feat: added csrf feature

Wong801 · Wong801 · commit c7f5fbeafa8d · 2023-07-03T04:09:34.000+07:00
diff --git a/src/controllers/root.go b/src/controllers/root.go
@@ -1,10 +1,13 @@
 package controller
 
 import (
+	"net/http"
+
 	"github.com/Wong801/gin-api/src/api"
 	"github.com/Wong801/gin-api/src/db"
 	service "github.com/Wong801/gin-api/src/services"
 	"github.com/gin-gonic/gin"
+	csrf "github.com/utrack/gin-csrf"
 )
 
 type RootController struct {
@@ -41,3 +44,12 @@ func (rc RootController) Ping() func(c *gin.Context) {
 		c.Next()
 	}
 }
+
+func (rc RootController) GetToken() func(c *gin.Context) {
+	return func(c *gin.Context) {
+		c.Set("status", http.StatusOK)
+		c.Set("data", csrf.GetToken(c))
+
+		c.Next()
+	}
+}
diff --git a/src/controllers/user.go b/src/controllers/user.go
@@ -7,7 +7,6 @@ import (
 	model "github.com/Wong801/gin-api/src/models"
 	service "github.com/Wong801/gin-api/src/services"
 	"github.com/gin-gonic/gin"
-	csrf "github.com/utrack/gin-csrf"
 )
 
 type UserController struct {
@@ -94,18 +93,25 @@ func (uc UserController) Login() gin.HandlerFunc {
 			return
 		}
 		c.SetCookie("jwt", token.Jwt, token.MaxAge, "/", token.Domain, token.Secure, token.HttpOnly)
-		c.SetCookie("X-CSRF-TOKEN", csrf.GetToken(c), token.MaxAge, "/", token.Domain, false, false)
 		c.Set("data", map[string]string{
 			"message": "Login Success",
 		})
 		c.Next()
 	}
 }
 
+func (uc UserController) CheckLogin() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		c.Set("data", map[string]string{
+			"message": "success",
+		})
+		c.Next()
+	}
+}
+
 func (uc UserController) Logout() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		c.SetCookie("jwt", "", -1, "/", "", true, true)
-		c.SetCookie("X-CSRF-TOKEN", "", -1, "/", "", false, false)
 		c.Next()
 	}
 }
diff --git a/src/models/user.go b/src/models/user.go
@@ -36,3 +36,9 @@ type UserChangePassword struct {
 func (u User) GetBase() *UserBase {
 	return &u.UserBase
 }
+
+func (ub UserBase) GetUser() *User {
+	return &User{
+		UserBase: ub,
+	}
+}
diff --git a/src/routes/main.go b/src/routes/main.go
@@ -1,7 +1,6 @@
 package route
 
 import (
-	"errors"
 	"net/http"
 
 	"github.com/Wong801/gin-api/src/config"
@@ -28,8 +27,10 @@ func InitRoutes() handler {
 	r.router.Use(csrf.Middleware(csrf.Options{
 		Secret: config.GetEnv("CSRF_SECRET", "secret"),
 		ErrorFunc: func(c *gin.Context) {
-			c.Set("status", http.StatusBadRequest)
-			c.Set("error", errors.New("CSRF token mismatch"))
+			c.AbortWithStatusJSON(http.StatusBadRequest, &entity.HttpResponse{
+				Success: false,
+				Data:    "CSRF token mismatch",
+			})
 		},
 	}))
 
diff --git a/src/routes/root.go b/src/routes/root.go
@@ -10,4 +10,5 @@ func (r handler) addRoot(rg *gin.RouterGroup) {
 
 	rg.GET("/stats", rc.GetStats())
 	rg.GET("/ping", rc.Ping())
+	rg.GET("/csrf", rc.GetToken())
 }
diff --git a/src/routes/user.go b/src/routes/user.go
@@ -17,6 +17,7 @@ func (r handler) addUsers(rg *gin.RouterGroup) {
 
 	userRoute.Use(m.Authenticate())
 
+	userRoute.POST("/check-login", userController.CheckLogin())
 	userRoute.POST("/logout", userController.Logout())
 	userRoute.PUT("/profile", userController.UpdateProfile())
 	userRoute.PATCH("/change-password", userController.ChangePassword())
diff --git a/src/services/user.go b/src/services/user.go
@@ -74,19 +74,16 @@ func (us UserService) GetUser() (int, *model.UserBase, error) {
 		return http.StatusNotFound, nil, err
 	}
 
-	return http.StatusFound, user.GetBase(), nil
+	return http.StatusOK, user.GetBase(), nil
 }
 
 func (us UserService) UpdateUser(id int, u *model.UserBase) (int, *model.UserBase, error) {
-	var user model.User
 	db.Open(us.DB)
 
