feat: Add logout functionality and security scanning tools

- Implemented user logout endpoint to revoke refresh tokens.
- Added new Makefile commands for security scanning with gosec and nancy.
- Created configuration file for gosec and updated README with new commands.
- Introduced scripts for running TOTP tests securely without hardcoded credentials.
- Enhanced API documentation to include logout functionality and related DTOs.

Author: gjovanovicst

.gosec.json

@@ -0,0 +1,16 @@
+{
+  "severity": "medium",
+  "confidence": "medium",
+  "exclude-rules": [],
+  "include-rules": [],
+  "exclude-dirs": ["vendor/", "node_modules/"],
+  "tests": true,
+  "exclude-generated": true,
+  "nosec": false,
+  "nosec-tag": "nosec",
+  "fmt": "json",
+  "stdout": true,
+  "verbose": false,
+  "output": "",
+  "log": ""
+}

Makefile

@@ -18,6 +18,16 @@ dev:
 test:
 	go test -v ./...
 
+# Run the TOTP test (requires TEST_TOTP_SECRET environment variable)
+test-totp:
+	@if [ -z "$$TEST_TOTP_SECRET" ]; then \
+		echo "Error: TEST_TOTP_SECRET environment variable is required"; \
+		echo "Set it with: export TEST_TOTP_SECRET=your_secret_here"; \
+		echo "Or run: ./run_test_secret.sh"; \
+		exit 1; \
+	fi
+	go run test_specific_secret.go
+
 # Clean build artifacts and temporary files
 clean:
 	rm -rf bin/
@@ -41,6 +51,22 @@ fmt:
 lint:
 	golangci-lint run
 
+# Install security scanning tools
+install-security-tools:
+	go install github.com/securego/gosec/v2/cmd/gosec@latest
+	go install github.com/sonatype-nexus-community/nancy@latest
+
+# Run security scan with gosec
+security-scan:
+	gosec -conf .gosec.json ./...
+
+# Run vulnerability scan with nancy
+vulnerability-scan:
+	go list -json -deps ./... | nancy sleuth
+
+# Run all security checks
+security: security-scan vulnerability-scan
+
 # Build for production
 build-prod:
 	CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o bin/api ./cmd/api
@@ -82,11 +108,16 @@ help:
 	@echo "  run                  - Run the application"
 	@echo "  dev                  - Run with hot reload (Air)"
 	@echo "  test                 - Run tests"
+	@echo "  test-totp            - Run TOTP test (requires TEST_TOTP_SECRET env var)"
 	@echo "  clean                - Clean build artifacts"
 	@echo "  install-air          - Install Air for hot reloading"
 	@echo "  setup                - Setup development environment"
 	@echo "  fmt                  - Format code"
 	@echo "  lint                 - Run linter"
+	@echo "  install-security-tools - Install gosec and nancy security scanners"
+	@echo "  security-scan        - Run gosec security scanner"
+	@echo "  vulnerability-scan   - Run nancy vulnerability scanner"
+	@echo "  security             - Run all security checks"
 	@echo "  build-prod           - Build for production"
 	@echo "  docker-dev           - Run development environment with Docker"
 	@echo "  docker-compose-build - Build Docker images using docker-compose"

README.md

@@ -106,11 +106,16 @@ The following `make` commands are available for development, testing, building,
 | `make run`             | Run the application without hot reload.                          |
 | `make dev`             | Run with hot reload using [Air](https://github.com/air-verse/air).|
 | `make test`            | Run all Go tests with verbose output.                            |
+| `make test-totp`       | Run TOTP test (requires `TEST_TOTP_SECRET` environment variable). |
 | `make clean`           | Remove build artifacts and temporary files.                      |
 | `make install-air`     | Install Air for hot reloading.                                   |
 | `make setup`           | Setup development environment (installs Air, tidy/download deps). |
 | `make fmt`             | Format code using `go fmt`.                                      |
 | `make lint`            | Run linter (`golangci-lint`).                                    |
+| `make install-security-tools` | Install security scanning tools (`gosec` and `nancy`).    |
+| `make security-scan`   | Run gosec security scanner.                                      |
+| `make vulnerability-scan` | Run nancy vulnerability scanner.                               |
+| `make security`        | Run all security checks (gosec + nancy).                         |
 | `make build-prod`      | Build for production (Linux, static binary).                     |
 | `make docker-dev`      | Run development environment with Docker (`./dev.sh`).             |
 | `make docker-compose-build` | Build Docker images using docker-compose.                  |
@@ -128,6 +133,7 @@ The following `make` commands are available for development, testing, building,
 ### Authentication
 - `POST /register` — User registration
 - `POST /login` — User login (with 2FA support)
+- `POST /logout` — User logout and token revocation (protected)
 - `POST /refresh-token` — Refresh JWT tokens
 - `GET /verify-email` — Email verification
 - `POST /forgot-password` — Request password reset

cmd/api/main.go

@@ -109,6 +109,7 @@ func main() {
 	protected.Use(middleware.AuthMiddleware())
 	{
 		protected.GET("/profile", userHandler.GetProfile)
+		protected.POST("/logout", userHandler.Logout)
 
 		// 2FA management routes
 		protected.POST("/2fa/generate", twofaHandler.Generate2FA)

docs/API.md

@@ -12,6 +12,12 @@
 - Request: `{ "email": "[email protected]", "password": "..." }`
 - Response: `{ "success": true, "data": { "token": "..." } }`
 
