memos/server/auth.go

package server

import (
	"encoding/json"
	"fmt"
	"net/http"

	"github.com/usememos/memos/api"
	"github.com/usememos/memos/common"
	metric "github.com/usememos/memos/plugin/metrics"

	"github.com/labstack/echo/v4"
	"golang.org/x/crypto/bcrypt"
)

func (s *Server) registerAuthRoutes(g *echo.Group) {
	g.POST("/auth/signin", func(c echo.Context) error {
		ctx := c.Request().Context()
		signin := &api.Signin{}
		if err := json.NewDecoder(c.Request().Body).Decode(signin); err != nil {
			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted signin request").SetInternal(err)
		}

		userFind := &api.UserFind{
			Username: &signin.Username,
		}
		user, err := s.Store.FindUser(ctx, userFind)
		if err != nil && common.ErrorCode(err) != common.NotFound {
			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find user by username %s", signin.Username)).SetInternal(err)
		}
		if user == nil {
			return echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("User not found with username %s", signin.Username))
		} else if user.RowStatus == api.Archived {
			return echo.NewHTTPError(http.StatusForbidden, fmt.Sprintf("User has been archived with username %s", signin.Username))
		}

		// Compare the stored hashed password, with the hashed version of the password that was received.
		if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(signin.Password)); err != nil {
			// If the two passwords don't match, return a 401 status.
			return echo.NewHTTPError(http.StatusUnauthorized, "Incorrect password").SetInternal(err)
		}

		if err = setUserSession(c, user); err != nil {
			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to set signin session").SetInternal(err)
		}
		s.Collector.Collect(ctx, &metric.Metric{
			Name: "user signed in",
		})

		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(user)); err != nil {
			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode user response").SetInternal(err)
		}
		return nil
	})

	g.POST("/auth/logout", func(c echo.Context) error {
		ctx := c.Request().Context()
		err := removeUserSession(c)
		if err != nil {
			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to set logout session").SetInternal(err)
		}
		s.Collector.Collect(ctx, &metric.Metric{
			Name: "user logout",
		})

		c.Response().WriteHeader(http.StatusOK)
		return nil
	})

	g.POST("/auth/signup", func(c echo.Context) error {
		ctx := c.Request().Context()
		signup := &api.Signup{}
		if err := json.NewDecoder(c.Request().Body).Decode(signup); err != nil {
			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted signup request").SetInternal(err)
		}

		hostUserType := api.Host
		hostUserFind := api.UserFind{
			Role: &hostUserType,
		}
		hostUser, err := s.Store.FindUser(ctx, &hostUserFind)
		if err != nil && common.ErrorCode(err) != common.NotFound {
			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find host user").SetInternal(err)
		}
		if signup.Role == api.Host && hostUser != nil {
			return echo.NewHTTPError(http.StatusUnauthorized, "Site Host existed, please contact the site host to signin account firstly.").SetInternal(err)
		}

		systemSettingAllowSignUpName := api.SystemSettingAllowSignUpName
		allowSignUpSetting, err := s.Store.FindSystemSetting(ctx, &api.SystemSettingFind{
			Name: &systemSettingAllowSignUpName,
		})
		if err != nil && common.ErrorCode(err) != common.NotFound {
			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting").SetInternal(err)
		}

		allowSignUpSettingValue := false
		if allowSignUpSetting != nil {
			err = json.Unmarshal([]byte(allowSignUpSetting.Value), &allowSignUpSettingValue)
			if err != nil {
				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal system setting allow signup").SetInternal(err)
			}
		}
		if !allowSignUpSettingValue && hostUser != nil {
			return echo.NewHTTPError(http.StatusUnauthorized, "Site Host existed, please contact the site host to signin account firstly.").SetInternal(err)
		}

		userCreate := &api.UserCreate{
			Username: signup.Username,
			Role:     api.Role(signup.Role),
			Nickname: signup.Username,
			Password: signup.Password,
			OpenID:   common.GenUUID(),
		}
		if err := userCreate.Validate(); err != nil {
			return echo.NewHTTPError(http.StatusBadRequest, "Invalid user create format.").SetInternal(err)
		}

