functionally completed user editing
This commit is contained in:
z1glr
@@ -2,7 +2,6 @@ package availabilities
|
||||
|
||||
import (
|
||||
"github.com/johannesbuehl/golunteer/backend/pkg/db"
|
||||
"github.com/johannesbuehl/golunteer/backend/pkg/db/users"
|
||||
)
|
||||
|
||||
type eventAvailabilities struct {
|
||||
@@ -23,11 +22,9 @@ func Event(eventID int) (map[string]string, error) {
|
||||
// get the availabilities
|
||||
if availabilitiesMap, err := Keys(); err != nil {
|
||||
return nil, err
|
||||
} else if usersMap, err := users.Get(); err != nil {
|
||||
return nil, err
|
||||
} else {
|
||||
for _, a := range availabilitiesRows {
|
||||
eventAvailabilities[usersMap[a.UserName].Name] = availabilitiesMap[a.AvailabilityID].Text
|
||||
eventAvailabilities[a.UserName] = availabilitiesMap[a.AvailabilityID].Text
|
||||
}
|
||||
|
||||
return eventAvailabilities, nil
|
||||
|
||||
@@ -1,42 +1,45 @@
|
||||
package users
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"time"
|
||||
|
||||
"github.com/google/uuid"
|
||||
cache "github.com/jfarleyx/go-simple-cache"
|
||||
"github.com/johannesbuehl/golunteer/backend/pkg/db"
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
)
|
||||
|
||||
type User struct {
|
||||
Name string `db:"name"`
|
||||
Password []byte `db:"password"`
|
||||
TokenID string `db:"tokenID"`
|
||||
Admin bool `db:"admin"`
|
||||
Name string `db:"name" json:"userName"`
|
||||
Admin bool `db:"admin" json:"admin"`
|
||||
}
|
||||
|
||||
var c *cache.Cache
|
||||
|
||||
// hashes a password
|
||||
func hashPassword(password string) ([]byte, error) {
|
||||
return bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
|
||||
}
|
||||
|
||||
func Get() (map[string]User, error) {
|
||||
if users, hit := c.Get("users"); !hit {
|
||||
refresh()
|
||||
func Get() ([]User, error) {
|
||||
// get the users from the database
|
||||
var users []User
|
||||
|
||||
return nil, fmt.Errorf("users not cached")
|
||||
if err := db.DB.Select(&users, "SELECT name, admin FROM USERS"); err != nil {
|
||||
return nil, err
|
||||
} else {
|
||||
return users.(map[string]User), nil
|
||||
return users, nil
|
||||
}
|
||||
}
|
||||
|
||||
func TokenID(userName string) (string, error) {
|
||||
var dbResult struct {
|
||||
TokenID string `db:"tokenID"`
|
||||
}
|
||||
|
||||
err := db.DB.Get(&dbResult, "SELECT tokenID FROM USERS WHERE name = ?", userName)
|
||||
|
||||
return dbResult.TokenID, err
|
||||
}
|
||||
|
||||
type UserAdd struct {
|
||||
UserName string `json:"userName" validate:"required" db:"userName"`
|
||||
Password string `json:"password" validate:"required,min=12"`
|
||||
Password string `json:"password" validate:"required,min=12,max=64"`
|
||||
Admin bool `json:"admin" db:"admin"`
|
||||
}
|
||||
|
||||
@@ -55,13 +58,9 @@ func Add(user UserAdd) error {
|
||||
TokenID: uuid.NewString(),
|
||||
}
|
||||
|
||||
if _, err := db.DB.NamedExec("INSERT INTO USERS (name, password, admin, tokenID) VALUES (:userName, :password, :admin, :tokenID)", insertUser); err != nil {
|
||||
return err
|
||||
} else {
|
||||
refresh()
|
||||
_, err := db.DB.NamedExec("INSERT INTO USERS (name, password, admin, tokenID) VALUES (:userName, :password, :admin, :tokenID)", insertUser)
|
||||
|
||||
return nil
|
||||
}
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
@@ -88,33 +87,19 @@ func ChangePassword(user UserChangePassword) (string, error) {
|
||||
if _, err := db.DB.NamedExec("UPDATE USERS SET tokenID = :tokenID, password = :password WHERE name = :userName", execStruct); err != nil {
|
||||
return "", err
|
||||
} else {
|
||||
refresh()
|
||||
|
||||
return execStruct.TokenID, nil
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func refresh() {
|
||||
// get the usersRaw from the database
