diff --git a/admin/accounthttp.go b/admin/accounthttp.go index b5deca2..fc701e7 100644 --- a/admin/accounthttp.go +++ b/admin/accounthttp.go @@ -3,7 +3,6 @@ package admin import ( "fmt" "net/http" - "net/url" "os" "time" @@ -16,12 +15,9 @@ import ( func accountHandler(app *model.AppState) http.Handler { mux := http.NewServeMux() - mux.Handle("/totp-setup", totpSetupHandler(app)) - mux.Handle("/totp-confirm", totpConfirmHandler(app)) - mux.Handle("/totp-delete/", http.StripPrefix("/totp-delete", totpDeleteHandler(app))) - mux.Handle("/password", changePasswordHandler(app)) mux.Handle("/delete", deleteAccountHandler(app)) + mux.Handle("/", accountIndexHandler(app)) return mux } @@ -41,13 +37,6 @@ func accountIndexHandler(app *model.AppState) http.Handler { TOTPs []model.TOTP } - sessionMessage := session.Message - sessionError := session.Error - controller.SetSessionMessage(app.DB, session, "") - controller.SetSessionError(app.DB, session, "") - session.Message = sessionMessage - session.Error = sessionError - err = pages["account"].Execute(w, accountResponse{ Session: session, TOTPs: totps, @@ -68,39 +57,18 @@ func changePasswordHandler(app *model.AppState) http.Handler { session := r.Context().Value("session").(*model.Session) - controller.SetSessionMessage(app.DB, session, "") - controller.SetSessionError(app.DB, session, "") - r.ParseForm() currentPassword := r.Form.Get("current-password") if err := bcrypt.CompareHashAndPassword([]byte(session.Account.Password), []byte(currentPassword)); err != nil { - controller.SetSessionError(app.DB, session, "Incorrect password.") + controller.SetSessionMessage(app.DB, session, "Incorrect password.") http.Redirect(w, r, "/admin/account", http.StatusFound) return } newPassword := r.Form.Get("new-password") - hashedPassword, err := bcrypt.GenerateFromPassword([]byte(newPassword), bcrypt.DefaultCost) - if err != nil { - fmt.Fprintf(os.Stderr, "WARN: Failed to generate password hash: %v\n", err) - controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.") - http.Redirect(w, r, "/admin/account", http.StatusFound) - return - } - - session.Account.Password = string(hashedPassword) - err = controller.UpdateAccount(app.DB, session.Account) - if err != nil { - fmt.Fprintf(os.Stderr, "WARN: Failed to update account password: %v\n", err) - controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.") - http.Redirect(w, r, "/admin/account", http.StatusFound) - return - } - - controller.SetSessionError(app.DB, session, "") - controller.SetSessionMessage(app.DB, session, "Password updated successfully.") + controller.SetSessionMessage(app.DB, session, fmt.Sprintf("Updating password to %s", newPassword)) http.Redirect(w, r, "/admin/account", http.StatusFound) }) } @@ -129,10 +97,10 @@ func deleteAccountHandler(app *model.AppState) http.Handler { if err := bcrypt.CompareHashAndPassword([]byte(session.Account.Password), []byte(r.Form.Get("password"))); err != nil { fmt.Printf( "[%s] WARN: Account \"%s\" attempted account deletion with incorrect password.\n", - time.Now().Format(time.UnixDate), + time.Now().Format("2006-02-01 15:04:05"), session.Account.Username, ) - controller.SetSessionError(app.DB, session, "Incorrect password.") + controller.SetSessionMessage(app.DB, session, "Incorrect password.") http.Redirect(w, r, "/admin/account", http.StatusFound) return } @@ -140,212 +108,36 @@ func deleteAccountHandler(app *model.AppState) http.Handler { totpMethod, err := controller.CheckTOTPForAccount(app.DB, session.Account.ID, r.Form.Get("totp")) if err != nil { fmt.Fprintf(os.Stderr, "Failed to fetch account: %v\n", err) - controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.") + controller.SetSessionMessage(app.DB, session, "Something went wrong. Please try again.") http.Redirect(w, r, "/admin/account", http.StatusFound) return } if totpMethod == nil { fmt.Printf( "[%s] WARN: Account \"%s\" attempted account deletion with incorrect TOTP.\n", - time.Now().Format(time.UnixDate), + time.Now().Format("2006-02-01 15:04:05"), session.Account.Username, ) - controller.SetSessionError(app.DB, session, "Incorrect TOTP.") + controller.SetSessionMessage(app.DB, session, "Incorrect TOTP.") http.Redirect(w, r, "/admin/account", http.StatusFound) } err = controller.DeleteAccount(app.DB, session.Account.ID) if err != nil { fmt.Fprintf(os.Stderr, "Failed to delete account: %v\n", err) - controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.") + controller.SetSessionMessage(app.DB, session, "Something went wrong. Please try again.") http.Redirect(w, r, "/admin/account", http.StatusFound) return } fmt.Printf( "[%s] INFO: Account \"%s\" deleted by user request.