From 3955d8626aef43efb0c86e723c44835dbb9660f8 Mon Sep 17 00:00:00 2001
From: kalipso <kalipso@c3d2.de>
Date: Tue, 15 Apr 2025 00:12:34 +0200
Subject: [PATCH] add/rm tokens, register with token

---
 controllers/userController.go           | 41 ++++++++++++-
 main.go                                 |  4 +-
 middlewares/requireAuth.go              | 79 +++++++++++++++++++++----
 repositories/registerTokenRepository.go |  7 ++-
 utils/utils.go                          | 19 ++++++
 views/invites.html                      | 28 +++++++++
 views/registertoken.html                | 59 ++++++++++++++++++
 7 files changed, 222 insertions(+), 15 deletions(-)
 create mode 100644 utils/utils.go
 create mode 100644 views/invites.html
 create mode 100644 views/registertoken.html

diff --git a/controllers/userController.go b/controllers/userController.go
index ba31b35..de5ff66 100644
--- a/controllers/userController.go
+++ b/controllers/userController.go
@@ -1,10 +1,12 @@
 package controllers
 
 import (
+	"errors"
 	"fmt"
 	"net/http"
 
 	"github.com/gin-gonic/gin"
+	"gorm.io/gorm"
 
 	"git.dynamicdiscord.de/kalipso/zineshop/models"
 	"git.dynamicdiscord.de/kalipso/zineshop/repositories"
@@ -188,13 +190,14 @@ func (rc *UserController) RegisterHandler(c *gin.Context) {
 
 	tokenExists, err := repositories.Tokens.Exists(token)
 
-	if err != nil {
+	if err != nil && !errors.Is(err, gorm.ErrRecordNotFound) {
 		data := gin.H{
 			"error":   err,
 			"success": "",
 		}
 
 		c.HTML(http.StatusOK, "register.html", data)
+		return
 	}
 
 	if !tokenExists {
@@ -203,6 +206,7 @@ func (rc *UserController) RegisterHandler(c *gin.Context) {
 			"success": "",
 		}
 		c.HTML(http.StatusOK, "register.html", data)
+		return
 	}
 
 	_, err = services.Users.Register(name, email, password, false)
@@ -233,9 +237,10 @@ func (rc *UserController) RegisterView(c *gin.Context) {
 	data := gin.H{
 		"error":   "",
 		"success": "",
+		"token":   c.Param("token"),
 	}
 
-	c.HTML(http.StatusOK, "register.html", data)
+	c.HTML(http.StatusOK, "registertoken.html", data)
 }
 
 func (rc *UserController) InitAdmin(c *gin.Context) {
@@ -292,6 +297,38 @@ func (rc *UserController) ResetHandler(c *gin.Context) {
 	c.HTML(http.StatusOK, "passwordreset.html", data)
 }
 
+func (rc *UserController) InviteView(c *gin.Context) {
+	tokens, _ := repositories.Tokens.GetAll()
+	fmt.Println(tokens)
+
+	data := gin.H{
+		"tokens": tokens,
+	}
+
+	c.HTML(http.StatusOK, "invites.html", data)
+}
+
+func (rc *UserController) InviteHandler(c *gin.Context) {
+	action := c.PostForm("action")
+
+	if action == "create" {
+		_, err := repositories.Tokens.Create()
+
+		if err != nil {
+			fmt.Println(err)
+			c.HTML(http.StatusBadRequest, "error.html", gin.H{"error": err})
+			return
+		}
+	}
+
+	if action == "delete" {
+		token := c.PostForm("token")
+		repositories.Tokens.Delete(token)
+	}
+
+	rc.InviteView(c)
+}
+
 func (rc *UserController) MainView(c *gin.Context) {
 	shopItems, _ := repositories.ShopItems.GetAll()
 	fmt.Println(len(shopItems))
diff --git a/main.go b/main.go
index b3f9f3b..3f1d114 100644
--- a/main.go
+++ b/main.go
@@ -89,7 +89,9 @@ func main() {
 		viewRoutes.GET("/logout", userController.Logout)
 		viewRoutes.GET("/register", userController.InitAdmin)
 		viewRoutes.GET("/register/:token", userController.RegisterView)
-		viewRoutes.GET("/passwordreset", userController.ResetView)
+		viewRoutes.GET("/invites", userController.InviteView)
+		viewRoutes.POST("/invites", userController.InviteHandler)
+		viewRoutes.GET("/passwordreset", authValidator.RequireAuth, userController.ResetView)
 		viewRoutes.GET("/additem", authValidator.RequireAuth, shopItemController.AddItemView)
 		viewRoutes.GET("/batchupload", authValidator.RequireAuth, shopItemController.AddItemsView)
 		viewRoutes.POST("/login", userController.LoginHandler)
diff --git a/middlewares/requireAuth.go b/middlewares/requireAuth.go
index 43e9bcc..7c5cbc1 100644
--- a/middlewares/requireAuth.go
+++ b/middlewares/requireAuth.go
@@ -1,13 +1,13 @@
 package middlewares
 
