refactor: moved hashing logic into application layer for security;

fix: error handling in auth service for database; refactor: removed redundant taken email check; chore: removed todos that were completed/not needed; fix: leaking transactions in complete registration and login on error; refactor: got rid of txless requests during transactions;
2025-07-06 13:01:00 +03:00
parent 5e32c3cbd3
commit 333817c9e1
9 changed files with 177 additions and 121 deletions
--- a/backend/internal/database/query.sql.go
+++ b/backend/internal/database/query.sql.go
@@ -46,17 +46,17 @@ func (q *Queries) CreateBannedUser(ctx context.Context, arg CreateBannedUserPara

 const createConfirmationCode = `-- name: CreateConfirmationCode :one
 INSERT INTO confirmation_codes(user_id, code_type, code_hash)
-VALUES ($1, $2, crypt($3::text, gen_salt('bf'))) RETURNING id, user_id, code_type, code_hash, expires_at, used, deleted
+VALUES ($1, $2, $3) RETURNING id, user_id, code_type, code_hash, expires_at, used, deleted
 `

 type CreateConfirmationCodeParams struct {
 	UserID   int64
 	CodeType int32
-	Code     string
+	CodeHash string
 }

 func (q *Queries) CreateConfirmationCode(ctx context.Context, arg CreateConfirmationCodeParams) (ConfirmationCode, error) {
-	row := q.db.QueryRow(ctx, createConfirmationCode, arg.UserID, arg.CodeType, arg.Code)
+	row := q.db.QueryRow(ctx, createConfirmationCode, arg.UserID, arg.CodeType, arg.CodeHash)
 	var i ConfirmationCode
 	err := row.Scan(
 		&i.ID,
@@ -72,17 +72,17 @@ func (q *Queries) CreateConfirmationCode(ctx context.Context, arg CreateConfirma

 const createLoginInformation = `-- name: CreateLoginInformation :one
 INSERT INTO login_informations(user_id, email, password_hash)
-VALUES ( $1, $2, crypt($3::text, gen_salt('bf')) ) RETURNING id, user_id, email, password_hash, totp_encrypted, email_2fa_enabled, password_change_date
+VALUES ( $1, $2, $3::text ) RETURNING id, user_id, email, password_hash, totp_encrypted, email_2fa_enabled, password_change_date
 `

 type CreateLoginInformationParams struct {
-	UserID   int64
-	Email    *string
-	Password string
+	UserID       int64
+	Email        *string
+	PasswordHash string
 }

 func (q *Queries) CreateLoginInformation(ctx context.Context, arg CreateLoginInformationParams) (LoginInformation, error) {
-	row := q.db.QueryRow(ctx, createLoginInformation, arg.UserID, arg.Email, arg.Password)
+	row := q.db.QueryRow(ctx, createLoginInformation, arg.UserID, arg.Email, arg.PasswordHash)
 	var i LoginInformation
 	err := row.Scan(
 		&i.ID,
@@ -229,37 +229,6 @@ func (q *Queries) DeleteUserByUsername(ctx context.Context, username string) err
 	return err
 }

-const getConfirmationCodeByCode = `-- name: GetConfirmationCodeByCode :one
-SELECT id, user_id, code_type, code_hash, expires_at, used, deleted FROM confirmation_codes
-WHERE 
-  user_id = $1 AND
-  code_type = $2 AND
-  expires_at > CURRENT_TIMESTAMP AND
-  used IS FALSE AND
-  code_hash = crypt($3::text, code_hash)
-`
-
-type GetConfirmationCodeByCodeParams struct {
-	UserID   int64
-	CodeType int32
-	Code     string
-}
-
-func (q *Queries) GetConfirmationCodeByCode(ctx context.Context, arg GetConfirmationCodeByCodeParams) (ConfirmationCode, error) {
-	row := q.db.QueryRow(ctx, getConfirmationCodeByCode, arg.UserID, arg.CodeType, arg.Code)
-	var i ConfirmationCode
-	err := row.Scan(
-		&i.ID,
-		&i.UserID,
-		&i.CodeType,
-		&i.CodeHash,
-		&i.ExpiresAt,
-		&i.Used,
-		&i.Deleted,
-	)
-	return i, err
-}
-
 const getLoginInformationByUsername = `-- name: GetLoginInformationByUsername :one
 SELECT login_informations.id, login_informations.user_id, login_informations.email, login_informations.password_hash, login_informations.totp_encrypted, login_informations.email_2fa_enabled, login_informations.password_change_date FROM login_informations
 JOIN users ON users.id = login_informations.user_id
@@ -550,47 +519,6 @@ func (q *Queries) GetUserByEmail(ctx context.Context, email string) (User, error
 	return i, err
 }

