v0.9.0 user and session management improvement, xterm.js addons

2026-02-07 15:37:52 -05:00
parent 0a85cc88bb
commit 820ad7eb27
62 changed files with 875 additions and 446 deletions
--- a/internal/server/service/user.go
+++ b/internal/server/service/user.go
@ -1,4 +1,3 @@
-// FILE: lixenwraith/chess/internal/server/service/user.go
 package service

 import (
@ -14,25 +13,54 @@ import (

 // User represents a registered user account
 type User struct {
-	UserID    string
-	Username  string
-	Email     string
-	CreatedAt time.Time
+	UserID      string
+	Username    string
+	Email       string
+	AccountType string
+	CreatedAt   time.Time
+	ExpiresAt   *time.Time
 }

-// CreateUser creates new user with transactional consistency
-func (s *Service) CreateUser(username, email, password string) (*User, error) {
+// CreateUser creates new user with registration limits enforcement
+func (s *Service) CreateUser(username, email, password string, permanent bool) (*User, error) {
 	if s.store == nil {
 		return nil, fmt.Errorf("storage disabled")
 	}

+	// Check registration limits
+	total, permCount, _, err := s.store.GetUserCounts()
+	if err != nil {
+		return nil, fmt.Errorf("failed to check user limits: %w", err)
+	}
+
+	// Determine account type
+	accountType := "temp"
+	var expiresAt *time.Time
+
+	if permanent {
+		if permCount >= PermanentSlots {
+			return nil, fmt.Errorf("permanent user slots full (%d/%d)", permCount, PermanentSlots)
+		}
+		accountType = "permanent"
+	} else {
+		expiry := time.Now().UTC().Add(TempUserTTL)
+		expiresAt = &expiry
+	}
+
+	// Handle capacity - remove oldest temp user if at max
+	if total >= MaxUsers {
+		if err := s.removeOldestTempUser(); err != nil {
+			return nil, fmt.Errorf("at capacity and cannot make room: %w", err)
+		}
+	}
+
 	// Hash password
 	passwordHash, err := auth.HashPassword(password)
 	if err != nil {
 		return nil, fmt.Errorf("failed to hash password: %w", err)
 	}

-	// Generate guaranteed unique user ID with proper collision handling
+	// Generate unique user ID
 	userID, err := s.generateUniqueUserID()
 	if err != nil {
 		return nil, fmt.Errorf("failed to generate unique ID: %w", err)
@ -40,19 +68,22 @@ func (s *Service) CreateUser(username, email, password string) (*User, error) {

 	// Create user record
 	user := &User{
-		UserID:    userID,
-		Username:  username,
-		Email:     email,
-		CreatedAt: time.Now().UTC(),
+		UserID:      userID,
+		Username:    username,
+		Email:       email,
+		AccountType: accountType,
+		CreatedAt:   time.Now().UTC(),
+		ExpiresAt:   expiresAt,
 	}

-	// Use transactional storage method
 	record := storage.UserRecord{
 		UserID:       userID,
-		Username:     username,
-		Email:        email,
+		Username:     strings.ToLower(username),
+		Email:        strings.ToLower(email),
 		PasswordHash: passwordHash,
+		AccountType:  accountType,
 		CreatedAt:    user.CreatedAt,
+		ExpiresAt:    expiresAt,
 	}

 	if err = s.store.CreateUser(record); err != nil {
@ -62,11 +93,28 @@ func (s *Service) CreateUser(username, email, password string) (*User, error) {
 	return user, nil
 }

-// AuthenticateUser verifies user credentials and returns user information
-// AuthenticateUser verifies user credentials and returns user information
-func (s *Service) AuthenticateUser(identifier, password string) (*User, error) {
+// removeOldestTempUser removes the oldest temporary user to make room
+func (s *Service) removeOldestTempUser() error {
+	oldest, err := s.store.GetOldestTempUser()
+	if err != nil {
+		return fmt.Errorf("no temp users to remove: %w", err)
+	}
+
+	// Delete their session first
+	_ = s.store.DeleteSessionByUserID(oldest.UserID)
+
+	// Delete the user
+	if err := s.store.DeleteUserByID(oldest.UserID); err != nil {
+		return fmt.Errorf("failed to remove oldest user: %w", err)
+	}
+
+	return nil
+}
+
+// AuthenticateUser verifies credentials and creates a new session
+func (s *Service) AuthenticateUser(identifier, password string) (*User, string, error) {
 	if s.store == nil {
-		return nil, fmt.Errorf("storage disabled")
+		return nil, "", fmt.Errorf("storage disabled")
 	}

 	var userRecord *storage.UserRecord
@ -80,36 +128,62 @@ func (s *Service) AuthenticateUser(identifier, password string) (*User, error) {
 	}

 	if err != nil {
-		// Always hash to prevent timing attacks
-		auth.HashPassword(password)
-		return nil, fmt.Errorf("invalid credentials")
+		auth.HashPassword(password) // Timing attack prevention
+		return nil, "", fmt.Errorf("invalid credentials")
 	}

 	// Verify password
 	if err := auth.VerifyPassword(password, userRecord.PasswordHash); err != nil {
-		return nil, fmt.Errorf("invalid credentials")
+		return nil, "", fmt.Errorf("invalid credentials")
 	}

