package website import ( "errors" "fmt" "net/http" "regexp" "strings" "time" "git.handmade.network/hmn/hmn/src/auth" "git.handmade.network/hmn/hmn/src/db" "git.handmade.network/hmn/hmn/src/email" "git.handmade.network/hmn/hmn/src/hmnurl" "git.handmade.network/hmn/hmn/src/logging" "git.handmade.network/hmn/hmn/src/models" "git.handmade.network/hmn/hmn/src/oops" "git.handmade.network/hmn/hmn/src/templates" ) var UsernameRegex = regexp.MustCompile(`^[0-9a-zA-Z][\w-]{2,29}$`) type LoginPageData struct { templates.BaseData RedirectUrl string ForgotPasswordUrl string } func LoginPage(c *RequestContext) ResponseData { if c.CurrentUser != nil { return RejectRequest(c, "You are already logged in.") } var res ResponseData res.MustWriteTemplate("auth_login.html", LoginPageData{ BaseData: getBaseDataAutocrumb(c, "Log in"), RedirectUrl: c.Req.URL.Query().Get("redirect"), ForgotPasswordUrl: hmnurl.BuildRequestPasswordReset(), }, c.Perf) return res } func Login(c *RequestContext) ResponseData { form, err := c.GetFormValues() if err != nil { return c.ErrorResponse(http.StatusBadRequest, NewSafeError(err, "request must contain form data")) } redirect := form.Get("redirect") if redirect == "" { redirect = "/" } if c.CurrentUser != nil { res := c.Redirect(redirect, http.StatusSeeOther) res.AddFutureNotice("warn", fmt.Sprintf("You are already logged in as %s.", c.CurrentUser.Username)) return res } username := form.Get("username") password := form.Get("password") if username == "" || password == "" { return c.Redirect(hmnurl.BuildLoginPage(redirect), http.StatusSeeOther) } showLoginWithFailure := func(c *RequestContext, redirect string) ResponseData { var res ResponseData baseData := getBaseDataAutocrumb(c, "Log in") baseData.AddImmediateNotice("failure", "Incorrect username or password") res.MustWriteTemplate("auth_login.html", LoginPageData{ BaseData: baseData, RedirectUrl: redirect, ForgotPasswordUrl: hmnurl.BuildRequestPasswordReset(), }, c.Perf) return res } userRow, err := db.QueryOne(c.Context(), c.Conn, models.User{}, "SELECT $columns FROM auth_user WHERE LOWER(username) = LOWER($1)", username) if err != nil { if errors.Is(err, db.NotFound) { return showLoginWithFailure(c, redirect) } else { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to look up user by username")) } } user := userRow.(*models.User) success, err := tryLogin(c, user, password) if err != nil { return c.ErrorResponse(http.StatusInternalServerError, err) } if !success { return showLoginWithFailure(c, redirect) } if user.Status == models.UserStatusInactive { return RejectRequest(c, "You must validate your email address before logging in. You should've received an email shortly after registration. If you did not receive the email, please contact the staff.") } res := c.Redirect(redirect, http.StatusSeeOther) err = loginUser(c, user, &res) if err != nil { return c.ErrorResponse(http.StatusInternalServerError, err) } return res } func Logout(c *RequestContext) ResponseData { redir := c.Req.URL.Query().Get("redirect") if redir == "" { redir = "/" } res := c.Redirect(redir, http.StatusSeeOther) logoutUser(c, &res) return res } func RegisterNewUser(c *RequestContext) ResponseData { if c.CurrentUser != nil { c.Redirect(hmnurl.BuildUserSettings(c.CurrentUser.Username), http.StatusSeeOther) } // TODO(asaf): Do something to prevent bot registration var res ResponseData res.MustWriteTemplate("auth_register.html", getBaseDataAutocrumb(c, "Register"), c.Perf) return res } func RegisterNewUserSubmit(c *RequestContext) ResponseData { if c.CurrentUser != nil { return RejectRequest(c, "Can't register new user. You are already logged in") } c.Req.ParseForm() username := strings.TrimSpace(c.Req.Form.Get("username")) displayName := strings.TrimSpace(c.Req.Form.Get("displayname")) emailAddress := strings.TrimSpace(c.Req.Form.Get("email")) password := c.Req.Form.Get("password") password2 := c.Req.Form.Get("password2") if !UsernameRegex.Match([]byte(username)) { return RejectRequest(c, "Invalid username") } if !email.IsEmail(emailAddress) { return RejectRequest(c, "Invalid email address") } if len(password) < 8 { return RejectRequest(c, "Password too short") } if password != password2 { return RejectRequest(c, "Password confirmation doesn't match password") } c.Perf.StartBlock("SQL", "Check