fix: ret invalid cred if usr not found in login

2026-02-02 13:21:17 +00:00 · 2025-11-26 01:42:52 +00:00
parent 389fe35a0a
commit 06c3951293
6 changed files with 168 additions and 42 deletions
--- a/apps/backend/internal/auth/password.go
+++ b/apps/backend/internal/auth/password.go
@@ -1,132 +0,0 @@
-package auth
-
-import (
-	"crypto/rand"
-	"crypto/subtle"
-	"encoding/base64"
-	"errors"
-	"fmt"
-	"strings"
-
-	"golang.org/x/crypto/argon2"
-)
-
-// argon2id parameters
-const (
-	memory      = 64 * 1024
-	iterations  = 3
-	parallelism = 2
-	saltLength  = 16
-	keyLength   = 32
-)
-
-var (
-	ErrInvalidHash         = errors.New("invalid hash format")
-	ErrIncompatibleHash    = errors.New("incompatible hash algorithm")
-	ErrIncompatibleVersion = errors.New("incompatible argon2 version")
-)
-
-type argon2Hash struct {
-	memory      uint32
-	iterations  uint32
-	parallelism uint8
-	salt        []byte
-	hash        []byte
-}
-
-func HashPassword(password string) (string, error) {
-	salt := make([]byte, saltLength)
-	if _, err := rand.Read(salt); err != nil {
-		return "", fmt.Errorf("failed to generate salt: %w", err)
-	}
-
-	hash := argon2.IDKey(
-		[]byte(password),
-		salt,
-		iterations,
-		memory,
-		parallelism,
-		keyLength,
-	)
-
-	b64Salt := base64.RawStdEncoding.EncodeToString(salt)
-	b64Hash := base64.RawStdEncoding.EncodeToString(hash)
-
-	encodedHash := fmt.Sprintf(
-		"$argon2id$v=%d$m=%d,t=%d,p=%d$%s$%s",
-		argon2.Version,
-		memory,
-		iterations,
-		parallelism,
-		b64Salt,
-		b64Hash,
-	)
-
-	return encodedHash, nil
-}
-
-func VerifyPassword(password, encodedHash string) (bool, error) {
-	h, err := decodeHash(encodedHash)
-	if err != nil {
-		return false, err
-	}
-
-	otherHash := argon2.IDKey(
-		[]byte(password),
-		h.salt,
-		h.iterations,
-		h.memory,
-		h.parallelism,
-		uint32(len(h.hash)),
-	)
-
-	if subtle.ConstantTimeCompare(h.hash, otherHash) == 1 {
-		return true, nil
-	}
-
-	return false, nil
-}
-
-func decodeHash(encodedHash string) (*argon2Hash, error) {
-	parts := strings.Split(encodedHash, "$")
-	if len(parts) != 6 {
-		return nil, ErrInvalidHash
-	}
-
-	if parts[1] != "argon2id" {
-		return nil, ErrIncompatibleHash
-	}
-
-	var version int
-	if _, err := fmt.Sscanf(parts[2], "v=%d", &version); err != nil {
-		return nil, fmt.Errorf("failed to parse version: %w", err)
-	}
-	if version != argon2.Version {
-		return nil, ErrIncompatibleVersion
-	}
-
-	h := &argon2Hash{}
-	if _, err := fmt.Sscanf(
-		parts[3],
-		"m=%d,t=%d,p=%d",
-		&h.memory,
-		&h.iterations,
-		&h.parallelism,
-	); err != nil {
-		return nil, fmt.Errorf("failed to parse parameters: %w", err)
-	}
-
-	salt, err := base64.RawStdEncoding.DecodeString(parts[4])
-	if err != nil {
-		return nil, fmt.Errorf("failed to decode salt: %w", err)
-	}
-	h.salt = salt
-
-	hash, err := base64.RawStdEncoding.DecodeString(parts[5])
-	if err != nil {
-		return nil, fmt.Errorf("failed to decode hash: %w", err)
-	}
-	h.hash = hash
-
-	return h, nil
-}
--- a/apps/backend/internal/auth/service.go
+++ b/apps/backend/internal/auth/service.go
@@ -5,6 +5,7 @@ import (
 	"encoding/hex"
 	"errors"

+	"github.com/get-drexa/drexa/internal/password"
 	"github.com/get-drexa/drexa/internal/user"
 	"github.com/google/uuid"
 	"github.com/uptrace/bun"
@@ -39,25 +40,27 @@ func NewService(db *bun.DB, userService *user.Service, tokenConfig TokenConfig)
 	}
 }

-func (s *Service) LoginWithEmailAndPassword(ctx context.Context, email, password string) (*LoginResult, error) {
-	var u user.User
-
-	err := s.db.NewSelect().Model(&u).Where("email = ?", email).Scan(ctx)
+func (s *Service) LoginWithEmailAndPassword(ctx context.Context, email, plain string) (*LoginResult, error) {
+	u, err := s.userService.UserByEmail(ctx, email)
 	if err != nil {
+		var nf *user.NotFoundError
+		if errors.As(err, &nf) {
+			return nil, ErrInvalidCredentials
+		}
 		return nil, err
 	}

-	ok, err := VerifyPassword(password, u.Password)
+	ok, err := password.Verify(plain, u.Password)
 	if err != nil || !ok {
 		return nil, ErrInvalidCredentials
 	}

-	at, err := GenerateAccessToken(&u, &s.tokenConfig)
+	at, err := GenerateAccessToken(u, &s.tokenConfig)
 	if err != nil {
 		return nil, err
 	}

-	rt, err := GenerateRefreshToken(&u, &s.tokenConfig)
+	rt, err := GenerateRefreshToken(u, &s.tokenConfig)
 	if err != nil {
 		return nil, err
 	}
@@ -68,48 +71,44 @@ func (s *Service) LoginWithEmailAndPassword(ctx context.Context, email, password
 	}

 	return &LoginResult{
-		User:         &u,
+		User:         u,
 		AccessToken:  at,
 		RefreshToken: hex.EncodeToString(rt.Token),
 	}, nil
 }

 func (s *Service) Register(ctx context.Context, opts registerOptions) (*LoginResult, error) {
-	u := user.User{
+	hashed, err := password.Hash(opts.password)
+	if err != nil {
+		return nil, err
+	}
+
+	u, err := s.userService.RegisterUser(ctx, user.UserRegistrationOptions{
 		Email:       opts.email,
 		DisplayName: opts.displayName,
-	}
-
-	exists, err := s.db.NewSelect().Model(&u).Where("email = ?", opts.email).Exists(ctx)
-	if err != nil {
-		return nil, err
-	}
-	if exists {
-		return nil, ErrUserExists
-	}
-
-	u.Password, err = HashPassword(opts.password)
+		Password:    hashed,
+	})
 	if err != nil {
 		return nil, err
 	}

-	_, err = s.db.NewInsert().Model(&u).Exec(ctx)
+	at, err := GenerateAccessToken(u, &s.tokenConfig)
 	if err != nil {
 		return nil, err
 	}

-	at, err := GenerateAccessToken(&u, &s.tokenConfig)
+	rt, err := GenerateRefreshToken(u, &s.tokenConfig)
 	if err != nil {
 		return nil, err
 	}

-	rt, err := GenerateRefreshToken(&u, &s.tokenConfig)
+	_, err = s.db.NewInsert().Model(rt).Exec(ctx)
 	if err != nil {
 		return nil, err
 	}

 	return &LoginResult{
-		User:         &u,
+		User:         u,
 		AccessToken:  at,
 		RefreshToken: hex.EncodeToString(rt.Token),
 	}, nil