UUID
emailVerified bool
@@ -115,7 +155,7 @@ func (db AuthDbSqlite) GetUser(email string) (*User, error) {
WHERE email = ?`, email).Scan(&userId, &emailVerified, &emailVerifiedAt, &password, &salt, &createdAt)
if err != nil {
if err == sql.ErrNoRows {
- return nil, ErrUserNotFound
+ return nil, ErrNotFound
} else {
utils.LogError("SQL error GetUser", err)
return nil, types.ErrInternal
@@ -125,7 +165,7 @@ func (db AuthDbSqlite) GetUser(email string) (*User, error) {
return NewUser(userId, email, emailVerified, emailVerifiedAt, isAdmin, password, salt, createdAt), nil
}
-func (db AuthDbSqlite) GetUserById(userId uuid.UUID) (*User, error) {
+func (db AuthDbSqlite) GetUser(userId uuid.UUID) (*User, error) {
var (
email string
emailVerified bool
@@ -142,7 +182,7 @@ func (db AuthDbSqlite) GetUserById(userId uuid.UUID) (*User, error) {
WHERE user_uuid = ?`, userId).Scan(&email, &emailVerified, &emailVerifiedAt, &password, &salt, &createdAt)
if err != nil {
if err == sql.ErrNoRows {
- return nil, ErrUserNotFound
+ return nil, ErrNotFound
} else {
utils.LogError("SQL error GetUser", err)
return nil, types.ErrInternal
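Review bot: `UpdateUser` writes `email_verified`, `email_verified_at` and `password` together from a struct the caller loaded earlier, so every caller performs a read-modify-write of three unrelated columns; a password reset that lands between another flow's `GetUser` and its `UpdateUser` is silently reverted to the previous hash, and an email verification can be undone the same way. Either keep narrow statements (`UPDATE user SET password = ? WHERE user_uuid = ?`, as the removed `UpdateUserPassword` did) or add a version column to the `WHERE` clause and treat zero rows affected as a conflict. The fallback log label in `GetUserByEmail` still reads `SQL error GetUser`.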
@@ -162,28 +202,28 @@ func (db AuthDbSqlite) DeleteUser(userId uuid.UUID) error {
_, err = tx.Exec("DELETE FROM workout WHERE user_id = ?", userId)
if err != nil {
- tx.Rollback()
+ _ = tx.Rollback()
utils.LogError("Could not delete workouts", err)
return types.ErrInternal
}
_, err = tx.Exec("DELETE FROM user_token WHERE user_uuid = ?", userId)
if err != nil {
- tx.Rollback()
+ _ = tx.Rollback()
utils.LogError("Could not delete user tokens", err)
return types.ErrInternal
}
_, err = tx.Exec("DELETE FROM session WHERE user_uuid = ?", userId)
if err != nil {
- tx.Rollback()
+ _ = tx.Rollback()
utils.LogError("Could not delete sessions", err)
return types.ErrInternal
}
_, err = tx.Exec("DELETE FROM user WHERE user_uuid = ?", userId)
if err != nil {
- tx.Rollback()
+ _ = tx.Rollback()
utils.LogError("Could not delete user", err)
return types.ErrInternal
}
@@ -197,19 +237,10 @@ func (db AuthDbSqlite) DeleteUser(userId uuid.UUID) error {
return nil
}
-func (db AuthDbSqlite) UpdateUserPassword(userId uuid.UUID, newHash []byte) error {
- _, err := db.db.Exec("UPDATE user SET password = ? WHERE user_uuid = ?", newHash, userId)
- if err != nil {
- utils.LogError("Could not update password", err)
- return types.ErrInternal
- }
- return nil
-}
-
-func (db AuthDbSqlite) InsertEmailVerificationToken(userId uuid.UUID, token string) error {
+func (db AuthDbSqlite) InsertToken(token *Token) error {
_, err := db.db.Exec(`
- INSERT INTO user_token (user_uuid, type, token, created_at)
- VALUES (?, 'email_verify', ?, datetime())`, userId, token)
+ INSERT INTO user_token (user_uuid, type, token, created_at, expires_at)
+ VALUES (?, ?, ?, ?, ?)`, token.UserId, token.Type, token.Token, token.CreatedAt, token.ExpiresAt)
if err != nil {
utils.LogError("Could not insert token", err)
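Review bot: `InsertToken` binds `token.CreatedAt` and `token.ExpiresAt` as `time.Time` values, while `GetToken` and `GetTokensByUserIdAndType` later in this file read the columns back as strings and require `time.RFC3339`; the text a `time.Time` parameter is stored as is decided by the SQLite driver, and I am not sure the one in use emits RFC3339, in which case every lookup fails with `ErrInternal` and the expiry check never runs. Bind an explicit representation so both sides agree regardless of driver: `token.CreatedAt.UTC().Format(time.RFC3339), token.ExpiresAt.UTC().Format(time.RFC3339)`. The `DeleteUser` hunk above only discards the `Rollback` error, which is fine; that function begins outside the hunk.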
@@ -219,21 +250,102 @@ func (db AuthDbSqlite) InsertEmailVerificationToken(userId uuid.UUID, token stri return nil } -func (db AuthDbSqlite) GetEmailVerificationToken(userId uuid.UUID) (string, error) { - var token string +func (db AuthDbSqlite) GetToken(token string) (*Token, error) { + var ( + userId uuid.UUID + tokenType string + createdAtStr string + expiresAtStr string + createdAt time.Time + expiresAt time.Time + ) err := db.db.QueryRow(` - SELECT token + SELECT user_uuid, type, created_at, expires_at FROM user_token - WHERE user_uuid = ? - AND type = 'email_verify'`, userId).Scan(&token) + WHERE token = ? + AND type = 'email_verify'`, token).Scan(&userId, &tokenType, &createdAtStr, &expiresAtStr) - if err != nil && err != sql.ErrNoRows { - utils.LogError("Could not get token", err) - return "", types.ErrInternal + if err != nil { + if err == sql.ErrNoRows { + slog.Info("Token '" + token + "' not found") + return nil, ErrNotFound + } else { + utils.LogError("Could not get token", err) + return nil, types.ErrInternal + } } - return token, nil + createdAt, err = time.Parse(time.RFC3339, createdAtStr) + if err != nil { + utils.LogError("Could not parse token.created_at", err) + return nil, types.ErrInternal + } + + expiresAt, err = time.Parse(time.RFC3339, expiresAtStr) + if err != nil { + utils.LogError("Could not parse token.expires_at", err) + return nil, types.ErrInternal + } + + return NewToken(userId, token, tokenType, createdAt, expiresAt), nil +} + +func (db AuthDbSqlite) GetTokensByUserIdAndType(userId uuid.UUID, tokenType string) ([]*Token, error) { + + query, err := db.db.Query(` + SELECT token, created_at, expires_at + FROM user_token + WHERE user_uuid = ? 
+ AND type = ?`, userId, tokenType) + + if err != nil { + utils.LogError("Could not get token", err) + return nil, types.ErrInternal + } + + var tokens []*Token + + for query.Next() { + var ( + token string + createdAtStr string + expiresAtStr string + createdAt time.Time + expiresAt time.Time + ) + + err := query.Scan(&token, &createdAtStr, &expiresAtStr) + if err != nil { + utils.LogError("Could not scan token", err) + return nil, types.ErrInternal + } + + createdAt, err = time.Parse(time.RFC3339, createdAtStr) + if err != nil { + utils.LogError("Could not parse token.created_at", err) + return nil, types.ErrInternal + } + + expiresAt, err = time.Parse(time.RFC3339, expiresAtStr) + if err != nil { + utils.LogError("Could not parse token.expires_at", err) + return nil, types.ErrInternal + } + + tokens = append(tokens, NewToken(userId, token, tokenType, createdAt, expiresAt)) + } + + return tokens, nil +} + +func (db AuthDbSqlite) DeleteToken(token string) error { + _, err := db.db.Exec("DELETE FROM user_token WHERE token = ?", token) + if err != nil { + utils.LogError("Could not delete token", err) + return types.ErrInternal + } + return nil } func (db AuthDbSqlite) InsertSession(session *Session) error { @@ -264,7 +376,7 @@ func (db AuthDbSqlite) GetSession(sessionId string) (*Session, error) { WHERE session_id = ?`, sessionId).Scan(&userId, &sessionCreatedAt) if err != nil { - return nil, ErrSessionNotFound + return nil, ErrNotFound } return NewSession(sessionId, userId, sessionCreatedAt), nil diff --git a/db/auth_test.go b/db/auth_test.go index bb00522..3f26e7c 100644 --- a/db/auth_test.go +++ b/db/auth_test.go @@ -37,8 +37,8 @@ func TestUser(t *testing.T) { underTest := AuthDbSqlite{db: db} - _, err := underTest.GetUser("someNonExistentEmail") - assert.Equal(t, ErrUserNotFound, err) + _, err := underTest.GetUserByEmail("someNonExistentEmail") + assert.Equal(t, ErrNotFound, err) }) t.Run("should insert and get user", func(t *testing.T) { 
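Review bot: `GetToken` keeps `AND type = 'email_verify'` in its `WHERE` clause even though the commit reuses it for password-reset tokens (`ForgotPasswordResponse` calls it with the reset token), so reset tokens are never found; drop that predicate and let callers compare `token.Type`. The not-found branch writes the submitted secret to the log, `slog.Info("Token '" + token + "' not found")`, which is attacker-controlled input from the URL and, for a mistyped genuine token, a credential; log a length or hash instead, e.g. `slog.Info("token not found", "token_len", len(token))`. In `GetTokensByUserIdAndType` the `*sql.Rows` is never closed and `query.Err()` is not checked after the loop, which leaks a pooled connection per call; add `defer query.Close()` after the error check and return `types.ErrInternal` when `query.Err() != nil`.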
@@ -54,7 +54,7 @@ func TestUser(t *testing.T) { err := underTest.InsertUser(expected) assert.Nil(t, err) - actual, err := underTest.GetUser(expected.Email) + actual, err := underTest.GetUserByEmail(expected.Email) assert.Nil(t, err) assert.Equal(t, expected, actual) @@ -81,32 +81,35 @@ func TestUser(t *testing.T) { func TestEmailVerification(t *testing.T) { t.Parallel() - t.Run("should return empty string if no token is safed", func(t *testing.T) { + t.Run("should return NotFound", func(t *testing.T) { t.Parallel() db := setupDb(t) underTest := AuthDbSqlite{db: db} - token, err := underTest.GetEmailVerificationToken(uuid.New()) + token, err := underTest.GetToken("someNonExistentToken") - assert.Nil(t, err) - assert.Equal(t, "", token) + assert.Equal(t, ErrNotFound, err) + assert.Nil(t, token) }) t.Run("should insert and return token", func(t *testing.T) { t.Parallel() db := setupDb(t) underTest := AuthDbSqlite{db: db} + tokenStr := "some secure token" + createdAt := time.Date(2020, 1, 5, 13, 0, 0, 0, time.UTC) - userId := uuid.New() - expectedToken := "someToken" + expectedToken := NewToken(uuid.New(), tokenStr, TokenTypeEmailVerify, createdAt, createdAt.Add(24*time.Hour)) - err := underTest.InsertEmailVerificationToken(userId, expectedToken) + err := underTest.InsertToken(expectedToken) assert.Nil(t, err) - actualToken, err := underTest.GetEmailVerificationToken(userId) + actualToken, err := underTest.GetToken(tokenStr) assert.Nil(t, err) + t.Logf("expectedToken: %v", expectedToken) + t.Logf("actualToken: %v", actualToken) assert.Equal(t, expectedToken, actualToken) }) } diff --git a/handler/auth.go b/handler/auth.go index 4ea74d4..42f07c0 100644 --- a/handler/auth.go +++ b/handler/auth.go @@ -7,9 +7,9 @@ import ( "me-fit/types" "me-fit/utils" - "database/sql" "errors" "net/http" + "net/url" "time" ) 
@@ -18,14 +18,12 @@ type HandlerAuth interface { } type HandlerAuthImpl struct { - db *sql.DB service service.AuthService serverSettings *types.ServerSettings } -func NewHandlerAuth(db *sql.DB, service service.AuthService, serverSettings *types.ServerSettings) HandlerAuth { +func NewHandlerAuth(service service.AuthService, serverSettings *types.ServerSettings) HandlerAuth { return HandlerAuthImpl{ - db: db, service: service, serverSettings: serverSettings, } @@ -37,7 +35,7 @@ func (handler HandlerAuthImpl) Handle(router *http.ServeMux) { router.Handle("/auth/signup", handler.handleSignUpPage()) router.Handle("/auth/verify", handler.handleSignUpVerifyPage()) // Hint for the user to verify their email router.Handle("/auth/delete-account", handler.handleDeleteAccountPage()) - router.Handle("/auth/verify-email", service.HandleSignUpVerifyResponsePage(handler.db)) // The link contained in the email + router.Handle("/auth/verify-email", handler.HandleSignUpVerifyResponsePage()) // The link contained in the email router.Handle("/auth/change-password", handler.handleChangePasswordPage()) router.Handle("/auth/reset-password", handler.handleResetPasswordPage()) router.Handle("/api/auth/signup", handler.handleSignUp()) @@ -46,8 +44,8 @@ func (handler HandlerAuthImpl) Handle(router *http.ServeMux) { router.Handle("/api/auth/delete-account", handler.HandleDeleteAccountComp()) router.Handle("/api/auth/verify-resend", handler.HandleVerifyResendComp()) router.Handle("/api/auth/change-password", handler.HandleChangePasswordComp()) - router.Handle("/api/auth/reset-password", service.HandleResetPasswordComp(handler.db, handler.serverSettings)) - router.Handle("/api/auth/reset-password-actual", service.HandleActualResetPasswordComp(handler.db)) + router.Handle("/api/auth/reset-password", handler.HandleForgotPasswordComp()) + router.Handle("/api/auth/reset-password-actual", handler.HandleForgotPasswordResponseComp()) } var ( 
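Review bot: The password-reset endpoints moved here, `/api/auth/reset-password` and `/api/auth/reset-password-actual`, are registered with `router.Handle` for every HTTP method, so a plain GET (a link, an image tag) is enough to create a reset token or submit a new password. The builder image pins Go 1.23, so the method-qualified mux patterns are available: `router.Handle("POST /api/auth/reset-password", handler.HandleForgotPasswordComp())`, and likewise for the other mutating `/api/auth/...` routes. I cannot see whether a CSRF or method-filtering middleware wraps the router elsewhere; if not, this registration is the place to add it.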
@@ -331,7 +329,10 @@ func (handler HandlerAuthImpl) HandleVerifyResendComp() http.HandlerFunc { go handler.service.SendVerificationMail(user.Id, user.Email) - w.Write([]byte("

Verification email sent

")) + _, err = w.Write([]byte("

Verification email sent

")) + if err != nil { + utils.LogError("Could not write response", err) + } } } @@ -356,3 +357,63 @@ func (handler HandlerAuthImpl) HandleChangePasswordComp() http.HandlerFunc { utils.TriggerToast(w, r, "success", "Password changed") } } + +func (handler HandlerAuthImpl) HandleSignUpVerifyResponsePage() http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { + + token := r.URL.Query().Get("token") + + err := handler.service.VerifyUserEmail(token) + + if err != nil { + utils.DoRedirect(w, r, "/auth/signin") + } else { + utils.DoRedirect(w, r, "/") + } + } +} + +func (handler HandlerAuthImpl) HandleForgotPasswordComp() http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { + + email := r.FormValue("email") + if email == "" { + utils.TriggerToast(w, r, "error", "Please enter an email") + return + } + + err := handler.service.ForgotPassword(email) + if err != nil { + utils.TriggerToast(w, r, "error", "Internal Server Error") + } else { + utils.TriggerToast(w, r, "info", "If the email exists, an email has been sent") + } + } +} + +func (handler HandlerAuthImpl) HandleForgotPasswordResponseComp() http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { + + pageUrl, err := url.Parse(r.Header.Get("HX-Current-URL")) + if err != nil { + utils.LogError("Could not get current URL", err) + utils.TriggerToast(w, r, "error", "Internal Server Error") + return + } + + token := pageUrl.Query().Get("token") + if token == "" { + utils.TriggerToast(w, r, "error", "No token") + return + } + + newPass := r.FormValue("new-password") + + err = handler.service.ForgotPasswordResponse(token, newPass) + if err != nil { + utils.TriggerToast(w, r, "error", err.Error()) + } else { + utils.TriggerToast(w, r, "success", "Password changed") + } + } +} diff --git a/handler/index_and_404.go b/handler/index_and_404.go index dd832ab..5654336 100644 --- a/handler/index_and_404.go +++ b/handler/index_and_404.go 
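Review bot: `HandleForgotPasswordResponseComp` passes `err.Error()` straight into the toast, so whatever the service returns, including `types.ErrInternal` and the database's `value not found`, becomes user-visible text; map the known errors (`ErrInvalidPassword`, `db.ErrNotFound`) to fixed messages and show a generic one otherwise. `HandleForgotPasswordComp` inserts a token and queues a mail on every call with nothing in this hunk limiting the rate per address or client, so one caller can flood a victim's inbox; unless middleware elsewhere throttles it, add a per-email cooldown or reuse a still-valid token. Reading the token from `HX-Current-URL` is acceptable since the token itself is the secret, but the handler should reject it when the header is absent rather than parsing an empty URL.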
@@ -6,7 +6,6 @@ import ( "me-fit/types" "me-fit/utils" - "database/sql" "net/http" "github.com/a-h/templ" @@ -17,14 +16,12 @@ type IndexHandler interface { } type IndexHandlerImpl struct { - db *sql.DB service service.AuthService serverSettings *types.ServerSettings } -func NewIndexHandler(db *sql.DB, service service.AuthService, serverSettings *types.ServerSettings) IndexHandler { +func NewIndexHandler(service service.AuthService, serverSettings *types.ServerSettings) IndexHandler { return IndexHandlerImpl{ - db: db, service: service, serverSettings: serverSettings, } diff --git a/handler/workout.go b/handler/workout.go index 30a4379..4c36157 100644 --- a/handler/workout.go +++ b/handler/workout.go @@ -7,7 +7,6 @@ import ( "me-fit/types" "me-fit/utils" - "database/sql" "log/slog" "net/http" "strconv" @@ -19,15 +18,13 @@ type WorkoutHandler interface { } type WorkoutHandlerImpl struct { - db *sql.DB service service.WorkoutService auth service.AuthService serverSettings *types.ServerSettings } -func NewWorkoutHandler(db *sql.DB, service service.WorkoutService, auth service.AuthService, serverSettings *types.ServerSettings) WorkoutHandler { +func NewWorkoutHandler(service service.WorkoutService, auth service.AuthService, serverSettings *types.ServerSettings) WorkoutHandler { return WorkoutHandlerImpl{ - db: db, service: service, auth: auth, serverSettings: serverSettings, @@ -109,7 +106,12 @@ func (handler WorkoutHandlerImpl) handleGetWorkout() http.HandlerFunc { wos = append(wos, workout.Workout{Id: wo.RowId, Date: wo.Date, Type: wo.Type, Sets: wo.Sets, Reps: wo.Reps}) } - workout.WorkoutListComp(wos).Render(r.Context(), w) + err = workout.WorkoutListComp(wos).Render(r.Context(), w) + if err != nil { + utils.LogError("Could not render workoutlist", err) + utils.TriggerToast(w, r, "error", "Internal Server Error") + http.Error(w, err.Error(), http.StatusInternalServerError) + } } } diff --git a/main.go b/main.go index b3b1b61..06ee9ea 100644 --- a/main.go 
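Review bot: The error path added to `handleGetWorkout` sends `err.Error()` to the client via `http.Error`, exposing whatever templ reports about the failing render, and it does so after `TriggerToast` and possibly after `Render` has already streamed part of the body, so the 500 status may never reach the wire. Keep the log call and send a fixed message, `http.Error(w, "Internal Server Error", http.StatusInternalServerError)`. If the response should be atomic, render into a `bytes.Buffer` first and copy it to `w` only on success.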
+++ b/main.go @@ -115,9 +115,9 @@ func createHandler(d *sql.DB, serverSettings *types.ServerSettings) http.Handler authService := service.NewAuthServiceImpl(authDb, randomService, clockService, mailService, serverSettings) workoutService := service.NewWorkoutServiceImpl(workoutDb, randomService, clockService, mailService, serverSettings) - indexHandler := handler.NewIndexHandler(d, authService, serverSettings) - authHandler := handler.NewHandlerAuth(d, authService, serverSettings) - workoutHandler := handler.NewWorkoutHandler(d, workoutService, authService, serverSettings) + indexHandler := handler.NewIndexHandler(authService, serverSettings) + authHandler := handler.NewHandlerAuth(authService, serverSettings) + workoutHandler := handler.NewWorkoutHandler(workoutService, authService, serverSettings) indexHandler.Handle(router) diff --git a/service/auth.go b/service/auth.go index 5137019..a67c60b 100644 --- a/service/auth.go +++ b/service/auth.go @@ -3,18 +3,14 @@ package service import ( "context" "crypto/subtle" - "database/sql" "errors" - "log/slog" - "net/http" "net/mail" - "net/url" "strings" "time" "me-fit/db" "me-fit/template/auth" - tempMail "me-fit/template/mail" + mailTemplate "me-fit/template/mail" "me-fit/types" "me-fit/utils" @@ -63,9 +59,12 @@ type AuthService interface { SignIn(email string, password string) (*Session, error) SignUp(email string, password string) (*User, error) SendVerificationMail(userId uuid.UUID, email string) + VerifyUserEmail(token string) error SignOut(sessionId string) error DeleteAccount(user *User) error ChangePassword(user *User, currPass, newPass string) error + ForgotPassword(email string) error + ForgotPasswordResponse(token string, newPass string) error GetUserFromSessionId(sessionId string) (*User, error) } 
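Review bot: The three methods added to `AuthService` carry no doc comments, and their security contract cannot be recovered from the names alone; `VerifyUserEmail` is meant to consume a single-use token, `ForgotPassword` has to return nil for unknown addresses so callers cannot enumerate accounts, and `ForgotPasswordResponse` is expected to enforce type and expiry. State that on the interface, e.g. `// ForgotPassword issues a short-lived reset token and mails it; it returns nil for unknown emails so callers cannot tell them apart.` and `// ForgotPasswordResponse consumes a reset token once and sets the new password; expired or wrong-type tokens must be rejected.`, so implementations and the generated mocks are held to it.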
@@ -89,9 +88,9 @@ func NewAuthServiceImpl(dbAuth db.AuthDb, randomGenerator RandomService, clock C } func (service AuthServiceImpl) SignIn(email string, password string) (*Session, error) { - user, err := service.dbAuth.GetUser(email) + user, err := service.dbAuth.GetUserByEmail(email) if err != nil { - if errors.Is(err, db.ErrUserNotFound) { + if errors.Is(err, db.ErrNotFound) { return nil, ErrInvaidCredentials } else { return nil, types.ErrInternal @@ -119,6 +118,7 @@ func (service AuthServiceImpl) createSession(userId uuid.UUID) (*db.Session, err } err = service.dbAuth.DeleteOldSessions(userId) + if err != nil { return nil, types.ErrInternal } @@ -170,27 +170,34 @@ func (service AuthServiceImpl) SignUp(email string, password string) (*User, err } func (service AuthServiceImpl) SendVerificationMail(userId uuid.UUID, email string) { - var token string - token, err := service.dbAuth.GetEmailVerificationToken(userId) + tokens, err := service.dbAuth.GetTokensByUserIdAndType(userId, db.TokenTypeEmailVerify) if err != nil { return } - if token == "" { - token, err := service.randomGenerator.String(32) + var token *db.Token + + if len(tokens) > 0 { + token = tokens[0] + } + + if token == nil { + newTokenStr, err := service.randomGenerator.String(32) if err != nil { return } - err = service.dbAuth.InsertEmailVerificationToken(userId, token) + token = db.NewToken(userId, newTokenStr, db.TokenTypeEmailVerify, service.clock.Now(), service.clock.Now().Add(24*time.Hour)) + + err = service.dbAuth.InsertToken(token) if err != nil { return } } var w strings.Builder - err = tempMail.Register(service.serverSettings.BaseUrl, token).Render(context.Background(), &w) + err = mailTemplate.Register(service.serverSettings.BaseUrl, token.Token).Render(context.Background(), &w) if err != nil { utils.LogError("Could not render welcome email", err) return 
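Review bot: `SendVerificationMail` now reuses `tokens[0]` from `GetTokensByUserIdAndType` without looking at its `ExpiresAt`, so once the 24-hour window has passed every resend mails the same dead token, `VerifyUserEmail` rejects it, and the user can never verify. Only reuse a token that is still valid, e.g. `if len(tokens) > 0 && tokens[0].ExpiresAt.After(service.clock.Now()) { token = tokens[0] }`, and mint a new one otherwise. The early `return`s on error also stay silent; a `utils.LogError` on each would make a broken mail flow visible. The function's tail runs past the hunk.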
@@ -199,6 +206,44 @@ func (service AuthServiceImpl) SendVerificationMail(userId uuid.UUID, email stri service.mailService.SendMail(email, "Welcome to ME-FIT", w.String()) } +func (service AuthServiceImpl) VerifyUserEmail(tokenStr string) error { + + if tokenStr == "" { + return types.ErrInternal + } + + token, err := service.dbAuth.GetToken(tokenStr) + if err != nil { + return types.ErrInternal + } + + user, err := service.dbAuth.GetUser(token.UserId) + if err != nil { + return types.ErrInternal + } + + if token.Type != db.TokenTypeEmailVerify { + return types.ErrInternal + } + + now := service.clock.Now() + + if token.ExpiresAt.Before(now) { + return types.ErrInternal + } + + user.EmailVerified = true + user.EmailVerifiedAt = &now + + err = service.dbAuth.UpdateUser(user) + if err != nil { + return types.ErrInternal + } + + _ = service.dbAuth.DeleteToken(token.Token) + return nil +} + func (service AuthServiceImpl) SignOut(sessionId string) error { return service.dbAuth.DeleteSession(sessionId) @@ -214,7 +259,7 @@ func (service AuthServiceImpl) GetUserFromSessionId(sessionId string) (*User, er return nil, types.ErrInternal } - user, err := service.dbAuth.GetUserById(session.UserId) + user, err := service.dbAuth.GetUser(session.UserId) if err != nil { return nil, types.ErrInternal } 
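Review bot: In `VerifyUserEmail` an expired token is rejected but left in `user_token`, and nothing else removes it, so dead secrets accumulate and keep being handed back to whoever lists tokens for that user; delete it in that branch, `if token.ExpiresAt.Before(now) { _ = service.dbAuth.DeleteToken(token.Token); return types.ErrInternal }`. The type and expiry checks also run after `GetUser`, so a wrong-type or expired token still costs a user lookup; move them directly after `GetToken`. Every failure collapses into `types.ErrInternal`, which the handler turns into a redirect, so an operator cannot tell a bad link from a database outage; a distinct sentinel for invalid tokens would keep the logs useful.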
@@ -228,48 +273,6 @@ func (service AuthServiceImpl) GetUserFromSessionId(sessionId string) (*User, er // TODO -func HandleSignUpVerifyResponsePage(db *sql.DB) http.HandlerFunc { - return func(w http.ResponseWriter, r *http.Request) { - - token := r.URL.Query().Get("token") - - if token == "" { - utils.DoRedirect(w, r, "/auth/verify") - return - } - - result, err := db.Exec(` - UPDATE user - SET email_verified = true, email_verified_at = datetime() - WHERE user_uuid = ( - SELECT user_uuid - FROM user_token - WHERE type = "email_verify" - AND token = ? - ); - `, token) - - if err != nil { - utils.LogError("Could not update user on verify response", err) - http.Error(w, "Internal Server Error", http.StatusInternalServerError) - return - } - - i, err := result.RowsAffected() - if err != nil { - utils.LogError("Could not get rows affected on verify response", err) - http.Error(w, "Internal Server Error", http.StatusInternalServerError) - return - } - - if i == 0 { - utils.DoRedirect(w, r, "/") - } else { - utils.DoRedirect(w, r, "/auth/signin") - } - } -} - func UserInfoComp(user *User) templ.Component { if user != nil { @@ -306,14 +309,16 @@ func (service AuthServiceImpl) ChangePassword(user *User, currPass, newPass stri return err } - userDb, err := service.dbAuth.GetUserById(user.Id) + userDb, err := service.dbAuth.GetUser(user.Id) if err != nil { return err } newHash := GetHashPassword(newPass, userDb.Salt) - err = service.dbAuth.UpdateUserPassword(user.Id, newHash) + userDb.Password = newHash + + err = service.dbAuth.UpdateUser(userDb) if err != nil { return err } 
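Review bot: `ChangePassword` now persists the new hash through `UpdateUser`, which writes `email_verified` and `email_verified_at` back from the `userDb` row read a moment earlier, so a verification that completes between that read and this write is silently undone; a dedicated `UPDATE user SET password = ? WHERE user_uuid = ?` (what the removed `UpdateUserPassword` did) avoids the lost update. Nothing here revokes the user's other sessions after the password changes, which is the usual expectation when someone rotates a possibly-leaked password; if `DeleteOldSessions` does not cover that, add an explicit delete-by-user. The start of `ChangePassword`, including the current-password check, is outside this hunk.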
@@ -321,115 +326,71 @@ func (service AuthServiceImpl) ChangePassword(user *User, currPass, newPass stri return nil } -func HandleActualResetPasswordComp(db *sql.DB) http.HandlerFunc { - return func(w http.ResponseWriter, r *http.Request) { +func (service AuthServiceImpl) ForgotPassword(email string) error { - pageUrl, err := url.Parse(r.Header.Get("HX-Current-URL")) - if err != nil { - utils.LogError("Could not get current URL", err) - utils.TriggerToast(w, r, "error", "Internal Server Error") - return - } - - token := pageUrl.Query().Get("token") - if token == "" { - utils.TriggerToast(w, r, "error", "No token") - return - } - - newPass := r.FormValue("new-password") - - if !isPasswordValid(newPass) { - utils.TriggerToast(w, r, "error", ErrInvalidPassword.Error()) - return - } - - var ( - userId uuid.UUID - salt []byte - ) - - err = db.QueryRow(` - SELECT u.user_uuid, salt - FROM user_token t - INNER JOIN user u ON t.user_uuid = u.user_uuid - WHERE t.token = ? - AND t.type = 'password_reset' - AND t.expires_at > datetime() - `, token).Scan(&userId, &salt) - if err != nil { - slog.Warn("Could not get user from token: " + err.Error()) - utils.TriggerToast(w, r, "error", "Invalid token") - return - } - - _, err = db.Exec("DELETE FROM user_token WHERE token = ? AND type = 'password_reset'", token) - if err != nil { - utils.LogError("Could not delete token", err) - utils.TriggerToast(w, r, "error", "Internal Server Error") - return - } - - passHash := GetHashPassword(newPass, salt) - - _, err = db.Exec("UPDATE user SET password = ? 
WHERE user_uuid = ?", passHash, userId) - if err != nil { - utils.LogError("Could not update password", err) - utils.TriggerToast(w, r, "error", "Internal Server Error") - return - } - - utils.TriggerToast(w, r, "success", "Password changed") + tokenStr, err := service.randomGenerator.String(32) + if err != nil { + return err } + + user, err := service.dbAuth.GetUserByEmail(email) + if err != nil { + if err == db.ErrNotFound { + return nil + } else { + return types.ErrInternal + } + } + + token := db.NewToken(user.Id, tokenStr, db.TokenTypePasswordReset, service.clock.Now(), service.clock.Now().Add(15*time.Minute)) + + err = service.dbAuth.InsertToken(token) + if err != nil { + return types.ErrInternal + } + + var mail strings.Builder + err = mailTemplate.ResetPassword(service.serverSettings.BaseUrl, token.Token).Render(context.Background(), &mail) + if err != nil { + utils.LogError("Could not render reset password email", err) + return types.ErrInternal + } + go service.mailService.SendMail(email, "Reset Password", mail.String()) + + return nil } -func HandleResetPasswordComp(db *sql.DB, serverSettings *types.ServerSettings) http.HandlerFunc { - mailService := NewMailServiceImpl(serverSettings) - return func(w http.ResponseWriter, r *http.Request) { +func (service AuthServiceImpl) ForgotPasswordResponse(tokenStr string, newPass string) error { - email := r.FormValue("email") - if email == "" { - utils.TriggerToast(w, r, "error", "Please enter an email") - return - } - - token, err := NewRandomServiceImpl().String(32) - if err != nil { - return - } - - res, err := db.Exec(` - INSERT INTO user_token (user_uuid, type, token, created_at, expires_at) - SELECT user_uuid, 'password_reset', ?, datetime(), datetime('now', '+15 minute') - FROM user - WHERE email = ? 
- `, token, email) - if err != nil { - utils.LogError("Could not insert token", err) - utils.TriggerToast(w, r, "error", "Internal Server Error") - return - } - - i, err := res.RowsAffected() - if err != nil { - utils.LogError("Could not get rows affected", err) - utils.TriggerToast(w, r, "error", "Internal Server Error") - return - } - - if i != 0 { - var mail strings.Builder - err = tempMail.ResetPassword(serverSettings.BaseUrl, token).Render(context.Background(), &mail) - if err != nil { - utils.LogError("Could not render reset password email", err) - utils.TriggerToast(w, r, "error", "Internal Server Error") - return - } - mailService.SendMail(email, "Reset Password", mail.String()) - } - - utils.TriggerToast(w, r, "info", "If the email exists, an email has been sent") + if !isPasswordValid(newPass) { + return ErrInvalidPassword } + + token, err := service.dbAuth.GetToken(tokenStr) + if err != nil { + return err + } + + err = service.dbAuth.DeleteToken(tokenStr) + if err != nil { + return err + } + + user, err := service.dbAuth.GetUser(token.UserId) + if err != nil { + utils.LogError("Could not get user from token", err) + return types.ErrInternal + } + + passHash := GetHashPassword(newPass, user.Salt) + + user.Password = passHash + err = service.dbAuth.UpdateUser(user) + if err != nil { + return err + } + + return nil } func GetHashPassword(password string, salt []byte) []byte { diff --git a/service/auth_test.go b/service/auth_test.go index e968f44..2ac2378 100644 --- a/service/auth_test.go +++ b/service/auth_test.go 
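Review bot: `ForgotPasswordResponse` drops both checks the removed SQL enforced (`AND t.type = 'password_reset' AND t.expires_at > datetime()`): it never compares `token.Type` with `db.TokenTypePasswordReset` and never reads `token.ExpiresAt`, so the 15-minute window set in `ForgotPassword` is decorative and any token the lookup returns can set a new password. With `GetToken` as written in this diff that means an email-verification token, valid for 24 hours, works as a password-reset token. Add, right after `GetToken`, `if token.Type != db.TokenTypePasswordReset || !token.ExpiresAt.After(service.clock.Now()) { _ = service.dbAuth.DeleteToken(tokenStr); return db.ErrNotFound }`. In `ForgotPassword`, `err == db.ErrNotFound` should be `errors.Is(err, db.ErrNotFound)`, and repeated requests pile up still-valid tokens for the same account because older reset tokens are never removed; delete them before the insert so one live token exists per user. Existing sessions are also not invalidated after a successful reset.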
@@ -36,7 +36,7 @@ func TestSignIn(t *testing.T) { dbSession := db.NewSession("sessionId", user.Id, time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC)) mockAuthDb := mocks.NewMockAuthDb(t) - mockAuthDb.EXPECT().GetUser("test@test.de").Return(user, nil) + mockAuthDb.EXPECT().GetUserByEmail("test@test.de").Return(user, nil) mockAuthDb.EXPECT().DeleteOldSessions(user.Id).Return(nil) mockAuthDb.EXPECT().InsertSession(dbSession).Return(nil) mockRandom := mocks.NewMockRandomService(t) @@ -71,7 +71,7 @@ func TestSignIn(t *testing.T) { ) mockAuthDb := mocks.NewMockAuthDb(t) - mockAuthDb.EXPECT().GetUser(user.Email).Return(user, nil) + mockAuthDb.EXPECT().GetUserByEmail(user.Email).Return(user, nil) mockRandom := mocks.NewMockRandomService(t) mockClock := mocks.NewMockClockService(t) mockMail := mocks.NewMockMailService(t) @@ -86,7 +86,7 @@ func TestSignIn(t *testing.T) { t.Parallel() mockAuthDb := mocks.NewMockAuthDb(t) - mockAuthDb.EXPECT().GetUser("test").Return(nil, db.ErrUserNotFound) + mockAuthDb.EXPECT().GetUserByEmail("test").Return(nil, db.ErrNotFound) mockRandom := mocks.NewMockRandomService(t) mockClock := mocks.NewMockClockService(t) mockMail := mocks.NewMockMailService(t) @@ -100,7 +100,7 @@ func TestSignIn(t *testing.T) { t.Parallel() mockAuthDb := mocks.NewMockAuthDb(t) - mockAuthDb.EXPECT().GetUser("test").Return(nil, errors.New("Some undefined error")) + mockAuthDb.EXPECT().GetUserByEmail("test").Return(nil, errors.New("Some undefined error")) mockRandom := mocks.NewMockRandomService(t) mockClock := mocks.NewMockClockService(t) mockMail := mocks.NewMockMailService(t) 
@@ -227,7 +227,9 @@ func TestSendVerificationMail(t *testing.T) { t.Run("should use stored token and send mail", func(t *testing.T) { t.Parallel() - token := "someRandomTokenToUse" + token := db.NewToken(uuid.New(), "someRandomTokenToUse", db.TokenTypeEmailVerify, time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2020, 1, 2, 0, 0, 0, 0, time.UTC)) + tokens := []*db.Token{token} + email := "some@email.de" userId := uuid.New() @@ -236,9 +238,11 @@ func TestSendVerificationMail(t *testing.T) { mockClock := mocks.NewMockClockService(t) mockMail := mocks.NewMockMailService(t) - mockAuthDb.EXPECT().GetEmailVerificationToken(userId).Return(token, nil) + mockAuthDb.EXPECT().GetTokensByUserIdAndType(userId, db.TokenTypeEmailVerify).Return(tokens, nil) - mockMail.EXPECT().SendMail(email, "Welcome to ME-FIT", mock.MatchedBy(func(message string) bool { return strings.Contains(message, token) })).Return(nil) + mockMail.EXPECT().SendMail(email, "Welcome to ME-FIT", mock.MatchedBy(func(message string) bool { + return strings.Contains(message, token.Token) + })).Return() underTest := NewAuthServiceImpl(mockAuthDb, mockRandom, mockClock, mockMail, &types.ServerSettings{}) diff --git a/service/mail.go b/service/mail.go index 0505edb..08b6fe2 100644 --- a/service/mail.go +++ b/service/mail.go @@ -2,12 +2,15 @@ package service import ( "fmt" - "me-fit/types" "net/smtp" + + "me-fit/types" + "me-fit/utils" ) type MailService interface { - SendMail(to string, subject string, message string) error + // Sending an email is a fire and forget operation. Thus no error handling + SendMail(to string, subject string, message string) } type MailServiceImpl struct { 
@@ -18,9 +21,9 @@ func NewMailServiceImpl(serverSettings *types.ServerSettings) MailServiceImpl { return MailServiceImpl{serverSettings: serverSettings} } -func (m MailServiceImpl) SendMail(to string, subject string, message string) error { +func (m MailServiceImpl) SendMail(to string, subject string, message string) { if m.serverSettings.Smtp == nil { - return nil + return } s := m.serverSettings.Smtp @@ -29,5 +32,8 @@ func (m MailServiceImpl) SendMail(to string, subject string, message string) err msg := fmt.Sprintf("From: %v <%v>\nTo: %v\nSubject: %v\nMIME-version: 1.0;\nContent-Type: text/html; charset=\"UTF-8\";\n\n%v", s.FromName, s.FromMail, to, subject, message) - return smtp.SendMail(s.Host+":"+s.Port, auth, s.FromMail, []string{to}, []byte(msg)) + err := smtp.SendMail(s.Host+":"+s.Port, auth, s.FromMail, []string{to}, []byte(msg)) + if err != nil { + utils.LogError("Error sending mail: %v", err) + } } diff --git a/template/layout.templ b/template/layout.templ index a379ec8..311d41f 100644 --- a/template/layout.templ +++ b/template/layout.templ @@ -1,48 +1,48 @@ package template templ Layout(slot templ.Component, user templ.Component, environment string) { - - - - - - ME-FIT - - - - if environment == "prod" { - - } - - - - - - -
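Review bot: `utils.LogError("Error sending mail: %v", err)` uses a format verb in what every other call site in this diff treats as a plain message argument (`utils.LogError("Could not insert token", err)`), so the `%v` is most likely printed literally; use `utils.LogError("Error sending mail", err)`. The dial address is built as `s.Host+":"+s.Port`, which breaks for IPv6 literals; `net.JoinHostPort(s.Host, s.Port)` handles both and needs only the `net` import. Since the interface now swallows the error, this log line is the only signal that reset and verification mails are failing, so it should at least carry the subject as context.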
-
- - ME-FIT logo - ME-FIT - - @user -
-
- if slot != nil { - @slot + + + + + ME-FIT + + + + if environment == "prod" { + } -
-
-
- -
- - - + + + + + +
+
+ + ME-FIT logo + ME-FIT + + @user +
+
+ if slot != nil { + @slot + } +
+
+
+ +
+ + }