valitovgaziz/tp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

security: rotate secrets, add rate limiter, validate input, harden cookies

Browse Source
This commit is contained in:
valitovgaziz
2026-06-12 17:01:48 +05:00
parent 9f4fb23652
commit 5de587689c
8 changed files with 308 additions and 234 deletions
Download Patch File Download Diff File Expand all files Collapse all files
api/src/initializers/Routing.go
+68 -68
View File
@@ -1,68 +1,68 @@
package initializers
import (
"api/src/rt/admin"
"api/src/rt/auth"
"api/src/rt/prf"
"api/src/rt/srch"
"log/slog"
"os"
"time"
"net/http"
"github.com/go-chi/chi/v5"
"github.com/go-chi/chi/v5/middleware"
)
var Done = make(chan bool)
func InitChiRouting() {
slog.Info("Init routing")
r := chi.NewRouter()
// middlewares
r.Use(middleware.Logger)
r.Use(middleware.Timeout(60 * time.Second))
r.Use(middleware.RequestID)
r.Use(middleware.CleanPath)
r.Use(middleware.Heartbeat("/ping"))
r.Use(middleware.NoCache)
r.Use(middleware.Recoverer)
r.NotFound(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(404)
w.Write([]byte("route does not exist"))
})
r.MethodNotAllowed(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(405)
w.Write([]byte("method is not valid"))
})
// public Routes
r.Group(func(r chi.Router) {
r.Post("/signup", auth.Register) // register
r.Post("/signin", auth.Login) // signin
r.Get("/search", srch.Search)
})
// Private Routes
// Require Authentication
r.Group(func(r chi.Router) {
r.Use(auth.AuthMiddleware)
r.Get("/profile", prf.Profile)
r.Get("/allUsersAdm", admin.GetAllUser)
r.Route("/admin", func(r chi.Router) {
r.Use(auth.AuthAdminMiddleware)
r.Get("/allUsersAdm", admin.GetAllUser) // all users get
})
})
// up server on os.Getenv("SERVER_PORT") port on gorutin
go func() {
defer close(Done)
err := http.ListenAndServe(":"+os.Getenv("SERVER_PORT"), r)
if err != nil {
slog.Error("Can't start server: ", "error", err)
}
}()
}
package initializers
import (
"api/src/rt/admin"
"api/src/rt/auth"
"api/src/rt/prf"
"api/src/rt/srch"
"log/slog"
"os"
"time"
"net/http"
"github.com/go-chi/chi/v5"
"github.com/go-chi/chi/v5/middleware"
"github.com/go-chi/httprate"
)
var Done = make(chan bool)
func InitChiRouting() {
slog.Info("Init routing")
r := chi.NewRouter()
// middlewares
r.Use(middleware.Logger)
r.Use(middleware.Timeout(60 * time.Second))
r.Use(middleware.RequestID)
r.Use(middleware.CleanPath)
r.Use(middleware.Heartbeat("/ping"))
r.Use(middleware.NoCache)
r.Use(middleware.Recoverer)
r.NotFound(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(404)
w.Write([]byte("route does not exist"))
})
r.MethodNotAllowed(func(w http.ResponseWriter, r *http.Request) {
w.WriteHeader(405)
w.Write([]byte("method is not valid"))
})
// public Routes
r.Group(func(r chi.Router) {
r.Post("/signup", auth.Register) // register
r.With(httprate.Limit(5, 1*time.Minute)).Post("/signin", auth.Login) // signin with rate limiter
r.Get("/search", srch.Search)
})
// Private Routes
// Require Authentication
r.Group(func(r chi.Router) {
r.Use(auth.AuthMiddleware)
r.Get("/profile", prf.Profile)
r.Route("/admin", func(r chi.Router) {
r.Use(auth.AuthAdminMiddleware)
r.Get("/allUsersAdm", admin.GetAllUser) // all users get
})
})
// up server on os.Getenv("SERVER_PORT") port on gorutin
go func() {
defer close(Done)
err := http.ListenAndServe(":"+os.Getenv("SERVER_PORT"), r)
if err != nil {
slog.Error("Can't start server: ", "error", err)
}
}()
}
api/src/rt/auth/Login.go
+68 -61
View File
@@ -1,61 +1,68 @@
package auth
import (
"api/src/models"
"api/src/storages/psql"
"encoding/json"
"net/http"
"os"
"time"
"github.com/golang-jwt/jwt/v4"
"golang.org/x/crypto/bcrypt"
)
var jwtKey = []byte(os.Getenv("SECRET_KEY"))
func Login(w http.ResponseWriter, r *http.Request) {
var creds models.Credentials
if err := json.NewDecoder(r.Body).Decode(&creds); err != nil {
w.WriteHeader(http.StatusBadRequest)
return
}
// check user
var user models.User
// get user by email
result := psql.PSQL_GORM_DB.Where("email = ?", creds.Email).First(&user)
if result.Error != nil || !checkPasswordHash(creds.Password, user.Password) {
w.WriteHeader(http.StatusInternalServerError)
return
}
// create jwt token
expirationtime := time.Now().Add(5 * time.Minute)
claims := &models.Claims{
RegisteredClaims: jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(expirationtime),
},
Email: user.Email,
Phone: user.Phone,
Role: user.Role,
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
tokenString, err := token.SignedString(jwtKey)
if err != nil {
w.WriteHeader(http.StatusInternalServerError)
return
}
http.SetCookie(w, &http.Cookie{
Name: "token",
Value: tokenString,
Expires: expirationtime,
})
w.WriteHeader(http.StatusOK)
}
func checkPasswordHash(password, hash string) bool {
err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
return err == nil
}
package auth
import (
"api/src/models"
"api/src/storages/psql"
"encoding/json"
"net/http"
"os"
