Moved auth to container. Added tests for auth.

container/auth.go

@@ -0,0 +1,196 @@
+package container
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+	"time"
+
+	"goweb/config"
+	"goweb/ent"
+	"goweb/ent/passwordtoken"
+	"goweb/ent/user"
+
+	"github.com/labstack/echo-contrib/session"
+	"github.com/labstack/echo/v4"
+	"golang.org/x/crypto/bcrypt"
+)
+
+const (
+	// sessionName stores the name of the session which contains authentication data
+	sessionName = "ua"
+
+	// sessionKeyUserID stores the key used to store the user ID in the session
+	sessionKeyUserID = "user_id"
+
+	// sessionKeyAuthenticated stores the key used to store the authentication status in the session
+	sessionKeyAuthenticated = "authenticated"
+)
+
+// NotAuthenticatedError is an error returned when a user is not authenticated
+type NotAuthenticatedError struct{}
+
+// Error implements the error interface.
+func (e NotAuthenticatedError) Error() string {
+	return "user not authenticated"
+}
+
+// InvalidTokenError is an error returned when an invalid token is provided
+type InvalidTokenError struct{}
+
+// Error implements the error interface.
+func (e InvalidTokenError) Error() string {
+	return "invalid token"
+}
+
+// AuthClient is the AuthClient that handles authentication requests
+type AuthClient struct {
+	config *config.Config
+	orm    *ent.Client
+}
+
+// NewAuthClient creates a new authentication AuthClient
+func NewAuthClient(cfg *config.Config, orm *ent.Client) *AuthClient {
+	return &AuthClient{
+		config: cfg,
+		orm:    orm,
+	}
+}
+
+// Login logs in a user of a given ID
+func (c *AuthClient) Login(ctx echo.Context, userID int) error {
+	sess, err := session.Get(sessionName, ctx)
+	if err != nil {
+		return err
+	}
+	sess.Values[sessionKeyUserID] = userID
+	sess.Values[sessionKeyAuthenticated] = true
+	return sess.Save(ctx.Request(), ctx.Response())
+}
+
+// Logout logs the requesting user out
+func (c *AuthClient) Logout(ctx echo.Context) error {
+	sess, err := session.Get(sessionName, ctx)
+	if err != nil {
+		return err
+	}
+	sess.Values[sessionKeyAuthenticated] = false
+	return sess.Save(ctx.Request(), ctx.Response())
+}
+
+// GetAuthenticatedUserID returns the authenticated user's ID, if the user is logged in
+func (c *AuthClient) GetAuthenticatedUserID(ctx echo.Context) (int, error) {
+	sess, err := session.Get(sessionName, ctx)
+	if err != nil {
+		return 0, err
+	}
+
+	if sess.Values[sessionKeyAuthenticated] == true {
+		return sess.Values[sessionKeyUserID].(int), nil
+	}
+
+	return 0, NotAuthenticatedError{}
+}
+
+// GetAuthenticatedUser returns the authenticated user if the user is logged in
+func (c *AuthClient) GetAuthenticatedUser(ctx echo.Context) (*ent.User, error) {
+	if userID, err := c.GetAuthenticatedUserID(ctx); err == nil {
+		return c.orm.User.Query().
+			Where(user.ID(userID)).
+			Only(ctx.Request().Context())
+	}
+
+	return nil, NotAuthenticatedError{}
+}
+
+// HashPassword returns a hash of a given password
+func (c *AuthClient) HashPassword(password string) (string, error) {
+	hash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		return "", err
