Migrate to cookie based session (secure cookie)

finish sign-in sign-up

.gitignore

@@ -2,3 +2,4 @@
 test.txt
 ledger-quicknote
 *.txt
+.htpasswd

auth/auth.go

@@ -6,31 +6,82 @@ import (
 	"fmt"
 	"os"
 	"strings"
+	"time"
 
+	"github.com/gorilla/securecookie"
 	"golang.org/x/crypto/bcrypt"
 )
 
 type AuthStore interface {
 	Register(user, pass string) error
-	Authenticate(user, pass string) error
+	Login(user, pass string) (token string, err error)
+	Verify(token string) (session Session, err error)
 	Remove(user string) error
 }
 
+type Session struct {
+	User   string
+	Expiry time.Time
+}
+
 type Htpasswd struct {
 	accounts map[string]string
 	filePath string
+	cookie   *securecookie.SecureCookie
 }
 
-func NewHtpasswd(path string) (AuthStore, error) {
+func New(path string, hashKey []byte) (AuthStore, error) {
 	s := Htpasswd{
 		filePath: path,
+		cookie:   securecookie.New(hashKey, nil),
 	}
 	err := s.read()
 	return s, err
 }
 
+func (s Htpasswd) Register(user, pass string) (err error) {
+	if _, ok := s.accounts[user]; ok {
+		return errors.New("user already exists")
+	}
+	s.accounts[user], err = hash(pass)
+	if err != nil {
+		return
+	}
+	return s.write()
+}
+
+func (s Htpasswd) Login(user, pass string) (token string, err error) {
+	hashed, ok := s.accounts[user]
+	if !ok {
+		return "", errors.New("user not found")
+	}
+	err = bcrypt.CompareHashAndPassword([]byte(hashed), []byte(pass))
+	if err != nil {
+		return "", errors.New("wrong password")
+	}
+	session := Session{
+		User:   user,
+		Expiry: time.Now().AddDate(0, 0, 7),
+	}
+	token, err = s.cookie.Encode("session", session)
+	if err != nil {
+		panic(err)
+	}
+	return
+}
+
+func (s Htpasswd) Verify(token string) (session Session, err error) {
+	err = s.cookie.Decode("session", token, &session)
+	return
+}
+
+func (s Htpasswd) Remove(user string) (err error) {
+	delete(s.accounts, user)
+	return s.write()
+}
+
 func (s *Htpasswd) read() (err error) {
-	file, err := os.Open(s.filePath)
+	file, err := os.OpenFile(s.filePath, os.O_RDONLY|os.O_CREATE, 0600)
 	if err != nil {
 		return err
 	}
@@ -66,27 +117,6 @@ func (s *Htpasswd) write() (err error) {
 	return nil
 }
 
-func (s Htpasswd) Register(user, pass string) (err error) {
-	s.accounts[user], err = hash(pass)
-	if err != nil {
-		return
-	}
-	return s.write()
-}
-
-func (s Htpasswd) Authenticate(user, pass string) (err error) {
-	hashed, ok := s.accounts[user]
-	if !ok {
-		return errors.New("user not found")
-	}
-	return bcrypt.CompareHashAndPassword([]byte(hashed), []byte(pass))
-}
-
-func (s Htpasswd) Remove(user string) (err error) {
-	delete(s.accounts, user)
-	return s.write()
-}
-
 func hash(pass string) (string, error) {
 	output, err := bcrypt.GenerateFromPassword([]byte(pass), bcrypt.DefaultCost)
 	return string(output), err

auth/auth_test.go

@@ -5,6 +5,8 @@ import (
 	"io/ioutil"
 	"strings"
 	"testing"
+
+	"github.com/gorilla/securecookie"
 )
 
 type User struct {
@@ -14,6 +16,7 @@ type User struct {
 }
 
 func TestHtpasswdSuccess(t *testing.T) {
+	hashKey := securecookie.GenerateRandomKey(32)
 	path := "/tmp/.htpasswd"
 	user1 := User{
 		user:   "user",
@@ -25,15 +28,23 @@ func TestHtpasswdSuccess(t *testing.T) {
 	if err != nil {
 		t.Fatal(err)
 	}
-	store, err := NewHtpasswd(path)
+	store, err := New(path, hashKey)
 	if err != nil {
 		t.Fatal(err)
 	}
-	err = store.Authenticate(user1.user, user1.pass)
+	token, err := store.Login(user1.user, user1.pass)
 	if err != nil {
 		t.Error(err)
 	}
 
+	session, err := store.Verify(token)
+	if err != nil {
+		t.Error(err)
+	}
+	if session.User != user1.user {
+		t.Fatalf("expected %s, got %s", user1.user, session.User)
+	}
+
 	user2 := User{
 		user: "foo",
 		pass: "bar",