blacklist") // TODO(asaf): Check email against blacklist blacklisted := false if blacklisted { // NOTE(asaf): Silent rejection so we don't allow attackers to harvest emails. return c.Redirect(hmnurl.BuildRegistrationSuccess(), http.StatusSeeOther) } c.Perf.EndBlock() c.Perf.StartBlock("SQL", "Check for existing usernames and emails") userAlreadyExists := true _, err := db.QueryInt(c.Context(), c.Conn, ` SELECT id FROM auth_user WHERE LOWER(username) = LOWER($1) `, username, ) if err != nil { if errors.Is(err, db.NotFound) { userAlreadyExists = false } else { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to fetch user")) } } if userAlreadyExists { return RejectRequest(c, fmt.Sprintf("Username (%s) already exists.", username)) } emailAlreadyExists := true _, err = db.QueryInt(c.Context(), c.Conn, ` SELECT id FROM auth_user WHERE LOWER(email) = LOWER($1) `, emailAddress, ) if err != nil { if errors.Is(err, db.NotFound) { emailAlreadyExists = false } else { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to fetch user")) } } c.Perf.EndBlock() if emailAlreadyExists { // NOTE(asaf): Silent rejection so we don't allow attackers to harvest emails. return c.Redirect(hmnurl.BuildRegistrationSuccess(), http.StatusSeeOther) } hashed := auth.HashPassword(password) c.Perf.StartBlock("SQL", "Create user and one time token") tx, err := c.Conn.Begin(c.Context()) if err != nil { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to start db transaction")) } defer tx.Rollback(c.Context()) now := time.Now() var newUserId int err = tx.QueryRow(c.Context(), ` INSERT INTO auth_user (username, email, password, date_joined, name, registration_ip) VALUES ($1, $2, $3, $4, $5, $6) RETURNING id `, username, emailAddress, hashed.String(), now, displayName, c.GetIP(), ).Scan(&newUserId) if err != nil { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to store user")) } ott := models.GenerateToken() _, err = tx.Exec(c.Context(), ` INSERT INTO handmade_onetimetoken (token_type, created, expires, token_content, owner_id) VALUES($1, $2, $3, $4, $5) `, models.TokenTypeRegistration, now, now.Add(time.Hour*24*7), ott, newUserId, ) if err != nil { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to store one-time token")) } c.Perf.EndBlock() mailName := displayName if mailName == "" { mailName = username } err = email.SendRegistrationEmail(emailAddress, mailName, username, ott, c.Perf) if err != nil { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to send registration email")) } c.Perf.StartBlock("SQL", "Commit user") err = tx.Commit(c.Context()) if err != nil { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to commit user to the db")) } c.Perf.EndBlock() return c.Redirect(hmnurl.BuildRegistrationSuccess(), http.StatusSeeOther) } type RegisterNewUserSuccessData struct { templates.BaseData ContactUsUrl string } func RegisterNewUserSuccess(c *RequestContext) ResponseData { if c.CurrentUser != nil { return c.Redirect(hmnurl.BuildHomepage(), http.StatusSeeOther) } var res ResponseData res.MustWriteTemplate("auth_register_success.html", RegisterNewUserSuccessData{ BaseData: getBaseDataAutocrumb(c, "Register"), ContactUsUrl: hmnurl.BuildContactPage(), }, c.Perf) return res } type EmailValidationData struct { templates.BaseData Token string Username string } func EmailConfirmation(c *RequestContext) ResponseData { if c.CurrentUser != nil { return c.Redirect(hmnurl.BuildHomepage(), http.StatusSeeOther) } username, hasUsername := c.PathParams["username"] if !hasUsername { return RejectRequest(c, "Bad validation url") } token := "" hasToken := false // TODO(asaf): Delete old hash/nonce about a week after launch hash, hasHash := c.PathParams["hash"] nonce, hasNonce := c.PathParams["nonce"] if hasHash && hasNonce { token = fmt.Sprintf("%s/%s", hash, nonce) hasToken = true } else { token, hasToken = c.PathParams["token"] } if !hasToken { return RejectRequest(c, "Bad validation url") } validationResult := validateUsernameAndToken(c, username, token, models.TokenTypeRegistration) if !validationResult.Match { return makeResponseForBadRegistrationTokenValidationResult(c, validationResult) } var res ResponseData res.MustWriteTemplate("auth_email_validation.html", EmailValidationData{ BaseData: getBaseDataAutocrumb(c, "Register"), Token: token, Username: username, }, c.Perf) return