231 lines
6.1 KiB
Go
231 lines
6.1 KiB
Go
package main
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"database/sql"
|
|
"fmt"
|
|
"log"
|
|
"net/http"
|
|
"os"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
"github.com/golang-jwt/jwt/v5"
|
|
"golang.org/x/crypto/bcrypt"
|
|
)
|
|
|
|
var jwtSecret []byte
|
|
|
|
// InitJWT initializes JWT secret (legacy function)
|
|
func InitJWT() {
|
|
secret := os.Getenv("JWT_SECRET")
|
|
if secret == "" {
|
|
// Generate a random secret for development
|
|
secret = generateRandomSecret()
|
|
log.Println("Warning: Using generated JWT secret. Set JWT_SECRET environment variable for production.")
|
|
}
|
|
jwtSecret = []byte(secret)
|
|
}
|
|
|
|
// InitJWTWithConfig initializes JWT secret with configuration
|
|
func InitJWTWithConfig(config *Config) {
|
|
jwtSecret = []byte(config.JWTSecret)
|
|
}
|
|
|
|
// generateRandomSecret generates a random secret for JWT
|
|
func generateRandomSecret() string {
|
|
b := make([]byte, 32)
|
|
rand.Read(b)
|
|
return fmt.Sprintf("%x", b)
|
|
}
|
|
|
|
// hashPassword hashes a password using bcrypt
|
|
func hashPassword(password string) (string, error) {
|
|
bytes, err := bcrypt.GenerateFromPassword([]byte(password), 14)
|
|
return string(bytes), err
|
|
}
|
|
|
|
// checkPasswordHash compares a password with its hash
|
|
func checkPasswordHash(password, hash string) bool {
|
|
err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
|
|
return err == nil
|
|
}
|
|
|
|
// generateToken generates a JWT token for a user
|
|
func generateToken(userID int, username string) (string, error) {
|
|
claims := jwt.MapClaims{
|
|
"user_id": userID,
|
|
"username": username,
|
|
"exp": time.Now().Add(time.Hour * 24 * 7).Unix(), // 7 days
|
|
"iat": time.Now().Unix(),
|
|
}
|
|
|
|
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
|
|
return token.SignedString(jwtSecret)
|
|
}
|
|
|
|
// validateToken validates a JWT token and returns the claims
|
|
func validateToken(tokenString string) (jwt.MapClaims, error) {
|
|
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
|
|
if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
|
|
return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
|
|
}
|
|
return jwtSecret, nil
|
|
})
|
|
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
|
|
return claims, nil
|
|
}
|
|
|
|
return nil, fmt.Errorf("invalid token")
|
|
}
|
|
|
|
// AuthMiddleware validates JWT token and sets user context
|
|
func AuthMiddleware() gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
authHeader := c.GetHeader("Authorization")
|
|
if authHeader == "" {
|
|
c.JSON(http.StatusUnauthorized, gin.H{"error": "Authorization header required"})
|
|
c.Abort()
|
|
return
|
|
}
|
|
|
|
// Extract token from "Bearer <token>"
|
|
tokenParts := strings.Split(authHeader, " ")
|
|
if len(tokenParts) != 2 || tokenParts[0] != "Bearer" {
|
|
c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid authorization header format"})
|
|
c.Abort()
|
|
return
|
|
}
|
|
|
|
tokenString := tokenParts[1]
|
|
claims, err := validateToken(tokenString)
|
|
if err != nil {
|
|
c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid token"})
|
|
c.Abort()
|
|
return
|
|
}
|
|
|
|
// Set user information in context
|
|
c.Set("user_id", int(claims["user_id"].(float64)))
|
|
c.Set("username", claims["username"])
|
|
c.Next()
|
|
}
|
|
}
|
|
|
|
// RegisterHandler handles user registration
|
|
func RegisterHandler(c *gin.Context) {
|
|
var req RegisterRequest
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
|
|
return
|
|
}
|
|
|
|
// Check if username already exists
|
|
var existingUser User
|
|
err := db.QueryRow("SELECT id FROM users WHERE username = $1 OR email = $2", req.Username, req.Email).Scan(&existingUser.ID)
|
|
if err != sql.ErrNoRows {
|
|
c.JSON(http.StatusConflict, gin.H{"error": "Username or email already exists"})
|
|
return
|
|
}
|
|
|
|
// Hash password
|
|
hashedPassword, err := hashPassword(req.Password)
|
|
if err != nil {
|
|
c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to hash password"})
|
|
return
|
|
}
|
|
|
|
// Create user
|
|
var user User
|
|
err = db.QueryRow(
|
|
"INSERT INTO users (username, email, password) VALUES ($1, $2, $3) RETURNING id, username, email, created_at, updated_at",
|
|
req.Username, req.Email, hashedPassword,
|
|
).Scan(&user.ID, &user.Username, &user.Email, &user.CreatedAt, &user.UpdatedAt)
|
|
|
|
if err != nil {
|
|
c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to create user"})
|
|
return
|
|
}
|
|
|
|
// Generate token
|
|
token, err := generateToken(user.ID, user.Username)
|
|
if err != nil {
|
|
c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to generate token"})
|
|
return
|
|
}
|
|
|
|
c.JSON(http.StatusCreated, AuthResponse{
|
|
Token: token,
|
|
User: user,
|
|
})
|
|
}
|
|
|
|
// LoginHandler handles user login
|
|
func LoginHandler(c *gin.Context) {
|
|
var req LoginRequest
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
c.JSON(http.StatusBadRequest, gin.H{"error": err.Error()})
|
|
return
|
|
}
|
|
|
|
// Find user
|
|
var user User
|
|
err := db.QueryRow(
|
|
"SELECT id, username, email, password, created_at, updated_at FROM users WHERE username = $1",
|
|
req.Username,
|
|
).Scan(&user.ID, &user.Username, &user.Email, &user.Password, &user.CreatedAt, &user.UpdatedAt)
|
|
|
|
if err == sql.ErrNoRows {
|
|
c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid credentials 1"})
|
|
return
|
|
} else if err != nil {
|
|
c.JSON(http.StatusInternalServerError, gin.H{"error": "Database error"})
|
|
return
|
|
}
|
|
|
|
// Check password
|
|
if !checkPasswordHash(req.Password, user.Password) {
|
|
c.JSON(http.StatusUnauthorized, gin.H{"error": "Invalid credentials 2"})
|
|
return
|
|
}
|
|
|
|
// Generate token
|
|
token, err := generateToken(user.ID, user.Username)
|
|
if err != nil {
|
|
c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to generate token"})
|
|
return
|
|
}
|
|
|
|
// Clear password from response
|
|
user.Password = ""
|
|
|
|
c.JSON(http.StatusOK, AuthResponse{
|
|
Token: token,
|
|
User: user,
|
|
})
|
|
}
|
|
|
|
// GetCurrentUserHandler returns the current authenticated user
|
|
func GetCurrentUserHandler(c *gin.Context) {
|
|
userID := c.GetInt("user_id")
|
|
|
|
var user User
|
|
err := db.QueryRow(
|
|
"SELECT id, username, email, created_at, updated_at FROM users WHERE id = $1",
|
|
userID,
|
|
).Scan(&user.ID, &user.Username, &user.Email, &user.CreatedAt, &user.UpdatedAt)
|
|
|
|
if err != nil {
|
|
c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to get user"})
|
|
return
|
|
}
|
|
|
|
c.JSON(http.StatusOK, user)
|
|
}
|