nyaa-pantsu/service/user/cookie_helper.go

package userService

import (
	"errors"
	"net/http"
	"strconv"
	"time"

	"github.com/NyaaPantsu/nyaa/db"
	"github.com/NyaaPantsu/nyaa/model"
	formStruct "github.com/NyaaPantsu/nyaa/service/user/form"
	msg "github.com/NyaaPantsu/nyaa/util/messages"
	"github.com/NyaaPantsu/nyaa/util/modelHelper"
	"github.com/NyaaPantsu/nyaa/util/timeHelper"
	"github.com/gorilla/context"
	"github.com/gorilla/securecookie"
	"golang.org/x/crypto/bcrypt"
)

const (
	// CookieName : Name of cookie
	CookieName = "session"
	// UserContextKey : key for user context
	UserContextKey = "user"
)

// If you want to keep login cookies between restarts you need to make these permanent
var cookieHandler = securecookie.New(
	securecookie.GenerateRandomKey(64),
	securecookie.GenerateRandomKey(32))

// DecodeCookie : Encoding & Decoding of the cookie value
func DecodeCookie(cookieValue string) (uint, error) {
	value := make(map[string]string)
	err := cookieHandler.Decode(CookieName, cookieValue, &value)
	if err != nil {
		return 0, err
	}
	timeInt, _ := strconv.ParseInt(value["t"], 10, 0)
	if timeHelper.IsExpired(time.Unix(timeInt, 0)) {
		return 0, errors.New("Cookie is expired")
	}
	ret, err := strconv.ParseUint(value["u"], 10, 0)
	return uint(ret), err
}

// EncodeCookie : Encoding of the cookie value
func EncodeCookie(userID uint) (string, error) {
	validUntil := timeHelper.FewDaysLater(7) // 1 week
	value := map[string]string{
		"u": strconv.FormatUint(uint64(userID), 10),
		"t": strconv.FormatInt(validUntil.Unix(), 10),
	}
	return cookieHandler.Encode(CookieName, value)
}

// ClearCookie : Erase cookie session
func ClearCookie(w http.ResponseWriter) (int, error) {
	cookie := &http.Cookie{
		Name:     CookieName,
		Value:    "",
		Path:     "/",
		HttpOnly: true,
		MaxAge:   -1,
	}
	http.SetCookie(w, cookie)
	return http.StatusOK, nil
}

// SetCookieHandler sets the authentication cookie
func SetCookieHandler(w http.ResponseWriter, r *http.Request, email string, pass string) (int, error) {
	if email == "" || pass == "" {
		return http.StatusNotFound, errors.New("No username/password entered")
	}

	var user model.User
	messages := msg.GetMessages(r)
	// search by email or username
	isValidEmail := formStruct.EmailValidation(email, messages)
	if isValidEmail {
		if db.ORM.Where("email = ?", email).First(&user).RecordNotFound() {
			return http.StatusNotFound, errors.New("User not found")
		}
	} else {
		if db.ORM.Where("username = ?", email).First(&user).RecordNotFound() {
			return http.StatusNotFound, errors.New("User not found")
		}
	}
	err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(pass))
	if err != nil {
		return http.StatusUnauthorized, errors.New("Password incorrect")
	}
	if user.IsBanned() {
		return http.StatusUnauthorized, errors.New("Account banned")
	}

	encoded, err := EncodeCookie(user.ID)
	if err != nil {
		return http.StatusInternalServerError, err
	}
	cookie := &http.Cookie{
		Name:     CookieName,
		Value:    encoded,
		Path:     "/",
		HttpOnly: true,
	}
	http.SetCookie(w, cookie)
	// also set response header for convenience
	w.Header().Set("X-Auth-Token", encoded)
	return http.StatusOK, nil
}

// RegisterHanderFromForm sets cookie from a RegistrationForm.
func RegisterHanderFromForm(w http.ResponseWriter, r *http.Request, registrationForm formStruct.RegistrationForm) (int, error) {
	username := registrationForm.Username // email isn't set at this point
	pass := registrationForm.Password
	return SetCookieHandler(w, r, username, pass)
}

