fyp/users.go

411 lines
9.6 KiB
Go

package main
import (
"crypto/rand"
"database/sql"
"encoding/hex"
"io"
"net/http"
"time"
"golang.org/x/crypto/bcrypt"
dbtypes "git.andr3h3nriqu3s.com/andr3/fyp/logic/db_types"
"git.andr3h3nriqu3s.com/andr3/fyp/logic/utils"
. "git.andr3h3nriqu3s.com/andr3/fyp/logic/utils"
)
func generateSalt() string {
salt := make([]byte, 4)
_, err := io.ReadFull(rand.Reader, salt)
if err != nil {
panic("TODO handle this better")
}
return hex.EncodeToString(salt)
}
func hashPassword(password string, salt string) (string, error) {
bytes_salt, err := hex.DecodeString(salt)
if err != nil {
return "", err
}
bytes, err := bcrypt.GenerateFromPassword(append([]byte(password), bytes_salt...), 14)
return string(bytes), err
}
func genToken() string {
token := make([]byte, 60)
_, err := io.ReadFull(rand.Reader, token)
if err != nil {
panic("TODO handle this better")
}
return hex.EncodeToString(token)
}
func deleteToken(db *sql.DB, userId string, time time.Time) (err error) {
_, err = db.Exec("delete from tokens where emit_day=$1 and user_id=$2", time, userId)
return
}
func generateToken(db *sql.DB, email string, password string, name string) (string, bool) {
row, err := db.Query("select id, salt, password from users where email = $1;", email)
if err != nil || !row.Next() {
return "", false
}
var db_id string
var db_salt string
var db_password string
err = row.Scan(&db_id, &db_salt, &db_password)
if err != nil {
return "", false
}
bytes_salt, err := hex.DecodeString(db_salt)
if err != nil {
panic("TODO handle better! Somethign is wrong with salt being stored in the database")
}
if err = bcrypt.CompareHashAndPassword([]byte(db_password), append([]byte(password), bytes_salt...)); err != nil {
return "", false
}
token := genToken()
_, err = db.Exec("insert into tokens (user_id, token, name) values ($1, $2, $3);", db_id, token, name)
if err != nil {
return "", false
}
return token, true
}
func usersEndpints(db *sql.DB, handle *Handle) {
handle.Post("/login", func(c *Context) *Error {
type UserLogin struct {
Email string `json:"email"`
Password string `json:"password"`
}
var dat UserLogin
if err := c.ToJSON(&dat); err != nil {
return err
}
// TODO Give this to the generateToken function
token, login := generateToken(db, dat.Email, dat.Password, "Logged in user")
if !login {
return c.SendJSONStatus(http.StatusUnauthorized, "Email or password are incorrect")
}
user, err := dbtypes.UserFromToken(c.Db, token)
if err != nil {
return c.Error500(err)
}
type UserReturn struct {
Token string `json:"token"`
Id string `json:"id"`
UserType int `json:"user_type"`
Username string `json:"username"`
Email string `json:"email"`
}
userReturn := UserReturn{
Token: token,
Id: user.Id,
UserType: user.UserType,
Username: user.Username,
Email: user.Email,
}
return c.SendJSON(userReturn)
})
handle.Post("/register", func(c *Context) *Error {
type UserLogin struct {
Username string `json:"username"`
Email string `json:"email"`
Password string `json:"password"`
}
var dat UserLogin
if err := c.ToJSON(&dat); err != nil {
return err
}
if len(dat.Username) == 0 || len(dat.Password) == 0 || len(dat.Email) == 0 {
return c.SendJSONStatus(http.StatusBadRequest, "Please provide a valid json")
}
rows, err := db.Query("select username, email from users where username=$1 or email=$2;", dat.Username, dat.Email)
if err != nil {
return c.Error500(err)
}
defer rows.Close()
if rows.Next() {
var db_username string
var db_email string
err = rows.Scan(&db_username, &db_email)
if err != nil {
return c.Error500(err)
}
if db_email == dat.Email {
return c.SendJSONStatus(http.StatusBadRequest, "Email already in use!")
}
if db_username == dat.Username {
return c.SendJSONStatus(http.StatusBadRequest, "Username already in use!")
}
panic("Unrechable")
}
if len([]byte(dat.Password)) > 68 {
return c.JsonBadRequest("Password is to long!")
