247 lines
5.7 KiB
Go
247 lines
5.7 KiB
Go
|
package main
|
||
|
|
|
||
|
|
import (
|
||
|
|
"crypto/rand"
|
||
|
|
"database/sql"
|
||
|
|
"encoding/hex"
|
||
|
|
"errors"
|
||
|
|
"fmt"
|
||
|
|
"io"
|
||
|
|
"net/http"
|
||
|
|
"time"
|
||
|
|
|
||
|
|
"golang.org/x/crypto/bcrypt"
|
||
|
|
)
|
||
|
|
|
||
|
|
type User struct {
|
||
|
|
id string
|
||
|
|
username string
|
||
|
|
email string
|
||
|
|
user_type int
|
||
|
|
}
|
||
|
|
|
||
|
|
var ErrUserNotFound = errors.New("User Not found")
|
||
|
|
|
||
|
|
func userFromToken(db *sql.DB, token string) (*User, error) {
|
||
|
|
row, err := db.Query("select users.id, users.username, users.email, users.user_type from users inner join tokens on tokens.user_id = users.id where tokens.token = $1;", token)
|
||
|
|
|
||
|
|
if err != nil {
|
||
|
|
return nil, err
|
||
|
|
}
|
||
|
|
|
||
|
|
var id string
|
||
|
|
var username string
|
||
|
|
var email string
|
||
|
|
var user_type int
|
||
|
|
|
||
|
|
if !row.Next() {
|
||
|
|
return nil, ErrUserNotFound
|
||
|
|
}
|
||
|
|
|
||
|
|
err = row.Scan(&id, &username, &email, &user_type)
|
||
|
|
if err != nil {
|
||
|
|
return nil, err
|
||
|
|
}
|
||
|
|
|
||
|
|
return &User{id, username, email, user_type}, nil
|
||
|
|
}
|
||
|
|
|
||
|
|
func generateSalt() string {
|
||
|
|
salt := make([]byte, 4)
|
||
|
|
_, err := io.ReadFull(rand.Reader, salt)
|
||
|
|
if err != nil {
|
||
|
|
panic("TODO handle this better")
|
||
|
|
}
|
||
|
|
return hex.EncodeToString(salt)
|
||
|
|
}
|
||
|
|
|
||
|
|
func hashPassword(password string, salt string) (string, error) {
|
||
|
|
bytes_salt, err := hex.DecodeString(salt)
|
||
|
|
if err != nil {
|
||
|
|
return "", err
|
||
|
|
}
|
||
|
|
bytes, err := bcrypt.GenerateFromPassword(append([]byte(password), bytes_salt...), 14)
|
||
|
|
return string(bytes), err
|
||
|
|
}
|
||
|
|
|
||
|
|
func genToken() string {
|
||
|
|
token := make([]byte, 60)
|
||
|
|
_, err := io.ReadFull(rand.Reader, token)
|
||
|
|
if err != nil {
|
||
|
|
panic("TODO handle this better")
|
||
|
|
}
|
||
|
|
return hex.EncodeToString(token)
|
||
|
|
}
|
||
|
|
|
||
|
|
func generateToken(db *sql.DB, email string, password string) (string, bool) {
|
||
|
|
|
||
|
|
row, err := db.Query("select id, salt, password from users where email = $1;", email)
|
||
|
|
if err != nil || !row.Next() {
|
||
|
|
return "", false
|
||
|
|
}
|
||
|
|
|
||
|
|
var db_id string
|
||
|
|
var db_salt string
|
||
|
|
var db_password string
|
||
|
|
err = row.Scan(&db_id, &db_salt, &db_password)
|
||
|
|
if err != nil {
|
||
|
|
return "", false
|
||
|
|
}
|
||
|
|
|
||
|
|
bytes_salt, err := hex.DecodeString(db_salt)
|
||
|
|
if err != nil {
|
||
|
|
panic("TODO handle better! Somethign is wrong with salt being stored in the database")
|
||
|
|
}
|
||
|
|
|
||
|
|
if bcrypt.CompareHashAndPassword([]byte(db_password), append([]byte(password), bytes_salt...)) != nil {
|
||
|
|
return "", false
|
||
|
|
}
|
||
|
|
|
||
|
|
token := genToken()
|
||
|
|
|
||
|
|
_, err = db.Exec("insert into tokens (user_id, token) values ($1, $2);", db_id, token)
|
||
|
|
if err != nil {
|
||
|
|
return "", false
|
||
|
|
}
|
||
|
|
|
||
|
|
return token, true
|
||
|
|
}
|
||
|
|
|
||
|
|
func usersEndpints(db *sql.DB, handle *Handle) {
|
||
|
|
handle.GetHTML("/login", AnswerTemplate("login.html", nil))
|
||
|
|
handle.Post("/login", func(w http.ResponseWriter, r *http.Request, c *Context) *Error {
|
||
|
|
if c.Mode == JSON {
|
||
|
|
fmt.Println("Handle JSON")
|
||
|
|
return &Error{code: 404}
|
||
|
|
}
|
||
|
|
|
||
|
|
r.ParseForm()
|
||
|
|
f := r.Form
|
||
|
|
|
||
|
|
if checkEmpty(f, "email") || checkEmpty(f, "password") {
|
||
|
|
LoadBasedOnAnswer(c.Mode, w, "login.html", c.addMap(AnyMap{
|
||
|
|
"Submited": true,
|
||
|
|
}))
|
||
|
|
return nil
|
||
|
|
}
|
||
|
|
|
||
|
