TheArchive/zitadel
1
0
Fork 0
mirror of https://github.com/zitadel/zitadel.git synced 2025-02-28 20:27:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: login errors (#204)

Browse Source 
* feat: nice error messages

* feat: nice error messages

* fix: add project type

* fix: message ids

* handle error messages in login

* add some better error messages

* fix: better error messages on login

* fix: better error messages on login

* fix: add internal errors

* fix: tests
This commit is contained in:
Fabi 2020-06-11 13:22:24 +02:00 committed by GitHub
parent fb3a5c94a0
commit 2c97794538
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
27 changed files with 191 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
internal/auth/repository/eventsourcing/eventstore/auth_request.go
View File

@ -138,7 +138,7 @@ func (repo *AuthRequestRepo) VerifyPassword(ctx context.Context, id, userID, pas
return err
}
if request.UserID != userID {
return errors.ThrowPreconditionFailed(nil, "EVENT-ds35D", "user id does not match request id")
return errors.ThrowPreconditionFailed(nil, "EVENT-ds35D", "Errors.User.NotMatchingUserID")
}
return repo.UserEvents.CheckPassword(ctx, userID, password, request.WithCurrentInfo(info))
}
@ -149,7 +149,7 @@ func (repo *AuthRequestRepo) VerifyMfaOTP(ctx context.Context, authRequestID, us
return err
}
if request.UserID != userID {
return errors.ThrowPreconditionFailed(nil, "EVENT-ADJ26", "user id does not match request id")
return errors.ThrowPreconditionFailed(nil, "EVENT-ADJ26", "Errors.User.NotMatchingUserID")
}
return repo.UserEvents.CheckMfaOTP(ctx, userID, code, request.WithCurrentInfo(info))
}

12
internal/auth_request/repository/cache/cache.go vendored
View File

@ -65,16 +65,16 @@ func (c *AuthRequestCache) getAuthRequest(key, value string) (*model.AuthRequest
err := c.client.QueryRow(query, value).Scan(&b, &requestType)
if err != nil {
if errors.Is(err, sql.ErrNoRows) {
return nil, caos_errs.ThrowNotFound(err, "CACHE-d24aD", "auth request not found")
return nil, caos_errs.ThrowNotFound(err, "CACHE-d24aD", "Errors.AuthRequest.NotFound")
}
return nil, caos_errs.ThrowInternal(err, "CACHE-as3kj", "unable to get auth request from database")
return nil, caos_errs.ThrowInternal(err, "CACHE-as3kj", "Errors.Internal")
}
request, err := model.NewAuthRequestFromType(requestType)
if err == nil {
err = json.Unmarshal(b, request)
}
if err != nil {
return nil, caos_errs.ThrowInternal(err, "CACHE-2wshg", "unable to unmarshal auth request")
return nil, caos_errs.ThrowInternal(err, "CACHE-2wshg", "Errors.Internal")
}
return request, nil
}
@ -82,15 +82,15 @@ func (c *AuthRequestCache) getAuthRequest(key, value string) (*model.AuthRequest
func (c *AuthRequestCache) saveAuthRequest(request *model.AuthRequest, query string, param interface{}) error {
b, err := json.Marshal(request)
if err != nil {
return caos_errs.ThrowInternal(err, "CACHE-os0GH", "unable to marshal auth request")
return caos_errs.ThrowInternal(err, "CACHE-os0GH", "Errors.Internal")
}
stmt, err := c.client.Prepare(query)
if err != nil {
return caos_errs.ThrowInternal(err, "CACHE-su3GK", "sql prepare failed")
return caos_errs.ThrowInternal(err, "CACHE-su3GK", "Errors.Internal")
}
_, err = stmt.Exec(request.ID, b, param)
if err != nil {
return caos_errs.ThrowInternal(err, "CACHE-sj8iS", "unable to save auth request")
return caos_errs.ThrowInternal(err, "CACHE-sj8iS", "Errors.Internal")
}
return nil
}

