diff --git a/backend/go.mod b/backend/go.mod index 12a0dc2..af63c98 100644 --- a/backend/go.mod +++ b/backend/go.mod @@ -5,6 +5,7 @@ go 1.21 require ( github.com/gin-gonic/gin v1.9.1 github.com/golang-jwt/jwt/v5 v5.2.0 + github.com/google/uuid v1.6.0 github.com/lib/pq v1.10.9 golang.org/x/crypto v0.18.0 github.com/joho/godotenv v1.5.1 diff --git a/backend/internal/api/handlers/auth.go b/backend/internal/api/handlers/auth.go new file mode 100644 index 0000000..fd2c2fb --- /dev/null +++ b/backend/internal/api/handlers/auth.go @@ -0,0 +1,184 @@ +package handlers + +import ( + "net/http" + + "github.com/gin-gonic/gin" + "github.com/yourusername/victorialogs-manager/internal/services" +) + +// AuthHandler handles authentication endpoints +type AuthHandler struct { + authService *services.AuthService +} + +// NewAuthHandler creates a new auth handler +func NewAuthHandler(authService *services.AuthService) *AuthHandler { + return &AuthHandler{ + authService: authService, + } +} + +// Login handles user login +// @Summary User login +// @Description Authenticate user and return JWT tokens +// @Tags auth +// @Accept json +// @Produce json +// @Param request body services.LoginRequest true "Login credentials" +// @Success 200 {object} services.LoginResponse +// @Failure 400 {object} ErrorResponse +// @Failure 401 {object} ErrorResponse +// @Router /api/v1/auth/login [post] +func (h *AuthHandler) Login(c *gin.Context) { + var req services.LoginRequest + if err := c.ShouldBindJSON(&req); err != nil { + c.JSON(http.StatusBadRequest, ErrorResponse{ + Error: "invalid request", + Message: err.Error(), + }) + return + } + + // Validate input + if req.Username == "" || req.Password == "" { + c.JSON(http.StatusBadRequest, ErrorResponse{ + Error: "validation error", + Message: "username and password are required", + }) + return + } + + resp, err := h.authService.Login(c.Request.Context(), &req) + if err != nil { + c.JSON(http.StatusUnauthorized, ErrorResponse{ + Error: "authentication failed", + Message: err.Error(), + }) + return + } + + c.JSON(http.StatusOK, resp) +} + +// RefreshToken handles token refresh +// @Summary Refresh access token +// @Description Get new access and refresh tokens using refresh token +// @Tags auth +// @Accept json +// @Produce json +// @Param request body services.RefreshTokenRequest true "Refresh token" +// @Success 200 {object} services.RefreshTokenResponse +// @Failure 400 {object} ErrorResponse +// @Failure 401 {object} ErrorResponse +// @Router /api/v1/auth/refresh [post] +func (h *AuthHandler) RefreshToken(c *gin.Context) { + var req services.RefreshTokenRequest + if err := c.ShouldBindJSON(&req); err != nil { + c.JSON(http.StatusBadRequest, ErrorResponse{ + Error: "invalid request", + Message: err.Error(), + }) + return + } + + resp, err := h.authService.RefreshToken(c.Request.Context(), &req) + if err != nil { + c.JSON(http.StatusUnauthorized, ErrorResponse{ + Error: "refresh failed", + Message: err.Error(), + }) + return + } + + c.JSON(http.StatusOK, resp) +} + +// GetMe returns the current user +// @Summary Get current user +// @Description Get current authenticated user information +// @Tags auth +// @Produce json +// @Success 200 {object} models.User +// @Failure 401 {object} ErrorResponse +// @Security BearerAuth +// @Router /api/v1/auth/me [get] +func (h *AuthHandler) GetMe(c *gin.Context) { + // Get user ID from context (set by auth middleware) + userID, exists := c.Get("user_id") + if !exists { + c.JSON(http.StatusUnauthorized, ErrorResponse{ + Error: "unauthorized", + Message: "user not authenticated", + }) + return + } + + user, err := h.authService.GetCurrentUser(c.Request.Context(), userID.