feat: migrate Flask API to Go with JWT auth

internal/user/handler.go

@@ -0,0 +1,93 @@
+package user
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"rideaware/internal/config"
+	"rideaware/internal/middleware"
+)
+
+type Handler struct {
+	service *Service
+}
+
+func NewHandler() *Handler {
+	return &Handler{
+		service: NewService(),
+	}
+}
+
+type GetProfileResponse struct {
+	User    *User    `json:"user"`
+	Profile *Profile `json:"profile"`
+}
+
+func (h *Handler) GetProfile(w http.ResponseWriter, r *http.Request) {
+	claims := r.Context().Value(middleware.UserContextKey).(*config.CustomClaims)
+
+	user, err := h.service.repo.GetUserByID(claims.UserID)
+	if err != nil {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusNotFound)
+		json.NewEncoder(w).Encode(map[string]string{"error": "user not found"})
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(GetProfileResponse{
+		User:    user,
+		Profile: user.Profile,
+	})
+}
+
+func (h *Handler) UpdateProfile(w http.ResponseWriter, r *http.Request) {
+	claims := r.Context().Value(middleware.UserContextKey).(*config.CustomClaims)
+
+	var req struct {
+		FirstName string  `json:"first_name"`
+		LastName  string  `json:"last_name"`
+		Bio       string  `json:"bio"`
+		FTP       int     `json:"ftp"`
+		MaxHR     int     `json:"max_hr"`
+		Weight    float64 `json:"weight"`
+	}
+
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusBadRequest)
+		json.NewEncoder(w).Encode(map[string]string{"error": "invalid request"})
+		return
+	}
+
+	user, err := h.service.repo.GetUserByID(claims.UserID)
+	if err != nil {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusNotFound)
+		json.NewEncoder(w).Encode(map[string]string{"error": "user not found"})
+		return
+	}
+
+	// Update profile
+	if user.Profile != nil {
+		user.Profile.FirstName = req.FirstName
+		user.Profile.LastName = req.LastName
+		user.Profile.Bio = req.Bio
+		user.Profile.FTP = req.FTP
+		user.Profile.MaxHR = req.MaxHR
+		user.Profile.Weight = req.Weight
+
+		if err := h.service.repo.UpdateUser(user); err != nil {
+			w.Header().Set("Content-Type", "application/json")
+			w.WriteHeader(http.StatusInternalServerError)
+			json.NewEncoder(w).Encode(map[string]string{"error": "failed to update profile"})
+			return
+		}
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(GetProfileResponse{
+		User:    user,
+		Profile: user.Profile,
+	})
+}

