veola/internal/handlers/auth.go

package handlers

import (
	"net/http"
	"strings"

	"veola/internal/auth"
	"veola/internal/models"
	"veola/templates"
)

func (a *App) GetLogin(w http.ResponseWriter, r *http.Request) {
	if auth.CurrentUserFromRequest(r) != nil {
		http.Redirect(w, r, "/", http.StatusSeeOther)
		return
	}
	render(w, r, templates.Login(templates.LoginData{
		Page: a.page(r, "Sign in", ""),
	}))
}

func (a *App) PostLogin(w http.ResponseWriter, r *http.Request) {
	if err := r.ParseForm(); err != nil {
		http.Error(w, "bad form", http.StatusBadRequest)
		return
	}
	username := strings.TrimSpace(r.PostFormValue("username"))
	password := r.PostFormValue("password")
	u, err := a.Store.GetUserByUsername(r.Context(), username)
	if err != nil || u == nil {
		// Run a bcrypt comparison anyway so a missing username takes the
		// same time as a wrong password (no user-enumeration oracle).
		auth.EqualizeLoginTiming()
	}
	if err != nil || u == nil || !auth.CheckPassword(u.PasswordHash, password) {
		render(w, r, templates.Login(templates.LoginData{
			Page:     a.page(r, "Sign in", ""),
			Error:    "Invalid username or password",
			Username: username,
		}))
		return
	}
	if err := a.Auth.LogIn(r.Context(), u.ID); err != nil {
		http.Error(w, "session error", http.StatusInternalServerError)
		return
	}
	http.Redirect(w, r, "/", http.StatusSeeOther)
}

func (a *App) PostLogout(w http.ResponseWriter, r *http.Request) {
	_ = a.Auth.LogOut(r.Context())
	http.Redirect(w, r, "/login", http.StatusSeeOther)
}

func (a *App) GetSetup(w http.ResponseWriter, r *http.Request) {
	n, err := a.Store.UserCount(r.Context())
	if err != nil {
		http.Error(w, "db error", http.StatusInternalServerError)
		return
	}
	if n > 0 {
		http.NotFound(w, r)
		return
	}
	render(w, r, templates.Setup(templates.SetupData{
		Page: a.page(r, "Setup", ""),
	}))
}

func (a *App) PostSetup(w http.ResponseWriter, r *http.Request) {
	n, err := a.Store.UserCount(r.Context())
	if err != nil {
		http.Error(w, "db error", http.StatusInternalServerError)
		return
	}
	if n > 0 {
		http.NotFound(w, r)
		return
	}
	if err := r.ParseForm(); err != nil {
		http.Error(w, "bad form", http.StatusBadRequest)
		return
	}
	username := strings.TrimSpace(r.PostFormValue("username"))
	password := r.PostFormValue("password")
	confirm := r.PostFormValue("password_confirm")
	errMsg := ""
	switch {
	case username == "":
		errMsg = "Username is required"
	case len(password) < auth.MinPasswordLen:
		errMsg = "Password must be at least 12 characters"
	case password != confirm:
		errMsg = "Passwords do not match"
	}
	if errMsg != "" {
		render(w, r, templates.Setup(templates.SetupData{
			Page:     a.page(r, "Setup", ""),
			Error:    errMsg,
			Username: username,
		}))
		return
	}
	hash, err := auth.HashPassword(password)
	if err != nil {
		http.Error(w, "hash error", http.StatusInternalServerError)
		return
	}
	if _, err := a.Store.CreateUser(r.Context(), username, hash, models.RoleAdmin); err != nil {
		render(w, r, templates.Setup(templates.SetupData{
			Page:     a.page(r, "Setup", ""),
			Error:    "Could not create user: " + err.Error(),
			Username: username,
		}))
		return
	}
	http.Redirect(w, r, "/login", http.StatusSeeOther)
}