(string)) + if err != nil { + c.JSON(http.StatusNotFound, ErrorResponse{ + Error: "user not found", + Message: err.Error(), + }) + return + } + + c.JSON(http.StatusOK, user) +} + +// ChangePassword handles password change +// @Summary Change password +// @Description Change current user's password +// @Tags auth +// @Accept json +// @Produce json +// @Param request body services.ChangePasswordRequest true "Password change request" +// @Success 200 {object} SuccessResponse +// @Failure 400 {object} ErrorResponse +// @Failure 401 {object} ErrorResponse +// @Security BearerAuth +// @Router /api/v1/auth/change-password [post] +func (h *AuthHandler) ChangePassword(c *gin.Context) { + // Get user ID from context + userID, exists := c.Get("user_id") + if !exists { + c.JSON(http.StatusUnauthorized, ErrorResponse{ + Error: "unauthorized", + Message: "user not authenticated", + }) + return + } + + var req services.ChangePasswordRequest + if err := c.ShouldBindJSON(&req); err != nil { + c.JSON(http.StatusBadRequest, ErrorResponse{ + Error: "invalid request", + Message: err.Error(), + }) + return + } + + err := h.authService.ChangePassword(c.Request.Context(), userID.(string), &req) + if err != nil { + c.JSON(http.StatusBadRequest, ErrorResponse{ + Error: "password change failed", + Message: err.Error(), + }) + return + } + + c.JSON(http.StatusOK, SuccessResponse{ + Message: "password changed successfully", + }) +} + +// ErrorResponse represents an error response +type ErrorResponse struct { + Error string `json:"error"` + Message string `json:"message"` +} + +// SuccessResponse represents a success response +type SuccessResponse struct { + Message string `json:"message"` +} diff --git a/backend/internal/services/auth_service.go b/backend/internal/services/auth_service.go new file mode 100644 index 0000000..82ab3a7 --- /dev/null +++ b/backend/internal/services/auth_service.go @@ -0,0 +1,231 @@ +package services + +import ( + "context" + "fmt" + + "golang.org/x/crypto/bcrypt" + "github.com/google/uuid" + "github.com/yourusername/victorialogs-manager/internal/models" + "github.com/yourusername/victorialogs-manager/internal/repository" + "github.com/yourusername/victorialogs-manager/internal/utils" +) + +// AuthService handles authentication business logic +type AuthService struct { + userRepo *repository.UserRepository + jwtManager *utils.JWTManager +} + +// NewAuthService creates a new auth service +func NewAuthService(userRepo *repository.UserRepository, jwtManager *utils.JWTManager) *AuthService { + return &AuthService{ + userRepo: userRepo, + jwtManager: jwtManager, + } +} + +// LoginRequest represents a login request +type LoginRequest struct { + Username string `json:"username" binding:"required"` + Password string `json:"password" binding:"required"` +} + +// LoginResponse represents a login response +type LoginResponse struct{ + AccessToken string `json:"access_token"` + RefreshToken string `json:"refresh_token"` + User *models.User `json:"user"` +} + +// Login authenticates a user and returns JWT tokens +func (s *AuthService) Login(ctx context.Context, req *LoginRequest) (*LoginResponse, error) { + // Get user by username + user, err := s.userRepo.GetByUsername(ctx, req.Username) + if err != nil { + return nil, fmt.Errorf("invalid credentials") + } + + // Check if user is active + if !user.IsActive { + return nil, fmt.Errorf("user account is disabled") + } + + // Verify password + err = bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(req.Password)) + if err != nil { + return nil, fmt.Errorf("invalid credentials") + } + + // Generate access token + accessToken, err := s.jwtManager.GenerateAccessToken(user) + if err != nil { + return nil, fmt.Errorf("failed to generate access token: %w", err) + } + + // Generate refresh token + refreshToken, err := s.jwtManager.GenerateRefreshToken(user.ID) + if err != nil { + return nil, fmt.Errorf("failed to generate refresh token: %w", err) + } + + // Clear password hash from response + user.PasswordHash = "" + + return &LoginResponse{ + AccessToken: accessToken, + RefreshToken: refreshToken, + User: user, + }, nil +} + +// RefreshTokenRequest represents a refresh token request +type RefreshTokenRequest struct { + RefreshToken string `json:"refresh_token" binding:"required"` +} + +// RefreshTokenResponse represents a refresh token response +type RefreshTokenResponse struct { + AccessToken string `json:"access_token"` + RefreshToken string `json:"refresh_token"` +} + +// RefreshToken generates new tokens from a refresh token +func (s *AuthService) RefreshToken(ctx context.Context, req *RefreshTokenRequest) (*RefreshTokenResponse, error) { + // Validate refresh token + userID, err := s.jwtManager.ValidateRefreshToken(req.RefreshToken) + if err != nil { + return nil, fmt.Errorf("invalid refresh token: %w", err) + } + + // Get user + user, err := s.userRepo.GetByID(ctx, userID) + if err != nil { + return nil, fmt.Errorf("user not found") + } + + // Check if user is active + if !user.IsActive { + return nil, fmt.Errorf("user account is disabled") + } + + // Generate new access token + accessToken, err := s.jwtManager.GenerateAccessToken(user) + if err != nil { + return nil, fmt.Errorf("failed to generate access token: %w", err) + } + + // Generate new refresh token + refreshToken, err := s.jwtManager.GenerateRefreshToken(user.ID) + if err != nil { + return nil, fmt.Errorf("failed to generate refresh token: %w", err) + } + + return &RefreshTokenResponse{ + AccessToken: accessToken, + RefreshToken: refreshToken, + }, nil +} + +// GetCurrentUser returns the current user from claims +func (s *AuthService) GetCurrentUser(ctx context.Context, userID string) (*models.User, error) { + user, err := s.userRepo.GetByID(ctx, userID) + if err != nil { + return nil, fmt.Errorf("user not found") + } + + // Clear password hash + user.PasswordHash = "" + + return user, nil +} + +// CreateUserRequest represents a user creation request +type CreateUserRequest struct { + Username string `json:"username" binding:"required,min=3,max=50"` + Email string `json:"email" binding:"required,email"` + Password string `json:"password" binding:"required,min=8"` + Role models.Role `json:"role" binding:"required"` +} + +// CreateUser creates a new user (admin only) +func (s *AuthService) CreateUser(ctx context.Context, req *CreateUserRequest) (*models.User, error) { + // Check if username exists + exists, err := s.userRepo.UsernameExists(ctx, req.Username) + if err != nil { + return nil, fmt.Errorf("failed to check username: %w", err) + } + if exists { + return nil, fmt.Errorf("username already exists") + } + + // Check if email exists + exists, err = s.userRepo.EmailExists(ctx, req.Email) + if err != nil { + return nil, fmt.Errorf("failed to check email: %w", err) + } + if exists { + return nil, fmt.Errorf("email already exists") + } + + // Hash password + hashedPassword, err := bcrypt.GenerateFromPassword([]byte(req.Password), bcrypt.DefaultCost) + if err != nil { + return nil, fmt.Errorf("failed to hash password: %w", err) + } + + // Create user + user := &models.User{ + ID: uuid.New().String(), + Username: req.Username, + Email: req.Email, + PasswordHash: string(hashedPassword), + Role: req.Role, + IsActive: true, + } + + err = s.userRepo.Create(ctx, user) + if err != nil { + return nil, fmt.Errorf("failed to create user: %w", err) + } + + // Clear password hash + user.PasswordHash = "" + + return user, nil +} + +// ChangePasswordRequest represents a password change request +type ChangePasswordRequest struct { + OldPassword string `json:"old_password" binding:"required"` + NewPassword string `json:"new_password" binding:"required,min=8"` +} + +// ChangePassword changes a user's password +func (s *AuthService) ChangePassword(ctx context.Context, userID string, req *ChangePasswordRequest) error { + // Get user + user, err := s.userRepo.GetByID(ctx, userID) + if err != nil { + return fmt.Errorf("user not found") + } + + // Verify old password + err = bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(req.OldPassword)) + if err != nil { + return fmt.Errorf("invalid old password") + } + + // Hash new password + hashedPassword, err := bcrypt.GenerateFromPassword([]byte(req.NewPassword), bcrypt.DefaultCost) + if err != nil { + return fmt.Errorf("failed to hash password: %w", err) + } + + // Update password + err = s.userRepo.UpdatePassword(ctx, userID, string(hashedPassword)) + if err != nil { + return fmt.Errorf("failed to update password: %w", err) + } + + return nil +}