8
internal/crypto/code.go
View File

@ -123,7 +123,7 @@ func IsCodeExpired(creationDate time.Time, expiry time.Duration) bool {
func VerifyCode(creationDate time.Time, expiry time.Duration, cryptoCode *CryptoValue, verificationCode string, g Generator) error {
if IsCodeExpired(creationDate, expiry) {
return errors.ThrowPreconditionFailed(nil, "CODE-QvUQ4P", "verification code is expired")
return errors.ThrowPreconditionFailed(nil, "CODE-QvUQ4P", "Errors.User.Code.Expired")
}
switch alg := g.Alg().(type) {
case EncryptionAlgorithm:
@ -131,7 +131,7 @@ func VerifyCode(creationDate time.Time, expiry time.Duration, cryptoCode *Crypto
case HashAlgorithm:
return verifyHashedCode(cryptoCode, verificationCode, alg)
}
return errors.ThrowInvalidArgument(nil, "CODE-fW2gNa", "generator alg is not supported")
return errors.ThrowInvalidArgument(nil, "CODE-fW2gNa", "Errors.User.Code.GeneratorAlgNotSupported")
}
func generateRandomString(length uint, chars []rune) (string, error) {
@ -158,7 +158,7 @@ func generateRandomString(length uint, chars []rune) (string, error) {
func verifyEncryptedCode(cryptoCode *CryptoValue, verificationCode string, alg EncryptionAlgorithm) error {
if cryptoCode == nil {
return errors.ThrowInvalidArgument(nil, "CRYPT-aqrFV", "cryptoCode must not be nil")
return errors.ThrowInvalidArgument(nil, "CRYPT-aqrFV", "Errors.User.Code.CryptoCodeNil")
}
code, err := DecryptString(cryptoCode, alg)
if err != nil {
@ -166,7 +166,7 @@ func verifyEncryptedCode(cryptoCode *CryptoValue, verificationCode string, alg E
}
if code != verificationCode {
return errors.ThrowInvalidArgument(nil, "CODE-woT0xc", "verification code is invalid")
return errors.ThrowInvalidArgument(nil, "CODE-woT0xc", "Errors.User.Code.Invalid")
}
return nil
}

6
internal/errors/caos_error.go
View File

@ -2,6 +2,7 @@ package errors
import (
"fmt"
"reflect"
)
var _ Error = (*CaosError)(nil)
@ -51,3 +52,8 @@ func (err *CaosError) Is(target error) bool {
_, ok := target.(*CaosError)
return ok
}
func (err *CaosError) As(target interface{}) bool {
reflect.Indirect(reflect.ValueOf(target)).Set(reflect.ValueOf(err))
return true
}

4
internal/eventstore/sdk/sdk.go
View File

@ -23,7 +23,7 @@ func Filter(ctx context.Context, filter filterFunc, appender appendFunc, query *
}
err = appender(events...)
if err != nil {
return ThrowAppendEventError(err, "SDK-awiWK", "appender failed")
return ThrowAppendEventError(err, "SDK-awiWK", "Errors.Internal")
}
return nil
}
@ -34,7 +34,7 @@ func Filter(ctx context.Context, filter filterFunc, appender appendFunc, query *
// the given events are appended by the appender
func Push(ctx context.Context, push pushFunc, appender appendFunc, aggregaters ...AggregateFunc) (err error) {
if len(aggregaters) < 1 {
return errors.ThrowPreconditionFailed(nil, "SDK-q9wjp", "no aggregaters passed")
return errors.ThrowPreconditionFailed(nil, "SDK-q9wjp", "Errors.Internal")
}
aggregates, err := makeAggregates(ctx, aggregaters)

2
internal/form/parser.go
View File

@ -20,7 +20,7 @@ func NewParser() *Parser {
func (p *Parser) Parse(r *http.Request, data interface{}) error {
err := r.ParseForm()
if err != nil {
return errors.ThrowInternal(err, "FORM-lCC9zI", "error parsing http form")
return errors.ThrowInternal(err, "FORM-lCC9zI", "Errors.Internal")
}
return p.decoder.Decode(data, r.Form)

2
internal/login/handler/change_password_handler.go
View File

@ -33,7 +33,7 @@ func (l *Login) handleChangePassword(w http.ResponseWriter, r *http.Request) {
func (l *Login) renderChangePassword(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
var errType, errMessage string
if err != nil {
errMessage = err.Error()
errMessage = l.getErrorMessage(r, err)
}
data := userData{
baseData: l.getBaseData(r, authReq, "Change Password", errType, errMessage),

4
internal/login/handler/init_password_handler.go
View File

@ -51,7 +51,7 @@ func (l *Login) handleInitPasswordCheck(w http.ResponseWriter, r *http.Request)
func (l *Login) checkPWCode(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *initPasswordFormData, err error) {
if data.Password != data.PasswordConfirm {
err := errors.ThrowInvalidArgument(nil, "VIEW-KaGue", "passwords dont match")
err := errors.ThrowInvalidArgument(nil, "VIEW-KaGue", "Errors.User.Password.ConfirmationWrong")
l.renderInitPassword(w, r, authReq, data.UserID, data.Code, err)
return
}
@ -75,7 +75,7 @@ func (l *Login) resendPasswordSet(w http.ResponseWriter, r *http.Request, authRe
func (l *Login) renderInitPassword(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, userID, code string, err error) {
var errType, errMessage string
if err != nil {
errMessage = err.Error()
errMessage = l.getErrorMessage(r, err)
}
if userID == "" && authReq != nil {
userID = authReq.UserID