-import(
-	"os"
+import (
 	"fmt"
+	"os"
 	"time"
 	//"strconv"
-	"net/http"
 	"github.com/gin-gonic/gin"
 	"github.com/golang-jwt/jwt/v5"
+	"net/http"
 
 	//"git.dynamicdiscord.de/kalipso/zineshop/models"
 	"git.dynamicdiscord.de/kalipso/zineshop/repositories"
@@ -70,7 +70,7 @@ func (av *AuthValidator) RequireAuth(c *gin.Context) {
 		c.AbortWithStatus(http.StatusUnauthorized)
 		return
 	}
-	
+
 	if claims, ok := token.Claims.(jwt.MapClaims); ok {
 		//Check Expiration
 		if float64(time.Now().Unix()) > claims["exp"].(float64) {
@@ -78,7 +78,7 @@ func (av *AuthValidator) RequireAuth(c *gin.Context) {
 			c.AbortWithStatus(http.StatusUnauthorized)
 			return
 		}
-		
+
 		//Find user
 		user, err := repositories.Users.GetById(claims["sub"])
 
@@ -86,15 +86,72 @@ func (av *AuthValidator) RequireAuth(c *gin.Context) {
 			c.AbortWithStatus(http.StatusUnauthorized)
 			return
 		}
-	
+
 		//Attach to req
 		c.Set("user", user)
-	
+
 		// Coninue
 		c.Next()
 		return
 	}
-	
+
+	c.AbortWithStatus(http.StatusUnauthorized)
+}
+
+func (av *AuthValidator) RequireAdmin(c *gin.Context) {
+	// Get Cookie
+	tokenString, err := c.Cookie("Authorization")
+
+	if err != nil {
+		c.AbortWithStatus(http.StatusUnauthorized)
+		return
+	}
+
+	//Validate
+	token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
+		// Don't forget to validate the alg is what you expect:
+		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
+		}
+
+		// hmacSampleSecret is a []byte containing your secret, e.g. []byte("my_secret_key")
+		return []byte(os.Getenv("SECRET")), nil
+	})
+
+	if err != nil {
+		c.AbortWithStatus(http.StatusUnauthorized)
+		return
+	}
+
+	if claims, ok := token.Claims.(jwt.MapClaims); ok {
+		//Check Expiration
+		if float64(time.Now().Unix()) > claims["exp"].(float64) {
+			//expired
+			c.AbortWithStatus(http.StatusUnauthorized)
+			return
+		}
+
+		//Find user
+		user, err := repositories.Users.GetById(claims["sub"])
+
+		if err != nil {
+			c.AbortWithStatus(http.StatusUnauthorized)
+			return
+		}
+
+		if !user.IsAdmin {
+			c.AbortWithStatus(http.StatusUnauthorized)
+			return
+		}
+
+		//Attach to req
+		c.Set("user", user)
+
+		// Coninue
+		c.Next()
+		return
+	}
+
 	c.AbortWithStatus(http.StatusUnauthorized)
 }
 
@@ -119,19 +176,19 @@ func (av *AuthValidator) OptionalAuth(c *gin.Context) {
 	if err != nil {
 		return
 	}
-	
+
 	if claims, ok := token.Claims.(jwt.MapClaims); ok {
 		if float64(time.Now().Unix()) > claims["exp"].(float64) {
 			return
 		}
-		
+
 		//Find user
 		user, err := repositories.Users.GetById(claims["sub"])
 
 		if err != nil {
 			return
 		}
-	
+
 		//Attach to req
 		c.Set("user", user)
 	}
diff --git a/repositories/registerTokenRepository.go b/repositories/registerTokenRepository.go
index 8d8d1d4..99391a2 100644
--- a/repositories/registerTokenRepository.go
+++ b/repositories/registerTokenRepository.go
@@ -1,6 +1,7 @@
 package repositories
 
 import (
+	"errors"
 	"fmt"
 
 	"gorm.io/gorm"
@@ -59,9 +60,13 @@ func (t *GORMRegisterTokenRepository) GetAll() ([]models.RegisterToken, error) {
 
 func (t *GORMRegisterTokenRepository) Exists(tokenString string) (bool, error) {
 	var token models.RegisterToken
-	result := t.DB.First(&token, tokenString)
+	result := t.DB.First(&token, "token = ?", tokenString)
 
 	if result.Error != nil {
+		if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+			return false, nil
+		}
+
 		return false, result.Error
 	}
 