\n", - time.Now().Format(time.UnixDate), + time.Now().Format("2006-02-01 15:04:05"), session.Account.Username, ) - controller.SetSessionAccount(app.DB, session, nil) - controller.SetSessionError(app.DB, session, "") + session.Account = nil controller.SetSessionMessage(app.DB, session, "Account deleted successfully.") http.Redirect(w, r, "/admin/login", http.StatusFound) }) } - -func totpSetupHandler(app *model.AppState) http.Handler { - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - if r.Method == http.MethodGet { - type totpSetupData struct { - Session *model.Session - } - - session := r.Context().Value("session").(*model.Session) - - err := pages["totp-setup"].Execute(w, totpSetupData{ Session: session }) - if err != nil { - fmt.Printf("WARN: Failed to render TOTP setup page: %s\n", err) - http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) - } - return - } - - if r.Method != http.MethodPost { - http.NotFound(w, r) - return - } - - type totpSetupData struct { - Session *model.Session - TOTP *model.TOTP - NameEscaped string - } - - err := r.ParseForm() - if err != nil { - http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest) - return - } - - name := r.FormValue("totp-name") - if len(name) == 0 { - http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest) - return - } - - session := r.Context().Value("session").(*model.Session) - - secret := controller.GenerateTOTPSecret(controller.TOTP_SECRET_LENGTH) - totp := model.TOTP { - AccountID: session.Account.ID, - Name: name, - Secret: string(secret), - } - err = controller.CreateTOTP(app.DB, &totp) - if err != nil { - fmt.Printf("WARN: Failed to create TOTP method: %s\n", err) - controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.") - err := pages["totp-setup"].Execute(w, totpSetupData{ Session: session }) - if err != nil { - fmt.Printf("WARN: Failed to render TOTP setup page: %s\n", err) - http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) - } - return - } - - err = pages["totp-confirm"].Execute(w, totpSetupData{ - Session: session, - TOTP: &totp, - NameEscaped: url.PathEscape(totp.Name), - }) - if err != nil { - fmt.Printf("WARN: Failed to render TOTP confirm page: %s\n", err) - http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) - } - }) -} - -func totpConfirmHandler(app *model.AppState) http.Handler { - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - if r.Method != http.MethodPost { - http.NotFound(w, r) - return - } - - type totpConfirmData struct { - Session *model.Session - TOTP *model.TOTP - } - - session := r.Context().Value("session").(*model.Session) - - err := r.ParseForm() - if err != nil { - http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest) - return - } - name := r.FormValue("totp-name") - if len(name) == 0 { - http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest) - return - } - code := r.FormValue("totp") - if len(code) != controller.TOTP_CODE_LENGTH { - http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest) - return - } - - totp, err := controller.GetTOTP(app.DB, session.Account.ID, name) - if err != nil { - fmt.Printf("WARN: Failed to fetch TOTP method: %s\n", err) - controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.") - http.Redirect(w, r, "/admin/account", http.StatusFound) - return - } - if totp == nil { - http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest) - return - } - - confirmCode := controller.GenerateTOTP(totp.Secret, 0) - if code != confirmCode { - confirmCodeOffset := controller.GenerateTOTP(totp.Secret, 1) - if code != confirmCodeOffset { - controller.SetSessionError(app.DB, session, "Incorrect TOTP code. Please try again.") - err = pages["totp-confirm"].Execute(w, totpConfirmData{ - Session: session, - TOTP: totp, - }) - return - } - } - - controller.SetSessionError(app.DB, session, "") - controller.SetSessionMessage(app.DB, session, fmt.Sprintf("TOTP method \"%s\" created successfully.", totp.Name)) - http.Redirect(w, r, "/admin/account", http.StatusFound) - }) -} - -func totpDeleteHandler(app *model.AppState) http.Handler { - return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - if r.Method != http.MethodGet { - http.NotFound(w, r) - return - } - - name := r.URL.Path - fmt.Printf("%s\n", name); - if len(name) == 0 { - http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest) - return - } - - session := r.Context().Value("session").