From b3ee4e420becec6ce1dc622189c4d7c6d1f60fdb Mon Sep 17 00:00:00 2001
From: James Tombleson
Date: Mon, 1 Apr 2024 17:48:38 -0700
Subject: [PATCH] found a bug that would let the same username get used over and over

---
 api/handlers/v1/auth.go | 37 +++++++++++++++++++++++++------------
 1 file changed, 25 insertions(+), 12 deletions(-)

diff --git a/api/handlers/v1/auth.go b/api/handlers/v1/auth.go
index b3f9a07..c4e2348 100644
--- a/api/handlers/v1/auth.go
+++ b/api/handlers/v1/auth.go
@@ -4,6 +4,7 @@ import (
 "errors"
 "go-cook/api/domain"
 "go-cook/api/repositories"
+ "log"
 "net/http"

 "github.com/golang-jwt/jwt/v5"
@@ -11,16 +12,20 @@ import (
 )

 const (
- ErrJwtMissing = "auth token is missing"
- ErrJwtClaimsMissing = "claims missing on token"
- ErrJwtExpired = "auth token has expired"
- ErrJwtScopeMissing = "required scope is missing"
- ErrUserNotFound = "requested user does not exist"
+ ErrJwtMissing = "auth token is missing"
+ ErrJwtClaimsMissing = "claims missing on token"
+ ErrJwtExpired = "auth token has expired"
+ ErrJwtScopeMissing = "required scope is missing"
+ ErrUserNotFound = "requested user does not exist"
+ ErrUsernameAlreadyExists = "the requested username already exists"
 )

 func (h *Handler) AuthRegister(c echo.Context) error {
- username := c.QueryParam("username")
- _, err := h.userRepo.GetByName(username)
+ username := c.FormValue("username")
+ password := c.FormValue("password")
+
+ //username := c.QueryParam("username")
+ exists, err := h.userRepo.GetByName(username)
 if err != nil {
 // if we have an err, validate that if its not user not found.
 // if the user is not found, we can use that name
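Review bot: The commented-out `//username := c.QueryParam("username")` kept beside the new `c.FormValue("username")` read is dead code and should be deleted rather than carried in the file; the same applies to `//password := c.QueryParam("password")` in the next hunk. Version control already records the old query-parameter reads, and leaving both variants in place makes it unclear which input channel the handler is meant to accept. Neither form read is visibly checked for an empty username before `h.userRepo.GetByName(username)` is called; if that validation lives outside the hunk this is moot, otherwise an empty name reaches the lookup and, later, Create. AuthRegister's error handling continues past the end of this hunk.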
@@ -31,8 +36,11 @@ func (h *Handler) AuthRegister(c echo.Context) error {
 })
 }
 }
+ if exists.Name == username {
+ return h.InternalServerErrorResponse(c, ErrUsernameAlreadyExists)
+ }

- password := c.QueryParam("password")
+ //password := c.QueryParam("password")
 err = h.UserService.CheckPasswordForRequirements(password)
 if err != nil {
 return c.JSON(http.StatusInternalServerError, domain.ErrorResponse{
@@ -41,7 +49,7 @@ func (h *Handler) AuthRegister(c echo.Context) error {
 })
 }

- _, err = h.userRepo.Create(username, password)
+ _, err = h.userRepo.Create(username, password, domain.ScopeRecipeRead)
 if err != nil {
 return c.JSON(http.StatusInternalServerError, domain.ErrorResponse{
 HttpCode: http.StatusInternalServerError,
@@ -53,8 +61,13 @@ func (h *Handler) AuthRegister(c echo.Context) error {
 }

 func (h *Handler) AuthLogin(c echo.Context) error {
- username := c.QueryParam("username")
- password := c.QueryParam("password")
+ formValues, err := c.FormParams()
+ if err != nil {
+ h.InternalServerErrorResponse(c, err.Error())
+ }
+ log.Println(formValues)
+ username := formValues.Get("name")
+ password := formValues.Get("password")

 // Check to see if they are trying to login with the admin token
 if username == "" {
@@ -62,7 +75,7 @@ func (h *Handler) AuthLogin(c echo.Context) error {
 }

 // check if the user exists
- err := h.UserService.DoesUserExist(username)
+ err = h.UserService.DoesUserExist(username)
 if err != nil {
 return h.InternalServerErrorResponse(c, err.Error())
 }
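Review bot: The new duplicate-username branch, `return h.InternalServerErrorResponse(c, ErrUsernameAlreadyExists)`, reports a client-side rejection as a 500; a taken name is not a server failure and should come back as 409 via `c.JSON(http.StatusConflict, domain.ErrorResponse{...})` using the same response shape the password-requirements check below already uses. The condition `exists.Name == username` also depends on the repository handing back a byte-identical name — if GetByName matches case-insensitively or trims its input, a near-duplicate would pass this test and still be created; since the preceding error block (which begins in the previous hunk) only falls through when the lookup reported not-found, `if err == nil` is the more direct "user exists" test, though I cannot see GetByName's matching rules from here. A lookup-then-Create sequence is also racy under concurrent registrations unless the store enforces uniqueness on the name; worth confirming the repository carries that constraint so this check is a convenience rather than the only guard.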
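Review bot: In the new AuthLogin prologue, `h.InternalServerErrorResponse(c, err.Error())` is called without `return`, so when FormParams fails the handler writes the error response and then carries on into the login flow with empty form values; it should read `return h.InternalServerErrorResponse(c, err.Error())`. `log.Println(formValues)` writes the entire form, including the submitted password, to the log and should be dropped, which also makes the `"log"` import added in the first hunk unnecessary. The field name is inconsistent with AuthRegister, which reads `c.FormValue("username")`, while login reads `formValues.Get("name")`; a client that uses the same field for both gets an empty username here and falls into the admin-token branch below, so `username := formValues.Get("username")` is likely what was intended. AuthLogin continues beyond the end of this hunk.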