// RegisterHandler sets a cookie when user registered.
func RegisterHandler(w http.ResponseWriter, r *http.Request) (int, error) {
	var registrationForm formStruct.RegistrationForm
	modelHelper.BindValueForm(&registrationForm, r)
	return RegisterHanderFromForm(w, r, registrationForm)
}

// CurrentUser determines the current user from the request or context
func CurrentUser(r *http.Request) (model.User, error) {
	var user model.User
	var encoded string

	encoded = r.Header.Get("X-Auth-Token")
	if len(encoded) == 0 {
		// check cookie instead
		cookie, err := r.Cookie(CookieName)
		if err != nil {
			return user, err
		}
		encoded = cookie.Value
	}
	userID, err := DecodeCookie(encoded)
	if err != nil {
		return user, err
	}

	userFromContext := getUserFromContext(r)

	if userFromContext.ID > 0 && userID == userFromContext.ID {
		user = userFromContext
	} else {
		if db.ORM.Preload("Notifications").Where("user_id = ?", userID).First(&user).RecordNotFound() { // We only load unread notifications
			return user, errors.New("User not found")
		}
		setUserToContext(r, user)
	}

	if user.IsBanned() {
		// recheck as user might've been banned in the meantime
		return user, errors.New("Account banned")
	}
	return user, nil
}

func getUserFromContext(r *http.Request) model.User {
	if rv := context.Get(r, UserContextKey); rv != nil {
		return rv.(model.User)
	}
	return model.User{}
}
func setUserToContext(r *http.Request, val model.User) {
	context.Set(r, UserContextKey, val)
}
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`package userService`

			`import (`
			`"errors"`
Golint friendly next (#756) * Gofmt friendly Keeping Go source code in line with what they preconize * Golint Friendly Next So I have made some variables unexported Added comments in every function that I know what it does Removed some deprecated stuff that I was sure of Added a comment on possible deprecated methods "Is it deprecated?" Changed some variable/method name according to golint recommendations * Update filelist.go 2017-05-26 12:12:52 +02:00			`"net/http"`
			`"strconv"`
			`"time"`

finish repo transfer 2017-05-17 07:58:40 +02:00			`"github.com/NyaaPantsu/nyaa/db"`
			`"github.com/NyaaPantsu/nyaa/model"`
			`formStruct "github.com/NyaaPantsu/nyaa/service/user/form"`
wiiiip 2017-05-21 20:20:40 +02:00			`msg "github.com/NyaaPantsu/nyaa/util/messages"`
finish repo transfer 2017-05-17 07:58:40 +02:00			`"github.com/NyaaPantsu/nyaa/util/modelHelper"`
			`"github.com/NyaaPantsu/nyaa/util/timeHelper"`
Added multi action on torrents 2017-05-20 13:45:15 +02:00			`"github.com/gorilla/context"`
Better DB error handling 2017-05-09 19:23:21 +02:00			`"github.com/gorilla/securecookie"`
			`"golang.org/x/crypto/bcrypt"`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`)`

Added multi action on torrents 2017-05-20 13:45:15 +02:00			`const (`
Golint friendly next (#756) * Gofmt friendly Keeping Go source code in line with what they preconize * Golint Friendly Next So I have made some variables unexported Added comments in every function that I know what it does Removed some deprecated stuff that I was sure of Added a comment on possible deprecated methods "Is it deprecated?" Changed some variable/method name according to golint recommendations * Update filelist.go 2017-05-26 12:12:52 +02:00			`// CookieName : Name of cookie`
			`CookieName = "session"`
			`// UserContextKey : key for user context`
Added multi action on torrents 2017-05-20 13:45:15 +02:00			`UserContextKey = "user"`
go fmt all the code 2017-05-24 09:11:13 +02:00			`)`
Stateless cookie auth 2017-05-12 12:40:31 +02:00
			`// If you want to keep login cookies between restarts you need to make these permanent`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`var cookieHandler = securecookie.New(`
			`securecookie.GenerateRandomKey(64),`
			`securecookie.GenerateRandomKey(32))`