diff --git a/utils/utils.go b/utils/utils.go
new file mode 100644
index 0000000..66c4d20
--- /dev/null
+++ b/utils/utils.go
@@ -0,0 +1,19 @@
+package utils
+
+import (
+	"crypto/rand"
+	"encoding/hex"
+)
+
+func GenerateSessionId(length int) string {
+	bytes := make([]byte, length) // 16 bytes = 128 bits
+	_, err := rand.Read(bytes)
+	if err != nil {
+		panic("failed to generate session ID")
+	}
+	return hex.EncodeToString(bytes)
+}
+
+func GenerateToken() string {
+	return GenerateSessionId(16)
+}
diff --git a/views/invites.html b/views/invites.html
new file mode 100644
index 0000000..0d2e303
--- /dev/null
+++ b/views/invites.html
@@ -0,0 +1,28 @@
+{{ template "header.html" . }}
+
+
+<div class="flex min-h-full flex-col justify-center px-6 py-12 lg:px-8">
+  <div class="sm:mx-auto sm:w-full sm:max-w-sm">
+    <img class="mx-auto h-10 w-auto" src="/static/img/logo-black.png" alt="Your Company">
+    <h2 class="mt-10 text-center text-2xl/9 font-bold tracking-tight text-gray-900">Create/Delete Invites</h2>
+  </div>
+
+  <div class="mt-10 sm:mx-auto sm:w-full sm:max-w-sm">
+  {{ range .tokens }}
+    <form action="/invites" method="POST">
+      <div class="max-w-md mx-auto mt-4">
+        <div class="flex">
+          <input type="text" id="token" name="token" value="{{ .Token }}" readonly="readonly" class="flex-grow border border-gray-300 rounded-md p-2 focus:outline-none focus:ring focus:ring-blue-500">
+          <button type="submit" name="action" value="delete" class="bg-red-800 text-white rounded px-4 hover:bg-red-900">Delete</button>
+        </div>
+    </form>
+  {{ end }}
+    <form action="/invites" method="POST">
+      <div class="max-w-md mx-auto mt-4">
+        <div class="flex">
+            <button type="submit" name="action" value="create" class="bg-green-600 text-white ml-4 mr-4 rounded px-4 hover:bg-green-700">Create</button>
+        </div>
+    </div>
+    </form>
+  </div>
+{{ template "footer.html" . }}
diff --git a/views/registertoken.html b/views/registertoken.html
new file mode 100644
index 0000000..38bbf14
--- /dev/null
+++ b/views/registertoken.html
@@ -0,0 +1,59 @@
+{{ template "header.html" . }}
+
+<div class="flex min-h-full flex-col justify-center px-6 py-12 lg:px-8">
+  <div class="sm:mx-auto sm:w-full sm:max-w-sm">
+    <img class="mx-auto h-10 w-auto" src="/static/img/logo-black.png" alt="Logo">
+    <h2 class="mt-10 text-center text-2xl/9 font-bold tracking-tight text-gray-900">Register your account</h2>
+  </div>
+
+  <div class="mt-10 sm:mx-auto sm:w-full sm:max-w-sm">
+    <form class="space-y-6" action="/register" method="POST">
+      <div>
+        <label for="token" class="block text-sm/6 font-medium text-gray-900">Token</label>
+        <div class="mt-2">
+          <input type="text" name="token" id="token" value="{{ .token }}" required class="block w-full rounded-md bg-white px-3 py-1.5 text-base text-gray-900 outline outline-1 -outline-offset-1 outline-gray-300 placeholder:text-gray-400 focus:outline focus:outline-2 focus:-outline-offset-2 focus:outline-indigo-600 sm:text-sm/6">
+        </div>
+      </div>
+
+
+      <div>
+        <label for="name" class="block text-sm/6 font-medium text-gray-900">Username</label>
+        <div class="mt-2">
+          <input type="text" name="name" id="name" required class="block w-full rounded-md bg-white px-3 py-1.5 text-base text-gray-900 outline outline-1 -outline-offset-1 outline-gray-300 placeholder:text-gray-400 focus:outline focus:outline-2 focus:-outline-offset-2 focus:outline-indigo-600 sm:text-sm/6">
+        </div>
+      </div>
+
+      <div>
+        <label for="email" class="block text-sm/6 font-medium text-gray-900">Email address</label>
+        <div class="mt-2">
+          <input type="email" name="email" id="email" autocomplete="email" required class="block w-full rounded-md bg-white px-3 py-1.5 text-base text-gray-900 outline outline-1 -outline-offset-1 outline-gray-300 placeholder:text-gray-400 focus:outline focus:outline-2 focus:-outline-offset-2 focus:outline-indigo-600 sm:text-sm/6">
+        </div>
+      </div>
+
+      <div>
+        <div class="flex items-center justify-between">
+          <label for="password" class="block text-sm/6 font-medium text-gray-900">Password</label>
+        </div>
+        <div class="mt-2">
+          <input type="password" name="password" id="password" autocomplete="current-password" required class="block w-full rounded-md bg-white px-3 py-1.5 text-base text-gray-900 outline outline-1 -outline-offset-1 outline-gray-300 placeholder:text-gray-400 focus:outline focus:outline-2 focus:-outline-offset-2 focus:outline-indigo-600 sm:text-sm/6">
+        </div>
+      </div>
+
+      <p class="mt-10 text-center text-sm/6 text-red-500">
+      {{ .error }}
+      </p>
+      <p class="mt-10 text-center text-sm/6 text-green-500">
+      {{ .success }}
+      </p>
+
+
+
+      <div>
+        <button type="submit" class="flex w-full justify-center rounded-md bg-indigo-600 px-3 py-1.5 text-sm/6 font-semibold text-white shadow-sm hover:bg-indigo-500 focus-visible:outline focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-indigo-600">Register</button>
+      </div>
+    </form>
+  </div>
+</div>
+
+
+{{ template "footer.html" . }}