functionally completed user editing

2025-01-12 02:01:14 +00:00
parent ac6bf24d57
commit 0685283007
18 changed files with 410 additions and 132 deletions
--- a/backend/pkg/router/login.go
+++ b/backend/pkg/router/login.go
@@ -15,21 +15,23 @@ func handleWelcome(c *fiber.Ctx) error {
 		Admin: false,
 	}

-	if user, err := checkUser(c); err != nil {
+	args := HandlerArgs{C: c}
+
+	if loggedIn, err := args.checkUser(); err != nil {
 		response.Status = fiber.StatusInternalServerError

 		logger.Warn().Msgf("can't check user: %v", err)
-	} else if user == nil {
-		response.Status = fiber.StatusNoContent
+	} else if !loggedIn {
+		response.Status = fiber.StatusUnauthorized

 		logger.Debug().Msgf("user not authorized")
 	} else {
 		response.Data = UserChecked{
-			UserName: user.UserName,
-			Admin:    user.Admin,
+			UserName: args.User.UserName,
+			Admin:    args.User.Admin,
 		}

-		logger.Debug().Msgf("welcomed user %q", user.UserName)
+		logger.Debug().Msgf("welcomed user %q", args.User.UserName)
 	}

 	return response.send(c)
@@ -40,6 +42,8 @@ const messageWrongLogin = "Unkown user or wrong password"
 func handleLogin(c *fiber.Ctx) error {
 	logger.Debug().Msgf("HTTP %s request: %q", c.Method(), c.OriginalURL())

+	args := HandlerArgs{C: c}
+
 	// extract username and password from the request
 	requestBody := struct {
 		Username string `json:"userName" validate:"required"`
@@ -48,7 +52,7 @@ func handleLogin(c *fiber.Ctx) error {

 	var response responseMessage

-	if err := c.BodyParser(&requestBody); err != nil {
+	if err := args.C.BodyParser(&requestBody); err != nil {
 		logger.Debug().Msgf("can't parse login-body: %v", err)

 		response.Status = fiber.StatusBadRequest
@@ -79,7 +83,7 @@ func handleLogin(c *fiber.Ctx) error {
 					response.Status = fiber.StatusInternalServerError
 					logger.Error().Msgf("can't create JWT: %v", err)
 				} else {
-					setSessionCookie(c, &jwt)
+					args.setSessionCookie(&jwt)

 					response.Data = UserChecked{
 						UserName: requestBody.Username,
@@ -92,14 +96,18 @@ func handleLogin(c *fiber.Ctx) error {
 		}
 	}

-	return response.send(c)
+	return response.send(args.C)
 }

 // handles logout-requests
 func handleLogout(c *fiber.Ctx) error {
 	logger.Debug().Msgf("HTTP %s request: %q", c.Method(), c.OriginalURL())

-	removeSessionCookie(c)
+	args := HandlerArgs{
+		C: c,
+	}
+
+	args.removeSessionCookie()

 	return responseMessage{}.send(c)
 }
--- a/backend/pkg/router/router.go
+++ b/backend/pkg/router/router.go
@@ -79,6 +79,7 @@ func init() {
 			"events/availabilities": getEventsAvailabilities,
 			"events/user/pending":   getEventsUserPending,
 			"tasks":                 getTasks,
+			"users":                 getUsers,
 		},
 		"POST": {
 			"events": postEvent,
@@ -86,6 +87,7 @@ func init() {
 		},
 		"PATCH": {
 			"users/password": patchPassword,
+			"users":          patchUser,
 		},
 		"DELETE": {
 			"event": deleteEvent,
@@ -104,24 +106,24 @@ func init() {
 				logger.Debug().Msgf("HTTP %s request: %q", c.Method(), c.OriginalURL())

 				var response responseMessage
+				args := HandlerArgs{
+					C: c,
+				}

-				if user, err := checkUser(c); err != nil {
+				if loggedIn, err := args.checkUser(); err != nil {
 					response = responseMessage{
 						Status: fiber.StatusBadRequest,
 					}

 					logger.Error().Msgf("can't check user: %v", err)
-				} else if user == nil {
+				} else if !loggedIn {
 					response = responseMessage{
-						Status: fiber.StatusNoContent,
+						Status: fiber.StatusUnauthorized,
 					}

 					logger.Log().Msgf("user not authorized")
 				} else {
-					response = handler(HandlerArgs{
-						C:    c,
-						User: *user,
-					})
+					response = handler(args)
 				}

 				return response.send(c)
@@ -137,16 +139,16 @@ func Listen() {
 	fmt.Println(err)
 }

-func setSessionCookie(c *fiber.Ctx, jwt *string) {
+func (args HandlerArgs) setSessionCookie(jwt *string) {
 	var value string

 	if jwt == nil {
-		value = c.Cookies("session")
+		value = args.C.Cookies("session")
 	} else {
 		value = *jwt
 	}

-	c.Cookie(&fiber.Cookie{
+	args.C.Cookie(&fiber.Cookie{
 		Name:     "session",
 		Value:    value,
 		HTTPOnly: true,
@@ -156,8 +158,8 @@ func setSessionCookie(c *fiber.Ctx, jwt *string) {
 }

 // removes the session-coockie from a request
-func removeSessionCookie(c *fiber.Ctx) {
-	c.Cookie(&fiber.Cookie{
+func (args HandlerArgs) removeSessionCookie() {
+	args.C.Cookie(&fiber.Cookie{
 		Name:     "session",
 		Value:    "",
 		HTTPOnly: true,
@@ -219,11 +221,11 @@ type UserChecked struct {
 }