		passwordHash, err := bcrypt.GenerateFromPassword([]byte(signup.Password), bcrypt.DefaultCost)
		if err != nil {
			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate password hash").SetInternal(err)
		}

		userCreate.PasswordHash = string(passwordHash)

		user, err := s.Store.CreateUser(ctx, userCreate)
		if err != nil {
			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create user").SetInternal(err)
		}
		s.Collector.Collect(ctx, &metric.Metric{
			Name: "user signed up",
		})

		err = setUserSession(c, user)
		if err != nil {
			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to set signup session").SetInternal(err)
		}

		c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
		if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(user)); err != nil {
			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode created user response").SetInternal(err)
		}
		return nil
	})
}
refactor: backend 2022-02-03 15:32:03 +08:00			`package server`

			`import (`
chore(go): use `json` instead of `jsonapi` 2022-02-04 16:51:48 +08:00			`"encoding/json"`
refactor: backend 2022-02-03 15:32:03 +08:00			`"fmt"`
			`"net/http"`

chore: rename module 2022-06-27 22:09:06 +08:00			`"github.com/usememos/memos/api"`
			`"github.com/usememos/memos/common"`
feat: add metric plugin (#361) 2022-10-29 11:15:39 +08:00			`metric "github.com/usememos/memos/plugin/metrics"`
chore: rename module 2022-06-27 22:09:06 +08:00
refactor: backend 2022-02-03 15:32:03 +08:00			`"github.com/labstack/echo/v4"`
feat: user hash password 2022-02-06 16:19:20 +08:00			`"golang.org/x/crypto/bcrypt"`
refactor: backend 2022-02-03 15:32:03 +08:00			`)`

			`func (s Server) registerAuthRoutes(g echo.Group) {`
refactor: visitor view (#107) * refactor: update api * refactor: visitor view * chore: update seed data 2022-07-07 23:11:20 +08:00			`g.POST("/auth/signin", func(c echo.Context) error {`
chore: use `tx` for user store 2022-08-07 09:23:46 +08:00			`ctx := c.Request().Context()`
refactor: visitor view (#107) * refactor: update api * refactor: visitor view * chore: update seed data 2022-07-07 23:11:20 +08:00			`signin := &api.Signin{}`
			`if err := json.NewDecoder(c.Request().Body).Decode(signin); err != nil {`
			`return echo.NewHTTPError(http.StatusBadRequest, "Malformatted signin request").SetInternal(err)`
refactor: backend 2022-02-03 15:32:03 +08:00			`}`

			`userFind := &api.UserFind{`
feat: add username field (#544) * feat: add username field * chore: update 2022-11-23 22:27:21 +08:00			`Username: &signin.Username,`
refactor: backend 2022-02-03 15:32:03 +08:00			`}`
chore: use `tx` for user store 2022-08-07 09:23:46 +08:00			`user, err := s.Store.FindUser(ctx, userFind)`
chore: release `v0.4.3` 2022-09-09 20:00:04 +08:00			`if err != nil && common.ErrorCode(err) != common.NotFound {`
feat: add username field (#544) * feat: add username field * chore: update 2022-11-23 22:27:21 +08:00			`return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find user by username %s", signin.Username)).SetInternal(err)`
refactor: backend 2022-02-03 15:32:03 +08:00			`}`
			`if user == nil {`
feat: add username field (#544) * feat: add username field * chore: update 2022-11-23 22:27:21 +08:00			`return echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("User not found with username %s", signin.Username))`
refactor: raw struct for store 2022-05-19 18:32:04 +08:00			`} else if user.RowStatus == api.Archived {`
feat: add username field (#544) * feat: add username field * chore: update 2022-11-23 22:27:21 +08:00			`return echo.NewHTTPError(http.StatusForbidden, fmt.Sprintf("User has been archived with username %s", signin.Username))`
refactor: backend 2022-02-03 15:32:03 +08:00			`}`

feat: user hash password 2022-02-06 16:19:20 +08:00			`// Compare the stored hashed password, with the hashed version of the password that was received.`
refactor: visitor view (#107) * refactor: update api * refactor: visitor view * chore: update seed data 2022-07-07 23:11:20 +08:00			`if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(signin.Password)); err != nil {`
feat: user hash password 2022-02-06 16:19:20 +08:00			`// If the two passwords don't match, return a 401 status.`
			`return echo.NewHTTPError(http.StatusUnauthorized, "Incorrect password").SetInternal(err)`
refactor: backend 2022-02-03 15:32:03 +08:00			`}`

