Valid HTML
", + Fields: models.FormFields{}, + Settings: models.FormSettings{}, + } + jsonBody, _ := json.Marshal(body) + + req := httptest.NewRequest(http.MethodPost, "/forms", bytes.NewBuffer(jsonBody)) + req.Header.Set("Content-Type", "application/json") + w := httptest.NewRecorder() + + router.ServeHTTP(w, req) + + if w.Code != http.StatusCreated { + t.Errorf("expected status %d, got %d: %s", http.StatusCreated, w.Code, w.Body.String()) + } + + var response models.Form + if err := json.Unmarshal(w.Body.Bytes(), &response); err != nil { + t.Fatalf("failed to unmarshal response: %v", err) + } + + // Title should have script tags stripped + if response.Title == "Test Form" { + t.Error("XSS script tag was not stripped from title") + } + // Description should have script stripped but valid HTML kept + if response.Description == "Valid HTML
" { + t.Error("XSS script tag was not stripped from description") + } +} + +func TestFormHandler_List(t *testing.T) { + db := testutil.SetupTestDB(t) + user := testutil.CreateTestUser(t, db, "test@example.com", "password123", models.RoleUser) + + // Create test forms + form1 := &models.Form{UserID: user.ID, Title: "Form 1", Status: models.FormStatusDraft} + form2 := &models.Form{UserID: user.ID, Title: "Form 2", Status: models.FormStatusPublished} + db.Create(form1) + db.Create(form2) + + handler := NewFormHandler() + router := gin.New() + router.GET("/forms", func(c *gin.Context) { + c.Set("user_id", user.ID) + handler.List(c) + }) + + req := httptest.NewRequest(http.MethodGet, "/forms", nil) + w := httptest.NewRecorder() + + router.ServeHTTP(w, req) + + if w.Code != http.StatusOK { + t.Errorf("expected status %d, got %d", http.StatusOK, w.Code) + } + + var response pagination.Result + if err := json.Unmarshal(w.Body.Bytes(), &response); err != nil { + t.Fatalf("failed to unmarshal response: %v", err) + } + + if response.TotalItems != 2 { + t.Errorf("expected 2 forms, got %d", response.TotalItems) + } +} + +func TestFormHandler_List_Pagination(t *testing.T) { + db := testutil.SetupTestDB(t) + user := testutil.CreateTestUser(t, db, "test@example.com", "password123", models.RoleUser) + + // Create 25 test forms + for i := 0; i < 25; i++ { + form := &models.Form{UserID: user.ID, Title: "Form", Status: models.FormStatusDraft} + db.Create(form) + } + + handler := NewFormHandler() + router := gin.New() + router.GET("/forms", func(c *gin.Context) { + c.Set("user_id", user.ID) + handler.List(c) + }) + + // Test first page + req := httptest.NewRequest(http.MethodGet, "/forms?page=1&page_size=10", nil) + w := httptest.NewRecorder() + router.ServeHTTP(w, req) + + var response pagination.Result + json.Unmarshal(w.Body.Bytes(), &response) + + if response.TotalItems != 25 { + t.Errorf("expected total 25 forms, got %d", response.TotalItems) + } + if response.TotalPages != 3 { + t.Errorf("expected 3 pages, got %d", response.TotalPages) + } + if response.Page != 1 { + t.Errorf("expected page 1, got %d", response.Page) + } +} + +func TestFormHandler_Get(t *testing.T) { + db := testutil.SetupTestDB(t) + user := testutil.CreateTestUser(t, db, "test@example.com", "password123", models.RoleUser) + + form := &models.Form{UserID: user.ID, Title: "Test Form", Status: models.FormStatusDraft} + db.Create(form) + + handler := NewFormHandler() + router := gin.New() + router.GET("/forms/:id", func(c *gin.Context) { + c.Set("user_id", user.ID) + handler.Get(c) + }) + + req := httptest.NewRequest(http.MethodGet, "/forms/"+form.ID, nil) + w := httptest.NewRecorder() + + router.ServeHTTP(w, req) + + if w.Code != http.StatusOK { + t.Errorf("expected status %d, got %d", http.StatusOK, w.Code) + } + + var response models.Form + if err := json.Unmarshal(w.Body.Bytes(), &response); err != nil { + t.Fatalf("failed to unmarshal response: %v", err) + } + + if response.Title != "Test Form" { + t.Errorf("expected title 'Test Form', got %s", response.Title) + } +} + +func TestFormHandler_Get_NotFound(t *testing.T) { + db := testutil.SetupTestDB(t) + user := testutil.CreateTestUser(t, db, "test@example.com", "password123", models.RoleUser) + + handler := NewFormHandler() + router := gin.New() + router.GET("/forms/:id", func(c *gin.Context) { + c.Set("user_id", user.ID) + handler.Get(c) + }) + + req := httptest.NewRequest(http.MethodGet, "/forms/non-existent-id", nil) + w := httptest.NewRecorder() + + router.ServeHTTP(w, req) + + if w.Code != http.StatusNotFound { + t.Errorf("expected status %d, got %d", http.StatusNotFound, w.Code) + } +} + +func TestFormHandler_Get_WrongUser(t *testing.T) { + db := testutil.SetupTestDB(t) + owner := testutil.CreateTestUser(t, db, "owner@example.com", "password123", models.RoleUser) + otherUser := testutil.CreateTestUser(t, db, "other@example.com", "password123", models.RoleUser) + + form := &models.Form{UserID: owner.ID, Title: "Test Form", Status: models.FormStatusDraft} + db.Create(form) + + handler := NewFormHandler() + router := gin.New() + router.GET("/forms/:id", func(c *gin.Context) { + c.Set("user_id", otherUser.ID) // Different user trying to access + handler.Get(c) + }) + + req := httptest.NewRequest(http.MethodGet, "/forms/"+form.ID, nil) + w := httptest.NewRecorder() + + router.ServeHTTP(w, req) + + if w.Code != http.StatusNotFound { + t.Errorf("expected status %d, got %d", http.StatusNotFound, w.Code) + } +} + +func TestFormHandler_Update(t *testing.T) { + db := testutil.SetupTestDB(t) + user := testutil.CreateTestUser(t, db, "test@example.com", "password123", models.RoleUser) + + form := &models.Form{UserID: user.ID, Title: "Original Title", Status: models.FormStatusDraft} + db.Create(form) + + handler := NewFormHandler() + router := gin.New() + router.PUT("/forms/:id", func(c *gin.Context) { + c.Set("user_id", user.ID) + handler.Update(c) + }) + + body := UpdateFormRequest{ + Title: "Updated Title", + Status: models.FormStatusPublished, + } + jsonBody, _ := json.Marshal(body) + + req := httptest.NewRequest(http.MethodPut, "/forms/"+form.ID, bytes.NewBuffer(jsonBody)) + req.Header.Set("Content-Type", "application/json") + w := httptest.NewRecorder() + + router.ServeHTTP(w, req) + + if w.Code != http.StatusOK { + t.Errorf("expected status %d, got %d: %s", http.StatusOK, w.Code, w.Body.String()) + } + + var response models.Form + if err := json.Unmarshal(w.Body.Bytes(), &response); err != nil { + t.Fatalf("failed to unmarshal response: %v", err) + } + + if response.Title != "Updated Title" { + t.Errorf("expected title 'Updated Title', got %s", response.Title) + } + if response.Status != models.FormStatusPublished { + t.Errorf("expected status 'published', got %s", response.Status) + } +} + +func TestFormHandler_Delete(t *testing.T) { + db := testutil.SetupTestDB(t) + user := testutil.CreateTestUser(t, db, "test@example.com", "password123", models.RoleUser) + + form := &models.Form{UserID: user.ID, Title: "Test Form", Status: models.FormStatusDraft} + db.Create(form) + + // Create some submissions for this form + submission := &models.Submission{FormID: form.ID, Data: map[string]interface{}{"field1": "value1"}} + db.Create(submission) + + handler := NewFormHandler() + router := gin.New() + router.DELETE("/forms/:id", func(c *gin.Context) { + c.Set("user_id", user.ID) + handler.Delete(c) + }) + + req := httptest.NewRequest(http.MethodDelete, "/forms/"+form.ID, nil) + w := httptest.NewRecorder() + + router.ServeHTTP(w, req) + + if w.Code != http.StatusOK { + t.Errorf("expected status %d, got %d: %s", http.StatusOK, w.Code, w.Body.String()) + } + + // Verify form is deleted + var deletedForm models.Form + result := db.First(&deletedForm, "id = ?", form.ID) + if result.Error == nil { + t.Error("form should have been deleted") + } + + // Verify submissions are deleted (transaction test) + var deletedSubmission models.Submission + result = db.First(&deletedSubmission, "form_id = ?", form.ID) + if result.Error == nil { + t.Error("submissions should have been deleted with form") + } +} + +func TestFormHandler_Duplicate(t *testing.T) { + db := testutil.SetupTestDB(t) + user := testutil.CreateTestUser(t, db, "test@example.com", "password123", models.RoleUser) + + form := &models.Form{ + UserID: user.ID, + Title: "Original Form", + Description: "Original description", + Status: models.FormStatusPublished, + } + db.Create(form) + + handler := NewFormHandler() + router := gin.New() + router.POST("/forms/:id/duplicate", func(c *gin.Context) { + c.Set("user_id", user.ID) + handler.Duplicate(c) + }) + + req := httptest.NewRequest(http.MethodPost, "/forms/"+form.ID+"/duplicate", nil) + w := httptest.NewRecorder() + + router.ServeHTTP(w, req) + + if w.Code != http.StatusCreated { + t.Errorf("expected status %d, got %d: %s", http.StatusCreated, w.Code, w.Body.String()) + } + + var response models.Form + if err := json.Unmarshal(w.Body.Bytes(), &response); err != nil { + t.Fatalf("failed to unmarshal response: %v", err) + } + + if response.Title != "Original Form (Kopie)" { + t.Errorf("expected title 'Original Form (Kopie)', got %s", response.Title) + } + if response.Status != models.FormStatusDraft { + t.Errorf("expected status 'draft', got %s", response.Status) + } + if response.ID == form.ID { + t.Error("duplicated form should have a new ID") + } +} + +func TestFormHandler_GetPublic(t *testing.T) { + db := testutil.SetupTestDB(t) + user := testutil.CreateTestUser(t, db, "test@example.com", "password123", models.RoleUser) + + form := &models.Form{ + UserID: user.ID, + Title: "Public Form", + Slug: "public-form", + Status: models.FormStatusPublished, + } + db.Create(form) + + handler := NewFormHandler() + router := gin.New() + router.GET("/public/forms/:id", handler.GetPublic) + + // Test by ID + req := httptest.NewRequest(http.MethodGet, "/public/forms/"+form.ID, nil) + w := httptest.NewRecorder() + router.ServeHTTP(w, req) + + if w.Code != http.StatusOK { + t.Errorf("expected status %d, got %d", http.StatusOK, w.Code) + } + + // Test by slug + req = httptest.NewRequest(http.MethodGet, "/public/forms/public-form", nil) + w = httptest.NewRecorder() + router.ServeHTTP(w, req) + + if w.Code != http.StatusOK { + t.Errorf("expected status %d for slug lookup, got %d", http.StatusOK, w.Code) + } +} + +func TestFormHandler_GetPublic_Draft(t *testing.T) { + db := testutil.SetupTestDB(t) + user := testutil.CreateTestUser(t, db, "test@example.com", "password123", models.RoleUser) + + form := &models.Form{ + UserID: user.ID, + Title: "Draft Form", + Status: models.FormStatusDraft, // Not published + } + db.Create(form) + + handler := NewFormHandler() + router := gin.New() + router.GET("/public/forms/:id", handler.GetPublic) + + req := httptest.NewRequest(http.MethodGet, "/public/forms/"+form.ID, nil) + w := httptest.NewRecorder() + router.ServeHTTP(w, req) + + if w.Code != http.StatusNotFound { + t.Errorf("expected status %d for draft form, got %d", http.StatusNotFound, w.Code) + } +} diff --git a/backend/internal/handlers/setup.go b/backend/internal/handlers/setup.go index b8d6956..d6d0b7e 100644 --- a/backend/internal/handlers/setup.go +++ b/backend/internal/handlers/setup.go @@ -39,6 +39,13 @@ type SetupRequest struct { AllowRegistration bool `json:"allow_registration"` } +// GetStatus godoc +// @Summary Get setup status +// @Description Get application setup status and public settings +// @Tags Setup +// @Produce json +// @Success 200 {object} SetupStatusResponse +// @Router /setup/status [get] func (h *SetupHandler) GetStatus(c *gin.Context) { var settings models.Settings database.DB.First(&settings) @@ -63,6 +70,16 @@ func (h *SetupHandler) GetStatus(c *gin.Context) { }) } +// CompleteSetup godoc +// @Summary Complete initial setup +// @Description Create the first admin user and complete setup +// @Tags Setup +// @Accept json +// @Produce json +// @Param request body SetupRequest true "Setup data" +// @Success 200 {object} AuthResponse +// @Failure 400 {object} ErrorResponse "Setup already completed or invalid data" +// @Router /setup/complete [post] func (h *SetupHandler) CompleteSetup(c *gin.Context) { var userCount int64 database.DB.Model(&models.User{}).Count(&userCount) @@ -118,6 +135,16 @@ func (h *SetupHandler) CompleteSetup(c *gin.Context) { }) } +// GetSettings godoc +// @Summary Get settings +// @Description Get application settings (admin only) +// @Tags Settings +// @Produce json +// @Success 200 {object} models.Settings +// @Failure 401 {object} ErrorResponse +// @Failure 403 {object} ErrorResponse "Admin access required" +// @Security BearerAuth +// @Router /settings [get] func (h *SetupHandler) GetSettings(c *gin.Context) { var settings models.Settings database.DB.First(&settings) @@ -138,6 +165,19 @@ type UpdateSettingsRequest struct { Theme string `json:"theme"` } +// UpdateSettings godoc +// @Summary Update settings +// @Description Update application settings (admin only) +// @Tags Settings +// @Accept json +// @Produce json +// @Param request body UpdateSettingsRequest true "Settings data" +// @Success 200 {object} models.Settings +// @Failure 400 {object} ErrorResponse +// @Failure 401 {object} ErrorResponse +// @Failure 403 {object} ErrorResponse "Admin access required" +// @Security BearerAuth +// @Router /settings [put] func (h *SetupHandler) UpdateSettings(c *gin.Context) { var req UpdateSettingsRequest if err := c.ShouldBindJSON(&req); err != nil { diff --git a/backend/internal/handlers/submission.go b/backend/internal/handlers/submission.go index 54b03c4..81fdf32 100644 --- a/backend/internal/handlers/submission.go +++ b/backend/internal/handlers/submission.go @@ -9,6 +9,8 @@ import ( "formera/internal/database" "formera/internal/models" + "formera/internal/pagination" + "formera/internal/sanitizer" "github.com/gin-gonic/gin" ) @@ -24,6 +26,20 @@ type SubmitRequest struct { Metadata map[string]string `json:"metadata,omitempty"` } +// Submit godoc +// @Summary Submit form +// @Description Submit a response to a published form +// @Tags Public +// @Accept json +// @Produce json +// @Param id path string true "Form ID" +// @Param request body SubmitRequest true "Submission data" +// @Success 201 {object} models.Submission +// @Failure 400 {object} ErrorResponse +// @Failure 403 {object} ErrorResponse "Form closed or max submissions reached" +// @Failure 404 {object} ErrorResponse +// @Failure 429 {object} ErrorResponse "Rate limit exceeded" +// @Router /public/forms/{id}/submit [post] func (h *SubmissionHandler) Submit(c *gin.Context) { formID := c.Param("id") @@ -116,9 +132,12 @@ func (h *SubmissionHandler) Submit(c *gin.Context) { } } + // Sanitize submission data to prevent XSS + sanitizedData := sanitizer.SanitizeSubmissionData(req.Data) + submission := &models.Submission{ FormID: formID, - Data: req.Data, + Data: sanitizedData, Metadata: metadata, } @@ -133,9 +152,23 @@ func (h *SubmissionHandler) Submit(c *gin.Context) { }) } +// List godoc +// @Summary List submissions +// @Description Get paginated list of form submissions +// @Tags Submissions +// @Produce json +// @Param id path string true "Form ID" +// @Param page query int false "Page number" default(1) +// @Param page_size query int false "Items per page" default(20) +// @Success 200 {object} SubmissionListResponse +// @Failure 401 {object} ErrorResponse +// @Failure 404 {object} ErrorResponse +// @Security BearerAuth +// @Router /forms/{id}/submissions [get] func (h *SubmissionHandler) List(c *gin.Context) { userID := c.GetString("user_id") formID := c.Param("id") + params := pagination.GetParams(c) var