From 3ba8903de98ae841c2c9b0a5641807257e5768af Mon Sep 17 00:00:00 2001 From: "Maurice L." Date: Fri, 27 Feb 2026 15:58:05 +0100 Subject: [PATCH] Finished login system with refresh-tokens --- handlers/account.go | 106 ++++++++++++++++++++++++++++++++++++------ models/loginmodels.go | 13 +++--- server/server.go | 2 + storage/storage.go | 78 +++++++++++++++++++++++++++++-- utils/util.go | 13 ++++++ 5 files changed, 186 insertions(+), 26 deletions(-) diff --git a/handlers/account.go b/handlers/account.go index 89323e3..ac10f96 100644 --- a/handlers/account.go +++ b/handlers/account.go @@ -2,12 +2,14 @@ package handlers import ( "encoding/json" + "log" "net/http" "os" "shap-planner-backend/auth" "shap-planner-backend/models" "shap-planner-backend/storage" "shap-planner-backend/utils" + "time" ) func Register(w http.ResponseWriter, r *http.Request) { @@ -38,7 +40,6 @@ func Register(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusCreated) } - func Login(w http.ResponseWriter, r *http.Request) { var creds struct { Username string `json:"username"` @@ -51,11 +52,13 @@ func Login(w http.ResponseWriter, r *http.Request) { user, err := storage.GetUserByUsername(creds.Username) if err != nil { + println("user " + creds.Username + " not found") http.Error(w, "Invalid credentials", http.StatusUnauthorized) return } if !auth.CheckPasswordHash(creds.Password, user.Password) { + println("invalid password") http.Error(w, "Invalid credentials", http.StatusUnauthorized) return } @@ -66,29 +69,55 @@ func Login(w http.ResponseWriter, r *http.Request) { return } - token, err := auth.GenerateJWT(user.ID, user.Role, secret) + accessToken, err := auth.GenerateJWT(user.ID, user.Role, secret) if err != nil { http.Error(w, "Could not generate token", http.StatusInternalServerError) return } - type userResp struct { - ID string `json:"id"` - Username string `json:"username"` - Role string `json:"role"` + refreshTokenPlain, err := utils.GenerateRefreshToken() + if err != nil { + http.Error(w, "could not generate refresh token", http.StatusInternalServerError) + return + } + refreshHash := utils.HashToken(refreshTokenPlain) + refreshID := utils.GenerateUUID() + refreshExpires := time.Now().Add(7 * 24 * time.Hour).Unix() // expiry: 7 days + + deviceInfo := r.Header.Get("User-Agent") + + if err := storage.AddRefreshToken(models.RefreshToken{ + ID: refreshID, + UserID: user.ID, + Token: refreshHash, + ExpiresAt: refreshExpires, + DeviceInfo: deviceInfo, + CreatedAt: time.Now().Unix(), + Revoked: false, + }); err != nil { + http.Error(w, "could not save refresh token", http.StatusInternalServerError) + return + } + + // Return access + refresh token (refresh in plain for client to store securely) + resp := map[string]interface{}{ + "access_token": accessToken, + "refresh_token": refreshTokenPlain, + "user": map[string]interface{}{ + "id": user.ID, + "username": user.Username, + "role": user.Role, + }, } w.Header().Set("Content-Type", "application/json") - json.NewEncoder(w).Encode(map[string]interface{}{ - "token": token, - "user": userResp{ - ID: user.ID, - Username: user.Username, - Role: user.Role, - }, - }) + json.NewEncoder(w).Encode(resp) +} +func Logout(w http.ResponseWriter, r *http.Request) { + claims := r.Context().Value(auth.UserContextKey).