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/go-playground/universal-translator v0.18.0 // indirect
 	github.com/go-playground/validator/v10 v10.10.0 // indirect
 	github.com/goccy/go-json v0.9.7 // indirect
+	github.com/gorilla/securecookie v1.1.1 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/leodido/go-urn v1.2.1 // indirect
 	github.com/mattn/go-isatty v0.0.14 // indirect

go.sum

@@ -19,6 +19,8 @@ github.com/goccy/go-json v0.9.7/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGF
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
+github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=

main.go

@@ -1,18 +1,14 @@
 package main
 
 import (
-	"bytes"
 	"flag"
-	"fmt"
-	"io"
 	"log"
-	"os"
-	"os/exec"
-	"strings"
+	"net/http"
 	"text/template"
-	"time"
 
 	"github.com/gin-gonic/gin"
+	"github.com/gorilla/securecookie"
+	"github.com/lancatlin/ledger-quicknote/auth"
 )
 
 var ledgerTpl *template.Template
@@ -23,12 +19,13 @@ var LEDGER_INIT string
 var WORKING_DIR string
 var HOST string
 
-type TxData struct {
-	Action  string `form:"action" binding:"required"`
-	Name    string `form:"name"`
-	Date    string
-	Amount  string `form:"amount" binding:"required"`
-	Account string `form:"account"`
+var store auth.AuthStore
+
+const HTPASSWD_FILE = ".htpasswd"
+
+type UserLogin struct {
+	Email    string `form:"email" binding:"required"`
+	Password string `form:"password" binding:"required"`
 }
 
 func init() {
@@ -37,13 +34,40 @@ func init() {
 	flag.StringVar(&LEDGER_INIT, "i", "", "ledger initiation file")
 	flag.StringVar(&WORKING_DIR, "w", "", "ledger working directory")
 	flag.StringVar(&HOST, "b", "127.0.0.1:8000", "binding address")
+	var hashKey string
+	flag.StringVar(&hashKey, "s", "", "session secret")
 	flag.Parse()
+
+	if hashKey == "" {
+		hashKey = string(securecookie.GenerateRandomKey(32))
+		log.Printf("Generate random session key: %s", hashKey)
+	}
+	var err error
+	store, err = auth.New(HTPASSWD_FILE, []byte(hashKey))
+	if err != nil {
+		panic(err)
+	}
 }
 
 func main() {
 	r := gin.Default()
 	r.HTMLRender = loadTemplates("templates")
-	r.GET("/", func(c *gin.Context) {
+
+	r.GET("/signup", func(c *gin.Context) {
+		c.HTML(200, "signup.html", nil)
+	})
+
+	r.GET("/signin", func(c *gin.Context) {
+		c.HTML(200, "signin.html", nil)
+	})
+
+	r.POST("/signup", signup)
+
+	r.POST("/signin", signin)
+
+	authZone := r.Group("", basicAuth)
+
+	authZone.GET("/dashboard", func(c *gin.Context) {
 		c.HTML(200, "index.html", struct {
 			Templates []*template.Template
 			Scripts   map[string][]string
@@ -53,7 +77,7 @@ func main() {
 		})
 	})
 
-	r.POST("/new", func(c *gin.Context) {
+	authZone.POST("/new", func(c *gin.Context) {
 		var data TxData
 		if err := c.ShouldBind(&data); err != nil {
 			c.AbortWithError(400, err)
@@ -70,7 +94,7 @@ func main() {
 		}{tx})
 	})
 
-	r.POST("/submit", func(c *gin.Context) {
+	authZone.POST("/submit", func(c *gin.Context) {
 		tx := c.PostForm("tx")
 		if err := appendToFile(tx); err != nil {
 			c.AbortWithError(500, err)
@@ -82,7 +106,7 @@ func main() {
 		}{tx})
 	})
 
-	r.GET("/exec", func(c *gin.Context) {
+	authZone.GET("/exec", func(c *gin.Context) {
 		name, _ := c.GetQuery("name")
 		if err := executeScript(c.Writer, name); err != nil {
 			c.AbortWithError(500, err)
@@ -94,33 +118,19 @@ func main() {
 	log.Fatal(r.Run(HOST))
 }
 
