2023-09-19 13:39:59 +01:00
|
|
|
package main
|
|
|
|
|
|
|
|
import (
|
|
|
|
"crypto/rand"
|
|
|
|
"database/sql"
|
|
|
|
"encoding/hex"
|
|
|
|
"io"
|
|
|
|
"net/http"
|
|
|
|
|
|
|
|
"golang.org/x/crypto/bcrypt"
|
|
|
|
|
2024-02-24 11:34:31 +00:00
|
|
|
dbtypes "git.andr3h3nriqu3s.com/andr3/fyp/logic/db_types"
|
2024-02-24 15:28:23 +00:00
|
|
|
"git.andr3h3nriqu3s.com/andr3/fyp/logic/utils"
|
2023-10-25 14:22:45 +01:00
|
|
|
. "git.andr3h3nriqu3s.com/andr3/fyp/logic/utils"
|
2023-09-21 16:43:11 +01:00
|
|
|
)
|
2023-09-19 13:39:59 +01:00
|
|
|
|
|
|
|
func generateSalt() string {
|
|
|
|
salt := make([]byte, 4)
|
|
|
|
_, err := io.ReadFull(rand.Reader, salt)
|
|
|
|
if err != nil {
|
|
|
|
panic("TODO handle this better")
|
|
|
|
}
|
|
|
|
return hex.EncodeToString(salt)
|
|
|
|
}
|
|
|
|
|
|
|
|
func hashPassword(password string, salt string) (string, error) {
|
|
|
|
bytes_salt, err := hex.DecodeString(salt)
|
|
|
|
if err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
bytes, err := bcrypt.GenerateFromPassword(append([]byte(password), bytes_salt...), 14)
|
|
|
|
return string(bytes), err
|
|
|
|
}
|
|
|
|
|
|
|
|
func genToken() string {
|
|
|
|
token := make([]byte, 60)
|
|
|
|
_, err := io.ReadFull(rand.Reader, token)
|
|
|
|
if err != nil {
|
|
|
|
panic("TODO handle this better")
|
|
|
|
}
|
|
|
|
return hex.EncodeToString(token)
|
|
|
|
}
|
|
|
|
|
|
|
|
func generateToken(db *sql.DB, email string, password string) (string, bool) {
|
|
|
|
row, err := db.Query("select id, salt, password from users where email = $1;", email)
|
|
|
|
if err != nil || !row.Next() {
|
|
|
|
return "", false
|
|
|
|
}
|
|
|
|
|
|
|
|
var db_id string
|
|
|
|
var db_salt string
|
|
|
|
var db_password string
|
|
|
|
err = row.Scan(&db_id, &db_salt, &db_password)
|
|
|
|
if err != nil {
|
|
|
|
return "", false
|
|
|
|
}
|
|
|
|
|
|
|
|
bytes_salt, err := hex.DecodeString(db_salt)
|
|
|
|
if err != nil {
|
|
|
|
panic("TODO handle better! Somethign is wrong with salt being stored in the database")
|
|
|
|
}
|
|
|
|
|
2024-02-24 11:34:31 +00:00
|
|
|
if err = bcrypt.CompareHashAndPassword([]byte(db_password), append([]byte(password), bytes_salt...)); err != nil {
|
2023-09-19 13:39:59 +01:00
|
|
|
return "", false
|
|
|
|
}
|
|
|
|
|
|
|
|
token := genToken()
|
|
|
|
|
|
|
|
_, err = db.Exec("insert into tokens (user_id, token) values ($1, $2);", db_id, token)
|
|
|
|
if err != nil {
|
|
|
|
return "", false
|
|
|
|
}
|
|
|
|
|
|
|
|
return token, true
|
|
|
|
}
|
|
|
|
|
|
|
|
func usersEndpints(db *sql.DB, handle *Handle) {
|
2024-03-09 10:52:08 +00:00
|
|
|
handle.Post("/login", func(c *Context) *Error {
|
|
|
|
type UserLogin struct {
|
|
|
|
Email string `json:"email"`
|
|
|
|
Password string `json:"password"`
|
2023-09-19 13:39:59 +01:00
|
|
|
}
|
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
var dat UserLogin
|
2023-09-19 13:39:59 +01:00
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
if err := c.ToJSON(&dat); err != nil {
|
|
|
|
return err
|
2023-09-19 13:39:59 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// TODO Give this to the generateToken function