8
internal/login/handler/init_user_handler.go
View File

@ -51,7 +51,7 @@ func (l *Login) handleInitUserCheck(w http.ResponseWriter, r *http.Request) {
func (l *Login) checkUserInitCode(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *initUserFormData, err error) {
if data.Password != data.PasswordConfirm {
err := caos_errs.ThrowInvalidArgument(nil, "VIEW-fsdfd", "passwords dont match")
err := caos_errs.ThrowInvalidArgument(nil, "VIEW-fsdfd", "Errors.User.Password.ConfirmationWrong")
l.renderInitUser(w, r, nil, data.UserID, data.Code, err)
return
}
@ -79,7 +79,7 @@ func (l *Login) resendUserInit(w http.ResponseWriter, r *http.Request, authReq *
func (l *Login) renderInitUser(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, userID, code string, err error) {
var errType, errMessage string
if err != nil {
errMessage = err.Error()
errMessage = l.getErrorMessage(r, err)
}
if authReq != nil {
userID = authReq.UserID
@ -93,12 +93,12 @@ func (l *Login) renderInitUser(w http.ResponseWriter, r *http.Request, authReq *
}
func (l *Login) renderInitUserDone(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest) {
var errType, errMessage, userName string
var userName string
if authReq != nil {
userName = authReq.UserName
}
data := userData{
baseData: l.getBaseData(r, authReq, "User Init Done", errType, errMessage),
baseData: l.getBaseData(r, authReq, "User Init Done", "", ""),
UserName: userName,
}
l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplInitUserDone], data, nil)

2
internal/login/handler/login_handler.go
View File

@ -53,7 +53,7 @@ func (l *Login) handleUsernameCheck(w http.ResponseWriter, r *http.Request) {
func (l *Login) renderLogin(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
var errType, errMessage string
if err != nil {
errMessage = err.Error()
errMessage = l.getErrorMessage(r, err)
}
data := userData{
baseData: l.getBaseData(r, authReq, "Login", errType, errMessage),

2
internal/login/handler/mail_verify_handler.go
View File

@ -70,7 +70,7 @@ func (l *Login) checkMailCode(w http.ResponseWriter, r *http.Request, authReq *m
func (l *Login) renderMailVerification(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, userID string, err error) {
var errType, errMessage string
if err != nil {
errMessage = err.Error()
errMessage = l.getErrorMessage(r, err)
}
if userID == "" {
userID = authReq.UserID

2
internal/login/handler/mfa_init_verify_handler.go
View File

@ -64,7 +64,7 @@ func (l *Login) handleOtpVerify(w http.ResponseWriter, r *http.Request, authReq
func (l *Login) renderMfaInitVerify(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaVerifyData, err error) {
var errType, errMessage string
if err != nil {
errMessage = err.Error()
errMessage = l.getErrorMessage(r, err)
}
data.baseData = l.getBaseData(r, authReq, "Mfa Init Verify", errType, errMessage)
data.UserName = authReq.UserName

6
internal/login/handler/mfa_prompt_handler.go
View File

@ -39,7 +39,7 @@ func (l *Login) handleMfaPrompt(w http.ResponseWriter, r *http.Request) {
func (l *Login) renderMfaPrompt(w http.ResponseWriter, r *http.Request, authSession *model.AuthRequest, mfaPromptData *model.MfaPromptStep, err error) {
var errType, errMessage string
if err != nil {
errMessage = err.Error()
errMessage = l.getErrorMessage(r, err)
}
data := mfaData{
baseData: l.getBaseData(r, authSession, "Mfa Prompt", errType, errMessage),
@ -47,7 +47,7 @@ func (l *Login) renderMfaPrompt(w http.ResponseWriter, r *http.Request, authSess
}
if mfaPromptData == nil {
l.renderError(w, r, authSession, caos_errs.ThrowPreconditionFailed(nil, "APP-XU0tj", "No available mfa providers"))
l.renderError(w, r, authSession, caos_errs.ThrowPreconditionFailed(nil, "APP-XU0tj", "Errors.User.Mfa.NoProviders"))
return
}
@ -70,7 +70,7 @@ func (l *Login) handleMfaCreation(w http.ResponseWriter, r *http.Request, authSe
l.handleOtpCreation(w, r, authSession, data)
return
}
l.renderError(w, r, authSession, caos_errs.ThrowPreconditionFailed(nil, "APP-Or3HO", "No available mfa providers"))
l.renderError(w, r, authSession, caos_errs.ThrowPreconditionFailed(nil, "APP-Or3HO", "Errors.User.Mfa.NoProviders"))
}
func (l *Login) handleOtpCreation(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, data *mfaVerifyData) {

2
internal/login/handler/mfa_verify_handler.go
View File

@ -35,7 +35,7 @@ func (l *Login) handleMfaVerify(w http.ResponseWriter, r *http.Request) {
func (l *Login) renderMfaVerify(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, verificationStep *model.MfaVerificationStep, err error) {
var errType, errMessage string
if err != nil {
errMessage = err.Error()
errMessage = l.getErrorMessage(r, err)
}
data := userData{
baseData: l.getBaseData(r, authReq, "Mfa Verify", errType, errMessage),

2
internal/login/handler/password_handler.go
View File

@ -17,7 +17,7 @@ type passwordData struct {
func (l *Login) renderPassword(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
var errType, errMessage string
if err != nil {
errMessage = err.Error()
errMessage = l.getErrorMessage(r, err)
}
data := userData{
baseData: l.getBaseData(r, authReq, "Password", errType, errMessage),

