fix auth middleware

main.go

@@ -5,6 +5,7 @@ package main
 import (
 	"context"
 	"database/sql"
+	"filething/middleware"
 	"filething/models"
 	"filething/routes"
 	"filething/ui"
@@ -14,7 +15,7 @@ import (
 	"strings"
 
 	"github.com/labstack/echo/v4"
-	"github.com/labstack/echo/v4/middleware"
+	echoMiddleware "github.com/labstack/echo/v4/middleware"
 	"github.com/uptrace/bun"
 	"github.com/uptrace/bun/dialect/pgdialect"
 	"github.com/uptrace/bun/driver/pgdriver"
@@ -49,9 +50,9 @@ func main() {
 		}
 	})
 
-	e.Use(middleware.Gzip())
+	e.Use(echoMiddleware.Gzip())
-	e.Use(middleware.CORS())
+	e.Use(echoMiddleware.CORS())
-	e.Use(middleware.CSRFWithConfig(middleware.CSRFConfig{
+	e.Use(echoMiddleware.CSRFWithConfig(echoMiddleware.CSRFConfig{
 		TokenLookup:    "cookie:_csrf",
 		CookiePath:     "/",
 		CookieSecure:   true,
@@ -63,6 +64,12 @@ func main() {
 	{
 		api.POST("/login", routes.LoginHandler)
 		api.POST("/signup", routes.SignupHandler)
+		api.Use(middleware.SessionMiddleware(db))
+		api.GET("/user", func(c echo.Context) error {
+			user := c.Get("user").(*models.User)
+			message := fmt.Sprintf("You are %s", user.ID)
+			return c.JSON(http.StatusOK, map[string]string{"message": message})
+		})
 		api.GET("/hello", func(c echo.Context) error {
 			return c.JSON(http.StatusOK, map[string]string{"message": "Hello, World!!!"})
 		})

middleware/auth.go

@@ -4,8 +4,10 @@ import (
 	"context"
 	"database/sql"
 	"filething/models"
+	"fmt"
 	"net/http"
 
+	"github.com/google/uuid"
 	"github.com/labstack/echo/v4"
 	"github.com/uptrace/bun"
 )
@@ -36,17 +38,25 @@ func SessionMiddleware(db *bun.DB) echo.MiddlewareFunc {
 			sessionToken := cookie.Value
 
 			// Query the session and user data from PostgreSQL
-			session := new(models.Session)
+			sessionId, err := uuid.Parse(sessionToken)
-			err = db.NewSelect().Model(session).Relation("User").WherePK(sessionToken).Scan(context.Background())
+			if err != nil {
+				return echo.NewHTTPError(http.StatusBadRequest, "Bad request")
+			}
+
+			session := &models.Session{
+				ID: sessionId,
+			}
+			err = db.NewSelect().Model(session).Relation("User").WherePK().Scan(context.Background())
 
 			if err != nil {
+				fmt.Println(err)
 				if err == sql.ErrNoRows {
 					return echo.NewHTTPError(http.StatusUnauthorized, "Invalid session token")
 				}
 				return echo.NewHTTPError(http.StatusInternalServerError, "Database error")
 			}
 
-			user := session.User
+			user := &session.User
 
 			// Store the user in the context
 			c.Set(UserContextKey, user)

models/user.go

@@ -27,6 +27,6 @@ type User struct {
 type Session struct {
 	bun.BaseModel `bun:"table:sessions,alias:u"`
 	ID            uuid.UUID `bun:",pk,type:uuid,default:uuid_generate_v4()"`
-	UserID        uuid.UUID `bun:"user_id,notnull"`
+	UserID        uuid.UUID `bun:"user_id,notnull,type:uuid"`
 	User          User      `bun:"rel:belongs-to,join:user_id=id"`
 }

routes/auth.go

@@ -41,9 +41,10 @@ func LoginHandler(c echo.Context) error {
 	}
 
 	c.SetCookie(&http.Cookie{
-		Name:  "sessionToken",
+		Name:     "sessionToken",
-		Value: session.ID.String(),
+		Value:    session.ID.String(),
-		Path:  "/",
+		SameSite: http.SameSiteStrictMode,
+		Path:     "/",
 	})
 
 	return c.JSON(http.StatusOK, map[string]string{"message": "Login successful!"})
@@ -109,9 +110,10 @@ func SignupHandler(c echo.Context) error {
 	}
 
 	c.SetCookie(&http.Cookie{
-		Name:  "sessionToken",
+		Name:     "sessionToken",
-		Value: session.ID.String(),
+		Value:    session.ID.String(),
-		Path:  "/",
+		SameSite: http.SameSiteStrictMode,
+		Path:     "/",
 	})
 
 	return c.JSON(http.StatusOK, map[string]string{"message": "Signup successful!"})