From ac7aa8c6e95023def1eba7615d8a42ad52271500 Mon Sep 17 00:00:00 2001 From: Vidhu Kant Sharma Date: Sun, 29 Jan 2023 20:11:09 +0530 Subject: checking password before editing/deleting user --- user/password.go | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) create mode 100644 user/password.go (limited to 'user/password.go') diff --git a/user/password.go b/user/password.go new file mode 100644 index 0000000..d667ebc --- /dev/null +++ b/user/password.go @@ -0,0 +1,70 @@ +/* OpenBills-server - Server for libre billing software OpenBills-web + * Copyright (C) 2022 Vidhu Kant Sharma + + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + + * You should have received a copy of the GNU General Public License + * along with this program. If not, see . + */ + +package user + +import ( + "github.com/gin-gonic/gin" + "go.mongodb.org/mongo-driver/bson" + "go.mongodb.org/mongo-driver/mongo" + "golang.org/x/crypto/bcrypt" + "log" + "net/http" +) + +func checkPassword() gin.HandlerFunc { + return func(ctx *gin.Context) { + var u User + ctx.BindJSON(&u) + + filter := bson.M{ + "$or": []bson.M{ + // u.UserName in this case can be either username or email + {"Email": u.UserName}, + {"UserName": u.UserName}, + }, + } + + // check if the user exists in DB + var user User + err := db.FindOne(ctx, filter).Decode(&user) + if err != nil { + if err == mongo.ErrNoDocuments { + ctx.JSON(http.StatusNotFound, gin.H{"error": "user does not exist"}) + } else { + log.Printf("Error while reading user from DB to check password: %v", err.Error()) + ctx.JSON(http.StatusInternalServerError, gin.H{"error": "internal server error"}) + } + ctx.Abort() + } else { + // compare hash and password + err = bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(u.Password)) + if err != nil { + if err == bcrypt.ErrMismatchedHashAndPassword { + ctx.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "incorrect password"}) + } else { + log.Printf("Error while checking password: %v", err.Error()) + ctx.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"error": "internal server error"}) + } + } + } + + // everything's fine! + ctx.Set("user", user) + ctx.Next() + } +} -- cgit v1.2.3