WIP: a bug is left to fix for validate middleware

Author: beevk

FixMe.md

@@ -0,0 +1,68 @@
+# Bug to fix
+
+Route Registration (Happens Once): When your server starts, the setupUserRoutes method runs and registers routes:
+`r.Post("/register", s.registerUser())`
+
+This calls `registerUser()` immediately (not per request) and uses its return value as the handler.
+
+Handler Creation (Happens Once): The `registerUser()` method executes and:
+- Creates any local variables in its scope
+- Returns a handler function via validatePayload
+- The returned handler is stored by the router
+- Request Handling (Happens Per Request):
+- When requests arrive, the previously stored handler function is executed in a new goroutine.
+
+
+The payload variable is:
+- Created once when registerUser() runs during setup
+- It Shared across all requests because:
+  - It's in the closure's outer scope. The closure is created once but executed many times.
+  - All executions reference the same memory location.
+
+## Solution / Fix
+The fix is moving the payload declaration inside the handler function so each request creates its own instance.\
+OR\
+Use middleware to bind and validate the payload.
+
+```go
+func (s *Server) registerUser() http.HandlerFunc {
+    return func(w http.ResponseWriter, r *http.Request) {
+        var payload domain.RegisterPayload
+        if err := validateAndDecode(r, &payload); err != nil {
+            badRequestResponse(w, err)
+            return
+        }
+        
+        user, err := s.domain.Register(payload)
+        // rest of your handler...
+    }
+}
+
+```
+
+```go
+// // PayloadValidation is the interface that all payload types must implement
+type PayloadValidation interface {
+IsValid() (bool, map[string]string)
+}
+
+// validateAndDecode decodes the request body into the provided payload and validates it
+func validateAndDecode(r *http.Request, payload PayloadValidation) error {
+    // Decode JSON from request body
+    if err := json.NewDecoder(r.Body).Decode(payload); err != nil {
+        return fmt.Errorf("invalid JSON: %w", err)
+    }
+
+    // Validate using the IsValid method from the interface
+    hasErrors, errors := payload.IsValid()
+    if hasErrors {
+        // Convert the errors map to a structured error
+        // You could return the first error, all errors, or create a custom error type
+        for field, message := range errors {
+            return fmt.Errorf("%s: %s", field, message)
+        }
+    }
+
+    return nil
+}
+```

domain/auth.go

@@ -16,6 +16,22 @@ type RegisterPayload struct {
 	Username        string `json:"username"`
 }
 
+type LoginPayload struct {
+	Email    string `json:"email"`
+	Password string `json:"password"`
+}
+
+func (r *LoginPayload) IsValid() (bool, map[string]string) {
+	v := NewValidator()
+
+	v.MustNotBeEmpty("email", r.Email)
+	v.MustBeValidEmail("email", r.Email)
+
+	v.MustNotBeEmpty("password", r.Password)
+
+	return v.HasErrors(), v.errors
+}
+
 func (r *RegisterPayload) IsValid() (bool, map[string]string) {
 	v := NewValidator()
 
@@ -65,6 +81,19 @@ func (d *Domain) Register(payload RegisterPayload) (*User, error) {
 	return user, nil
 }
 
+func (d *Domain) Login(payload LoginPayload) (*User, error) {
+	user, err := d.DB.UserRepo.GetByEmail(payload.Email)
+	if err != nil || user == nil {
+		return nil, ErrInternalServerError
+	}
+	err = user.CheckPassword(payload.Password)
+	if err != nil {
+		return nil, ErrInvalidCredentials
+	}
+
+	return user, nil
+}
+
 func (d *Domain) hashPassword(password string) (*string, error) {
 	bytePassword := []byte(password)
 	hashedPassword, err := bcrypt.GenerateFromPassword(bytePassword, bcrypt.DefaultCost)

