Migrate to cookie based session (secure cookie)

finish sign-in sign-up
2022-10-21 16:57:10 +08:00
parent 8661c0081d
commit bc1095fc61
7 changed files with 114 additions and 30 deletions
--- a/auth/auth.go
+++ b/auth/auth.go
@@ -6,24 +6,34 @@ import (
 	"fmt"
 	"os"
 	"strings"
+	"time"

+	"github.com/gorilla/securecookie"
 	"golang.org/x/crypto/bcrypt"
 )

 type AuthStore interface {
 	Register(user, pass string) error
-	Authenticate(user, pass string) error
+	Login(user, pass string) (token string, err error)
+	Verify(token string) (session Session, err error)
 	Remove(user string) error
 }

+type Session struct {
+	User   string
+	Expiry time.Time
+}
+
 type Htpasswd struct {
 	accounts map[string]string
 	filePath string
+	cookie   *securecookie.SecureCookie
 }

-func NewHtpasswd(path string) (AuthStore, error) {
+func New(path string, hashKey []byte) (AuthStore, error) {
 	s := Htpasswd{
 		filePath: path,
+		cookie:   securecookie.New(hashKey, nil),
 	}
 	err := s.read()
 	return s, err
@@ -40,12 +50,29 @@ func (s Htpasswd) Register(user, pass string) (err error) {
 	return s.write()
 }

-func (s Htpasswd) Authenticate(user, pass string) (err error) {
+func (s Htpasswd) Login(user, pass string) (token string, err error) {
 	hashed, ok := s.accounts[user]
 	if !ok {
-		return errors.New("user not found")
+		return "", errors.New("user not found")
 	}
-	return bcrypt.CompareHashAndPassword([]byte(hashed), []byte(pass))
+	err = bcrypt.CompareHashAndPassword([]byte(hashed), []byte(pass))
+	if err != nil {
+		return "", errors.New("wrong password")
+	}
+	session := Session{
+		User:   user,
+		Expiry: time.Now().AddDate(0, 0, 7),
+	}
+	token, err = s.cookie.Encode("session", session)
+	if err != nil {
+		panic(err)
+	}
+	return
+}
+
+func (s Htpasswd) Verify(token string) (session Session, err error) {
+	err = s.cookie.Decode("session", token, &session)
+	return
 }

 func (s Htpasswd) Remove(user string) (err error) {
--- a/auth/auth_test.go
+++ b/auth/auth_test.go
@@ -5,6 +5,8 @@ import (
 	"io/ioutil"
 	"strings"
 	"testing"
+
+	"github.com/gorilla/securecookie"
 )

 type User struct {
@@ -14,6 +16,7 @@ type User struct {
 }

 func TestHtpasswdSuccess(t *testing.T) {
+	hashKey := securecookie.GenerateRandomKey(32)
 	path := "/tmp/.htpasswd"
 	user1 := User{
 		user:   "user",
@@ -25,15 +28,23 @@ func TestHtpasswdSuccess(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	store, err := NewHtpasswd(path)
+	store, err := New(path, hashKey)
 	if err != nil {
 		t.Fatal(err)
 	}
-	err = store.Authenticate(user1.user, user1.pass)
+	token, err := store.Login(user1.user, user1.pass)
 	if err != nil {
 		t.Error(err)
 	}

+	session, err := store.Verify(token)
+	if err != nil {
+		t.Error(err)
+	}
+	if session.User != user1.user {
+		t.Fatalf("expected %s, got %s", user1.user, session.User)
+	}
+
 	user2 := User{
 		user: "foo",
 		pass: "bar",
--- a/go.mod
+++ b/go.mod
@@ -10,6 +10,7 @@ require (
 	github.com/go-playground/universal-translator v0.18.0 // indirect
 	github.com/go-playground/validator/v10 v10.10.0 // indirect
 	github.com/goccy/go-json v0.9.7 // indirect
+	github.com/gorilla/securecookie v1.1.1 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/leodido/go-urn v1.2.1 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect
--- a/go.sum
+++ b/go.sum
@@ -19,6 +19,8 @@ github.com/goccy/go-json v0.9.7/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGF
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
--- a/main.go
+++ b/main.go
@@ -1,12 +1,13 @@
 package main

 import (
-	"errors"
 	"flag"
 	"log"
+	"net/http"
 	"text/template"

