Immanuel
/
skouter
1
0
Vork 0
Code Kwesties 0 Pull-aanvragen 0 Publicaties 0 Wiki Activiteit
Skouter mortgage estimates. Web application with view written in PHP and Vue, but controller and models in Go.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
54 Commits
1 Branch
11 MiB
 
 
 
 
 
 
Tree: 84d6807b94
Branches Labels
${ item.name }
Maak branch ${ searchTerm }
van '84d6807b94'
${ noResults }
skouter/skouter.go

964 lines
21 KiB
Ruw Blame Geschiedenis 

  1. package main

  2. 

  3. import (

  4. 		"net/http"

  5. 		"net/mail"

  6. 		"log"

  7. 		"sync"

  8. 		"regexp"

  9. 		"html/template"

  10. 		"database/sql"

  11. 		_ "github.com/go-sql-driver/mysql"

  12. 		"fmt"

  13. 		"encoding/json"

  14. 		"strconv"

  15. 		"bytes"

  16. 		"time"

  17. 		"errors"

  18. 		"strings"

  19. 		// pdf "github.com/SebastiaanKlippert/go-wkhtmltopdf"

  20. 		"github.com/golang-jwt/jwt/v4"

  21. )

  22. 

  23. type User struct {

  24. 	Id		int 	`json:"id"`

  25. 	Email 	string 	`json:"email"`

  26. 	FirstName 	string 	`json:"firstName"`

  27. 	LastName 	string 	`json:"lastName"`

  28. 	BranchId 	int 	`json:"branchId"`

  29. 	Status 	string 	`json:"status"`

  30. 	Country 	string 	`json:"country"`

  31. 	Title 	string 	`json:"title"`

  32. 	Verified 	bool 	`json:"verified"`

  33. 	Role 	string 	`json:"role"`

  34. 	Password 	string 	`json:"password,omitempty"`

  35. }

  36. 

  37. type UserClaims struct {

  38. 	Id 	int 	`json:"id"`

  39. 	Role 	string 	`json:"role"`

  40. 	Exp 	string 	`json:"exp"`

  41. }

  42. 

  43. type Page struct {

  44. 	tpl *template.Template

  45. 	Title string

  46. 	Name string

  47. }

  48. 

  49. type Borrower struct {

  50. 	Id	int	`json:"id"`

  51. 	Credit	int 	`json:"credit"`

  52. 	Income	int 	`json:"income"`

  53. 	Num	int	`json:"num"`

  54. }

  55. 

  56. type FeeTemplate struct {

  57. 	Id		int 	`json:"id"`

  58. 	User	int 	`json:"user"`

  59. 	Branch	int 	`json:"branch"`

  60. 	Amount	int 	`json:"amount"`

  61. 	Perc	int 	`json:"perc"`

  62. 	Type	string 	`json:"type"`

  63. 	Notes	string 	`json:"notes"`

  64. 	Name	string 	`json:"name"`

  65. 	Category	string 	`json:"category"`

  66. 	Auto	bool 	`json:"auto"`

  67. }

  68. 

  69. type Fee struct {

  70. 	Id		int 	`json:"id"`

  71. 	LoanId	int 	`json:"loan_id"`

  72. 	Amount	int 	`json:"amount"`

  73. 	Perc	int 	`json:"perc"`

  74. 	Type	string 	`json:"type"`

  75. 	Notes	string 	`json:"notes"`

  76. 	Name	string 	`json:"name"`

  77. 	Category	string 	`json:"category"`

  78. }

  79. 

  80. type LoanType struct {

  81. 	Id 	int 	`json:"id"`

  82. 	User 	int 	`json:"user"`

  83. 	Branch 	int 	`json:"branch"`

  84. 	Name 	string 	`json:"name"`

  85. }

  86. 

  87. type Loan struct {

  88. 	Id  	int 	`json:id`

  89. 	EstimateId  	int 	`json:estimate_id`

  90. 	Type	LoanType 	`json:"loanType"`

  91. 	Amount	int 	`json:"loanAmount"`

  92. 	Term		int 	`json:"term"`

  93. 	Ltv 	float32 	`json:"ltv"`

  94. 	Dti 	float32 	`json:"dti"`

  95. 	Hoi		int 	`json:"hoi"`

  96. 	Interest	int 	`json:"interest"`

  97. 	Mi 	MI 	`json:"mi"`

  98. 	Fees		[]Fee 	`json:"fees"`

  99. 	Name		string 	`json:"name"`

  100. }

  101. 

