security: rotate secrets, add rate limiter, validate input, harden cookies

.env

@@ -1,21 +1,21 @@
-PGHOST=db
+PGHOST=db
-PGPORT=5432
+PGPORT=5432
-PGUSER=postgres
+PGUSER=postgres
-PGPASSWORD=postgres
+PGPASSWORD=HnFxccAF3sdUwnI1EkwmXQ==
-PGDATABASE=postgres
+PGDATABASE=postgres
-SSLmode=disable
+SSLmode=disable
-PGURL='postgres://postgres:postgres@db:5432/postgres?sslmode=disable'
+PGURL='postgres://postgres:HnFxccAF3sdUwnI1EkwmXQ==@db:5432/postgres?sslmode=disable'
-
+
-# SERVER
+# SERVER
-SERVER_PORT=8000
+SERVER_PORT=8000
-SECRET_KEY=my_very_secret_key
+SECRET_KEY=lUx8h9lpIPNPdcW9q27sJtgcZD/XlZnJWKQSLQ8t7rc=
-
+
-# MIGRATOR
+# MIGRATOR
-MIGRATOR_PORT=3000
+MIGRATOR_PORT=3000
-GOOSE_DRIVER=postgres
+GOOSE_DRIVER=postgres
-GOOSE_DBSTRING='user=postgres dbname=postgres sslmode=disable'
+GOOSE_DBSTRING='user=postgres password=HnFxccAF3sdUwnI1EkwmXQ== dbname=postgres sslmode=disable'
-GOOSE_MIGRATION_DIR=migrations
+GOOSE_MIGRATION_DIR=migrations
-
+
-# FRONTEND SPA
+# FRONTEND SPA
-HTTP=80         # ДЛЯ Certbot
+HTTP=80         # ДЛЯ Certbot
 HTTPS=443

.gitignore

@@ -1,34 +1,37 @@
-/spa/node_modules
+/spa/node_modules
-.env
+.env
-.vscode
+.vscode
-
+
-# Logs
+# Logs
-logs
+logs
-*.log
+*.log
-npm-debug.log*
+npm-debug.log*
-yarn-debug.log*
+yarn-debug.log*
-yarn-error.log*
+yarn-error.log*
-pnpm-debug.log*
+pnpm-debug.log*
-lerna-debug.log*
+lerna-debug.log*
-
+
-node_modules
+node_modules
-.DS_Store
+.DS_Store
-dist
+dist
-dist-ssr
+dist-ssr
-coverage
+coverage
-*.local
+*.local
-
+
-/cypress/videos/
+/cypress/videos/
-/cypress/screenshots/
+/cypress/screenshots/
-
+
-# Editor directories and files
+# Editor directories and files
-.vscode/*
+.vscode/*
-!.vscode/extensions.json
+!.vscode/extensions.json
-.idea
+.idea
-*.suo
+*.suo
-*.ntvs*
+*.ntvs*
-*.njsproj
+*.njsproj
-*.sln
+*.sln
-*.sw?
+*.sw?
-
+
-*.tsbuildinfo
+*.tsbuildinfo
+
+# Binaries
+api/bin/

api/go.mod

@@ -13,7 +13,7 @@ require (
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/stretchr/testify v1.9.0 // indirect
 	golang.org/x/crypto v0.25.0
-	golang.org/x/sync v0.7.0 // indirect
+	golang.org/x/sync v0.12.0 // indirect
 	golang.org/x/text v0.16.0 // indirect
 )
 
@@ -23,3 +23,10 @@ require (
 	gorm.io/driver/postgres v1.5.9
 	gorm.io/gorm v1.25.11
 )
+
+require (
+	github.com/go-chi/httprate v0.15.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
+	github.com/zeebo/xxh3 v1.0.2 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+)

api/go.sum

@@ -3,6 +3,8 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/go-chi/chi/v5 v5.1.0 h1:acVI1TYaD+hhedDJ3r54HyA6sExp3HfXq7QWEEY/xMw=
 github.com/go-chi/chi/v5 v5.1.0/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
+github.com/go-chi/httprate v0.15.0 h1:j54xcWV9KGmPf/X4H32/aTH+wBlrvxL7P+SdnRqxh5g=
+github.com/go-chi/httprate v0.15.0/go.mod h1:rzGHhVrsBn3IMLYDOZQsSU4fJNWcjui4fWKJcCId1R4=
 github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -19,6 +21,8 @@ github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
 github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/z8=
+github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
+github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -26,10 +30,16 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsTg=
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
+github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
+github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
 golang.org/x/crypto v0.25.0 h1:ypSNr+bnYL2YhwoMt2zPxHFmbAN1KZs/njMG3hxUp30=
 golang.org/x/crypto v0.25.0/go.mod h1:T+wALwcMOSE0kXgUAnPAHqTLW+XHgcELELW8VaDgm/M=
 golang.org/x/sync v0.7.0 h1:YsImfSBoP9QPYL0xyKJPq0gcaJdG3rInoqxTWbfQu9M=
 golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sys v0.30.0 h1:QjkSwP/36a20jFYWkSue1YwXzLmsV5Gfq7Eiy72C1uc=
+golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/text v0.16.0 h1:a94ExnEXNtEwYLGJSIUxnWoxoRz/ZcCsV63ROupILh4=
 golang.org/x/text v0.16.0/go.mod h1:GhwF1Be+LQoKShO3cGOHzqOgRrGaYc9AvblQOmPVHnI=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=

