feat: bob

2025-04-10 00:59:28 -04:00
parent dfd6789aa9
commit e9c44cbc94
58 changed files with 1649 additions and 3104 deletions
--- a/server/internal/handlers/user/v1/auth.go
+++ b/server/internal/handlers/user/v1/auth.go
@ -2,38 +2,44 @@ package user

 import (
 	"context"
+	"database/sql"
 	"errors"
 	"net/http"
 	"strconv"
 	"time"

-	_ "crypto/sha256"
+	_ "crypto/sha256" // Crypto

 	"connectrpc.com/connect"
+	"github.com/aarondl/opt/omit"
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/spotdemo4/trevstack/server/internal/interceptors"
 	"github.com/spotdemo4/trevstack/server/internal/models"
 	userv1 "github.com/spotdemo4/trevstack/server/internal/services/user/v1"
 	"github.com/spotdemo4/trevstack/server/internal/services/user/v1/userv1connect"
-	"github.com/veraison/go-cose"
+	"github.com/stephenafamo/bob"
 	"golang.org/x/crypto/bcrypt"
-	"gorm.io/gorm"
 )

 type AuthHandler struct {
-	db  *gorm.DB
+	db  *bob.DB
 	key []byte
 }

-func (h *AuthHandler) Login(_ context.Context, req *connect.Request[userv1.LoginRequest]) (*connect.Response[userv1.LoginResponse], error) {
-	// Validate
-	user := models.User{}
-	if err := h.db.First(&user, "username = ?", req.Msg.Username).Error; err != nil {
-		if errors.Is(err, gorm.ErrRecordNotFound) {
-			return nil, connect.NewError(connect.CodePermissionDenied, errors.New("invalid username or password"))
+func (h *AuthHandler) Login(ctx context.Context, req *connect.Request[userv1.LoginRequest]) (*connect.Response[userv1.LoginResponse], error) {
+	// Get user
+	user, err := models.Users.Query(
+		models.SelectWhere.Users.Username.EQ(req.Msg.Username),
+	).One(ctx, h.db)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return nil, connect.NewError(connect.CodePermissionDenied, err)
 		}
+
 		return nil, connect.NewError(connect.CodeInternal, err)
 	}
+
+	// Check password
 	if err := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(req.Msg.Password)); err != nil {
 		return nil, connect.NewError(connect.CodePermissionDenied, errors.New("invalid username or password"))
 	}
@ -72,15 +78,21 @@ func (h *AuthHandler) Login(_ context.Context, req *connect.Request[userv1.Login
 	return res, nil
 }

-func (h *AuthHandler) SignUp(_ context.Context, req *connect.Request[userv1.SignUpRequest]) (*connect.Response[userv1.SignUpResponse], error) {
-	// Validate
-	if err := h.db.First(&models.User{}, "username = ?", req.Msg.Username).Error; err != nil {
-		if !errors.Is(err, gorm.ErrRecordNotFound) {
+func (h *AuthHandler) SignUp(ctx context.Context, req *connect.Request[userv1.SignUpRequest]) (*connect.Response[userv1.SignUpResponse], error) {
+	// Get user
+	user, err := models.Users.Query(
+		models.SelectWhere.Users.Username.EQ(req.Msg.Username),
+	).One(ctx, h.db)
+	if err != nil {
+		if !errors.Is(err, sql.ErrNoRows) {
 			return nil, connect.NewError(connect.CodeInternal, err)
 		}
-	} else {
+	}
+	if user != nil {
 		return nil, connect.NewError(connect.CodeAlreadyExists, errors.New("username already exists"))
 	}
+
+	// Check if confirmation passwords match
 	if req.Msg.Password != req.Msg.ConfirmPassword {
 		return nil, connect.NewError(connect.CodeInvalidArgument, errors.New("passwords do not match"))
 	}
@ -92,11 +104,11 @@ func (h *AuthHandler) SignUp(_ context.Context, req *connect.Request[userv1.Sign
 	}