|
email := f.Get("email")
|
||
|
|
password := f.Get("password")
|
||
|
|
|
||
|
|
// TODO Give this to the generateToken function
|
||
|
|
expiration := time.Now().Add(24 * time.Hour)
|
||
|
|
token, login := generateToken(db, email, password)
|
||
|
|
if !login {
|
||
|
|
LoadBasedOnAnswer(c.Mode, w, "login.html", c.addMap(AnyMap{
|
||
|
|
"Submited": true,
|
||
|
|
"NoUserOrPassword": true,
|
||
|
|
"Email": email,
|
||
|
|
}))
|
||
|
|
return nil
|
||
|
|
}
|
||
|
|
|
||
|
|
cookie := &http.Cookie{Name: "auth", Value: token, HttpOnly: false, Expires: expiration}
|
||
|
|
http.SetCookie(w, cookie)
|
||
|
|
|
||
|
|
w.Header().Set("Location", "/")
|
||
|
|
w.WriteHeader(http.StatusSeeOther)
|
||
|
|
return nil
|
||
|
|
})
|
||
|
|
|
||
|
|
handle.GetHTML("/register", AnswerTemplate("register.html", nil))
|
||
|
|
handle.Post("/register", func(w http.ResponseWriter, r *http.Request, c *Context) *Error {
|
||
|
|
if c.Mode == JSON {
|
||
|
|
return &Error{code: http.StatusNotFound}
|
||
|
|
}
|
||
|
|
|
||
|
|
r.ParseForm()
|
||
|
|
f := r.Form
|
||
|
|
|
||
|
|
if checkEmpty(f, "email") || checkEmpty(f, "password") || checkEmpty(f, "username") {
|
||
|
|
LoadBasedOnAnswer(c.Mode, w, "register.html", AnyMap{
|
||
|
|
"Submited": true,
|
||
|
|
})
|
||
|
|
return nil
|
||
|
|
}
|
||
|
|
|
||
|
|
email := f.Get("email")
|
||
|
|
username := f.Get("username")
|
||
|
|
password := f.Get("password")
|
||
|
|
|
||
|
|
rows, err := db.Query("select username, email from users where username=$1 or email=$2;", username, email)
|
||
|
|
if err != nil {
|
||
|
|
panic("TODO handle this")
|
||
|
|
}
|
||
|
|
defer rows.Close()
|
||
|
|
|
||
|
|
if rows.Next() {
|
||
|
|
var db_username string
|
||
|
|
var db_email string
|
||
|
|
err = rows.Scan(&db_username, &db_email)
|
||
|
|
if err != nil {
|
||
|
|
panic("TODO handle this better")
|
||
|
|
}
|
||
|
|
LoadBasedOnAnswer(c.Mode, w, "register.html", AnyMap{
|
||
|
|
"Submited": true,
|
||
|
|
"Email": email,
|
||
|
|
"Username": username,
|
||
|
|
"EmailError": db_email == email,
|
||
|
|
"UserError": db_username == username,
|
||
|
|
})
|
||
|
|
return nil
|
||
|
|
}
|
||
|
|
|
||
|
|
if len([]byte(password)) > 68 {
|
||
|
|
LoadBasedOnAnswer(c.Mode, w, "register.html", AnyMap{
|
||
|
|
"Submited": true,
|
||
|
|
"Email": email,
|
||
|
|
"Username": username,
|
||
|
|
"PasswordToLong": true,
|
||
|
|
})
|
||
|
|
return nil
|
||
|
|
}
|
||
|
|
|
||
|
|
salt := generateSalt()
|
||
|
|
hash_password, err := hashPassword(password, salt)
|
||
|
|
if err != nil {
|
||
|
|
return &Error{
|
||
|
|
code: http.StatusInternalServerError,
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
_, err = db.Exec("insert into users (username, email, salt, password) values ($1, $2, $3, $4);", username, email, salt, hash_password)
|
||
|
|
|
||
|
|
if err != nil {
|
||
|
|
return &Error{
|
||
|
|
code: http.StatusInternalServerError,
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
// TODO Give this to the generateToken function
|
||
|
|
expiration := time.Now().Add(24 * time.Hour)
|
||
|
|
token, login := generateToken(db, email, password)
|
||
|
|
|
||
|
|
if !login {
|
||
|
|
msg := "Login failed"
|
||
|
|
return &Error{
|
||
|
|
code: http.StatusInternalServerError,
|
||
|
|
msg: &msg,
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
cookie := &http.Cookie{Name: "auth", Value: token, HttpOnly: false, Expires: expiration}
|
||
|
|
http.SetCookie(w, cookie)
|
||
|
|
w.Header().Set("Location", "/")
|
||
|
|
w.WriteHeader(http.StatusSeeOther)
|
||
|
|
return nil
|
||
|
|
})
|
||
|
|
|
||
|
|
handle.Get("/logout", func(w http.ResponseWriter, r *http.Request, c *Context) *Error {
|
||
|
|
if c.Mode == JSON {
|
||
|
|
panic("TODO handle json")
|
||
|
|
}
|
||
|
|
logoff(c.Mode, w, r)
|
||
|
|
return nil
|
||
|
|
})
|
||
|
|
}
|