res } func EmailConfirmationSubmit(c *RequestContext) ResponseData { c.Req.ParseForm() token := c.Req.Form.Get("token") username := c.Req.Form.Get("username") password := c.Req.Form.Get("password") validationResult := validateUsernameAndToken(c, username, token, models.TokenTypeRegistration) if !validationResult.Match { return makeResponseForBadRegistrationTokenValidationResult(c, validationResult) } success, err := tryLogin(c, validationResult.User, password) if err != nil { return c.ErrorResponse(http.StatusInternalServerError, err) } else if !success { var res ResponseData baseData := getBaseDataAutocrumb(c, "Register") // NOTE(asaf): We can report that the password is incorrect, because an attacker wouldn't have a valid token to begin with. baseData.AddImmediateNotice("failure", "Incorrect password. Please try again.") res.MustWriteTemplate("auth_email_validation.html", EmailValidationData{ BaseData: baseData, Token: token, Username: username, }, c.Perf) return res } c.Perf.StartBlock("SQL", "Updating user status and deleting token") tx, err := c.Conn.Begin(c.Context()) if err != nil { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to start db transaction")) } defer tx.Rollback(c.Context()) _, err = tx.Exec(c.Context(), ` UPDATE auth_user SET status = $1 WHERE id = $2 `, // models.UserStatusConfirmed, models.UserStatusApproved, // TODO: Change this back to Confirmed after the jam. validationResult.User.ID, ) if err != nil { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to update user status")) } _, err = tx.Exec(c.Context(), ` DELETE FROM handmade_onetimetoken WHERE id = $1 `, validationResult.OneTimeToken.ID, ) if err != nil { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to delete one time token")) } err = tx.Commit(c.Context()) if err != nil { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to commit transaction")) } c.Perf.EndBlock() res := c.Redirect(hmnurl.BuildHomepage(), http.StatusSeeOther) res.AddFutureNotice("success", "You've completed your registration successfully!") err = loginUser(c, validationResult.User, &res) if err != nil { return c.ErrorResponse(http.StatusInternalServerError, err) } return res } // NOTE(asaf): Only call this when validationResult.Match is false. func makeResponseForBadRegistrationTokenValidationResult(c *RequestContext, validationResult validateUserAndTokenResult) ResponseData { if validationResult.User == nil { return RejectRequest(c, "You haven't validated your email in time and your user was deleted. You may try registering again with the same username.") } if validationResult.OneTimeToken == nil { // NOTE(asaf): The user exists, but the validation token doesn't. // That means the user already validated their email and can just log in normally. return c.Redirect(hmnurl.BuildLoginPage(""), http.StatusSeeOther) } return RejectRequest(c, "Bad token. If you are having problems registering or logging in, please contact the staff.") } // NOTE(asaf): PasswordReset refers specifically to "forgot your password" flow over email, // not to changing your password through the user settings page. func RequestPasswordReset(c *RequestContext) ResponseData { if c.CurrentUser != nil { return c.Redirect(hmnurl.BuildHomepage(), http.StatusSeeOther) } var res ResponseData res.MustWriteTemplate("auth_password_reset.html", getBaseDataAutocrumb(c, "Password Reset"), c.Perf) return res } func RequestPasswordResetSubmit(c *RequestContext) ResponseData { if c.CurrentUser != nil { return c.Redirect(hmnurl.BuildHomepage(), http.StatusSeeOther) } c.Req.ParseForm() username := strings.TrimSpace(c.Req.Form.Get("username")) emailAddress := strings.TrimSpace(c.Req.Form.Get("email")) if username == "" && emailAddress == "" { return RejectRequest(c, "You must provide a username and an email address.") } var user *models.User c.Perf.StartBlock("SQL", "Fetching user") userRow, err := db.QueryOne(c.Context(), c.Conn, models.User{}, ` SELECT $columns FROM auth_user WHERE LOWER(username) = LOWER($1) AND LOWER(email) = LOWER($2) `, username, emailAddress, ) c.Perf.EndBlock() if err != nil { if !errors.Is(err, db.NotFound) { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to look up user by username")) } } if userRow != nil { user = userRow.