chat/internal/db/auth.go

package db

import (
	"context"
	"errors"
	"fmt"
	"time"

	"github.com/google/uuid"
	"golang.org/x/crypto/bcrypt"
)

//nolint:gochecknoglobals // var so tests can override via SetBcryptCost
var bcryptCost = bcrypt.DefaultCost

// SetBcryptCost overrides the bcrypt cost.
// Use bcrypt.MinCost in tests to avoid slow hashing.
func SetBcryptCost(cost int) { bcryptCost = cost }

var errNoPassword = errors.New(
	"account has no password set",
)

// RegisterUser creates a session with a hashed password
// and returns session ID, client ID, and token.
func (database *Database) RegisterUser(
	ctx context.Context,
	nick, password, username, hostname, remoteIP string,
) (int64, int64, string, error) {
	if username == "" {
		username = nick
	}

	hash, err := bcrypt.GenerateFromPassword(
		[]byte(password), bcryptCost,
	)
	if err != nil {
		return 0, 0, "", fmt.Errorf(
			"hash password: %w", err,
		)
	}

	sessionUUID := uuid.New().String()
	clientUUID := uuid.New().String()

	token, err := generateToken()
	if err != nil {
		return 0, 0, "", err
	}

	now := time.Now()

	transaction, err := database.conn.BeginTx(ctx, nil)
	if err != nil {
		return 0, 0, "", fmt.Errorf(
			"begin tx: %w", err,
		)
	}

	res, err := transaction.ExecContext(ctx,
		`INSERT INTO sessions
		 (uuid, nick, username, hostname, ip,
		  password_hash, created_at, last_seen)
		 VALUES (?, ?, ?, ?, ?, ?, ?, ?)`,
		sessionUUID, nick, username, hostname,
		remoteIP, string(hash), now, now)
	if err != nil {
		_ = transaction.Rollback()

		return 0, 0, "", fmt.Errorf(
			"create session: %w", err,
		)
	}

	sessionID, _ := res.LastInsertId()

	tokenHash := hashToken(token)

	clientRes, err := transaction.ExecContext(ctx,
		`INSERT INTO clients
		 (uuid, session_id, token, ip, hostname,
		  created_at, last_seen)
		 VALUES (?, ?, ?, ?, ?, ?, ?)`,
		clientUUID, sessionID, tokenHash,
		remoteIP, hostname, now, now)
	if err != nil {
		_ = transaction.Rollback()

		return 0, 0, "", fmt.Errorf(
			"create client: %w", err,
		)
	}

	clientID, _ := clientRes.LastInsertId()

	err = transaction.Commit()
	if err != nil {
		return 0, 0, "", fmt.Errorf(
			"commit registration: %w", err,
		)
	}

	return sessionID, clientID, token, nil
}

// LoginUser verifies a nick/password and creates a new
// client token.
func (database *Database) LoginUser(
	ctx context.Context,
	nick, password, remoteIP, hostname string,
) (int64, int64, string, error) {
	var (
		sessionID    int64
		passwordHash string
	)

	err := database.conn.QueryRowContext(
		ctx,
		`SELECT id, password_hash
		 FROM sessions WHERE nick = ?`,
		nick,
	).Scan(&sessionID, &passwordHash)
	if err != nil {
		return 0, 0, "", fmt.Errorf(
			"get session for login: %w", err,
		)
	}

	if passwordHash == "" {
		return 0, 0, "", fmt.Errorf(
			"login: %w", errNoPassword,
		)
	}

	err = bcrypt.CompareHashAndPassword(
		[]byte(passwordHash), []byte(password),
	)
	if err != nil {
		return 0, 0, "", fmt.Errorf(
			"verify password: %w", err,
		)
	}

	clientUUID := uuid.New().String()

	token, err := generateToken()
	if err != nil {
		return 0, 0, "", err
	}

	now := time.Now()

	tokenHash := hashToken(token)

	res, err := database.conn.ExecContext(ctx,
		`INSERT INTO clients
		 (uuid, session_id, token, ip, hostname,
		  created_at, last_seen)
		 VALUES (?, ?, ?, ?, ?, ?, ?)`,
		clientUUID, sessionID, tokenHash,
		remoteIP, hostname, now, now)
	if err != nil {
		return 0, 0, "", fmt.Errorf(
			"create login client: %w", err,
		)
	}

	clientID, _ := res.LastInsertId()

	_, _ = database.conn.ExecContext(
		ctx,
		"UPDATE sessions SET last_seen = ? WHERE id = ?",
		now, sessionID,
	)

	return sessionID, clientID, token, nil
}