-const getUserByLoginCredentials = `-- name: GetUserByLoginCredentials :one
-SELECT
-  users.id,
-  users.username,
-  linfo.password_hash,
-  linfo.totp_encrypted
-FROM users
-JOIN login_informations AS linfo ON users.id = linfo.user_id
-LEFT JOIN banned_users AS banned ON users.id = banned.user_id
-WHERE 
-  users.username = $1 AND
-  users.verified IS TRUE AND -- Verified
-  users.deleted IS FALSE AND -- Not deleted
-  banned.user_id IS NULL AND -- Not banned
-  linfo.password_hash = crypt($2::text, linfo.password_hash)
-`
-
-type GetUserByLoginCredentialsParams struct {
-	Username string
-	Password string
-}
-
-type GetUserByLoginCredentialsRow struct {
-	ID            int64
-	Username      string
-	PasswordHash  string
-	TotpEncrypted *string
-}
-
-func (q *Queries) GetUserByLoginCredentials(ctx context.Context, arg GetUserByLoginCredentialsParams) (GetUserByLoginCredentialsRow, error) {
-	row := q.db.QueryRow(ctx, getUserByLoginCredentials, arg.Username, arg.Password)
-	var i GetUserByLoginCredentialsRow
-	err := row.Scan(
-		&i.ID,
-		&i.Username,
-		&i.PasswordHash,
-		&i.TotpEncrypted,
-	)
-	return i, err
-}
-
 const getUserByUsername = `-- name: GetUserByUsername :one
 SELECT id, username, verified, registration_date, deleted FROM users 
 WHERE username = $1
@@ -644,6 +572,78 @@ func (q *Queries) GetUserSessions(ctx context.Context, userID int64) ([]Session,
 	return items, nil
 }

+const getValidConfirmationCodeByCode = `-- name: GetValidConfirmationCodeByCode :one
+SELECT id, user_id, code_type, code_hash, expires_at, used, deleted FROM confirmation_codes
+WHERE 
+  user_id = $1 AND
+  code_type = $2 AND
+  expires_at > CURRENT_TIMESTAMP AND
+  used IS FALSE AND
+  code_hash = crypt($3::text, code_hash)
+`
+
+type GetValidConfirmationCodeByCodeParams struct {
+	UserID   int64
+	CodeType int32
+	Code     string
+}
+
+func (q *Queries) GetValidConfirmationCodeByCode(ctx context.Context, arg GetValidConfirmationCodeByCodeParams) (ConfirmationCode, error) {
+	row := q.db.QueryRow(ctx, getValidConfirmationCodeByCode, arg.UserID, arg.CodeType, arg.Code)
+	var i ConfirmationCode
+	err := row.Scan(
+		&i.ID,
+		&i.UserID,
+		&i.CodeType,
+		&i.CodeHash,
+		&i.ExpiresAt,
+		&i.Used,
+		&i.Deleted,
+	)
+	return i, err
+}
+
+const getValidUserByLoginCredentials = `-- name: GetValidUserByLoginCredentials :one
+SELECT
+  users.id,
+  users.username,
+  linfo.password_hash,
+  linfo.totp_encrypted
+FROM users
+JOIN login_informations AS linfo ON users.id = linfo.user_id
+LEFT JOIN banned_users AS banned ON users.id = banned.user_id
+WHERE 
+  users.username = $1 AND
+  users.verified IS TRUE AND -- Verified
+  users.deleted IS FALSE AND -- Not deleted
+  banned.user_id IS NULL AND -- Not banned
+  linfo.password_hash = crypt($2::text, linfo.password_hash)
+`
+
+type GetValidUserByLoginCredentialsParams struct {
+	Username string
+	Password string
+}
+
+type GetValidUserByLoginCredentialsRow struct {
+	ID            int64
+	Username      string
+	PasswordHash  string
+	TotpEncrypted *string
+}
+
+func (q *Queries) GetValidUserByLoginCredentials(ctx context.Context, arg GetValidUserByLoginCredentialsParams) (GetValidUserByLoginCredentialsRow, error) {
+	row := q.db.QueryRow(ctx, getValidUserByLoginCredentials, arg.Username, arg.Password)
+	var i GetValidUserByLoginCredentialsRow
+	err := row.Scan(
+		&i.ID,
+		&i.Username,
+		&i.PasswordHash,
+		&i.TotpEncrypted,
+	)
+	return i, err
+}
+
 const pruneExpiredConfirmationCodes = `-- name: PruneExpiredConfirmationCodes :exec
 DELETE FROM confirmation_codes
 WHERE expires_at < CURRENT_TIMESTAMP