 	"github.com/gin-gonic/gin"
+	"github.com/gorilla/securecookie"
 	"github.com/lancatlin/ledger-quicknote/auth"
 )

@@ -33,9 +34,16 @@ func init() {
 	flag.StringVar(&LEDGER_INIT, "i", "", "ledger initiation file")
 	flag.StringVar(&WORKING_DIR, "w", "", "ledger working directory")
 	flag.StringVar(&HOST, "b", "127.0.0.1:8000", "binding address")
+	var hashKey string
+	flag.StringVar(&hashKey, "s", "", "session secret")
 	flag.Parse()
+
+	if hashKey == "" {
+		hashKey = string(securecookie.GenerateRandomKey(32))
+		log.Printf("Generate random session key: %s", hashKey)
+	}
 	var err error
-	store, err = auth.NewHtpasswd(HTPASSWD_FILE)
+	store, err = auth.New(HTPASSWD_FILE, []byte(hashKey))
 	if err != nil {
 		panic(err)
 	}
@@ -49,20 +57,14 @@ func main() {
 		c.HTML(200, "signup.html", nil)
 	})

-	r.POST("/signup", func(c *gin.Context) {
-		var user UserLogin
-		if err := c.ShouldBind(&user); err != nil {
-			c.HTML(400, "signup.html", err)
-			return
-		}
-		if err := store.Register(user.Email, user.Password); err != nil {
-			c.HTML(400, "signup.html", err)
-			return
-		}
-		c.Request.SetBasicAuth(user.Email, user.Password)
-		c.Redirect(303, "/dashboard")
+	r.GET("/signin", func(c *gin.Context) {
+		c.HTML(200, "signin.html", nil)
 	})

+	r.POST("/signup", signup)
+
+	r.POST("/signin", signin)
+
 	authZone := r.Group("", basicAuth)

 	authZone.GET("/dashboard", func(c *gin.Context) {
@@ -117,18 +119,18 @@ func main() {
 }

 func basicAuth(c *gin.Context) {
-	var user UserLogin
-	var ok bool
-	user.Email, user.Password, ok = c.Request.BasicAuth()
-	if !ok {
-		c.Header("WWW-Authenticate", "basic realm=\"Login to continue\"")
-		c.AbortWithError(401, errors.New("login required"))
+	cookie, err := c.Cookie("session")
+	if err == http.ErrNoCookie {
+		c.Redirect(303, "/signin")
 		return
 	}
-	if err := store.Authenticate(user.Email, user.Password); err != nil {
-		c.AbortWithError(401, err)
+	session, err := store.Verify(cookie)
+	if err != nil {
+		c.Redirect(303, "/signin")
 		return
 	}
-	c.Set("user", user)
+	c.Set("user", UserLogin{
+		Email: session.User,
+	})
 	c.Next()
 }
--- a/session.go
+++ b/session.go
@@ -0,0 +1,31 @@
+package main
+
+import "github.com/gin-gonic/gin"
+
+func signup(c *gin.Context) {
+	var user UserLogin
+	if err := c.ShouldBind(&user); err != nil {
+		c.HTML(400, "signup.html", err)
+		return
+	}
+	if err := store.Register(user.Email, user.Password); err != nil {
+		c.HTML(400, "signup.html", err)
+		return
+	}
+	signin(c)
+}
+
+func signin(c *gin.Context) {
+	var user UserLogin
+	if err := c.ShouldBind(&user); err != nil {
+		c.HTML(400, "signin.html", err)
+		return
+	}
+	token, err := store.Login(user.Email, user.Password)
+	if err != nil {
+		c.HTML(401, "signin.html", err)
+		return
+	}
+	c.SetCookie("session", token, 60*60*24*7, "", "", false, false)
+	c.Redirect(303, "/dashboard")
+}
--- a/templates/signin.html
+++ b/templates/signin.html
@@ -0,0 +1,10 @@
+{{ define "title" }}Sign Up{{ end }}
+{{ define "main" }}
+<h1>Sign In</h1>
+<form action="/signin" method="POST">
+    <label>Email: <input type="text" name="email"></label><br>
+    <label>Password: <input type="password" name="password"></label><br>
+    {{ with .Error }}<p class="error">{{ . }}</p>{{ end }}
+    <input type="submit" value="Sign Up">
+</form>
+{{ end }}