2017-10-04 19:35:59 -04:00
|
|
|
package handlers
|
2015-06-25 22:36:58 -04:00
|
|
|
|
|
|
|
import (
|
2017-10-03 11:24:07 -04:00
|
|
|
"crypto/rand"
|
|
|
|
"encoding/base64"
|
2015-06-25 22:36:58 -04:00
|
|
|
"encoding/json"
|
|
|
|
"fmt"
|
2017-10-03 11:24:07 -04:00
|
|
|
"io"
|
2016-10-04 08:40:26 -04:00
|
|
|
"log"
|
2015-06-25 22:36:58 -04:00
|
|
|
"net/http"
|
2017-10-07 06:21:05 -04:00
|
|
|
"strings"
|
2017-10-03 11:24:07 -04:00
|
|
|
"time"
|
2015-06-25 22:36:58 -04:00
|
|
|
)
|
|
|
|
|
|
|
|
type Session struct {
|
|
|
|
SessionId int64
|
|
|
|
SessionSecret string `json:"-"`
|
|
|
|
UserId int64
|
|
|
|
}
|
|
|
|
|
|
|
|
func (s *Session) Write(w http.ResponseWriter) error {
|
|
|
|
enc := json.NewEncoder(w)
|
|
|
|
return enc.Encode(s)
|
|
|
|
}
|
|
|
|
|
2017-10-07 06:21:05 -04:00
|
|
|
func (s *Session) Read(json_str string) error {
|
|
|
|
dec := json.NewDecoder(strings.NewReader(json_str))
|
|
|
|
return dec.Decode(s)
|
|
|
|
}
|
|
|
|
|
2017-10-04 08:05:51 -04:00
|
|
|
func GetSession(db *DB, r *http.Request) (*Session, error) {
|
2015-06-25 22:36:58 -04:00
|
|
|
var s Session
|
|
|
|
|
2017-10-03 11:24:07 -04:00
|
|
|
cookie, err := r.Cookie("moneygo-session")
|
|
|
|
if err != nil {
|
|
|
|
return nil, fmt.Errorf("moneygo-session cookie not set")
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
2017-10-03 11:24:07 -04:00
|
|
|
s.SessionSecret = cookie.Value
|
2015-06-25 22:36:58 -04:00
|
|
|
|
2017-10-04 08:05:51 -04:00
|
|
|
err = db.SelectOne(&s, "SELECT * from sessions where SessionSecret=?", s.SessionSecret)
|
2015-06-25 22:36:58 -04:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
return &s, nil
|
|
|
|
}
|
|
|
|
|
2017-10-11 05:49:08 -04:00
|
|
|
func DeleteSessionIfExists(db *DB, r *http.Request) error {
|
2017-10-04 08:05:51 -04:00
|
|
|
// TODO do this in one transaction
|
|
|
|
session, err := GetSession(db, r)
|
2015-06-25 22:36:58 -04:00
|
|
|
if err == nil {
|
2017-10-11 05:49:08 -04:00
|
|
|
_, err := db.Delete(session)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
2017-10-11 05:49:08 -04:00
|
|
|
return nil
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
|
|
|
|
2017-10-03 11:24:07 -04:00
|
|
|
func NewSessionCookie() (string, error) {
|
|
|
|
bits := make([]byte, 128)
|
|
|
|
if _, err := io.ReadFull(rand.Reader, bits); err != nil {
|
|
|
|
return "", err
|
|
|
|
}
|
|
|
|
return base64.StdEncoding.EncodeToString(bits), nil
|
|
|
|
}
|
|
|
|
|
2017-10-04 08:05:51 -04:00
|
|
|
func NewSession(db *DB, w http.ResponseWriter, r *http.Request, userid int64) (*Session, error) {
|
2015-06-25 22:36:58 -04:00
|
|
|
s := Session{}
|
|
|
|
|
2017-10-03 11:24:07 -04:00
|
|
|
session_secret, err := NewSessionCookie()
|
2015-06-25 22:36:58 -04:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
