
model: refactor AuthenticatedUser from AuthUser to avoid leaking data

When replying to the /login route with AuthUser, the password was being
leaked back to the client. Using AuthenticatedUser avoids this issue.
Douglas A 2 vuotta sitten
vanhempi
commit
b733b1ceb7
3 muutettua tiedostoa jossa 27 lisäystä ja 17 poistoa
  1. 8 9
      cmd/auth/main.go
  2. 18 7
      model/user.go
  3. 1 1
      tests/cmd/auth/logintest.json

+ 8 - 9
cmd/auth/main.go

@@ -14,7 +14,7 @@ import (
 
 type ResponseLogin struct {
 	Authenticated bool           `json:"authenticated"`
-	User          model.AuthUser `json:"user,omitempty"`
+	User          model.AuthenticatedUser `json:"user,omitempty"`
 }
 
 type ResponseSignup struct {
@@ -35,9 +35,8 @@ func (r *ResponseSignup) JsonResponseSignInSetAndWrite(rw http.ResponseWriter, a
 
 }
 
-func (r *ResponseLogin) JsonResponseSetAndWrite(rw http.ResponseWriter, authenticated bool, u *model.AuthUser) error {
+func (r *ResponseLogin) JsonResponseSetAndWrite(rw http.ResponseWriter, authenticated bool, u *model.AuthenticatedUser) error {
 	r.Authenticated = authenticated
-	u.PasswordHash = ""
 	r.User = *u
 	b, err := json.Marshal(r)
 	if err != nil {
@@ -117,7 +116,7 @@ func setupRoute() {
 	})
 
 	http.HandleFunc("/login", func(rw http.ResponseWriter, r *http.Request) {
-		var authUser model.AuthUser
+        var authUser model.AuthUser
 
         rw.Header().Add("Access-Control-Allow-Origin", "*")
 
@@ -140,23 +139,23 @@ func setupRoute() {
 			return
 		}
 
-		id, err := authUser.AuthenticateUser(dao, crypt)
+	    okUser, err := authUser.AuthenticateUser(dao, crypt)
+
+
 		if err != nil {
 			log.Printf("could not authenticate user: %v", err)
 			rw.WriteHeader(http.StatusUnauthorized)
-			res.JsonResponseSetAndWrite(rw, false, &model.AuthUser{})
+			res.JsonResponseSetAndWrite(rw, false, &model.AuthenticatedUser{})
 			return
 		}
 
-		authUser.Id = id
-
 		rw.Header().Add("Content-Type", "application/json")
  
         // TODO: This wont work on http connection. Needs to update the server to https
         //rw.Header().Add("Set-Cookie", "jwt=1234567; Expires: Wed, 24 Aug 2022 00:00:00 GMT; Secure; HttpOnly")
 
 		rw.WriteHeader(http.StatusOK)
-		if err = res.JsonResponseSetAndWrite(rw, true, &authUser); err != nil {
+		if err = res.JsonResponseSetAndWrite(rw, true, okUser); err != nil {
 			log.Fatalf("could not write back to client: %v", err)
 		}
 	})
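Review bot: The new call `if err = res.JsonResponseSetAndWrite(rw, true, okUser); err != nil` still hands a client-side write failure to `log.Fatalf`, which exits the whole process, so a client that drops the connection mid-response can take the server down. Log and return instead: `log.Printf("could not write back to client: %v", err)`. The error from the unauthorized-path call `res.JsonResponseSetAndWrite(rw, false, &model.AuthenticatedUser{})` is dropped silently and should at least be logged the same way. The replaced lines `var authUser model.AuthUser` and `okUser, err := authUser.AuthenticateUser(dao, crypt)` are indented with spaces rather than tabs, so the hunk is not gofmt-clean. The enclosing `setupRoute` starts and ends outside the hunk.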

+ 18 - 7
model/user.go

@@ -10,21 +10,22 @@ import (
 type AuthUser struct {
 	Id           string `json:"id"`
 	Username     string `json:"username"`
-	PasswordHash string `json:"passwordHash,omitempty"`
+	Password     string `json:"password,omitempty"`
 }
 
-func (u *AuthUser) AuthenticateUser(repo *dao.UserRepository, c *internals.Crypt) (string, error) {
-
+func (u *AuthUser) AuthenticateUser(repo *dao.UserRepository, c *internals.Crypt) (*AuthenticatedUser, error) {
+    var okUser AuthenticatedUser 
 	user, err := repo.GetUserByUsername(u.Username)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
 
-	err = c.CheckPasswordHash(u.PasswordHash, user.PasswordHash)
+	err = c.CheckPasswordHash(u.Password, user.PasswordHash)
 	if err != nil {
-		return "", err
+		return nil, err
 	}
-	return user.Id, nil
+    okUser.FromUser(user)
+	return &okUser, nil
 
 }
 
@@ -69,3 +70,13 @@ func (u *CreateUser) CreateUser(repo *dao.UserRepository, c *internals.Crypt) (s
 	return id, nil
 }
 
+type AuthenticatedUser struct {
+        Id       string  `json:"id"`
+        Username string `json:"username"`
+}
+
+
+func (u *AuthenticatedUser) FromUser (user dao.User) {
+        u.Id = user.Id;
+        u.Username = user.Username 
+}
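Review bot: The exported `AuthenticatedUser` type and its `FromUser` method are added without doc comments, and nothing in the code records why the type exists, so a later maintainer may add the hash back "for convenience". I would add `// AuthenticatedUser is the client-facing view of a user returned after a successful login. It intentionally carries no password or hash so it is safe to serialize into a response.` above the struct, and `// FromUser copies the public identity fields of a stored user; the password hash is deliberately left out.` above the method. The hunk is also not gofmt-clean: `var okUser AuthenticatedUser ` has a trailing space and space indentation, `u.Id = user.Id;` carries a stray semicolon, and `FromUser (user dao.User)` has a space before the parameter list. The same indentation issue applies to the `okUser.FromUser(user)` line in the `AuthenticateUser` hunk above.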

+ 1 - 1
tests/cmd/auth/logintest.json

@@ -1,4 +1,4 @@
 {
         "username": "mariamaria",
-        "passwordHash": "123456123456"
+        "password": "123456123456"
 }