  102. type MI struct {

  103. 	Type	string

  104. 	Label	string

  105. 	Lender	string

  106. 	Rate	float32

  107. 	Premium	float32

  108. 	Upfront	float32

  109. 	FiveYearTotal	float32

  110. 	InitialAllInPremium	float32

  111. 	InitialAllInRate	float32

  112. 	InitialAmount	float32

  113. }

  114. 

  115. type Estimate struct {

  116. 	Id		int 	`json:"id"`

  117. 	User		int 	`json:"user"`

  118. 	Borrower	Borrower 	`json:"borrower"`

  119. 	Transaction	string 	`json:"transaction"`

  120. 	Price		int 	`json:"price"`

  121. 	Property	string 	`json:"property"`

  122. 	Occupancy	string	`json:"occupancy"`

  123. 	Zip		string 	`json:"zip"`

  124. 	Pud		bool 	`json:"pud"`

  125. 	Loans 	[]Loan 	`json:"loans"`

  126. }

  127. 

  128. var (

  129.     regexen = make(map[string]*regexp.Regexp)

  130.     relock  sync.Mutex

  131. 	address = "127.0.0.1:8001"

  132. )

  133. 

  134. var paths = map[string]string {

  135. 	"home": "home.tpl",

  136. 	"terms": "terms.tpl",

  137. 	"app": "app.tpl",

  138. }

  139. 

  140. var pages = map[string]Page {

  141. 	"home": cache("home", "Home"),

  142. 	"terms": cache("terms", "Terms and Conditions"),

  143. 	"app": cache("app", "App"),

  144. }

  145. 

  146. var roles = map[string]int{

  147. 	"User": 1,

  148. 	"Manager": 2,

  149. 	"Admin": 3,

  150. }

  151. 

  152. // Used to validate claim in JWT token body. Checks if user id is greater than

  153. // zero and time format is valid

  154. func (c UserClaims) Valid() error {

  155. 	if c.Id < 1 { return errors.New("Invalid id") }

  156. 	t, err := time.Parse(time.UnixDate, c.Exp)

  157. 	if err != nil { return err }

  158. 	if t.Before(time.Now()) { return errors.New("Token expired.") }

  159. 	return err

  160. }

  161. 

  162. func cache(name string, title string) Page {

  163. 	var p = []string{"master.tpl", paths[name]}

  164. 	tpl := template.Must(template.ParseFiles(p...))

  165. 	return Page{tpl: tpl,

  166. 				Title: title,

  167. 				Name: name,

  168. 				}

  169. }

  170. 

  171. func (page Page) Render(w http.ResponseWriter) {

  172. 	err := page.tpl.Execute(w, page)

  173. 	if err != nil {

  174. 		log.Print(err)

  175. 	}

  176. }

  177. 

  178. func match(path, pattern string, args *[]string) bool {

  179. 	relock.Lock()

  180. 	defer relock.Unlock()

  181. 	regex := regexen[pattern]

  182. 

  183. 	if regex == nil {

  184. 		regex = regexp.MustCompile("^" + pattern + "$")

  185. 		regexen[pattern] = regex

  186. 	}

  187. 

  188. 	matches := regex.FindStringSubmatch(path)

  189. 	if len(matches) <= 0 {

  190. 		return false

  191. 	}

  192. 

  193. 	*args = matches[1:]

  194. 	return true

  195. }

  196. 

  197. func getLoanType(

  198. 	db *sql.DB,

  199. 	user int,

  200. 	branch int,

  201. 	isUser bool) ([]LoanType, error) {

  202. 	var loans []LoanType

  203. 

  204. 	// Should be changed to specify user

  205. 	rows, err :=

  206. 	db.Query(`SELECT * FROM loan_type WHERE user_id = ? AND branch_id = ? ` +

  207. 	"OR (user_id = 0 AND branch_id = 0)", user, branch)

  208. 

  209. 	if err != nil {

  210. 		return nil, fmt.Errorf("loan_type error: %v", err)

  211. 	}

  212. 

  213. 	defer rows.Close()

  214. 

  215. 	for rows.Next() {

  216. 		var loan LoanType

  217. 

  218. 		if err := rows.Scan(

  219. 			&loan.Id,

  220. 			&loan.User,

  221. 			&loan.Branch,

  222. 			&loan.Name)

  223. 		err != nil {

  224. 			log.Printf("Error occured fetching loan: %v", err)

  225. 			return nil, fmt.Errorf("Error occured fetching loan: %v", err)

  226.         }

  227. 

  228. 		loans = append(loans, loan)

  229. 	}

  230. 

  231. 	log.Printf("The loans: %v", loans)

  232. 	return loans, nil

  233. }

  234. 

  235. func getEstimate(db *sql.DB, id int) (Estimate, error) {

  236. 	var estimate Estimate

  237. 	var err error

  238. 