|
||||
var usersRaw []User
|
||||
func ChangeName(userName, newName string) error {
|
||||
_, err := db.DB.Exec("UPDATE USERS SET name = ? WHERE name = ?", newName, userName)
|
||||
|
||||
if err := db.DB.Select(&usersRaw, "SELECT * FROM USERS"); err == nil {
|
||||
// convert the result in a map
|
||||
users := map[string]User{}
|
||||
|
||||
for _, user := range usersRaw {
|
||||
users[user.Name] = user
|
||||
}
|
||||
|
||||
c.Set("users", users)
|
||||
}
|
||||
return err
|
||||
}
|
||||
|
||||
func init() {
|
||||
c = cache.New(24 * time.Hour)
|
||||
func SetAdmin(userName string, admin bool) error {
|
||||
_, err := db.DB.Exec("UPDATE USERS SET admin = ? WHERE name = ?", admin, userName)
|
||||
|
||||
c.OnExpired(refresh)
|
||||
|
||||
refresh()
|
||||
return err
|
||||
}
|
||||
|
||||
@@ -15,21 +15,23 @@ func handleWelcome(c *fiber.Ctx) error {
|
||||
Admin: false,
|
||||
}
|
||||
|
||||
if user, err := checkUser(c); err != nil {
|
||||
args := HandlerArgs{C: c}
|
||||
|
||||
if loggedIn, err := args.checkUser(); err != nil {
|
||||
response.Status = fiber.StatusInternalServerError
|
||||
|
||||
logger.Warn().Msgf("can't check user: %v", err)
|
||||
} else if user == nil {
|
||||
response.Status = fiber.StatusNoContent
|
||||
} else if !loggedIn {
|
||||
response.Status = fiber.StatusUnauthorized
|
||||
|
||||
logger.Debug().Msgf("user not authorized")
|
||||
} else {
|
||||
response.Data = UserChecked{
|
||||
UserName: user.UserName,
|
||||
Admin: user.Admin,
|
||||
UserName: args.User.UserName,
|
||||
Admin: args.User.Admin,
|
||||
}
|
||||
|
||||
logger.Debug().Msgf("welcomed user %q", user.UserName)
|
||||
logger.Debug().Msgf("welcomed user %q", args.User.UserName)
|
||||
}
|
||||
|
||||
return response.send(c)
|
||||
@@ -40,6 +42,8 @@ const messageWrongLogin = "Unkown user or wrong password"
|
||||
func handleLogin(c *fiber.Ctx) error {
|
||||
logger.Debug().Msgf("HTTP %s request: %q", c.Method(), c.OriginalURL())
|
||||
|
||||
args := HandlerArgs{C: c}
|
||||
|
||||
// extract username and password from the request
|
||||
requestBody := struct {
|
||||
Username string `json:"userName" validate:"required"`
|
||||
@@ -48,7 +52,7 @@ func handleLogin(c *fiber.Ctx) error {
|
||||
|
||||
var response responseMessage
|
||||
|
||||
if err := c.BodyParser(&requestBody); err != nil {
|
||||
if err := args.C.BodyParser(&requestBody); err != nil {
|
||||
logger.Debug().Msgf("can't parse login-body: %v", err)
|
||||
|
||||
response.Status = fiber.StatusBadRequest
|
||||
@@ -79,7 +83,7 @@ func handleLogin(c *fiber.Ctx) error {
|
||||
response.Status = fiber.StatusInternalServerError
|
||||
logger.Error().Msgf("can't create JWT: %v", err)
|
||||
} else {
|
||||
setSessionCookie(c, &jwt)
|
||||
args.setSessionCookie(&jwt)
|
||||
|
||||
response.Data = UserChecked{
|
||||
UserName: requestBody.Username,
|
||||
@@ -92,14 +96,18 @@ func handleLogin(c *fiber.Ctx) error {
|
||||
}
|
||||
}
|
||||
|
||||
return response.send(c)
|
||||
return response.send(args.C)
|
||||
}
|
||||
|
||||
// handles logout-requests
|
||||
func handleLogout(c *fiber.Ctx) error {
|
||||
logger.Debug().Msgf("HTTP %s request: %q", c.Method(), c.OriginalURL())
|
||||
|
||||
removeSessionCookie(c)
|
||||
args := HandlerArgs{
|
||||
C: c,
|
||||
}
|
||||
|
||||
args.removeSessionCookie()
|
||||
|
||||
return responseMessage{}.send(c)
|
||||
}
|
||||
|
||||
@@ -79,6 +79,7 @@ func init() {
|
||||
"events/availabilities": getEventsAvailabilities,
|
||||
"events/user/pending": getEventsUserPending,
|
||||
"tasks": getTasks,
|
||||
"users": getUsers,
|
||||
},
|
||||
"POST": {
|
||||
"events": postEvent,
|
||||
@@ -86,6 +87,7 @@ func init() {
|
||||
},
|
||||
"PATCH": {
|
||||
"users/password": patchPassword,
|
||||
