ms-auth/internal/users/usecase/usecase.go

package usecase

import (
	"context"
	"errors"
	"git.sch9.ru/new_gate/ms-auth/config"
	"git.sch9.ru/new_gate/ms-auth/internal/models"
	"git.sch9.ru/new_gate/ms-auth/internal/users"
	"git.sch9.ru/new_gate/ms-auth/pkg"
	"github.com/golang-jwt/jwt/v4"
	"github.com/google/uuid"
	"time"
)

type UseCase struct {
	userRepo    users.PgRepository
	sessionRepo users.ValkeyRepository
	cfg         config.Config
}

func NewUseCase(
	userRepo users.PgRepository,
	sessionRepo users.ValkeyRepository,
	cfg config.Config,
) *UseCase {
	return &UseCase{
		userRepo:    userRepo,
		sessionRepo: sessionRepo,
		cfg:         cfg,
	}
}

func (u *UseCase) CreateUser(ctx context.Context, username string, password string, role models.Role) (int32, error) {
	const op = "UseCase.CreateUser"

	meId, ok := ctx.Value("userId").(int32)
	if !ok {
		return 0, pkg.Wrap(pkg.ErrUnauthenticated, nil, op, "no user id in context")
	}

	me, err := u.userRepo.C().ReadUserById(ctx, meId)
	if err != nil {
		return 0, pkg.Wrap(nil, err, op, "can't read user by id")
	}

	if !me.Role.AtLeast(models.RoleModerator) || me.Role.AtMost(role) && !me.Role.IsAdmin() {
		return 0, pkg.Wrap(pkg.NoPermission, nil, op, "no permission")
	}

	id, err := u.userRepo.C().CreateUser(ctx, username, password, role)
	if err != nil {
		return 0, pkg.Wrap(nil, err, op, "can't create user")
	}

	return id, nil
}

func (u *UseCase) ReadUserById(ctx context.Context, id int32) (*models.User, error) {
	const op = "UseCase.ReadUserById"

	user, err := u.userRepo.C().ReadUserById(ctx, id)
	if err != nil {
		return nil, pkg.Wrap(nil, err, op, "can't read user by id")
	}
	return user, nil
}

func (u *UseCase) ReadUserByUsername(ctx context.Context, username string) (*models.User, error) {
	const op = "UseCase.ReadUserByUsername"

	user, err := u.userRepo.C().ReadUserByUsername(ctx, username)
	if err != nil {
		return nil, pkg.Wrap(nil, err, op, "can't read user by username")
	}
	return user, nil
}

func (u *UseCase) UpdateUser(ctx context.Context, id int32, username *string, role *models.Role) error {
	const op = "UseCase.UpdateUser"

	meId, ok := ctx.Value("userId").(int32)
	if !ok {
		return pkg.Wrap(pkg.ErrUnauthenticated, nil, op, "no user id in context")
	}

	me, err := u.userRepo.C().ReadUserById(ctx, meId)
	if err != nil {
		return pkg.Wrap(nil, err, op, "can't read user by id")
	}

	user, err := u.userRepo.C().ReadUserById(ctx, id)
	if err != nil {
		return pkg.Wrap(nil, err, op, "can't read user by id")
	}

	hasPermission := func() bool {
		if me.Id == user.Id && role != nil {
			return false
		}
		if me.Role.IsAdmin() {
			return true
		}
		if role != nil && me.Role.AtMost(*role) {
			return false
		}
		if !me.Role.AtMost(user.Role) {
			return true
		}
		return false
	}()

	if !hasPermission {
		return pkg.Wrap(pkg.NoPermission, nil, op, "no permission")
	}

	tx, err := u.userRepo.BeginTx(ctx)
	if err != nil {
		return pkg.Wrap(nil, err, op, "cannot start transaction")
	}

	err = tx.UpdateUser(ctx, id, username, role)
	if err != nil {
		return pkg.Wrap(nil, errors.Join(err, tx.Rollback()), op, "cannot update user")
	}
	err = u.sessionRepo.DeleteAllSessions(ctx, id)
	if err != nil {
		return pkg.Wrap(nil, errors.Join(err, tx.Rollback()), op, "cannot delete all sessions")
	}
	err = tx.Commit()
	if err != nil {
		return pkg.Wrap(nil, err, op, "cannot commit transaction")
	}

	return nil
}

func (u *UseCase) DeleteUser(ctx context.Context, id int32) error {
	const op = "UseCase.DeleteUser"