(*model.Session) - - totp, err := controller.GetTOTP(app.DB, session.Account.ID, name) - if err != nil { - fmt.Printf("WARN: Failed to fetch TOTP method: %s\n", err) - controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.") - http.Redirect(w, r, "/admin/account", http.StatusFound) - return - } - if totp == nil { - http.NotFound(w, r) - return - } - - err = controller.DeleteTOTP(app.DB, session.Account.ID, totp.Name) - if err != nil { - fmt.Printf("WARN: Failed to delete TOTP method: %s\n", err) - controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.") - http.Redirect(w, r, "/admin/account", http.StatusFound) - return - } - - controller.SetSessionError(app.DB, session, "") - controller.SetSessionMessage(app.DB, session, fmt.Sprintf("TOTP method \"%s\" deleted successfully.", totp.Name)) - http.Redirect(w, r, "/admin/account", http.StatusFound) - }) -} diff --git a/admin/http.go b/admin/http.go index 7dd5207..ad0d44e 100644 --- a/admin/http.go +++ b/admin/http.go @@ -93,6 +93,8 @@ func AdminIndexHandler(app *model.AppState) http.Handler { func registerAccountHandler(app *model.AppState) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { session := r.Context().Value("session").(*model.Session) + session.Error = sql.NullString{} + session.Message = sql.NullString{} if session.Account != nil { // user is already logged in @@ -100,12 +102,8 @@ func registerAccountHandler(app *model.AppState) http.Handler { return } - type registerData struct { - Session *model.Session - } - render := func() { - err := pages["register"].Execute(w, registerData{ Session: session }) + err := pages["register"].Execute(w, session) if err != nil { fmt.Printf("WARN: Error rendering create account page: %s\n", err) http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) @@ -124,7 +122,8 @@ func registerAccountHandler(app *model.AppState) http.Handler { err := r.ParseForm() if err != nil { - http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest) + session.Error = sql.NullString{ String: "Malformed data.", Valid: true } + render() return } @@ -145,7 +144,7 @@ func registerAccountHandler(app *model.AppState) http.Handler { invite, err := controller.GetInvite(app.DB, credentials.Invite) if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to retrieve invite: %v\n", err) - controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.") + session.Error = sql.NullString{ String: "Something went wrong. Please try again.", Valid: true } render() return } @@ -154,7 +153,7 @@ func registerAccountHandler(app *model.AppState) http.Handler { err := controller.DeleteInvite(app.DB, invite.Code) if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to delete expired invite: %v\n", err) } } - controller.SetSessionError(app.DB, session, "Invalid invite code.") + session.Error = sql.NullString{ String: "Invalid invite code.", Valid: true } render() return } @@ -162,7 +161,7 @@ func registerAccountHandler(app *model.AppState) http.Handler { hashedPassword, err := bcrypt.GenerateFromPassword([]byte(credentials.Password), bcrypt.DefaultCost) if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to generate password hash: %v\n", err) - controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.") + session.Error = sql.NullString{ String: "Something went wrong. Please try again.", Valid: true } render() return } @@ -176,30 +175,21 @@ func registerAccountHandler(app *model.AppState) http.Handler { err = controller.CreateAccount(app.DB, &account) if err != nil { if strings.HasPrefix(err.Error(), "pq: duplicate key") { - controller.SetSessionError(app.DB, session, "An account with that username already exists.") + session.Error = sql.NullString{ String: "An account with that username already exists.", Valid: true } render() return } fmt.Fprintf(os.Stderr, "WARN: Failed to create account: %v\n", err) - controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.") + session.Error = sql.NullString{ String: "Something went wrong. Please try again.", Valid: true } render() return } - fmt.Printf( - "[%s]: Account registered: %s (%s)\n", - time.Now().Format(time.UnixDate), - account.Username, - account.ID, - ) - err = controller.DeleteInvite(app.DB, invite.Code) if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to delete expired invite: %v\n", err) } // registration success! controller.SetSessionAccount(app.DB, session, &account) - controller.SetSessionMessage(app.DB, session, "") - controller.SetSessionError(app.DB, session, "") http.Redirect(w, r, "/admin", http.StatusFound) }) } @@ -239,7 +229,8 @@ func loginHandler(app *model.AppState) http.Handler { err := r.ParseForm() if err != nil { - http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest) + session.Error = sql.NullString{ String: "Malformed data.", Valid: true } + render() return } @@ -262,12 +253,12 @@ func loginHandler(app *model.AppState) http.Handler { account, err := controller.GetAccountByUsername(app.DB, credentials.Username) if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to fetch account for login: %v\n", err) - controller.SetSessionError(app.DB, session, "Invalid username or password.") + session.Error = sql.NullString{ String: "Invalid username or password.", Valid: true } render() return } if account == nil { - controller.SetSessionError(app.DB, session, "Invalid username or password.") + session.Error = sql.NullString{ String: "Invalid username or password.", Valid: true } render() return } @@ -276,10 +267,10 @@ func loginHandler(app *model.AppState) http.Handler { if err != nil { fmt.Printf( "[%s] INFO: Account \"%s\" attempted login with incorrect password.