Change user handlers to set cookies on registration and log in

Change auth middleware to be session based on cookies
Add sessions in tokens package
2024-11-06 19:48:02 +02:00 · 2024-11-06 19:47:40 +02:00 · 2024-11-06 19:47:22 +02:00 · 2024-11-06 19:47:12 +02:00 · 2024-11-06 19:46:39 +02:00 · 2024-11-06 19:45:54 +02:00
9 changed files with 111 additions and 26 deletions
--- a/cmd/http-server/main.go
+++ b/cmd/http-server/main.go
@ -32,7 +32,7 @@ func main() {
 	r := gin.Default()
 	docs.SwaggerInfo.BasePath = "/api"
 	r.Use(cors.New(cors.Config{
-		AllowOrigins:     []string{"*"},
+		AllowOrigins:     []string{"http://localhost:5173"},
 		AllowMethods:     []string{"GET", "DELETE", "PUT", "PATCH", "OPTIONS"},
 		AllowHeaders:     []string{"Origin", "Content-Type"},
 		ExposeHeaders:    []string{"Content-Length"},
@ -44,6 +44,7 @@ func main() {
 	api := r.Group("/api")
 	{
 		api.GET("/ping", handlers.PingGet)
 		api.GET("/authping", middleware.AuthMiddleware(), handlers.PingGet)
 		userRoutes := api.Group("/user")
 		{
 			userRoutes.POST("/register", handlers.UserRegister)
--- a/consts/cookies.go
+++ b/consts/cookies.go
@ -0,0 +1,5 @@
 package consts
 const (
 	COOKIE_SESSION = "session"
 )
--- a/db/db.go
+++ b/db/db.go
@ -53,5 +53,6 @@ func Connect() *gorm.DB {
 	gormDB.AutoMigrate(&Transfer{})
 	gormDB.AutoMigrate(&User{})
 	gormDB.AutoMigrate(&Type{})
 	gormDB.AutoMigrate(&Session{})
 	return newUDB
 }
--- a/db/session.go
+++ b/db/session.go
@ -0,0 +1,10 @@
 package db
 import "time"
 type Session struct {
 	ID       string `gorm:"primaryKey"`
 	UserID   uint
 	User     *User
 	ExpireAt time.Time
 }
--- a/handlers/user.go
+++ b/handlers/user.go
@ -3,6 +3,7 @@ package handlers
 import (
 	"log"
 	"git.qowevisa.me/Qowevisa/fin-check-api/consts"
 	"git.qowevisa.me/Qowevisa/fin-check-api/db"
 	"git.qowevisa.me/Qowevisa/fin-check-api/tokens"
 	"git.qowevisa.me/Qowevisa/fin-check-api/types"
@ -47,9 +48,11 @@ func UserRegister(c *gin.Context) {
 		}
 		token1 = token
 	}
 	c.SetCookie(consts.COOKIE_SESSION, token1.Val, 3600, "/", "localhost", false, true)
 	acc := types.Account{
 		ID:       dbUser.ID,
 		Token:    token1.Val,
 		Username: dbUser.Username,
 	}
 	c.JSON(200, acc)
 }
@ -82,7 +85,7 @@ func UserLogin(c *gin.Context) {
 		return
 	}
 	if foundUser.ID == 0 {
-		c.JSON(500, types.ErrorResponse{Message: "Credentials are incorrect"})
+		c.JSON(400, types.ErrorResponse{Message: "Credentials are incorrect"})
 		return
 	}
 	var token1 *tokens.Token
@ -97,9 +100,13 @@ func UserLogin(c *gin.Context) {
 		}
 		token1 = token
 	}
 	c.SetCookie(consts.COOKIE_SESSION, token1.Val, 3600, "/", "localhost", false, true)
 	acc := types.Account{
 		ID:       foundUser.ID,
 		Token:    token1.Val,
 		Username: dbUser.Username,
 	}
 	c.JSON(200, acc)
 }
 func isSessionTokenForUserInvalid(userID uint) {}
--- a/middleware/auth.go
+++ b/middleware/auth.go
@ -1,8 +1,11 @@
 package middleware
 import (
-	"strings"
+	"errors"
 	"log"
 	"net/http"
 	"git.qowevisa.me/Qowevisa/fin-check-api/consts"
 	"git.qowevisa.me/Qowevisa/fin-check-api/tokens"
 	"git.qowevisa.me/Qowevisa/fin-check-api/types"
 	"github.com/gin-gonic/gin"
@ -11,31 +14,25 @@ import (
 // Passes UserID with `c.Set("UserID")` as it gets id from token
 func AuthMiddleware() gin.HandlerFunc {
 	return func(c *gin.Context) {
-		authHeader := c.GetHeader("Authorization")
+		token, err := c.Cookie(consts.COOKIE_SESSION)
-		if authHeader == "" {
+		if errors.Is(err, http.ErrNoCookie) {
-			c.JSON(401, types.ErrorResponse{Message: "Authorization header is required"})
+			c.JSON(401, types.ErrorResponse{Message: "Authorization cookie is required"})
 			c.Abort()
 			return
 		}
-
+		if !tokens.ValidateSessionToken(token) {
-		token := authHeader
+			c.JSON(401, types.ErrorResponse{Message: "Invalid authorization cookie"})
 		if strings.Index(token, "Bearer ") == 0 {
 			token = strings.Split(token, " ")[1]
