From 3696bbde43f9762c55dc936e894901e5ce955876 Mon Sep 17 00:00:00 2001
From: Jan Bader
Date: Tue, 1 Mar 2022 18:37:07 +0000
Subject: [PATCH] Check empty secret in other spots
---
 jwt/login.go | 18 +++++++++++++-----
 server/account_test.go | 7 +++----
 2 files changed, 16 insertions(+), 9 deletions(-)
diff --git a/jwt/login.go b/jwt/login.go
index d58baef..190ebd7 100644
--- a/jwt/login.go
+++ b/jwt/login.go
@@ -11,18 +11,18 @@ import (
 )
 // TokenVerifier verifies Tokens.
-type tokenVerifier struct {
+type TokenVerifier struct {
 secret string
 }
 var ErrEmptySecret = fmt.Errorf("secret is required")
-func NewTokenVerifier(secret string) (*tokenVerifier, error) {
+func NewTokenVerifier(secret string) (*TokenVerifier, error) {
 if secret == "" {
 return nil, ErrEmptySecret
 }
- return &tokenVerifier{
+ return &TokenVerifier{
 secret: secret,
 }, nil
 }
@@ -40,7 +40,11 @@ const (
 )
 // CreateToken creates a new token from username and name.
-func (tv *tokenVerifier) CreateToken(user *postgres.User) (string, error) {
+func (tv *TokenVerifier) CreateToken(user *postgres.User) (string, error) {
+ if tv.secret == "" {
+ return "", ErrEmptySecret
+ }
+
 token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
 "usr": user.Email,
 "name": user.Name,
@@ -64,7 +68,11 @@ var (
 )
 // VerifyToken verifys a given string-token.
-func (tv *tokenVerifier) VerifyToken(tokenString string) (budgeteer.Token, error) { //nolint:ireturn
+func (tv *TokenVerifier) VerifyToken(tokenString string) (budgeteer.Token, error) { //nolint:ireturn
+ if tv.secret == "" {
+ return nil, ErrEmptySecret
+ }
+
 token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
 if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
 return nil, fmt.Errorf("method '%v': %w", token.Header["alg"], ErrUnexpectedSigningMethod)
diff --git a/server/account_test.go b/server/account_test.go
index 1af33c1..061b1bd 100644
--- a/server/account_test.go
+++ b/server/account_test.go
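Review bot: NewTokenVerifier in jwt/login.go rejects only the empty string, so a one-character secret is still accepted as the HS256 signing key. RFC 7518 section 3.2 requires an HMAC key at least as long as the hash output, 32 bytes for HS256, and a shorter key weakens every token the service issues. A length check next to the existing one would cover it, for example `if len(secret) < 32 { return nil, ErrSecretTooShort }`, where `ErrSecretTooShort` is a new sentinel whose name is suggested here and is not in the patch. The exported constructor and `ErrEmptySecret` also have no doc comments; `// NewTokenVerifier returns a TokenVerifier that signs and verifies with secret, or ErrEmptySecret if secret is empty.` would do for the former.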
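Review bot: The new guard in CreateToken reads `tv.secret` without checking `tv`, so a nil `*TokenVerifier` panics instead of returning ErrEmptySecret; the guard added to VerifyToken in the next hunk has the same gap. A nil verifier is plausible now that the type is exported and NewTokenVerifier returns `nil` on error, and the test change in server/account_test.go already discards that error. Writing the condition as `if tv == nil || tv.secret == "" {` in both methods keeps the failure an error return. Both function bodies continue outside their hunks.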
@@ -28,11 +28,10 @@ func TestRegisterUser(t *testing.T) { //nolint:funlen
 return
 }
+ tokenVerifier, _ := jwt.NewTokenVerifier("this_is_my_demo_secret_for_unit_tests")
 h := Handler{
- Service: database,
- TokenVerifier: &jwt.TokenVerifier{
- Secret: "this_is_my_demo_secret_for_unit_tests",
- },
+ Service: database,
+ TokenVerifier: tokenVerifier,
 CredentialsVerifier: &bcrypt.Verifier{},
 }
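Review bot: The constructor error is discarded in `tokenVerifier, _ := jwt.NewTokenVerifier(...)`, so if NewTokenVerifier ever rejects this secret the Handler is built with a nil verifier and the test fails later inside the handler instead of at setup. Checking the error keeps the failure at its cause: `tokenVerifier, err := jwt.NewTokenVerifier("this_is_my_demo_secret_for_unit_tests")` followed by `if err != nil { t.Fatalf("creating token verifier: %v", err) }`. TestRegisterUser starts and ends outside this hunk.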