2
internal/login/handler/password_reset_handler.go
View File

@ -22,7 +22,7 @@ func (l *Login) handlePasswordReset(w http.ResponseWriter, r *http.Request) {
func (l *Login) renderPasswordResetDone(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
var errType, errMessage string
if err != nil {
errMessage = err.Error()
errMessage = l.getErrorMessage(r, err)
}
data := userData{
baseData: l.getBaseData(r, authReq, "Password Reset Done", errType, errMessage),

4
internal/login/handler/register_handler.go
View File

@ -47,7 +47,7 @@ func (l *Login) handleRegisterCheck(w http.ResponseWriter, r *http.Request) {
return
}
if data.Password != data.Password2 {
err := caos_errs.ThrowInvalidArgument(nil, "VIEW-KaGue", "passwords dont match")
err := caos_errs.ThrowInvalidArgument(nil, "VIEW-KaGue", "Errors.User.Password.ConfirmationWrong")
l.renderRegister(w, r, authRequest, data, err)
return
}
@ -72,7 +72,7 @@ func (l *Login) handleRegisterCheck(w http.ResponseWriter, r *http.Request) {
func (l *Login) renderRegister(w http.ResponseWriter, r *http.Request, authRequest *model.AuthRequest, formData *registerFormData, err error) {
var errType, errMessage string
if err != nil {
errMessage = err.Error()
errMessage = l.getErrorMessage(r, err)
}
if formData == nil {
formData = new(registerFormData)

21
internal/login/handler/renderer.go
View File

@ -1,9 +1,10 @@
package handler
import (
"errors"
"fmt"
"github.com/caos/zitadel/internal/auth_request/model"
"github.com/caos/zitadel/internal/errors"
caos_errs "github.com/caos/zitadel/internal/errors"
"github.com/caos/zitadel/internal/i18n"
"github.com/caos/zitadel/internal/renderer"
"net/http"
@ -116,10 +117,10 @@ func CreateRenderer(staticDir http.FileSystem, cookieName string, defaultLanguag
func (l *Login) renderNextStep(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest) {
authReq, err := l.authRepo.AuthRequestByID(r.Context(), authReq.ID)
if err != nil {
l.renderInternalError(w, r, authReq, errors.ThrowInternal(nil, "APP-sio0W", "could not get authreq"))
l.renderInternalError(w, r, authReq, caos_errs.ThrowInternal(nil, "APP-sio0W", "could not get authreq"))
}
if len(authReq.PossibleSteps) == 0 {
l.renderInternalError(w, r, authReq, errors.ThrowInternal(nil, "APP-9sdp4", "no possible steps"))
l.renderInternalError(w, r, authReq, caos_errs.ThrowInternal(nil, "APP-9sdp4", "no possible steps"))
return
}
l.chooseNextStep(w, r, authReq, 0, nil)
@ -127,7 +128,7 @@ func (l *Login) renderNextStep(w http.ResponseWriter, r *http.Request, authReq *
func (l *Login) renderError(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, err error) {
if authReq == nil || len(authReq.PossibleSteps) == 0 {
l.renderInternalError(w, r, authReq, errors.ThrowInternal(err, "APP-OVOiT", "no possible steps"))
l.renderInternalError(w, r, authReq, caos_errs.ThrowInternal(err, "APP-OVOiT", "no possible steps"))
return
}
l.chooseNextStep(w, r, authReq, 0, err)
@ -164,7 +165,7 @@ func (l *Login) chooseNextStep(w http.ResponseWriter, r *http.Request, authReq *
case *model.InitUserStep:
l.renderInitUser(w, r, authReq, "", "", nil)
default:
l.renderInternalError(w, r, authReq, errors.ThrowInternal(nil, "APP-ds3QF", "step no possible"))
l.renderInternalError(w, r, authReq, caos_errs.ThrowInternal(nil, "APP-ds3QF", "step no possible"))
}
}
@ -191,6 +192,16 @@ func (l *Login) getBaseData(r *http.Request, authReq *model.AuthRequest, title s
}
}
func (l *Login) getErrorMessage(r *http.Request, err error) (errMsg string) {
caosErr := new(caos_errs.CaosError)
if errors.As(err, &caosErr) {
localized := l.renderer.LocalizeFromRequest(r, caosErr.Message, nil)
return localized + " (" + caosErr.ID + ")"
}
return err.Error()
}
func (l *Login) getTheme(r *http.Request) string {
return "zitadel" //TODO: impl
}

3
internal/login/handler/select_user_handler.go
View File

@ -14,9 +14,8 @@ type userSelectionFormData struct {
}
func (l *Login) renderUserSelection(w http.ResponseWriter, r *http.Request, authReq *model.AuthRequest, selectionData *model.SelectUserStep) {
var errType, errMessage string
data := userSelectionData{
baseData: l.getBaseData(r, authReq, "Select User", errType, errMessage),
baseData: l.getBaseData(r, authReq, "Select User", "", ""),
Users: selectionData.Users,
}
l.renderer.RenderTemplate(w, r, l.renderer.Templates[tmplUserSelection], data, nil)