  239. 	query := `SELECT e.id, e.user_id, e.transaction,

  240. 	e.price, e.property, e.occupancy, e.zip, e.pud,

  241. 	b.id, b.credit_score, b.monthly_income, b.num

  242. 	FROM estimate e

  243. 	INNER JOIN borrower b ON e.borrower_id = b.id

  244. 	WHERE e.id = ?

  245. 	`

  246. 	// Inner join should always be valid because a borrower is a required

  247. 	// foreign key.

  248. 	row := db.QueryRow(query, id)

  249. 	

  250. 	if err = row.Scan(

  251. 		&estimate.Id,

  252. 		&estimate.User,

  253. 		&estimate.Transaction,

  254. 		&estimate.Price,

  255. 		&estimate.Property,

  256. 		&estimate.Occupancy,

  257. 		&estimate.Zip,

  258. 		&estimate.Pud,

  259. 		&estimate.Borrower.Id,

  260. 		&estimate.Borrower.Credit,

  261. 		&estimate.Borrower.Income,

  262. 		&estimate.Borrower.Num,

  263. 		)

  264. 	err != nil {

  265. 		return estimate, fmt.Errorf("Estimate scanning error: %v", err)

  266.         }

  267. 

  268. 	estimate.Loans, err = getLoans(db, estimate.Id)

  269. 

  270. 	return estimate, err

  271. }

  272. 

  273. func getFees(db *sql.DB, loan int) ([]Fee, error) {

  274. 	var fees []Fee

  275. 

  276. 	rows, err := db.Query(

  277. 		"SELECT * FROM fees " +

  278. 		"WHERE loan_id = ?",

  279. 	loan)

  280. 	

  281. 	if err != nil {

  282. 		return nil, fmt.Errorf("Fee query error %v", err)

  283. 	}

  284. 

  285. 	defer rows.Close()

  286. 

  287. 	for rows.Next() {

  288. 		var fee Fee

  289. 

  290. 		if err := rows.Scan(

  291. 			&fee.Id,

  292. 			&fee.LoanId,

  293. 			&fee.Amount,

  294. 			&fee.Perc,

  295. 			&fee.Type,

  296. 			&fee.Notes,

  297. 			&fee.Name,

  298. 			&fee.Category,

  299. 			)

  300. 		err != nil {

  301. 			return nil, fmt.Errorf("Fees scanning error: %v", err)

  302.         }

  303. 

  304. 		fees = append(fees, fee)

  305. 	}

  306. 	

  307. 	return fees, nil

  308. }

  309. 

  310. func fetchFeesTemp(db *sql.DB, user int, branch int) ([]FeeTemplate, error) {

  311. 	var fees []FeeTemplate

  312. 	rows, err := db.Query(

  313. 		"SELECT * FROM fee_template " +

  314. 		"WHERE user_id = ? OR branch_id = ?",

  315. 	user, branch)

  316. 	

  317. 	if err != nil {

  318. 		return nil, fmt.Errorf("Fee template query error %v", err)

  319. 	}

  320. 

  321. 	defer rows.Close()

  322. 

  323. 	for rows.Next() {

  324. 		var fee FeeTemplate

  325. 

  326. 		if err := rows.Scan(

  327. 			&fee.Id,

  328. 			&fee.User,

  329. 			&fee.Branch,

  330. 			&fee.Amount,

  331. 			&fee.Perc,

  332. 			&fee.Type,

  333. 			&fee.Notes,

  334. 			&fee.Name,

  335. 			&fee.Category,

  336. 			&fee.Auto)

  337. 		err != nil {

  338. 			return nil, fmt.Errorf("FeesTemplate scanning error: %v", err)

  339.         }

  340. 

  341. 		fees = append(fees, fee)

  342. 	}

  343. 	

  344. 	return fees, nil

  345. }

  346. 

  347. // Fetch fees from the database

  348. func getFeesTemp(w http.ResponseWriter, db *sql.DB, r *http.Request) {

  349. 	var fees []FeeTemplate

  350. 	claims, err := getClaims(r)

  351. 	if err != nil { w.WriteHeader(500); return }

  352. 	users, err := queryUsers(db, claims.Id)

  353. 	if err != nil { w.WriteHeader(422); return }

  354. 

  355. 	fees, err = fetchFeesTemp(db, claims.Id, users[0].BranchId)

  356. 	json.NewEncoder(w).Encode(fees)

  357. }

  358. 

  359. func getMi(db *sql.DB, loan int) (MI, error) {

  360. 	var mi MI

  361. 

