From b9b8099da1a098300d11e0f479d56e24e363e076 Mon Sep 17 00:00:00 2001
From: Michael Hunteman
Date: Sat, 6 Jul 2024 12:17:54 -0700
Subject: Secure PUT endpoint
---
 server/cmd/main.go | 47 ++++++++++++++++++++++++++++++++++-------------
 1 file changed, 34 insertions(+), 13 deletions(-)
(limited to 'server/cmd/main.go')
diff --git a/server/cmd/main.go b/server/cmd/main.go
index 5b81b66..b4b1c6d 100644
--- a/server/cmd/main.go
+++ b/server/cmd/main.go
@@ -2,14 +2,13 @@ package main
 import (
 "context"
- "crypto/rand"
- "encoding/base64"
 "encoding/json"
 "fmt"
 "log"
 "net/http"
 "os"
 "regexp"
+ "time"
 "github.com/golang-jwt/jwt/v5"
 "github.com/jackc/pgx/v5/pgxpool"
@@ -60,21 +59,22 @@ func (h *guestHandler) login(w http.ResponseWriter, r *http.Request) {
 return
 }
+ expirationTime := time.Now().Add(15 * time.Minute)
 claims := &guests.Claims{
- Guest: guest,
- RegisteredClaims: jwt.RegisteredClaims{},
+ Credentials: creds,
+ RegisteredClaims: jwt.RegisteredClaims{
+ ExpiresAt: jwt.NewNumericDate(expirationTime),
+ },
 }
- key := make([]byte, 32)
- _, err = rand.Read(key)
+ key, err := os.ReadFile("C:\\Users\\mhunt\\skey.pem")
 if err != nil {
 http.Error(w, err.Error(), http.StatusInternalServerError)
 return
 }
- secretKey := []byte(base64.StdEncoding.EncodeToString(key))
 token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
- tokenString, err := token.SignedString(secretKey)
+ tokenString, err := token.SignedString(key)
 if err != nil {
 http.Error(w, err.Error(), http.StatusInternalServerError)
 return
@@ -92,10 +92,6 @@ func (h *guestHandler) login(w http.ResponseWriter, r *http.Request) {
 }
 w.WriteHeader(http.StatusOK)
- http.SetCookie(w, &http.Cookie{
- Name: "token",
- Value: tokenString,
- })
 w.Write(jsonBytes)
 }
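Review bot: `key, err := os.ReadFile("C:\\Users\\mhunt\\skey.pem")` hard-codes a developer-machine path and re-reads the signing key from disk on every login; load the key once at startup from a configured location (an env var or flag), keep it on `guestHandler`, and use the same bytes in the verification path of updateGuest so the two cannot drift. `Credentials: creds` puts the submitted credentials into the token payload, which is only base64url-encoded, not encrypted — if `creds` carries the password it is readable by anyone who obtains the token, so the claims should carry an identifier (the guest id) rather than the credentials themselves. The `err.Error()` passed to http.Error on the ReadFile failure echoes the key file path to the client; `http.Error(w, "internal error", http.StatusInternalServerError)` is enough there. login's body begins and ends outside this hunk.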
@@ -148,6 +144,31 @@ func (h *guestHandler) createGuest(w http.ResponseWriter, r *http.Request) {
 }
 func (h *guestHandler) updateGuest(w http.ResponseWriter, r *http.Request) {
+ tokenString := r.Header.Get("Authorization")
+ claims := &guests.Claims{}
+
+ key, err := os.ReadFile("C:\\Users\\mhunt\\skey.pem")
+ if err != nil {
+ http.Error(w, err.Error(), http.StatusInternalServerError)
+ return
+ }
+
+ token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (any, error) {
+ return key, nil
+ })
+ if err != nil {
+ if err == jwt.ErrSignatureInvalid {
+ w.WriteHeader(http.StatusUnauthorized)
+ return
+ }
+ http.Error(w, err.Error(), http.StatusBadRequest)
+ return
+ }
+ if !token.Valid {
+ w.WriteHeader(http.StatusUnauthorized)
+ return
+ }
+
 matches := guestIdRe.FindStringSubmatch(r.URL.Path)
 if len(matches) < 2 {
 http.Error(w, "No id found", http.StatusBadRequest)
@@ -155,7 +176,7 @@ func (h *guestHandler) updateGuest(w http.ResponseWriter, r *http.Request) {
 }
 var guest guests.Guest
- err := json.NewDecoder(r.Body).Decode(&guest)
+ err = json.NewDecoder(r.Body).Decode(&guest)
 if err != nil {
 http.Error(w, err.Error(), http.StatusBadRequest)
 return
--
cgit v1.2.3
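Review bot: The keyfunc passed to `jwt.ParseWithClaims` returns the HMAC key without looking at `token.Method`, so a token whose header names a different algorithm is still handed the same key; pin the expected method with `jwt.WithValidMethods([]string{jwt.SigningMethodHS256.Alg()})` (or check the method inside the keyfunc). `err == jwt.ErrSignatureInvalid` will not match in jwt/v5, which wraps its errors, so a bad signature falls into the 400 branch that echoes `err.Error()` — use `errors.Is` or, simpler, treat every verification failure (bad signature, wrong alg, expired, malformed) as a plain 401 without the library message. `r.Header.Get("Authorization")` is used verbatim; if clients send the conventional `Bearer <token>` scheme the prefix has to be stripped (`strings.TrimPrefix`, which needs a `strings` import). The key file read duplicates the one in login with the same hard-coded path; and since the function continues past the hunk and nothing visible ties the verified claims to the guest id in the URL, any valid token can presumably update any guest, so the id from the claims should be compared with `matches[1]` before the update proceeds.
```go
	tokenString := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	claims := &guests.Claims{}

	// … unchanged: key, err := os.ReadFile(…) and its error check …

	token, err := jwt.ParseWithClaims(tokenString, claims, func(token *jwt.Token) (any, error) {
		return key, nil
	}, jwt.WithValidMethods([]string{jwt.SigningMethodHS256.Alg()}))
	if err != nil || !token.Valid {
		// Bad signature, wrong alg, expired, malformed: all 401, and the library error is not echoed back.
		http.Error(w, "invalid token", http.StatusUnauthorized)
		return
	}

	// … unchanged: guest id lookup and body decode …
```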