|
2024-03-09 10:52:08 +00:00
|
|
|
token, login := generateToken(db, dat.Email, dat.Password)
|
2023-09-19 13:39:59 +01:00
|
|
|
if !login {
|
2024-03-09 10:52:08 +00:00
|
|
|
return c.SendJSONStatus(http.StatusUnauthorized, "Email or password are incorrect")
|
2023-09-19 13:39:59 +01:00
|
|
|
}
|
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
user, err := dbtypes.UserFromToken(c.Db, token)
|
|
|
|
if err != nil {
|
|
|
|
return c.Error500(err)
|
|
|
|
}
|
2024-02-24 11:34:31 +00:00
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
type UserReturn struct {
|
|
|
|
Token string `json:"token"`
|
|
|
|
Id string `json:"id"`
|
|
|
|
UserType int `json:"user_type"`
|
|
|
|
Username string `json:"username"`
|
|
|
|
Email string `json:"email"`
|
|
|
|
}
|
2024-02-24 11:34:31 +00:00
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
userReturn := UserReturn{
|
|
|
|
Token: token,
|
|
|
|
Id: user.Id,
|
|
|
|
UserType: user.UserType,
|
|
|
|
Username: user.Username,
|
|
|
|
Email: user.Email,
|
|
|
|
}
|
2024-02-24 11:34:31 +00:00
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
return c.SendJSON(userReturn)
|
|
|
|
})
|
2024-02-24 11:34:31 +00:00
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
handle.Post("/register", func(c *Context) *Error {
|
|
|
|
type UserLogin struct {
|
|
|
|
Username string `json:"username"`
|
|
|
|
Email string `json:"email"`
|
|
|
|
Password string `json:"password"`
|
2023-09-19 13:39:59 +01:00
|
|
|
}
|
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
var dat UserLogin
|
2023-09-19 13:39:59 +01:00
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
if err := c.ToJSON(&dat); err != nil {
|
|
|
|
return err
|
2023-09-19 13:39:59 +01:00
|
|
|
}
|
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
if len(dat.Username) == 0 || len(dat.Password) == 0 || len(dat.Email) == 0 {
|
|
|
|
return c.SendJSONStatus(http.StatusBadRequest, "Please provide a valid json")
|
|
|
|
}
|
2023-09-19 13:39:59 +01:00
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
rows, err := db.Query("select username, email from users where username=$1 or email=$2;", dat.Username, dat.Email)
|
2023-09-19 13:39:59 +01:00
|
|
|
if err != nil {
|
2024-03-09 10:52:08 +00:00
|
|
|
return c.Error500(err)
|
2023-09-19 13:39:59 +01:00
|
|
|
}
|
|
|
|
defer rows.Close()
|
|
|
|
|
|
|
|
if rows.Next() {
|
|
|
|
var db_username string
|
|
|
|
var db_email string
|
|
|
|
err = rows.Scan(&db_username, &db_email)
|
|
|
|
if err != nil {
|
2024-03-09 10:52:08 +00:00
|
|
|
return c.Error500(err)
|
2023-09-19 13:39:59 +01:00
|
|
|
}
|
2024-03-09 10:52:08 +00:00
|
|
|
if db_email == dat.Email {
|
|
|
|
return c.SendJSONStatus(http.StatusBadRequest, "Email already in use!")
|
|
|
|
}
|
|
|
|
if db_username == dat.Username {
|
|
|
|
return c.SendJSONStatus(http.StatusBadRequest, "Username already in use!")
|
|
|
|
}
|
|
|
|
panic("Unrechable")
|
2023-09-19 13:39:59 +01:00
|
|
|
}
|
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
if len([]byte(dat.Password)) > 68 {
|
|
|
|
return c.JsonBadRequest("Password is to long!")