internal/user/model.go

@@ -0,0 +1,105 @@
+package user
+
+import (
+	"errors"
+	"time"
+
+	"golang.org/x/crypto/bcrypt"
+	"gorm.io/gorm"
+)
+
+type User struct {
+	ID        uint      `gorm:"primaryKey" json:"id"`
+	Username  string    `gorm:"uniqueIndex;not null" json:"username"`
+	Email     string    `gorm:"uniqueIndex;not null" json:"email"`
+	Password  string    `gorm:"not null" json:"-"`
+	IsActive  bool      `gorm:"default:true" json:"is_active"`
+	CreatedAt time.Time `json:"created_at"`
+	UpdatedAt time.Time `json:"updated_at"`
+
+	Profile        *Profile         `gorm:"foreignKey:UserID;constraint:OnDelete:Cascade" json:"profile,omitempty"`
+	PasswordResets []PasswordReset  `gorm:"foreignKey:UserID;constraint:OnDelete:Cascade" json:"password_resets,omitempty"`
+	Sessions       []Session        `gorm:"foreignKey:UserID;constraint:OnDelete:Cascade" json:"sessions,omitempty"`
+}
+
+type Profile struct {
+	ID             uint      `gorm:"primaryKey" json:"id"`
+	UserID         uint      `gorm:"not null;uniqueIndex" json:"user_id"`
+	FirstName      string    `gorm:"default:''" json:"first_name"`
+	LastName       string    `gorm:"default:''" json:"last_name"`
+	Bio            string    `gorm:"default:''" json:"bio"`
+	ProfilePicture string    `gorm:"default:''" json:"profile_picture"`
+	RestingHR      int       `gorm:"default:0" json:"resting_hr"`
+	MaxHR          int       `gorm:"default:0" json:"max_hr"`
+	FTP            int       `gorm:"default:0" json:"ftp"`
+	Weight         float64   `gorm:"default:0" json:"weight"`
+	TotalRides     int       `gorm:"default:0" json:"total_rides"`
+	TotalDistance  float64   `gorm:"default:0" json:"total_distance"`
+	TotalTime      int       `gorm:"default:0" json:"total_time"`
+	CreatedAt      time.Time `json:"created_at"`
+	UpdatedAt      time.Time `json:"updated_at"`
+}
+
+type PasswordReset struct {
+	ID        uint       `gorm:"primaryKey" json:"id"`
+	UserID    uint       `gorm:"not null" json:"user_id"`
+	Token     string     `gorm:"uniqueIndex;not null" json:"token"`
+	ExpiresAt time.Time  `gorm:"not null" json:"expires_at"`
+	UsedAt    *time.Time `json:"used_at"`
+	CreatedAt time.Time  `json:"created_at"`
+}
+
+type Session struct {
+	ID         uint      `gorm:"primaryKey" json:"id"`
+	UserID     uint      `gorm:"not null;index" json:"user_id"`
+	Token      string    `gorm:"uniqueIndex;not null" json:"token"`
+	ExpiresAt  time.Time `gorm:"not null;index" json:"expires_at"`
+	DeviceName string    `gorm:"default:''" json:"device_name"`
+	UserAgent  string    `gorm:"default:''" json:"user_agent"`
+	IPAddress  string    `gorm:"default:''" json:"ip_address"`
+	CreatedAt  time.Time `json:"created_at"`
+}
+
+// ===== Methods =====
+
+// SetPassword hashes and sets the password
+func (u *User) SetPassword(rawPassword string) error {
+	if len(rawPassword) < 8 {
+		return errors.New("password must be at least 8 characters long")
+	}
+	hashedPassword, err := bcrypt.GenerateFromPassword(
+		[]byte(rawPassword),
+		bcrypt.DefaultCost,
+	)
+	if err != nil {
+		return err
+	}
+	u.Password = string(hashedPassword)
+	return nil
+}
+
+// CheckPassword verifies the password
+func (u *User) CheckPassword(password string) bool {
+	return bcrypt.CompareHashAndPassword(
+		[]byte(u.Password),
+		[]byte(password),
+	) == nil
+}
+
+// AfterCreate hook: automatically create profile after user insert
+func (u *User) AfterCreate(tx *gorm.DB) error {
+	profile := &Profile{
+		UserID: u.ID,
+	}
+	return tx.Create(profile).Error
+}
+
+// IsPasswordResetTokenValid checks if token exists and is not expired
+func (prt *PasswordReset) IsValid() bool {
+	return prt.UsedAt == nil && time.Now().Before(prt.ExpiresAt)
+}
+
+// IsSessionValid checks if session is not expired
+func (s *Session) IsValid() bool {
+	return time.Now().Before(s.ExpiresAt)
+}

internal/user/repository.go

@@ -0,0 +1,62 @@
+package user
+
+import (
+	"errors"
+	"rideaware/pkg/database"
+	"gorm.io/gorm"
+)
+
+type Repository struct{}
+
+func NewRepository() *Repository {
+	return &Repository{}
+}
+
+func (r *Repository) CreateUser(user *User) error {
+	return database.DB.Create(user).Error
+}
+
+func (r *Repository) GetUserByUsername(username string) (*User, error) {
+	var user User
+	if err := database.DB.Where("username = ?", username).First(&user).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, errors.New("user not found")
+		}
+		return nil, err
+	}
+	return &user, nil
+}
+
+func (r *Repository) GetUserByEmail(email string) (*User, error) {
+	var user User
+	if err := database.DB.Where("email = ?", email).First(&user).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, errors.New("user not found")
+		}
+		return nil, err
+	}
+	return &user, nil
+}
+
+func (r *Repository) GetUserByID(id uint) (*User, error) {
+	var user User
+	if err := database.DB.Preload("Profile").Where("id = ?", id).First(&user).Error; err != nil {
+		if errors.Is(err, gorm.ErrRecordNotFound) {
+			return nil, errors.New("user not found")
+		}
+		return nil, err
+	}
+	return &user, nil
+}
+
+func (r *Repository) UpdateUser(user *User) error {
+	return database.DB.Save(user).Error
+}
+
+func (r *Repository) UserExists(username, email string) (bool, error) {
+	var count int64
+	err := database.DB.Model(&User{}).
+		Where("username = ? OR email = ?", username, email).
+		Count(&count).Error
+	return count > 0, err
+}