}
salt := generateSalt()
hash_password, err := hashPassword(dat.Password, salt)
if err != nil {
return c.Error500(err)
}
_, err = db.Exec("insert into users (username, email, salt, password) values ($1, $2, $3, $4);", dat.Username, dat.Email, salt, hash_password)
if err != nil {
return c.Error500(err)
}
// TODO Give this to the generateToken function
token, login := generateToken(db, dat.Email, dat.Password, "User Login")
if !login {
return c.SendJSONStatus(500, "Could not login after creatting account please try again later")
}
user, err := dbtypes.UserFromToken(c.Db, token)
if err != nil {
return c.Error500(err)
}
type UserReturn struct {
Token string `json:"token"`
Id string `json:"id"`
UserType int `json:"user_type"`
Username string `json:"username"`
Email string `json:"email"`
}
userReturn := UserReturn{
Token: token,
Id: user.Id,
UserType: user.UserType,
Username: user.Username,
Email: user.Email,
}
return c.SendJSON(userReturn)
})
// TODO allow admin users to update this data
handle.Get("/user/info", func(c *Context) *Error {
if !c.CheckAuthLevel(1) {
return nil
}
user, err := dbtypes.UserFromToken(c.Db, *c.Token)
if err != nil {
return c.Error500(err)
}
type UserReturn struct {
Id string `json:"id"`
UserType int `json:"user_type"`
Username string `json:"username"`
Email string `json:"email"`
}
userReturn := UserReturn{
Id: user.Id,
UserType: user.UserType,
Username: user.Username,
Email: user.Email,
}
return c.SendJSON(userReturn)
})
// Handles updating users
handle.Post("/user/info", func(c *Context) *Error {
if !c.CheckAuthLevel(int(dbtypes.User_Normal)) {
return nil
}
type UserData struct {
Id string `json:"id"`
Email string `json:"email"`
}
var dat UserData
if err := c.ToJSON(&dat); err != nil {
return err
}
if dat.Id != c.User.Id && c.User.UserType != int(dbtypes.User_Admin) {
return c.SendJSONStatus(403, "You need to be an admin to update another users account")
}
if dat.Id != c.User.Id {
var data struct {
Id string
}
err := utils.GetDBOnce(c, &data, "users where id=$1", dat.Id)
if err == NotFoundError {
return c.JsonBadRequest("User does not exist")
} else if err != nil {
return c.Error500(err)
}
}
var data struct {
Id string
}
err := utils.GetDBOnce(c, &data, "users where email=$1", dat.Email)
if err != nil && err != NotFoundError {
return c.Error500(err)
}
if err != NotFoundError {
if data.Id == dat.Id {
return c.JsonBadRequest("Email is the name as the previous one!")
} else {
return c.JsonBadRequest("Email already in use")
}
}
_, err = c.Db.Exec("update users set email=$2 where id=$1", dat.Id, dat.Email)
if err != nil {
return c.Error500(err)
}
var user struct {
Id string
Username string
Email string
User_Type int
}
err = utils.GetDBOnce(c, &user, "users where id=$1", dat.Id)
if err != nil {
return c.Error500(err)
}
toReturnUser := dbtypes.User{
Id: user.Id,
Username: user.Username,
Email: user.Email,
UserType: user.User_Type,
}
return c.SendJSON(toReturnUser)
})
handle.Post("/user/info/password", func(c *Context) *Error {
if !c.CheckAuthLevel(1) {
return nil
}
var dat struct {
Old_Password string `json:"old_password"`
Password string `json:"password"`
Password2 string `json:"password2"`
}
if err := c.ToJSON(&dat); err != nil {
return err
}
if dat.Password == "" {
return c.JsonBadRequest("Password can not be empty")
}
if dat.Password != dat.Password2 {
return c.JsonBadRequest("New passwords did not match")
}
// TODO remote token
_, login := generateToken(db, c.User.Email, dat.Old_Password, "Update password Token")
if !login {
return c.JsonBadRequest("Password is incorrect")
}
salt := generateSalt()
hash_password, err := hashPassword(dat.Password, salt)
if err != nil {
return c.Error500(err)
}
_, err = db.Exec("update users set salt=$1, password=$2 where id=$3", salt, hash_password, c.User.Id)
if err != nil {
return c.Error500(err)
}
return c.SendJSON(c.User.Id)
})
type TokenList struct {
Id string `json:"id"`
Page int `json:"page"`
}
PostAuthJson[TokenList](handle, "/user/token/list", 1, func(c *Context, obj *TokenList) *Error {
if obj.Id == "" {
obj.Id = c.User.Id
}
if obj.Id != c.User.Id && c.User.UserType < int(dbtypes.User_Admin) {
return c.JsonBadRequest("Could not find user tokens")
}
type Token struct {
CreationDate time.Time `json:"create_date" db:"emit_day"`
TimeToLive int `json:"time_to_live" db:"time_to_live"`
Name string `json:"name"`
}
tokens, err := GetDbMultitple[Token](c, "tokens where user_id=$1 order by emit_day desc limit 11 offset $2;", obj.Id, 10*obj.Page)
if err != nil {
return c.E500M("Failed get tokens", err)
}
max_len := min(11, len(tokens))
c.ShowMessage = false
return c.SendJSON(struct {
TokenList []*Token `json:"token_list"`
ShowNext bool `json:"show_next"`
}{
tokens[0:max_len],
len(tokens) > 10,
})
})
type TokenDelete struct {
Time time.Time `json:"time" validate:"required"`
}
DeleteAuthJson(handle, "/user/token", 1, func(c *Context, obj *TokenDelete) *Error {
// TODO allow admin user to delete to other persons token
err := deleteToken(c.Db, c.User.Id, obj.Time)
if err != nil {
return c.E500M("Could not delete token", err)
}
return c.SendJSON("Ok")
})
// TODO create function to remove token
}