2017-10-04 19:35:59 -04:00
|
|
|
package handlers
|
2015-06-25 22:36:58 -04:00
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
2017-12-02 06:14:47 -05:00
|
|
|
"github.com/aclindsa/moneygo/internal/models"
|
2017-12-06 21:09:47 -05:00
|
|
|
"github.com/aclindsa/moneygo/internal/store"
|
2016-10-04 08:40:26 -04:00
|
|
|
"log"
|
2015-06-25 22:36:58 -04:00
|
|
|
"net/http"
|
2017-10-03 11:24:07 -04:00
|
|
|
"time"
|
2015-06-25 22:36:58 -04:00
|
|
|
)
|
|
|
|
|
|
2017-12-06 21:09:47 -05:00
|
|
|
func GetSession(tx store.Tx, r *http.Request) (*models.Session, error) {
|
2017-10-03 11:24:07 -04:00
|
|
|
cookie, err := r.Cookie("moneygo-session")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("moneygo-session cookie not set")
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
|
|
|
|
|
2017-12-06 21:09:47 -05:00
|
|
|
s, err := tx.GetSession(cookie.Value)
|
2015-06-25 22:36:58 -04:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2017-11-18 21:19:30 -05:00
|
|
|
|
|
|
|
|
if s.Expires.Before(time.Now()) {
|
2017-12-06 21:09:47 -05:00
|
|
|
err := tx.DeleteSession(s)
|
|
|
|
|
if err != nil {
|
|
|
|
|
log.Printf("Unexpected error when attempting to delete expired session: %s", err)
|
|
|
|
|
}
|
2017-11-18 21:19:30 -05:00
|
|
|
return nil, fmt.Errorf("Session has expired")
|
|
|
|
|
}
|
2017-12-06 21:09:47 -05:00
|
|
|
return s, nil
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
|
|
|
|
|
2017-12-06 21:09:47 -05:00
|
|
|
func DeleteSessionIfExists(tx store.Tx, r *http.Request) error {
|
2017-10-14 19:41:13 -04:00
|
|
|
session, err := GetSession(tx, r)
|
2015-06-25 22:36:58 -04:00
|
|
|
if err == nil {
|
2017-12-06 21:09:47 -05:00
|
|
|
err := tx.DeleteSession(session)
|
2017-10-11 05:49:08 -04:00
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
2017-10-11 05:49:08 -04:00
|
|
|
return nil
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
|
|
|
|
|
2017-10-14 14:20:50 -04:00
|
|
|
type NewSessionWriter struct {
|
2017-12-03 06:11:38 -05:00
|
|
|
session *models.Session
|
2017-10-14 14:20:50 -04:00
|
|
|
cookie *http.Cookie
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (n *NewSessionWriter) Write(w http.ResponseWriter) error {
|
|
|
|
|
http.SetCookie(w, n.cookie)
|
|
|
|
|
return n.session.Write(w)
|
|
|
|
|
}
|
|
|
|
|
|
2017-12-06 21:09:47 -05:00
|
|
|
func NewSession(tx store.Tx, r *http.Request, userid int64) (*NewSessionWriter, error) {
|
|
|
|
|
err := DeleteSessionIfExists(tx, r)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2017-12-03 06:11:38 -05:00
|
|
|
s, err := models.NewSession(userid)
|
2015-06-25 22:36:58 -04:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
|
2017-12-06 21:09:47 -05:00
|
|
|
exists, err := tx.SessionExists(s.SessionSecret)
|
2017-11-18 20:45:35 -05:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2017-12-06 21:09:47 -05:00
|
|
|
if exists {
|
|
|
|
|
return nil, fmt.Errorf("Session already exists with the generated session_secret")
|
2017-11-18 20:45:35 -05:00
|
|
|
}
|
|
|
|
|
|
2017-12-06 21:09:47 -05:00
|
|
|
err = tx.InsertSession(s)
|
2015-06-25 22:36:58 -04:00
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
2017-12-03 06:11:38 -05:00
|
|
|
|
|
|
|
|
return &NewSessionWriter{s, s.Cookie(r.URL.Host)}, nil
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
|
|
|
|
|
2017-11-12 20:17:27 -05:00
|
|
|
func SessionHandler(r *http.Request, context *Context) ResponseWriterWriter {
|
2015-06-25 22:36:58 -04:00
|
|
|
if r.Method == "POST" || r.Method == "PUT" {
|
2017-12-02 06:14:47 -05:00
|
|
|
var user models.User
|
2017-11-13 20:48:19 -05:00
|
|
|
if err := ReadJSON(r, &user); err != nil {
|
2017-10-14 14:20:50 -04:00
|
|
|
return NewError(3 /*Invalid Request*/)
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
|
|
|
|
|
2017-12-07 20:08:43 -05:00
|
|
|
// Hash password before checking username to help mitigate timing
|
|
|
|
|
// attacks
|
|
|
|
|
user.HashPassword()
|
|
|
|
|
|
2017-12-09 05:56:45 -05:00
|
|
|
dbuser, err := context.Tx.GetUserByUsername(user.Username)
|
2015-06-25 22:36:58 -04:00
|
|
|
if err != nil {
|
2017-10-14 14:20:50 -04:00
|
|
|
return NewError(2 /*Unauthorized Access*/)
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if user.PasswordHash != dbuser.PasswordHash {
|
2017-10-14 14:20:50 -04:00
|
|
|
return NewError(2 /*Unauthorized Access*/)
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
|
|
|
|
|
2017-12-09 05:56:45 -05:00
|
|
|
sessionwriter, err := NewSession(context.Tx, r, dbuser.UserId)
|
2016-10-04 08:40:26 -04:00
|
|
|
if err != nil {
|
|
|
|
|
log.Print(err)
|
2017-10-14 14:20:50 -04:00
|
|
|
return NewError(999 /*Internal Error*/)
|
2016-10-04 08:40:26 -04:00
|
|
|
}
|
2017-10-14 14:20:50 -04:00
|
|
|
return sessionwriter
|
2015-06-25 22:36:58 -04:00
|
|
|
} else if r.Method == "GET" {
|
2017-12-09 05:56:45 -05:00
|
|
|
s, err := GetSession(context.Tx, r)
|
2015-06-25 22:36:58 -04:00
|
|
|
if err != nil {
|
2017-10-14 14:20:50 -04:00
|
|
|
return NewError(1 /*Not Signed In*/)
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
|
|
|
|
|
2017-10-14 14:20:50 -04:00
|
|
|
return s
|
2015-06-25 22:36:58 -04:00
|
|
|
} else if r.Method == "DELETE" {
|
2017-12-09 05:56:45 -05:00
|
|
|
err := DeleteSessionIfExists(context.Tx, r)
|
2017-10-11 05:49:08 -04:00
|
|
|
if err != nil {
|
|
|
|
|
log.Print(err)
|
2017-10-14 14:20:50 -04:00
|
|
|
return NewError(999 /*Internal Error*/)
|
2017-10-11 05:49:08 -04:00
|
|
|
}
|
2017-10-14 14:20:50 -04:00
|
|
|
return SuccessWriter{}
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
2017-10-14 14:20:50 -04:00
|
|
|
return NewError(3 /*Invalid Request*/)
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
