diff --git a/README.md b/README.md
index 714217c..014387b 100644
--- a/README.md
+++ b/README.md
@@ -117,10 +117,17 @@ JWT token.
 ### Register User
 
 ```
-POST /register
+POST /register/:code/:nonce
 ```
 
-Register a new user. Proxies `core`'s CreateUser endpoint, adding in a dummy token. Admittedly not the most secure implementation ever, but sue me it's 3AM now.
+Register a new user. Proxies `core`'s CreateUser endpoint, adding in a dummy token. Admittedly not the most secure implementation ever, but sue me it's 3AM now. Requires a code and nonce supplied from querying the `/init` endpoint.
+
+#### Params
+
+| Name | Type | Description | Required |
+| ---- | ---- | ----------- | -------- |
+| code | String | OTP code SMS-ed to the user. Initiated with the `/init` endpoint. | ✓ |
+| nonce | String | Nonce returned by the `/init` endpoint response. | ✓ |
 
 #### Body
 
@@ -148,4 +155,5 @@ Created user object.
 | Code | Description |
 | ---- | ----------- |
 | 400 | Error parsing submitted body, or fields first_name or last_name have a length of 0 |
+| 401 | Supplied OTP is invalid |
 | 500 | Error occurred inserting entry into database/proxying |
diff --git a/main.go b/main.go
index 84b9448..edbfb40 100644
--- a/main.go
+++ b/main.go
@@ -84,7 +84,7 @@ func main() {
 	router.POST("/login", Login);
 	router.POST("/init", InitRequest)
 	router.POST("/verify", VerifyCode)
-	router.POST("/register", CreateUser)
+	router.POST("/register/:code/:nonce", CreateUser)
 
 	// Start server
 	log.Printf("starting server on %s", listen)
@@ -279,6 +279,21 @@ func Login(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
 }
 
 func CreateUser(w http.ResponseWriter, r *http.Request, p httprouter.Params) {
+	code := p.ByName("code")
+	nonce := p.ByName("nonce")
+
+	// Get nonce
+	storedNonce, err := redisClient.Get(code + "nonce").Result()
+	if err != nil {
+		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+		return
+	}
+
+	if nonce != storedNonce {
+		http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+		return
+	}
+
 	proxyReq, err := http.NewRequest(r.Method, coreURL, r.Body)
 	if err != nil {
 		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
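Review bot: The nonce is verified but never consumed, so a captured `/register/:code/:nonce` URL can be replayed to create more users until the Redis key expires; the key should be deleted once the comparison passes, before the request is proxied. A missing key (no `/init` for that code, or an expired one) also lands in the `err != nil` branch and returns 500, whereas the README in this same commit documents 401 for an invalid OTP — assuming the go-redis client, that case surfaces as `redis.Nil` and should be treated as unauthorized, and the string comparison is better done with `subtle.ConstantTimeCompare` (needs `crypto/subtle`). The OTP and nonce also travel in the URL path, where access logs and intermediaries routinely record them; the JSON body or a header would be a safer carrier. Nothing in the hunk binds the verified code to the phone number in the proxied body, and no attempt limiting is visible, so for anyone who has called `/init` (which returns the nonce) the code space is the only thing left to guess — worth confirming that `/init`/`/verify` cover this. CreateUser continues past the end of the hunk.
```go
	storedNonce, err := redisClient.Get(code + "nonce").Result()
	if err != nil && err != redis.Nil {
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}
	// Missing key and mismatched nonce are both "invalid OTP" (401), compared in constant time.
	if err == redis.Nil || subtle.ConstantTimeCompare([]byte(nonce), []byte(storedNonce)) != 1 {
		http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
		return
	}
	// Single use: consume the nonce so a captured code/nonce pair cannot be replayed.
	if err := redisClient.Del(code + "nonce").Err(); err != nil {
		http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
		return
	}
	// … unchanged: build and send proxyReq …
```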