(*models.User) } if user != nil { c.Perf.StartBlock("SQL", "Fetching existing token") tokenRow, err := db.QueryOne(c.Context(), c.Conn, models.OneTimeToken{}, ` SELECT $columns FROM handmade_onetimetoken WHERE token_type = $1 AND owner_id = $2 `, models.TokenTypePasswordReset, user.ID, ) c.Perf.EndBlock() if err != nil { if !errors.Is(err, db.NotFound) { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to fetch onetimetoken for user")) } } var resetToken *models.OneTimeToken if tokenRow != nil { resetToken = tokenRow.(*models.OneTimeToken) } now := time.Now() if resetToken != nil { if resetToken.Expires.Before(now.Add(time.Minute * 30)) { // NOTE(asaf): Expired or about to expire c.Perf.StartBlock("SQL", "Deleting expired token") _, err = c.Conn.Exec(c.Context(), ` DELETE FROM handmade_onetimetoken WHERE id = $1 `, resetToken.ID, ) c.Perf.EndBlock() if err != nil { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to delete onetimetoken")) } resetToken = nil } } if resetToken == nil { c.Perf.StartBlock("SQL", "Creating new token") tokenRow, err := db.QueryOne(c.Context(), c.Conn, models.OneTimeToken{}, ` INSERT INTO handmade_onetimetoken (token_type, created, expires, token_content, owner_id) VALUES ($1, $2, $3, $4, $5) RETURNING $columns `, models.TokenTypePasswordReset, now, now.Add(time.Hour*24), models.GenerateToken(), user.ID, ) c.Perf.EndBlock() if err != nil { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to create onetimetoken")) } resetToken = tokenRow.(*models.OneTimeToken) err = email.SendPasswordReset(user.Email, user.BestName(), user.Username, resetToken.Content, resetToken.Expires, c.Perf) if err != nil { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to send email")) } } } return c.Redirect(hmnurl.BuildPasswordResetSent(), http.StatusSeeOther) } type PasswordResetSentData struct { templates.BaseData ContactUsUrl string } func PasswordResetSent(c *RequestContext) ResponseData { if c.CurrentUser != nil { return c.Redirect(hmnurl.BuildHomepage(), http.StatusSeeOther) } var res ResponseData res.MustWriteTemplate("auth_password_reset_sent.html", PasswordResetSentData{ BaseData: getBaseDataAutocrumb(c, "Password Reset"), ContactUsUrl: hmnurl.BuildContactPage(), }, c.Perf) return res } type DoPasswordResetData struct { templates.BaseData Username string Token string } func DoPasswordReset(c *RequestContext) ResponseData { username, hasUsername := c.PathParams["username"] token, hasToken := c.PathParams["token"] if !hasToken || !hasUsername { return RejectRequest(c, "Bad validation url.") } validationResult := validateUsernameAndToken(c, username, token, models.TokenTypePasswordReset) if !validationResult.Match { return RejectRequest(c, "Bad validation url.") } var res ResponseData if c.CurrentUser != nil && c.CurrentUser.ID != validationResult.User.ID { // NOTE(asaf): In the rare case that a user is logged in with user A and is trying to // change the password for user B, log out the current user to avoid confusion. logoutUser(c, &res) } res.MustWriteTemplate("auth_do_password_reset.html", DoPasswordResetData{ BaseData: getBaseDataAutocrumb(c, "Password Reset"), Username: username, Token: token, }, c.Perf) return res } func DoPasswordResetSubmit(c *RequestContext) ResponseData { c.Req.ParseForm() token := c.Req.Form.Get("token") username := c.Req.Form.Get("username") password := c.Req.Form.Get("password") password2 := c.Req.Form.Get("password2") validationResult := validateUsernameAndToken(c, username, token, models.TokenTypePasswordReset) if !validationResult.Match { return RejectRequest(c, "Bad validation url.") } if c.CurrentUser != nil && c.CurrentUser.ID != validationResult.User.ID { return RejectRequest(c, fmt.Sprintf("Can't change password for %s. You are logged in as %s.", username, c.CurrentUser.Username)) } if len(password) < 8 { return RejectRequest(c, "Password too short") } if password != password2 { return RejectRequest(c, "Password confirmation doesn't match password") } hashed := auth.HashPassword(password) c.Perf.StartBlock("SQL", "Update user's password and delete reset token") tx, err := c.Conn.Begin(c.Context()) if err != nil { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to start db transaction")) } defer tx.Rollback(c.Context()) tag, err := tx.Exec(c.Context(), ` UPDATE auth_user SET password = $1 WHERE id = $2 `, hashed.String(), validationResult.User.ID, ) if