Files
veola/internal/handlers/auth.go
prosolis 72f4bdd88a Add ntfy Basic auth, sign-out button, config-only credentials
- ntfy client supports HTTP Basic auth (username/password) for servers with
  access control; [ntfy] config gains username/password. Scheduler + Test Ntfy
  use it instead of the old settings-only bearer token.
- Settings page no longer has credential inputs (Apify/eBay/ntfy/Resend); they
  are managed in config.toml. Read-only status + Test buttons remain.
- Sidebar gains a Sign out button; in forward-auth mode it routes through the
  Authentik outpost sign_out so the IdP session is cleared.
2026-06-20 14:56:24 -07:00

127 lines
3.5 KiB
Go

package handlers
import (
"net/http"
"strings"
"veola/internal/auth"
"veola/internal/models"
"veola/templates"
)
func (a *App) GetLogin(w http.ResponseWriter, r *http.Request) {
if auth.CurrentUserFromRequest(r) != nil {
http.Redirect(w, r, "/", http.StatusSeeOther)
return
}
render(w, r, templates.Login(templates.LoginData{
Page: a.page(r, "Sign in", ""),
}))
}
func (a *App) PostLogin(w http.ResponseWriter, r *http.Request) {
if err := r.ParseForm(); err != nil {
http.Error(w, "bad form", http.StatusBadRequest)
return
}
username := strings.TrimSpace(r.PostFormValue("username"))
password := r.PostFormValue("password")
u, err := a.Store.GetUserByUsername(r.Context(), username)
if err != nil || u == nil {
// Run a bcrypt comparison anyway so a missing username takes the
// same time as a wrong password (no user-enumeration oracle).
auth.EqualizeLoginTiming()
}
if err != nil || u == nil || !auth.CheckPassword(u.PasswordHash, password) {
render(w, r, templates.Login(templates.LoginData{
Page: a.page(r, "Sign in", ""),
Error: "Invalid username or password",
Username: username,
}))
return
}
if err := a.Auth.LogIn(r.Context(), u.ID); err != nil {
http.Error(w, "session error", http.StatusInternalServerError)
return
}
http.Redirect(w, r, "/", http.StatusSeeOther)
}
func (a *App) PostLogout(w http.ResponseWriter, r *http.Request) {
_ = a.Auth.LogOut(r.Context())
// In forward-auth mode, destroying only the local session is pointless: the
// next request still carries a valid Authentik proxy session and would be
// re-provisioned immediately. Send the user through the Authentik outpost
// sign-out so the IdP session is cleared too.
if a.Cfg.Auth.ForwardAuthEnabled() {
http.Redirect(w, r, "/outpost.goauthentik.io/sign_out", http.StatusSeeOther)
return
}
http.Redirect(w, r, "/login", http.StatusSeeOther)
}
func (a *App) GetSetup(w http.ResponseWriter, r *http.Request) {
n, err := a.Store.UserCount(r.Context())
if err != nil {
http.Error(w, "db error", http.StatusInternalServerError)
return
}
if n > 0 {
http.NotFound(w, r)
return
}
render(w, r, templates.Setup(templates.SetupData{
Page: a.page(r, "Setup", ""),
}))
}
func (a *App) PostSetup(w http.ResponseWriter, r *http.Request) {
n, err := a.Store.UserCount(r.Context())
if err != nil {
http.Error(w, "db error", http.StatusInternalServerError)
return
}
if n > 0 {
http.NotFound(w, r)
return
}
if err := r.ParseForm(); err != nil {
http.Error(w, "bad form", http.StatusBadRequest)
return
}
username := strings.TrimSpace(r.PostFormValue("username"))
password := r.PostFormValue("password")
confirm := r.PostFormValue("password_confirm")
errMsg := ""
switch {
case username == "":
errMsg = "Username is required"
case len(password) < auth.MinPasswordLen:
errMsg = "Password must be at least 12 characters"
case password != confirm:
errMsg = "Passwords do not match"
}
if errMsg != "" {
render(w, r, templates.Setup(templates.SetupData{
Page: a.page(r, "Setup", ""),
Error: errMsg,
Username: username,
}))
return
}
hash, err := auth.HashPassword(password)
if err != nil {
http.Error(w, "hash error", http.StatusInternalServerError)
return
}
if _, err := a.Store.CreateUser(r.Context(), username, hash, models.RoleAdmin); err != nil {
render(w, r, templates.Setup(templates.SetupData{
Page: a.page(r, "Setup", ""),
Error: "Could not create user: " + err.Error(),
Username: username,
}))
return
}
http.Redirect(w, r, "/login", http.StatusSeeOther)
}