api/src/initializers/Routing.go

@@ -1,68 +1,68 @@
-package initializers
+package initializers
-
+
-import (
+import (
-	"api/src/rt/admin"
+	"api/src/rt/admin"
-	"api/src/rt/auth"
+	"api/src/rt/auth"
-	"api/src/rt/prf"
+	"api/src/rt/prf"
-	"api/src/rt/srch"
+	"api/src/rt/srch"
-	"log/slog"
+	"log/slog"
-	"os"
+	"os"
-	"time"
+	"time"
-
+
-	"net/http"
+	"net/http"
-
+
-	"github.com/go-chi/chi/v5"
+	"github.com/go-chi/chi/v5"
-	"github.com/go-chi/chi/v5/middleware"
+	"github.com/go-chi/chi/v5/middleware"
-)
+	"github.com/go-chi/httprate"
-
+)
-var Done = make(chan bool)
+
-
+var Done = make(chan bool)
-func InitChiRouting() {
+
-	slog.Info("Init routing")
+func InitChiRouting() {
-	r := chi.NewRouter()
+	slog.Info("Init routing")
-
+	r := chi.NewRouter()
-	// middlewares
+
-	r.Use(middleware.Logger)
+	// middlewares
-	r.Use(middleware.Timeout(60 * time.Second))
+	r.Use(middleware.Logger)
-	r.Use(middleware.RequestID)
+	r.Use(middleware.Timeout(60 * time.Second))
-	r.Use(middleware.CleanPath)
+	r.Use(middleware.RequestID)
-	r.Use(middleware.Heartbeat("/ping"))
+	r.Use(middleware.CleanPath)
-	r.Use(middleware.NoCache)
+	r.Use(middleware.Heartbeat("/ping"))
-	r.Use(middleware.Recoverer)
+	r.Use(middleware.NoCache)
-	r.NotFound(func(w http.ResponseWriter, r *http.Request) {
+	r.Use(middleware.Recoverer)
-		w.WriteHeader(404)
+	r.NotFound(func(w http.ResponseWriter, r *http.Request) {
-		w.Write([]byte("route does not exist"))
+		w.WriteHeader(404)
-	})
+		w.Write([]byte("route does not exist"))
-	r.MethodNotAllowed(func(w http.ResponseWriter, r *http.Request) {
+	})
-		w.WriteHeader(405)
+	r.MethodNotAllowed(func(w http.ResponseWriter, r *http.Request) {
-		w.Write([]byte("method is not valid"))
+		w.WriteHeader(405)
-	})
+		w.Write([]byte("method is not valid"))
-
+	})
-	// public Routes
+
-	r.Group(func(r chi.Router) {
+	// public Routes
-		r.Post("/signup", auth.Register) // register
+	r.Group(func(r chi.Router) {
-		r.Post("/signin", auth.Login)    // signin
+		r.Post("/signup", auth.Register)                       // register
-		r.Get("/search", srch.Search)
+		r.With(httprate.Limit(5, 1*time.Minute)).Post("/signin", auth.Login) // signin with rate limiter
-	})
+		r.Get("/search", srch.Search)
-
+	})
-	// Private Routes
+
-	// Require Authentication
+	// Private Routes
-	r.Group(func(r chi.Router) {
+	// Require Authentication
-		r.Use(auth.AuthMiddleware)
+	r.Group(func(r chi.Router) {
-		r.Get("/profile", prf.Profile)
+		r.Use(auth.AuthMiddleware)
-		r.Get("/allUsersAdm", admin.GetAllUser)
+		r.Get("/profile", prf.Profile)
-		r.Route("/admin", func(r chi.Router) {
+		r.Route("/admin", func(r chi.Router) {
-			r.Use(auth.AuthAdminMiddleware)
+			r.Use(auth.AuthAdminMiddleware)
-			r.Get("/allUsersAdm", admin.GetAllUser) // all users get
+			r.Get("/allUsersAdm", admin.GetAllUser) // all users get
-		})
+		})
-	})
+	})
-
+
-	// up server on os.Getenv("SERVER_PORT") port on gorutin
+	// up server on os.Getenv("SERVER_PORT") port on gorutin
-	go func() {
+	go func() {
-		defer close(Done)
+		defer close(Done)
-		err := http.ListenAndServe(":"+os.Getenv("SERVER_PORT"), r)
+		err := http.ListenAndServe(":"+os.Getenv("SERVER_PORT"), r)
-		if err != nil {
+		if err != nil {
-			slog.Error("Can't start server: ", "error", err)
+			slog.Error("Can't start server: ", "error", err)
-		}
+		}
-	}()
+	}()
-}
+}