 	// Create user
-	user := models.User{
-		Username: req.Msg.Username,
-		Password: string(hash),
-	}
-	if err := h.db.Create(&user).Error; err != nil {
+	_, err = models.Users.Insert(&models.UserSetter{
+		Username: omit.From(req.Msg.Username),
+		Password: omit.From(string(hash)),
+	}).One(ctx, h.db)
+	if err != nil {
 		return nil, connect.NewError(connect.CodeInternal, err)
 	}

@ -121,95 +133,95 @@ func (h *AuthHandler) Logout(_ context.Context, _ *connect.Request[userv1.Logout
 	return res, nil
 }

-func (h *AuthHandler) GetPasskeyIDs(_ context.Context, req *connect.Request[userv1.GetPasskeyIDsRequest]) (*connect.Response[userv1.GetPasskeyIDsResponse], error) {
-	// Get user
-	user := models.User{}
-	if err := h.db.Preload("Passkeys").First(&user, "username = ?", req.Msg.Username).Error; err != nil {
-		return nil, connect.NewError(connect.CodeNotFound, err)
-	}
+// func (h *AuthHandler) GetPasskeyIDs(_ context.Context, req *connect.Request[userv1.GetPasskeyIDsRequest]) (*connect.Response[userv1.GetPasskeyIDsResponse], error) {
+// 	// Get user
+// 	user := models.User{}
+// 	if err := h.db.Preload("Passkeys").First(&user, "username = ?", req.Msg.Username).Error; err != nil {
+// 		return nil, connect.NewError(connect.CodeNotFound, err)
+// 	}

-	// Get IDs
-	ids := []string{}
-	for _, passkey := range user.Passkeys {
-		ids = append(ids, passkey.ID)
-	}
+// 	// Get IDs
+// 	ids := []string{}
+// 	for _, passkey := range user.Passkeys {
+// 		ids = append(ids, passkey.ID)
+// 	}

-	return connect.NewResponse(&userv1.GetPasskeyIDsResponse{
-		PasskeyIds: ids,
-	}), nil
-}
+// 	return connect.NewResponse(&userv1.GetPasskeyIDsResponse{
+// 		PasskeyIds: ids,
+// 	}), nil
+// }

-func (h *AuthHandler) PasskeyLogin(_ context.Context, req *connect.Request[userv1.PasskeyLoginRequest]) (*connect.Response[userv1.PasskeyLoginResponse], error) {
-	// Get passkey
-	passkey := models.Passkey{}
-	if err := h.db.First(&passkey, "id = ?", req.Msg.Id).Error; err != nil {
-		return nil, connect.NewError(connect.CodeNotFound, err)
-	}
+// func (h *AuthHandler) PasskeyLogin(_ context.Context, req *connect.Request[userv1.PasskeyLoginRequest]) (*connect.Response[userv1.PasskeyLoginResponse], error) {
+// 	// Get passkey
+// 	passkey := models.Passkey{}
+// 	if err := h.db.First(&passkey, "id = ?", req.Msg.Id).Error; err != nil {
+// 		return nil, connect.NewError(connect.CodeNotFound, err)
+// 	}

-	// create a verifier from a trusted private key
-	var verifier cose.Verifier
-	var err error
-	switch req.Msg.Algorithm {
-	case -7:
-		verifier, err = cose.NewVerifier(cose.AlgorithmES256, passkey.PublicKey)
+// 	// create a verifier from a trusted private key
+// 	var verifier cose.Verifier
+// 	var err error
+// 	switch req.Msg.Algorithm {
+// 	case -7:
+// 		verifier, err = cose.NewVerifier(cose.AlgorithmES256, passkey.PublicKey)

-	case -257:
-		verifier, err = cose.NewVerifier(cose.AlgorithmRS256, passkey.PublicKey)
+// 	case -257:
+// 		verifier, err = cose.NewVerifier(cose.AlgorithmRS256, passkey.PublicKey)