-	return &User{
+	// Check if temp user expired
+	if userRecord.AccountType == "temp" && userRecord.ExpiresAt != nil {
+		if time.Now().UTC().After(*userRecord.ExpiresAt) {
+			return nil, "", fmt.Errorf("account expired")
+		}
+	}
+
+	// Create new session (invalidates any existing session)
+	sessionID := uuid.New().String()
+	sessionRecord := storage.SessionRecord{
+		SessionID: sessionID,
 		UserID:    userRecord.UserID,
-		Username:  userRecord.Username,
-		Email:     userRecord.Email,
-		CreatedAt: userRecord.CreatedAt,
-	}, nil
+		CreatedAt: time.Now().UTC(),
+		ExpiresAt: time.Now().UTC().Add(SessionTTL),
+	}
+
+	if err := s.store.CreateSession(sessionRecord); err != nil {
+		return nil, "", fmt.Errorf("failed to create session: %w", err)
+	}
+
+	// Update last login
+	_ = s.store.UpdateUserLastLoginSync(userRecord.UserID, time.Now().UTC())
+
+	return &User{
+		UserID:      userRecord.UserID,
+		Username:    userRecord.Username,
+		Email:       userRecord.Email,
+		AccountType: userRecord.AccountType,
+		CreatedAt:   userRecord.CreatedAt,
+		ExpiresAt:   userRecord.ExpiresAt,
+	}, sessionID, nil
 }

-// UpdateLastLogin updates the last login timestamp for a user
-func (s *Service) UpdateLastLogin(userID string) error {
+// ValidateSession checks if a session is valid
+func (s *Service) ValidateSession(sessionID string) (bool, error) {
+	if s.store == nil {
+		return false, fmt.Errorf("storage disabled")
+	}
+	return s.store.IsSessionValid(sessionID)
+}
+
+// InvalidateSession removes a session (logout)
+func (s *Service) InvalidateSession(sessionID string) error {
 	if s.store == nil {
 		return fmt.Errorf("storage disabled")
 	}
-
-	err := s.store.UpdateUserLastLoginSync(userID, time.Now().UTC())
-	if err != nil {
-		return fmt.Errorf("failed to update last login time for user %s: %w\n", userID, err)
-	}
-
-	return nil
+	return s.store.DeleteSession(sessionID)
 }

 // GetUserByID retrieves user information by user ID
@ -124,31 +198,47 @@ func (s *Service) GetUserByID(userID string) (*User, error) {
 	}

 	return &User{
-		UserID:    userRecord.UserID,
-		Username:  userRecord.Username,
-		Email:     userRecord.Email,
-		CreatedAt: userRecord.CreatedAt,
+		UserID:      userRecord.UserID,
+		Username:    userRecord.Username,
+		Email:       userRecord.Email,
+		AccountType: userRecord.AccountType,
+		CreatedAt:   userRecord.CreatedAt,
+		ExpiresAt:   userRecord.ExpiresAt,
 	}, nil
 }

-// GenerateUserToken creates a JWT token for the specified user
-func (s *Service) GenerateUserToken(userID string) (string, error) {
+// GenerateUserToken creates a JWT token for the specified user with session ID
+func (s *Service) GenerateUserToken(userID, sessionID string) (string, error) {
 	user, err := s.GetUserByID(userID)
 	if err != nil {
 		return "", err
 	}

 	claims := map[string]any{
-		"username": user.Username,
-		"email":    user.Email,
+		"username":   user.Username,
+		"email":      user.Email,
+		"session_id": sessionID,
 	}

-	return auth.GenerateHS256Token(s.jwtSecret, userID, claims, 7*24*time.Hour)
+	return auth.GenerateHS256Token(s.jwtSecret, userID, claims, SessionTTL)
 }

-// ValidateToken verifies JWT token and returns user ID with claims
+// ValidateToken verifies JWT token and session validity
 func (s *Service) ValidateToken(token string) (string, map[string]any, error) {
-	return auth.ValidateHS256Token(s.jwtSecret, token)
+	userID, claims, err := auth.ValidateHS256Token(s.jwtSecret, token)
+	if err != nil {
+		return "", nil, err
+	}
+
+	// Validate session is still active
+	if sessionID, ok := claims["session_id"].(string); ok && s.store != nil {
+		valid, err := s.store.IsSessionValid(sessionID)
+		if err != nil || !valid {
+			return "", nil, fmt.Errorf("session invalidated")
+		}
+	}
+
+	return userID, claims, nil
 }

 // generateUniqueUserID creates a unique user ID with collision detection
@ -157,19 +247,32 @@ func (s *Service) generateUniqueUserID() (string, error) {

 	for i := 0; i < maxAttempts; i++ {
 		id := uuid.New().String()
-
-		// Check for collision
 		if _, err := s.store.GetUserByID(id); err != nil {
-			// Error means not found, ID is unique
 			return id, nil
 		}
-
-		// Collision detected, try again
-		if i == maxAttempts-1 {
-			// After max attempts, fail and don't risk collision
-			return "", fmt.Errorf("failed to generate unique ID after %d attempts", maxAttempts)
-		}
 	}

 	return "", fmt.Errorf("failed to generate unique user ID")
+}
+
+// CreateUserSession creates a session for a user without re-authenticating
+// Used after registration to avoid redundant password hashing
+func (s *Service) CreateUserSession(userID string) (string, error) {
+	if s.store == nil {
+		return "", fmt.Errorf("storage disabled")
+	}
+
+	sessionID := uuid.New().String()
+	sessionRecord := storage.SessionRecord{
+		SessionID: sessionID,
+		UserID:    userID,
+		CreatedAt: time.Now().UTC(),
+		ExpiresAt: time.Now().UTC().Add(SessionTTL),
+	}
+
+	if err := s.store.CreateSession(sessionRecord); err != nil {
+		return "", fmt.Errorf("failed to create session: %w", err)
+	}
+
+	return sessionID, nil
 }