(*auth.Claims) + storage.RevokeAllRefreshTokensForUser(claims.UserID) + w.WriteHeader(204) } - func TestHandler(w http.ResponseWriter, r *http.Request) { claimsRaw := r.Context().Value(auth.UserContextKey) if claimsRaw == nil { @@ -109,3 +138,50 @@ func TestHandler(w http.ResponseWriter, r *http.Request) { "msg": "access granted to protected endpoint", }) } +func RefreshToken(w http.ResponseWriter, r *http.Request) { + var req struct { + RefreshToken string `json:"refresh_token"` + } + if err := json.NewDecoder(r.Body).Decode(&req); err != nil { + http.Error(w, "Invalid request", http.StatusBadRequest) + return + } + + hashed := utils.HashToken(req.RefreshToken) + + tokenRow, err := storage.GetRefreshToken(hashed) + if err != nil || tokenRow.Revoked || tokenRow.ExpiresAt < time.Now().Unix() { + http.Error(w, "Invalid refresh token", http.StatusUnauthorized) + return + } + + if err := storage.RevokeRefreshToken(tokenRow.ID); err != nil { + log.Println(err) + } + + newToken, _ := utils.GenerateRefreshToken() + newHash := utils.HashToken(newToken) + newExpires := time.Now().Add(7 * 24 * time.Hour).Unix() //7 days + newID := utils.GenerateUUID() + deviceInfo := r.Header.Get("User-Agent") + if err = storage.AddRefreshToken(models.RefreshToken{ + ID: newID, + UserID: tokenRow.UserID, + Token: newHash, + ExpiresAt: newExpires, + CreatedAt: time.Now().Unix(), + Revoked: false, + DeviceInfo: deviceInfo, + }); err != nil { + return + } + + accessToken, _ := auth.GenerateJWT(tokenRow.UserID, "", []byte(os.Getenv("SHAP_JWT_SECRET"))) + + if err = json.NewEncoder(w).Encode(map[string]string{ + "access_token": accessToken, + "refresh_token": newToken, + }); err != nil { + return + } +} diff --git a/models/loginmodels.go b/models/loginmodels.go index 8130760..f216477 100644 --- a/models/loginmodels.go +++ b/models/loginmodels.go @@ -1,10 +1,11 @@ package models -import "time" - type RefreshToken struct { - ID string `json:id` - UserID string `json:userid` - Token string `json:token` - ExpiresAt time.Time `json:expiresat` + ID string `json:id` + UserID string `json:userid` + Token string `json:token` + ExpiresAt int64 `json:expiresat` + CreatedAt int64 `json:createdat` + Revoked bool `json:revoked` + DeviceInfo string `json:deviceinfo` } diff --git a/server/server.go b/server/server.go index 553ffe5..b1d1b14 100644 --- a/server/server.go +++ b/server/server.go @@ -48,6 +48,8 @@ func (server *Server) Run() { // Public mux.HandleFunc("/api/login", handlers.Login) mux.HandleFunc("/api/register", handlers.Register) + mux.HandleFunc("/api/refresh", handlers.RefreshToken) + mux.HandleFunc("/api/logout", handlers.Logout) // Login required mux.Handle("/api/expenses", auth.AuthMiddleware(server.JWTSecret)(http.HandlerFunc(handlers.GetExpenses))) diff --git a/storage/storage.go b/storage/storage.go index ab6228e..c2a0f63 100644 --- a/storage/storage.go +++ b/storage/storage.go @@ -2,11 +2,13 @@ package storage import ( "database/sql" + "errors" "shap-planner-backend/models" _ "github.com/glebarez/go-sqlite" ) +var ErrNotFound = sql.ErrNoRows var DB *sql.DB func InitDB(filepath string) error { @@ -19,13 +21,33 @@ func InitDB(filepath string) error { //Create Users-Table _, err = DB.Exec(`CREATE TABLE IF NOT EXISTS users( id TEXT PRIMARY KEY, - username TEXT UNIQUE, - password TEXT + username TEXT UNIQUE NOT NULL, + password TEXT NOT NULL, + role TEXT NOT NULL );`) if err != nil { return err } + //Create refresh token-table + _, err = DB.Exec(`CREATE TABLE IF NOT EXISTS refresh_tokens( + id TEXT PRIMARY KEY, + user_id TEXT NOT NULL, + token_hash TEXT NOT NULL, + expires_at INTEGER NOT NULL, + created_at INTEGER NOT NULL, + revoked INTEGER NOT NULL DEFAULT 0, + device_info TEXT, + FOREIGN KEY(user_id) REFERENCES users(id) + )`) + if err != nil { + return err + } + _, err = DB.Exec(`CREATE INDEX IF NOT EXISTS idx_refresh_token_hash ON refresh_tokens(token_hash)`) + if err != nil { + return err + } + //Create Expenses-Table _, err = DB.Exec(`CREATE TABLE IF NOT EXISTS expenses( id TEXT PRIMARY KEY @@ -34,21 +56,67 @@ func InitDB(filepath string) error { return err } +// Users func AddUser(user models.User) error { _, err := DB.Exec("INSERT INTO users(id, username, password, role) VALUES (?, ?, ?, ?)", user.ID, user.Username, user.Password, user.Role) return err } - func GetUserByUsername(username string) (models.User, error) { row := DB.QueryRow("SELECT * FROM users WHERE username = ?", username) var user models.User - err := row.Scan(&user.ID, &user.Username, &user.Password) + err := row.Scan(&user.ID, &user.Username, &user.Password, &user.Role) return user, err } - func GetUserById(id string) (models.User, error) { row := DB.QueryRow("SELECT * FROM users WHERE id = ?", id) var user models.User err := row.Scan(&user.ID, &user.Username, &user.Password) return user, err } + +// Refresh Tokens +func AddRefreshToken(token models.RefreshToken) error { + _, err := DB.Exec("INSERT INTO refresh_tokens(id, user_id, token_hash, expires_at, created_at, revoked, device_info) VALUES (?, ?, ?, ?, ?, ?, ?)", + token.ID, token.UserID, token.Token, token.ExpiresAt, token.CreatedAt, token.Revoked, token.DeviceInfo) + return err +} +func GetRefreshToken(token string) (models.RefreshToken, error) { + row := DB.QueryRow("SELECT * FROM refresh_tokens WHERE token_hash = ?", token) + var refresh_token models.RefreshToken + err := row.Scan(&refresh_token.ID, &refresh_token.UserID, &refresh_token.Token, &refresh_token.ExpiresAt, &refresh_token.CreatedAt, &refresh_token.Revoked, &refresh_token.DeviceInfo) + return refresh_token, err +} +func RevokeRefreshToken(tokenID string) error { + if DB == nil { + return errors.New("db not initialized") + } + + res, err := DB.Exec(` + UPDATE refresh_tokens + SET revoked = 1 + WHERE id = ? + `, tokenID) + if err != nil { + return err + } + n, err := res.RowsAffected() + if err != nil { + return err + } + if n == 0 { + return ErrNotFound + } + return nil +} +func RevokeAllRefreshTokensForUser(userID string) error { + if DB == nil { + return errors.New("db not initialized") + } + + _, err := DB.Exec(` + UPDATE refresh_tokens + SET revoked = 1 + WHERE user_id = ? + `, userID) + return err +} diff --git a/utils/util.go b/utils/util.go index bf8ef7f..026803c 100644 --- a/utils/util.go +++ b/utils/util.go @@ -2,7 +2,9 @@ package utils import ( "crypto/rand" + "crypto/sha256" "encoding/base64" + "encoding/hex" "github.com/google/uuid" ) @@ -18,3 +20,14 @@ func GenerateSecret() string { } return base64.StdEncoding.EncodeToString(b) } +func GenerateRefreshToken() (string, error) { + b := make([]byte, 32) + if _, err := rand.Read(b); err != nil { + return "", err + } + return base64.RawURLEncoding.EncodeToString(b), nil +} +func HashToken(token string) string { + hash := sha256.Sum256([]byte(token)) + return hex.EncodeToString(hash[:]) +}