2017-10-04 19:35:59 -04:00
|
|
|
package handlers
|
2015-06-25 22:36:58 -04:00
|
|
|
|
|
|
|
import (
|
2017-10-03 11:24:07 -04:00
|
|
|
"crypto/rand"
|
|
|
|
"encoding/base64"
|
2015-06-25 22:36:58 -04:00
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
2017-10-03 11:24:07 -04:00
|
|
|
"io"
|
2016-10-04 08:40:26 -04:00
|
|
|
"log"
|
2015-06-25 22:36:58 -04:00
|
|
|
"net/http"
|
2017-10-07 06:21:05 -04:00
|
|
|
"strings"
|
2017-10-03 11:24:07 -04:00
|
|
|
"time"
|
2015-06-25 22:36:58 -04:00
|
|
|
)
|
|
|
|
|
|
|
|
type Session struct {
|
|
|
|
SessionId int64
|
|
|
|
SessionSecret string `json:"-"`
|
|
|
|
UserId int64
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *Session) Write(w http.ResponseWriter) error {
|
|
|
|
enc := json.NewEncoder(w)
|
|
|
|
return enc.Encode(s)
|
|
|
|
}
|
|
|
|
|
2017-10-07 06:21:05 -04:00
|
|
|
func (s *Session) Read(json_str string) error {
|
|
|
|
dec := json.NewDecoder(strings.NewReader(json_str))
|
|
|
|
return dec.Decode(s)
|
|
|
|
}
|
|
|
|
|
2017-10-14 14:20:50 -04:00
|
|
|
func GetSession(tx *Tx, r *http.Request) (*Session, error) {
|
2015-06-25 22:36:58 -04:00
|
|
|
var s Session
|
|
|
|
|
2017-10-03 11:24:07 -04:00
|
|
|
cookie, err := r.Cookie("moneygo-session")
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("moneygo-session cookie not set")
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
2017-10-03 11:24:07 -04:00
|
|
|
s.SessionSecret = cookie.Value
|
2015-06-25 22:36:58 -04:00
|
|
|
|
2017-10-14 14:20:50 -04:00
|
|
|
err = tx.SelectOne(&s, "SELECT * from sessions where SessionSecret=?", s.SessionSecret)
|
2015-06-25 22:36:58 -04:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return &s, nil
|
|
|
|
}
|
|
|
|
|
2017-10-14 14:20:50 -04:00
|
|
|
func DeleteSessionIfExists(tx *Tx, r *http.Request) error {
|
2017-10-14 19:41:13 -04:00
|
|
|
session, err := GetSession(tx, r)
|
2015-06-25 22:36:58 -04:00
|
|
|
if err == nil {
|
2017-10-14 14:20:50 -04:00
|
|
|
_, err := tx.Delete(session)
|
2017-10-11 05:49:08 -04:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
2017-10-11 05:49:08 -04:00
|
|
|
return nil
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
|
|
|
|
2017-10-03 11:24:07 -04:00
|
|
|
func NewSessionCookie() (string, error) {
|
|
|
|
bits := make([]byte, 128)
|
|
|
|
if _, err := io.ReadFull(rand.Reader, bits); err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
return base64.StdEncoding.EncodeToString(bits), nil
|
|
|
|
}
|
|
|
|
|
2017-10-14 14:20:50 -04:00
|
|
|
type NewSessionWriter struct {
|
|
|
|
session *Session
|
|
|
|
cookie *http.Cookie
|
|
|
|
}
|
|
|
|
|
|
|
|
func (n *NewSessionWriter) Write(w http.ResponseWriter) error {
|
|
|
|
http.SetCookie(w, n.cookie)
|
|
|
|
return n.session.Write(w)
|
|
|
|
}
|
|
|
|
|
|
|
|
func NewSession(tx *Tx, r *http.Request, userid int64) (*NewSessionWriter, error) {
|
2015-06-25 22:36:58 -04:00
|
|
|
s := Session{}
|
|
|
|
|
2017-10-03 11:24:07 -04:00
|
|
|
session_secret, err := NewSessionCookie()
|
2015-06-25 22:36:58 -04:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2017-10-03 11:24:07 -04:00