internal/user/service.go

@@ -0,0 +1,159 @@
+package user
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"errors"
+	"regexp"
+	"time"
+
+	"rideaware/internal/config"
+	"rideaware/internal/email"
+	"rideaware/pkg/database"
+)
+
+type Service struct {
+	repo  *Repository
+	email *email.Service
+}
+
+func NewService() *Service {
+	return &Service{
+		repo:  NewRepository(),
+		email: email.NewService(),
+	}
+}
+
+func (s *Service) CreateUser(username, password, email, firstName, lastName string) (*User, error) {
+	if username == "" || password == "" {
+		return nil, errors.New("username and password are required")
+	}
+
+	if email != "" {
+		if !isValidEmail(email) {
+			return nil, errors.New("invalid email format")
+		}
+	}
+
+	exists, err := s.repo.UserExists(username, email)
+	if err != nil {
+		return nil, err
+	}
+	if exists {
+		return nil, errors.New("username or email already exists")
+	}
+
+	user := &User{
+		Username: username,
+		Email:    email,
+	}
+
+	if err := user.SetPassword(password); err != nil {
+		return nil, err
+	}
+
+	if err := s.repo.CreateUser(user); err != nil {
+		return nil, err
+	}
+
+	_ = s.email.SendWelcomeEmail(email, username)
+
+	return user, nil
+}
+
+func (s *Service) VerifyUser(username, password string) (*User, error) {
+	user, err := s.repo.GetUserByUsername(username)
+	if err != nil {
+		return nil, errors.New("invalid username or password")
+	}
+
+	if !user.CheckPassword(password) {
+		return nil, errors.New("invalid username or password")
+	}
+
+	return user, nil
+}
+
+func (s *Service) RequestPasswordReset(email string) error {
+	user, err := s.repo.GetUserByEmail(email)
+	if err != nil {
+		// Don't leak if email exists
+		return nil
+	}
+
+	token, err := generateSecureToken(32)
+	if err != nil {
+		return err
+	}
+
+	resetToken := &PasswordReset{
+		UserID:    user.ID,
+		Token:     token,
+		ExpiresAt: time.Now().Add(config.JWT.ResetTokenDuration),
+	}
+
+	if err := database.DB.Create(resetToken).Error; err != nil {
+		return err
+	}
+
+	resetLink := "https://rideaware.app/reset-password?token=" + token
+	return s.email.SendPasswordResetEmail(user.Email, user.Username, resetLink)
+}
+
+func (s *Service) ResetPassword(token, newPassword string) error {
+	if len(newPassword) < 8 {
+		return errors.New("password must be at least 8 characters long")
+	}
+
+	var resetToken PasswordReset
+	if err := database.DB.Where("token = ?", token).First(&resetToken).Error; err != nil {
+		return errors.New("invalid or expired reset token")
+	}
+
+	if !resetToken.IsValid() {
+		return errors.New("reset token has expired")
+	}
+
+	user, err := s.repo.GetUserByID(resetToken.UserID)
+	if err != nil {
+		return err
+	}
+
+	if err := user.SetPassword(newPassword); err != nil {
+		return err
+	}
+
+	now := time.Now()
+	tx := database.DB.Begin()
+	defer func() {
+		if r := recover(); r != nil {
+			tx.Rollback()
+		}
+	}()
+
+	if err := tx.Model(user).Update("password", user.Password).Error; err != nil {
+		tx.Rollback()
+		return err
+	}
+
+	if err := tx.Model(&resetToken).Update("used_at", now).Error; err != nil {
+		tx.Rollback()
+		return err
+	}
+
+	return tx.Commit().Error
+}
+
+// Helper functions
+func isValidEmail(email string) bool {
+	regex := regexp.MustCompile(`^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$`)
+	return regex.MatchString(email)
+}
+
+func generateSecureToken(length int) (string, error) {
+	b := make([]byte, length)
+	if _, err := rand.Read(b); err != nil {
+		return "", err
+	}
+	return base64.URLEncoding.EncodeToString(b), nil
+}