\n", - time.Now().Format(time.UnixDate), + time.Now().Format("2006-02-01 15:04:05"), account.Username, ) - controller.SetSessionError(app.DB, session, "Invalid username or password.") + session.Error = sql.NullString{ String: "Invalid username or password.", Valid: true } render() return } @@ -287,12 +278,12 @@ func loginHandler(app *model.AppState) http.Handler { totpMethod, err := controller.CheckTOTPForAccount(app.DB, account.ID, credentials.TOTP) if err != nil { fmt.Fprintf(os.Stderr, "WARN: Failed to fetch TOTPs: %v\n", err) - controller.SetSessionError(app.DB, session, "Something went wrong. Please try again.") + session.Error = sql.NullString{ String: "Something went wrong. Please try again.", Valid: true } render() return } if totpMethod == nil { - controller.SetSessionError(app.DB, session, "Invalid TOTP.") + session.Error = sql.NullString{ String: "Invalid TOTP.", Valid: true } render() return } @@ -300,15 +291,13 @@ func loginHandler(app *model.AppState) http.Handler { // TODO: log login activity to user fmt.Printf( "[%s] INFO: Account \"%s\" logged in with method \"%s\"\n", - time.Now().Format(time.UnixDate), + time.Now().Format("2006-02-01 15:04:05"), account.Username, totpMethod.Name, ) // login success! controller.SetSessionAccount(app.DB, session, account) - controller.SetSessionMessage(app.DB, session, "") - controller.SetSessionError(app.DB, session, "") http.Redirect(w, r, "/admin", http.StatusFound) }) } @@ -390,7 +379,11 @@ func enforceSession(app *model.AppState, next http.Handler) http.Handler { // fetch existing session session, err = controller.GetSession(app.DB, sessionCookie.Value) - if err != nil && !strings.Contains(err.Error(), "no rows") { + if err != nil { + if strings.Contains(err.Error(), "no rows") { + http.Error(w, "Invalid session. Please try clearing your cookies and refresh.", http.StatusBadRequest) + return + } fmt.Fprintf(os.Stderr, "WARN: Failed to retrieve session: %v\n", err) http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) return diff --git a/admin/static/admin.css b/admin/static/admin.css index cbb827e..45d67a4 100644 --- a/admin/static/admin.css +++ b/admin/static/admin.css @@ -146,7 +146,7 @@ a img.icon { -a.delete:not(.button) { +a.delete { color: #d22828; } @@ -197,30 +197,3 @@ button:active, .button:active { opacity: .5; cursor: not-allowed !important; } - - - -form { - width: 100%; - display: block; -} -label { - width: 100%; - margin: 1rem 0 .5rem 0; - display: block; - color: #10101080; -} -input { - margin: .5rem 0; - padding: .3rem .5rem; - display: block; - border-radius: 4px; - border: 1px solid #808080; - font-size: inherit; - font-family: inherit; - color: inherit; -} -input[disabled] { - opacity: .5; - cursor: not-allowed; -} diff --git a/admin/static/edit-account.css b/admin/static/edit-account.css index 37351b2..52fb756 100644 --- a/admin/static/edit-account.css +++ b/admin/static/edit-account.css @@ -4,6 +4,10 @@ div.card { margin-bottom: 2rem; } +form button { + margin-top: 1rem; +} + label { width: 100%; margin: 1rem 0 .5rem 0; diff --git a/admin/templates.go b/admin/templates.go index 3bae106..1021832 100644 --- a/admin/templates.go +++ b/admin/templates.go @@ -33,16 +33,6 @@ var pages = map[string]*template.Template{ filepath.Join("views", "prideflag.html"), filepath.Join("admin", "views", "edit-account.html"), )), - "totp-setup": template.Must(template.ParseFiles( - filepath.Join("admin", "views", "layout.html"), - filepath.Join("views", "prideflag.html"), - filepath.Join("admin", "views", "totp-setup.html"), - )), - "totp-confirm": template.Must(template.ParseFiles( - filepath.Join("admin", "views", "layout.html"), - filepath.Join("views", "prideflag.html"), - filepath.Join("admin", "views", "totp-confirm.html"), - )), "release": template.Must(template.ParseFiles( filepath.Join("admin", "views", "layout.html"), diff --git a/admin/views/edit-account.html b/admin/views/edit-account.html index b1d083a..0acfaf5 100644 --- a/admin/views/edit-account.html +++ b/admin/views/edit-account.html @@ -44,7 +44,7 @@

Added: {{.CreatedAt}}

- Delete + Delete
{{end}} @@ -52,10 +52,7 @@

You have no MFA devices.