  362. 	query := `SELECT

  363. 	type, label, lender, rate, premium, upfront, five_year_total,

  364. 	initial_premium, initial_rate, initial_amount

  365. 	FROM mi WHERE loan_id = ?`

  366. 

  367. 	row := db.QueryRow(query, loan)

  368. 

  369. 	if err := row.Scan(

  370. 		&mi.Type,

  371. 		&mi.Label,

  372. 		&mi.Lender,

  373. 		&mi.Rate,

  374. 		&mi.Premium,

  375. 		&mi.Upfront,

  376. 		&mi.FiveYearTotal,

  377. 		&mi.InitialAllInPremium,

  378. 		&mi.InitialAllInRate,

  379. 		&mi.InitialAmount,

  380. 		)

  381. 	err != nil {

  382. 		return mi, err

  383. 	}

  384. 

  385. 	return mi, nil

  386. }

  387. 

  388. func getLoans(db *sql.DB, estimate int) ([]Loan, error) {

  389. 	var loans []Loan

  390. 

  391. 	query := `SELECT

  392. 	l.id, l.amount, l.term, l.interest, l.ltv, l.dti, l.hoi,

  393. 	lt.id, lt.user_id, lt.branch_id, lt.name

  394. 	FROM loan l INNER JOIN loan_type lt ON l.type_id = lt.id

  395. 	WHERE l.estimate_id = ?

  396. 	`

  397. 	rows, err := db.Query(query, estimate)

  398. 	

  399. 	if err != nil {

  400. 		return nil, fmt.Errorf("Loan query error %v", err)

  401. 	}

  402. 

  403. 	defer rows.Close()

  404. 

  405. 	for rows.Next() {

  406. 		var loan Loan

  407. 

  408. 		if err := rows.Scan(

  409. 			&loan.Id,

  410. 			&loan.Amount,

  411. 			&loan.Term,

  412. 			&loan.Interest,

  413. 			&loan.Ltv,

  414. 			&loan.Dti,

  415. 			&loan.Hoi,

  416. 			&loan.Type.Id,

  417. 			&loan.Type.User,

  418. 			&loan.Type.Branch,

  419. 			&loan.Type.Name,

  420. 			)

  421. 		err != nil {

  422. 			return loans, fmt.Errorf("Loans scanning error: %v", err)

  423.         }

  424. 		mi, err := getMi(db, loan.Id)

  425. 		if err != nil {

  426. 			return loans, err

  427.         }

  428. 		loan.Mi = mi

  429. 		loans = append(loans, loan)

  430. 	}

  431. 	

  432. 	return loans, nil

  433. }

  434. 

  435. func getBorrower(db *sql.DB, id int) (Borrower, error) {

  436. 	var borrower Borrower

  437. 

  438. 	row := db.QueryRow(

  439. 		"SELECT * FROM borrower " +

  440. 		"WHERE id = ? LIMIT 1",

  441. 	id)

  442. 

  443. 	if err := row.Scan(

  444. 		&borrower.Id,

  445. 		&borrower.Credit,

  446. 		&borrower.Income,

  447. 		&borrower.Num,

  448. 		)

  449. 	err != nil {

  450. 		return borrower, fmt.Errorf("Borrower scanning error: %v", err)

  451.         }

  452. 

  453. 	return borrower, nil

  454. }

  455. 

  456. // Query Lender APIs and parse responses into MI structs

  457. func fetchMi(db *sql.DB, estimate *Estimate, pos int) []MI {

  458. 	var err error

  459. 	var loan Loan = estimate.Loans[pos]

  460. 

  461. 	var ltv = func(l float32) string {

  462. 		switch {

  463. 		case l > 95: return "LTV97"

  464. 		case l > 90: return "LTV95"

  465. 		case l > 85: return "LTV90"

  466. 		default: return "LTV85"

  467. 		}

  468. 	}

  469. 

  470. 	var term = func(t int) string {

  471. 		switch {

  472. 		case t <= 10: return "A10"

  473. 		case t <= 15: return "A15"

  474. 		case t <= 20: return "A20"

  475. 		case t <= 25: return "A25"

  476. 		case t <= 30: return "A30"

  477. 		default: return "A40"

  478. 		}

  479. 	}

  480. 

  481. 	var propertyCodes = map[string]string {

  482. 		"Single Attached": "SFO",

  483. 		"Single Detached": "SFO",

  484. 		"Condo Lo-rise": "CON",

  485. 		"Condo Hi-rise": "CON",

  486. 	}

  487. 

  488. 	var purposeCodes = map[string]string {

  489. 		"Purchase": "PUR",

  490. 		"Refinance": "RRT",

  491. 	}

  492. 