|
|
|
cookie := http.Cookie{
|
|
|
|
Name: "moneygo-session",
|
|
|
|
Value: session_secret,
|
|
|
|
Path: "/",
|
|
|
|
Domain: r.URL.Host,
|
|
|
|
Expires: time.Now().AddDate(0, 1, 0), // a month from now
|
|
|
|
Secure: true,
|
|
|
|
HttpOnly: true,
|
|
|
|
}
|
|
|
|
|
|
|
|
s.SessionSecret = session_secret
|
|
|
|
s.UserId = userid
|
|
|
|
|
2017-10-14 14:20:50 -04:00
|
|
|
err = tx.Insert(&s)
|
2015-06-25 22:36:58 -04:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2017-10-14 14:20:50 -04:00
|
|
|
return &NewSessionWriter{&s, &cookie}, nil
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
|
|
|
|
2017-11-12 20:17:27 -05:00
|
|
|
func SessionHandler(r *http.Request, context *Context) ResponseWriterWriter {
|
2015-06-25 22:36:58 -04:00
|
|
|
if r.Method == "POST" || r.Method == "PUT" {
|
2017-11-13 20:48:19 -05:00
|
|
|
var user User
|
|
|
|
if err := ReadJSON(r, &user); err != nil {
|
2017-10-14 14:20:50 -04:00
|
|
|
return NewError(3 /*Invalid Request*/)
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
|
|
|
|
2017-11-12 20:17:27 -05:00
|
|
|
dbuser, err := GetUserByUsername(context.Tx, user.Username)
|
2015-06-25 22:36:58 -04:00
|
|
|
if err != nil {
|
2017-10-14 14:20:50 -04:00
|
|
|
return NewError(2 /*Unauthorized Access*/)
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
user.HashPassword()
|
|
|
|
if user.PasswordHash != dbuser.PasswordHash {
|
2017-10-14 14:20:50 -04:00
|
|
|
return NewError(2 /*Unauthorized Access*/)
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
|
|
|
|
2017-11-12 20:17:27 -05:00
|
|
|
err = DeleteSessionIfExists(context.Tx, r)
|
2017-10-11 05:49:08 -04:00
|
|
|
if err != nil {
|
|
|
|
log.Print(err)
|
2017-10-14 14:20:50 -04:00
|
|
|
return NewError(999 /*Internal Error*/)
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
|
|
|
|
2017-11-12 20:17:27 -05:00
|
|
|
sessionwriter, err := NewSession(context.Tx, r, dbuser.UserId)
|
2016-10-04 08:40:26 -04:00
|
|
|
if err != nil {
|
|
|
|
log.Print(err)
|
2017-10-14 14:20:50 -04:00
|
|
|
return NewError(999 /*Internal Error*/)
|
2016-10-04 08:40:26 -04:00
|
|
|
}
|
2017-10-14 14:20:50 -04:00
|
|
|
return sessionwriter
|
2015-06-25 22:36:58 -04:00
|
|
|
} else if r.Method == "GET" {
|
2017-11-12 20:17:27 -05:00
|
|
|
s, err := GetSession(context.Tx, r)
|
2015-06-25 22:36:58 -04:00
|
|
|
if err != nil {
|
2017-10-14 14:20:50 -04:00
|
|
|
return NewError(1 /*Not Signed In*/)
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
|
|
|
|
2017-10-14 14:20:50 -04:00
|
|
|
return s
|
2015-06-25 22:36:58 -04:00
|
|
|
} else if r.Method == "DELETE" {
|
2017-11-12 20:17:27 -05:00
|
|
|
err := DeleteSessionIfExists(context.Tx, r)
|
2017-10-11 05:49:08 -04:00
|
|
|
if err != nil {
|
|
|
|
log.Print(err)
|
2017-10-14 14:20:50 -04:00
|
|
|
return NewError(999 /*Internal Error*/)
|
2017-10-11 05:49:08 -04:00
|
|
|
}
|
2017-10-14 14:20:50 -04:00
|
|
|
return SuccessWriter{}
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
2017-10-14 14:20:50 -04:00
|
|
|
return NewError(3 /*Invalid Request*/)
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|