Golint friendly next (#756) * Gofmt friendly Keeping Go source code in line with what they preconize * Golint Friendly Next So I have made some variables unexported Added comments in every function that I know what it does Removed some deprecated stuff that I was sure of Added a comment on possible deprecated methods "Is it deprecated?" Changed some variable/method name according to golint recommendations * Update filelist.go 2017-05-26 12:12:52 +02:00			`// DecodeCookie : Encoding & Decoding of the cookie value`
			`func DecodeCookie(cookieValue string) (uint, error) {`
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`value := make(map[string]string)`
Golint friendly next (#756) * Gofmt friendly Keeping Go source code in line with what they preconize * Golint Friendly Next So I have made some variables unexported Added comments in every function that I know what it does Removed some deprecated stuff that I was sure of Added a comment on possible deprecated methods "Is it deprecated?" Changed some variable/method name according to golint recommendations * Update filelist.go 2017-05-26 12:12:52 +02:00			`err := cookieHandler.Decode(CookieName, cookieValue, &value)`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`if err != nil {`
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`return 0, err`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`}`
Golint friendly next (#756) * Gofmt friendly Keeping Go source code in line with what they preconize * Golint Friendly Next So I have made some variables unexported Added comments in every function that I know what it does Removed some deprecated stuff that I was sure of Added a comment on possible deprecated methods "Is it deprecated?" Changed some variable/method name according to golint recommendations * Update filelist.go 2017-05-26 12:12:52 +02:00			`timeInt, _ := strconv.ParseInt(value["t"], 10, 0)`
			`if timeHelper.IsExpired(time.Unix(timeInt, 0)) {`
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`return 0, errors.New("Cookie is expired")`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`}`
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`ret, err := strconv.ParseUint(value["u"], 10, 0)`
			`return uint(ret), err`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`}`

Golint friendly next (#756) * Gofmt friendly Keeping Go source code in line with what they preconize * Golint Friendly Next So I have made some variables unexported Added comments in every function that I know what it does Removed some deprecated stuff that I was sure of Added a comment on possible deprecated methods "Is it deprecated?" Changed some variable/method name according to golint recommendations * Update filelist.go 2017-05-26 12:12:52 +02:00			`// EncodeCookie : Encoding of the cookie value`
			`func EncodeCookie(userID uint) (string, error) {`
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`validUntil := timeHelper.FewDaysLater(7) // 1 week`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`value := map[string]string{`
Golint friendly next (#756) * Gofmt friendly Keeping Go source code in line with what they preconize * Golint Friendly Next So I have made some variables unexported Added comments in every function that I know what it does Removed some deprecated stuff that I was sure of Added a comment on possible deprecated methods "Is it deprecated?" Changed some variable/method name according to golint recommendations * Update filelist.go 2017-05-26 12:12:52 +02:00			`"u": strconv.FormatUint(uint64(userID), 10),`
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`"t": strconv.FormatInt(validUntil.Unix(), 10),`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`}`
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`return cookieHandler.Encode(CookieName, value)`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`}`

Golint friendly next (#756) * Gofmt friendly Keeping Go source code in line with what they preconize * Golint Friendly Next So I have made some variables unexported Added comments in every function that I know what it does Removed some deprecated stuff that I was sure of Added a comment on possible deprecated methods "Is it deprecated?" Changed some variable/method name according to golint recommendations * Update filelist.go 2017-05-26 12:12:52 +02:00			`// ClearCookie : Erase cookie session`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`func ClearCookie(w http.ResponseWriter) (int, error) {`
			`cookie := &http.Cookie{`
finish repo transfer 2017-05-17 07:58:40 +02:00			`Name: CookieName,`
			`Value: "",`
			`Path: "/",`
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`HttpOnly: true,`
finish repo transfer 2017-05-17 07:58:40 +02:00			`MaxAge: -1,`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`}`
			`http.SetCookie(w, cookie)`
			`return http.StatusOK, nil`
			`}`

Stateless cookie auth 2017-05-12 12:40:31 +02:00			`// SetCookieHandler sets the authentication cookie`
wiiiip 2017-05-21 20:20:40 +02:00			`func SetCookieHandler(w http.ResponseWriter, r *http.Request, email string, pass string) (int, error) {`
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`if email == "" \|\| pass == "" {`
			`return http.StatusNotFound, errors.New("No username/password entered")`
			`}`