|
2023-09-19 13:39:59 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
salt := generateSalt()
|
2024-03-09 10:52:08 +00:00
|
|
|
hash_password, err := hashPassword(dat.Password, salt)
|
2023-09-19 13:39:59 +01:00
|
|
|
if err != nil {
|
2024-03-09 10:52:08 +00:00
|
|
|
return c.Error500(err)
|
2023-09-19 13:39:59 +01:00
|
|
|
}
|
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
_, err = db.Exec("insert into users (username, email, salt, password) values ($1, $2, $3, $4);", dat.Username, dat.Email, salt, hash_password)
|
2023-09-19 13:39:59 +01:00
|
|
|
if err != nil {
|
2024-03-09 10:52:08 +00:00
|
|
|
return c.Error500(err)
|
2023-09-19 13:39:59 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
// TODO Give this to the generateToken function
|
2024-03-09 10:52:08 +00:00
|
|
|
token, login := generateToken(db, dat.Email, dat.Password)
|
2023-09-19 13:39:59 +01:00
|
|
|
if !login {
|
2024-03-09 10:52:08 +00:00
|
|
|
return c.SendJSONStatus(500, "Could not login after creatting account please try again later")
|
|
|
|
}
|
|
|
|
|
|
|
|
user, err := dbtypes.UserFromToken(c.Db, token)
|
|
|
|
if err != nil {
|
|
|
|
return c.Error500(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
type UserReturn struct {
|
|
|
|
Token string `json:"token"`
|
|
|
|
Id string `json:"id"`
|
|
|
|
UserType int `json:"user_type"`
|
|
|
|
Username string `json:"username"`
|
|
|
|
Email string `json:"email"`
|
2023-09-19 13:39:59 +01:00
|
|
|
}
|
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
userReturn := UserReturn{
|
|
|
|
Token: token,
|
|
|
|
Id: user.Id,
|
|
|
|
UserType: user.UserType,
|
|
|
|
Username: user.Username,
|
|
|
|
Email: user.Email,
|
|
|
|
}
|
|
|
|
|
|
|
|
return c.SendJSON(userReturn)
|
2023-09-19 13:39:59 +01:00
|
|
|
})
|
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
// TODO allow admin users to update this data
|
|
|
|
handle.Get("/user/info", func(c *Context) *Error {
|
|
|
|
if !c.CheckAuthLevel(1) {
|
2023-10-25 14:22:45 +01:00
|
|
|
return nil
|
|
|
|
}
|
2024-03-09 10:52:08 +00:00
|
|
|
|
|
|
|
user, err := dbtypes.UserFromToken(c.Db, *c.Token)
|
|
|
|
if err != nil {
|
|
|
|
return c.Error500(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
type UserReturn struct {
|
|
|
|
Id string `json:"id"`
|
|
|
|
UserType int `json:"user_type"`
|
|
|
|
Username string `json:"username"`
|
|
|
|
Email string `json:"email"`
|
|
|
|
}
|
|
|
|
|
|
|
|
userReturn := UserReturn{
|
|
|
|
Id: user.Id,
|
|
|
|
UserType: user.UserType,
|
|
|
|
Username: user.Username,
|
|
|
|
Email: user.Email,
|
2023-10-25 14:22:45 +01:00
|
|
|
}
|
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
return c.SendJSON(userReturn)
|
2023-10-25 14:22:45 +01:00
|
|
|
})
|
|
|
|
|
2024-02-24 15:28:23 +00:00
|
|
|
// Handles updating users
|
2024-03-09 10:52:08 +00:00
|
|
|
handle.Post("/user/info", func(c *Context) *Error {
|
|
|
|
if !c.CheckAuthLevel(int(dbtypes.User_Normal)) {
|
2024-02-24 15:28:23 +00:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
type UserData struct {
|
|
|
|
Id string `json:"id"`
|
|
|
|
Email string `json:"email"`
|
|
|
|
}
|
|
|
|
|
|
|
|
var dat UserData
|
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
if err := c.ToJSON(&dat); err != nil {
|
2024-02-24 15:28:23 +00:00
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
if dat.Id != c.User.Id && c.User.UserType != int(dbtypes.User_Admin) {
|
2024-03-01 23:03:25 +00:00
|
|
|
return c.SendJSONStatus(403, "You need to be an admin to update another users account")
|
2024-02-24 15:28:23 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if dat.Id != c.User.Id {
|
|
|
|
var data struct {
|
|
|
|
Id string
|
|
|
|
}
|
|
|
|
|
|
|
|
err := utils.GetDBOnce(c, &data, "users where id=$1", dat.Id)
|
|
|
|
if err == NotFoundError {
|
2024-03-01 23:03:25 +00:00
|
|
|
return c.JsonBadRequest("User does not exist")
|
2024-02-24 15:28:23 +00:00
|
|
|
} else if err != nil {
|
|
|
|
return c.Error500(err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
var data struct {
|
|
|
|
Id string
|
|
|
|
}
|
|
|
|
|
|
|
|
err := utils.GetDBOnce(c, &data, "users where email=$1", dat.Email)
|
|
|
|
if err != nil && err != NotFoundError {
|
|
|
|
return c.Error500(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
if err != NotFoundError {
|
|
|
|
if data.Id == dat.Id {
|
2024-03-01 23:03:25 +00:00
|
|
|
return c.JsonBadRequest("Email is the name as the previous one!")