37
internal/login/static/i18n/de.yaml
View File

@ -116,4 +116,41 @@ Actions:
Register: registrieren
ForgotPassword: Password zurücksetzen
Errors:
Internal: Es ist ein interner Fehler aufgetreten
AuthRequest:
NotFound: AuthRequest konnte nicht gefunden werden
User:
NotFound: Benutzer konnte nicht gefunden werden
NotMatchingUserID: User stimm nicht mit User in Auth Request überein
UserIDMissing: UserID ist leer
InvalidData: Userdaten sind ungültig
Password:
ConfirmationWrong: Passwort Bestätigung stimmt nicht überein
Empty: Passwort ist leer
Invalid: Passwort ungültig
PasswordComplexityPolicy:
NotFound: Passwort Policy konnte nicht gefunden werden
MinLength: Passwort ist zu kurz
HasLower: Passwort beinhaltet keinen klein Buchstaben
HasUpper: Passwort beinhaltet keinen gross Buchstaben
HasNumber: Passwort beinhaltet keine Nummer
HasSymbol: Passwort beinhaltet kein Symbol
Code:
Expired: Code ist abgelaufen
Invalid: Code ist ungültig
Empty: Code ist leer
CryptoCodeNil: Crypto Code ist nil
NotFound: Code konnte nicht gefunden werden
GeneratorAlgNotSupported: Generator Algorithums wird nicht unterstützt
EmailVerify:
UserIDEmpty: UserID ist leer
Mfa:
NoProviders: Es stehen keine Multifaktorprovider zur Verfügung
Otp:
AlreadyReady: Multifaktor OTP (OneTimePassword) ist bereits eingerichtet
NotExisting: Multifaktor OTP (OneTimePassword) existiert nicht
InvalidCode: Code ist ungültig
NotReady: Multifaktor OTP (OneTimePassword) ist nicht bereit
optional: (optional)

39
internal/login/static/i18n/en.yaml
View File

@ -116,4 +116,43 @@ Actions:
Register: register
ForgotPassword: Reset password
Errors:
Internal: An internal error occured
AuthRequest:
NotFound: Could not find authrequest
User:
NotFound: User could not be found
NotMatchingUserID: User and user in authrequest don't match
UserIDMissing: UserID is empty
InvalidData: Invalid userdata
Password:
ConfirmationWrong: Passwordconfirmation is wrong
Empty: Password is empty
Invalid: Passwort is invalid
PasswordComplexityPolicy:
NotFound: Password policy not found
MinLength: Password is to short
HasLower: Password must contain lower letter
HasUpper: Password must contain upper letter
HasNumber: Password must contain number
HasSymbol: Password must contain symbol
Code:
Expired: Code is expired
Invalid: Code is invalid
Empty: Code is empty
CryptoCodeNil: Crypto code is nil
NotFound: Could not find code
GeneratorAlgNotSupported: Unsupported generator algorithm
EmailVerify:
UserIDEmpty: UserID is empty
Mfa:
NoProviders: No available multifactor providers
Otp:
AlreadyReady: Multifactor OTP (OneTimePassword) is already setup
NotExisting: Multifactor OTP (OneTimePassword) doesn't exist
InvalidCode: Invalid code
NotReady: Multifactor OTP (OneTimePassword) isn't ready
optional: (optional)

10
internal/policy/model/policy_complexity.go
View File

@ -31,23 +31,23 @@ func (p *PasswordComplexityPolicy) IsValid() bool {
func (p *PasswordComplexityPolicy) Check(password string) error {
if p.MinLength != 0 && uint64(len(password)) < p.MinLength {
return caos_errs.ThrowInvalidArgumentf(nil, "MODEL-HuJf6", "Passwordpolicy doesn't match: Minlength %v", p.MinLength)
return caos_errs.ThrowInvalidArgument(nil, "MODEL-HuJf6", "Errors.User.PasswordComplexityPolicy.MinLength")
}
if p.HasLowercase && !hasStringLowerCase(password) {
return caos_errs.ThrowInvalidArgument(nil, "MODEL-co3Xw", "Passwordpolicy doesn't match: HasLowerCase")
return caos_errs.ThrowInvalidArgument(nil, "MODEL-co3Xw", "Errors.User.PasswordComplexityPolicy.HasLower")
}
if p.HasUppercase && !hasStringUpperCase(password) {
return caos_errs.ThrowInvalidArgument(nil, "MODEL-VoaRj", "Passwordpolicy doesn't match: HasUpperCase")
return caos_errs.ThrowInvalidArgument(nil, "MODEL-VoaRj", "Errors.User.PasswordComplexityPolicy.HasUpper")
}
if p.HasNumber && !hasNumber(password) {
return caos_errs.ThrowInvalidArgument(nil, "MODEL-ZBv4H", "Passwordpolicy doesn't match: HasNumber")
return caos_errs.ThrowInvalidArgument(nil, "MODEL-ZBv4H", "Errors.User.PasswordComplexityPolicy.HasNumber")
}
if p.HasSymbol && !hasSymbol(password) {
return caos_errs.ThrowInvalidArgument(nil, "MODEL-ZDLwA", "Passwordpolicy doesn't match: HasSymbol")
return caos_errs.ThrowInvalidArgument(nil, "MODEL-ZDLwA", "Errors.User.PasswordComplexityPolicy.HasSymbol")
}
return nil
}

