Fix password has comparison

Author: victorsteven

.env

@@ -1,37 +1,35 @@
-# API_PORT=8080
+# Postgres Live
+DB_HOST=127.0.0.1
+DB_DRIVER=postgres
+API_SECRET=98hbun98h #This is used when creating a JWT. It can be anything you want 
+DB_USER=steven
+DB_PASSWORD=
+DB_NAME=fullstack_api
+DB_PORT=5432 #Default postgres port
 
-# # Postgres
+# Postgres Test
+TestDbHost=127.0.0.1
+TestDbDriver=postgres
+TestApiSecret=98hbun98h
+TestDbUser=steven
+TestDbPassword=
+TestDbName=fullstack_api_test
+TestDbPort=5432
+
+# Mysql Live
 # DB_HOST=127.0.0.1
-# DB_DRIVER=postgres
-# API_SECRET=98hbun98h
+# DB_DRIVER=mysql 
+# API_SECRET=98hbun98h #This is used when creating a JWT. It can be anything you want 
 # DB_USER=steven
-# DB_PASSWORD=
+# DB_PASSWORD=here
 # DB_NAME=fullstack_api
-# DB_PORT=5432
+# DB_PORT=3306 #Default mysql port
 
-# # Test Postgres
+# Mysql Test
 # TestDbHost=127.0.0.1
-# TestDbDriver=postgres
+# TestDbDriver=mysql
 # TestApiSecret=98hbun98h
 # TestDbUser=steven
-# TestDbPassword=
+# TestDbPassword=here
 # TestDbName=fullstack_api_test
-# TestDbPort=5432
-
-# Mysql
-DB_HOST=127.0.0.1
-DB_DRIVER=mysql
-API_SECRET=98hbun98h
-DB_USER=steven
-DB_PASSWORD=here
-DB_NAME=fullstack_api
-DB_PORT=3306
-
-# Test Mysql
-TestDbHost=127.0.0.1
-TestDbDriver=mysql
-TestApiSecret=98hbun98h
-TestDbUser=steven
-TestDbPassword=here
-TestDbName=fullstack_api_test
-TestDbPort=3306
+# TestDbPort=3306

api/auth/token.go

@@ -3,13 +3,13 @@ package auth
 import (
 	"fmt"
 	"net/http"
+	"os"
 	"strconv"
 	"strings"
 	"time"
 
 	jwt "github.com/dgrijalva/jwt-go"
 	"github.com/victorsteven/fullstack/api/utils/console"
-	"github.com/victorsteven/fullstack/config"
 )
 
 func CreateToken(user_id uint32) (string, error) {
@@ -19,7 +19,8 @@ func CreateToken(user_id uint32) (string, error) {
 	// claims["exp"] = time.Now().Add(time.Hour * 1).Unix()
 	claims["exp"] = time.Now().Add(time.Hour * 24).Unix()
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
-	return token.SignedString(config.SECRETKEY)
+	return token.SignedString([]byte(os.Getenv("API_SECRET")))
+
 }
 
 func TokenValid(r *http.Request) error {
@@ -28,7 +29,7 @@ func TokenValid(r *http.Request) error {
 		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
 			return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
 		}
-		return config.SECRETKEY, nil
+		return []byte(os.Getenv("API_SECRET")), nil
 	})
 	if err != nil {
 		return err
@@ -59,7 +60,7 @@ func ExtractTokenID(r *http.Request) (uint32, error) {
 		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
 			return nil, fmt.Errorf("Unexpected signing method: %v", token.Header["alg"])
 		}
-		return config.SECRETKEY, nil
+		return []byte(os.Getenv("API_SECRET")), nil
 	})
 	if err != nil {
 		return 0, err

api/controllers/login_controller.go

@@ -9,6 +9,8 @@ import (
 	"github.com/victorsteven/fullstack/api/models"
 	"github.com/victorsteven/fullstack/api/responses"
 	"github.com/victorsteven/fullstack/api/utils/channels"
+	"github.com/victorsteven/fullstack/api/utils/formaterror"
+	"golang.org/x/crypto/bcrypt"
 )
 
