photoview/api/graphql/resolvers/user.go

package resolvers

import (
	"context"
	"errors"
	"log"

	"github.com/viktorstrate/photoview/api/graphql/auth"
	"github.com/viktorstrate/photoview/api/graphql/models"
	"golang.org/x/crypto/bcrypt"
)

// func (r *Resolver) User() UserResolver {
// 	return &userResolver{r}
// }

// type userResolver struct{ *Resolver }

func (r *queryResolver) User(ctx context.Context, filter *models.Filter) ([]*models.User, error) {

	filterSQL, err := filter.FormatSQL("user")
	if err != nil {
		return nil, err
	}

	rows, err := r.Database.Query("SELECT * FROM user" + filterSQL)
	if err != nil {
		return nil, err
	}
	defer rows.Close()

	users, err := models.NewUsersFromRows(rows)
	if err != nil {
		return nil, err
	}

	return users, nil
}

func (r *queryResolver) MyUser(ctx context.Context) (*models.User, error) {

	user := auth.UserFromContext(ctx)
	if user == nil {
		return nil, auth.ErrUnauthorized
	}

	return user, nil
}

func (r *mutationResolver) AuthorizeUser(ctx context.Context, username string, password string) (*models.AuthorizeResult, error) {
	user, err := models.AuthorizeUser(r.Database, username, password)
	if err != nil {
		return &models.AuthorizeResult{
			Success: false,
			Status:  err.Error(),
		}, nil
	}

	tx, err := r.Database.Begin()
	if err != nil {
		return nil, err
	}

	var token *models.AccessToken

	token, err = user.GenerateAccessToken(tx)
	if err != nil {
		tx.Rollback()
		return nil, err
	}

	tx.Commit()

	return &models.AuthorizeResult{
		Success: true,
		Status:  "ok",
		Token:   &token.Value,
	}, nil
}
func (r *mutationResolver) RegisterUser(ctx context.Context, username string, password string, rootPath string) (*models.AuthorizeResult, error) {
	tx, err := r.Database.Begin()
	if err != nil {
		return nil, err
	}

	user, err := models.RegisterUser(tx, username, &password, rootPath, false)
	if err != nil {
		tx.Rollback()
		return &models.AuthorizeResult{
			Success: false,
			Status:  err.Error(),
		}, nil
	}

	token, err := user.GenerateAccessToken(tx)
	if err != nil {
		tx.Rollback()
		return nil, err
	}

	if err := tx.Commit(); err != nil {
		return nil, err
	}

	return &models.AuthorizeResult{
		Success: true,
		Status:  "ok",
		Token:   &token.Value,
	}, nil
}

func (r *mutationResolver) InitialSetupWizard(ctx context.Context, username string, password string, rootPath string) (*models.AuthorizeResult, error) {
	siteInfo, err := models.GetSiteInfo(r.Database)
	if err != nil {
		return nil, err
	}

	if !siteInfo.InitialSetup {
		return nil, errors.New("not initial setup")
	}

	tx, err := r.Database.Begin()
	if err != nil {
		return nil, err
	}

	if _, err := tx.Exec("UPDATE site_info SET initial_setup = false"); err != nil {
		tx.Rollback()
		return nil, err
	}

	user, err := models.RegisterUser(tx, username, &password, rootPath, true)
	if err != nil {
		tx.Rollback()
		return &models.AuthorizeResult{
			Success: false,
			Status:  err.Error(),
		}, nil
	}

	token, err := user.GenerateAccessToken(tx)
	if err != nil {
		tx.Rollback()
		return nil, err
	}

	if err := tx.Commit(); err != nil {
		return nil, err
	}

	return &models.AuthorizeResult{
		Success: true,
		Status:  "ok",
		Token:   &token.Value,
	}, nil
}

// Admin queries
func (r *mutationResolver) UpdateUser(ctx context.Context, id int, username *string, rootPath *string, password *string, admin *bool) (*models.User, error) {

	user_rows, err := r.Database.Query("SELECT * FROM user WHERE user_id = ?", id)
	if err != nil {
		return nil, err
	}
	if user_rows.Next() == false {
		return nil, errors.New("user not found")
	}
	user_rows.Close()

	update_str := ""
	update_args := make([]interface{}, 0)

	if username != nil {
		update_str += "username = ?, "
		update_args = append(update_args, username)
	}
	if rootPath != nil {
		if !models.ValidRootPath(*rootPath) {
			return nil, errors.New("invalid root path")
		}

		update_str += "root_path = ?, "
		update_args = append(update_args, rootPath)
	}
	if admin != nil {
		update_str += "admin = ?, "
		update_args = append(update_args, admin)
	}
	if password != nil {
		hashedPassBytes, err := bcrypt.GenerateFromPassword([]byte(*password), 12)
		if err != nil {
			return nil, err
		}
		hashedPass := string(hashedPassBytes)