+### Logout
+- `POST /logout`
+- Header: `Authorization: Bearer <access_token>`
+- Request: `{ "refresh_token": "..." }`
+- Response: `{ "message": "Successfully logged out" }`
+
 ### Refresh Token
 - `POST /refresh-token`
 - Request: `{ "refresh_token": "..." }`

docs/docs.go

@@ -683,6 +683,63 @@ const docTemplate = `{
                 }
             }
         },
+        "/logout": {
+            "post": {
+                "security": [
+                    {
+                        "ApiKeyAuth": []
+                    }
+                ],
+                "description": "Logout user and revoke refresh token",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Auth"
+                ],
+                "summary": "User logout",
+                "parameters": [
+                    {
+                        "description": "Logout Data",
+                        "name": "logout",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/dto.LogoutRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/dto.MessageResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/dto.ErrorResponse"
+                        }
+                    },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/dto.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/dto.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
         "/profile": {
             "get": {
                 "security": [
@@ -970,6 +1027,17 @@ const docTemplate = `{
                 }
             }
         },
+        "dto.LogoutRequest": {
+            "type": "object",
+            "required": [
+                "refresh_token"
+            ],
+            "properties": {
+                "refresh_token": {
+                    "type": "string"
+                }
+            }
+        },
         "dto.MessageResponse": {
             "type": "object",
             "properties": {

docs/implementation_phases/README.md

@@ -9,3 +9,4 @@ This folder contains detailed plans for each phase of the project:
 - Phase 5: API Endpoints and Middleware Implementation
 - Phase 6: Testing and Deployment Strategy
 - Phase 7: Documentation and Deployment
+- Phase 8: Two Factor Authentication Implementation

docs/swagger.json

@@ -677,6 +677,63 @@
                 }
             }
         },
+        "/logout": {
+            "post": {
+                "security": [
+                    {
+                        "ApiKeyAuth": []
+                    }
+                ],
+                "description": "Logout user and revoke refresh token",
+                "consumes": [
+                    "application/json"
+                ],
+                "produces": [
+                    "application/json"
+                ],
+                "tags": [
+                    "Auth"
+                ],
+                "summary": "User logout",
+                "parameters": [
+                    {
+                        "description": "Logout Data",
+                        "name": "logout",
+                        "in": "body",
+                        "required": true,
+                        "schema": {
+                            "$ref": "#/definitions/dto.LogoutRequest"
+                        }
+                    }
+                ],
+                "responses": {
+                    "200": {
+                        "description": "OK",
+                        "schema": {
+                            "$ref": "#/definitions/dto.MessageResponse"
+                        }
+                    },
+                    "400": {
+                        "description": "Bad Request",
+                        "schema": {
+                            "$ref": "#/definitions/dto.ErrorResponse"
+                        }
+                    },
+                    "401": {
+                        "description": "Unauthorized",
+                        "schema": {
+                            "$ref": "#/definitions/dto.ErrorResponse"
+                        }
+                    },
+                    "500": {
+                        "description": "Internal Server Error",
+                        "schema": {
+                            "$ref": "#/definitions/dto.ErrorResponse"
+                        }
+                    }
+                }
+            }
+        },
         "/profile": {
             "get": {
                 "security": [
@@ -964,6 +1021,17 @@
                 }
             }
         },
+        "dto.LogoutRequest": {
+            "type": "object",
+            "required": [
+                "refresh_token"
+            ],
+            "properties": {
+                "refresh_token": {
+                    "type": "string"
+                }
+            }
+        },
         "dto.MessageResponse": {
             "type": "object",
             "properties": {

docs/swagger.yaml

@@ -29,6 +29,13 @@ definitions:
       refresh_token:
         type: string
     type: object
+  dto.LogoutRequest:
+    properties:
+      refresh_token:
+        type: string
+    required:
+    - refresh_token
+    type: object
   dto.MessageResponse:
     properties:
       message:
@@ -582,6 +589,42 @@ paths:
       summary: User login
       tags:
       - Auth
+  /logout:
+    post:
+      consumes:
+      - application/json
+      description: Logout user and revoke refresh token
+      parameters:
+      - description: Logout Data
+        in: body
+        name: logout
+        required: true
+        schema:
+          $ref: '#/definitions/dto.LogoutRequest'
+      produces:
+      - application/json
+      responses:
+        "200":
+          description: OK
+          schema:
+            $ref: '#/definitions/dto.MessageResponse'
+        "400":
+          description: Bad Request
+          schema:
+            $ref: '#/definitions/dto.ErrorResponse'
+        "401":
+          description: Unauthorized
+          schema:
+            $ref: '#/definitions/dto.ErrorResponse'
+        "500":
+          description: Internal Server Error
+          schema:
+            $ref: '#/definitions/dto.ErrorResponse'
+      security:
+      - ApiKeyAuth: []
+      summary: User logout
+      tags:
+      - Auth
   /profile:
     get:
       description: Retrieve authenticated user's profile information

internal/twofa/handler.go

@@ -1,6 +1,7 @@
 package twofa
 
 import (
+	"fmt"
 	"net/http"
 
 	"github.com/gin-gonic/gin"
@@ -272,5 +273,8 @@ func generateTokensForUser(userID string) (string, string, error) {
 
 // clearTempSession clears the temporary 2FA session
 func clearTempSession(tempToken string) {
-	redis.DeleteTempUserSession(tempToken)
+	if err := redis.DeleteTempUserSession(tempToken); err != nil {
+		// Log the error but don't fail the operation since the user is already authenticated
+		fmt.Printf("Warning: Failed to delete temporary user session %s: %v\n", tempToken, err)
+	}
 }