2017-10-03 11:24:07 -04:00
|
|
|
cookie := http.Cookie{
|
|
|
|
Name: "moneygo-session",
|
|
|
|
Value: session_secret,
|
|
|
|
Path: "/",
|
|
|
|
Domain: r.URL.Host,
|
|
|
|
Expires: time.Now().AddDate(0, 1, 0), // a month from now
|
|
|
|
Secure: true,
|
|
|
|
HttpOnly: true,
|
|
|
|
}
|
|
|
|
http.SetCookie(w, &cookie)
|
|
|
|
|
|
|
|
s.SessionSecret = session_secret
|
|
|
|
s.UserId = userid
|
|
|
|
|
2017-10-04 08:05:51 -04:00
|
|
|
err = db.Insert(&s)
|
2015-06-25 22:36:58 -04:00
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2017-10-03 11:24:07 -04:00
|
|
|
return &s, nil
|
2015-06-25 22:36:58 -04:00
|
|
|
}
|
|
|
|
|
2017-10-04 08:05:51 -04:00
|
|
|
func SessionHandler(w http.ResponseWriter, r *http.Request, db *DB) {
|
2015-06-25 22:36:58 -04:00
|
|
|
if r.Method == "POST" || r.Method == "PUT" {
|
|
|
|
user_json := r.PostFormValue("user")
|
|
|
|
if user_json == "" {
|
|
|
|
WriteError(w, 3 /*Invalid Request*/)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
user := User{}
|
|
|
|
err := user.Read(user_json)
|
|
|
|
if err != nil {
|
|
|
|
WriteError(w, 3 /*Invalid Request*/)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2017-10-04 08:05:51 -04:00
|
|
|
dbuser, err := GetUserByUsername(db, user.Username)
|
2015-06-25 22:36:58 -04:00
|
|
|
if err != nil {
|
|
|
|
WriteError(w, 2 /*Unauthorized Access*/)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
user.HashPassword()
|
|
|
|
if user.PasswordHash != dbuser.PasswordHash {
|
|
|
|
WriteError(w, 2 /*Unauthorized Access*/)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2017-10-11 05:49:08 -04:00
|
|
|
err = DeleteSessionIfExists(db, r)
|
|
|
|
if err != nil {
|
|
|
|
WriteError(w, 999 /*Internal Error*/)
|
|
|
|
log.Print(err)
|
|
|
|
return
|
|
|
|
}
|
2015-06-25 22:36:58 -04:00
|
|
|
|
2017-10-04 08:05:51 -04:00
|
|
|
session, err := NewSession(db, w, r, dbuser.UserId)
|
2015-06-25 22:36:58 -04:00
|
|
|
if err != nil {
|
|
|
|
WriteError(w, 999 /*Internal Error*/)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2016-10-04 08:40:26 -04:00
|
|
|
err = session.Write(w)
|
|
|
|
if err != nil {
|
|
|
|
WriteError(w, 999 /*Internal Error*/)
|
|
|
|
log.Print(err)
|
|
|
|
return
|
|
|
|
}
|
2015-06-25 22:36:58 -04:00
|
|
|
} else if r.Method == "GET" {
|
2017-10-04 08:05:51 -04:00
|
|
|
s, err := GetSession(db, r)
|
2015-06-25 22:36:58 -04:00
|
|
|
if err != nil {
|
|
|
|
WriteError(w, 1 /*Not Signed In*/)
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
|
|
|
s.Write(w)
|
|
|
|
} else if r.Method == "DELETE" {
|
2017-10-11 05:49:08 -04:00
|
|
|
err := DeleteSessionIfExists(db, r)
|
|
|
|
if err != nil {
|
|
|
|
WriteError(w, 999 /*Internal Error*/)
|
|
|
|
log.Print(err)
|
|
|
|
return
|
|
|
|
}
|
2015-06-25 22:36:58 -04:00
|
|
|
WriteSuccess(w)
|
|
|
|
}
|
|
|
|
}
|