added some govno to postgres

internal/auth/service.go

@@ -7,21 +7,24 @@ import (
 	"encoding/base64"
 	"errors"
 	"fmt"
-	"log"
 	"strings"
 	"time"
+	"unicode"
 
 	"golang.org/x/crypto/bcrypt"
 )
 
 var (
-	ErrEmailExists    = errors.New("email already registered")
-	ErrInvalidCreds   = errors.New("invalid email or password")
-	ErrUserNotFound   = errors.New("user not found")
-	ErrInvalidUserID  = errors.New("invalid user ID")
-	ErrInvalidRefresh = errors.New("invalid refresh token")
-	ErrRefreshExpired = errors.New("refresh token expired")
-	ErrLogoutInvalid  = errors.New("refresh token not found or already used")
+	ErrEmailExists     = errors.New("email already registered")
+	ErrInvalidCreds    = errors.New("invalid email or password")
+	ErrUserNotFound    = errors.New("user not found")
+	ErrInvalidUserID   = errors.New("invalid user ID")
+	ErrInvalidRefresh  = errors.New("invalid refresh token")
+	ErrRefreshExpired  = errors.New("refresh token expired")
+	ErrLogoutInvalid   = errors.New("refresh token not found or already used")
+	ErrWrongPassword   = errors.New("current password is incorrect")
+	ErrWeakPassword    = errors.New("password must be at least 8 characters with uppercase, lowercase, and digit")
+	ErrSamePassword    = errors.New("new password must differ from current password")
 )
 
 type Service struct {
@@ -53,6 +56,27 @@ func generateRandomToken() (string, error) {
 	return base64.RawURLEncoding.EncodeToString(b), nil
 }
 
+func validatePasswordStrength(password string) error {
+	if len(password) < 8 {
+		return ErrWeakPassword
+	}
+	var hasUpper, hasLower, hasDigit bool
+	for _, ch := range password {
+		switch {
+		case unicode.IsUpper(ch):
+			hasUpper = true
+		case unicode.IsLower(ch):
+			hasLower = true
+		case unicode.IsDigit(ch):
+			hasDigit = true
+		}
+	}
+	if !hasUpper || !hasLower || !hasDigit {
+		return ErrWeakPassword
+	}
+	return nil
+}
+
 func (s *Service) issueTokenPair(ctx context.Context, user *User) (*AuthResponse, error) {
 	accessToken, err := GenerateToken(user.ID, user.Email, s.jwtSecret, s.jwtExp)
 	if err != nil {
@@ -81,8 +105,13 @@ func (s *Service) issueTokenPair(ctx context.Context, user *User) (*AuthResponse
 	}, nil
 }
 
-func (s *Service) Register(ctx context.Context, req RegisterRequest) (*UserPublic, error) {
+func (s *Service) Register(ctx context.Context, req RegisterRequest) (*AuthResponse, error) {
+	if err := validatePasswordStrength(req.Password); err != nil {
+		return nil, err
+	}
+
 	req.Email = strings.ToLower(req.Email)
+
 	existing, err := s.repo.FindByEmail(ctx, req.Email)
 	if err != nil && !errors.Is(err, ErrNoRows) {
 		return nil, fmt.Errorf("failed to check existing user: %w", err)
@@ -103,11 +132,13 @@ func (s *Service) Register(ctx context.Context, req RegisterRequest) (*UserPubli
 	}
 
 	if err := s.repo.CreateUser(ctx, user); err != nil {
+		if isPGUniqueViolation(err) {
+			return nil, ErrEmailExists
+		}
 		return nil, fmt.Errorf("failed to create user: %w", err)
 	}
 
-	public := NewUserPublic(user)
-	return &public, nil
+	return s.issueTokenPair(ctx, user)
 }
 
 func (s *Service) Login(ctx context.Context, req LoginRequest) (*AuthResponse, error) {
@@ -138,13 +169,6 @@ func (s *Service) Refresh(ctx context.Context, rawRefresh string) (*AuthResponse
 		return nil, fmt.Errorf("failed to find refresh token: %w", err)
 	}
 
-	if time.Now().UTC().After(doc.ExpiresAt) {
-		if err := s.repo.DeleteRefreshToken(ctx, doc.ID); err != nil {
-			log.Printf("failed to cleanup expired refresh token: %v", err)
-		}
-		return nil, ErrRefreshExpired
-	}
-
 	if err := s.repo.DeleteRefreshToken(ctx, doc.ID); err != nil {
 		return nil, fmt.Errorf("failed to delete old refresh token: %w", err)
 	}
@@ -187,3 +211,66 @@ func (s *Service) GetUserByID(ctx context.Context, userID string) (*UserPublic,
 	public := NewUserPublic(user)
 	return &public, nil
 }
+
+func (s *Service) ChangePassword(ctx context.Context, userID string, req PasswordChangeRequest) error {
+	if userID == "" {
+		return ErrInvalidUserID
+	}
+
+	user, err := s.repo.FindByID(ctx, userID)
+	if err != nil {
+		if errors.Is(err, ErrNoRows) {
+			return ErrUserNotFound
+		}
+		return fmt.Errorf("failed to find user: %w", err)
+	}
+
+	if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(req.OldPassword)); err != nil {
+		return ErrWrongPassword
+	}
+
+	if req.OldPassword == req.NewPassword {
+		return ErrSamePassword
+	}
+
+	if err := validatePasswordStrength(req.NewPassword); err != nil {
+		return err
+	}
+
+	hash, err := bcrypt.GenerateFromPassword([]byte(req.NewPassword), bcrypt.DefaultCost)
+	if err != nil {
+		return fmt.Errorf("failed to hash password: %w", err)
+	}
+
+	if err := s.repo.UpdateUserPassword(ctx, userID, string(hash)); err != nil {
+		return fmt.Errorf("failed to update password: %w", err)
+	}
+
+	return nil
+}
+
+func (s *Service) UpdateProfile(ctx context.Context, userID string, req UpdateProfileRequest) (*UserPublic, error) {
+	if userID == "" {
+		return nil, ErrInvalidUserID
+	}
+
+	user, err := s.repo.FindByID(ctx, userID)
+	if err != nil {
+		if errors.Is(err, ErrNoRows) {
+			return nil, ErrUserNotFound
+		}
+		return nil, fmt.Errorf("failed to find user: %w", err)
+	}
+
+	if err := s.repo.UpdateUserUsername(ctx, userID, req.Username); err != nil {
+		return nil, fmt.Errorf("failed to update username: %w", err)
+	}
+
+	user.Username = req.Username
+	public := NewUserPublic(user)
+	return &public, nil
+}
+
+func isPGUniqueViolation(err error) bool {
+	return err != nil && (strings.Contains(err.Error(), "unique") || strings.Contains(err.Error(), "23505"))
+}