form models.Form if result := database.DB.Where("id = ? AND user_id = ?", formID, userID).First(&form); result.Error != nil { @@ -143,19 +176,36 @@ func (h *SubmissionHandler) List(c *gin.Context) { return } + var totalItems int64 + database.DB.Model(&models.Submission{}).Where("form_id = ?", formID).Count(&totalItems) + var submissions []models.Submission - if result := database.DB.Where("form_id = ?", formID).Order("created_at DESC").Find(&submissions); result.Error != nil { + if result := database.DB.Where("form_id = ?", formID). + Order("created_at DESC"). + Scopes(pagination.Paginate(params)). + Find(&submissions); result.Error != nil { c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch submissions"}) return } c.JSON(http.StatusOK, gin.H{ "form": form, - "submissions": submissions, - "count": len(submissions), + "submissions": pagination.CreateResult(submissions, params, totalItems), }) } +// Get godoc +// @Summary Get submission +// @Description Get a specific submission by ID +// @Tags Submissions +// @Produce json +// @Param id path string true "Form ID" +// @Param submissionId path string true "Submission ID" +// @Success 200 {object} models.Submission +// @Failure 401 {object} ErrorResponse +// @Failure 404 {object} ErrorResponse +// @Security BearerAuth +// @Router /forms/{id}/submissions/{submissionId} [get] func (h *SubmissionHandler) Get(c *gin.Context) { userID := c.GetString("user_id") formID := c.Param("id") @@ -176,6 +226,18 @@ func (h *SubmissionHandler) Get(c *gin.Context) { c.JSON(http.StatusOK, submission) } +// Delete godoc +// @Summary Delete submission +// @Description Delete a specific submission +// @Tags Submissions +// @Produce json +// @Param id path string true "Form ID" +// @Param submissionId path string true "Submission ID" +// @Success 200 {object} MessageResponse +// @Failure 401 {object} ErrorResponse +// @Failure 404 {object} ErrorResponse +// @Security BearerAuth +// @Router /forms/{id}/submissions/{submissionId} [delete] func (h *SubmissionHandler) Delete(c *gin.Context) { userID := c.GetString("user_id") formID := c.Param("id") @@ -195,6 +257,17 @@ func (h *SubmissionHandler) Delete(c *gin.Context) { c.JSON(http.StatusOK, gin.H{"message": "Submission deleted successfully"}) } +// Stats godoc +// @Summary Get form statistics +// @Description Get submission statistics for a form +// @Tags Submissions +// @Produce json +// @Param id path string true "Form ID" +// @Success 200 {object} FormStatsResponse +// @Failure 401 {object} ErrorResponse +// @Failure 404 {object} ErrorResponse +// @Security BearerAuth +// @Router /forms/{id}/stats [get] func (h *SubmissionHandler) Stats(c *gin.Context) { userID := c.GetString("user_id") formID := c.Param("id") @@ -236,6 +309,17 @@ func (h *SubmissionHandler) Stats(c *gin.Context) { }) } +// ExportCSV godoc +// @Summary Export submissions as CSV +// @Description Download all submissions as a CSV file +// @Tags Submissions +// @Produce text/csv +// @Param id path string true "Form ID" +// @Success 200 {file} file "CSV file" +// @Failure 401 {object} ErrorResponse +// @Failure 404 {object} ErrorResponse +// @Security BearerAuth +// @Router /forms/{id}/export/csv [get] func (h *SubmissionHandler) ExportCSV(c *gin.Context) { userID := c.GetString("user_id") formID := c.Param("id") @@ -285,6 +369,17 @@ func (h *SubmissionHandler) ExportCSV(c *gin.Context) { } } +// ExportJSON godoc +// @Summary Export submissions as JSON +// @Description Download all submissions as a JSON file +// @Tags Submissions +// @Produce json +// @Param id path string true "Form ID" +// @Success 200 {array} map[string]interface{} "JSON array of submissions" +// @Failure 401 {object} ErrorResponse +// @Failure 404 {object} ErrorResponse +// @Security BearerAuth +// @Router /forms/{id}/export/json [get] func (h *SubmissionHandler) ExportJSON(c *gin.Context) { userID := c.GetString("user_id") formID := c.Param("id") @@ -318,6 +413,17 @@ func (h *SubmissionHandler) ExportJSON(c *gin.Context) { c.JSON(http.StatusOK, exportData) } +// SubmissionsByDate godoc +// @Summary Get submissions by date +// @Description Get submission counts grouped by date +// @Tags Submissions +// @Produce json +// @Param id path string true "Form ID" +// @Success 200 {array} SubmissionsByDateResponse +// @Failure 401 {object} ErrorResponse +// @Failure 404 {object} ErrorResponse +// @Security BearerAuth +// @Router /forms/{id}/submissions/by-date [get] func (h *SubmissionHandler) SubmissionsByDate(c *gin.Context) { userID := c.GetString("user_id") formID := c.Param("id") diff --git a/backend/internal/handlers/submission_test.go b/backend/internal/handlers/submission_test.go new file mode 100644 index 0000000..2951bd7 --- /dev/null +++ b/backend/internal/handlers/submission_test.go @@ -0,0 +1,342 @@ +package handlers + +import ( + "bytes" + "encoding/json" + "net/http" + "net/http/httptest" + "testing" + + "formera/internal/models" + "formera/internal/testutil" + + "github.com/gin-gonic/gin" +) + +func TestSubmissionHandler_Submit(t *testing.T) { + db := testutil.SetupTestDB(t) + user := testutil.CreateTestUser(t, db, "test@example.com", "password123", models.RoleUser) + + form := &models.Form{ + UserID: user.ID, + Title: "Test Form", + Status: models.FormStatusPublished, + Fields: models.FormFields{ + {ID: "field1", Label: "Field 1", Type: "text", Required: true}, + }, + Settings: models.FormSettings{ + SuccessMessage: "Thank you!", + }, + } + db.Create(form) + + handler := NewSubmissionHandler() + router := gin.New() + router.POST("/public/forms/:id/submit", handler.Submit) + + body := SubmitRequest{ + Data: map[string]interface{}{ + "field1": "test value", + }, + } + jsonBody, _ := json.Marshal(body) + + req := httptest.NewRequest(http.MethodPost, "/public/forms/"+form.ID+"/submit", bytes.NewBuffer(jsonBody)) + req.Header.Set("Content-Type", "application/json") + w := httptest.NewRecorder() + + router.ServeHTTP(w, req) + + if w.Code != http.StatusCreated { + t.Errorf("expected status %d, got %d: %s", http.StatusCreated, w.Code, w.Body.String()) + } + + var response map[string]interface{} + if err := json.Unmarshal(w.Body.Bytes(), &response); err != nil { + t.Fatalf("failed to unmarshal response: %v", err) + } + + if response["message"] != "Thank you!" { + t.Errorf("expected success message 'Thank you!', got %v", response["message"]) + } +} + +func TestSubmissionHandler_Submit_RequiredFieldMissing(t *testing.T) { + db := testutil.SetupTestDB(t) + user := testutil.CreateTestUser(t, db, "test@example.com", "password123", models.RoleUser) + + form := &models.Form{ + UserID: user.ID, + Title: "Test Form", + Status: models.FormStatusPublished, + Fields: models.FormFields{ + {ID: "field1", Label: "Field 1", Type: "text", Required: true}, + }, + } + db.Create(form) + + handler := NewSubmissionHandler() + router := gin.New() + router.POST("/public/forms/:id/submit", handler.Submit) + + body := SubmitRequest{ + Data: map[string]interface{}{}, // Missing required field + } + jsonBody, _ := json.Marshal(body) + + req := httptest.NewRequest(http.MethodPost, "/public/forms/"+form.ID+"/submit", bytes.NewBuffer(jsonBody)) + req.Header.Set("Content-Type", "application/json") + w := httptest.NewRecorder() + + router.ServeHTTP(w, req) + + if w.Code != http.StatusBadRequest { + t.Errorf("expected status %d, got %d", http.StatusBadRequest, w.Code) + } +} + +func TestSubmissionHandler_Submit_FormNotPublished(t *testing.T) { + db := testutil.SetupTestDB(t) + user := testutil.CreateTestUser(t, db, "test@example.com", "password123", models.RoleUser) + + form := &models.Form{ + UserID: user.ID, + Title: "Test Form", + Status: models.FormStatusDraft, // Not published + } + db.Create(form) + + handler := NewSubmissionHandler() + router := gin.New() + router.POST("/public/forms/:id/submit", handler.Submit) + + body := SubmitRequest{ + Data: map[string]interface{}{"field1": "value"}, + } + jsonBody, _ := json.Marshal(body) + + req := httptest.NewRequest(http.MethodPost, "/public/forms/"+form.ID+"/submit", bytes.NewBuffer(jsonBody)) + req.Header.Set("Content-Type", "application/json") + w := httptest.NewRecorder() + + router.ServeHTTP(w, req) + + if w.Code != http.StatusNotFound { + t.Errorf("expected status %d, got %d", http.StatusNotFound, w.Code) + } +} + +func TestSubmissionHandler_Submit_MaxSubmissionsReached(t *testing.T) { + db := testutil.SetupTestDB(t) + user := testutil.CreateTestUser(t, db, "test@example.com", "password123", models.RoleUser) + + form := &models.Form{ + UserID: user.ID, + Title: "Test Form", + Status: models.FormStatusPublished, + Settings: models.FormSettings{ + MaxSubmissions: 1, + }, + } + db.Create(form) + + // Create existing submission + db.Create(&models.Submission{FormID: form.ID, Data: map[string]interface{}{}}) + + handler := NewSubmissionHandler() + router := gin.New() + router.POST("/public/forms/:id/submit", handler.Submit) + + body := SubmitRequest{ + Data: map[string]interface{}{"field1": "value"}, + } + jsonBody, _ := json.Marshal(body) + + req := httptest.NewRequest(http.MethodPost, "/public/forms/"+form.ID+"/submit", bytes.NewBuffer(jsonBody)) + req.Header.Set("Content-Type", "application/json") + w := httptest.NewRecorder() + + router.ServeHTTP(w, req) + + if w.Code != http.StatusForbidden { + t.Errorf("expected status %d, got %d", http.StatusForbidden, w.Code) + } +} + +func TestSubmissionHandler_Submit_SanitizesXSS(t *testing.T) { + db := testutil.SetupTestDB(t) + user := testutil.CreateTestUser(t, db, "test@example.com", "password123", models.RoleUser) + + form := &models.Form{ + UserID: user.ID, + Title: "Test Form", + Status: models.FormStatusPublished, + Fields: models.FormFields{ + {ID: "field1", Label: "Field 1", Type: "text", Required: true}, + }, + } + db.Create(form) + + handler := NewSubmissionHandler() + router := gin.New() + router.POST("/public/forms/:id/submit", handler.Submit) + + body := SubmitRequest{ + Data: map[string]interface{}{ + "field1": "Hello", + }, + } + jsonBody, _ := json.Marshal(body) + + req := httptest.NewRequest(http.MethodPost, "/public/forms/"+form.ID+"/submit", bytes.NewBuffer(jsonBody)) + req.Header.Set("Content-Type", "application/json") + w := httptest.NewRecorder() + + router.ServeHTTP(w, req) + + if w.Code != http.StatusCreated { + t.Errorf("expected status %d, got %d: %s", http.StatusCreated, w.Code, w.Body.String()) + } + + // Check the stored submission + var submission models.Submission + db.First(&submission, "form_id = ?", form.ID) + + if val, ok := submission.Data["field1"].(string); ok { + if val == "Hello" { + t.Error("XSS script tag was not stripped from submission data") + } + } +} + +func TestSubmissionHandler_List(t *testing.T) { + db := testutil.SetupTestDB(t) + user := testutil.CreateTestUser(t, db, "test@example.com", "password123", models.RoleUser) + + form := &models.Form{UserID: user.ID, Title: "Test Form", Status: models.FormStatusPublished} + db.Create(form) + + // Create submissions + db.Create(&models.Submission{FormID: form.ID, Data: map[string]interface{}{"field1": "value1"}}) + db.Create(&models.Submission{FormID: form.ID, Data: map[string]interface{}{"field1": "value2"}}) + + handler := NewSubmissionHandler() + router := gin.New() + router.GET("/forms/:id/submissions", func(c *gin.Context) { + c.Set("user_id", user.ID) + handler.List(c) + }) + + req := httptest.NewRequest(http.MethodGet, "/forms/"+form.ID+"/submissions", nil) + w := httptest.NewRecorder() + + router.ServeHTTP(w, req) + + if w.Code != http.StatusOK { + t.Errorf("expected status %d, got %d", http.StatusOK, w.Code) + } +} + +func TestSubmissionHandler_List_WrongUser(t *testing.T) { + db := testutil.SetupTestDB(t) + owner := testutil.CreateTestUser(t, db, "owner@example.com", "password123", models.RoleUser) + otherUser := testutil.CreateTestUser(t, db, "other@example.com", "password123", models.RoleUser) + + form := &models.Form{UserID: owner.ID, Title: "Test Form", Status: models.FormStatusPublished} + db.Create(form) + + handler := NewSubmissionHandler() + router := gin.New() + router.GET("/forms/:id/submissions", func(c *gin.Context) { + c.Set("user_id", otherUser.ID) // Different user + handler.List(c) + }) + + req := httptest.NewRequest(http.MethodGet, "/forms/"+form.ID+"/submissions", nil) + w := httptest.NewRecorder() + + router.ServeHTTP(w, req) + + if w.Code != http.StatusNotFound { + t.Errorf("expected status %d, got %d", http.StatusNotFound, w.Code) + } +} + +func TestSubmissionHandler_Delete(t *testing.T) { + db := testutil.SetupTestDB(t) + user := testutil.CreateTestUser(t, db, "test@example.com", "password123", models.RoleUser) + + form := &models.Form{UserID: user.ID, Title: "Test Form", Status: models.FormStatusPublished} + db.Create(form) + + submission := &models.Submission{FormID: form.ID, Data: map[string]interface{}{"field1": "value1"}} + db.Create(submission) + + handler := NewSubmissionHandler() + router := gin.New() + router.DELETE("/forms/:id/submissions/:submissionId", func(c *gin.Context) { + c.Set("user_id", user.ID) + handler.Delete(c) + }) + + req := httptest.NewRequest(http.MethodDelete, "/forms/"+form.ID+"/submissions/"+submission.ID, nil) + w := httptest.NewRecorder() + + router.ServeHTTP(w, req) + + if w.Code != http.StatusOK { + t.Errorf("expected status %d, got %d: %s", http.StatusOK, w.Code, w.Body.String()) + } + + // Verify submission is deleted + var deletedSubmission models.Submission + result := db.First(&deletedSubmission, "id = ?", submission.ID) + if result.Error == nil { + t.Error("submission should have been deleted") + } +} + +func TestSubmissionHandler_Stats(t *testing.T) { + db := testutil.SetupTestDB(t) + user := testutil.CreateTestUser(t, db, "test@example.com", "password123", models.RoleUser) + + form := &models.Form{ + UserID: user.ID, + Title: "Test Form", + Status: models.FormStatusPublished, + Fields: models.FormFields{ + {ID: "rating", Label: "Rating", Type: "select"}, + }, + } + db.Create(form) + + // Create submissions with different values + db.Create(&models.Submission{FormID: form.ID, Data: map[string]interface{}{"rating": "good"}}) + db.Create(&models.Submission{FormID: form.ID, Data: map[string]interface{}{"rating": "good"}}) + db.Create(&models.Submission{FormID: form.ID, Data: map[string]interface{}{"rating": "bad"}}) + + handler := NewSubmissionHandler() + router := gin.New() + router.GET("/forms/:id/stats", func(c *gin.Context) { + c.Set("user_id", user.ID) + handler.Stats(c) + }) + + req := httptest.NewRequest(http.MethodGet, "/forms/"+form.ID+"/stats", nil) + w := httptest.NewRecorder() + + router.ServeHTTP(w, req) + + if w.Code != http.StatusOK { + t.Errorf("expected status %d, got %d", http.StatusOK, w.Code) + } + + var response map[string]interface{} + if err := json.Unmarshal(w.Body.Bytes(), &response); err != nil { + t.Fatalf("failed to unmarshal response: %v", err) + } + + if response["total_submissions"].