2
internal/user/model/password.go
View File

@ -40,7 +40,7 @@ func (p *Password) HashPasswordIfExisting(policy *policy_model.PasswordComplexit
return nil
}
if policy == nil {
return caos_errs.ThrowPreconditionFailed(nil, "MODEL-s8ifS", "Policy should not be nil")
return caos_errs.ThrowPreconditionFailed(nil, "MODEL-s8ifS", "Errors.User.PasswordComplexityPolicy.NotFound")
}
if err := policy.Check(p.SecretString); err != nil {
return err

61
internal/user/repository/eventsourcing/eventstore.go
View File

@ -149,7 +149,7 @@ func (es *UserEventstore) CreateUser(ctx context.Context, user *usr_model.User,
func (es *UserEventstore) PrepareRegisterUser(ctx context.Context, user *usr_model.User, policy *policy_model.PasswordComplexityPolicy, resourceOwner string) (*model.User, []*es_models.Aggregate, error) {
user.SetEmailAsUsername()
if !user.IsValid() || user.Password == nil || user.SecretString == "" {
return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-9dk45", "user is invalid")
return nil, nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-9dk45", "Errors.User.InvalidData")
}
id, err := es.idGenerator.Next()
if err != nil {
@ -326,8 +326,11 @@ func (es *UserEventstore) InitCodeSent(ctx context.Context, userID string) error
}
func (es *UserEventstore) VerifyInitCode(ctx context.Context, policy *policy_model.PasswordComplexityPolicy, userID, verificationCode, password string) error {
if userID == "" || verificationCode == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-lo9fd", "userId or Code empty")
if userID == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-lo9fd", "Errors.User.UserIDMissing")
}
if verificationCode == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-lo9fd", "Errors.User.Code.Empty")
}
pw := &usr_model.Password{SecretString: password}
err := pw.HashPasswordIfExisting(policy, es.PasswordAlg, false)
@ -339,13 +342,15 @@ func (es *UserEventstore) VerifyInitCode(ctx context.Context, policy *policy_mod
return err
}
if existing.InitCode == nil {
return caos_errs.ThrowNotFound(nil, "EVENT-spo9W", "code not found")
return caos_errs.ThrowNotFound(nil, "EVENT-spo9W", "Errors.User.Code.NotFound")
}
repoPassword := model.PasswordFromModel(pw)
repoExisting := model.UserFromModel(existing)
var updateAggregate func(ctx context.Context) (*es_models.Aggregate, error)
if err := crypto.VerifyCode(existing.InitCode.CreationDate, existing.InitCode.Expiry, existing.InitCode.Code, verificationCode, es.InitializeUserCode); err != nil {
updateAggregate = InitCodeCheckFailedAggregate(es.AggregateCreator(), repoExisting)
es_sdk.Push(ctx, es.PushAggregates, repoExisting.AppendEvents, updateAggregate)
return err
} else {
updateAggregate = InitCodeVerifiedAggregate(es.AggregateCreator(), repoExisting, repoPassword)
}
@ -360,7 +365,7 @@ func (es *UserEventstore) VerifyInitCode(ctx context.Context, policy *policy_mod
func (es *UserEventstore) SkipMfaInit(ctx context.Context, userID string) error {
if userID == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-dic8s", "userID missing")
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-dic8s", "Errors.User.UserIDMissing")
}
user, err := es.UserByID(ctx, userID)
if err != nil {
@ -398,7 +403,7 @@ func (es *UserEventstore) CheckPassword(ctx context.Context, userID, password st
return err
}
if existing.Password == nil {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-s35Fa", "no password set")
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-s35Fa", "Errors.User.Password.Empty")
}
if err := crypto.CompareHash(existing.Password.SecretCrypto, []byte(password), es.PasswordAlg); err == nil {
return es.setPasswordCheckResult(ctx, existing, authRequest, PasswordCheckSucceededAggregate)
@ -406,7 +411,7 @@ func (es *UserEventstore) CheckPassword(ctx context.Context, userID, password st
if err := es.setPasswordCheckResult(ctx, existing, authRequest, PasswordCheckFailedAggregate); err != nil {
return err
}
return caos_errs.ThrowInvalidArgument(nil, "EVENT-452ad", "invalid password")
return caos_errs.ThrowInvalidArgument(nil, "EVENT-452ad", "Errors.User.Password.Invalid")
}
func (es *UserEventstore) setPasswordCheckResult(ctx context.Context, user *usr_model.User, authRequest *req_model.AuthRequest, check func(*es_models.AggregateCreator, *model.User, *model.AuthRequest) es_sdk.AggregateFunc) error {
@ -435,10 +440,10 @@ func (es *UserEventstore) SetPassword(ctx context.Context, policy *policy_model.
return err
}
if user.PasswordCode == nil {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-65sdr", "reset code not found")
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-65sdr", "Errors.User.Code.NotFound")
}
if err := crypto.VerifyCode(user.PasswordCode.CreationDate, user.PasswordCode.Expiry, user.PasswordCode.Code, code, es.PasswordVerificationCode); err != nil {
return caos_errs.ThrowPreconditionFailed(err, "EVENT-sd6DF", "code invalid")
return err
}
_, err = es.changedPassword(ctx, user, policy, password, false)
return err
@ -450,10 +455,10 @@ func (es *UserEventstore) ChangePassword(ctx context.Context, policy *policy_mod
return nil, err
}
if user.Password == nil {
return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-Fds3s", "user has no password")