	userId, ok := ctx.Value("userId").(int32)
	if !ok {
		return pkg.Wrap(pkg.ErrUnauthenticated, nil, op, "no user id in context")
	}

	me, err := u.ReadUserById(ctx, userId)
	if err != nil {
		return pkg.Wrap(nil, err, op, "can't read user by id")
	}

	if me.Id == id || !me.Role.IsAdmin() {
		return pkg.Wrap(pkg.NoPermission, nil, op, "no permission")
	}

	tx, err := u.userRepo.BeginTx(ctx)
	if err != nil {
		return pkg.Wrap(nil, err, op, "cannot start transaction")
	}

	err = tx.DeleteUser(ctx, id)
	if err != nil {
		return pkg.Wrap(nil, errors.Join(err, tx.Rollback()), op, "cannot delete user")
	}

	err = u.sessionRepo.DeleteAllSessions(ctx, id)
	if err != nil {
		return pkg.Wrap(nil, errors.Join(err, tx.Rollback()), op, "cannot delete all sessions")
	}
	err = tx.Commit()
	if err != nil {
		return pkg.Wrap(nil, err, op, "cannot commit transaction")
	}

	return nil
}

func (u *UseCase) CreateSession(ctx context.Context, userId int32, role models.Role) (string, error) {
	const op = "UseCase.CreateSession"

	sessionId, err := u.sessionRepo.CreateSession(ctx, userId, role)
	if err != nil {
		return "", pkg.Wrap(nil, err, op, "cannot create session")
	}

	return sessionId, nil
}

func (u *UseCase) ReadSession(ctx context.Context, sessionId string) (*models.Session, error) {
	const op = "UseCase.ReadSession"

	session, err := u.sessionRepo.ReadSession(ctx, sessionId)
	if err != nil {
		return nil, pkg.Wrap(nil, err, op, "cannot read session")
	}
	return session, nil
}

func (u *UseCase) UpdateSession(ctx context.Context, sessionId string) error {
	const op = "UseCase.UpdateSession"

	err := u.sessionRepo.UpdateSession(ctx, sessionId)
	if err != nil {
		return pkg.Wrap(nil, err, op, "cannot update session")
	}
	return nil
}

func (u *UseCase) DeleteSession(ctx context.Context, sessionId string) error {
	const op = "UseCase.DeleteSession"

	err := u.sessionRepo.DeleteSession(ctx, sessionId)
	if err != nil {
		return pkg.Wrap(nil, err, op, "cannot delete session")
	}
	return nil
}

func (u *UseCase) DeleteAllSessions(ctx context.Context, userId int32) error {
	const op = "UseCase.DeleteAllSessions"

	err := u.sessionRepo.DeleteAllSessions(ctx, userId)
	if err != nil {
		return pkg.Wrap(nil, err, op, "cannot delete all sessions")
	}

	return nil
}

type Token struct {
	SessionId string      `json:"sid"`
	UserId    int32       `json:"sub"`
	Role      models.Role `json:"rle"`
	ExpiresAt time.Time   `json:"exp"`
	IssuedAt  time.Time   `json:"iat"`
	NotBefore time.Time   `json:"nbf"`
}

func (t Token) Valid() error {
	if err := uuid.Validate(t.SessionId); err != nil {
		return err
	}
	if t.UserId <= 0 {
		return errors.New("invalid user id")
	}
	if t.Role <= 0 {
		return errors.New("invalid role")
	}
	if t.ExpiresAt.IsZero() {
		return errors.New("invalid exp")
	}
	if t.IssuedAt.IsZero() {
		return errors.New("invalid iat")
	}
	if t.NotBefore.IsZero() {
		return errors.New("invalid nbf")
	}
	return nil
}

func (u *UseCase) Verify(ctx context.Context, sessionId string) (string, error) {
	const op = "UseCase.Verify"

	session, err := u.sessionRepo.ReadSession(ctx, sessionId)
	if err != nil {
		return "", pkg.Wrap(nil, err, op, "cannot read session")
	}

	token := jwt.NewWithClaims(
		jwt.SigningMethodHS256,
		Token{
			SessionId: sessionId,
			UserId:    session.UserId,
			Role:      session.Role,
			ExpiresAt: time.Now().Add(time.Hour * 24),
			IssuedAt:  time.Now(),
			NotBefore: time.Now(),
		},
	)

	signedToken, err := token.SignedString([]byte(u.cfg.JWTSecret))
	if err != nil {
		return "", pkg.Wrap(pkg.ErrInternal, err, op, "cannot sign token")
	}

	return signedToken, nil
}