drone/internal/api/handler/account/login.go

// Copyright 2021 Harness Inc. All rights reserved.
// Use of this source code is governed by the Polyform Free Trial License
// that can be found in the LICENSE.md file for this repository.

package account

import (
	"net/http"
	"time"

	"github.com/harness/gitness/internal/api/render"
	"github.com/harness/gitness/internal/store"
	"github.com/harness/gitness/internal/token"
	"github.com/harness/gitness/types"

	"github.com/rs/zerolog/hlog"
	"golang.org/x/crypto/bcrypt"
)

// HandleLogin returns an http.HandlerFunc that authenticates
// the user and returns an authentication token on success.
func HandleLogin(users store.UserStore, system store.SystemStore) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		ctx := r.Context()
		log := hlog.FromRequest(r)

		username := r.FormValue("username")
		password := r.FormValue("password")
		user, err := users.FindEmail(ctx, username)
		if err != nil {
			log.Debug().Err(err).
				Str("user", username).
				Msg("cannot find user")

			// always give not found error as extra security measurement.
			render.NotFoundf(w, "Invalid email or password")
			return
		}

		err = bcrypt.CompareHashAndPassword(
			[]byte(user.Password),
			[]byte(password),
		)
		if err != nil {
			log.Debug().Err(err).
				Str("user", username).
				Msg("invalid password")

			render.NotFoundf(w, "Invalid email or password")
			return
		}

		expires := time.Now().Add(system.Config(ctx).Token.Expire)
		token_, err := token.GenerateExp(user, expires.Unix(), user.Salt)
		if err != nil {
			log.Err(err).
				Str("user", username).
				Msg("failed to generate token")

			render.InternalErrorf(w, "Failed to create session")
			return
		}

		// return the token if the with_user boolean
		// query parameter is set to true.
		if r.FormValue("return_user") == "true" {
			render.JSON(w, &types.UserToken{
				User: user,
				Token: &types.Token{
					Value:   token_,
					Expires: expires.UTC(),
				},
			}, 200)
		} else {
			// else return the token only.
			render.JSON(w, &types.Token{Value: token_}, 200)
		}
	}
}