v0.5.0 user support with auth added, tests and doc updated

2025-11-05 02:56:41 -05:00
parent 59486bfe32
commit a3f4db96fa
25 changed files with 2409 additions and 1172 deletions
--- a/internal/http/auth.go
+++ b/internal/http/auth.go
@ -0,0 +1,232 @@
+// FILE: internal/http/auth.go
+package http
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+	"time"
+	"unicode"
+
+	"chess/internal/core"
+
+	"github.com/gofiber/fiber/v2"
+)
+
+var emailRegex = regexp.MustCompile(`^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$`)
+var usernameRegex = regexp.MustCompile(`^[a-zA-Z0-9_]{1,40}$`)
+
+// RegisterRequest defines the user registration payload
+type RegisterRequest struct {
+	Username string `json:"username" validate:"required,min=1,max=40"`
+	Email    string `json:"email" validate:"omitempty,max=255"`
+	Password string `json:"password" validate:"required,min=8,max=128"`
+}
+
+// LoginRequest defines the authentication payload
+type LoginRequest struct {
+	Identifier string `json:"identifier" validate:"required"` // username or email
+	Password   string `json:"password" validate:"required"`
+}
+
+// AuthResponse contains JWT token and user information
+type AuthResponse struct {
+	Token     string    `json:"token"`
+	UserID    string    `json:"userId"`
+	Username  string    `json:"username"`
+	Email     string    `json:"email,omitempty"`
+	ExpiresAt time.Time `json:"expiresAt"`
+}
+
+// UserResponse contains current user information
+type UserResponse struct {
+	UserID    string    `json:"userId"`
+	Username  string    `json:"username"`
+	Email     string    `json:"email,omitempty"`
+	CreatedAt time.Time `json:"createdAt"`
+}
+
+// RegisterHandler creates a new user account
+func (h *HTTPHandler) RegisterHandler(c *fiber.Ctx) error {
+	var req RegisterRequest
+	if err := c.BodyParser(&req); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(core.ErrorResponse{
+			Error:   "invalid request body",
+			Code:    core.ErrInvalidRequest,
+			Details: err.Error(),
+		})
+	}
+
+	// Validate username format
+	if !usernameRegex.MatchString(req.Username) {
+		return c.Status(fiber.StatusBadRequest).JSON(core.ErrorResponse{
+			Error:   "invalid username format",
+			Code:    core.ErrInvalidRequest,
+			Details: "username must be 1-40 characters, alphanumeric and underscore only",
+		})
+	}
+
+	// Validate email format if provided
+	if req.Email != "" && !emailRegex.MatchString(req.Email) {
+		return c.Status(fiber.StatusBadRequest).JSON(core.ErrorResponse{
+			Error:   "invalid email format",
+			Code:    core.ErrInvalidRequest,
+			Details: "email must be a valid email address",
+		})
+	}
+
+	// Validate password strength
+	if err := validatePassword(req.Password); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(core.ErrorResponse{
+			Error:   "weak password",
+			Code:    core.ErrInvalidRequest,
+			Details: err.Error(),
+		})
+	}
+
+	// Normalize for case-insensitive storage
+	req.Username = strings.ToLower(req.Username)
+	if req.Email != "" {
+		req.Email = strings.ToLower(req.Email)
+	}
+
+	// Create user
+	user, err := h.svc.CreateUser(req.Username, req.Email, req.Password)
+	if err != nil {
+		if strings.Contains(err.Error(), "already exists") {
+			return c.Status(fiber.StatusConflict).JSON(core.ErrorResponse{
+				Error:   "user already exists",
+				Code:    core.ErrInvalidRequest,
+				Details: "username or email already taken",
+			})
+		}
+		return c.Status(fiber.StatusInternalServerError).JSON(core.ErrorResponse{
+			Error: "failed to create user",