"users": patchUser,
|
||||
},
|
||||
"DELETE": {
|
||||
"event": deleteEvent,
|
||||
@@ -104,24 +106,24 @@ func init() {
|
||||
logger.Debug().Msgf("HTTP %s request: %q", c.Method(), c.OriginalURL())
|
||||
|
||||
var response responseMessage
|
||||
args := HandlerArgs{
|
||||
C: c,
|
||||
}
|
||||
|
||||
if user, err := checkUser(c); err != nil {
|
||||
if loggedIn, err := args.checkUser(); err != nil {
|
||||
response = responseMessage{
|
||||
Status: fiber.StatusBadRequest,
|
||||
}
|
||||
|
||||
logger.Error().Msgf("can't check user: %v", err)
|
||||
} else if user == nil {
|
||||
} else if !loggedIn {
|
||||
response = responseMessage{
|
||||
Status: fiber.StatusNoContent,
|
||||
Status: fiber.StatusUnauthorized,
|
||||
}
|
||||
|
||||
logger.Log().Msgf("user not authorized")
|
||||
} else {
|
||||
response = handler(HandlerArgs{
|
||||
C: c,
|
||||
User: *user,
|
||||
})
|
||||
response = handler(args)
|
||||
}
|
||||
|
||||
return response.send(c)
|
||||
@@ -137,16 +139,16 @@ func Listen() {
|
||||
fmt.Println(err)
|
||||
}
|
||||
|
||||
func setSessionCookie(c *fiber.Ctx, jwt *string) {
|
||||
func (args HandlerArgs) setSessionCookie(jwt *string) {
|
||||
var value string
|
||||
|
||||
if jwt == nil {
|
||||
value = c.Cookies("session")
|
||||
value = args.C.Cookies("session")
|
||||
} else {
|
||||
value = *jwt
|
||||
}
|
||||
|
||||
c.Cookie(&fiber.Cookie{
|
||||
args.C.Cookie(&fiber.Cookie{
|
||||
Name: "session",
|
||||
Value: value,
|
||||
HTTPOnly: true,
|
||||
@@ -156,8 +158,8 @@ func setSessionCookie(c *fiber.Ctx, jwt *string) {
|
||||
}
|
||||
|
||||
// removes the session-coockie from a request
|
||||
func removeSessionCookie(c *fiber.Ctx) {
|
||||
c.Cookie(&fiber.Cookie{
|
||||
func (args HandlerArgs) removeSessionCookie() {
|
||||
args.C.Cookie(&fiber.Cookie{
|
||||
Name: "session",
|
||||
Value: "",
|
||||
HTTPOnly: true,
|
||||
@@ -219,11 +221,11 @@ type UserChecked struct {
|
||||
}
|
||||
|
||||
// checks wether the request is from a valid user
|
||||
func checkUser(c *fiber.Ctx) (*UserChecked, error) {
|
||||
userName, tokenID, err := extractJWT(c)
|
||||
func (args *HandlerArgs) checkUser() (bool, error) {
|
||||
userName, tokenID, err := extractJWT(args.C)
|
||||
|
||||
if err != nil {
|
||||
return nil, nil
|
||||
return false, nil
|
||||
}
|
||||
|
||||
var dbResult struct {
|
||||
@@ -232,19 +234,21 @@ func checkUser(c *fiber.Ctx) (*UserChecked, error) {
|
||||
}
|
||||
|
||||
// retrieve the user from the database
|
||||
if err := db.DB.QueryRowx("SELECT tokenID, admin FROM USERS WHERE name = ?", userName).StructScan(&dbResult); err != nil {
|
||||
return nil, err
|
||||
if err := db.DB.Get(&dbResult, "SELECT tokenID, admin FROM USERS WHERE name = ?", userName); err != nil {
|
||||
return false, err
|
||||
|
||||
// if the tokenID is valid, the user is authorized
|
||||
} else if dbResult.TokenID != tokenID {
|
||||
return nil, err
|
||||
return false, nil
|
||||
} else {
|
||||
// reset the expiration of the cookie
|
||||
setSessionCookie(c, nil)
|
||||
args.setSessionCookie(nil)
|
||||
|
||||
return &UserChecked{
|
||||
args.User = UserChecked{
|
||||
UserName: userName,
|
||||
Admin: dbResult.Admin,
|
||||
}, err
|
||||
}
|
||||
return true, nil
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
@@ -5,6 +5,25 @@ import (
|
||||
"github.com/johannesbuehl/golunteer/backend/pkg/db/users"
|
||||
)
|
||||
|
||||
func getUsers(args HandlerArgs) responseMessage {
|
||||
response := responseMessage{}
|
||||
|
||||
// check admin
|
||||
if !args.User.Admin {
|
||||
response.Status = fiber.StatusForbidden
|
||||
|
||||
logger.Log().Msgf("user is no admin")
|
||||
} else if users, err := users.Get(); err != nil {
|
||||
response.Status = fiber.StatusInternalServerError