-	us.DB.Database.Where("id = ?", id)
-
-	if err := us.DB.Database.Save(&user).Error; err != nil {
-		return http.StatusInternalServerError, nil, err
+	if err := us.DB.Database.Save(u.GetUser()).Error; err != nil {
+		return http.StatusBadRequest, nil, err
 	}
-	return http.StatusOK, user.GetBase(), nil
+	return http.StatusOK, u.GetUser().GetBase(), nil
 }
 
 func (us UserService) Register(u *model.User) (int, error) {
@@ -109,7 +106,7 @@ func (us UserService) Login(u *model.UserLogin) (int, *entity.Token, error) {
 	db.Open(us.DB)
 
 	if err := us.DB.Database.First(&user, "email = ? OR username = ?", u.Email, u.Username).Error; err != nil {
-		return http.StatusNotFound, nil, errors.New("user not found")
+		return http.StatusBadRequest, nil, errors.New("incorrect username or password")
 	}
 
 	correctPassword := checkPasswordHash(u.Password, user.Password)

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,6 @@ import (`
`7`	`7`	`model "github.com/Wong801/gin-api/src/models"`
`8`	`8`	`service "github.com/Wong801/gin-api/src/services"`
`9`	`9`	`"github.com/gin-gonic/gin"`
`10`		`- csrf "github.com/utrack/gin-csrf"`
`11`	`10`	`)`
`12`	`11`
`13`	`12`	`type UserController struct {`
`@@ -94,18 +93,25 @@ func (uc UserController) Login() gin.HandlerFunc {`
`94`	`93`	`return`
`95`	`94`	`}`
`96`	`95`	`c.SetCookie("jwt", token.Jwt, token.MaxAge, "/", token.Domain, token.Secure, token.HttpOnly)`
`97`		`- c.SetCookie("X-CSRF-TOKEN", csrf.GetToken(c), token.MaxAge, "/", token.Domain, false, false)`
`98`	`96`	`c.Set("data", map[string]string{`
`99`	`97`	`"message": "Login Success",`
`100`	`98`	`})`
`101`	`99`	`c.Next()`
`102`	`100`	`}`
`103`	`101`	`}`
`104`	`102`
	`103`	`+func (uc UserController) CheckLogin() gin.HandlerFunc {`
	`104`	`+ return func(c *gin.Context) {`
	`105`	`+ c.Set("data", map[string]string{`
	`106`	`+ "message": "success",`
	`107`	`+ })`
	`108`	`+ c.Next()`
	`109`	`+ }`
	`110`	`+}`
	`111`	`+`
`105`	`112`	`func (uc UserController) Logout() gin.HandlerFunc {`
`106`	`113`	`return func(c *gin.Context) {`
`107`	`114`	`c.SetCookie("jwt", "", -1, "/", "", true, true)`
`108`		`- c.SetCookie("X-CSRF-TOKEN", "", -1, "/", "", false, false)`
`109`	`115`	`c.Next()`
`110`	`116`	`}`
`111`	`117`	`}`
Original file line number	Diff line number	Diff line change
`@@ -10,4 +10,5 @@ func (r handler) addRoot(rg *gin.RouterGroup) {`
`10`	`10`
`11`	`11`	`rg.GET("/stats", rc.GetStats())`
`12`	`12`	`rg.GET("/ping", rc.Ping())`
	`13`	`+ rg.GET("/csrf", rc.GetToken())`
`13`	`14`	`}`
Original file line number	Diff line number	Diff line change
`@@ -74,19 +74,16 @@ func (us UserService) GetUser() (int, *model.UserBase, error) {`
`74`	`74`	`return http.StatusNotFound, nil, err`
`75`	`75`	`}`
`76`	`76`
`77`		`- return http.StatusFound, user.GetBase(), nil`
	`77`	`+ return http.StatusOK, user.GetBase(), nil`
`78`	`78`	`}`
`79`	`79`
`80`	`80`	`func (us UserService) UpdateUser(id int, u model.UserBase) (int, model.UserBase, error) {`
`81`		`- var user model.User`
`82`	`81`	`db.Open(us.DB)`
`83`	`82`
`84`		`- us.DB.Database.Where("id = ?", id)`
`85`		`-`
`86`		`- if err := us.DB.Database.Save(&user).Error; err != nil {`
`87`		`- return http.StatusInternalServerError, nil, err`
	`83`	`+ if err := us.DB.Database.Save(u.GetUser()).Error; err != nil {`
	`84`	`+ return http.StatusBadRequest, nil, err`
`88`	`85`	`}`
`89`		`- return http.StatusOK, user.GetBase(), nil`
	`86`	`+ return http.StatusOK, u.GetUser().GetBase(), nil`
`90`	`87`	`}`
`91`	`88`
`92`	`89`	`func (us UserService) Register(u *model.User) (int, error) {`
`@@ -109,7 +106,7 @@ func (us UserService) Login(u model.UserLogin) (int, entity.Token, error) {`
`109`	`106`	`db.Open(us.DB)`
`110`	`107`
`111`	`108`	`if err := us.DB.Database.First(&user, "email = ? OR username = ?", u.Email, u.Username).Error; err != nil {`
`112`		`- return http.StatusNotFound, nil, errors.New("user not found")`
	`109`	`+ return http.StatusBadRequest, nil, errors.New("incorrect username or password")`
`113`	`110`	`}`
`114`	`111`
`115`	`112`	`correctPassword := checkPasswordHash(u.Password, user.Password)`