{{end}} -
- - Add TOTP Device -
+
diff --git a/admin/views/login.html b/admin/views/login.html index b77af83..e8581e8 100644 --- a/admin/views/login.html +++ b/admin/views/login.html @@ -11,7 +11,7 @@ a.discord { color: #5865F2; } -form#login { +form { width: 100%; display: flex; flex-direction: column; @@ -26,8 +26,26 @@ form button { margin-top: 1rem; } +label { + width: 100%; + margin: 1rem 0 .5rem 0; + display: block; + color: #10101080; +} input { width: 100%; + margin: .5rem 0; + padding: .3rem .5rem; + display: block; + border-radius: 4px; + border: 1px solid #808080; + font-size: inherit; + font-family: inherit; + color: inherit; +} +input[disabled] { + opacity: .5; + cursor: not-allowed; } {{end}} diff --git a/admin/views/register.html b/admin/views/register.html index 94170c9..8899fd9 100644 --- a/admin/views/register.html +++ b/admin/views/register.html @@ -11,7 +11,7 @@ a.discord { color: #5865F2; } -form#register { +form { width: 100%; display: flex; flex-direction: column; @@ -26,8 +26,22 @@ form button { margin-top: 1rem; } +label { + width: 100%; + margin: 1rem 0 .5rem 0; + display: block; + color: #10101080; +} input { width: 100%; + margin: .5rem 0; + padding: .3rem .5rem; + display: block; + border-radius: 4px; + border: 1px solid #808080; + font-size: inherit; + font-family: inherit; + color: inherit; } {{end}} @@ -38,7 +52,7 @@ input {

{{html .Session.Error.String}}

{{end}} -
+
diff --git a/admin/views/totp-confirm.html b/admin/views/totp-confirm.html deleted file mode 100644 index af6b6e1..0000000 --- a/admin/views/totp-confirm.html +++ /dev/null @@ -1,34 +0,0 @@ -{{define "head"}} -TOTP Confirmation - ari melody 💫 - - - -{{end}} - -{{define "content"}} -
- {{if .Session.Error.Valid}} -

{{html .Session.Error.String}}

- {{end}} - - -

Your TOTP secret: {{.TOTP.Secret}}

- - - -

- Please store this into your two-factor authentication app or - password manager, then enter your code below: -

- - - - - - -
-{{end}} diff --git a/admin/views/totp-setup.html b/admin/views/totp-setup.html deleted file mode 100644 index 62b9daf..0000000 --- a/admin/views/totp-setup.html +++ /dev/null @@ -1,20 +0,0 @@ -{{define "head"}} -TOTP Setup - ari melody 💫 - - -{{end}} - -{{define "content"}} -
- {{if .Session.Error.Valid}} -

{{html .Session.Error.String}}

- {{end}} - -
- - - - -
-
-{{end}} diff --git a/controller/account.go b/controller/account.go index 0cf3364..8272bad 100644 --- a/controller/account.go +++ b/controller/account.go @@ -108,7 +108,7 @@ func CreateAccount(db *sqlx.DB, account *model.Account) error { func UpdateAccount(db *sqlx.DB, account *model.Account) error { _, err := db.Exec( "UPDATE account " + - "SET username=$2,password=$3,email=$4,avatar_url=$5 " + + "SET username=$2, password=$3, email=$4, avatar_url=$5) " + "WHERE id=$1", account.ID, account.Username, @@ -120,7 +120,7 @@ func UpdateAccount(db *sqlx.DB, account *model.Account) error { return err } -func DeleteAccount(db *sqlx.DB, accountID string) error { - _, err := db.Exec("DELETE FROM account WHERE id=$1", accountID) +func DeleteAccount(db *sqlx.DB, username string) error { + _, err := db.Exec("DELETE FROM account WHERE username=$1", username) return err } diff --git a/controller/session.go b/controller/session.go index c9c4cbb..2a2a19e 100644 --- a/controller/session.go +++ b/controller/session.go @@ -63,7 +63,6 @@ func SetSessionAccount(db *sqlx.DB, session *model.Session, account *model.Accou func SetSessionMessage(db *sqlx.DB, session *model.Session, message string) error { var err error if message == "" { - if !session.Message.Valid { return nil } session.Message = sql.NullString{ } _, err = db.Exec("UPDATE session SET message=NULL WHERE token=$1", session.Token) } else { @@ -76,11 +75,10 @@ func SetSessionMessage(db *sqlx.DB, session *model.Session, message string) erro func SetSessionError(db *sqlx.DB, session *model.Session, message string) error { var err error if message == "" { - if !session.Error.Valid { return nil } - session.Error = sql.NullString{ } + session.Message = sql.NullString{ } _, err = db.Exec("UPDATE session SET error=NULL WHERE token=$1", session.Token) } else { - session.Error = sql.NullString{ String: message, Valid: true } + session.Message = sql.NullString{ String: message, Valid: true } _, err = db.Exec("UPDATE session SET error=$2 WHERE token=$1", session.Token, message) } return err diff --git a/controller/totp.go b/controller/totp.go index 02f1c4b..83a5b1c 100644 --- a/controller/totp.go +++ b/controller/totp.go @@ -17,9 +17,9 @@ import ( "github.com/jmoiron/sqlx" ) -const TOTP_SECRET_LENGTH = 32 -const TOTP_TIME_STEP int64 = 30 -const TOTP_CODE_LENGTH = 6 +const TOTP_SECRET_LENGTH = 64 +const TIME_STEP int64 = 30 +const CODE_LENGTH = 6 func GenerateTOTP(secret string, timeStepOffset int) string { decodedSecret, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(secret) @@ -27,7 +27,7 @@ func GenerateTOTP(secret string, timeStepOffset int) string { fmt.Fprintf(os.Stderr, "WARN: Invalid Base32 secret\n") } - counter := time.Now().Unix() / TOTP_TIME_STEP - int64(timeStepOffset) + counter := time.Now().Unix() / TIME_STEP - int64(timeStepOffset) counterBytes := make([]byte, 8) binary.BigEndian.PutUint64(counterBytes, uint64(counter)) @@ -37,9 +37,9 @@ func GenerateTOTP(secret string, timeStepOffset int) string { offset := hash[len(hash) - 1] & 0x0f binaryCode := int32(binary.BigEndian.Uint32(hash[offset : offset + 4]) & 0x7FFFFFFF) - code := binaryCode % int32(math.Pow10(TOTP_CODE_LENGTH)) + code := binaryCode % int32(math.Pow10(CODE_LENGTH)) - return fmt.Sprintf(fmt.Sprintf("%%0%dd", TOTP_CODE_LENGTH), code) + return fmt.Sprintf(fmt.Sprintf("%%0%dd", CODE_LENGTH), code) } func GenerateTOTPSecret(length int) string { @@ -65,8 +65,8 @@ func GenerateTOTPURI(username string, secret string) string { query.Set("secret", secret) query.Set("issuer", "arimelody.me") query.Set("algorithm", "SHA1") - query.Set("digits", fmt.Sprintf("%d", TOTP_CODE_LENGTH)) - query.Set("period", fmt.Sprintf("%d", TOTP_TIME_STEP)) + query.Set("digits", fmt.Sprintf("%d", CODE_LENGTH)) + query.Set("period", fmt.Sprintf("%d", TIME_STEP)) url.RawQuery = query.Encode() return url.String() @@ -98,11 +98,7 @@ func CheckTOTPForAccount(db *sqlx.DB, accountID string, totp string) (*model.TOT for _, method := range totps { check := GenerateTOTP(method.Secret, 0) if check == totp { - return &method, nil - } - // try again with offset- maybe user input the code late? - check = GenerateTOTP(method.Secret, 1) - if check == totp { + // return the whole TOTP method as it may be useful for logging return &method, nil } } diff --git a/main.go b/main.go index 251d9a9..9c5b38a 100644 --- a/main.go +++ b/main.go @@ -4,7 +4,6 @@ import ( "errors" "fmt" "log" - "math" "math/rand" "net/http" "os" @@ -23,7 +22,6 @@ import ( "github.com/jmoiron/sqlx" _ "github.com/lib/pq" - "golang.org/x/crypto/bcrypt" ) // used for database migrations @@ -93,12 +91,12 @@ func main() { account, err := controller.GetAccountByUsername(app.DB, username) if err != nil { - fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch account \"%s\": %v\n", username, err) + fmt.Fprintf(os.Stderr, "Failed to fetch account \"%s\": %v\n", username, err) os.Exit(1) } if account == nil { - fmt.Fprintf(os.Stderr, "FATAL: Account \"%s\" does not exist.\n", username) + fmt.Fprintf(os.Stderr, "Account \"%s\" does not exist.\n", username) os.Exit(1) } @@ -111,10 +109,10 @@ func main() { err = controller.CreateTOTP(app.DB, &totp) if err != nil { if strings.HasPrefix(err.Error(), "pq: duplicate key") { - fmt.Fprintf(os.Stderr, "FATAL: Account \"%s\" already has a TOTP method named \"%s\"!\n", account.Username, totp.Name) + fmt.Fprintf(os.Stderr, "Account \"%s\" already has a TOTP method named \"%s\"!\n", account.Username, totp.Name) os.Exit(1) } - fmt.Fprintf(os.Stderr, "FATAL: Failed to create TOTP method: %v\n", err) + fmt.Fprintf(os.Stderr, "Failed to create TOTP method: %v\n", err) os.Exit(1) } @@ -132,18 +130,18 @@ func main() { account, err := controller.GetAccountByUsername(app.DB, username) if err != nil { - fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch account \"%s\": %v\n", username, err) + fmt.Fprintf(os.Stderr, "Failed to fetch account \"%s\": %v\n", username, err) os.Exit(1) } if account == nil { - fmt.Fprintf(os.Stderr, "FATAL: Account \"%s\" does not exist.