return nil, caos_errs.ThrowPreconditionFailed(nil, "EVENT-Fds3s", "Errors.User.Password.Empty")
}
if err := crypto.CompareHash(user.Password.SecretCrypto, []byte(old), es.PasswordAlg); err != nil {
return nil, caos_errs.ThrowInvalidArgument(nil, "EVENT-s56a3", "invalid password")
return nil, caos_errs.ThrowInvalidArgument(nil, "EVENT-s56a3", "Errors.User.Password.Invalid")
}
return es.changedPassword(ctx, user, policy, new, false)
}
@ -478,7 +483,7 @@ func (es *UserEventstore) changedPassword(ctx context.Context, user *usr_model.U
func (es *UserEventstore) RequestSetPassword(ctx context.Context, userID string, notifyType usr_model.NotificationType) error {
if userID == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-dic8s", "userID missing")
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-dic8s", "Errors.User.UserIDMissing")
}
user, err := es.UserByID(ctx, userID)
if err != nil {
@ -503,7 +508,7 @@ func (es *UserEventstore) RequestSetPassword(ctx context.Context, userID string,
func (es *UserEventstore) PasswordCodeSent(ctx context.Context, userID string) error {
if userID == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-s09ow", "userID missing")
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-s09ow", "Errors.User.UserIDMissing")
}
user, err := es.UserByID(ctx, userID)
if err != nil {
@ -603,15 +608,18 @@ func (es *UserEventstore) ChangeEmail(ctx context.Context, email *usr_model.Emai
}
func (es *UserEventstore) VerifyEmail(ctx context.Context, userID, verificationCode string) error {
if userID == "" || verificationCode == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-lo9fd", "userId or Code empty")
if userID == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-lo9fd", "Errors.User.UserIDMissing")
}
if verificationCode == "" {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-skDws", "Errors.User.Code.Empty")
}
existing, err := es.UserByID(ctx, userID)
if err != nil {
return err
}
if existing.EmailCode == nil {
return caos_errs.ThrowNotFound(nil, "EVENT-lso9w", "code not found")
return caos_errs.ThrowNotFound(nil, "EVENT-lso9w", "Errors.User.Code.NotFound")
}
err = crypto.VerifyCode(existing.EmailCode.CreationDate, existing.EmailCode.Expiry, existing.EmailCode.Code, verificationCode, es.EmailVerificationCode)
@ -621,7 +629,7 @@ func (es *UserEventstore) VerifyEmail(ctx context.Context, userID, verificationC
if err := es.setEmailVerifyResult(ctx, existing, EmailVerificationFailedAggregate); err != nil {
return err
}
return caos_errs.ThrowInvalidArgument(err, "EVENT-dtGaa", "invalid code")
return caos_errs.ThrowInvalidArgument(err, "EVENT-dtGaa", "Errors.User.Code.Invalid")
}
func (es *UserEventstore) setEmailVerifyResult(ctx context.Context, existing *usr_model.User, check func(aggCreator *es_models.AggregateCreator, existing *model.User) es_sdk.AggregateFunc) error {
@ -852,7 +860,7 @@ func (es *UserEventstore) AddOTP(ctx context.Context, userID string) (*usr_model
return nil, err
}
if existing.IsOTPReady() {
return nil, caos_errs.ThrowAlreadyExists(nil, "EVENT-do9se", "user has already configured otp")
return nil, caos_errs.ThrowAlreadyExists(nil, "EVENT-do9se", "Errors.User.Mfa.Otp.AlreadyReady")
}
key, err := totp.Generate(totp.GenerateOpts{Issuer: es.Multifactors.OTP.Issuer, AccountName: userID})
if err != nil {
@ -901,8 +909,11 @@ func (es *UserEventstore) CheckMfaOTPSetup(ctx context.Context, userID, code str
if err != nil {
return err
}
if user.OTP == nil || user.IsOTPReady() {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-sd5NJ", "otp not existing or already set up")
if user.OTP == nil {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-sd5NJ", "Errors.Users.Mfa.Otp.NotExisting")
}
if user.IsOTPReady() {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-sd5NJ", "Errors.Users.Mfa.Otp.AlreadyReady")
}
if err := es.verifyMfaOTP(user.OTP, code); err != nil {
return err
@ -923,18 +934,22 @@ func (es *UserEventstore) CheckMfaOTP(ctx context.Context, userID, code string,
return err
}
if !user.IsOTPReady() {
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-sd5NJ", "opt not ready")
return caos_errs.ThrowPreconditionFailed(nil, "EVENT-sd5NJ", "Errors.User.Mfa.Otp.NotReady")
}
repoUser := model.UserFromModel(user)
repoAuthReq := model.AuthRequestFromModel(authRequest)
var aggregate func(*es_models.AggregateCreator, *model.User, *model.AuthRequest) es_sdk.AggregateFunc
if err := es.verifyMfaOTP(user.OTP, code); err != nil {
var checkErr error
if checkErr = es.verifyMfaOTP(user.OTP, code); checkErr != nil {
aggregate = MfaOTPCheckFailedAggregate
} else {
aggregate = MfaOTPCheckSucceededAggregate
}
err = es_sdk.Push(ctx, es.PushAggregates, repoUser.AppendEvents, aggregate(es.AggregateCreator(), repoUser, repoAuthReq))
if checkErr != nil {
return checkErr
}
if err != nil {
return err
}
@ -951,7 +966,7 @@ func (es *UserEventstore) verifyMfaOTP(otp *usr_model.OTP, code string) error {
valid := es.validateTOTP(code, decrypt)
if !valid {
return caos_errs.ThrowInvalidArgument(nil, "EVENT-8isk2", "Invalid code")
return caos_errs.ThrowInvalidArgument(nil, "EVENT-8isk2", "Errors.User.Mfa.Otp.InvalidCode")
}
return nil
}