api/src/rt/auth/Login.go

@@ -1,61 +1,68 @@
-package auth
+package auth
-
+
-import (
+import (
-	"api/src/models"
+	"api/src/models"
-	"api/src/storages/psql"
+	"api/src/storages/psql"
-	"encoding/json"
+	"encoding/json"
-	"net/http"
+	"net/http"
-	"os"
+	"os"
-	"time"
+	"time"
-
+
-	"github.com/golang-jwt/jwt/v4"
+	"github.com/golang-jwt/jwt/v4"
-	"golang.org/x/crypto/bcrypt"
+	"golang.org/x/crypto/bcrypt"
-)
+)
-
+
-var jwtKey = []byte(os.Getenv("SECRET_KEY"))
+const (
-
+	loginErrMsg = "invalid email or password"
-func Login(w http.ResponseWriter, r *http.Request) {
+)
-	var creds models.Credentials
+
-	if err := json.NewDecoder(r.Body).Decode(&creds); err != nil {
+var jwtKey = []byte(os.Getenv("SECRET_KEY"))
-		w.WriteHeader(http.StatusBadRequest)
+
-		return
+func Login(w http.ResponseWriter, r *http.Request) {
-	}
+	var creds models.Credentials
-	// check user
+	if err := json.NewDecoder(r.Body).Decode(&creds); err != nil {
-	var user models.User
+		w.WriteHeader(http.StatusBadRequest)
-	// get user by email
+		return
-	result := psql.PSQL_GORM_DB.Where("email = ?", creds.Email).First(&user)
+	}
-	if result.Error != nil || !checkPasswordHash(creds.Password, user.Password) {
+	// check user
-		w.WriteHeader(http.StatusInternalServerError)
+	var user models.User
-		return
+	result := psql.PSQL_GORM_DB.Where("email = ?", creds.Email).First(&user)
-	}
+	if result.Error != nil || !checkPasswordHash(creds.Password, user.Password) {
-
+		http.Error(w, loginErrMsg, http.StatusUnauthorized)
-	// create jwt token
+		return
-	expirationtime := time.Now().Add(5 * time.Minute)
+	}
-	claims := &models.Claims{
+
-		RegisteredClaims: jwt.RegisteredClaims{
+	// create jwt token
-			ExpiresAt: jwt.NewNumericDate(expirationtime),
+	expirationtime := time.Now().Add(5 * time.Minute)
-		},
+	claims := &models.Claims{
-		Email: user.Email,
+		RegisteredClaims: jwt.RegisteredClaims{
-		Phone: user.Phone,
+			ExpiresAt: jwt.NewNumericDate(expirationtime),
-		Role:  user.Role,
+		},
-	}
+		Email: user.Email,
-
+		Phone: user.Phone,
-	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
+		Role:  user.Role,
-	tokenString, err := token.SignedString(jwtKey)
+	}
-	if err != nil {
+
-		w.WriteHeader(http.StatusInternalServerError)
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
-		return
+	tokenString, err := token.SignedString(jwtKey)
-	}
+	if err != nil {
-
+		w.WriteHeader(http.StatusInternalServerError)
-	http.SetCookie(w, &http.Cookie{
+		return
-		Name:    "token",
+	}
-		Value:   tokenString,
+
-		Expires: expirationtime,
+	http.SetCookie(w, &http.Cookie{
-	})
+		Name:     "token",
-	w.WriteHeader(http.StatusOK)
+		Value:    tokenString,
-}
+		Expires:  expirationtime,
-
+		HttpOnly: true,
-func checkPasswordHash(password, hash string) bool {
+		Secure:   true,
-	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
+		SameSite: http.SameSiteStrictMode,
-	return err == nil
+		Path:     "/",
-}
+	})
+	w.WriteHeader(http.StatusOK)
+}
+
+func checkPasswordHash(password, hash string) bool {
+	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
+	return err == nil
+}