err != nil || tag.RowsAffected() == 0 { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to update user's password")) } if validationResult.User.Status == models.UserStatusInactive { _, err = tx.Exec(c.Context(), ` UPDATE auth_user SET status = $1 WHERE id = $2 `, models.UserStatusConfirmed, validationResult.User.ID, ) if err != nil { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to update user's status")) } } _, err = tx.Exec(c.Context(), ` DELETE FROM handmade_onetimetoken WHERE id = $1 `, validationResult.OneTimeToken.ID, ) if err != nil { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to delete onetimetoken")) } err = tx.Commit(c.Context()) if err != nil { return c.ErrorResponse(http.StatusInternalServerError, oops.New(err, "failed to commit password reset to the db")) } c.Perf.EndBlock() res := c.Redirect(hmnurl.BuildUserSettings(""), http.StatusSeeOther) res.AddFutureNotice("success", "Password changed successfully.") err = loginUser(c, validationResult.User, &res) if err != nil { return c.ErrorResponse(http.StatusInternalServerError, err) } return res } func tryLogin(c *RequestContext, user *models.User, password string) (bool, error) { c.Perf.StartBlock("AUTH", "Checking password") defer c.Perf.EndBlock() hashed, err := auth.ParsePasswordString(user.Password) if err != nil { return false, oops.New(err, "failed to parse password string") } passwordsMatch, err := auth.CheckPassword(password, hashed) if err != nil { return false, oops.New(err, "failed to check password against hash") } if !passwordsMatch { return false, nil } // re-hash and save the user's password if necessary if hashed.IsOutdated() { newHashed := auth.HashPassword(password) err := auth.UpdatePassword(c.Context(), c.Conn, user.Username, newHashed) if err != nil { c.Logger.Error().Err(err).Msg("failed to update user's password") } // If errors happen here, we can still continue with logging them in } return true, nil } func loginUser(c *RequestContext, user *models.User, responseData *ResponseData) error { c.Perf.StartBlock("SQL", "Setting last login and creating session") defer c.Perf.EndBlock() tx, err := c.Conn.Begin(c.Context()) if err != nil { return oops.New(err, "failed to start db transaction") } defer tx.Rollback(c.Context()) now := time.Now() _, err = tx.Exec(c.Context(), ` UPDATE auth_user SET last_login = $1 WHERE id = $2 `, now, user.ID, ) if err != nil { return oops.New(err, "failed to update last_login for user") } session, err := auth.CreateSession(c.Context(), c.Conn, user.Username) if err != nil { return oops.New(err, "failed to create session") } err = tx.Commit(c.Context()) if err != nil { return oops.New(err, "failed to commit transaction") } responseData.SetCookie(auth.NewSessionCookie(session)) return nil } func logoutUser(c *RequestContext, res *ResponseData) { sessionCookie, err := c.Req.Cookie(auth.SessionCookieName) if err == nil { // clear the session from the db immediately, no expiration err := auth.DeleteSession(c.Context(), c.Conn, sessionCookie.Value) if err != nil { logging.Error().Err(err).Msg("failed to delete session on logout") } } res.SetCookie(auth.DeleteSessionCookie) } type validateUserAndTokenResult struct { User *models.User OneTimeToken *models.OneTimeToken Match bool Error error } func validateUsernameAndToken(c *RequestContext, username string, token string, tokenType models.OneTimeTokenType) validateUserAndTokenResult { c.Perf.StartBlock("SQL", "Check username and token") defer c.Perf.EndBlock() type userAndTokenQuery struct { User models.User `db:"auth_user"` OneTimeToken *models.OneTimeToken `db:"onetimetoken"` } row, err := db.QueryOne(c.Context(), c.Conn, userAndTokenQuery{}, ` SELECT $columns FROM auth_user LEFT JOIN handmade_onetimetoken AS onetimetoken ON onetimetoken.owner_id = auth_user.id WHERE LOWER(auth_user.username) = LOWER($1) AND onetimetoken.token_type = $2 `, username, tokenType, ) var result validateUserAndTokenResult if err != nil { if !errors.Is(err, db.NotFound) { result.Error = oops.New(err, "failed to fetch user and token from db") return result } } if row != nil { data := row.(*userAndTokenQuery) result.User = &data.User result.OneTimeToken = data.OneTimeToken if result.OneTimeToken != nil { result.Match = (result.OneTimeToken.Content == token) } } return result }