|
2024-02-24 15:28:23 +00:00
|
|
|
} else {
|
2024-03-01 23:03:25 +00:00
|
|
|
return c.JsonBadRequest("Email already in use")
|
2024-02-24 15:28:23 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
_, err = c.Db.Exec("update users set email=$2 where id=$1", dat.Id, dat.Email)
|
|
|
|
if err != nil {
|
|
|
|
return c.Error500(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
var user struct {
|
|
|
|
Id string
|
|
|
|
Username string
|
|
|
|
Email string
|
|
|
|
User_Type int
|
|
|
|
}
|
|
|
|
|
|
|
|
err = utils.GetDBOnce(c, &user, "users where id=$1", dat.Id)
|
|
|
|
if err != nil {
|
|
|
|
return c.Error500(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
toReturnUser := dbtypes.User{
|
|
|
|
Id: user.Id,
|
|
|
|
Username: user.Username,
|
|
|
|
Email: user.Email,
|
|
|
|
UserType: user.User_Type,
|
|
|
|
}
|
|
|
|
|
2024-03-01 23:03:25 +00:00
|
|
|
return c.SendJSON(toReturnUser)
|
2024-02-24 15:28:23 +00:00
|
|
|
})
|
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
handle.Post("/user/info/password", func(c *Context) *Error {
|
|
|
|
if !c.CheckAuthLevel(1) {
|
2023-10-25 14:22:45 +01:00
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
var dat struct {
|
|
|
|
Old_Password string `json:"old_password"`
|
|
|
|
Password string `json:"password"`
|
|
|
|
Password2 string `json:"password2"`
|
2023-10-25 14:22:45 +01:00
|
|
|
}
|
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
if err := c.ToJSON(&dat); err != nil {
|
|
|
|
return err
|
2023-10-25 14:22:45 +01:00
|
|
|
}
|
2024-02-24 15:28:23 +00:00
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
if dat.Password == "" {
|
|
|
|
return c.JsonBadRequest("Password can not be empty")
|
2023-10-25 14:22:45 +01:00
|
|
|
}
|
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
if dat.Password != dat.Password2 {
|
|
|
|
return c.JsonBadRequest("New passwords did not match")
|
2023-10-25 14:22:45 +01:00
|
|
|
}
|
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
c.Logger.Warn("test", "dat", dat)
|
2023-10-25 14:22:45 +01:00
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
_, login := generateToken(db, c.User.Email, dat.Old_Password)
|
2023-10-25 14:22:45 +01:00
|
|
|
if !login {
|
2024-03-09 10:52:08 +00:00
|
|
|
return c.JsonBadRequest("Password is incorrect")
|
2023-10-25 14:22:45 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
salt := generateSalt()
|
2024-03-09 10:52:08 +00:00
|
|
|
hash_password, err := hashPassword(dat.Password, salt)
|
2023-10-25 14:22:45 +01:00
|
|
|
if err != nil {
|
|
|
|
return c.Error500(err)
|
|
|
|
}
|
|
|
|
|
|
|
|
_, err = db.Exec("update users set salt=$1, password=$2 where id=$3", salt, hash_password, c.User.Id)
|
|
|
|
if err != nil {
|
|
|
|
return c.Error500(err)
|
|
|
|
}
|
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
return c.SendJSON(c.User.Id)
|
2023-10-25 14:22:45 +01:00
|
|
|
})
|
|
|
|
|
2024-03-09 10:52:08 +00:00
|
|
|
// TODO create function to remove token
|
2023-09-19 13:39:59 +01:00
|
|
|
}
|