chore: clean server 2022-03-29 00:01:34 +08:00			`if err = setUserSession(c, user); err != nil {`
refactor: visitor view (#107) * refactor: update api * refactor: visitor view * chore: update seed data 2022-07-07 23:11:20 +08:00			`return echo.NewHTTPError(http.StatusInternalServerError, "Failed to set signin session").SetInternal(err)`
fix: get&set session 2022-02-04 00:56:44 +08:00			`}`
feat: add metric plugin (#361) 2022-10-29 11:15:39 +08:00			`s.Collector.Collect(ctx, &metric.Metric{`
			`Name: "user signed in",`
			`})`
fix: get&set session 2022-02-04 00:56:44 +08:00
refactor: backend 2022-02-03 15:32:03 +08:00			`c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)`
feat: compose response data 2022-02-04 17:06:04 +08:00			`if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(user)); err != nil {`
chore: address comments 2022-02-05 11:43:25 +08:00			`return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode user response").SetInternal(err)`
refactor: backend 2022-02-03 15:32:03 +08:00			`}`
			`return nil`
			`})`
chore: format server code 2022-02-18 22:21:10 +08:00
refactor: backend 2022-02-03 15:32:03 +08:00			`g.POST("/auth/logout", func(c echo.Context) error {`
feat: add metric plugin (#361) 2022-10-29 11:15:39 +08:00			`ctx := c.Request().Context()`
fix: get&set session 2022-02-04 00:56:44 +08:00			`err := removeUserSession(c)`
			`if err != nil {`
			`return echo.NewHTTPError(http.StatusInternalServerError, "Failed to set logout session").SetInternal(err)`
			`}`
feat: add metric plugin (#361) 2022-10-29 11:15:39 +08:00			`s.Collector.Collect(ctx, &metric.Metric{`
			`Name: "user logout",`
			`})`
refactor: backend 2022-02-03 15:32:03 +08:00
			`c.Response().WriteHeader(http.StatusOK)`
			`return nil`
			`})`
chore: format server code 2022-02-18 22:21:10 +08:00
refactor: backend 2022-02-03 15:32:03 +08:00			`g.POST("/auth/signup", func(c echo.Context) error {`
chore: use `tx` for user store 2022-08-07 09:23:46 +08:00			`ctx := c.Request().Context()`
feat: add system setting to allow user signup (#407) 2022-11-03 21:47:36 +08:00			`signup := &api.Signup{}`
			`if err := json.NewDecoder(c.Request().Body).Decode(signup); err != nil {`
			`return echo.NewHTTPError(http.StatusBadRequest, "Malformatted signup request").SetInternal(err)`
			`}`

chore: rename user role (#108) * chore: rename user role to `host` * chore: related frontend changes * chore: fix migration file * chore: use tricky sql 2022-07-08 22:16:18 +08:00			`hostUserType := api.Host`
			`hostUserFind := api.UserFind{`
			`Role: &hostUserType,`
feat: add user role field (#49) * feat: add user role field * chore: fix typo * feat: update signup api 2022-05-15 10:57:54 +08:00			`}`
chore: use `tx` for user store 2022-08-07 09:23:46 +08:00			`hostUser, err := s.Store.FindUser(ctx, &hostUserFind)`
chore: release `v0.4.3` 2022-09-09 20:00:04 +08:00			`if err != nil && common.ErrorCode(err) != common.NotFound {`
chore: rename user role (#108) * chore: rename user role to `host` * chore: related frontend changes * chore: fix migration file * chore: use tricky sql 2022-07-08 22:16:18 +08:00			`return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find host user").SetInternal(err)`
feat: add user role field (#49) * feat: add user role field * chore: fix typo * feat: update signup api 2022-05-15 10:57:54 +08:00			`}`
feat: add system setting to allow user signup (#407) 2022-11-03 21:47:36 +08:00			`if signup.Role == api.Host && hostUser != nil {`
chore: rename user role (#108) * chore: rename user role to `host` * chore: related frontend changes * chore: fix migration file * chore: use tricky sql 2022-07-08 22:16:18 +08:00			`return echo.NewHTTPError(http.StatusUnauthorized, "Site Host existed, please contact the site host to signin account firstly.").SetInternal(err)`
feat: add user role field (#49) * feat: add user role field * chore: fix typo * feat: update signup api 2022-05-15 10:57:54 +08:00			`}`