"time"
"github.com/golang-jwt/jwt/v4"
"golang.org/x/crypto/bcrypt"
)
const (
loginErrMsg = "invalid email or password"
)
var jwtKey = []byte(os.Getenv("SECRET_KEY"))
func Login(w http.ResponseWriter, r *http.Request) {
var creds models.Credentials
if err := json.NewDecoder(r.Body).Decode(&creds); err != nil {
w.WriteHeader(http.StatusBadRequest)
return
}
// check user
var user models.User
result := psql.PSQL_GORM_DB.Where("email = ?", creds.Email).First(&user)
if result.Error != nil || !checkPasswordHash(creds.Password, user.Password) {
http.Error(w, loginErrMsg, http.StatusUnauthorized)
return
}
// create jwt token
expirationtime := time.Now().Add(5 * time.Minute)
claims := &models.Claims{
RegisteredClaims: jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(expirationtime),
},
Email: user.Email,
Phone: user.Phone,
Role: user.Role,
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
tokenString, err := token.SignedString(jwtKey)
if err != nil {
w.WriteHeader(http.StatusInternalServerError)
return
}
http.SetCookie(w, &http.Cookie{
Name: "token",
Value: tokenString,
Expires: expirationtime,
HttpOnly: true,
Secure: true,
SameSite: http.SameSiteStrictMode,
Path: "/",
})
w.WriteHeader(http.StatusOK)
}
func checkPasswordHash(password, hash string) bool {
err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
return err == nil
}
api/src/rt/auth/Registr.go
+97 -50
View File
@@ -1,50 +1,97 @@
package auth
import (
"api/src/models"
"api/src/storages/psql"
"encoding/json"
"net/http"
"github.com/google/uuid"
"golang.org/x/crypto/bcrypt"
)
func Register(w http.ResponseWriter, r *http.Request) {
var Credentials models.Credentials
// Decoe body
if err := json.NewDecoder(r.Body).Decode(&Credentials); err != nil {
w.WriteHeader(http.StatusBadRequest)
return
}
// shep password
hashedPassword, err := hashPassword(Credentials.Password)
if err != nil {
w.WriteHeader(http.StatusInternalServerError)
return
}
id := uuid.New()
user := models.User{
Id: id,
Name: Credentials.Name,
Email: Credentials.Email,
Password: hashedPassword,
Phone: Credentials.Phone,
Role: Credentials.Role,
}
result := psql.PSQL_GORM_DB.Create(&user)
if result.Error != nil {
w.WriteHeader(http.StatusInternalServerError)
return
}
w.WriteHeader(http.StatusCreated)
}
func hashPassword(password string) (string, error) {
bytes, err := bcrypt.GenerateFromPassword([]byte(password), 14)
return string(bytes), err
}
package auth
import (
"api/src/models"
"api/src/storages/psql"
"encoding/json"
"net/http"
"regexp"
"strings"
"github.com/google/uuid"
"golang.org/x/crypto/bcrypt"
)
var (
emailRegex = regexp.MustCompile(`^[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}$`)
phoneRegex = regexp.MustCompile(`^\+?[0-9\s\-\(\)]{7,20}$`)
validRoles = map[string]bool{"user": true, "admin": true}
)
type validationError struct {
Field string `json:"field"`
Message string `json:"message"`
}
func validateCredentials(c *models.Credentials) []validationError {
var errs []validationError
c.Name = strings.TrimSpace(c.Name)
c.Email = strings.TrimSpace(c.Email)
c.Phone = strings.TrimSpace(c.Phone)
c.Role = strings.TrimSpace(c.Role)
if c.Name == "" || len(c.Name) > 50 {
errs = append(errs, validationError{"name", "name is required and must be at most 50 characters"})
}
if c.Email == "" || len(c.Email) > 50 || !emailRegex.MatchString(c.Email) {
errs = append(errs, validationError{"email", "valid email is required"})
}
if c.Password == "" || len(c.Password) < 8 || len(c.Password) > 72 {
errs = append(errs, validationError{"password", "password must be between 8 and 72 characters"})
}
if c.Phone == "" || !phoneRegex.MatchString(c.Phone) {
errs = append(errs, validationError{"phone", "valid phone number is required"})
}
if c.Role != "" && !validRoles[c.Role] {
errs = append(errs, validationError{"role", "role must be 'user' or 'admin'"})
}
return errs
}
func Register(w http.ResponseWriter, r *http.Request) {
var creds models.Credentials
if err := json.NewDecoder(r.Body).Decode(&creds); err != nil {
http.Error(w, "invalid request body", http.StatusBadRequest)
return
}
if errs := validateCredentials(&creds); errs != nil {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusBadRequest)
json.NewEncoder(w).Encode(map[string]interface{}{"errors": errs})
return
}
hashedPassword, err := hashPassword(creds.Password)
if err != nil {
w.WriteHeader(http.StatusInternalServerError)
return
}
if creds.Role == "" {
creds.Role = "user"
}
user := models.User{
Id: uuid.New(),
Name: creds.Name,
Email: creds.Email,
Password: hashedPassword,
Phone: creds.Phone,
Role: creds.Role,
}
result := psql.PSQL_GORM_DB.Create(&user)
if result.Error != nil {
http.Error(w, "user with this email or phone already exists", http.StatusConflict)
return
}
w.WriteHeader(http.StatusCreated)
}
func hashPassword(password string) (string, error) {
bytes, err := bcrypt.GenerateFromPassword([]byte(password), 14)
return string(bytes), err
}