|
||||
|
||||
logger.Error().Msgf("can't get users: %v", err)
|
||||
} else {
|
||||
response.Data = users
|
||||
}
|
||||
|
||||
return response
|
||||
}
|
||||
|
||||
func postUser(args HandlerArgs) responseMessage {
|
||||
response := responseMessage{}
|
||||
|
||||
@@ -63,12 +82,108 @@ func patchPassword(args HandlerArgs) responseMessage {
|
||||
|
||||
// if something failed, remove the current session-cookie
|
||||
}); err != nil {
|
||||
removeSessionCookie(args.C)
|
||||
args.removeSessionCookie()
|
||||
|
||||
// set the new session-cookie
|
||||
} else {
|
||||
// update the token in the session-cookie
|
||||
setSessionCookie(args.C, &jwt)
|
||||
args.setSessionCookie(&jwt)
|
||||
}
|
||||
}
|
||||
|
||||
return response
|
||||
}
|
||||
|
||||
func patchUser(args HandlerArgs) responseMessage {
|
||||
response := responseMessage{}
|
||||
// check admin
|
||||
if !args.User.Admin {
|
||||
response.Status = fiber.StatusForbidden
|
||||
|
||||
logger.Log().Msgf("user is no admin")
|
||||
} else {
|
||||
// parse the body
|
||||
var body struct {
|
||||
users.UserAdd
|
||||
NewName string `json:"newName"`
|
||||
}
|
||||
|
||||
if err := args.C.BodyParser(&body); err != nil {
|
||||
response.Status = fiber.StatusBadRequest
|
||||
|
||||
logger.Log().Msgf("can't parse body: %v", err)
|
||||
|
||||
// prevent to demoting self from admin
|
||||
} else if !body.Admin && body.UserName == args.User.UserName {
|
||||
response.Status = fiber.StatusBadRequest
|
||||
|
||||
logger.Warn().Msgf("can't demote self from admin")
|
||||
} else {
|
||||
// check for an empty user-name
|
||||
if len(body.UserName) == 0 {
|
||||
response.Status = fiber.StatusBadRequest
|
||||
|
||||
logger.Warn().Msgf("username is empty")
|
||||
|
||||
// if the password has length 0 assume the password shouldn't be changed
|
||||
} else {
|
||||
if len(body.Password) > 0 {
|
||||
// create a password-change-struct and validate it. use the old user-name, since the new isn't stored yet
|
||||
usePasswordChange := users.UserChangePassword{
|
||||
UserName: body.UserName,
|
||||
Password: body.Password,
|
||||
}
|
||||
|
||||
if _, err = users.ChangePassword(usePasswordChange); err != nil {
|
||||
response.Status = fiber.StatusInternalServerError
|
||||
|
||||
logger.Error().Msgf("can't change password: %v", err)
|
||||
|
||||
return response
|
||||
}
|
||||
}
|
||||
|
||||
// only change the name, if it differs
|
||||
if body.NewName != body.UserName {
|
||||
if err := users.ChangeName(body.UserName, body.NewName); err != nil {
|
||||
response.Status = fiber.StatusInternalServerError
|
||||
|
||||
logger.Error().Msgf("can't change user-name: %v", err)
|
||||
|
||||
return response
|
||||
}
|
||||
}
|
||||
|
||||
// set the admin-status
|
||||
if err := users.SetAdmin(body.NewName, body.Admin); err != nil {
|
||||
response.Status = fiber.StatusInternalServerError
|
||||
|
||||
logger.Error().Msgf("updating admin-status failed: %v", err)
|
||||
} else {
|
||||
// if we modified ourself, update the session-cookie
|
||||
if body.UserName == args.User.UserName {
|
||||
// get the tokenID
|
||||
if tokenID, err := users.TokenID(body.NewName); err != nil {
|
||||
response.Status = fiber.StatusInternalServerError
|
||||
|
||||
logger.Error().Msgf("can't get tokenID: %v", err)
|
||||
|
||||
} else if jwt, err := config.SignJWT(JWTPayload{
|
||||
UserName: body.NewName,
|
||||
TokenID: tokenID,
|
||||
}); err != nil {
|
||||
response.Status = fiber.StatusInternalServerError
|
||||
|
||||
logger.Error().Msgf("JWT-signing failed: %v", err)
|
||||
|
||||
// remove the session-cookie
|
||||
args.removeSessionCookie()
|
||||
} else {
|
||||
args.setSessionCookie(&jwt)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user