+			Code:  core.ErrInternalError,
+		})
+	}
+
+	// Generate JWT token
+	token, err := h.svc.GenerateUserToken(user.UserID)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(core.ErrorResponse{
+			Error: "failed to generate token",
+			Code:  core.ErrInternalError,
+		})
+	}
+
+	return c.Status(fiber.StatusCreated).JSON(AuthResponse{
+		Token:     token,
+		UserID:    user.UserID,
+		Username:  user.Username,
+		Email:     user.Email,
+		ExpiresAt: time.Now().Add(7 * 24 * time.Hour),
+	})
+}
+
+// validatePassword checks password strength requirements
+func validatePassword(password string) error {
+	const (
+		minPasswordLength = 8
+		maxPasswordLength = 128
+	)
+	if len(password) < minPasswordLength {
+		return fmt.Errorf("password must be at least 8 characters")
+	}
+	if len(password) > maxPasswordLength {
+		return fmt.Errorf("password must not exceed 128 characters")
+	}
+
+	// Check for at least one letter and one number
+	hasLetter := false
+	hasNumber := false
+	for _, r := range password {
+		switch {
+		case unicode.IsLetter(r):
+			hasLetter = true
+		case unicode.IsNumber(r):
+			hasNumber = true
+		}
+		if hasLetter && hasNumber {
+			break
+		}
+	}
+
+	if !hasLetter || !hasNumber {
+		return fmt.Errorf("password must contain at least one letter and one number")
+	}
+
+	return nil
+}
+
+// LoginHandler authenticates user and returns JWT token
+func (h *HTTPHandler) LoginHandler(c *fiber.Ctx) error {
+	var req LoginRequest
+	if err := c.BodyParser(&req); err != nil {
+		return c.Status(fiber.StatusBadRequest).JSON(core.ErrorResponse{
+			Error:   "invalid request body",
+			Code:    core.ErrInvalidRequest,
+			Details: err.Error(),
+		})
+	}
+
+	// Normalize identifier for case-insensitive lookup
+	req.Identifier = strings.ToLower(req.Identifier)
+
+	// Authenticate user
+	user, err := h.svc.AuthenticateUser(req.Identifier, req.Password)
+	if err != nil {
+		// Always return same error to prevent user enumeration
+		return c.Status(fiber.StatusUnauthorized).JSON(core.ErrorResponse{
+			Error: "invalid credentials",
+			Code:  core.ErrInvalidRequest,
+		})
+	}
+
+	// Generate JWT token
+	token, err := h.svc.GenerateUserToken(user.UserID)
+	if err != nil {
+		return c.Status(fiber.StatusInternalServerError).JSON(core.ErrorResponse{
+			Error: "failed to generate token",
+			Code:  core.ErrInternalError,
+		})
+	}
+
+	// Update last login
+	// TODO: for now, non-blocking if login time update fails, log/block in the future
+	_ = h.svc.UpdateLastLogin(user.UserID)
+
+	return c.JSON(AuthResponse{
+		Token:     token,
+		UserID:    user.UserID,
+		Username:  user.Username,
+		Email:     user.Email,
+		ExpiresAt: time.Now().Add(7 * 24 * time.Hour),
+	})
+}
+
+// GetCurrentUserHandler returns authenticated user information
+func (h *HTTPHandler) GetCurrentUserHandler(c *fiber.Ctx) error {
+	userID, ok := c.Locals("userID").(string)
+	if !ok || userID == "" {
+		return c.Status(fiber.StatusUnauthorized).JSON(core.ErrorResponse{
+			Error: "unauthorized",
+			Code:  core.ErrInvalidRequest,
+		})
+	}
+
+	user, err := h.svc.GetUserByID(userID)
+	if err != nil {
+		return c.Status(fiber.StatusNotFound).JSON(core.ErrorResponse{
+			Error: "user not found",
+			Code:  core.ErrInvalidRequest,
+		})
+	}
+
+	return c.JSON(UserResponse{
+		UserID:    user.UserID,
+		Username:  user.Username,
+		Email:     user.Email,
+		CreatedAt: user.CreatedAt,
+	})
+}
--- a/internal/http/handler.go
+++ b/internal/http/handler.go
@ -2,13 +2,14 @@
 package http