		update_str += "password = ?, "
		update_args = append(update_args, hashedPass)
	}

	if len(update_str) == 0 {
		return nil, errors.New("no updates requested")
	}

	update_str = update_str[:len(update_str)-2]
	log.Printf("Updating user with update string: %s\n", update_str)

	update_args = append(update_args, id)

	res, err := r.Database.Exec("UPDATE user SET "+update_str+" WHERE user_id = ?", update_args...)
	if err != nil {
		return nil, err
	}
	rows_aff, err := res.RowsAffected()
	if err != nil {
		return nil, err
	}
	if rows_aff == 0 {
		return nil, errors.New("no users were updated")
	}

	row := r.Database.QueryRow("SELECT * FROM user WHERE user_id = ?", id)
	user, err := models.NewUserFromRow(row)
	if err != nil {
		return nil, err
	}

	return user, nil
}

func (r *mutationResolver) CreateUser(ctx context.Context, username string, rootPath string, password *string, admin bool) (*models.User, error) {
	tx, err := r.Database.Begin()
	if err != nil {
		return nil, err
	}

	user, err := models.RegisterUser(tx, username, password, rootPath, admin)
	if err != nil {
		tx.Rollback()
		return nil, err
	}

	if err := tx.Commit(); err != nil {
		return nil, err
	}

	return user, nil
}

func (r *mutationResolver) DeleteUser(ctx context.Context, id int) (*models.User, error) {

	row := r.Database.QueryRow("SELECT * FROM user WHERE user_id = ?", id)
	user, err := models.NewUserFromRow(row)
	if err != nil {
		return nil, err
	}

	res, err := r.Database.Exec("DELETE FROM user WHERE user_id = ?", id)
	if err != nil {
		return nil, err
	}

	rows, err := res.RowsAffected()
	if err != nil {
		return nil, err
	}
	if rows == 0 {
		return nil, errors.New("no users deleted")
	}

	return user, nil
}
Work on photo resolver 2020-02-05 14:51:46 +01:00			`package resolvers`
Add user signup 2020-01-31 17:36:48 +01:00
			`import (`
			`"context"`
Setup initial setup wizard 2020-02-05 16:49:51 +01:00			`"errors"`
Add user management to api 2020-02-16 12:22:00 +01:00			`"log"`
Add user signup 2020-01-31 17:36:48 +01:00
Implement authorization 2020-01-31 23:30:34 +01:00			`"github.com/viktorstrate/photoview/api/graphql/auth"`
Add user signup 2020-01-31 17:36:48 +01:00			`"github.com/viktorstrate/photoview/api/graphql/models"`
Add change password support 2020-02-22 14:05:33 +01:00			`"golang.org/x/crypto/bcrypt"`
Add user signup 2020-01-31 17:36:48 +01:00			`)`

Implement authorization 2020-01-31 23:30:34 +01:00			`// func (r *Resolver) User() UserResolver {`
			`// return &userResolver{r}`
			`// }`

			`// type userResolver struct{ *Resolver }`

Work on settings page 2020-02-15 22:13:02 +01:00			`func (r queryResolver) User(ctx context.Context, filter models.Filter) ([]*models.User, error) {`
Work on photo resolver 2020-02-05 14:51:46 +01:00
Fixes viktorstrate/photoview#71 In order to prevent SQL injections and , reveal information about the database tables avoid passing MySQL functions as GQL sorting parameters, I refactored the FormatSQL() function. Additionally, the old approach with using regex to filter the orderBy parameter was not effective and prevented using column.table annotations. 2020-10-13 17:27:28 +02:00			`filterSQL, err := filter.FormatSQL("user")`
Working on integrating backend with ui 2020-02-09 15:26:59 +01:00			`if err != nil {`
			`return nil, err`
			`}`

Work on settings page 2020-02-15 22:13:02 +01:00			`rows, err := r.Database.Query("SELECT * FROM user" + filterSQL)`
Work on photo resolver 2020-02-05 14:51:46 +01:00			`if err != nil {`
			`return nil, err`
			`}`
			`defer rows.Close()`

			`users, err := models.NewUsersFromRows(rows)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return users, nil`
			`}`

Implement authorization 2020-01-31 23:30:34 +01:00			`func (r queryResolver) MyUser(ctx context.Context) (models.User, error) {`

			`user := auth.UserFromContext(ctx)`
			`if user == nil {`
			`return nil, auth.ErrUnauthorized`
			`}`