-func newTx(data TxData) (result string, err error) {
-	data.Date = time.Now().Format("2006/01/02")
-	var buf bytes.Buffer
-	err = ledgerTpl.ExecuteTemplate(&buf, data.Action, data)
-	return buf.String(), nil
-}
-
-func appendToFile(tx string) (err error) {
-	f, err := os.OpenFile(LEDGER_FILE, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0644)
+func basicAuth(c *gin.Context) {
+	cookie, err := c.Cookie("session")
+	if err == http.ErrNoCookie {
+		c.Redirect(303, "/signin")
+		return
+	}
+	session, err := store.Verify(cookie)
 	if err != nil {
-		return err
+		c.Redirect(303, "/signin")
+		return
 	}
-	defer f.Close()
-
-	buf := strings.NewReader(strings.ReplaceAll(tx, "\r", "")) // Remove CR generated from browser
-	_, err = io.Copy(f, buf)
-	return err
-}
-
-func executeScript(w io.Writer, name string) (err error) {
-	script, ok := SCRIPTS[name]
-	if !ok {
-		return fmt.Errorf("%s script not found", name)
-	}
-	cmd := exec.Command("ledger", append([]string{"--init-file", LEDGER_INIT, "--file", LEDGER_FILE}, script...)...)
-	cmd.Dir = WORKING_DIR
-	cmd.Stdout = w
-	cmd.Stderr = w
-	return cmd.Run()
+	c.Set("user", UserLogin{
+		Email: session.User,
+	})
+	c.Next()
 }

session.go

@@ -0,0 +1,31 @@
+package main
+
+import "github.com/gin-gonic/gin"
+
+func signup(c *gin.Context) {
+	var user UserLogin
+	if err := c.ShouldBind(&user); err != nil {
+		c.HTML(400, "signup.html", err)
+		return
+	}
+	if err := store.Register(user.Email, user.Password); err != nil {
+		c.HTML(400, "signup.html", err)
+		return
+	}
+	signin(c)
+}
+
+func signin(c *gin.Context) {
+	var user UserLogin
+	if err := c.ShouldBind(&user); err != nil {
+		c.HTML(400, "signin.html", err)
+		return
+	}
+	token, err := store.Login(user.Email, user.Password)
+	if err != nil {
+		c.HTML(401, "signin.html", err)
+		return
+	}
+	c.SetCookie("session", token, 60*60*24*7, "", "", false, false)
+	c.Redirect(303, "/dashboard")
+}

templates/error.html

@@ -0,0 +1,4 @@
+{{ define "title" }}Error{{ end }}
+{{ define "main" }}
+<p class="error">{{ .Error }}</p>
+{{ end }}

templates/signin.html

@@ -0,0 +1,10 @@
+{{ define "title" }}Sign Up{{ end }}
+{{ define "main" }}
+<h1>Sign In</h1>
+<form action="/signin" method="POST">
+    <label>Email: <input type="text" name="email"></label><br>
+    <label>Password: <input type="password" name="password"></label><br>
+    {{ with .Error }}<p class="error">{{ . }}</p>{{ end }}
+    <input type="submit" value="Sign Up">
+</form>
+{{ end }}

templates/signup.html

@@ -0,0 +1,10 @@
+{{ define "title" }}Sign Up{{ end }}
+{{ define "main" }}
+<h1>Sign Up</h1>
+<form action="/signup" method="POST">
+    <label>Email: <input type="text" name="email"></label><br>
+    <label>Password: <input type="password" name="password"></label><br>
+    {{ with .Error }}<p class="error">{{ . }}</p>{{ end }}
+    <input type="submit" value="Sign Up">
+</form>
+{{ end }}

tx.go

@@ -0,0 +1,50 @@
+package main
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"os"
+	"os/exec"
+	"strings"
+	"time"
+)
+
+type TxData struct {
+	Action  string `form:"action" binding:"required"`
+	Name    string `form:"name"`
+	Date    string
+	Amount  string `form:"amount" binding:"required"`
+	Account string `form:"account"`
+}
+
+func newTx(data TxData) (result string, err error) {
+	data.Date = time.Now().Format("2006/01/02")
+	var buf bytes.Buffer
+	err = ledgerTpl.ExecuteTemplate(&buf, data.Action, data)
+	return buf.String(), nil
+}
+
+func appendToFile(tx string) (err error) {
+	f, err := os.OpenFile(LEDGER_FILE, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0644)
+	if err != nil {
+		return err
+	}
+	defer f.Close()
+
+	buf := strings.NewReader(strings.ReplaceAll(tx, "\r", "")) // Remove CR generated from browser
+	_, err = io.Copy(f, buf)
+	return err
+}
+
+func executeScript(w io.Writer, name string) (err error) {
+	script, ok := SCRIPTS[name]
+	if !ok {
+		return fmt.Errorf("%s script not found", name)
+	}
+	cmd := exec.Command("ledger", append([]string{"--init-file", LEDGER_INIT, "--file", LEDGER_FILE}, script...)...)
+	cmd.Dir = WORKING_DIR
+	cmd.Stdout = w
+	cmd.Stderr = w
+	return cmd.Run()
+}