 func (server *Server) Login(w http.ResponseWriter, r *http.Request) {
@@ -32,7 +34,8 @@ func (server *Server) Login(w http.ResponseWriter, r *http.Request) {
 	}
 	token, err := server.SignIn(user.Email, user.Password)
 	if err != nil {
-		responses.ERROR(w, http.StatusUnprocessableEntity, err)
+		formattedError := formaterror.FormatError(err.Error())
+		responses.ERROR(w, http.StatusUnprocessableEntity, formattedError)
 		return
 	}
 	responses.JSON(w, http.StatusOK, token)
@@ -51,6 +54,12 @@ func (server *Server) SignIn(email, password string) (string, error) {
 			ch <- false
 			return
 		}
+
+		err = models.VerifyPassword(user.Password, password)
+		if err != nil && err == bcrypt.ErrMismatchedHashAndPassword {
+			ch <- false
+			return
+		}
 		ch <- true
 	}(done)
 

api/models/Post.go

@@ -18,8 +18,6 @@ type Post struct {
 	AuthorID  uint32    `gorm:"not null" json:"author_id"`
 	CreatedAt time.Time `gorm:"default:CURRENT_TIMESTAMP" json:"created_at"`
 	UpdatedAt time.Time `gorm:"default:CURRENT_TIMESTAMP" json:"updated_at"`
-	// CreatedAt time.Time `json:"created_at"`
-	// UpdatedAt time.Time `json:"updated_at"`
 }
 
 func (p *Post) Prepare() {

api/models/User.go

@@ -8,8 +8,8 @@ import (
 
 	"github.com/badoux/checkmail"
 	"github.com/jinzhu/gorm"
-	"github.com/victorsteven/fullstack/api/security"
 	"github.com/victorsteven/fullstack/api/utils/channels"
+	"golang.org/x/crypto/bcrypt"
 )
 
 type User struct {
@@ -21,8 +21,16 @@ type User struct {
 	UpdatedAt time.Time `gorm:"default:CURRENT_TIMESTAMP" json:"updated_at"`
 }
 
+func Hash(password string) ([]byte, error) {
+	return bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+}
+
+func VerifyPassword(hashedPassword, password string) error {
+	return bcrypt.CompareHashAndPassword([]byte(hashedPassword), []byte(password))
+}
+
 func (u *User) BeforeSave() error {
-	hashedPassword, err := security.Hash(u.Password)
+	hashedPassword, err := Hash(u.Password)
 	if err != nil {
 		return err
 	}

api/security/password.go

@@ -18,6 +18,8 @@ func FormatError(err string) error {
 	if strings.Contains(err, "title") {
 		return errors.New("Title Already Taken")
 	}
-
-	return nil
+	if strings.Contains(err, "hashedPassword") {
+		return errors.New("Incorrect Password")
+	}
+	return errors.New("Incorrect Details")
 }

api/utils/formaterror/formaterror.go

@@ -3,6 +3,7 @@ package controllertests
 import (
 	"bytes"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"log"
 	"net/http"
@@ -18,18 +19,42 @@ func TestSignIn(t *testing.T) {
 	if err != nil {
 		log.Fatal(err)
 	}
-
 	user, err := seedOneUser()
 	if err != nil {
 		fmt.Printf("This is the error %v\n", err)
 	}
-	fmt.Printf("This is the user: %v\n", user)
 
-	token, err := server.SignIn(user.Email, user.Password)
-	if err != nil {
-		log.Fatal(err)
+	samples := []struct {
+		email        string
+		password     string
+		errorMessage string
+	}{
+		{
+			email:        user.Email,
+			password:     "password", //Note the password has to be this, not the hashed one from the database
+			errorMessage: "",
+		},
+		{
+			email:        user.Email,
+			password:     "Wrong password",
+			errorMessage: "crypto/bcrypt: hashedPassword is not the hash of the given password",
+		},
+		{
+			email:        "Wrong email",
+			password:     "password",
+			errorMessage: "record not found",
+		},
+	}
+
+	for _, v := range samples {
+
+		token, err := server.SignIn(v.email, v.password)
+		if err != nil {
+			assert.Equal(t, err, errors.New(v.errorMessage))
+		} else {
+			assert.NotEqual(t, token, "")
+		}
 	}
-	assert.NotEqual(t, token, "")
 }
 