(float64) != 3 { + t.Errorf("expected 3 total submissions, got %v", response["total_submissions"]) + } +} diff --git a/backend/internal/handlers/types.go b/backend/internal/handlers/types.go new file mode 100644 index 0000000..3691e24 --- /dev/null +++ b/backend/internal/handlers/types.go @@ -0,0 +1,39 @@ +package handlers + +// Swagger API Types - used for documentation only +// Types that are already defined in other files are not duplicated here + +// ErrorResponse represents an error response +type ErrorResponse struct { + Error string `json:"error" example:"Invalid request"` +} + +// MessageResponse represents a simple message response +type MessageResponse struct { + Message string `json:"message" example:"Operation successful"` +} + +// SlugCheckResponse represents slug availability check +type SlugCheckResponse struct { + Available bool `json:"available" example:"true"` + Slug string `json:"slug" example:"contact-form"` + Reason string `json:"reason,omitempty" example:"taken"` +} + +// SubmissionListResponse represents paginated submissions +type SubmissionListResponse struct { + Form interface{} `json:"form"` + Submissions interface{} `json:"submissions"` +} + +// FormStatsResponse represents form statistics +type FormStatsResponse struct { + TotalSubmissions int `json:"total_submissions" example:"150"` + FieldStats map[string]interface{} `json:"field_stats"` +} + +// SubmissionsByDateResponse represents submissions grouped by date +type SubmissionsByDateResponse struct { + Date string `json:"date" example:"2025-01-15"` + Count int `json:"count" example:"25"` +} diff --git a/backend/internal/handlers/upload.go b/backend/internal/handlers/upload.go index bbca5ca..502915c 100644 --- a/backend/internal/handlers/upload.go +++ b/backend/internal/handlers/upload.go @@ -71,7 +71,19 @@ func NewUploadHandler(store storage.Storage) *UploadHandler { } } -// UploadImage handles image uploads for form design backgrounds +// UploadImage godoc +// @Summary Upload image +// @Description Upload an image file (for form design backgrounds) +// @Tags Uploads +// @Accept multipart/form-data +// @Produce json +// @Param file formData file true "Image file" +// @Success 200 {object} storage.UploadResult +// @Failure 400 {object} ErrorResponse "Invalid file" +// @Failure 401 {object} ErrorResponse +// @Failure 429 {object} ErrorResponse "Rate limit exceeded" +// @Security BearerAuth +// @Router /uploads/image [post] func (h *UploadHandler) UploadImage(c *gin.Context) { // Get authenticated user userID := c.GetString("user_id") @@ -154,7 +166,17 @@ func (h *UploadHandler) UploadImage(c *gin.Context) { c.JSON(http.StatusOK, result) } -// UploadFile handles general file uploads (for form submissions) +// UploadFile godoc +// @Summary Upload file +// @Description Upload a file (for form submissions) +// @Tags Uploads +// @Accept multipart/form-data +// @Produce json +// @Param file formData file true "File to upload" +// @Success 200 {object} storage.UploadResult +// @Failure 400 {object} ErrorResponse "Invalid file" +// @Failure 429 {object} ErrorResponse "Rate limit exceeded" +// @Router /public/upload [post] func (h *UploadHandler) UploadFile(c *gin.Context) { // Get authenticated user (or allow anonymous for public form submissions) userID := c.GetString("user_id") @@ -230,7 +252,16 @@ func (h *UploadHandler) UploadFile(c *gin.Context) { c.JSON(http.StatusOK, result) } -// GetFile serves a file by redirecting to the appropriate URL (local or S3 presigned) +// GetFile godoc +// @Summary Get file +// @Description Serve a file by path (streams from storage) +// @Tags Files +// @Produce octet-stream +// @Param path path string true "File path" +// @Success 200 {file} file "File content" +// @Failure 400 {object} ErrorResponse +// @Failure 404 {object} ErrorResponse +// @Router /files/{path} [get] func (h *UploadHandler) GetFile(c *gin.Context) { // Get the file path from URL parameter (e.g., "images/2025/12/abc123.png") filePath := c.Param("path") @@ -251,8 +282,8 @@ func (h *UploadHandler) GetFile(c *gin.Context) { return } - // Get URL for the file (generates presigned URL for S3, returns local URL for local storage) - url, err := h.storage.GetURLByPath(filePath) + // Get file content for streaming + fileContent, err := h.storage.GetFileByPath(filePath) if err != nil { if err == storage.ErrFileNotFound { c.JSON(http.StatusNotFound, gin.H{"error": "File not found"}) @@ -261,13 +292,27 @@ func (h *UploadHandler) GetFile(c *gin.Context) { c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to get file"}) return } + defer fileContent.Reader.Close() - // For S3, redirect to presigned URL - // For local storage, the URL points to our static file server - c.Redirect(http.StatusTemporaryRedirect, url) + // Set headers for caching (1 year for immutable content-addressed files) + c.Header("Cache-Control", "public, max-age=31536000, immutable") + + // Use Gin's DataFromReader for efficient streaming + c.DataFromReader(http.StatusOK, fileContent.Size, fileContent.ContentType, fileContent.Reader, nil) } -// DeleteFile handles file deletion +// DeleteFile godoc +// @Summary Delete file +// @Description Delete an uploaded file +// @Tags Uploads +// @Produce json +// @Param id path string true "File ID" +// @Success 200 {object} MessageResponse +// @Failure 400 {object} ErrorResponse +// @Failure 401 {object} ErrorResponse +// @Failure 404 {object} ErrorResponse +// @Security BearerAuth +// @Router /uploads/{id} [delete] func (h *UploadHandler) DeleteFile(c *gin.Context) { // Only authenticated users can delete userID := c.GetString("user_id") diff --git a/backend/internal/handlers/user.go b/backend/internal/handlers/user.go index 6075f00..5f5eeb7 100644 --- a/backend/internal/handlers/user.go +++ b/backend/internal/handlers/user.go @@ -5,6 +5,7 @@ import ( "formera/internal/database" "formera/internal/models" + "formera/internal/pagination" "github.com/gin-gonic/gin" ) @@ -30,13 +31,20 @@ type UpdateUserRequest struct { } func (h *UserHandler) List(c *gin.Context) { + params := pagination.GetParams(c) + + var totalItems int64 + database.DB.Model(&models.User{}).Count(&totalItems) + var users []models.User - if result := database.DB.Find(&users); result.Error != nil { + if result := database.DB.Order("created_at DESC"). + Scopes(pagination.Paginate(params)). + Find(&users); result.Error != nil { c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to fetch users"}) return } - c.JSON(http.StatusOK, users) + c.JSON(http.StatusOK, pagination.CreateResult(users, params, totalItems)) } func (h *UserHandler) Get(c *gin.Context) { @@ -174,10 +182,44 @@ func (h *UserHandler) Delete(c *gin.Context) { } } - if result := database.DB.Delete(&user); result.Error != nil { + // Use transaction to delete user and all their data + tx := database.DB.Begin() + if tx.Error != nil { + c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to start transaction"}) + return + } + + // Get all forms by this user + var formIDs []string + tx.Model(&models.Form{}).Where("user_id = ?", id).Pluck("id", &formIDs) + + // Delete all submissions for user's forms + if len(formIDs) > 0 { + if result := tx.Where("form_id IN ?", formIDs).Delete(&models.Submission{}); result.Error != nil { + tx.Rollback() + c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to delete submissions"}) + return + } + } + + // Delete all forms by this user + if result := tx.Where("user_id = ?", id).Delete(&models.Form{}); result.Error != nil { + tx.Rollback() + c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to delete forms"}) + return + } + + // Delete the user + if result := tx.Delete(&user); result.Error != nil { + tx.Rollback() c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to delete user"}) return } + if err := tx.Commit().Error; err != nil { + c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to commit transaction"}) + return + } + c.JSON(http.StatusOK, gin.H{"message": "User deleted successfully"}) } diff --git a/backend/internal/handlers/user_test.go b/backend/internal/handlers/user_test.go index 9d0dc6f..8d19bfb 100644 --- a/backend/internal/handlers/user_test.go +++ b/backend/internal/handlers/user_test.go @@ -8,6 +8,7 @@ import ( "testing" "formera/internal/models" + "formera/internal/pagination" "formera/internal/testutil" "github.com/gin-gonic/gin" @@ -31,13 +32,13 @@ func TestUserHandler_List(t *testing.T) { t.Errorf("expected status %d, got %d", http.StatusOK, w.Code) } - var users []models.User - if err := json.Unmarshal(w.Body.Bytes(), &users); err != nil { + var response pagination.Result + if err := json.Unmarshal(w.Body.Bytes(), &response); err != nil { t.Fatalf("failed to unmarshal response: %v", err) } - if len(users) != 2 { - t.Errorf("expected 2 users, got %d", len(users)) + if response.TotalItems != 2 { + t.Errorf("expected 2 users, got %d", response.TotalItems) } } diff --git a/backend/internal/logger/logger.go b/backend/internal/logger/logger.go new file mode 100644 index 0000000..349348c --- /dev/null +++ b/backend/internal/logger/logger.go @@ -0,0 +1,136 @@ +package logger + +import ( + "io" + "os" + "time" + + "github.com/gin-gonic/gin" + "github.com/rs/zerolog" +) + +var Log zerolog.Logger + +// Config holds logger configuration +type Config struct { + Level string // debug, info, warn, error + Pretty bool // Human-readable output (for development) + TimeFormat string // Time format +} + +// Initialize sets up the global logger +func Initialize(cfg Config) { + var output io.Writer = os.Stdout + + if cfg.Pretty { + output = zerolog.ConsoleWriter{ + Out: os.Stdout, + TimeFormat: time.RFC3339, + } + } + + level := parseLevel(cfg.Level) + + Log = zerolog.New(output). + Level(level). + With(). + Timestamp(). + Caller(). + Logger() +} + +func parseLevel(level string) zerolog.Level { + switch level { + case "debug": + return zerolog.DebugLevel + case "info": + return zerolog.InfoLevel + case "warn": + return zerolog.WarnLevel + case "error": + return zerolog.ErrorLevel + default: + return zerolog.InfoLevel + } +} + +// GinLogger returns a gin middleware for HTTP request logging +func GinLogger() gin.HandlerFunc { + return func(c *gin.Context) { + start := time.Now() + path := c.Request.URL.Path + query := c.Request.URL.RawQuery + + c.Next() + + latency := time.Since(start) + status := c.Writer.Status() + + event := Log.Info() + if status >= 400 && status < 500 { + event = Log.Warn() + } else if status >= 500 { + event = Log.Error() + } + + event. + Str("method", c.Request.Method). + Str("path", path). + Str("query", query). + Int("status", status). + Dur("latency", latency). + Str("ip", c.ClientIP()). + Str("user_agent", c.Request.UserAgent()). + Msg("HTTP request") + } +} + +// GinRecovery returns a gin middleware for panic recovery with logging +func GinRecovery() gin.HandlerFunc { + return func(c *gin.Context) { + defer func() { + if err := recover(); err != nil { + Log.Error(). + Interface("error", err). + Str("path", c.Request.URL.Path). + Str("method", c.Request.Method). + Msg("Panic recovered") + + c.AbortWithStatus(500) + } + }() + c.Next() + } +} + +// Helper functions for common logging patterns + +func Debug() *zerolog.Event { + return Log.Debug() +} + +func Info() *zerolog.Event { + return Log.Info() +} + +func Warn() *zerolog.Event { + return Log.Warn() +} + +func Error() *zerolog.Event { + return Log.Error() +} + +func Fatal() *zerolog.Event { + return Log.Fatal() +} + +// WithRequestID adds request context to logs +func WithRequestID(requestID string) zerolog.Logger { + return Log.With().Str("request_id", requestID).Logger() +} + +// WithUserID adds user context to logs +func WithUserID(userID string) zerolog.Logger { + return Log.With().Str("user_id", userID).Logger() +} diff --git a/backend/internal/middleware/auth.go b/backend/internal/middleware/auth.go index 12e7b2a..209533b 100644 --- a/backend/internal/middleware/auth.go +++ b/backend/internal/middleware/auth.go @@ -4,7 +4,6 @@ import ( "net/http" "strings" - "formera/internal/database" "formera/internal/models" "github.com/gin-gonic/gin" @@ -14,6 +13,7 @@ import ( type Claims struct { UserID string `json:"user_id"` Email string `json:"email"` + Role string `json:"role"` jwt.RegisteredClaims } @@ -48,34 +48,28 @@ func AuthMiddleware(jwtSecret string) gin.HandlerFunc { c.Set("user_id", claims.UserID) c.Set("email", claims.Email) + c.Set("user_role", claims.Role) c.Next() } } // AdminMiddleware checks if the authenticated user has admin role +// Uses the role from JWT claims instead of querying the database func AdminMiddleware() gin.HandlerFunc { return func(c *gin.Context) { - userID := c.GetString("user_id") - if userID == "" { + role := c.GetString("user_role") + if role == "" { c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"}) c.Abort() return } - var user models.User - if result := database.DB.First(&user, "id = ?", userID); result.Error != nil { - c.JSON(http.StatusUnauthorized, gin.H{"error": "User not found"}) - c.Abort() - return - } - - if user.Role != models.RoleAdmin { + if role != string(models.RoleAdmin) { c.JSON(http.StatusForbidden, gin.H{"error": "Admin access required"}) c.Abort() return } - c.Set("user_role", string(user.Role)) c.Next() } } diff --git a/backend/internal/middleware/auth_test.go b/backend/internal/middleware/auth_test.go index 725082a..b1b7923 100644 --- a/backend/internal/middleware/auth_test.go +++ b/backend/internal/middleware/auth_test.go @@ -7,7 +7,6 @@ import ( "time" "formera/internal/models" - "formera/internal/testutil" "github.com/gin-gonic/gin" "github.com/golang-jwt/jwt/v5" @@ -17,7 +16,7 @@ func init() { gin.SetMode(gin.TestMode) } -func generateTestToken(secret, userID, email string, expired bool) string { +func generateTestToken(secret, userID, email, role string, expired bool) string { expiresAt := time.Now().Add(time.Hour) if expired { expiresAt = time.Now().Add(-time.Hour) @@ -26,6 +25,7 @@ func generateTestToken(secret, userID, email string, expired bool) string { claims := &Claims{ UserID: userID, Email: email, + Role: role, RegisteredClaims: jwt.RegisteredClaims{ ExpiresAt: jwt.NewNumericDate(expiresAt), IssuedAt: jwt.NewNumericDate(time.Now()), @@ -39,7 +39,7 @@ func generateTestToken(secret, userID, email string, expired bool) string { func TestAuthMiddleware_ValidToken(t *testing.T) { secret := "test-secret" - token := generateTestToken(secret, "user-123", "test@example.com", false) + token := generateTestToken(secret, "user-123", "test@example.com", "user", false) router := gin.New() router.Use(AuthMiddleware(secret)) @@ -111,7 +111,7 @@ func TestAuthMiddleware_InvalidFormat(t *testing.T) { func TestAuthMiddleware_ExpiredToken(t *testing.T) { secret := "test-secret" - token := generateTestToken(secret, "user-123", "test@example.com", true) + token := generateTestToken(secret, "user-123", "test@example.com", "user", true) router := gin.New() router.Use(AuthMiddleware(secret)) @@ -131,7 +131,7 @@ func TestAuthMiddleware_ExpiredToken(t *testing.T) { } func TestAuthMiddleware_InvalidSecret(t *testing.T) { - token := generateTestToken("correct-secret", "user-123", "test@example.com", false) + token := generateTestToken("correct-secret", "user-123", "test@example.com", "user", false) router := gin.New() router.Use(AuthMiddleware("wrong-secret")) @@ -151,12 +151,10 @@ func TestAuthMiddleware_InvalidSecret(t *testing.T) { } func TestAdminMiddleware_AdminUser(t *testing.T) { - db := testutil.SetupTestDB(t) - admin := testutil.CreateTestUser(t, db, "admin@example.com", "password123", models.RoleAdmin) - router := gin.New() router.Use(func(c *gin.Context) { - c.Set("user_id", admin.ID) + c.Set("user_id", "admin-123") + c.Set("user_role", string(models.RoleAdmin)) c.Next() }) router.Use(AdminMiddleware()) @@ -175,12 +173,10 @@ func TestAdminMiddleware_AdminUser(t *testing.T) { } func TestAdminMiddleware_NonAdminUser(t *testing.T) { - db := testutil.SetupTestDB(t) - user := testutil.CreateTestUser(t, db, "user@example.com", "password123", models.RoleUser) - router := gin.New() router.Use(func(c *gin.Context) { - c.Set("user_id", user.ID) + c.Set("user_id", "user-123") + c.Set("user_role", string(models.RoleUser)) c.Next() }) router.Use(AdminMiddleware()) @@ -198,33 +194,9 @@ func TestAdminMiddleware_NonAdminUser(t *testing.T) { } } -func TestAdminMiddleware_NoUserID(t *testing.T) { - testutil.SetupTestDB(t) - +func TestAdminMiddleware_NoRole(t *testing.T) { router := gin.New() - router.Use(AdminMiddleware()) - router.GET("/admin", func(c *gin.Context) { - c.JSON(http.StatusOK, gin.H{}) - }) - - req := httptest.NewRequest(http.MethodGet, "/admin", nil) - w := httptest.NewRecorder() - - router.ServeHTTP(w, req) - - if w.Code != http.StatusUnauthorized { - t.Errorf("expected status %d, got %d", http.StatusUnauthorized, w.Code) - } -} - -func TestAdminMiddleware_UserNotFound(t *testing.T) { - testutil.SetupTestDB(t) - - router := gin.New() - router.Use(func(c *gin.Context) { - c.Set("user_id", "non-existent-id") - c.Next() - }) + // No user_role set in context router.Use(AdminMiddleware()) router.GET("/admin", func(c *gin.Context) { c.JSON(http.StatusOK, gin.H{}) diff --git a/backend/internal/middleware/ratelimit.go b/backend/internal/middleware/ratelimit.go new file mode 100644 index 0000000..107d057 --- /dev/null +++ b/backend/internal/middleware/ratelimit.go @@ -0,0 +1,199 @@ +package middleware + +import ( + "net/http" + "sync" + "time" + + "github.com/gin-gonic/gin" +) + +// RateLimiter implements a token bucket rate limiter +type RateLimiter struct { + mu sync.RWMutex + clients map[string]*clientLimit + rate int // requests per window + window time.Duration // time window + cleanup time.Duration // cleanup interval for old entries +} + +type clientLimit struct { + count int + resetTime time.Time +} + +// NewRateLimiter creates a new rate limiter +// rate: maximum requests per window +// window: time window (e.g., 1 minute) +func NewRateLimiter(rate int, window time.Duration) *RateLimiter { + rl := &RateLimiter{ + clients: make(map[string]*clientLimit), + rate: rate, + window: window, + cleanup: 5 * time.Minute, + } + + // Start cleanup goroutine + go rl.cleanupLoop() + + return rl +} + +// Allow checks if a request from the given key should be allowed +func (rl *RateLimiter) Allow(key string) bool { + rl.mu.Lock() + defer rl.mu.Unlock() + + now := time.Now() + + client, exists := rl.clients[key] + if !exists || now.After(client.resetTime) { + rl.clients[key] = &clientLimit{ + count: 1, + resetTime: now.Add(rl.window), + } + return true + } + + if client.count >= rl.rate { + return false + } + + client.count++ + return true +} + +// Remaining returns the number of remaining requests for a key +func (rl *RateLimiter) Remaining(key string) int { + rl.mu.RLock() + defer rl.mu.RUnlock() + + client, exists := rl.clients[key] + if !exists || time.Now().After(client.resetTime) { + return rl.rate + } + + remaining := rl.rate - client.count + if remaining < 0 { + return 0 + } + return remaining +} + +// ResetTime returns when the rate limit resets for a key +func (rl *RateLimiter) ResetTime(key string) time.Time { + rl.mu.RLock() + defer rl.mu.RUnlock() + + client, exists := rl.clients[key] + if !exists { + return time.Now().Add(rl.window) + } + return client.resetTime +} + +// cleanupLoop periodically removes expired entries +func (rl *RateLimiter) cleanupLoop() { + ticker := time.NewTicker(rl.cleanup) + for range ticker.C { + rl.mu.Lock() + now := time.Now() + for key, client := range rl.clients { + if now.After(client.resetTime) { + delete(rl.clients, key) + } + } + rl.mu.Unlock() + } +} + +// RateLimitConfig holds configuration for the rate limit middleware +type RateLimitConfig struct { + // Rate is the number of requests allowed per window + Rate int + // Window is the time window for rate limiting + Window time.Duration + // KeyFunc extracts the rate limit key from the request (default: IP address) + KeyFunc func(*gin.Context) string + // SkipFunc determines if rate limiting should be skipped for a request + SkipFunc func(*gin.Context) bool +} + +// DefaultKeyFunc returns the client IP as the rate limit key +func DefaultKeyFunc(c *gin.Context) string { + return c.ClientIP() +} + +// RateLimitMiddleware creates a Gin middleware for rate limiting +func RateLimitMiddleware(config RateLimitConfig) gin.HandlerFunc { + if config.Rate <= 0 { + config.Rate = 100 // default: 100 requests + } + if config.Window <= 0 { + config.Window = time.Minute // default: per minute + } + if config.KeyFunc == nil { + config.KeyFunc = DefaultKeyFunc + } + + limiter := NewRateLimiter(config.Rate, config.Window) + + return func(c *gin.Context) { + // Skip rate limiting if configured + if config.SkipFunc != nil && config.SkipFunc(c) { + c.Next() + return + } + + key := config.KeyFunc(c) + + if !limiter.Allow(key) { + remaining := limiter.Remaining(key) + resetTime := limiter.ResetTime(key) + + c.Header("X-RateLimit-Limit", string(rune(config.Rate))) + c.Header("X-RateLimit-Remaining", string(rune(remaining))) + c.Header("X-RateLimit-Reset", resetTime.Format(time.RFC3339)) + c.Header("Retry-After", resetTime.Sub(time.Now()).String()) + + c.AbortWithStatusJSON(http.StatusTooManyRequests, gin.H{ + "error": "Rate limit exceeded", + "retry_after": resetTime.Sub(time.Now()).Seconds(), + }) + return + } + + // Add rate limit headers to response + c.Header("X-RateLimit-Limit", string(rune(config.Rate))) + c.Header("X-RateLimit-Remaining", string(rune(limiter.Remaining(key)))) + + c.Next() + } +} + +// APIRateLimiter creates a rate limiter for general API endpoints +// Default: 100 requests per minute per IP +func APIRateLimiter() gin.HandlerFunc { + return RateLimitMiddleware(RateLimitConfig{ + Rate: 100, + Window: time.Minute, + }) +} + +// AuthRateLimiter creates a stricter rate limiter for auth endpoints +// Default: 10 requests per minute per IP (to prevent brute force) +func AuthRateLimiter() gin.HandlerFunc { + return RateLimitMiddleware(RateLimitConfig{ + Rate: 10, + Window: time.Minute, + }) +} + +// SubmissionRateLimiter creates a rate limiter for form submissions +// Default: 30 requests per minute per IP +func SubmissionRateLimiter() gin.HandlerFunc { + return RateLimitMiddleware(RateLimitConfig{ + Rate: 30, + Window: time.Minute, + }) +} diff --git a/backend/internal/middleware/security.go b/backend/internal/middleware/security.go new file mode 100644 index 0000000..a95105c --- /dev/null +++ b/backend/internal/middleware/security.go @@ -0,0 +1,35 @@ +package middleware + +import ( + "github.com/gin-gonic/gin" +) + +// SecurityHeaders adds security-related HTTP headers to responses +func SecurityHeaders() gin.HandlerFunc { + return func(c *gin.Context) { + // Prevent MIME type sniffing + c.Header("X-Content-Type-Options", "nosniff") + + // Prevent clickjacking + c.Header("X-Frame-Options", "DENY") + + // Enable XSS filter in browsers + c.Header("X-XSS-Protection", "1; mode=block") + + // Control referrer information + c.Header("Referrer-Policy", "strict-origin-when-cross-origin") + + // Prevent caching of sensitive data + c.Header("Cache-Control", "no-store, no-cache, must-revalidate, proxy-revalidate") + c.Header("Pragma", "no-cache") + c.Header("Expires", "0") + + // Content Security Policy - adjust as needed for your frontend + c.Header("Content-Security-Policy", "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self' data:; connect-src 'self'") + + // Permissions Policy (formerly Feature-Policy) + c.Header("Permissions-Policy", "geolocation=(), microphone=(), camera=()") + + c.Next() + } +} diff --git a/backend/internal/pagination/pagination.go b/backend/internal/pagination/pagination.go new file mode 100644 index 0000000..04d221a --- /dev/null +++ b/backend/internal/pagination/pagination.go @@ -0,0 +1,78 @@ +package pagination + +import ( + "strconv" + + "github.com/gin-gonic/gin" + "gorm.io/gorm" +) + +const ( + DefaultPage = 1 + DefaultPageSize = 20 + MaxPageSize = 100 +) + +// Params holds pagination parameters +type Params struct { + Page int `json:"page"` + PageSize int `json:"page_size"` +} + +// Result holds paginated results +type Result struct { + Data interface{} `json:"data"` + Page int `json:"page"` + PageSize int `json:"page_size"` + TotalItems int64 `json:"total_items"` + TotalPages int `json:"total_pages"` +} + +// GetParams extracts pagination parameters from request +func GetParams(c *gin.Context) Params { + page, _ := strconv.Atoi(c.DefaultQuery("page", "1")) + pageSize, _ := strconv.Atoi(c.DefaultQuery("page_size", "20")) + + if page < 1 { + page = DefaultPage + } + if pageSize < 1 { + pageSize = DefaultPageSize + } + if pageSize > MaxPageSize { + pageSize = MaxPageSize + } + + return Params{ + Page: page, + PageSize: pageSize, + } +} + +// Offset calculates the offset for database queries +func (p Params) Offset() int { + return (p.Page - 1) * p.PageSize +} + +// Paginate applies pagination to a GORM query +func Paginate(params Params) func(db *gorm.DB) *gorm.DB { + return func(db *gorm.DB) *gorm.DB { + return db.Offset(params.Offset()).Limit(params.PageSize) + } +} + +// CreateResult creates a paginated result +func CreateResult(data interface{}, params Params, totalItems int64) Result { + totalPages := int(totalItems) / params.PageSize + if int(totalItems)%params.PageSize > 0 { + totalPages++ + } + + return Result{ + Data: data, + Page: params.Page, + PageSize: params.PageSize, + TotalItems: totalItems, + TotalPages: totalPages, + } +} diff --git a/backend/internal/sanitizer/sanitizer.go b/backend/internal/sanitizer/sanitizer.go new file mode 100644 index 0000000..d71c731 --- /dev/null +++ b/backend/internal/sanitizer/sanitizer.go @@ -0,0 +1,62 @@ +package sanitizer + +import ( + "github.com/microcosm-cc/bluemonday" +) + +var ( + // strictPolicy strips all HTML - use for text-only fields + strictPolicy *bluemonday.Policy + + // ugcPolicy allows safe HTML for user-generated content + ugcPolicy *bluemonday.Policy +) + +func init() { + // Strict policy: no HTML allowed at all + strictPolicy = bluemonday.StrictPolicy() + + // UGC policy: allows safe HTML tags + ugcPolicy = bluemonday.UGCPolicy() +} + +// StripHTML removes all HTML tags from the input +func StripHTML(input string) string { + return strictPolicy.Sanitize(input) +} + +// SanitizeHTML allows safe HTML while removing dangerous elements +func SanitizeHTML(input string) string { + return ugcPolicy.Sanitize(input) +} + +// SanitizeFormField sanitizes a form field value based on its type +func SanitizeFormField(value interface{}) interface{} { + switch v := value.(type) { + case string: + return StripHTML(v) + case []interface{}: + result := make([]interface{}, len(v)) + for i, item := range v { + result[i] = SanitizeFormField(item) + } + return result + case map[string]interface{}: + result := make(map[string]interface{}) + for key, val := range v { + result[StripHTML(key)] = SanitizeFormField(val) + } + return result + default: + return v + } +} + +// SanitizeSubmissionData sanitizes all values in a submission data map +func SanitizeSubmissionData(data map[string]interface{}) map[string]interface{} { + result := make(map[string]interface{}) + for key, value := range data { + result[key] = SanitizeFormField(value) + } + return result +} diff --git a/backend/internal/storage/local.go b/backend/internal/storage/local.go index fb725bf..2590a6a 100644 --- a/backend/internal/storage/local.go +++ b/backend/internal/storage/local.go @@ -114,6 +114,61 @@ func (s *LocalStorage) GetURLByPath(path string) (string, error) { return fmt.Sprintf("%s/%s", s.baseURL, path), nil } +// GetFileByPath retrieves a file's content from local storage for streaming +func (s *LocalStorage) GetFileByPath(path string) (*FileContent, error) { + fullPath := filepath.Join(s.basePath, path) + + // Check if file exists and get info + info, err := os.Stat(fullPath) + if os.IsNotExist(err) { + return nil, ErrFileNotFound + } + if err != nil { + return nil, err + } + + // Open the file + file, err := os.Open(fullPath) + if err != nil { + return nil, err + } + + // Detect content type from extension + contentType := detectContentTypeFromPath(path) + + return &FileContent{ + Reader: file, + ContentType: contentType, + Size: info.Size(), + }, nil +} + +// detectContentTypeFromPath returns MIME type based on file extension +func detectContentTypeFromPath(path string) string { + ext := filepath.Ext(path) + types := map[string]string{ + ".jpg": "image/jpeg", + ".jpeg": "image/jpeg", + ".png": "image/png", + ".gif": "image/gif", + ".webp": "image/webp", + ".svg": "image/svg+xml", + ".pdf": "application/pdf", + ".txt": "text/plain", + ".csv": "text/csv", + ".json": "application/json", + ".doc": "application/msword", + ".docx": "application/vnd.openxmlformats-officedocument.wordprocessingml.document", + ".xls": "application/vnd.ms-excel", + ".xlsx": "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet", + } + + if ct, ok := types[ext]; ok { + return ct + } + return "application/octet-stream" +} + // GetURL returns the URL for accessing a file func (s *LocalStorage) GetURL(fileID string) (string, error) { // For local storage, we need to find the file diff --git a/backend/internal/storage/s3.go b/backend/internal/storage/s3.go index c87bd12..4cff5f7 100644 --- a/backend/internal/storage/s3.go +++ b/backend/internal/storage/s3.go @@ -140,6 +140,39 @@ func (s *S3Storage) GetURLByPath(path string) (string, error) { return s.getPresignedURL(key) } +// GetFileByPath retrieves a file's content from S3 for streaming/proxying +func (s *S3Storage) GetFileByPath(path string) (*FileContent, error) { + ctx := context.TODO() + + // Build the full S3 key by adding our prefix + key := s.prefix + path + + // Get the object from S3 + result, err := s.client.GetObject(ctx, &s3.GetObjectInput{ + Bucket: aws.String(s.bucket), + Key: aws.String(key), + }) + if err != nil { + return nil, ErrFileNotFound + } + + contentType := "application/octet-stream" + if result.ContentType != nil { + contentType = *result.ContentType + } + + var size int64 + if result.ContentLength != nil { + size = *result.ContentLength + } + + return &FileContent{ + Reader: result.Body, + ContentType: contentType, + Size: size, + }, nil +} + // GetURL returns a presigned URL for accessing a file func (s *S3Storage) GetURL(fileID string) (string, error) { ctx := context.TODO() diff --git a/backend/internal/storage/storage.go b/backend/internal/storage/storage.go index a10aee7..5b1efc0 100644 --- a/backend/internal/storage/storage.go +++ b/backend/internal/storage/storage.go @@ -33,6 +33,13 @@ type UploadResult struct { MimeType string `json:"mimeType"` } +// FileContent represents the content of a file for streaming +type FileContent struct { + Reader io.ReadCloser + ContentType string + Size int64 +} + // Storage defines the interface for file storage backends type Storage interface { // Upload stores a file and returns the result @@ -44,6 +51,9 @@ type Storage interface { // GetURLByPath returns the URL for accessing a file by its relative path GetURLByPath(path string) (string, error) + // GetFileByPath retrieves a file's content for streaming/proxying + GetFileByPath(path string) (*FileContent, error) + // Delete removes a file from storage Delete(fileID string) error diff --git a/frontend/app/components/UI/Pagination.vue b/frontend/app/components/UI/Pagination.vue new file mode 100644 index 0000000..f14efb1 --- /dev/null +++ b/frontend/app/components/UI/Pagination.vue @@ -0,0 +1,232 @@ + + + +