feat: add system setting to allow user signup (#407) 2022-11-03 21:47:36 +08:00			`systemSettingAllowSignUpName := api.SystemSettingAllowSignUpName`
			`allowSignUpSetting, err := s.Store.FindSystemSetting(ctx, &api.SystemSettingFind{`
			`Name: &systemSettingAllowSignUpName,`
			`})`
			`if err != nil && common.ErrorCode(err) != common.NotFound {`
			`return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting").SetInternal(err)`
			`}`

			`allowSignUpSettingValue := false`
			`if allowSignUpSetting != nil {`
			`err = json.Unmarshal([]byte(allowSignUpSetting.Value), &allowSignUpSettingValue)`
			`if err != nil {`
			`return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal system setting allow signup").SetInternal(err)`
			`}`
			`}`
			`if !allowSignUpSettingValue && hostUser != nil {`
			`return echo.NewHTTPError(http.StatusUnauthorized, "Site Host existed, please contact the site host to signin account firstly.").SetInternal(err)`
refactor: backend 2022-02-03 15:32:03 +08:00			`}`

chore: update user create validator 2022-08-20 21:03:15 +08:00			`userCreate := &api.UserCreate{`
feat: add username field (#544) * feat: add username field * chore: update 2022-11-23 22:27:21 +08:00			`Username: signup.Username,`
chore: update user create validator 2022-08-20 21:03:15 +08:00			`Role: api.Role(signup.Role),`
feat: add username field (#544) * feat: add username field * chore: update 2022-11-23 22:27:21 +08:00			`Nickname: signup.Username,`
chore: update user create validator 2022-08-20 21:03:15 +08:00			`Password: signup.Password,`
			`OpenID: common.GenUUID(),`
feat: add user role field (#49) * feat: add user role field * chore: fix typo * feat: update signup api 2022-05-15 10:57:54 +08:00			`}`
chore: update user create validator 2022-08-20 21:03:15 +08:00			`if err := userCreate.Validate(); err != nil {`
			`return echo.NewHTTPError(http.StatusBadRequest, "Invalid user create format.").SetInternal(err)`
feat: user hash password 2022-02-06 16:19:20 +08:00			`}`

			`passwordHash, err := bcrypt.GenerateFromPassword([]byte(signup.Password), bcrypt.DefaultCost)`
			`if err != nil {`
			`return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate password hash").SetInternal(err)`
			`}`

chore: update user create validator 2022-08-20 21:03:15 +08:00			`userCreate.PasswordHash = string(passwordHash)`

chore: use `tx` for user store 2022-08-07 09:23:46 +08:00			`user, err := s.Store.CreateUser(ctx, userCreate)`
refactor: backend 2022-02-03 15:32:03 +08:00			`if err != nil {`
			`return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create user").SetInternal(err)`
			`}`
feat: add metric plugin (#361) 2022-10-29 11:15:39 +08:00			`s.Collector.Collect(ctx, &metric.Metric{`
			`Name: "user signed up",`
			`})`
refactor: backend 2022-02-03 15:32:03 +08:00
fix: get&set session 2022-02-04 00:56:44 +08:00			`err = setUserSession(c, user)`
			`if err != nil {`
			`return echo.NewHTTPError(http.StatusInternalServerError, "Failed to set signup session").SetInternal(err)`
			`}`

refactor: backend 2022-02-03 15:32:03 +08:00			`c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)`
feat: compose response data 2022-02-04 17:06:04 +08:00			`if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(user)); err != nil {`
chore: address comments 2022-02-05 11:43:25 +08:00			`return echo.NewHTTPError(http.StatusInternalServerError, "Failed to encode created user response").SetInternal(err)`
refactor: backend 2022-02-03 15:32:03 +08:00			`}`
			`return nil`
			`})`
			`}`