1
0
mirror of https://github.com/aclindsa/moneygo.git synced 2024-10-30 15:50:04 -04:00
moneygo/internal/handlers/sessions.go

124 lines
2.7 KiB
Go
Raw Normal View History

package handlers
2015-06-25 22:36:58 -04:00
import (
"fmt"
"github.com/aclindsa/moneygo/internal/models"
"github.com/aclindsa/moneygo/internal/store"
"log"
2015-06-25 22:36:58 -04:00
"net/http"
"time"
2015-06-25 22:36:58 -04:00
)
func GetSession(tx store.Tx, r *http.Request) (*models.Session, error) {
cookie, err := r.Cookie("moneygo-session")
if err != nil {
return nil, fmt.Errorf("moneygo-session cookie not set")
2015-06-25 22:36:58 -04:00
}
s, err := tx.GetSession(cookie.Value)
2015-06-25 22:36:58 -04:00
if err != nil {
return nil, err
}
if s.Expires.Before(time.Now()) {
err := tx.DeleteSession(s)
if err != nil {
log.Printf("Unexpected error when attempting to delete expired session: %s", err)
}
return nil, fmt.Errorf("Session has expired")
}
return s, nil
2015-06-25 22:36:58 -04:00
}
func DeleteSessionIfExists(tx store.Tx, r *http.Request) error {
session, err := GetSession(tx, r)
2015-06-25 22:36:58 -04:00
if err == nil {
err := tx.DeleteSession(session)
if err != nil {
return err
}
2015-06-25 22:36:58 -04:00
}
return nil
2015-06-25 22:36:58 -04:00
}
type NewSessionWriter struct {
2017-12-03 06:11:38 -05:00
session *models.Session
cookie *http.Cookie
}
func (n *NewSessionWriter) Write(w http.ResponseWriter) error {
http.SetCookie(w, n.cookie)
return n.session.Write(w)
}
func NewSession(tx store.Tx, r *http.Request, userid int64) (*NewSessionWriter, error) {
err := DeleteSessionIfExists(tx, r)
if err != nil {
return nil, err
}
2017-12-03 06:11:38 -05:00
s, err := models.NewSession(userid)
2015-06-25 22:36:58 -04:00
if err != nil {
return nil, err
}
exists, err := tx.SessionExists(s.SessionSecret)
if err != nil {
return nil, err
}
if exists {
return nil, fmt.Errorf("Session already exists with the generated session_secret")
}
err = tx.InsertSession(s)
2015-06-25 22:36:58 -04:00
if err != nil {
return nil, err
}
2017-12-03 06:11:38 -05:00
return &NewSessionWriter{s, s.Cookie(r.URL.Host)}, nil
2015-06-25 22:36:58 -04:00
}
func SessionHandler(r *http.Request, context *Context) ResponseWriterWriter {
2015-06-25 22:36:58 -04:00
if r.Method == "POST" || r.Method == "PUT" {
var user models.User
if err := ReadJSON(r, &user); err != nil {
return NewError(3 /*Invalid Request*/)
2015-06-25 22:36:58 -04:00
}
2017-12-07 20:08:43 -05:00
// Hash password before checking username to help mitigate timing
// attacks
user.HashPassword()
dbuser, err := context.StoreTx.GetUserByUsername(user.Username)
2015-06-25 22:36:58 -04:00
if err != nil {
return NewError(2 /*Unauthorized Access*/)
2015-06-25 22:36:58 -04:00
}
if user.PasswordHash != dbuser.PasswordHash {
return NewError(2 /*Unauthorized Access*/)
2015-06-25 22:36:58 -04:00
}
sessionwriter, err := NewSession(context.StoreTx, r, dbuser.UserId)
if err != nil {
log.Print(err)
return NewError(999 /*Internal Error*/)
}
return sessionwriter
2015-06-25 22:36:58 -04:00
} else if r.Method == "GET" {
s, err := GetSession(context.StoreTx, r)
2015-06-25 22:36:58 -04:00
if err != nil {
return NewError(1 /*Not Signed In*/)
2015-06-25 22:36:58 -04:00
}
return s
2015-06-25 22:36:58 -04:00
} else if r.Method == "DELETE" {
err := DeleteSessionIfExists(context.StoreTx, r)
if err != nil {
log.Print(err)
return NewError(999 /*Internal Error*/)
}
return SuccessWriter{}
2015-06-25 22:36:58 -04:00
}
return NewError(3 /*Invalid Request*/)
2015-06-25 22:36:58 -04:00
}