mirror of
https://github.com/lordmathis/lemma.git
synced 2025-11-05 23:44:22 +00:00
Migrate backend auth to cookies
This commit is contained in:
@@ -1,11 +1,14 @@
|
||||
package handlers
|
||||
|
||||
import (
|
||||
"crypto/rand"
|
||||
"encoding/hex"
|
||||
"encoding/json"
|
||||
"net/http"
|
||||
"novamd/internal/auth"
|
||||
"novamd/internal/context"
|
||||
"novamd/internal/models"
|
||||
"time"
|
||||
|
||||
"golang.org/x/crypto/bcrypt"
|
||||
)
|
||||
@@ -18,27 +21,15 @@ type LoginRequest struct {
|
||||
|
||||
// LoginResponse represents a user login response
|
||||
type LoginResponse struct {
|
||||
AccessToken string `json:"accessToken"`
|
||||
RefreshToken string `json:"refreshToken"`
|
||||
User *models.User `json:"user"`
|
||||
Session *models.Session `json:"session"`
|
||||
}
|
||||
|
||||
// RefreshRequest represents a refresh token request
|
||||
type RefreshRequest struct {
|
||||
RefreshToken string `json:"refreshToken"`
|
||||
}
|
||||
|
||||
// RefreshResponse represents a refresh token response
|
||||
type RefreshResponse struct {
|
||||
AccessToken string `json:"accessToken"`
|
||||
User *models.User `json:"user"`
|
||||
SessionID string `json:"sessionId,omitempty"`
|
||||
ExpiresAt time.Time `json:"expiresAt,omitempty"`
|
||||
}
|
||||
|
||||
// Login godoc
|
||||
// @Summary Login
|
||||
// @Description Logs in a user
|
||||
// @Description Logs in a user and returns a session with access and refresh tokens
|
||||
// @Tags auth
|
||||
// @ID login
|
||||
// @Accept json
|
||||
// @Produce json
|
||||
// @Param body body LoginRequest true "Login request"
|
||||
@@ -48,7 +39,7 @@ type RefreshResponse struct {
|
||||
// @Failure 401 {object} ErrorResponse "Invalid credentials"
|
||||
// @Failure 500 {object} ErrorResponse "Failed to create session"
|
||||
// @Router /auth/login [post]
|
||||
func (h *Handler) Login(authService *auth.SessionService) http.HandlerFunc {
|
||||
func (h *Handler) Login(authService *auth.SessionService, cookieService auth.CookieService) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
var req LoginRequest
|
||||
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
||||
@@ -83,12 +74,27 @@ func (h *Handler) Login(authService *auth.SessionService) http.HandlerFunc {
|
||||
return
|
||||
}
|
||||
|
||||
// Prepare response
|
||||
// Generate CSRF token
|
||||
csrfToken := make([]byte, 32)
|
||||
if _, err := rand.Read(csrfToken); err != nil {
|
||||
respondError(w, "Failed to generate CSRF token", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
csrfTokenString := hex.EncodeToString(csrfToken)
|
||||
|
||||
// Set cookies
|
||||
http.SetCookie(w, cookieService.GenerateAccessTokenCookie(accessToken))
|
||||
http.SetCookie(w, cookieService.GenerateRefreshTokenCookie(session.RefreshToken))
|
||||
http.SetCookie(w, cookieService.GenerateCSRFCookie(csrfTokenString))
|
||||
|
||||
// Send CSRF token in header for initial setup
|
||||
w.Header().Set("X-CSRF-Token", csrfTokenString)
|
||||
|
||||
// Only send user info in response, not tokens
|
||||
response := LoginResponse{
|
||||
AccessToken: accessToken,
|
||||
RefreshToken: session.RefreshToken,
|
||||
User: user,
|
||||
Session: session,
|
||||
User: user,
|
||||
SessionID: session.ID,
|
||||
ExpiresAt: session.ExpiresAt,
|
||||
}
|
||||
|
||||
respondJSON(w, response)
|
||||
@@ -100,25 +106,30 @@ func (h *Handler) Login(authService *auth.SessionService) http.HandlerFunc {
|
||||
// @Description Log out invalidates the user's session
|
||||
// @Tags auth
|
||||
// @ID logout
|
||||
// @Security BearerAuth
|
||||
// @Success 204 "No Content"
|
||||
// @Failure 400 {object} ErrorResponse "Session ID required"
|
||||
// @Failure 500 {object} ErrorResponse "Failed to logout"
|
||||
// @Router /auth/logout [post]
|
||||
func (h *Handler) Logout(authService *auth.SessionService) http.HandlerFunc {
|
||||