\n", username) + fmt.Fprintf(os.Stderr, "Account \"%s\" does not exist.\n", username) os.Exit(1) } err = controller.DeleteTOTP(app.DB, account.ID, totpName) if err != nil { - fmt.Fprintf(os.Stderr, "FATAL: Failed to create TOTP method: %v\n", err) + fmt.Fprintf(os.Stderr, "Failed to create TOTP method: %v\n", err) os.Exit(1) } @@ -159,18 +157,18 @@ func main() { account, err := controller.GetAccountByUsername(app.DB, username) if err != nil { - fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch account \"%s\": %v\n", username, err) + fmt.Fprintf(os.Stderr, "Failed to fetch account \"%s\": %v\n", username, err) os.Exit(1) } if account == nil { - fmt.Fprintf(os.Stderr, "FATAL: Account \"%s\" does not exist.\n", username) + fmt.Fprintf(os.Stderr, "Account \"%s\" does not exist.\n", username) os.Exit(1) } totps, err := controller.GetTOTPsForAccount(app.DB, account.ID) if err != nil { - fmt.Fprintf(os.Stderr, "FATAL: Failed to create TOTP methods: %v\n", err) + fmt.Fprintf(os.Stderr, "Failed to create TOTP methods: %v\n", err) os.Exit(1) } @@ -192,23 +190,23 @@ func main() { account, err := controller.GetAccountByUsername(app.DB, username) if err != nil { - fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch account \"%s\": %v\n", username, err) + fmt.Fprintf(os.Stderr, "Failed to fetch account \"%s\": %v\n", username, err) os.Exit(1) } if account == nil { - fmt.Fprintf(os.Stderr, "FATAL: Account \"%s\" does not exist.\n", username) + fmt.Fprintf(os.Stderr, "Account \"%s\" does not exist.\n", username) os.Exit(1) } totp, err := controller.GetTOTP(app.DB, account.ID, totpName) if err != nil { - fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch TOTP method \"%s\": %v\n", totpName, err) + fmt.Fprintf(os.Stderr, "Failed to fetch TOTP method \"%s\": %v\n", totpName, err) os.Exit(1) } if totp == nil { - fmt.Fprintf(os.Stderr, "FATAL: TOTP method \"%s\" does not exist for account \"%s\"\n", totpName, username) + fmt.Fprintf(os.Stderr, "TOTP method \"%s\" does not exist for account \"%s\"\n", totpName, username) os.Exit(1) } @@ -220,22 +218,18 @@ func main() { fmt.Printf("Creating invite...\n") invite, err := controller.CreateInvite(app.DB, 16, time.Hour * 24) if err != nil { - fmt.Fprintf(os.Stderr, "FATAL: Failed to create invite code: %v\n", err) + fmt.Fprintf(os.Stderr, "Failed to create invite code: %v\n", err) os.Exit(1) } - fmt.Printf( - "Here you go! This code expires in %d hours: %s\n", - int(math.Ceil(invite.ExpiresAt.Sub(invite.CreatedAt).Hours())), - invite.Code, - ) + fmt.Printf("Here you go! This code expires in 24 hours: %s\n", invite.Code) return case "purgeInvites": fmt.Printf("Deleting all invites...\n") err := controller.DeleteAllInvites(app.DB) if err != nil { - fmt.Fprintf(os.Stderr, "FATAL: Failed to delete invites: %v\n", err) + fmt.Fprintf(os.Stderr, "Failed to delete invites: %v\n", err) os.Exit(1) } @@ -245,7 +239,7 @@ func main() { case "listAccounts": accounts, err := controller.GetAllAccounts(app.DB) if err != nil { - fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch accounts: %v\n", err) + fmt.Fprintf(os.Stderr, "Failed to fetch accounts: %v\n", err) os.Exit(1) } @@ -265,39 +259,6 @@ func main() { } return - case "changePassword": - if len(os.Args) < 4 { - fmt.Fprintf(os.Stderr, "FATAL: `username` and `password` must be specified for changePassword\n") - os.Exit(1) - } - - username := os.Args[2] - password := os.Args[3] - account, err := controller.GetAccountByUsername(app.DB, username) - if err != nil { - fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch account \"%s\": %v\n", username, err) - os.Exit(1) - } - if account == nil { - fmt.Fprintf(os.Stderr, "FATAL: Account \"%s\" does not exist.