Fixed internal server error for trying to login with wrong username

This commit is contained in:
Lilleman auf Larv 2022-02-27 17:32:30 +01:00
parent 092a3f7712
commit 3abefb9adf
8 changed files with 43 additions and 28 deletions


@ -1,4 +1,4 @@
ADMIN_API_KEY=changeMe
DATABASE_URL="postgresql://postgres:postgres@127.0.0.1:5432/auth"
DATABASE_URL=postgres://postgres:puIleHgcpsvDr360ttUo@postgres:5432/auth?sslmode=disable
JWT_SHARED_SECRET=changeMe
WEB_BIND_HOST=":4000"
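Review bot: The new DATABASE_URL value at L16 commits a literal database password into the repository, and the same value is repeated on three lines of the docker-compose section (the POSTGRES_PASSWORD line and both DATABASE_URL lines), so rotating it means editing four places and the commit history retains it regardless. Swapping the weak `postgres` password for a random-looking one does not change that the credential is checked in; prefer compose variable interpolation such as `- POSTGRES_PASSWORD=${POSTGRES_PASSWORD}` with the value supplied from an untracked env file or a secrets mechanism, and treat the committed value as development-only. The appended `?sslmode=disable` fits the compose-internal network but should not be carried into a production URL. Which file this first section belongs to is not shown on the page, so whether it is a tracked file or an example template is inferred.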


@ -5,7 +5,7 @@ services:
image: postgres:14.2-alpine3.15
environment:
- POSTGRES_USER=postgres
- POSTGRES_PASSWORD=postgres
- POSTGRES_PASSWORD=puIleHgcpsvDr360ttUo
- POSTGRES_DB=auth
db-migrations:
@ -13,7 +13,7 @@ services:
context: .
dockerfile: Dockerfile.migrations
environment:
- DATABASE_URL=postgres://postgres:postgres@postgres:5432/auth?sslmode=disable
- DATABASE_URL=postgres://postgres:puIleHgcpsvDr360ttUo@postgres:5432/auth?sslmode=disable
command: ["--wait", "up"]
profiles: ["migrations"]
depends_on:
@ -23,7 +23,7 @@ services:
build: .
environment:
- ADMIN_API_KEY=hihi
- DATABASE_URL=postgres://postgres:postgres@postgres:5432/auth?sslmode=disable
- DATABASE_URL=postgres://postgres:puIleHgcpsvDr360ttUo@postgres:5432/auth?sslmode=disable
- JWT_SHARED_SECRET=hihi
- WEB_BIND_HOST=:4000
depends_on:

6
go.mod

@ -3,7 +3,6 @@ module gitea.larvit.se/pwrpln/auth-api
go 1.17
require (
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751
github.com/arsmn/fiber-swagger/v2 v2.24.0
github.com/dgrijalva/jwt-go v3.2.0+incompatible
github.com/gofiber/fiber/v2 v2.27.0
@ -20,8 +19,6 @@ require (
github.com/PuerkitoBio/purell v1.1.1 // indirect
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
github.com/andybalholm/brotli v1.0.4 // indirect
github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
github.com/ghodss/yaml v1.0.0 // indirect
github.com/go-openapi/jsonpointer v0.19.5 // indirect
github.com/go-openapi/jsonreference v0.19.6 // indirect
github.com/go-openapi/spec v0.20.4 // indirect
@ -38,10 +35,7 @@ require (
github.com/klauspost/compress v1.14.3 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/pkg/errors v0.9.1 // indirect
github.com/russross/blackfriday/v2 v2.1.0 // indirect
github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
github.com/swaggo/files v0.0.0-20210815190702-a29dd2bc99b2 // indirect
github.com/urfave/cli/v2 v2.3.0 // indirect
github.com/valyala/bytebufferpool v1.0.0 // indirect
github.com/valyala/fasthttp v1.33.0 // indirect
github.com/valyala/tcplisten v1.0.0 // indirect

9
go.sum

@ -8,8 +8,6 @@ github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV
github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
github.com/agiledragon/gomonkey/v2 v2.3.1 h1:k+UnUY0EMNYUFUAQVETGY9uUTxjMdnUkP0ARyJS1zzs=
github.com/agiledragon/gomonkey/v2 v2.3.1/go.mod h1:ap1AmDzcVOAz1YpeJ3TCzIgstoaWLA6jbbgxfB4w2iY=
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafoB+tBA3gMyHYHrpOtNuDiK/uB5uXxq5wM=
github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
github.com/andybalholm/brotli v1.0.2/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY=
github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
@ -22,8 +20,6 @@ github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMe
github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
github.com/cpuguy83/go-md2man/v2 v2.0.1 h1:r/myEWzV9lfsM1tFLgDyu0atFtJ1fXn261LKYj/3DxU=
github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@ -31,7 +27,6 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
@ -159,13 +154,10 @@ github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc=
github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4=
github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ=
github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
@ -186,7 +178,6 @@ github.com/swaggo/files v0.0.0-20210815190702-a29dd2bc99b2/go.mod h1:lKJPbtWzJ9J
github.com/swaggo/swag v1.7.8/go.mod h1:gZ+TJ2w/Ve1RwQsA2IRoSOTidHz6DX+PIG8GWvbnoLU=
github.com/swaggo/swag v1.7.9 h1:6vCG5mm43ebDzGlZPMGYrYI4zKFfOr5kicQX8qjeDwc=
github.com/swaggo/swag v1.7.9/go.mod h1:gZ+TJ2w/Ve1RwQsA2IRoSOTidHz6DX+PIG8GWvbnoLU=
github.com/urfave/cli/v2 v2.3.0 h1:qph92Y649prgesehzOrQjdWyxFOp/QVM+6imKHad91M=
github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=


@ -56,7 +56,7 @@ func (h Handlers) parseJWT(JWT string) (Claims, error) {
return Claims{}, err
}
if !token.Valid {
err := errors.New("Invalid token")
err := errors.New("invalid token")
return Claims{}, err
}
@ -89,7 +89,7 @@ func (h Handlers) RequireAdminRole(c *fiber.Ctx) error {
headers := h.parseHeaders(c)
if headers["Authorization"] == "" {
return errors.New("Authorization header is missing")
return errors.New("authorization header is missing")
}
claims, claimsErr := h.parseJWT(headers["Authorization"])
@ -98,11 +98,11 @@ func (h Handlers) RequireAdminRole(c *fiber.Ctx) error {
}
if claims.AccountFields == nil {
return errors.New("Account have no fields at all")
return errors.New("account have no fields at all")
}
if claims.AccountFields["role"] == nil {
return errors.New("Account have no field named \"role\"")
return errors.New("account have no field named \"role\"")
}
for _, role := range claims.AccountFields["role"] {
@ -111,7 +111,7 @@ func (h Handlers) RequireAdminRole(c *fiber.Ctx) error {
}
}
return errors.New("No \"admin\" role found on account")
return errors.New("no \"admin\" role found on account")
}
// RequireAdminRoleOrAccountID returns nil if no error is found
@ -119,7 +119,7 @@ func (h Handlers) RequireAdminRoleOrAccountID(c *fiber.Ctx, accountID string) er
headers := h.parseHeaders(c)
if headers["Authorization"] == "" {
return errors.New("Authorization header is missing")
return errors.New("authorization header is missing")
}
claims, claimsErr := h.parseJWT(headers["Authorization"])
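Review bot: Lowercasing the messages does not change that RequireAdminRole and RequireAdminRoleOrAccountID return plain `errors.New` values (L148, L155, L159, L166, L173); if these are returned straight to fiber, its default error handler turns a non-`*fiber.Error` into a 500, so a missing or non-admin token surfaces as an internal server error rather than 401/403 — the same class of symptom the commit title fixes for the login path. Using `return fiber.NewError(fiber.StatusUnauthorized, "authorization header is missing")` for the header checks and `fiber.StatusForbidden` for the role checks carries the intended status to the client. Whether the app registers a custom ErrorHandler or the callers map these errors themselves is outside the hunks, so this is inferred from the signatures. Both functions' bodies start and end outside the hunks.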


@ -141,14 +141,14 @@ func (h Handlers) AccountAuthPassword(c *fiber.Ctx) error {
resolvedAccount, err := h.Db.AccountGet("", "", authInput.Name)
if err != nil {
if err.Error() == "No account found" {
if err.Error() == "no rows in result set" {
return c.Status(403).JSON([]ResJSONError{{Error: "Invalid name or password"}})
}
return c.Status(500).JSON([]ResJSONError{{Error: err.Error()}})
}
if utils.CheckPasswordHash(authInput.Password, resolvedAccount.Password) == false {
if !utils.CheckPasswordHash(authInput.Password, resolvedAccount.Password) {
return c.Status(403).JSON([]ResJSONError{{Error: "Invalid name or password"}})
}
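Review bot: The new check at L183 matches the database error by its message text, `err.Error() == "no rows in result set"`, which is the driver's wording and will silently stop matching if the driver or a wrapper changes it, reopening the 500 this commit fixes. Prefer a sentinel compared with `errors.Is`: have `h.Db.AccountGet` return (or wrap with `%w`) a package-level sentinel, say `ErrAccountNotFound`, and write `if errors.Is(err, ErrAccountNotFound)` — if the store is pgx, that text is the message of `pgx.ErrNoRows`, which can be wrapped the same way. The fallback at L186 still returns `err.Error()` to the client in the 500 body, which exposes driver and connection details; log it server-side and return a generic message. The early 403 at L184 also skips `CheckPasswordHash`, so unknown names answer measurably faster than wrong passwords — running the hash check against a fixed dummy hash on that path keeps the timing uniform. AccountAuthPassword starts and ends outside the hunk.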


@ -1,4 +1,4 @@
FROM node:16.8.0-slim
FROM node:17.6.0-alpine3.15
WORKDIR /srv


@ -110,6 +110,36 @@ test('test-cases/01basic.js: Auth by username and password', async t => {
t.equal(userJWT.accountName, userName, 'The verified account name should match the created user');
});
test('test-cases/01basic.js: Auth by username and wrong password', async t => {
try {
await got.post(`${process.env.AUTH_URL}/auth/password`, {
json: {
name: userName,
password: 'isWrong',
},
responseType: 'json',
});
t.fail('Trying to login with wrong password should fail with a 403');
} catch(err) {
t.equal(err.message, 'Response code 403 (Forbidden)', 'Trying to login with wrong password should fail with a 403');
}
});
test('test-cases/01basic.js: Auth by wrong username', async t => {
try {
await got.post(`${process.env.AUTH_URL}/auth/password`, {
json: {
name: 'lapptomte',
password: 'isWrong',
},
responseType: 'json',
});
t.fail('Trying to login with wrong username should fail with a 403');
} catch(err) {
t.equal(err.message, 'Response code 403 (Forbidden)', 'Trying to login with wrong username should fail with a 403');
}
});
test('test-cases/01basic.js: PUT /account/{id}/fields', async t => {
const res = await got.put(`${process.env.AUTH_URL}/account/${user.id}/fields`, {
headers: { 'Authorization': `bearer ${adminJWTString}`},
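Review bot: Both new tests assert on got's error message string, `t.equal(err.message, 'Response code 403 (Forbidden)', …)` (L216, L230), which couples the test to got's message formatting and gives an unhelpful failure when the server answers with a different status or the request fails for a network reason. Asserting on the status instead, `t.equal(err.response && err.response.statusCode, 403, …)`, pins what the test is actually about. The two tests are otherwise identical apart from the name and the description strings; a small helper taking the credentials and the expected description would remove the duplication. The trailing context suggests the hunk ends at the PUT /account/{id}/fields test, but the file continues past the page.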