 import (
-	"chess/internal/core"
-	"chess/internal/processor"
-	"chess/internal/service"
 	"fmt"
 	"strings"
 	"time"

+	"chess/internal/core"
+	"chess/internal/processor"
+	"chess/internal/service"
+
 	"github.com/gofiber/fiber/v2"
 	"github.com/gofiber/fiber/v2/middleware/cors"
 	"github.com/gofiber/fiber/v2/middleware/limiter"
@ -47,27 +48,66 @@ func NewFiberApp(proc *processor.Processor, svc *service.Service, devMode bool)
 	app.Use(cors.New(cors.Config{
 		AllowOrigins: "*",
 		AllowMethods: "GET,POST,PUT,DELETE,OPTIONS",
-		AllowHeaders: "Origin,Content-Type,Accept",
+		AllowHeaders: "Origin,Content-Type,Accept,Authorization",
 	}))

 	// Health check (no rate limit)
 	app.Get("/health", h.Health)

-	// API v1 routes with rate limiting
+	// API v1 routes
 	api := app.Group("/api/v1")

-	// Rate limiter: 10/20 req/sec per IP with expiry
+	// Auth routes with specific rate limiting
+	auth := api.Group("/auth")
+
+	// Register: 5 req/min per IP
+	auth.Post("/register", limiter.New(limiter.Config{
+		Max:        5,
+		Expiration: 1 * time.Minute,
+		KeyGenerator: func(c *fiber.Ctx) string {
+			return c.IP()
+		},
+		LimitReached: func(c *fiber.Ctx) error {
+			return c.Status(fiber.StatusTooManyRequests).JSON(core.ErrorResponse{
+				Error:   "rate limit exceeded",
+				Code:    core.ErrRateLimitExceeded,
+				Details: "5 registrations per minute allowed",
+			})
+		},
+	}), h.RegisterHandler)
+
+	// Login: 10 req/min per IP
+	auth.Post("/login", limiter.New(limiter.Config{
+		Max:        10,
+		Expiration: 1 * time.Minute,
+		KeyGenerator: func(c *fiber.Ctx) string {
+			return c.IP()
+		},
+		LimitReached: func(c *fiber.Ctx) error {
+			return c.Status(fiber.StatusTooManyRequests).JSON(core.ErrorResponse{
+				Error:   "rate limit exceeded",
+				Code:    core.ErrRateLimitExceeded,
+				Details: "10 login attempts per minute allowed",
+			})
+		},
+	}), h.LoginHandler)
+
+	// Create token validator closure
+	validateToken := svc.ValidateToken
+
+	// Current user (requires auth)
+	auth.Get("/me", AuthRequired(validateToken), h.GetCurrentUserHandler)
+
+	// Game routes with standard rate limiting
 	maxReq := rateLimitRate
 	if devMode {
-		maxReq = rateLimitRate * 2 // Loosen rate limiter for testing
+		maxReq = rateLimitRate * 2
 	}
 	api.Use(limiter.New(limiter.Config{
-		Max:        maxReq,          // Allow requests per second
-		Expiration: 1 * time.Second, // Per second
+		Max:        maxReq,
+		Expiration: 1 * time.Second,
 		KeyGenerator: func(c *fiber.Ctx) string {
-			// Check X-Forwarded-For first, then X-Real-IP, then RemoteIP
 			if xff := c.Get("X-Forwarded-For"); xff != "" {
-				// Take the first IP from X-Forwarded-For chain
 				if idx := strings.Index(xff, ","); idx != -1 {
 					return strings.TrimSpace(xff[:idx])
 				}
@ -82,9 +122,6 @@ func NewFiberApp(proc *processor.Processor, svc *service.Service, devMode bool)
 				Details: fmt.Sprintf("%d requests per second allowed", maxReq),
 			})
 		},
-		Storage:                nil, // Use in-memory storage (default)
-		SkipFailedRequests:     false,
-		SkipSuccessfulRequests: false,
 	}))

 	// Content-Type validation for POST and PUT requests
@ -93,8 +130,8 @@ func NewFiberApp(proc *processor.Processor, svc *service.Service, devMode bool)
 	// Middleware validation for sanitization
 	api.Use(validationMiddleware)

-	// Register game routes
-	api.Post("/games", h.CreateGame)
+	// Register game routes with auth middleware
+	api.Post("/games", OptionalAuth(validateToken), h.CreateGame) // Optional auth for player ID association
 	api.Put("/games/:gameId/players", h.ConfigurePlayers)
 	api.Get("/games/:gameId", h.GetGame)
 	api.Delete("/games/:gameId", h.DeleteGame)
@ -179,8 +216,12 @@ func (h *HTTPHandler) CreateGame(c *fiber.Ctx) error {
 	var req core.CreateGameRequest
 	req = *(validatedBody.(*core.CreateGameRequest))

-	// Let processor generate game ID via service
+	// Retrieve authenticated user ID if available
+	userID, _ := c.Locals("userID").(string)
+
+	// Generate game ID via service with optional user context
 	cmd := processor.NewCreateGameCommand(req)
+	cmd.UserID = userID // Add user ID to command if authenticated

 	resp := h.proc.Execute(cmd)

--- a/internal/http/middleware.go
+++ b/internal/http/middleware.go
@ -0,0 +1,63 @@
+// FILE: internal/http/middleware.go
+package http
+
+import (
+	"strings"
+
+	"chess/internal/core"
+
+	"github.com/gofiber/fiber/v2"
+)
+
+// TokenValidator validates JWT tokens
+type TokenValidator func(token string) (userID string, claims map[string]any, err error)
+
+// AuthRequired enforces JWT authentication for protected endpoints
+func AuthRequired(validateToken TokenValidator) fiber.Handler {
+	return func(c *fiber.Ctx) error {
+		token := extractBearerToken(c.Get("Authorization"))
+		if token == "" {
+			return c.Status(fiber.StatusUnauthorized).JSON(core.ErrorResponse{
+				Error: "missing authorization token",
+				Code:  core.ErrInvalidRequest,
+			})
+		}
+
+		userID, _, err := validateToken(token)
+		if err != nil {
+			return c.Status(fiber.StatusUnauthorized).JSON(core.ErrorResponse{
+				Error: "invalid or expired token",
+				Code:  core.ErrInvalidRequest,
+			})
+		}
+
+		c.Locals("userID", userID)
+		return c.Next()
+	}
+}
+
+// OptionalAuth validates JWT if present but allows anonymous access
+func OptionalAuth(validateToken TokenValidator) fiber.Handler {
+	return func(c *fiber.Ctx) error {
+		token := extractBearerToken(c.Get("Authorization"))
+		if token == "" {
+			return c.Next()
+		}
+
+		userID, _, err := validateToken(token)
+		if err == nil {
+			c.Locals("userID", userID)
+		}
+		// Continue regardless of token validity
+		return c.Next()
+	}
+}
+
+// extractBearerToken extracts JWT token from Authorization header
+func extractBearerToken(header string) string {
+	const prefix = "Bearer "
+	if !strings.HasPrefix(header, prefix) {
+		return ""
+	}
+	return strings.TrimPrefix(header, prefix)
+}