Added signup for users

[LightJack05]

No description provided.

[Copilot]

Pull request overview

This pull request implements user signup functionality for the authentication service. It replaces the stub implementation with a complete user registration endpoint that accepts username, password, and display name, hashes the password with Argon2, and stores the user in the database.

Changes:

• Added request validation and user creation logic in the POST handler
• Implemented database query to insert new users into the users table

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

File	Description
internal/handlers/userhandler/post.go	Implements user signup handler with input validation, password hashing, and user creation
internal/database/user/queries.go	Adds CreateUser function to persist new users to the database

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The error return value from rand.Read must be checked. If rand.Read fails to generate cryptographically secure random bytes, the salt could be all zeros or incomplete, which would severely compromise password security. Add error handling to ensure the salt is properly generated before proceeding with password hashing.

Suggested change

	rand.Read(salt)
	if n, err := rand.Read(salt); err != nil || n != len(salt) {
	c.JSON(http.StatusInternalServerError, gin.H{"error": "Failed to generate secure salt"})
	return
	}

[Copilot]

The CreateUser function does not differentiate between different types of database errors. When a duplicate username is inserted (violating the UNIQUE constraint), the generic "Failed to create user" message is returned instead of a more specific error like "Username already exists". This makes it difficult for clients to handle duplicate username scenarios appropriately. Consider checking for unique constraint violations and returning a more specific error or status code.

[Copilot]

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 8 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

There's an extra blank line here that should be removed to maintain consistent code formatting.

Suggested change

[Copilot]

The error message returned to the client exposes the internal error details via err.Error(). This can leak sensitive information about the system's internals, including validation logic, field names, or other implementation details. Consider returning a more generic error message to the client while logging the detailed error server-side for debugging purposes.

[Copilot]

There's no validation to check if the username already exists before attempting insertion. While the database has a UNIQUE constraint that will prevent duplicates, it's more efficient and user-friendly to check for existence first and return a clear error message. This would avoid unnecessary database constraint violations and provide better error handling.

[Copilot]

The username validation only checks that it's required, but doesn't validate the format or length. Consider adding validation rules such as maximum length (to match the database VARCHAR(50) constraint), allowed characters (e.g., alphanumeric and certain special characters), and potentially a minimum length to prevent extremely short usernames.

Suggested change

	Username string `json:"username" binding:"required"`
	Username string `json:"username" binding:"required,min=3,max=50,alphanum"`

[Copilot]

The display_name validation only checks that it's required, but doesn't validate the length. The database has a VARCHAR(100) constraint, so attempting to insert a display_name longer than 100 characters will cause a database error. Add a max length validation (e.g., binding:"required,max=100") to catch this at the API level.

Suggested change

	DisplayName string `json:"display_name" binding:"required"`
	DisplayName string `json:"display_name" binding:"required,max=100"`

[Copilot]

The salt generated for password hashing is not being stored anywhere in the database. Without storing the salt, password verification will be impossible because you won't be able to recreate the same hash during login. The salt needs to be either:

1. Stored in a separate column in the users table, or
2. Embedded within the password hash string itself (which the argon-hash-utils library may already do via the ToString() method)

You should verify whether the argon-hash-utils library's ToString() method embeds the salt in the output string, or if you need to add a salt column to the database schema and User struct.

[Copilot]

The error handling when a duplicate username is attempted doesn't provide a meaningful response to the user. The database has a UNIQUE constraint on the username column, so attempting to create a duplicate user will result in a database error. This should be caught and returned as a specific error (e.g., HTTP 409 Conflict with "Username already exists") rather than a generic "Failed to create user" internal server error. Consider checking the error type to distinguish between duplicate key violations and other database errors.

[Copilot]

Using syscall.Kill with SIGABRT to terminate the application is an extreme reaction that bypasses graceful shutdown procedures. This can lead to resource leaks, incomplete transactions, and difficulty in debugging. Consider using panic() or log.Fatal() instead, which allow for proper cleanup via defer statements and provide better stack traces. If you need to signal a critical system issue, panic is the Go idiom for unrecoverable errors.