  493. 	body, err := json.Marshal(map[string]any{

  494. 		"zipCode": estimate.Zip,

  495. 		"stateCode": "CA",

  496. 		"address": "",

  497. 		"propertyTypeCode": propertyCodes[estimate.Property],

  498. 		"occupancyTypeCode": "PRS",

  499. 		"loanPurposeCode": purposeCodes[estimate.Transaction],

  500. 		"loanAmount": loan.Amount,

  501. 		"loanToValue": ltv(loan.Ltv),

  502. 		"amortizationTerm": term(loan.Term),

  503. 		"loanTypeCode": "FXD",

  504. 		"duLpDecisionCode": "DAE",

  505. 		"loanProgramCodes": []any{},

  506. 		"debtToIncome": loan.Dti,

  507. 		"wholesaleLoan": 0,

  508. 		"coveragePercentageCode": "L30",

  509. 		"productCode": "BPM",

  510. 		"renewalTypeCode": "CON",

  511. 		"numberOfBorrowers": 1,

  512. 		"coBorrowerCreditScores": []any{},

  513. 		"borrowerCreditScore": strconv.Itoa(estimate.Borrower.Credit),

  514. 		"masterPolicy": nil,

  515. 		"selfEmployedIndicator": false,

  516. 		"armType": "",

  517. 		"userId": 44504,

  518. 	})

  519. 	

  520. 	if err != nil {

  521. 		log.Printf("Could not marshal NationalMI body: \n%v\n%v\n",

  522. 		bytes.NewBuffer(body), err)

  523. 	}

  524. 

  525. 	req, err := http.NewRequest("POST",

  526. 	"https://rate-gps.nationalmi.com/rates/productRateQuote",

  527. 	bytes.NewBuffer(body))

  528. 	req.Header.Add("Content-Type", "application/json")

  529. 

  530. 	req.AddCookie(&http.Cookie{

  531. 		Name: "nmirategps_email",

  532. 		Value: config["NationalMIEmail"]})

  533. 

  534. 	resp, err := http.DefaultClient.Do(req)

  535. 	var res map[string]interface{}

  536. 	var result []MI

  537. 

  538. 	if resp.StatusCode != 200 {

  539. 		log.Printf("the status: %v\nthe resp: %v\n the req: %v\n the body: %v\n",

  540. 		resp.Status, resp, req.Body, bytes.NewBuffer(body))

  541. 	} else {

  542. 		json.NewDecoder(resp.Body).Decode(&res)

  543. 		// estimate.Loans[pos].Mi = res

  544. 		// Parse res into result here

  545. 	}

  546. 

  547. 	return result

  548. }

  549. 

  550. func login(w http.ResponseWriter, db *sql.DB, r *http.Request) {

  551. 	var id int

  552. 	var role string

  553. 	var err error

  554. 	var user User

  555. 	json.NewDecoder(r.Body).Decode(&user)

  556. 

  557. 	row := db.QueryRow(

  558. 		`SELECT id, role FROM user WHERE email = ? AND password = sha2(?, 256)`,

  559. 		user.Email, user.Password,

  560. 		)

  561. 

  562. 	err = row.Scan(&id, &role)

  563. 	if err != nil {

  564. 		http.Error(w, "Invalid Credentials.", http.StatusUnauthorized)

  565. 		return

  566. 	}

  567. 

  568. 	token := jwt.NewWithClaims(jwt.SigningMethodHS256,

  569. 	UserClaims{ Id: id, Role: role,

  570. 		Exp: time.Now().Add(time.Minute * 30).Format(time.UnixDate)})

  571. 

  572. 	tokenStr, err := token.SignedString([]byte(config["JWT_SECRET"]))

  573. 	if err != nil {

  574. 		log.Println("Token could not be signed: ", err, tokenStr)

  575. 		http.Error(w, "Token generation error.", http.StatusInternalServerError)

  576. 		return

  577. 	}

  578. 

  579. 	cookie := http.Cookie{Name: "skouter",

  580. 	Value: tokenStr,

  581. 	Path: "/",

  582. 	Expires: time.Now().Add(time.Hour * 24)}

  583. 	http.SetCookie(w, &cookie)

  584. 	_, err = w.Write([]byte(tokenStr))

  585. 	if err != nil {

  586. 		http.Error(w,

  587. 		"Could not complete token write.",

  588. 		http.StatusInternalServerError)}

  589. }

  590. 

  591. func getToken(w http.ResponseWriter, db *sql.DB, r *http.Request) {

  592. 	claims, err := getClaims(r)

  593. 	// Will verify existing signature and expiry time

  594. 	token := jwt.NewWithClaims(jwt.SigningMethodHS256,

  595. 	UserClaims{ Id: claims.Id, Role: claims.Role,

  596. 		Exp: time.Now().Add(time.Minute * 30).Format(time.UnixDate)})

  597. 