			`var user model.User`
wiiiip 2017-05-21 20:20:40 +02:00			`messages := msg.GetMessages(r)`
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`// search by email or username`
Fix #679 Parsing template.HTML into string and then use Sprintf make a bug. 2017-05-22 10:15:18 +02:00			`isValidEmail := formStruct.EmailValidation(email, messages)`
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`if isValidEmail {`
			`if db.ORM.Where("email = ?", email).First(&user).RecordNotFound() {`
			`return http.StatusNotFound, errors.New("User not found")`
Revert "Stateless cookies (#372)" This reverts commit 2f06fb8fa1403e127e7024d69138a589eaca0d53. 2017-05-12 08:42:15 +02:00			`}`
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`} else {`
			`if db.ORM.Where("username = ?", email).First(&user).RecordNotFound() {`
			`return http.StatusNotFound, errors.New("User not found")`
Revert "Stateless cookies (#372)" This reverts commit 2f06fb8fa1403e127e7024d69138a589eaca0d53. 2017-05-12 08:42:15 +02:00			`}`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`}`
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(pass))`
			`if err != nil {`
			`return http.StatusUnauthorized, errors.New("Password incorrect")`
			`}`
Fix bug, remove literals (#629) * Use ModeratorDir variable * Rename cookieHelper to cookie_helper for consistency * Use named constant instead of literals * Fix ability to upload when uploads are disabled The old code let people upload under the right conditions when uploads were disabled. (ie: User is banned and config.AdminAreStillAllowedTo is false) * Increase timeout (fixes #517) * Fix inconsistent indentation .{js, css} (fix #583) Fix negative page Temporary fix. The issue was that going to a negative page caused the sql query to have a negative offset. This caused an error in the database query. We need to cleanup this code, but this will work for now. * Fix wrong PG_DATA directory due to upgrade to 9.6 * Add server status link to FAQ * Fix failing tests * Clarify group_vars/all and hosts doc * Add a wrapper to protect /mod route * Fix login page not showing form errors 2017-05-20 01:10:16 +02:00			`if user.IsBanned() {`
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`return http.StatusUnauthorized, errors.New("Account banned")`
			`}`

			`encoded, err := EncodeCookie(user.ID)`
			`if err != nil {`
			`return http.StatusInternalServerError, err`
			`}`
			`cookie := &http.Cookie{`
finish repo transfer 2017-05-17 07:58:40 +02:00			`Name: CookieName,`
			`Value: encoded,`
			`Path: "/",`
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`HttpOnly: true,`
			`}`
			`http.SetCookie(w, cookie)`
			`// also set response header for convenience`
			`w.Header().Set("X-Auth-Token", encoded)`
			`return http.StatusOK, nil`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`}`

			`// RegisterHanderFromForm sets cookie from a RegistrationForm.`
wiiiip 2017-05-21 20:20:40 +02:00			`func RegisterHanderFromForm(w http.ResponseWriter, r *http.Request, registrationForm formStruct.RegistrationForm) (int, error) {`
Make email verification work correctly Previously the email was set before it had been verified, which was very wrong. 2017-05-10 21:16:30 +02:00			`username := registrationForm.Username // email isn't set at this point`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`pass := registrationForm.Password`
wiiiip 2017-05-21 20:20:40 +02:00			`return SetCookieHandler(w, r, username, pass)`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`}`

			`// RegisterHandler sets a cookie when user registered.`
			`func RegisterHandler(w http.ResponseWriter, r *http.Request) (int, error) {`
Added User Registration View Moved public files in public folder 2017-05-07 00:10:40 +02:00			`var registrationForm formStruct.RegistrationForm`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`modelHelper.BindValueForm(&registrationForm, r)`
wiiiip 2017-05-21 20:20:40 +02:00			`return RegisterHanderFromForm(w, r, registrationForm)`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`}`