+	}
+	return string(hash), nil
+}
+
+// CheckPassword check if a given password matches a given hash
+func (c *AuthClient) CheckPassword(password, hash string) error {
+	return bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
+}
+
+// GeneratePasswordResetToken generates a password reset token for a given user.
+// For security purposes, the token itself is not stored in the database but rather
+// a hash of the token, exactly how passwords are handled. This method returns both
+// the generated token as well as the token entity which only contains the hash.
+func (c *AuthClient) GeneratePasswordResetToken(ctx echo.Context, userID int) (string, *ent.PasswordToken, error) {
+	// Generate the token, which is what will go in the URL, but not the database
+	token, err := c.RandomToken(c.config.App.PasswordToken.Length)
+	if err != nil {
+		return "", nil, err
+	}
+
+	// Hash the token, which is what will be stored in the database
+	hash, err := c.HashPassword(token)
+	if err != nil {
+		return "", nil, err
+	}
+
+	// Create and save the password reset token
+	pt, err := c.orm.PasswordToken.
+		Create().
+		SetHash(hash).
+		SetUserID(userID).
+		Save(ctx.Request().Context())
+
+	return token, pt, err
+}
+
+// GetValidPasswordToken returns a valid password token entity for a given user and a given token.
+// Since the actual token is not stored in the database for security purposes, all non-expired token entities
+// are fetched from the database belonging to the requesting user and a hash of the provided token is compared
+// with the hash stored in the database.
+func (c *AuthClient) GetValidPasswordToken(ctx echo.Context, token string, userID int) (*ent.PasswordToken, error) {
+	// Ensure expired tokens are never returned
+	expiration := time.Now().Add(-c.config.App.PasswordToken.Expiration)
+
+	// Query to find all tokens for te user that haven't expired
+	// We need to get all of them in order to properly match the token to the hashes
+	pts, err := c.orm.PasswordToken.
+		Query().
+		Where(passwordtoken.HasUserWith(user.ID(userID))).
+		Where(passwordtoken.CreatedAtGTE(expiration)).
+		All(ctx.Request().Context())
+
+	if err != nil {
+		ctx.Logger().Error(err)
+		return nil, err
+	}
+
+	// Check all tokens for a hash match
+	for _, pt := range pts {
+		if err := c.CheckPassword(token, pt.Hash); err == nil {
+			return pt, nil
+		}
+	}
+
+	return nil, InvalidTokenError{}
+}
+
+// DeletePasswordTokens deletes all password tokens in the database for a belonging to a given user.
+// This should be called after a successful password reset.
+func (c *AuthClient) DeletePasswordTokens(ctx echo.Context, userID int) error {
+	_, err := c.orm.PasswordToken.
+		Delete().
+		Where(passwordtoken.HasUserWith(user.ID(userID))).
+		Exec(ctx.Request().Context())
+
+	return err
+}
+
+// RandomToken generates a random token string of a given length
+func (c *AuthClient) RandomToken(length int) (string, error) {
+	b := make([]byte, (length/2)+1)
+	if _, err := rand.Read(b); err != nil {
+		return "", err
+	}
+	token := hex.EncodeToString(b)
+	return token[:length], nil
+}