 func TestLogin(t *testing.T) {
@@ -40,7 +65,6 @@ func TestLogin(t *testing.T) {
 	if err != nil {
 		fmt.Printf("This is the error %v\n", err)
 	}
-
 	samples := []struct {
 		inputJSON    string
 		statusCode   int
@@ -53,10 +77,15 @@ func TestLogin(t *testing.T) {
 			statusCode:   200,
 			errorMessage: "",
 		},
+		{
+			inputJSON:    `{"email": "pet@gmail.com", "password": "wrong password"}`,
+			statusCode:   422,
+			errorMessage: "Incorrect Password",
+		},
 		{
 			inputJSON:    `{"email": "frank@gmail.com", "password": "password"}`,
 			statusCode:   422,
-			errorMessage: "record not found",
+			errorMessage: "Incorrect Details",
 		},
 		{
 			inputJSON:    `{"email": "kangmail.com", "password": "password"}`,
@@ -84,7 +113,7 @@ func TestLogin(t *testing.T) {
 
 		req, err := http.NewRequest("POST", "/login", bytes.NewBufferString(v.inputJSON))
 		if err != nil {
-			log.Fatalf("this is the error: %v", err)
+			t.Errorf("this is the error: %v", err)
 		}
 		rr := httptest.NewRecorder()
 		handler := http.HandlerFunc(server.Login)
@@ -99,7 +128,7 @@ func TestLogin(t *testing.T) {
 			responseMap := make(map[string]interface{})
 			err = json.Unmarshal([]byte(rr.Body.String()), &responseMap)
 			if err != nil {
-				fmt.Printf("Cannot convert to json: %v", err)
+				t.Errorf("Cannot convert to json: %v", err)
 			}
 			assert.Equal(t, responseMap["error"], v.errorMessage)
 		}

tests/controllertests/login_controller_test.go

@@ -25,7 +25,7 @@ func TestCreatePost(t *testing.T) {
 	if err != nil {
 		log.Fatalf("Cannot seed user %v\n", err)
 	}
-	token, err := server.SignIn(user.Email, user.Password)
+	token, err := server.SignIn(user.Email, "password") //Note the password in the database is already hashed, we want unhashed
 	if err != nil {
 		log.Fatalf("cannot login: %v\n", err)
 	}
@@ -226,7 +226,7 @@ func TestUpdatePost(t *testing.T) {
 			continue
 		}
 		PostUserEmail = user.Email
-		PostUserPassword = user.Password
+		PostUserPassword = "password" //Note the password in the database is already hashed, we want unhashed
 	}
 	//Login the user and get the authentication token
 	token, err := server.SignIn(PostUserEmail, PostUserPassword)
@@ -375,7 +375,7 @@ func TestDeletePost(t *testing.T) {
 			continue
 		}
 		PostUserEmail = user.Email
-		PostUserPassword = user.Password
+		PostUserPassword = "password" //Note the password in the database is already hashed, we want unhashed
 	}
 	//Login the user and get the authentication token
 	token, err := server.SignIn(PostUserEmail, PostUserPassword)

tests/controllertests/post_controller_test.go

@@ -194,7 +194,7 @@ func TestUpdateUser(t *testing.T) {
 		}
 		AuthID = user.ID
 		AuthEmail = user.Email
-		AuthPassword = user.Password
+		AuthPassword = "password" //Note the password in the database is already hashed, we want unhashed
 	}
 	//Login the user and get the authentication token
 	token, err := server.SignIn(AuthEmail, AuthPassword)
@@ -342,7 +342,7 @@ func TestDeleteUser(t *testing.T) {
 		}
 		AuthID = user.ID
 		AuthEmail = user.Email
-		AuthPassword = user.Password
+		AuthPassword = "password" ////Note the password in the database is already hashed, we want unhashed
 	}
 	//Login the user and get the authentication token
 	token, err := server.SignIn(AuthEmail, AuthPassword)