pomme/internal/api/auth.go

package api

import (
	"net/http"
	"time"

	"git.freecumextremist.com/grumbulon/pomme/internal"
	"github.com/go-chi/render"
	"golang.org/x/crypto/bcrypt"
	"gorm.io/gorm"
)

// Auth godoc
//
//	@Summary		authenticate as a regular user
//	@Description	login to Pomme
//
//	@Description	Rate limited: 5 requests every 5 second
//
//	@Tags			accounts
//	@Accept			json
//	@Produce		json
//	@Param			username	query		string	true	"Username"
//	@Param			password	query		string	true	"Password"
//	@Success		200			{object}	internal.GenericResponse[internal.Response]
//	@failure		401			{object}	internal.GenericResponse[internal.Response] "authFailed is a 401 error when logging in fails, includes realm"
//	@Router			/api/login [post]
func Login(w http.ResponseWriter, r *http.Request) {
	var result internal.User

	if _, err := r.Cookie("jwt"); err == nil {
		w.Header().Set("Content-Type", "application/json")

		resp := internal.Response{
			Message:      "Already logged in",
			HTTPResponse: http.StatusOK,
		}
		render.JSON(w, r, resp)

		return
	}

	err := r.ParseForm()
	if err != nil {
		internalServerError(w, r, "unable to parse request")

		return
	}

	username := r.Form.Get("username")

	password := r.Form.Get("password")

	if username == "" {
		internalServerError(w, r, "no username provided") // this should prob be handled by the frontend

		return
	}

	if password == "" {
		internalServerError(w, r, "no password provided") // this should prob be handled by the frontend

		return
	}

	db, ok := r.Context().Value(keyPrincipalContextID).(*gorm.DB)
	if !ok {
		internalServerError(w, r, "DB connection failed")

		return
	}

	db.Where("username = ?", username).First(&result)

	if result.Username == "" {
		authFailed(w, r, "authentication")

		return
	}

	err = bcrypt.CompareHashAndPassword([]byte(result.HashedPassword), []byte(password))

	if err != nil {
		authFailed(w, r, "authentication")

		return
	}

	token, err := makeToken(username)
	if err != nil {
		internalServerError(w, r, err.Error())

		return
	}

	http.SetCookie(w, &http.Cookie{
		HttpOnly: true,
		Expires:  time.Now().Add(1 * time.Hour),
		MaxAge:   3600,
		SameSite: http.SameSiteLaxMode,
		// Uncomment below for HTTPS:
		// Secure: true,
		Name:  "jwt", // Must be named "jwt" or else the token cannot be searched for by jwtauth.Verifier.
		Value: token,
	})

	resp := internal.Response{
		Message:      "Successfully logged in",
		HTTPResponse: http.StatusOK,
	}
	render.JSON(w, r, resp)
}

// Logout destroys a users JWT cookie.
func Logout(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, &http.Cookie{
		HttpOnly: true,
		MaxAge:   -1, // Delete the cookie.
		SameSite: http.SameSiteLaxMode,
		// Secure: true,
		Name:  "jwt",
		Value: "",
	})

	resp := internal.Response{
		Message:      "Successfully logged out",
		HTTPResponse: http.StatusOK,
	}
	render.JSON(w, r, resp)
}