  598. 	tokenStr, err := token.SignedString([]byte(config["JWT_SECRET"]))

  599. 	if err != nil {

  600. 		log.Println("Token could not be signed: ", err, tokenStr)

  601. 		http.Error(w, "Token generation error.", http.StatusInternalServerError)

  602. 		return

  603. 	}

  604. 

  605. 	cookie := http.Cookie{Name: "skouter",

  606. 	Value: tokenStr,

  607. 	Path: "/",

  608. 	Expires: time.Now().Add(time.Hour * 24)}

  609. 	http.SetCookie(w, &cookie)

  610. 	_, err = w.Write([]byte(tokenStr))

  611. 	if err != nil {

  612. 		http.Error(w,

  613. 		"Could not complete token write.",

  614. 		http.StatusInternalServerError)}

  615. }

  616. 

  617. func validateEstimate() {

  618. 	return

  619. }

  620. 

  621. func getClaims(r *http.Request) (UserClaims, error) {

  622. 	claims := new(UserClaims)

  623. 	_, tokenStr, found := strings.Cut(r.Header.Get("Authorization"), " ")

  624. 

  625. 	if !found {

  626. 		return *claims, errors.New("Token not found")

  627. 	}

  628. 

  629. 	// Pull token payload into UserClaims

  630. 	_, err := jwt.ParseWithClaims(tokenStr, claims,

  631. 	func(token *jwt.Token) (any, error) {

  632. 		return []byte(config["JWT_SECRET"]), nil

  633. 	})

  634. 

  635. 	if err != nil {

  636. 		return *claims, err

  637. 	}

  638. 

  639. 	if err = claims.Valid(); err != nil {

  640. 		return *claims, err

  641. 	}

  642. 

  643. 	return *claims, nil

  644. }

  645. 

  646. func guard(r *http.Request, required int) bool {

  647. 	claims, err := getClaims(r)

  648. 	if err != nil { return false }

  649. 	if roles[claims.Role] < required { return false }

  650. 

  651. 	return true

  652. }

  653. 

  654. func queryUsers(db *sql.DB, id int) ( []User, error ) {

  655. 	var users []User

  656. 	var query string

  657. 	var rows *sql.Rows

  658. 	var err error

  659. 

  660. 	query = `SELECT

  661. 	u.id,

  662. 	u.email,

  663. 	u.first_name,

  664. 	u.last_name,

  665. 	u.branch_id,

  666. 	u.country,

  667. 	u.title,

  668. 	u.status,

  669. 	u.verified,

  670. 	u.role

  671. 	FROM user u WHERE u.id = CASE @e := ? WHEN 0 THEN u.id ELSE @e END

  672. 	`

  673. 	rows, err = db.Query(query, id)

  674. 

  675. 

  676. 	if err != nil {

  677. 		return users, err

  678. 	}

  679. 

  680. 	defer rows.Close()

  681. 

  682. 	for rows.Next() {

  683. 		var user User

  684. 

  685. 		if err := rows.Scan(

  686. 			&user.Id,

  687. 			&user.Email,

  688. 			&user.FirstName,

  689. 			&user.LastName,

  690. 			&user.BranchId,

  691. 			&user.Country,

  692. 			&user.Title,

  693. 			&user.Status,

  694. 			&user.Verified,

  695. 			&user.Role,

  696. 			)

  697. 		err != nil {

  698. 			return users, err

  699.         }

  700. 		users = append(users, user)

  701. 	}

  702. 

  703. 	// Prevents runtime panics

  704. 	if len(users) == 0 { return users, errors.New("User not found.") }

  705. 

  706. 	return users, nil

  707. }

  708. 

  709. func insertUser(db *sql.DB, user User) (User, error){

  710. 	var query string

  711. 	var row *sql.Row

  712. 	var err error

  713. 	var id int // Inserted user's id

  714. 

  715. 	query = `INSERT INTO user

  716. 	(

  717. 		email,

  718. 		first_name,

  719. 		last_name,

  720. 		password,

  721. 		created,

  722. 		role,

  723. 		verified,

  724. 		last_login

  725. 	)

  726. 	VALUES (?, ?, ?, sha2(?, 256), NOW(), ?, ?, NOW())

  727. 	RETURNING id 

  728. 	`

  729. 	row = db.QueryRow(query,

  730. 		user.Email,

  731. 		user.FirstName,

  732. 		user.LastName,

  733. 		user.Password,

  734. 		user.Role,

  735. 		user.Verified,

  736. 	)

  737. 