Added multi action on torrents 2017-05-20 13:45:15 +02:00			`// CurrentUser determines the current user from the request or context`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`func CurrentUser(r *http.Request) (model.User, error) {`
			`var user model.User`
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`var encoded string`
Removing debug fmt 2017-05-24 00:23:50 +02:00
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`encoded = r.Header.Get("X-Auth-Token")`
			`if len(encoded) == 0 {`
			`// check cookie instead`
			`cookie, err := r.Cookie(CookieName)`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`if err != nil {`
			`return user, err`
			`}`
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`encoded = cookie.Value`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`}`
Golint friendly next (#756) * Gofmt friendly Keeping Go source code in line with what they preconize * Golint Friendly Next So I have made some variables unexported Added comments in every function that I know what it does Removed some deprecated stuff that I was sure of Added a comment on possible deprecated methods "Is it deprecated?" Changed some variable/method name according to golint recommendations * Update filelist.go 2017-05-26 12:12:52 +02:00			`userID, err := DecodeCookie(encoded)`
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`if err != nil {`
			`return user, err`
			`}`
Added multi action on torrents 2017-05-20 13:45:15 +02:00
			`userFromContext := getUserFromContext(r)`

Golint friendly next (#756) * Gofmt friendly Keeping Go source code in line with what they preconize * Golint Friendly Next So I have made some variables unexported Added comments in every function that I know what it does Removed some deprecated stuff that I was sure of Added a comment on possible deprecated methods "Is it deprecated?" Changed some variable/method name according to golint recommendations * Update filelist.go 2017-05-26 12:12:52 +02:00			`if userFromContext.ID > 0 && userID == userFromContext.ID {`
Added multi action on torrents 2017-05-20 13:45:15 +02:00			`user = userFromContext`
			`} else {`
Golint friendly next (#756) * Gofmt friendly Keeping Go source code in line with what they preconize * Golint Friendly Next So I have made some variables unexported Added comments in every function that I know what it does Removed some deprecated stuff that I was sure of Added a comment on possible deprecated methods "Is it deprecated?" Changed some variable/method name according to golint recommendations * Update filelist.go 2017-05-26 12:12:52 +02:00			`if db.ORM.Preload("Notifications").Where("user_id = ?", userID).First(&user).RecordNotFound() { // We only load unread notifications`
Added multi action on torrents 2017-05-20 13:45:15 +02:00			`return user, errors.New("User not found")`
			`}`
Golint friendly next (#756) * Gofmt friendly Keeping Go source code in line with what they preconize * Golint Friendly Next So I have made some variables unexported Added comments in every function that I know what it does Removed some deprecated stuff that I was sure of Added a comment on possible deprecated methods "Is it deprecated?" Changed some variable/method name according to golint recommendations * Update filelist.go 2017-05-26 12:12:52 +02:00			`setUserToContext(r, user)`
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`}`

Fix bug, remove literals (#629) * Use ModeratorDir variable * Rename cookieHelper to cookie_helper for consistency * Use named constant instead of literals * Fix ability to upload when uploads are disabled The old code let people upload under the right conditions when uploads were disabled. (ie: User is banned and config.AdminAreStillAllowedTo is false) * Increase timeout (fixes #517) * Fix inconsistent indentation .{js, css} (fix #583) Fix negative page Temporary fix. The issue was that going to a negative page caused the sql query to have a negative offset. This caused an error in the database query. We need to cleanup this code, but this will work for now. * Fix wrong PG_DATA directory due to upgrade to 9.6 * Add server status link to FAQ * Fix failing tests * Clarify group_vars/all and hosts doc * Add a wrapper to protect /mod route * Fix login page not showing form errors 2017-05-20 01:10:16 +02:00			`if user.IsBanned() {`
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`// recheck as user might've been banned in the meantime`
			`return user, errors.New("Account banned")`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`}`
Stateless cookie auth 2017-05-12 12:40:31 +02:00			`return user, nil`
User Package (WIP) Added services and utils needed 2017-05-06 21:21:39 +02:00			`}`
Added multi action on torrents 2017-05-20 13:45:15 +02:00
			`func getUserFromContext(r *http.Request) model.User {`
			`if rv := context.Get(r, UserContextKey); rv != nil {`
go fmt all the code 2017-05-24 09:11:13 +02:00			`return rv.(model.User)`
			`}`
			`return model.User{}`
Added multi action on torrents 2017-05-20 13:45:15 +02:00			`}`
			`func setUserToContext(r *http.Request, val model.User) {`
go fmt all the code 2017-05-24 09:11:13 +02:00			`context.Set(r, UserContextKey, val)`
Removing debug fmt 2017-05-24 00:23:50 +02:00			`}`