From 0237c2796fd43b88b0c1a8d8936e2e73b302479f Mon Sep 17 00:00:00 2001 From: Asara Date: Sat, 28 Sep 2019 08:35:49 -0400 Subject: [PATCH 1/7] Start cookie auth --- TODO.md | 1 + main.go | 12 ++++++------ packages/auth/auth.go | 2 ++ 3 files changed, 9 insertions(+), 6 deletions(-) diff --git a/TODO.md b/TODO.md index 6d8f503..1252cbf 100644 --- a/TODO.md +++ b/TODO.md @@ -1 +1,2 @@ +#. Set up cookies #. Implement comments diff --git a/main.go b/main.go index 3a597a8..71c5f49 100644 --- a/main.go +++ b/main.go @@ -52,14 +52,14 @@ func main() { func Routes() *chi.Mux { router := chi.NewRouter() - // enable cors testing - // LOCK THIS DOWN FOR PRODUCTION - cors := cors.New(cors.Options{ - AllowedOrigins: []string{"*"}, - }) + // enable cors testing + // LOCK THIS DOWN FOR PRODUCTION + cors := cors.New(cors.Options{ + AllowedOrigins: []string{"*"}, + }) router.Use( - cors.Handler, + cors.Handler, render.SetContentType(render.ContentTypeJSON), middleware.Logger, middleware.DefaultCompress, diff --git a/packages/auth/auth.go b/packages/auth/auth.go index 5e29eb3..9c11c17 100644 --- a/packages/auth/auth.go +++ b/packages/auth/auth.go @@ -42,6 +42,7 @@ type Claims struct { type JWT struct { JWT string `json:"jwt"` + Username string `json:"username"` } func Init() { @@ -151,6 +152,7 @@ func signin(w http.ResponseWriter, r *http.Request) { _, tokenString, _ := TokenAuth.Encode(claims) token := JWT{ JWT: tokenString, + Username: creds.Username, } render.JSON(w, r, token) } From ada62e95e2c4c9d20c3df529b37e483d6e1815c7 Mon Sep 17 00:00:00 2001 From: Asara Date: Sat, 5 Oct 2019 18:22:11 -0400 Subject: [PATCH 2/7] Update Readme, fix up auth --- README.md | 2 +- packages/auth/auth.go | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 6dbf687..b1e58c9 100644 --- a/README.md +++ b/README.md 
@@ -66,7 +66,7 @@ Install steps are for Debian 9 (stretch) 5. Run the application! ``` - cd ${GOPATH}/src/git.minhas.io/asara/sudoscientist + cd ${GOPATH}/src/git.minhas.io/asara/sudoscientist-go-backend for i in settings/*; do source $i; done export DB_HOST=$(docker inspect -f "{{ .NetworkSettings.IPAddress }}" sudosci-db) go get diff --git a/packages/auth/auth.go b/packages/auth/auth.go index 9c11c17..f00c447 100644 --- a/packages/auth/auth.go +++ b/packages/auth/auth.go @@ -41,8 +41,8 @@ type Claims struct { } type JWT struct { - JWT string `json:"jwt"` - Username string `json:"username"` + JWT string `json:"jwt"` + Username string `json:"username"` } func Init() { @@ -151,8 +151,8 @@ func signin(w http.ResponseWriter, r *http.Request) { } _, tokenString, _ := TokenAuth.Encode(claims) token := JWT{ - JWT: tokenString, - Username: creds.Username, + JWT: tokenString, + Username: creds.Username, } render.JSON(w, r, token) } From 8a897dc16f2aed6a901c2e3b85122597e810e240 Mon Sep 17 00:00:00 2001 From: Asara Date: Sat, 5 Oct 2019 20:21:48 -0400 Subject: [PATCH 3/7] Implement split tokens that work with curl --- packages/auth/auth.go | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/packages/auth/auth.go b/packages/auth/auth.go index f00c447..1f88f6b 100644 --- a/packages/auth/auth.go +++ b/packages/auth/auth.go @@ -12,6 +12,7 @@ import ( "github.com/go-chi/render" "golang.org/x/crypto/bcrypt" "net/http" + "strings" "time" ) @@ -41,8 +42,7 @@ type Claims struct { } type JWT struct { - JWT string `json:"jwt"` - Username string `json:"username"` + JWT string `json:"jwt"` } func Init() { @@ -114,9 +114,8 @@ func register(w http.ResponseWriter, r *http.Request) { }, } _, tokenString, _ := TokenAuth.Encode(claims) - token := JWT{ - JWT: tokenString, - } + token := setCookies(w, tokenString, expirationTime) + w.WriteHeader(http.StatusOK) render.JSON(w, r, token) } 
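Review bot: In the register hunk the encode error is still discarded by `_, tokenString, _ := TokenAuth.Encode(claims)` directly above the new `setCookies` call, so on an encode failure the handler hands an empty string to `setCookies`, which (as added later in this patch) splits it on "." and indexes the pieces without a length check. Check the error and stop before touching the response: `_, tokenString, err := TokenAuth.Encode(claims)` followed by `if err != nil { http.Error(w, "could not issue token", http.StatusInternalServerError); return }` (use `=` rather than `:=` if `err` is already declared earlier in the function). The signin and refresh hunks of this patch repeat the same pattern. register's body begins outside the hunk.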
@@ -141,7 +140,6 @@ func signin(w http.ResponseWriter, r *http.Request) { if err = bcrypt.CompareHashAndPassword([]byte(storedCreds.Password), []byte(creds.Password)); err != nil { w.WriteHeader(http.StatusUnauthorized) } - w.WriteHeader(http.StatusOK) expirationTime := time.Now().Add(5 * time.Hour) claims := &Claims{ Username: creds.Username, @@ -150,10 +148,8 @@ func signin(w http.ResponseWriter, r *http.Request) { }, } _, tokenString, _ := TokenAuth.Encode(claims) - token := JWT{ - JWT: tokenString, - Username: creds.Username, - } + token := setCookies(w, tokenString, expirationTime) + w.WriteHeader(http.StatusOK) render.JSON(w, r, token) } @@ -168,8 +164,16 @@ func refresh(w http.ResponseWriter, r *http.Request) { }, } _, tokenString, _ := TokenAuth.Encode(newClaims) - token := JWT{ - JWT: tokenString, - } + token := setCookies(w, tokenString, expirationTime) + w.WriteHeader(http.StatusOK) render.JSON(w, r, token) } + +func setCookies(w http.ResponseWriter, jwt string, expiration time.Time) string { + splitToken := strings.Split(jwt, ".") + dataCookie := http.Cookie{Name: "DataCookie", Value: strings.Join(splitToken[:2], "."), Expires: expiration, HttpOnly: false, Path: "/"} + http.SetCookie(w, &dataCookie) + signatureCookie := http.Cookie{Name: "SignatureCookie", Value: splitToken[2], Expires: expiration, HttpOnly: true, Path: "/"} + http.SetCookie(w, &signatureCookie) + return strings.Join(splitToken[:2], ".") +} From 1a2cb935401443bec8b4f9c9a99566942ed87b90 Mon Sep 17 00:00:00 2001 From: Asara Date: Sat, 5 Oct 2019 21:22:56 -0400 Subject: [PATCH 4/7] Add basic token split --- main.go | 6 +++++- packages/auth/auth.go | 4 ++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/main.go b/main.go index 71c5f49..4b048bb 100644 --- a/main.go +++ b/main.go 
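Review bot: The password-mismatch branch at the top of the first signin hunk writes `http.StatusUnauthorized` but does not return, so execution falls through to `expirationTime`, the claims and, in the following hunk, the new `setCookies` call: the token-issuing path still runs for a wrong password. Removing the stray `w.WriteHeader(http.StatusOK)` does not change that; add `return` directly after `w.WriteHeader(http.StatusUnauthorized)` so the handler stops there. As written, the later `w.WriteHeader(http.StatusOK)` would also be a second WriteHeader on the same response, which net/http logs as superfluous. The rest of signin, including the credential lookup, lies outside the hunk.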
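Review bot: `setCookies` indexes `splitToken[:2]` and `splitToken[2]` without checking that `strings.Split(jwt, ".")` produced three parts, so any malformed or empty token — for example the empty string left behind when a caller's discarded `TokenAuth.Encode` error fires — panics the handler. Guard before setting anything, `if len(splitToken) != 3 { return "" }`, and have the callers treat an empty return as a failure instead of answering `http.StatusOK`. The data cookie being `HttpOnly: false` looks intentional for the split-token scheme (script reads header and payload, only the signature stays HttpOnly), so a one-line comment saying so would help the next reader, e.g. `// header+payload is readable by the front end; only the signature is HttpOnly`. The refresh hunk above shares the ignored-error pattern and begins outside the hunk.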
@@ -55,7 +55,11 @@ func Routes() *chi.Mux { // enable cors testing // LOCK THIS DOWN FOR PRODUCTION cors := cors.New(cors.Options{ - AllowedOrigins: []string{"*"}, + AllowedOrigins: []string{"*"}, + AllowedMethods: []string{"GET", "POST"}, + ExposedHeaders: []string{"Link"}, + AllowCredentials: true, + MaxAge: 360, }) router.Use( diff --git a/packages/auth/auth.go b/packages/auth/auth.go index 1f88f6b..5b0a15b 100644 --- a/packages/auth/auth.go +++ b/packages/auth/auth.go @@ -171,9 +171,9 @@ func refresh(w http.ResponseWriter, r *http.Request) { func setCookies(w http.ResponseWriter, jwt string, expiration time.Time) string { splitToken := strings.Split(jwt, ".") - dataCookie := http.Cookie{Name: "DataCookie", Value: strings.Join(splitToken[:2], "."), Expires: expiration, HttpOnly: false, Path: "/"} + dataCookie := http.Cookie{Name: "DataCookie", Value: strings.Join(splitToken[:2], "."), Expires: expiration, HttpOnly: false, Path: "/", Domain: "sudosci.test", MaxAge: 360, Secure: false} http.SetCookie(w, &dataCookie) - signatureCookie := http.Cookie{Name: "SignatureCookie", Value: splitToken[2], Expires: expiration, HttpOnly: true, Path: "/"} + signatureCookie := http.Cookie{Name: "SignatureCookie", Value: splitToken[2], Expires: expiration, HttpOnly: true, Path: "/", Domain: "sudosci.test", MaxAge: 360, Secure: false} http.SetCookie(w, &signatureCookie) return strings.Join(splitToken[:2], ".") } From 0ce261d9bd9f96501bdf1eb416856ff126dabd9c Mon Sep 17 00:00:00 2001 From: Asara Date: Sat, 5 Oct 2019 21:43:02 -0400 Subject: [PATCH 5/7] Set fake domain for temp --- main.go | 6 +++--- packages/auth/auth.go | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/main.go b/main.go index 4b048bb..47035df 100644 --- a/main.go +++ b/main.go 
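Review bot: `AllowCredentials: true` is added while `AllowedOrigins` stays `[]string{"*"}`, so either the library emits a literal `*` alongside credentials, which browsers reject, or it reflects the caller's Origin, which lets any site make credentialed requests carrying the new auth cookies; neither is what the `LOCK THIS DOWN FOR PRODUCTION` comment wants, and the PATCH 5 hunk that widens the method and header lists inherits the same setting. Replace the wildcard with the concrete front-end origin(s), e.g. `AllowedOrigins: []string{frontendOrigin}` (a constructed name) sourced from the same settings the README already loads through environment variables, and keep the wildcard only behind an explicit development flag. `MaxAge: 360` here is the preflight cache lifetime in seconds, which is worth stating in a comment because the same number is reused with a different meaning for the cookies in the auth.go hunk of this patch.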
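Review bot: `MaxAge: 360` on both cookies takes precedence over `Expires` in browsers (RFC 6265 gives Max-Age priority), so the cookies disappear after six minutes even though `expiration` is what the caller computed for the token; keep one of the two and derive it from `expiration`, e.g. `MaxAge: int(time.Until(expiration).Seconds())`. `Domain: "sudosci.test"` and `Secure: false` are hard-coded, which means a production build serves the signature cookie over plain HTTP unless someone remembers to edit this line; read them from configuration and default `Secure` to true. Neither cookie sets `SameSite`, so with cookie-only authentication the state-changing routes are reachable from cross-site requests; `SameSite: http.SameSiteLaxMode` is the minimum here. The same two lines are touched again in the PATCH 5 hunk.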
@@ -55,9 +55,9 @@ func Routes() *chi.Mux { // enable cors testing // LOCK THIS DOWN FOR PRODUCTION cors := cors.New(cors.Options{ - AllowedOrigins: []string{"*"}, - AllowedMethods: []string{"GET", "POST"}, - ExposedHeaders: []string{"Link"}, + AllowedOrigins: []string{"*"}, + AllowedMethods: []string{"GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"}, + AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"}, AllowCredentials: true, MaxAge: 360, }) diff --git a/packages/auth/auth.go b/packages/auth/auth.go index 5b0a15b..e5abb11 100644 --- a/packages/auth/auth.go +++ b/packages/auth/auth.go @@ -171,9 +171,9 @@ func refresh(w http.ResponseWriter, r *http.Request) { func setCookies(w http.ResponseWriter, jwt string, expiration time.Time) string { splitToken := strings.Split(jwt, ".") - dataCookie := http.Cookie{Name: "DataCookie", Value: strings.Join(splitToken[:2], "."), Expires: expiration, HttpOnly: false, Path: "/", Domain: "sudosci.test", MaxAge: 360, Secure: false} + dataCookie := http.Cookie{Name: "DataCookie", Value: strings.Join(splitToken[:2], "."), Expires: expiration, HttpOnly: false, Path: "/", Domain: ".sudosci.test", MaxAge: 360, Secure: false} http.SetCookie(w, &dataCookie) - signatureCookie := http.Cookie{Name: "SignatureCookie", Value: splitToken[2], Expires: expiration, HttpOnly: true, Path: "/", Domain: "sudosci.test", MaxAge: 360, Secure: false} + signatureCookie := http.Cookie{Name: "SignatureCookie", Value: splitToken[2], Expires: expiration, HttpOnly: true, Path: "/", Domain: ".sudosci.test", MaxAge: 360, Secure: false} http.SetCookie(w, &signatureCookie) return strings.Join(splitToken[:2], ".") } From 681b0df9f540d0f8adcf152822052fd5d37e7f04 Mon Sep 17 00:00:00 2001 
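Review bot: The leading dot in `Domain: ".sudosci.test"` does not change what the browser receives: RFC 6265 ignores a leading dot in the Domain attribute, and net/http's `Cookie.String` strips it before writing the header, so this auth.go hunk is a no-op compared with the previous `"sudosci.test"`. If the goal is cookies that subdomains can read, the bare domain already does that; if the goal is host-only cookies, drop the `Domain` field instead. A comment stating which of the two is intended would save the next person the same experiment.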
From: Asara Date: Sat, 5 Oct 2019 22:35:14 -0400 Subject: [PATCH 6/7] Wrap up split cookie auth --- main.go | 6 +++--- packages/auth/auth.go | 3 ++- packages/blog/blog.go | 5 +++-- packages/middleware/auth_middleware.go | 19 +++++++++++++++++++ packages/users/users.go | 3 ++- 5 files changed, 29 insertions(+), 7 deletions(-) create mode 100644 packages/middleware/auth_middleware.go diff --git a/main.go b/main.go index 47035df..8af50a6 100644 --- a/main.go +++ b/main.go @@ -55,9 +55,9 @@ func Routes() *chi.Mux { // enable cors testing // LOCK THIS DOWN FOR PRODUCTION cors := cors.New(cors.Options{ - AllowedOrigins: []string{"*"}, - AllowedMethods: []string{"GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"}, - AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"}, + AllowedOrigins: []string{"*"}, + AllowedMethods: []string{"GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"}, + AllowedHeaders: []string{"Accept", "Authorization", "Content-Type", "X-CSRF-Token"}, AllowCredentials: true, MaxAge: 360, }) diff --git a/packages/auth/auth.go b/packages/auth/auth.go index e5abb11..a73e6a6 100644 --- a/packages/auth/auth.go +++ b/packages/auth/auth.go @@ -4,6 +4,7 @@ import ( "database/sql" "encoding/json" "fmt" + "git.minhas.io/asara/sudoscientist-go-backend/packages/middleware" "git.minhas.io/asara/sudoscientist-go-backend/packages/users" "github.com/badoux/checkmail" "github.com/dgrijalva/jwt-go" @@ -54,7 +55,7 @@ func Routes() *chi.Mux { r.Post("/signin", signin) r.Post("/register", register) r.Group(func(r chi.Router) { - r.Use(jwtauth.Verifier(TokenAuth)) + r.Use(jwtauth.Verify(TokenAuth, auth_middleware.TokenFromSplitCookie)) r.Use(jwtauth.Authenticator) r.Post("/refresh", refresh) }) diff --git a/packages/blog/blog.go b/packages/blog/blog.go index d8a2c23..640e30b 100644 --- a/packages/blog/blog.go +++ b/packages/blog/blog.go 
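Review bot: The new import `git.minhas.io/asara/sudoscientist-go-backend/packages/middleware` is referenced as `auth_middleware.TokenFromSplitCookie`, so the identifier depends on the package clause in that directory being `auth_middleware` rather than matching the path; give the import an explicit name, `authmw "git.minhas.io/asara/sudoscientist-go-backend/packages/middleware"`, and write `authmw.TokenFromSplitCookie` (Go package names avoid underscores). The swap from `jwtauth.Verifier` to `jwtauth.Verify(TokenAuth, auth_middleware.TokenFromSplitCookie)` also appears to drop the `Authorization` header extractor that `Verifier` installs (it wraps `Verify` with the header and cookie extractors), so clients that sent a bearer token stop authenticating; if that is intended, say so in a comment on this line. The same two changes are repeated in the blog.go and users.go hunks of this patch.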
@@ -4,6 +4,7 @@ import ( "database/sql" "encoding/json" "fmt" + "git.minhas.io/asara/sudoscientist-go-backend/packages/middleware" "github.com/go-chi/chi" "github.com/go-chi/jwtauth" "github.com/go-chi/render" @@ -79,13 +80,13 @@ func Init() { func Routes() *chi.Mux { r := chi.NewRouter() r.Group(func(r chi.Router) { - r.Use(jwtauth.Verifier(TokenAuth)) + r.Use(jwtauth.Verify(TokenAuth, auth_middleware.TokenFromSplitCookie)) r.Use(jwtauth.Authenticator) r.Post("/", createBlogPost) r.Patch("/by-id/{id}", updateBlogPostById) + r.Get("/by-slug/{slug}", getBlogPostBySlug) }) r.Get("/", getBlogPosts) - r.Get("/by-slug/{slug}", getBlogPostBySlug) r.Get("/by-id/{id}", getBlogPostById) r.Get("/by-tag/{tag}", getBlogPostsByTag) r.Get("/by-author/{author}", getBlogPostsByAuthor) diff --git a/packages/middleware/auth_middleware.go b/packages/middleware/auth_middleware.go new file mode 100644 index 0000000..2d62a95 --- /dev/null +++ b/packages/middleware/auth_middleware.go @@ -0,0 +1,19 @@ +package auth_middleware + +import ( + "fmt" + "net/http" +) + +func TokenFromSplitCookie(r *http.Request) string { + dataCookie, err := r.Cookie("DataCookie") + if err != nil { + return "" + } + signatureCookie, err := r.Cookie("SignatureCookie") + if err != nil { + return "" + } + cookie := dataCookie.Value + "." + signatureCookie.Value + return cookie +} diff --git a/packages/users/users.go b/packages/users/users.go index 581ae46..a1aa6c6 100644 --- a/packages/users/users.go +++ b/packages/users/users.go @@ -4,6 +4,7 @@ import ( "database/sql" "encoding/json" "fmt" + "git.minhas.io/asara/sudoscientist-go-backend/packages/middleware" "github.com/go-chi/chi" "github.com/go-chi/jwtauth" "github.com/go-chi/render" @@ -36,7 +37,7 @@ func Init() { func Routes() *chi.Mux { r := chi.NewRouter() r.Group(func(r chi.Router) { - r.Use(jwtauth.Verifier(TokenAuth)) + r.Use(jwtauth.Verify(TokenAuth, auth_middleware.TokenFromSplitCookie)) r.Use(jwtauth.Authenticator) r.Put("/{username}", updateUser) }) 
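Review bot: The new file imports `fmt` but never uses it, so `packages/middleware/auth_middleware.go` does not compile (Go rejects unused imports); drop the `"fmt"` line. With this extractor the cookie pair becomes the only credential accepted by the guarded routes, and nothing in the series checks the `X-CSRF-Token` header that the CORS configuration admits, so the browser attaches the cookies to cross-site requests against the protected POST/PATCH/PUT routes unless `SameSite` is set on them. `TokenFromSplitCookie` is exported and deserves a doc comment, e.g. `// TokenFromSplitCookie reassembles the JWT from the DataCookie (header.payload) and SignatureCookie cookies; it returns "" when either is absent.`. The `cookie := ...; return cookie` pair can simply be `return dataCookie.Value + "." + signatureCookie.Value`.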
From dcf11108ce6a46b85be5eeba57edc5873e8d73e8 Mon Sep 17 00:00:00 2001 From: Asara Date: Sat, 5 Oct 2019 22:45:01 -0400 Subject: [PATCH 7/7] Finished auth --- TODO.md | 1 - 1 file changed, 1 deletion(-) diff --git a/TODO.md b/TODO.md index 1252cbf..6d8f503 100644 --- a/TODO.md +++ b/TODO.md @@ -1,2 +1 @@ -#. Set up cookies #. Implement comments