-	default:
-		return nil, connect.NewError(connect.CodeInternal, errors.New("decode algorithm not implemented"))
-	}
-	if err != nil {
-		return nil, connect.NewError(connect.CodeInternal, err)
-	}
+// 	default:
+// 		return nil, connect.NewError(connect.CodeInternal, errors.New("decode algorithm not implemented"))
+// 	}
+// 	if err != nil {
+// 		return nil, connect.NewError(connect.CodeInternal, err)
+// 	}

-	// create a sign message from a raw signature payload
-	var msg cose.Sign1Message
-	if err = msg.UnmarshalCBOR(req.Msg.Signature); err != nil {
-		return nil, connect.NewError(connect.CodeInternal, err)
-	}
+// 	// create a sign message from a raw signature payload
+// 	var msg cose.Sign1Message
+// 	if err = msg.UnmarshalCBOR(req.Msg.Signature); err != nil {
+// 		return nil, connect.NewError(connect.CodeInternal, err)
+// 	}

-	// Validate passkey
-	err = msg.Verify(nil, verifier)
-	if err != nil {
-		return nil, connect.NewError(connect.CodeUnauthenticated, err)
-	}
+// 	// Validate passkey
+// 	err = msg.Verify(nil, verifier)
+// 	if err != nil {
+// 		return nil, connect.NewError(connect.CodeUnauthenticated, err)
+// 	}

-	// Generate JWT
-	t := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.RegisteredClaims{
-		Issuer:  "trevstack",
-		Subject: strconv.FormatUint(uint64(passkey.UserID), 10),
-		IssuedAt: &jwt.NumericDate{
-			Time: time.Now(),
-		},
-		ExpiresAt: &jwt.NumericDate{
-			Time: time.Now().Add(time.Hour * 24),
-		},
-	})
-	ss, err := t.SignedString(h.key)
-	if err != nil {
-		return nil, connect.NewError(connect.CodeInternal, err)
-	}
+// 	// Generate JWT
+// 	t := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.RegisteredClaims{
+// 		Issuer:  "trevstack",
+// 		Subject: strconv.FormatUint(uint64(passkey.UserID), 10),
+// 		IssuedAt: &jwt.NumericDate{
+// 			Time: time.Now(),
+// 		},
+// 		ExpiresAt: &jwt.NumericDate{
+// 			Time: time.Now().Add(time.Hour * 24),
+// 		},
+// 	})
+// 	ss, err := t.SignedString(h.key)
+// 	if err != nil {
+// 		return nil, connect.NewError(connect.CodeInternal, err)
+// 	}

-	// Create cookie
-	cookie := http.Cookie{
-		Name:     "token",
-		Value:    ss,
-		Path:     "/",
-		MaxAge:   86400,
-		HttpOnly: true,
-		Secure:   true,
-		SameSite: http.SameSiteStrictMode,
-	}
+// 	// Create cookie
+// 	cookie := http.Cookie{
+// 		Name:     "token",
+// 		Value:    ss,
+// 		Path:     "/",
+// 		MaxAge:   86400,
+// 		HttpOnly: true,
+// 		Secure:   true,
+// 		SameSite: http.SameSiteStrictMode,
+// 	}

-	res := connect.NewResponse(&userv1.PasskeyLoginResponse{
-		Token: ss,
-	})
-	res.Header().Set("Set-Cookie", cookie.String())
-	return res, nil
-}
+// 	res := connect.NewResponse(&userv1.PasskeyLoginResponse{
+// 		Token: ss,
+// 	})
+// 	res.Header().Set("Set-Cookie", cookie.String())
+// 	return res, nil
+// }

-func NewAuthHandler(db *gorm.DB, key string) (string, http.Handler) {
+func NewAuthHandler(db *bob.DB, key string) (string, http.Handler) {
 	interceptors := connect.WithInterceptors(interceptors.NewRateLimitInterceptor(key))

 	return userv1connect.NewAuthServiceHandler(