 		}
 		if !tokens.AmIAllowed(token) {
 			c.JSON(401, types.ErrorResponse{Message: "Token is invalid"})
 			c.Abort()
 			return
 		}
-
+		session, err := tokens.GetSession(token)
-		if userID, err := tokens.GetID(token); err != nil {
+		if err != nil {
-			c.JSON(401, types.ErrorResponse{Message: "Token is invalid ERR4001"})
+			log.Printf("ERROR: tokens.GetSession: %v\n", err)
 			c.JSON(500, types.ErrorResponse{Message: "Server error"})
 			c.Abort()
 			return
 		} else {
 			c.Set("UserID", userID)
 		}
 		c.Set("UserID", session.UserID)
 		c.Next()
 	}
--- a/tokens/dispatcher.go
+++ b/tokens/dispatcher.go
@ -138,7 +138,7 @@ func AddToken(id uint) (*Token, error) {
 	_, exists := toks.Tokmap[id]
 	toks.Mu.RUnlock()
 	if exists {
-		return nil, ERROR_ALREADY_HAVE_TOKEN
+		// return nil, ERROR_ALREADY_HAVE_TOKEN
 	}
 	val := generateTokenVal()
 	token := &Token{
--- a/tokens/sessions.go
+++ b/tokens/sessions.go
@ -0,0 +1,58 @@
 package tokens
 import (
 	"crypto/sha256"
 	"log"
 	"time"
 	"git.qowevisa.me/Qowevisa/fin-check-api/db"
 )
 func getSalt() []byte {
 	return []byte("w40DJV3v1flySvFdxHWbBSJsIOaakkVs5FG7brq4oi1#nEz2fEZxpUfyBwkkww7f")
 }
 func CreateSessionFromToken(token string, userID uint) error {
 	salt := getSalt()
 	sessionID := sha256.New().Sum(append(salt, []byte(token)...))
 	dbc := db.Connect()
 	session := &db.Session{
 		ID:       string(sessionID),
 		UserID:   userID,
 		ExpireAt: time.Now().Add(time.Hour),
 	}
 	if err := dbc.Create(session).Error; err != nil {
 		return err
 	}
 	return nil
 }
 func ValidateSessionToken(token string) bool {
 	salt := getSalt()
 	sessionID := sha256.New().Sum(append(salt, []byte(token)...))
 	dbc := db.Connect()
 	session := &db.Session{}
 	if err := dbc.Find(session, sessionID).Error; err != nil {
 		log.Printf("DBERROR: %v\n", err)
 		return false
 	}
 	if session.ID == "" {
 		return false
 	}
 	if session.ExpireAt.Unix() < time.Now().Unix() {
 		dbc.Delete(session)
 		return false
 	}
 	return session.ID != ""
 }
 func GetSession(token string) (*db.Session, error) {
 	salt := getSalt()
 	sessionID := sha256.New().Sum(append(salt, []byte(token)...))
 	dbc := db.Connect()
 	session := &db.Session{}
 	if err := dbc.Find(session, sessionID).Error; err != nil {
 		return nil, err
 	}
 	return session, nil
 }
--- a/types/types.go
+++ b/types/types.go
@ -11,7 +11,8 @@ type User struct {
 // User Account
 type Account struct {
 	ID       uint   `json:"id" example:"1"`
-	Token string `json:"token" example:"Fvs-MnxiEs5dnqMp2mSDIJigPbiIUs6Snk1xxiqPmUc="`
+	Token    string `json:"token" example:"Fvs-MnxiEs5dnqMp2mSDIJigPbiIUs6Snk1xxiqPmUc"`
 	Username string `json:"username" example:"testUser"`
 }
 type Message struct {
@ -74,3 +75,8 @@ type DbPayment struct {
 	Note       string    `json:"not" example:"I'm a teapot"`
 	Date       time.Time `json:"date" example:"29/11/2001 12:00"`
 }
 type Session struct {
 	ID     string `json:"id"`
 	UserID uint   `json:"user_id" example:"1"`
 }
Author	SHA1	Message	Date
qowevisa	b3362d4a66	Change user handlers to set cookies on registration and log in	2024-11-06 19:48:02 +02:00
qowevisa	a7fb54eeb7	Change auth middleware to be session based on cookies	2024-11-06 19:47:40 +02:00
qowevisa	06e0a2d7ec	Add sessions in tokens package	2024-11-06 19:47:22 +02:00
qowevisa	e9ad95821e	Add db.Session type	2024-11-06 19:47:12 +02:00
qowevisa	c245039015	Add consts package with cookies name for session in it	2024-11-06 19:46:39 +02:00
qowevisa	1c4756c758	Add username for Account type in types package	2024-11-06 19:45:54 +02:00
qowevisa	08a409caaf	Add Session struct	2024-11-06 19:44:52 +02:00
qowevisa	a45423b5e2	For now disabling only one token for user	2024-11-06 19:44:10 +02:00
qowevisa	bfa8445f78	Change AllowOrigin from everything to Svelte frontend	2024-11-06 19:43:43 +02:00
qowevisa	fdc3ca101c	Add /api/authping endpoint	2024-11-06 19:43:20 +02:00