domain/errors.go

@@ -9,6 +9,11 @@ var (
 	ErrUserWithUsernameAlreadyExists = errors.New("user with username already exists")
 	ErrUserWithEmailAlreadyExists    = errors.New("user with email already exists")
 	ErrNoResult                      = errors.New("no result found")
+	ErrUnauthorized                  = errors.New("unauthorized")
+	ErrForbidden                     = errors.New("forbidden")
+	ErrInternalServerError           = errors.New("internal server error")
+	ErrBadRequest                    = errors.New("bad request")
+	ErrInvalidCredentials            = errors.New("invalid credentials. Please check your email and password")
 )
 
 type ErrNotLongEnough struct {

domain/todos.go

@@ -8,7 +8,7 @@ type ToDo struct {
 	tableName struct{} `pg:"todos"`
 	ID        int64    `json:"id"`
 	Title     string   `json:"title"`
-	Completed bool     `json:"completed"`
+	Completed bool     `json:"completed" pg:",use_zero"` // use_zero to store false value instead of NULL
 	UserID    int64    `json:"userId"`
 
 	CreatedAt time.Time `json:"createdAt"`

domain/users.go

@@ -5,6 +5,7 @@ import (
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
+	"golang.org/x/crypto/bcrypt"
 )
 
 type User struct {
@@ -44,6 +45,11 @@ func (u *User) GenerateToken() (*JWTToken, error) {
 	}, nil
 }
 
+func (u *User) CheckPassword(password string) error {
+	passwordAsBytes, userProvidedPasswordAsBytes := []byte(u.Password), []byte(password)
+	return bcrypt.CompareHashAndPassword(passwordAsBytes, userProvidedPasswordAsBytes)
+}
+
 func (d *Domain) GetUserById(id int64) (*User, error) {
 	user, err := d.DB.UserRepo.GetById(id)
 	if err != nil {

handlers/middlewares.go

@@ -13,10 +13,6 @@ import (
 	"github.com/golang-jwt/jwt/v5"
 )
 
-var (
-	ForbiddenErr = errors.New("forbidden")
-)
-
 func badRequestResponse(w http.ResponseWriter, err error) {
 	data := map[string]string{"error": err.Error()}
 	JsonResponse(w, data, http.StatusBadRequest)
@@ -142,7 +138,7 @@ func (s *Server) withOwner(contextKey string) func(next http.Handler) http.Handl
 
 			isOwner := r.Context().Value(contextKey).(domain.HasOwner).IsOwner(user)
 			if !isOwner {
-				forbiddenResponse(w, ForbiddenErr)
+				forbiddenResponse(w, domain.ErrForbidden)
 				return
 			}
 

handlers/userRoutes.go

@@ -7,5 +7,6 @@ import (
 func (s *Server) setupUserRoutes(r chi.Router) {
 	r.Route("/users", func(r chi.Router) {
 		r.Post("/register", s.registerUser())
+		r.Post("/login", s.loginUser())
 	})
 }

handlers/users.go

@@ -14,7 +14,6 @@ type authResponse struct {
 
 func (s *Server) registerUser() http.HandlerFunc {
 	var payload domain.RegisterPayload
-
 	return validatePayload(func(w http.ResponseWriter, r *http.Request) {
 		user, err := s.domain.Register(payload)
 		if err != nil {
@@ -49,3 +48,25 @@ func (s *Server) getUserFromContext(r *http.Request) (*domain.User, error) {
 
 	return user, nil
 }
+
+func (s *Server) loginUser() http.HandlerFunc {
+	var payload domain.LoginPayload
+	return validatePayload(func(w http.ResponseWriter, r *http.Request) {
+		user, err := s.domain.Login(payload)
+		if err != nil {
+			unauthorizedResponse(w, err)
+			return
+		}
+
+		// Generate JWT token
+		token, err := user.GenerateToken()
+		if err != nil {
+			internalServerErrorResponse(w, err)
+			return
+		}
+		utils.JsonResponse(w, &authResponse{
+			User:  user,
+			Token: token,
+		}, http.StatusOK)
+	}, &payload)
+}