\n", username) - os.Exit(1) - } - - hashedPassword, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost) - if err != nil { - fmt.Fprintf(os.Stderr, "FATAL: Failed to update password: %v\n", err) - os.Exit(1) - } - account.Password = string(hashedPassword) - err = controller.UpdateAccount(app.DB, account) - if err != nil { - fmt.Fprintf(os.Stderr, "FATAL: Failed to delete account: %v\n", err) - os.Exit(1) - } - - fmt.Printf("Account \"%s\" deleted successfully.\n", account.Username) - return - case "deleteAccount": if len(os.Args) < 3 { fmt.Fprintf(os.Stderr, "FATAL: `username` must be specified for deleteAccount\n") @@ -308,12 +269,12 @@ func main() { account, err := controller.GetAccountByUsername(app.DB, username) if err != nil { - fmt.Fprintf(os.Stderr, "FATAL: Failed to fetch account \"%s\": %v\n", username, err) + fmt.Fprintf(os.Stderr, "Failed to fetch account \"%s\": %v\n", username, err) os.Exit(1) } if account == nil { - fmt.Fprintf(os.Stderr, "FATAL: Account \"%s\" does not exist.\n", username) + fmt.Fprintf(os.Stderr, "Account \"%s\" does not exist.\n", username) os.Exit(1) } @@ -324,9 +285,9 @@ func main() { return } - err = controller.DeleteAccount(app.DB, account.ID) + err = controller.DeleteAccount(app.DB, username) if err != nil { - fmt.Fprintf(os.Stderr, "FATAL: Failed to delete account: %v\n", err) + fmt.Fprintf(os.Stderr, "Failed to delete account: %v\n", err) os.Exit(1) } diff --git a/schema_migration/000-init.sql b/schema_migration/000-init.sql index ff5c1af..48b8fbe 100644 --- a/schema_migration/000-init.sql +++ b/schema_migration/000-init.sql @@ -4,19 +4,19 @@ -- Accounts CREATE TABLE arimelody.account ( - id UUID DEFAULT gen_random_uuid(), - username TEXT NOT NULL UNIQUE, - password TEXT NOT NULL, - email TEXT, - avatar_url TEXT, + id uuid DEFAULT gen_random_uuid(), + username text NOT NULL UNIQUE, + password text NOT NULL, + email text, + avatar_url text, created_at TIMESTAMP DEFAULT current_timestamp ); ALTER TABLE arimelody.account ADD CONSTRAINT account_pk PRIMARY KEY (id); -- Privilege CREATE TABLE arimelody.privilege ( - account UUID NOT NULL, - privilege TEXT NOT NULL + account uuid NOT NULL, + privilege text NOT NULL ); ALTER TABLE arimelody.privilege ADD CONSTRAINT privilege_pk PRIMARY KEY (account, privilege); @@ -33,12 +33,12 @@ CREATE TABLE arimelody.session ( token TEXT, user_agent TEXT NOT NULL, created_at TIMESTAMP NOT NULL DEFAULT current_timestamp, - expires_at TIMESTAMP DEFAULT NULL, + expires_at TIMESTAMP DEFAULT NULL account UUID, message TEXT, - error TEXT + error TEXT, ); -ALTER TABLE arimelody.session ADD CONSTRAINT session_pk PRIMARY KEY (token); +ALTER TABLE arimelody.session ADD CONSTRAINT session_pk PRIMARY KEY (session); -- TOTPs CREATE TABLE arimelody.totp ( diff --git a/schema_migration/001-pre-versioning.sql b/schema_migration/001-pre-versioning.sql index cd0c061..76fb1b8 100644 --- a/schema_migration/001-pre-versioning.sql +++ b/schema_migration/001-pre-versioning.sql @@ -2,21 +2,21 @@ -- New items -- --- Accounts +-- Acounts CREATE TABLE arimelody.account ( - id UUID DEFAULT gen_random_uuid(), - username TEXT NOT NULL UNIQUE, - password TEXT NOT NULL, - email TEXT, - avatar_url TEXT, + id uuid DEFAULT gen_random_uuid(), + username text NOT NULL UNIQUE, + password text NOT NULL, + email text, + avatar_url text, created_at TIMESTAMP DEFAULT current_timestamp ); ALTER TABLE arimelody.account ADD CONSTRAINT account_pk PRIMARY KEY (id); -- Privilege CREATE TABLE arimelody.privilege ( - account UUID NOT NULL, - privilege TEXT NOT NULL + account uuid NOT NULL, + privilege text NOT NULL ); ALTER TABLE arimelody.privilege ADD CONSTRAINT privilege_pk PRIMARY KEY (account, privilege); @@ -33,12 +33,12 @@ CREATE TABLE arimelody.session ( token TEXT, user_agent TEXT NOT NULL, created_at TIMESTAMP NOT NULL DEFAULT current_timestamp, - expires_at TIMESTAMP DEFAULT NULL, + expires_at TIMESTAMP DEFAULT NULL account UUID, message TEXT, - error TEXT + error TEXT, ); -ALTER TABLE arimelody.session ADD CONSTRAINT session_pk PRIMARY KEY (token); +ALTER TABLE arimelody.session ADD CONSTRAINT session_pk PRIMARY KEY (session); -- TOTPs CREATE TABLE arimelody.totp (