func (h *Handler) Logout(authService *auth.SessionService, cookieService auth.CookieService) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
sessionID := r.Header.Get("X-Session-ID")
|
||||
if sessionID == "" {
|
||||
respondError(w, "Session ID required", http.StatusBadRequest)
|
||||
// Get session ID from cookie
|
||||
sessionCookie, err := r.Cookie("access_token")
|
||||
if err != nil {
|
||||
http.Error(w, "Unauthorized", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
err := authService.InvalidateSession(sessionID)
|
||||
if err != nil {
|
||||
respondError(w, "Failed to logout", http.StatusInternalServerError)
|
||||
// Invalidate the session in the database
|
||||
if err := authService.InvalidateSession(sessionCookie.Value); err != nil {
|
||||
respondError(w, "Failed to invalidate session", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
// Clear cookies
|
||||
http.SetCookie(w, cookieService.InvalidateCookie("access_token"))
|
||||
http.SetCookie(w, cookieService.InvalidateCookie("refresh_token"))
|
||||
http.SetCookie(w, cookieService.InvalidateCookie("csrf_token"))
|
||||
|
||||
w.WriteHeader(http.StatusNoContent)
|
||||
}
|
||||
}
|
||||
@@ -131,36 +142,39 @@ func (h *Handler) Logout(authService *auth.SessionService) http.HandlerFunc {
|
||||
// @Accept json
|
||||
// @Produce json
|
||||
// @Param body body RefreshRequest true "Refresh request"
|
||||
// @Success 200 {object} RefreshResponse
|
||||
// @Success 200 "Tokens refreshed successfully via cookies"
|
||||
// @Failure 400 {object} ErrorResponse "Invalid request body"
|
||||
// @Failure 400 {object} ErrorResponse "Refresh token required"
|
||||
// @Failure 401 {object} ErrorResponse "Invalid refresh token"
|
||||
// @Router /auth/refresh [post]
|
||||
func (h *Handler) RefreshToken(authService *auth.SessionService) http.HandlerFunc {
|
||||
func (h *Handler) RefreshToken(authService *auth.SessionService, cookieService auth.CookieService) http.HandlerFunc {
|
||||
return func(w http.ResponseWriter, r *http.Request) {
|
||||
var req RefreshRequest
|
||||
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
|
||||
respondError(w, "Invalid request body", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
if req.RefreshToken == "" {
|
||||
refreshCookie, err := r.Cookie("refresh_token")
|
||||
if err != nil {
|
||||
respondError(w, "Refresh token required", http.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
|
||||
// Generate new access token
|
||||
accessToken, err := authService.RefreshSession(req.RefreshToken)
|
||||
accessToken, err := authService.RefreshSession(refreshCookie.Value)
|
||||
if err != nil {
|
||||
respondError(w, "Invalid refresh token", http.StatusUnauthorized)
|
||||
return
|
||||
}
|
||||
|
||||
response := RefreshResponse{
|
||||
AccessToken: accessToken,
|
||||
// Generate new CSRF token
|
||||
csrfToken := make([]byte, 32)
|
||||
if _, err := rand.Read(csrfToken); err != nil {
|
||||
respondError(w, "Failed to generate CSRF token", http.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
csrfTokenString := hex.EncodeToString(csrfToken)
|
||||
|
||||
respondJSON(w, response)
|
||||
http.SetCookie(w, cookieService.GenerateAccessTokenCookie(accessToken))
|
||||
http.SetCookie(w, cookieService.GenerateCSRFCookie(csrfTokenString))
|
||||
|
||||
w.Header().Set("X-CSRF-Token", csrfTokenString)
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -169,7 +183,7 @@ func (h *Handler) RefreshToken(authService *auth.SessionService) http.HandlerFun
|
||||
// @Description Returns the current authenticated user
|
||||
// @Tags auth
|
||||
// @ID getCurrentUser
|
||||
// @Security BearerAuth
|
||||
// @Security CookieAuth
|
||||
// @Produce json
|
||||
// @Success 200 {object} models.User
|
||||
// @Failure 404 {object} ErrorResponse "User not found"
|
||||
|
||||
Reference in New Issue
Block a user