victorsteven / go-jwt-postgres-mysql-restful-api Goto Github PK

I think it would be better practice in login_controller.go to only issue a bearer token after explicitely checking that the user-provided password matches the hash after using bcrypt. In its current state the default is to provide a token if one specific error is not met.

if err != nil && err == bcrypt.ErrMismatchedHashAndPassword {

From what I understand the only case where this might be kind of exploited is, when the DB-stored passwords are not bcrypt hashes, which results in:
var ErrHashTooShort = "crypto/bcrypt: hashedSecret too short to be a bcrypted password"

I had that case because I had unencrypted test-data in my database.

Eventhough the attack surface might be limited here I would suggest to modify the code to teach and encourage safe best-practices.

How to validate:

• Register a new user
• change the bcrypt hash in the database to "test"
• Login with any password will issue a token from now on
• ...
• Profit :-)

`We are getting the env values
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0xb0 pc=0x434d526]

goroutine 1 [running]:
github.com/jinzhu/gorm.(*DB).clone(0x0, 0x0)
/Users/go/src/github.com/jinzhu/gorm/main.go:856 +0x26
github.com/jinzhu/gorm.(*DB).Debug(...)
/Users/go/src/github.com/jinzhu/gorm/main.go:531
github.com/gouthamjm/backend/crud/api/controllers.(*Server).Initialize(0x487f090, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
/Users/go/src/github.com/gouthamjm/backend/crud/api/controllers/base.go:59 +0xc5
github.com/gouthamjm/backend/crud/api.Run()
/Users/go/src/github.com/gouthamjm/backend/crud/api/server.go:32 +0x265
main.main()
/Users/go/src/github.com/gouthamjm/backend/crud/main.go:6 +0x25
exit status 2
`

I run into the following issue when using MySQL 5.7 and MariaDB 10.4

Error

go test -v --run TestFindAllUsers
We are connected to the mysql database
=== RUN   TestFindAllUsers
2020/03/05 11:23:21 Error 1217: Cannot delete or update a parent row: a foreign key constraint fails
exit status 1

Workaround

Disable foreign_key_checks before dropping the table then re-enable them.

        server.DB.Exec("SET foreign_key_checks=0")
        err := server.DB.Debug().DropTableIfExists(&models.User{}).Error
        if err != nil {
                return err
        }
        server.DB.Exec("SET foreign_key_checks=1")

Can errorMessage be omitted from the TestGetPostByID Method? Its not used anywhere else other than the struct.

Hello,

When I do go run main.go (on windows) I have error :

PS C:\www\SILVER\go> go run .\main.go
# github.com/mattn/go-sqlite3
/usr/lib/gcc/x86_64-pc-cygwin/10/../../../../x86_64-pc-cygwin/bin/ld: cannot find -lmingwex
/usr/lib/gcc/x86_64-pc-cygwin/10/../../../../x86_64-pc-cygwin/bin/ld: cannot find -lmingw32
collect2: error: ld returned 1 exit status
# github.com/mattn/go-sqlite3
sqlite3-binding.c: In function 'sqlite3SelectNew':
sqlite3-binding.c:123303:10: warning: function may return address of local variable [-Wreturn-local-addr]
123303 |   return pNew;
       |          ^~~~
sqlite3-binding.c:123263:10: note: declared here
123263 |   Select standin;
       |          ^~~~~~~

Thanks

I moved Server Struc to config/config.go
but it does not work
Unresolved type 'Server'

Hello Victor nice work with your code. When I try to pull down the package in main.go I get this error

Repository not found.
fatal: repository 'https://github.com/victorsteven/fullstack/' not found
package github.com/victorsteven/fullstack/api: exit status 128

I see you import "github.com/jinzhu/gorm"
and not gorm.io/gorm

It is the same ?

Thanks