container/auth_test.go

@@ -0,0 +1,105 @@
+package container
+
+import (
+	"context"
+	"errors"
+	"testing"
+
+	"goweb/ent/passwordtoken"
+	"goweb/ent/user"
+
+	"github.com/gorilla/sessions"
+	"github.com/labstack/echo-contrib/session"
+	"github.com/labstack/echo/v4"
+	"github.com/stretchr/testify/require"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestAuth(t *testing.T) {
+	// Simulate an HTTP request through the session middleware to initiate the session
+	mw := session.Middleware(sessions.NewCookieStore([]byte("secret")))
+	handler := mw(echo.NotFoundHandler)
+	assert.Error(t, handler(ctx))
+
+	assertNoAuth := func() {
+		_, err := c.Auth.GetAuthenticatedUserID(ctx)
+		assert.True(t, errors.Is(err, NotAuthenticatedError{}))
+		_, err = c.Auth.GetAuthenticatedUser(ctx)
+		assert.True(t, errors.Is(err, NotAuthenticatedError{}))
+	}
+
+	assertNoAuth()
+
+	err := c.Auth.Login(ctx, usr.ID)
+	require.NoError(t, err)
+
+	uid, err := c.Auth.GetAuthenticatedUserID(ctx)
+	require.NoError(t, err)
+	assert.Equal(t, usr.ID, uid)
+
+	u, err := c.Auth.GetAuthenticatedUser(ctx)
+	require.NoError(t, err)
+	assert.Equal(t, u.ID, usr.ID)
+
+	err = c.Auth.Logout(ctx)
+	require.NoError(t, err)
+
+	assertNoAuth()
+}
+
+func TestPasswordHashing(t *testing.T) {
+	pw := "testcheckpassword"
+	hash, err := c.Auth.HashPassword(pw)
+	assert.NoError(t, err)
+	assert.NotEqual(t, hash, pw)
+	err = c.Auth.CheckPassword(pw, hash)
+	assert.NoError(t, err)
+}
+
+func TestGeneratePasswordResetToken(t *testing.T) {
+	token, pt, err := c.Auth.GeneratePasswordResetToken(ctx, usr.ID)
+	require.NoError(t, err)
+	assert.Len(t, token, c.Config.App.PasswordToken.Length)
+	assert.NoError(t, c.Auth.CheckPassword(token, pt.Hash))
+}
+
+func TestGetValidPasswordToken(t *testing.T) {
+	_, err := c.Auth.GetValidPasswordToken(ctx, "faketoken", usr.ID)
+	assert.Error(t, err)
+
+	token, pt, err := c.Auth.GeneratePasswordResetToken(ctx, usr.ID)
+	require.NoError(t, err)
+	pt2, err := c.Auth.GetValidPasswordToken(ctx, token, usr.ID)
+	require.NoError(t, err)
+	assert.Equal(t, pt.ID, pt2.ID)
+}
+
+func TestDeletePasswordTokens(t *testing.T) {
+	for i := 0; i < 3; i++ {
+		_, _, err := c.Auth.GeneratePasswordResetToken(ctx, usr.ID)
+		require.NoError(t, err)
+	}
+
+	err := c.Auth.DeletePasswordTokens(ctx, usr.ID)
+	require.NoError(t, err)
+
+	count, err := c.ORM.PasswordToken.
+		Query().
+		Where(passwordtoken.HasUserWith(user.ID(usr.ID))).
+		Count(context.Background())
+
+	require.NoError(t, err)
+	assert.Equal(t, 0, count)
+}
+
+func TestRandomToken(t *testing.T) {
+	length := 64
+	a, err := c.Auth.RandomToken(length)
+	require.NoError(t, err)
+	b, err := c.Auth.RandomToken(length)
+	require.NoError(t, err)
+	assert.Len(t, a, 64)
+	assert.Len(t, b, 64)
+	assert.NotEqual(t, a, b)
+}

container/container.go

@@ -5,7 +5,6 @@ import (
 	"database/sql"
 	"fmt"
 
-	"goweb/auth"
 	"goweb/mail"
 
 	"entgo.io/ent/dialect"
@@ -28,7 +27,7 @@ type Container struct {
 	Database *sql.DB
 	ORM      *ent.Client
 	Mail     *mail.Client
-	Auth     *auth.Client
+	Auth     *AuthClient
 }
 
 func NewContainer() *Container {
@@ -130,5 +129,5 @@ func (c *Container) initMail() {
 }
 
 func (c *Container) initAuth() {
-	c.Auth = auth.NewClient(c.Config, c.ORM)
+	c.Auth = NewAuthClient(c.Config, c.ORM)
 }

container/container_test.go

@@ -1,18 +1,53 @@
 package container
 
 import (
+	"context"
+	"net/http"
+	"net/http/httptest"
 	"os"
+	"strings"
 	"testing"
 
 	"goweb/config"
+	"goweb/ent"
+
+	"github.com/labstack/echo/v4"
 
 	"github.com/stretchr/testify/assert"
 )
 
+var (
+	c   *Container
+	ctx echo.Context
+	usr *ent.User
+	rec *httptest.ResponseRecorder
+)
+
 func TestMain(m *testing.M) {
 	// Set the environment to test
 	config.SwitchEnvironment(config.EnvTest)
 
+	// Create a new container
+	c = NewContainer()
+
+	// Create a web context
+	req := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(""))
+	rec = httptest.NewRecorder()
+	ctx = c.Web.NewContext(req, rec)
+
+	// Create a test user
+	var err error
+	usr, err = c.ORM.User.
+		Create().
+		SetEmail("test@test.dev").
+		SetPassword("abc").
+		SetName("Test User").
+		Save(context.Background())
+
+	if err != nil {
+		panic(err)
+	}
+
 	// Run tests
 	exitVal := m.Run()
 	os.Exit(exitVal)