  738. 	err = row.Scan(&id)

  739. 	if err != nil { return User{}, err }

  740. 

  741. 	users, err := queryUsers(db, id)

  742. 	if err != nil { return User{}, err }

  743. 

  744. 	return users[0], nil

  745. }

  746. 

  747. func updateUser(user User, db *sql.DB) error {

  748. 	query := `

  749. 	UPDATE user

  750. 	SET

  751. 	email = CASE @e := ? WHEN '' THEN email ELSE @e END,

  752. 	first_name = CASE @fn := ? WHEN '' THEN first_name ELSE @fn END,

  753. 	last_name = CASE @ln := ? WHEN '' THEN last_name ELSE @ln END,

  754. 	role = CASE @r := ? WHEN '' THEN role ELSE @r END,

  755. 	password = CASE @p := ? WHEN '' THEN password ELSE sha2(@p, 256) END

  756. 	WHERE id = ?

  757. 	`

  758. 

  759. 	_, err := db.Exec(query,

  760. 	user.Email,

  761. 	user.FirstName,

  762. 	user.LastName,

  763. 	user.Role,

  764. 	user.Password,

  765. 	user.Id,

  766. 	)

  767. 

  768. 	return err

  769. }

  770. 

  771. 

  772. func getUser(w http.ResponseWriter, db *sql.DB, r *http.Request) {

  773. 	claims, err := getClaims(r)

  774. 	if err != nil { w.WriteHeader(500); return }

  775. 	users, err := queryUsers(db, claims.Id)

  776. 	if err != nil { w.WriteHeader(422); log.Println(err); return }

  777. 	json.NewEncoder(w).Encode(users)

  778. }

  779. 

  780. func getUsers(w http.ResponseWriter, db *sql.DB, r *http.Request) {

  781. 	users, err := queryUsers(db, 0)

  782. 	if err != nil {

  783. 		w.WriteHeader(http.StatusInternalServerError)

  784. 		return

  785. 	}

  786. 

  787. 	json.NewEncoder(w).Encode(users)

  788. }

  789. 

  790. // Updates a user using only specified values in the JSON body

  791. func patchUser(w http.ResponseWriter, db *sql.DB, r *http.Request) {

  792. 	var user User

  793. 	err := json.NewDecoder(r.Body).Decode(&user)

  794. 

  795. 	_, err = mail.ParseAddress(user.Email)

  796. 	if err != nil { http.Error(w, "Invalid email.", 422); return }

  797. 

  798. 	if roles[user.Role] == 0 {

  799. 		http.Error(w, "Invalid role.", 422)

  800. 		return

  801. 	}

  802. 

  803. 	err = updateUser(user, db)

  804. 	if err != nil { http.Error(w, "Bad form values.", 422); return }

  805. 

  806. 	users, err := queryUsers(db, user.Id)

  807. 	if err != nil { http.Error(w, "Bad form values.", 422); return }

  808. 	json.NewEncoder(w).Encode(users[0])

  809. }

  810. 

  811. // Update specified fields of the user specified in the claim

  812. func patchSelf(w http.ResponseWriter, db *sql.DB, r *http.Request) {

  813. 	claim, err := getClaims(r)

  814. 	var user User

  815. 	json.NewDecoder(r.Body).Decode(&user)

  816. 

  817. 	// First check that the target user to be updated is the same as the claim id, and

  818. 	// their role is unchanged.

  819. 	if err != nil || claim.Id != user.Id {

  820. 		http.Error(w, "Target user's id does not match claim.", 401)

  821. 		return

  822. 	}

  823. 

  824. 	if claim.Role != user.Role && user.Role != "" {

  825. 		http.Error(w, "Administrator required to escalate role.", 401)

  826. 		return

  827. 	}

  828. 

  829. 	patchUser(w, db, r)

  830. }

  831. 

  832. func deleteUser(w http.ResponseWriter, db *sql.DB, r *http.Request) {

  833. 	var user User

  834. 	err := json.NewDecoder(r.Body).Decode(&user)

  835. 	if err != nil {

  836. 		http.Error(w, "Invalid fields.", 422)

  837. 		return

  838. 	}

  839. 

  840. 	query := `DELETE FROM user WHERE id = ?`

  841. 	_, err = db.Exec(query, user.Id)

  842. 

  843. 	if err != nil {

  844. 		http.Error(w, "Could not delete.", 500)

  845. 	}

  846. }

  847. 

  848. func createUser(w http.ResponseWriter, db *sql.DB, r *http.Request) {

  849. 	var user User

  850. 	err := json.NewDecoder(r.Body).Decode(&user)

  851. 	if err != nil { http.Error(w, "Invalid fields.", 422); return }

  852. 

