package main import ( "crypto/rand" "database/sql" "fmt" "net/http" "os" "strings" "time" "github.com/gin-gonic/gin" "github.com/golang-jwt/jwt/v5" "golang.org/x/crypto/bcrypt" ) var jwtSecret []byte // InitJWT initializes JWT secret (legacy function) func InitJWT() { secret := os.Getenv("JWT_SECRET") if secret == "" { // Generate a random secret for development secret = generateRandomSecret() Logger.Println("Warning: Using generated JWT secret. Set JWT_SECRET environment variable for production.") } jwtSecret = []byte(secret) } // InitJWTWithConfig initializes JWT secret with configuration func InitJWTWithConfig(config *Config) { jwtSecret = []byte(config.JWTSecret) } // generateRandomSecret generates a random secret for JWT func generateRandomSecret() string { b := make([]byte, 32) rand.Read(b) return fmt.Sprintf("%x", b) } // hashPassword hashes a password using bcrypt func hashPassword(password string) (string, error) { bytes, err := bcrypt.GenerateFromPassword([]byte(password), 14) return string(bytes), err } // checkPasswordHash compares a password with its hash func checkPasswordHash(password, hash string) bool { err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password)) return err == nil } // generateToken generates a JWT token for a user func generateToken(userID int, username string) (string, error) { claims := jwt.MapClaims{ "user_id": userID, "username": username, "exp": time.Now().Add(time.Hour * 24 * 7).Unix(), // 7 days "iat": time.Now().Unix(), } token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims) return token.SignedString(jwtSecret) } // validateToken validates a JWT token and returns the claims func validateToken(tokenString string) (jwt.MapClaims, error) { token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) { if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok { return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"]) } return jwtSecret, nil }) if err != nil { return nil, err } if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid { return claims, nil } return nil, fmt.Errorf("invalid token") } // AuthMiddleware validates JWT token and sets user context func AuthMiddleware() gin.HandlerFunc { return func(c *gin.Context) { authHeader := c.GetHeader("Authorization") if authHeader == "" { c.JSON(http.StatusUnauthorized, gin.H{"error": "Authorization header required"}) c.Abort() return } // Extract token from "Bearer " tokenParts := strings.Split(authHeader, " ") if len(tokenParts) != 2 || tokenParts[0] != "Bearer" { c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid authorization header format"}) c.Abort() return } tokenString := tokenParts[1] claims, err := validateToken(tokenString) if err != nil { c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid token"}) c.Abort() return } // Set user information in context c.Set("user_id", int(claims["user_id"].(float64))) c.Set("username", claims["username"]) c.Next() } } // RegisterHandler handles user registration func RegisterHandler(c *gin.Context) { var req RegisterRequest if err := c.ShouldBindJSON(&req); err != nil { RecordAuthAttempt("register", "bad_request") c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) return } // Check if username already exists var existingUser User err := db.QueryRow("SELECT id FROM users WHERE username = $1 OR email = $2", req.Username, req.Email).Scan(&existingUser.ID) if err != sql.ErrNoRows { RecordAuthAttempt("register", "conflict") c.JSON(http.StatusConflict, gin.H{"error": "Username or email already exists"}) return } // Hash password hashedPassword, err := hashPassword(req.Password) if err != nil { c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to hash password"}) return } // Create user var user User err = db.QueryRow( "INSERT INTO users (username, email, password) VALUES ($1, $2, $3) RETURNING id, username, email, created_at, updated_at", req.Username, req.Email, hashedPassword, ).Scan(&user.ID, &user.Username, &user.Email, &user.CreatedAt, &user.UpdatedAt) if err != nil { c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create user"}) return } // Generate token token, err := generateToken(user.ID, user.Username) if err != nil { c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to generate token"}) return } RecordAuthAttempt("register", "success") c.JSON(http.StatusCreated, AuthResponse{ Token: token, User: user, }) } // LoginHandler handles user login func LoginHandler(c *gin.Context) { var req LoginRequest if err := c.ShouldBindJSON(&req); err != nil { RecordAuthAttempt("login", "bad_request") c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()}) return } // Find user var user User err := db.QueryRow( "SELECT id, username, email, password, created_at, updated_at FROM users WHERE username = $1", req.Username, ).Scan(&user.ID, &user.Username, &user.Email, &user.Password, &user.CreatedAt, &user.UpdatedAt) if err == sql.ErrNoRows { RecordAuthAttempt("login", "user_not_found") c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid credentials 1"}) return } else if err != nil { RecordAuthAttempt("login", "database_error") c.JSON(http.StatusInternalServerError, gin.H{"error": "Database error"}) return } // Check password if !checkPasswordHash(req.Password, user.Password) { RecordAuthAttempt("login", "invalid_password") c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid credentials 2"}) return } // Generate token token, err := generateToken(user.ID, user.Username) if err != nil { c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to generate token"}) return } // Clear password from response user.Password = "" RecordAuthAttempt("login", "success") c.JSON(http.StatusOK, AuthResponse{ Token: token, User: user, }) } // GetCurrentUserHandler returns the current authenticated user func GetCurrentUserHandler(c *gin.Context) { userID := c.GetInt("user_id") var user User err := db.QueryRow( "SELECT id, username, email, created_at, updated_at FROM users WHERE id = $1", userID, ).Scan(&user.ID, &user.Username, &user.Email, &user.CreatedAt, &user.UpdatedAt) if err != nil { c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to get user"}) return } c.JSON(http.StatusOK, user) }