 // checks wether the request is from a valid user
-func checkUser(c *fiber.Ctx) (*UserChecked, error) {
-	userName, tokenID, err := extractJWT(c)
+func (args *HandlerArgs) checkUser() (bool, error) {
+	userName, tokenID, err := extractJWT(args.C)

 	if err != nil {
-		return nil, nil
+		return false, nil
 	}

 	var dbResult struct {
@@ -232,19 +234,21 @@ func checkUser(c *fiber.Ctx) (*UserChecked, error) {
 	}

 	// retrieve the user from the database
-	if err := db.DB.QueryRowx("SELECT tokenID, admin FROM USERS WHERE name = ?", userName).StructScan(&dbResult); err != nil {
-		return nil, err
+	if err := db.DB.Get(&dbResult, "SELECT tokenID, admin FROM USERS WHERE name = ?", userName); err != nil {
+		return false, err

 		// if the tokenID is valid, the user is authorized
 	} else if dbResult.TokenID != tokenID {
-		return nil, err
+		return false, nil
 	} else {
 		// reset the expiration of the cookie
-		setSessionCookie(c, nil)
+		args.setSessionCookie(nil)

-		return &UserChecked{
+		args.User = UserChecked{
 			UserName: userName,
 			Admin:    dbResult.Admin,
-		}, err
+		}
+		return true, nil
+
 	}
 }
--- a/backend/pkg/router/user.go
+++ b/backend/pkg/router/user.go
@@ -5,6 +5,25 @@ import (
 	"github.com/johannesbuehl/golunteer/backend/pkg/db/users"
 )

+func getUsers(args HandlerArgs) responseMessage {
+	response := responseMessage{}
+
+	// check admin
+	if !args.User.Admin {
+		response.Status = fiber.StatusForbidden
+
+		logger.Log().Msgf("user is no admin")
+	} else if users, err := users.Get(); err != nil {
+		response.Status = fiber.StatusInternalServerError
+
+		logger.Error().Msgf("can't get users: %v", err)
+	} else {
+		response.Data = users
+	}
+
+	return response
+}
+
 func postUser(args HandlerArgs) responseMessage {
 	response := responseMessage{}

@@ -63,12 +82,108 @@ func patchPassword(args HandlerArgs) responseMessage {

 			// if something failed, remove the current session-cookie
 		}); err != nil {
-			removeSessionCookie(args.C)
+			args.removeSessionCookie()

 			// set the new session-cookie
 		} else {
 			// update the token in the session-cookie
-			setSessionCookie(args.C, &jwt)
+			args.setSessionCookie(&jwt)
+		}
+	}
+
+	return response
+}
+
+func patchUser(args HandlerArgs) responseMessage {
+	response := responseMessage{}
+	// check admin
+	if !args.User.Admin {
+		response.Status = fiber.StatusForbidden
+
+		logger.Log().Msgf("user is no admin")
+	} else {
+		// parse the body
+		var body struct {
+			users.UserAdd
+			NewName string `json:"newName"`
+		}
+
+		if err := args.C.BodyParser(&body); err != nil {
+			response.Status = fiber.StatusBadRequest
+
+			logger.Log().Msgf("can't parse body: %v", err)
+
+			// prevent to demoting self from admin
+		} else if !body.Admin && body.UserName == args.User.UserName {
+			response.Status = fiber.StatusBadRequest
+
+			logger.Warn().Msgf("can't demote self from admin")
+		} else {
+			// check for an empty user-name
+			if len(body.UserName) == 0 {
+				response.Status = fiber.StatusBadRequest
+
+				logger.Warn().Msgf("username is empty")
+
+				// if the password has length 0 assume the password shouldn't be changed
+			} else {
+				if len(body.Password) > 0 {
+					// create a password-change-struct and validate it. use the old user-name, since the new isn't stored yet
+					usePasswordChange := users.UserChangePassword{
+						UserName: body.UserName,
+						Password: body.Password,
+					}
+
+					if _, err = users.ChangePassword(usePasswordChange); err != nil {
+						response.Status = fiber.StatusInternalServerError
+
+						logger.Error().Msgf("can't change password: %v", err)
+
+						return response
+					}
+				}
+
+				// only change the name, if it differs
+				if body.NewName != body.UserName {
+					if err := users.ChangeName(body.UserName, body.NewName); err != nil {
+						response.Status = fiber.StatusInternalServerError
+
+						logger.Error().Msgf("can't change user-name: %v", err)
+
+						return response
+					}
+				}
+
+				// set the admin-status
+				if err := users.SetAdmin(body.NewName, body.Admin); err != nil {
+					response.Status = fiber.StatusInternalServerError
+
+					logger.Error().Msgf("updating admin-status failed: %v", err)
+				} else {
+					// if we modified ourself, update the session-cookie
+					if body.UserName == args.User.UserName {
+						// get the tokenID
+						if tokenID, err := users.TokenID(body.NewName); err != nil {
+							response.Status = fiber.StatusInternalServerError
+
+							logger.Error().Msgf("can't get tokenID: %v", err)
+
+						} else if jwt, err := config.SignJWT(JWTPayload{
+							UserName: body.NewName,
+							TokenID:  tokenID,
+						}); err != nil {
+							response.Status = fiber.StatusInternalServerError
+
+							logger.Error().Msgf("JWT-signing failed: %v", err)
+
+							// remove the session-cookie
+							args.removeSessionCookie()
+						} else {
+							args.setSessionCookie(&jwt)
+						}
+					}
+				}
+			}
 		}
 	}