From 3abefb9adf55bdfb16fc7ca92c42f31b0419ad16 Mon Sep 17 00:00:00 2001
From: Lilleman
Date: Sun, 27 Feb 2022 17:32:30 +0100
Subject: [PATCH] Fixed internal server error for trying to login with wrong username
---
 .env_example | 2 +-
 docker-compose.yml | 6 +++---
 go.mod | 6 ------
 go.sum | 9 ---------
 src/handlers/helpers.go | 12 ++++++------
 src/handlers/post.go | 4 ++--
 tests/Dockerfile | 2 +-
 tests/test-cases/01basic.js | 30 ++++++++++++++++++++++++++++++
 8 files changed, 43 insertions(+), 28 deletions(-)
diff --git a/.env_example b/.env_example
index d5c4812..ee188a6 100644
--- a/.env_example
+++ b/.env_example
@@ -1,4 +1,4 @@
 ADMIN_API_KEY=changeMe
-DATABASE_URL="postgresql://postgres:postgres@127.0.0.1:5432/auth"
+DATABASE_URL=postgres://postgres:puIleHgcpsvDr360ttUo@postgres:5432/auth?sslmode=disable
 JWT_SHARED_SECRET=changeMe
 WEB_BIND_HOST=":4000"
\ No newline at end of file
diff --git a/docker-compose.yml b/docker-compose.yml
index 0500920..21265ac 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -5,7 +5,7 @@ services:
 image: postgres:14.2-alpine3.15
 environment:
 - POSTGRES_USER=postgres
- - POSTGRES_PASSWORD=postgres
+ - POSTGRES_PASSWORD=puIleHgcpsvDr360ttUo
 - POSTGRES_DB=auth
 
 db-migrations:
@@ -13,7 +13,7 @@ services:
 context: .
 dockerfile: Dockerfile.migrations
 environment:
- - DATABASE_URL=postgres://postgres:postgres@postgres:5432/auth?sslmode=disable
+ - DATABASE_URL=postgres://postgres:puIleHgcpsvDr360ttUo@postgres:5432/auth?sslmode=disable
 command: ["--wait", "up"]
 profiles: ["migrations"]
 depends_on:
@@ -23,7 +23,7 @@ services:
 build: .
 environment:
 - ADMIN_API_KEY=hihi
- - DATABASE_URL=postgres://postgres:postgres@postgres:5432/auth?sslmode=disable
+ - DATABASE_URL=postgres://postgres:puIleHgcpsvDr360ttUo@postgres:5432/auth?sslmode=disable
 - JWT_SHARED_SECRET=hihi
 - WEB_BIND_HOST=:4000
 depends_on:
diff --git a/go.mod b/go.mod
index ecc027f..0937b9f 100644
--- a/go.mod
+++ b/go.mod
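Review bot: The `.env_example` hunk replaces the obvious placeholder `postgres` with what looks like a generated credential, `puIleHgcpsvDr360ttUo`, and the same value is committed three more times in the docker-compose.yml hunks (POSTGRES_PASSWORD and both DATABASE_URL entries). Anything that lands in git history has to be treated as public, so if this value is used on any non-local instance it should be rotated, and the example file should carry a clearly fake value or a substitution such as `DATABASE_URL=postgres://postgres:${POSTGRES_PASSWORD}@postgres:5432/auth?sslmode=disable` so a real one never needs to be committed. The example also moved from 127.0.0.1 to the compose service name `postgres` and added `sslmode=disable`, so it now only fits the compose network; a comment above the line, `# local docker-compose only: use a per-deployment secret and sslmode=require elsewhere`, would keep it from being copied into a real deployment unchanged.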
@@ -3,7 +3,6 @@ module gitea.larvit.se/pwrpln/auth-api
 go 1.17
 
 require (
- github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751
 github.com/arsmn/fiber-swagger/v2 v2.24.0
 github.com/dgrijalva/jwt-go v3.2.0+incompatible
 github.com/gofiber/fiber/v2 v2.27.0
@@ -20,8 +19,6 @@ require (
 github.com/PuerkitoBio/purell v1.1.1 // indirect
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 // indirect
 github.com/andybalholm/brotli v1.0.4 // indirect
- github.com/cpuguy83/go-md2man/v2 v2.0.1 // indirect
- github.com/ghodss/yaml v1.0.0 // indirect
 github.com/go-openapi/jsonpointer v0.19.5 // indirect
 github.com/go-openapi/jsonreference v0.19.6 // indirect
 github.com/go-openapi/spec v0.20.4 // indirect
@@ -38,10 +35,7 @@ require (
 github.com/klauspost/compress v1.14.3 // indirect
 github.com/mailru/easyjson v0.7.7 // indirect
 github.com/pkg/errors v0.9.1 // indirect
- github.com/russross/blackfriday/v2 v2.1.0 // indirect
- github.com/shurcooL/sanitized_anchor_name v1.0.0 // indirect
 github.com/swaggo/files v0.0.0-20210815190702-a29dd2bc99b2 // indirect
- github.com/urfave/cli/v2 v2.3.0 // indirect
 github.com/valyala/bytebufferpool v1.0.0 // indirect
 github.com/valyala/fasthttp v1.33.0 // indirect
 github.com/valyala/tcplisten v1.0.0 // indirect
diff --git a/go.sum b/go.sum
index 2f9d6ba..66cbdfa 100644
--- a/go.sum
+++ b/go.sum
@@ -8,8 +8,6 @@ github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578 h1:d+Bc7a5rLufV
 github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/agiledragon/gomonkey/v2 v2.3.1 h1:k+UnUY0EMNYUFUAQVETGY9uUTxjMdnUkP0ARyJS1zzs=
 github.com/agiledragon/gomonkey/v2 v2.3.1/go.mod h1:ap1AmDzcVOAz1YpeJ3TCzIgstoaWLA6jbbgxfB4w2iY=
-github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751 h1:JYp7IbQjafoB+tBA3gMyHYHrpOtNuDiK/uB5uXxq5wM=
-github.com/alecthomas/template v0.0.0-20190718012654-fb15b899a751/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc=
 github.com/andybalholm/brotli v1.0.2/go.mod h1:loMXtMfwqflxFJPmdbJO0a3KNoPuLBgiu3qAvBg8x/Y=
 github.com/andybalholm/brotli v1.0.4 h1:V7DdXeJtZscaqfNuAdSRuRFzuiKlHSC/Zh3zl9qY3JY=
 github.com/andybalholm/brotli v1.0.4/go.mod h1:fO7iG3H7G2nSZ7m0zPUDn85XEX2GTukHGRSepvi9Eig=
@@ -22,8 +20,6 @@ github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMe
 github.com/coreos/go-systemd v0.0.0-20190321100706-95778dfbb74e/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/coreos/go-systemd v0.0.0-20190719114852-fd7a80b32e1f/go.mod h1:F5haX7vjVVG0kc13fIWeqUViNPyEJxv/OmvnBo0Yme4=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-github.com/cpuguy83/go-md2man/v2 v2.0.1 h1:r/myEWzV9lfsM1tFLgDyu0atFtJ1fXn261LKYj/3DxU=
-github.com/cpuguy83/go-md2man/v2 v2.0.1/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -31,7 +27,6 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM=
 github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ=
-github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
 github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
@@ -159,13 +154,10 @@ github.com/rs/xid v1.2.1/go.mod h1:+uKXf+4Djp6Md1KODXJxgGQPKngRmWyn10oCKFzNHOQ=
 github.com/rs/zerolog v1.13.0/go.mod h1:YbFCdg8HfsridGWAh22vktObvhZbQsZXe4/zB0OKkWU=
 github.com/rs/zerolog v1.15.0/go.mod h1:xYTKnLHcpfU2225ny5qZjxnj9NvkumZYjJHlAThCjNc=
 github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
-github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/satori/go.uuid v1.2.0/go.mod h1:dA0hQrYB0VpLJoorglMZABFdXlWrHn1NEOzdhQKdks0=
 github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4=
 github.com/shopspring/decimal v1.2.0 h1:abSATXmQEYyShuxI4/vyW3tV1MrKAJzCZ/0zLUXYbsQ=
 github.com/shopspring/decimal v1.2.0/go.mod h1:DKyhrW/HYNuLGql+MJL6WCR6knT2jwCFRcu2hWCYk4o=
-github.com/shurcooL/sanitized_anchor_name v1.0.0 h1:PdmoCO6wvbs+7yrJyMORt4/BmY5IYyJwS/kOiWx8mHo=
 github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc=
 github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMBDgk/93Q=
 github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
@@ -186,7 +178,6 @@ github.com/swaggo/files v0.0.0-20210815190702-a29dd2bc99b2/go.mod h1:lKJPbtWzJ9J
 github.com/swaggo/swag v1.7.8/go.mod h1:gZ+TJ2w/Ve1RwQsA2IRoSOTidHz6DX+PIG8GWvbnoLU=
 github.com/swaggo/swag v1.7.9 h1:6vCG5mm43ebDzGlZPMGYrYI4zKFfOr5kicQX8qjeDwc=
 github.com/swaggo/swag v1.7.9/go.mod h1:gZ+TJ2w/Ve1RwQsA2IRoSOTidHz6DX+PIG8GWvbnoLU=
-github.com/urfave/cli/v2 v2.3.0 h1:qph92Y649prgesehzOrQjdWyxFOp/QVM+6imKHad91M=
 github.com/urfave/cli/v2 v2.3.0/go.mod h1:LJmUH05zAU44vOAcrfzZQKsZbVcdbOG8rtL3/XcUArI=
 github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6KllzawFIhcdPw=
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
diff --git a/src/handlers/helpers.go b/src/handlers/helpers.go
index 632e933..b43624c 100644
--- a/src/handlers/helpers.go
+++ b/src/handlers/helpers.go
@@ -56,7 +56,7 @@ func (h Handlers) parseJWT(JWT string) (Claims, error) {
 return Claims{}, err
 }
 if !token.Valid {
- err := errors.New("Invalid token")
+ err := errors.New("invalid token")
 return Claims{}, err
 }
@@ -89,7 +89,7 @@ func (h Handlers) RequireAdminRole(c *fiber.Ctx) error {
 headers := h.parseHeaders(c)
 if headers["Authorization"] == "" {
- return errors.New("Authorization header is missing")
+ return errors.New("authorization header is missing")
 }
 claims, claimsErr := h.parseJWT(headers["Authorization"])
@@ -98,11 +98,11 @@ func (h Handlers) RequireAdminRole(c *fiber.Ctx) error {
 }
 if claims.AccountFields == nil {
- return errors.New("Account have no fields at all")
+ return errors.New("account have no fields at all")
 }
 if claims.AccountFields["role"] == nil {
- return errors.New("Account have no field named \"role\"")
+ return errors.New("account have no field named \"role\"")
 }
 for _, role := range claims.AccountFields["role"] {
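Review bot: In the parseJWT hunk the changed line `err := errors.New("invalid token")` declares a new `err` that shadows the function-level one returned two lines earlier (`return Claims{}, err`); nothing is lost because it is returned immediately, but `return Claims{}, errors.New("invalid token")` says the same without the shadow and without the extra variable. More broadly, every error in this hunk and in the RequireAdminRole / RequireAdminRoleOrAccountID hunks (including the two on the next line) is an ad-hoc `errors.New` string, and post.go in this same commit has to compare error text to tell cases apart; package-level sentinels such as `var ErrInvalidToken = errors.New("invalid token")` checked with `errors.Is` would let callers branch without depending on wording that this very commit has just changed. parseJWT and RequireAdminRole both start and end outside the hunks.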
@@ -111,7 +111,7 @@ func (h Handlers) RequireAdminRole(c *fiber.Ctx) error {
 }
 }
- return errors.New("No \"admin\" role found on account")
+ return errors.New("no \"admin\" role found on account")
 }
 // RequireAdminRoleOrAccountID returns nil if no error is found
@@ -119,7 +119,7 @@ func (h Handlers) RequireAdminRoleOrAccountID(c *fiber.Ctx, accountID string) er
 headers := h.parseHeaders(c)
 if headers["Authorization"] == "" {
- return errors.New("Authorization header is missing")
+ return errors.New("authorization header is missing")
 }
 claims, claimsErr := h.parseJWT(headers["Authorization"])
diff --git a/src/handlers/post.go b/src/handlers/post.go
index 895c163..4b4d0f5 100644
--- a/src/handlers/post.go
+++ b/src/handlers/post.go
@@ -141,14 +141,14 @@ func (h Handlers) AccountAuthPassword(c *fiber.Ctx) error {
 resolvedAccount, err := h.Db.AccountGet("", "", authInput.Name)
 if err != nil {
- if err.Error() == "No account found" {
+ if err.Error() == "no rows in result set" {
 return c.Status(403).JSON([]ResJSONError{{Error: "Invalid name or password"}})
 }
 return c.Status(500).JSON([]ResJSONError{{Error: err.Error()}})
 }
- if utils.CheckPasswordHash(authInput.Password, resolvedAccount.Password) == false {
+ if !utils.CheckPasswordHash(authInput.Password, resolvedAccount.Password) {
 return c.Status(403).JSON([]ResJSONError{{Error: "Invalid name or password"}})
 }
diff --git a/tests/Dockerfile b/tests/Dockerfile
index 9d25bc4..938462c 100644
--- a/tests/Dockerfile
+++ b/tests/Dockerfile
@@ -1,4 +1,4 @@
-FROM node:16.8.0-slim
+FROM node:17.6.0-alpine3.15
 WORKDIR /srv
diff --git a/tests/test-cases/01basic.js b/tests/test-cases/01basic.js
index 408e3d2..4907acf 100644
--- a/tests/test-cases/01basic.js
+++ b/tests/test-cases/01basic.js
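Review bot: `if err.Error() == "no rows in result set" {` in the AccountAuthPassword hunk fixes the symptom by matching the database driver's exact message, which is the same fragility that produced the 500 in the first place: any wrapping inside AccountGet (`fmt.Errorf("...: %w", err)`) or a driver upgrade silently turns a wrong username back into a 500. AccountGet should translate the driver's not-found error into a sentinel the package owns, e.g. `var ErrAccountNotFound = errors.New("account not found")`, so that this line becomes `if errors.Is(err, ErrAccountNotFound) {`. Two further points in the same hunk: the 500 branch still returns `err.Error()` verbatim to the client, which exposes database and driver internals, so log it server-side and send a fixed message, `return c.Status(500).JSON([]ResJSONError{{Error: "internal server error"}})`; and because the unknown-name path answers before any hash check while the known-name path runs CheckPasswordHash, the two 403s take measurably different time, which is a known username-enumeration signal — running CheckPasswordHash against a fixed dummy hash on the not-found path keeps them comparable. The function starts and ends outside the hunk.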
@@ -110,6 +110,36 @@ test('test-cases/01basic.js: Auth by username and password', async t => {
 t.equal(userJWT.accountName, userName, 'The verified account name should match the created user');
 });
+test('test-cases/01basic.js: Auth by username and wrong password', async t => {
+ try {
+ await got.post(`${process.env.AUTH_URL}/auth/password`, {
+ json: {
+ name: userName,
+ password: 'isWrong',
+ },
+ responseType: 'json',
+ });
+ t.fail('Trying to login with wrong password should fail with a 403');
+ } catch(err) {
+ t.equal(err.message, 'Response code 403 (Forbidden)', 'Trying to login with wrong password should fail with a 403');
+ }
+});
+
+test('test-cases/01basic.js: Auth by wrong username', async t => {
+ try {
+ await got.post(`${process.env.AUTH_URL}/auth/password`, {
+ json: {
+ name: 'lapptomte',
+ password: 'isWrong',
+ },
+ responseType: 'json',
+ });
+ t.fail('Trying to login with wrong username should fail with a 403');
+ } catch(err) {
+ t.equal(err.message, 'Response code 403 (Forbidden)', 'Trying to login with wrong username should fail with a 403');
+ }
+});
+
 test('test-cases/01basic.js: PUT /account/{id}/fields', async t => {
 const res = await got.put(`${process.env.AUTH_URL}/account/${user.id}/fields`, {
 headers: { 'Authorization': `bearer ${adminJWTString}`},
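Review bot: Both new tests pin the failure on got's human-readable `err.message` text, `'Response code 403 (Forbidden)'`, so a got upgrade that rewords it, or any non-HTTP failure such as a refused connection, fails with an unrelated string diff instead of a clear status mismatch; `t.equal(err.response && err.response.statusCode, 403, 'Trying to login with wrong password should fail with a 403')` checks the thing the test is actually about. Since the handler is meant to answer wrong-name and wrong-password identically, it is also worth asserting in both tests that `err.response.body` is the same value (the key name follows the json tag on ResJSONError, which is not visible here), so a later change that lets the two cases be told apart is caught by the suite rather than by an outside observer.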