8
internal/user/repository/eventsourcing/eventstore_test.go
View File

@ -1487,7 +1487,7 @@ func TestSetPassword(t *testing.T) {
password: "password",
},
res: res{
errFunc: caos_errs.IsPreconditionFailed,
errFunc: caos_errs.IsErrorInvalidArgument,
},
},
{
@ -1511,7 +1511,7 @@ func TestSetPassword(t *testing.T) {
password: "password",
},
res: res{
errFunc: caos_errs.IsPreconditionFailed,
errFunc: caos_errs.IsErrorInvalidArgument,
},
},
}
@ -3076,7 +3076,9 @@ func TestCheckMfaOTP(t *testing.T) {
},
},
},
res: res{},
res: res{
errFunc: caos_errs.IsErrorInvalidArgument,
},
},
{
name: "empty userid",

9
internal/user/repository/view/user_view.go
View File

@ -12,6 +12,9 @@ func UserByID(db *gorm.DB, table, userID string) (*model.UserView, error) {
user := new(model.UserView)
query := view.PrepareGetByKey(table, model.UserSearchKey(usr_model.USERSEARCHKEY_USER_ID), userID)
err := query(db, user)
if caos_errs.IsNotFound(err) {
return nil, caos_errs.ThrowNotFound(nil, "VIEW-sj8Sw", "Errors.User.NotFound")
}
return user, err
}
@ -19,6 +22,9 @@ func UserByUserName(db *gorm.DB, table, userName string) (*model.UserView, error
user := new(model.UserView)
query := view.PrepareGetByKey(table, model.UserSearchKey(usr_model.USERSEARCHKEY_USER_NAME), userName)
err := query(db, user)
if caos_errs.IsNotFound(err) {
return nil, caos_errs.ThrowNotFound(nil, "VIEW-Lso9s", "Errors.User.NotFound")
}
return user, err
}
@ -36,6 +42,9 @@ func GetGlobalUserByEmail(db *gorm.DB, table, email string) (*model.UserView, er
user := new(model.UserView)
query := view.PrepareGetByKey(table, model.UserSearchKey(usr_model.USERSEARCHKEY_EMAIL), email)
err := query(db, user)
if caos_errs.IsNotFound(err) {
return nil, caos_errs.ThrowNotFound(nil, "VIEW-8uWer", "Errors.User.NotFound")
}
return user, err
}

2
internal/view/requests.go
View File

@ -23,7 +23,7 @@ func PrepareGetByKey(table string, key ColumnKey, id string) func(db *gorm.DB, r
return caos_errs.ThrowNotFound(err, "VIEW-XRI9c", "object not found")
}
logging.LogWithFields("VIEW-xVShS", "AggregateID", id).WithError(err).Warn("get from view error")
return caos_errs.ThrowInternal(err, "VIEW-J92Td", "view error")
return caos_errs.ThrowInternal(err, "VIEW-J92Td", "Errors.Internal")
}
}