			`return user, nil`
			`}`

Refactor gqlgen 2020-02-01 00:08:23 +01:00			`func (r mutationResolver) AuthorizeUser(ctx context.Context, username string, password string) (models.AuthorizeResult, error) {`
Add user signup 2020-01-31 17:36:48 +01:00			`user, err := models.AuthorizeUser(r.Database, username, password)`
			`if err != nil {`
Refactor gqlgen 2020-02-01 00:08:23 +01:00			`return &models.AuthorizeResult{`
Add user signup 2020-01-31 17:36:48 +01:00			`Success: false,`
			`Status: err.Error(),`
			`}, nil`
			`}`

Set max sql connections + improve user register 2020-02-14 14:29:41 +01:00			`tx, err := r.Database.Begin()`
			`if err != nil {`
			`return nil, err`
			`}`

Implement authorization 2020-01-31 23:30:34 +01:00			`var token *models.AccessToken`

Set max sql connections + improve user register 2020-02-14 14:29:41 +01:00			`token, err = user.GenerateAccessToken(tx)`
Implement access token 2020-01-31 18:51:24 +01:00			`if err != nil {`
Set max sql connections + improve user register 2020-02-14 14:29:41 +01:00			`tx.Rollback()`
Implement access token 2020-01-31 18:51:24 +01:00			`return nil, err`
			`}`
Add user signup 2020-01-31 17:36:48 +01:00
Set max sql connections + improve user register 2020-02-14 14:29:41 +01:00			`tx.Commit()`

Refactor gqlgen 2020-02-01 00:08:23 +01:00			`return &models.AuthorizeResult{`
Add user signup 2020-01-31 17:36:48 +01:00			`Success: true,`
			`Status: "ok",`
Implement access token 2020-01-31 18:51:24 +01:00			`Token: &token.Value,`
Add user signup 2020-01-31 17:36:48 +01:00			`}, nil`
			`}`
Refactor gqlgen 2020-02-01 00:08:23 +01:00			`func (r mutationResolver) RegisterUser(ctx context.Context, username string, password string, rootPath string) (models.AuthorizeResult, error) {`
Set max sql connections + improve user register 2020-02-14 14:29:41 +01:00			`tx, err := r.Database.Begin()`
Add user signup 2020-01-31 17:36:48 +01:00			`if err != nil {`
Set max sql connections + improve user register 2020-02-14 14:29:41 +01:00			`return nil, err`
			`}`

Add user management to api 2020-02-16 12:22:00 +01:00			`user, err := models.RegisterUser(tx, username, &password, rootPath, false)`
Set max sql connections + improve user register 2020-02-14 14:29:41 +01:00			`if err != nil {`
			`tx.Rollback()`
Refactor gqlgen 2020-02-01 00:08:23 +01:00			`return &models.AuthorizeResult{`
Add user signup 2020-01-31 17:36:48 +01:00			`Success: false,`
			`Status: err.Error(),`
			`}, nil`
			`}`

Set max sql connections + improve user register 2020-02-14 14:29:41 +01:00			`token, err := user.GenerateAccessToken(tx)`
Implement access token 2020-01-31 18:51:24 +01:00			`if err != nil {`
Set max sql connections + improve user register 2020-02-14 14:29:41 +01:00			`tx.Rollback()`
			`return nil, err`
			`}`

			`if err := tx.Commit(); err != nil {`
Implement access token 2020-01-31 18:51:24 +01:00			`return nil, err`
			`}`
Add user signup 2020-01-31 17:36:48 +01:00
Refactor gqlgen 2020-02-01 00:08:23 +01:00			`return &models.AuthorizeResult{`
Add user signup 2020-01-31 17:36:48 +01:00			`Success: true,`
			`Status: "ok",`
Implement access token 2020-01-31 18:51:24 +01:00			`Token: &token.Value,`
Add user signup 2020-01-31 17:36:48 +01:00			`}, nil`
			`}`
Setup initial setup wizard 2020-02-05 16:49:51 +01:00
			`func (r mutationResolver) InitialSetupWizard(ctx context.Context, username string, password string, rootPath string) (models.AuthorizeResult, error) {`
			`siteInfo, err := models.GetSiteInfo(r.Database)`
			`if err != nil {`
			`return nil, err`
			`}`

Set max sql connections + improve user register 2020-02-14 14:29:41 +01:00			`if !siteInfo.InitialSetup {`
			`return nil, errors.New("not initial setup")`
			`}`

			`tx, err := r.Database.Begin()`
			`if err != nil {`
Setup initial setup wizard 2020-02-05 16:49:51 +01:00			`return nil, err`
			`}`

Set max sql connections + improve user register 2020-02-14 14:29:41 +01:00			`if _, err := tx.Exec("UPDATE site_info SET initial_setup = false"); err != nil {`
			`tx.Rollback()`
			`return nil, err`
			`}`