  853. 	_, err = mail.ParseAddress(user.Email)

  854. 	if err != nil { http.Error(w, "Invalid email.", 422); return }

  855. 

  856. 	if roles[user.Role] == 0 {

  857. 		http.Error(w, "Invalid role.", 422)

  858. 	}

  859. 

  860. 	user, err = insertUser(db, user)

  861. 	if err != nil { http.Error(w, "Error creating user.", 422); return }

  862. 

  863. 	json.NewEncoder(w).Encode(user)

  864. }

  865. 

  866. func createEstimate(w http.ResponseWriter, db *sql.DB, r *http.Request) {

  867. 	var estimate Estimate

  868. 	err := json.NewDecoder(r.Body).Decode(&estimate)

  869. 	if err != nil { http.Error(w, "Invalid fields.", 422); return }

  870. 

  871. 	if err != nil { http.Error(w, "Error creating user.", 422); return }

  872. 

  873. 	json.NewEncoder(w).Encode(estimate)

  874. }

  875. 

  876. func api(w http.ResponseWriter, r *http.Request) {

  877. 	var args []string

  878. 

  879. 	p := r.URL.Path

  880. 	db, err := sql.Open("mysql",

  881. 		fmt.Sprintf("%s:%s@tcp(127.0.0.1:3306)/skouter",

  882. 			config["DBUser"],

  883. 			config["DBPass"]))

  884. 

  885. 	w.Header().Set("Content-Type", "application/json; charset=UTF-8")

  886. 

  887. 	err = db.Ping()

  888. 	if err != nil {

  889. 		fmt.Println("Bad database configuration: %v\n", err)

  890. 		panic(err)

  891. 		// maybe os.Exit(1) instead

  892. 	}

  893. 	

  894. 	switch {

  895. 	case match(p, "/api/login", &args) &&

  896. 	r.Method == http.MethodPost:

  897. 		login(w, db, r)

  898. 	case match(p, "/api/token", &args) &&

  899. 	r.Method == http.MethodGet && guard(r, 1):

  900. 		getToken(w, db, r)

  901. 	case match(p, "/api/users", &args) && // Array of all users

  902. 	r.Method == http.MethodGet && guard(r, 3):

  903. 		getUsers(w, db, r)

  904. 	case match(p, "/api/user", &args) &&

  905. 	r.Method == http.MethodGet && guard(r, 1):

  906. 		getUser(w, db, r)

  907. 	case match(p, "/api/user", &args) &&

  908. 	r.Method == http.MethodPost &&

  909. 	guard(r, 3):

  910. 		createUser(w, db, r)

  911. 	case match(p, "/api/user", &args) &&

  912. 	r.Method == http.MethodPatch &&

  913. 	guard(r, 3): // For admin to modify any user

  914. 		patchUser(w, db, r)

  915. 	case match(p, "/api/user", &args) &&

  916. 	r.Method == http.MethodPatch &&

  917. 	guard(r, 2): // For employees to modify own accounts

  918. 		patchSelf(w, db, r)

  919. 	case match(p, "/api/user", &args) &&

  920. 	r.Method == http.MethodDelete &&

  921. 	guard(r, 3):

  922. 		deleteUser(w, db, r)

  923. 	case match(p, "/api/fees", &args) &&

  924. 	r.Method == http.MethodGet &&

  925. 	guard(r, 1):

  926. 		getFeesTemp(w, db, r)

  927. 	case match(p, "/api/estimate", &args) &&

  928. 	r.Method == http.MethodPost &&

  929. 	guard(r, 1):

  930. 		createEstimate(w, db, r)

  931. 	}

  932. 

  933. 	db.Close()

  934. }

  935. 

  936. func route(w http.ResponseWriter, r *http.Request) {

  937.     var page Page

  938. 	var args []string

  939.     p := r.URL.Path

  940. 

  941.     switch {

  942.     case r.Method == "GET" && match(p, "/", &args):

  943.         page = pages[ "home" ]

  944.     case match(p, "/terms", &args):

  945.         page = pages[ "terms" ]

  946.     case match(p, "/app", &args):

  947.         page = pages[ "app" ]

  948.     default:

  949.         http.NotFound(w, r)

  950.         return

  951.     }

  952. 

  953.     page.Render(w)

  954. }

  955. 

  956. func main() {

  957. 	files := http.FileServer(http.Dir(""))

  958. 

  959. 	http.Handle("/assets/", files)

  960. 	http.HandleFunc("/api/", api)

  961. 	http.HandleFunc("/", route)

  962. 	log.Fatal(http.ListenAndServe(address, nil))

  963. }