api/src/rt/auth/Registr.go

@@ -1,50 +1,97 @@
-package auth
+package auth
-
+
-import (
+import (
-	"api/src/models"
+	"api/src/models"
-	"api/src/storages/psql"
+	"api/src/storages/psql"
-	"encoding/json"
+	"encoding/json"
-	"net/http"
+	"net/http"
-
+	"regexp"
-	"github.com/google/uuid"
+	"strings"
-
+
-	"golang.org/x/crypto/bcrypt"
+	"github.com/google/uuid"
-)
+
-
+	"golang.org/x/crypto/bcrypt"
-func Register(w http.ResponseWriter, r *http.Request) {
+)
-	var Credentials models.Credentials
+
-	// Decoe body
+var (
-	if err := json.NewDecoder(r.Body).Decode(&Credentials); err != nil {
+	emailRegex = regexp.MustCompile(`^[a-zA-Z0-9._%+\-]+@[a-zA-Z0-9.\-]+\.[a-zA-Z]{2,}$`)
-		w.WriteHeader(http.StatusBadRequest)
+	phoneRegex = regexp.MustCompile(`^\+?[0-9\s\-\(\)]{7,20}$`)
-		return
+	validRoles = map[string]bool{"user": true, "admin": true}
-	}
+)
-
+
-	// shep password
+type validationError struct {
-	hashedPassword, err := hashPassword(Credentials.Password)
+	Field   string `json:"field"`
-	if err != nil {
+	Message string `json:"message"`
-		w.WriteHeader(http.StatusInternalServerError)
+}
-		return
+
-	}
+func validateCredentials(c *models.Credentials) []validationError {
-
+	var errs []validationError
-	id := uuid.New()
+
-
+	c.Name = strings.TrimSpace(c.Name)
-	user := models.User{
+	c.Email = strings.TrimSpace(c.Email)
-		Id:       id,
+	c.Phone = strings.TrimSpace(c.Phone)
-		Name:     Credentials.Name,
+	c.Role = strings.TrimSpace(c.Role)
-		Email:    Credentials.Email,
+
-		Password: hashedPassword,
+	if c.Name == "" || len(c.Name) > 50 {
-		Phone:    Credentials.Phone,
+		errs = append(errs, validationError{"name", "name is required and must be at most 50 characters"})
-		Role:     Credentials.Role,
+	}
-	}
+	if c.Email == "" || len(c.Email) > 50 || !emailRegex.MatchString(c.Email) {
-	result := psql.PSQL_GORM_DB.Create(&user)
+		errs = append(errs, validationError{"email", "valid email is required"})
-	if result.Error != nil {
+	}
-		w.WriteHeader(http.StatusInternalServerError)
+	if c.Password == "" || len(c.Password) < 8 || len(c.Password) > 72 {
-		return
+		errs = append(errs, validationError{"password", "password must be between 8 and 72 characters"})
-	}
+	}
-	w.WriteHeader(http.StatusCreated)
+	if c.Phone == "" || !phoneRegex.MatchString(c.Phone) {
-}
+		errs = append(errs, validationError{"phone", "valid phone number is required"})
-
+	}
-func hashPassword(password string) (string, error) {
+	if c.Role != "" && !validRoles[c.Role] {
-	bytes, err := bcrypt.GenerateFromPassword([]byte(password), 14)
+		errs = append(errs, validationError{"role", "role must be 'user' or 'admin'"})
-	return string(bytes), err
+	}
-}
+
+	return errs
+}
+
+func Register(w http.ResponseWriter, r *http.Request) {
+	var creds models.Credentials
+	if err := json.NewDecoder(r.Body).Decode(&creds); err != nil {
+		http.Error(w, "invalid request body", http.StatusBadRequest)
+		return
+	}
+
+	if errs := validateCredentials(&creds); errs != nil {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusBadRequest)
+		json.NewEncoder(w).Encode(map[string]interface{}{"errors": errs})
+		return
+	}
+
+	hashedPassword, err := hashPassword(creds.Password)
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	if creds.Role == "" {
+		creds.Role = "user"
+	}
+
+	user := models.User{
+		Id:       uuid.New(),
+		Name:     creds.Name,
+		Email:    creds.Email,
+		Password: hashedPassword,
+		Phone:    creds.Phone,
+		Role:     creds.Role,
+	}
+	result := psql.PSQL_GORM_DB.Create(&user)
+	if result.Error != nil {
+		http.Error(w, "user with this email or phone already exists", http.StatusConflict)
+		return
+	}
+	w.WriteHeader(http.StatusCreated)
+}
+
+func hashPassword(password string) (string, error) {
+	bytes, err := bcrypt.GenerateFromPassword([]byte(password), 14)
+	return string(bytes), err
+}