Add user management to api 2020-02-16 12:22:00 +01:00			`user, err := models.RegisterUser(tx, username, &password, rootPath, true)`
Set max sql connections + improve user register 2020-02-14 14:29:41 +01:00			`if err != nil {`
			`tx.Rollback()`
			`return &models.AuthorizeResult{`
			`Success: false,`
			`Status: err.Error(),`
			`}, nil`
Setup initial setup wizard 2020-02-05 16:49:51 +01:00			`}`

Set max sql connections + improve user register 2020-02-14 14:29:41 +01:00			`token, err := user.GenerateAccessToken(tx)`
			`if err != nil {`
			`tx.Rollback()`
			`return nil, err`
			`}`

			`if err := tx.Commit(); err != nil {`
			`return nil, err`
			`}`

			`return &models.AuthorizeResult{`
			`Success: true,`
			`Status: "ok",`
			`Token: &token.Value,`
			`}, nil`
Setup initial setup wizard 2020-02-05 16:49:51 +01:00			`}`
Add user management to api 2020-02-16 12:22:00 +01:00
			`// Admin queries`
Add change password support 2020-02-22 14:05:33 +01:00			`func (r mutationResolver) UpdateUser(ctx context.Context, id int, username string, rootPath string, password string, admin bool) (models.User, error) {`
Add user management to api 2020-02-16 12:22:00 +01:00
			`user_rows, err := r.Database.Query("SELECT * FROM user WHERE user_id = ?", id)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if user_rows.Next() == false {`
			`return nil, errors.New("user not found")`
			`}`
			`user_rows.Close()`

			`update_str := ""`
			`update_args := make([]interface{}, 0)`

			`if username != nil {`
			`update_str += "username = ?, "`
			`update_args = append(update_args, username)`
			`}`
			`if rootPath != nil {`
			`if !models.ValidRootPath(*rootPath) {`
			`return nil, errors.New("invalid root path")`
			`}`

			`update_str += "root_path = ?, "`
			`update_args = append(update_args, rootPath)`
			`}`
			`if admin != nil {`
			`update_str += "admin = ?, "`
			`update_args = append(update_args, admin)`
			`}`
Add change password support 2020-02-22 14:05:33 +01:00			`if password != nil {`
			`hashedPassBytes, err := bcrypt.GenerateFromPassword([]byte(*password), 12)`
			`if err != nil {`
			`return nil, err`
			`}`
			`hashedPass := string(hashedPassBytes)`

			`update_str += "password = ?, "`
			`update_args = append(update_args, hashedPass)`
			`}`
Add user management to api 2020-02-16 12:22:00 +01:00
			`if len(update_str) == 0 {`
			`return nil, errors.New("no updates requested")`
			`}`

			`update_str = update_str[:len(update_str)-2]`
			`log.Printf("Updating user with update string: %s\n", update_str)`

			`update_args = append(update_args, id)`

			`res, err := r.Database.Exec("UPDATE user SET "+update_str+" WHERE user_id = ?", update_args...)`
			`if err != nil {`
			`return nil, err`
			`}`
			`rows_aff, err := res.RowsAffected()`
			`if err != nil {`
			`return nil, err`
			`}`
			`if rows_aff == 0 {`
			`return nil, errors.New("no users were updated")`
			`}`

			`row := r.Database.QueryRow("SELECT * FROM user WHERE user_id = ?", id)`
			`user, err := models.NewUserFromRow(row)`
			`if err != nil {`
			`return nil, err`
			`}`

			`return user, nil`
			`}`

			`func (r mutationResolver) CreateUser(ctx context.Context, username string, rootPath string, password string, admin bool) (*models.User, error) {`
			`tx, err := r.Database.Begin()`
			`if err != nil {`
			`return nil, err`
			`}`

			`user, err := models.RegisterUser(tx, username, password, rootPath, admin)`
			`if err != nil {`
			`tx.Rollback()`
			`return nil, err`
			`}`

			`if err := tx.Commit(); err != nil {`
			`return nil, err`
			`}`

			`return user, nil`
			`}`

			`func (r mutationResolver) DeleteUser(ctx context.Context, id int) (models.User, error) {`

			`row := r.Database.QueryRow("SELECT * FROM user WHERE user_id = ?", id)`
			`user, err := models.NewUserFromRow(row)`
			`if err != nil {`
			`return nil, err`
			`}`

			`res, err := r.Database.Exec("DELETE FROM user WHERE user_id = ?", id)`
			`if err != nil {`
			`return nil, err`
			`}`

			`rows, err := res.RowsAffected()`
			`if err != nil {`
			`return nil, err`
			`}`
			`if rows == 0 {`
			`return nil, errors.New("no users deleted")`
			`}`

			`return user, nil`
			`}`