Only show logout (now CSRF protected) if user is authenticated, include relevant authentication logic in GET controllers (this should be moved to middleware)

Add GET verb to static handler
Fix boolean column migration example
2024-02-14 13:20:35 -06:00 · 2024-02-14 13:16:52 -06:00 · 2024-02-14 13:16:15 -06:00 · 2024-02-12 14:46:26 -06:00
9 changed files with 73 additions and 34 deletions
--- a/README.md
+++ b/README.md
@@ -19,7 +19,7 @@ fine with getting your hands dirty, but I plan on having it ready to go for more
 - Config file handling
 - Scheduled tasks
 - Entire website compiles into a single binary (~10mb) (excluding env.json)
- Minimal dependencies (just standard library, postgres driver, and x/crypto for bcrypt)
+- Minimal dependencies (just standard library, postgres driver, and experimental package for bcrypt)

 <hr>

@@ -59,7 +59,7 @@ fine with getting your hands dirty, but I plan on having it ready to go for more
 ### License and disclaimer 😤

 - You are free to use this project under the terms of the MIT license. See LICENSE for more details.
- You are responsible for the security and everything else regarding your application.
+- You and you alone are responsible for the security and everything else regarding your application.
 - It is not required, but I ask that when you use this project you give me credit by linking to this repository.
 - I also ask that when releasing self-hosted or other end-user applications that you release it under
  the [GPLv3](https://www.gnu.org/licenses/gpl-3.0.html) license. This too is not required, but I would appreciate it.
--- a/controllers/get.go
+++ b/controllers/get.go
@@ -13,13 +13,28 @@ type Get struct {
 	App *app.App
 }

-func (g *Get) ShowHome(w http.ResponseWriter, _ *http.Request) {
+func (g *Get) ShowHome(w http.ResponseWriter, r *http.Request) {
 	type dataStruct struct {
+		CsrfToken       string
+		IsAuthenticated bool
 		Test            string
 	}

+	CsrfToken, err := security.GenerateCsrfToken(w, r)
+	if err != nil {
+		return
+	}
+
+	isAuthenticated := true
+	user, err := models.CurrentUser(g.App, r)
+	if err != nil || user.Id == 0 {
+		isAuthenticated = false
+	}
+
 	data := dataStruct{
+		CsrfToken:       CsrfToken,
 		Test:            "Hello World!",
+		IsAuthenticated: isAuthenticated,
 	}

 	templating.RenderTemplate(w, "templates/pages/home.html", data)
@@ -28,6 +43,7 @@ func (g *Get) ShowHome(w http.ResponseWriter, _ *http.Request) {
 func (g *Get) ShowRegister(w http.ResponseWriter, r *http.Request) {
 	type dataStruct struct {
 		CsrfToken       string
+		IsAuthenticated bool
 	}

 	CsrfToken, err := security.GenerateCsrfToken(w, r)
@@ -35,8 +51,15 @@ func (g *Get) ShowRegister(w http.ResponseWriter, r *http.Request) {
 		return
 	}

+	isAuthenticated := true
+	user, err := models.CurrentUser(g.App, r)
+	if err != nil || user.Id == 0 {
+		isAuthenticated = false
+	}
+
 	data := dataStruct{
 		CsrfToken:       CsrfToken,
+		IsAuthenticated: isAuthenticated,
 	}

 	templating.RenderTemplate(w, "templates/pages/register.html", data)
@@ -45,6 +68,7 @@ func (g *Get) ShowRegister(w http.ResponseWriter, r *http.Request) {
 func (g *Get) ShowLogin(w http.ResponseWriter, r *http.Request) {
 	type dataStruct struct {
 		CsrfToken       string
+		IsAuthenticated bool
 	}

 	CsrfToken, err := security.GenerateCsrfToken(w, r)
@@ -58,8 +82,3 @@ func (g *Get) ShowLogin(w http.ResponseWriter, r *http.Request) {

 	templating.RenderTemplate(w, "templates/pages/login.html", data)
 }
-
-func (g *Get) Logout(w http.ResponseWriter, r *http.Request) {
-	models.LogoutUser(g.App, w, r)
-	http.Redirect(w, r, "/", http.StatusFound)
-}
--- a/controllers/post.go
+++ b/controllers/post.go
@@ -50,3 +50,8 @@ func (p *Post) Register(w http.ResponseWriter, r *http.Request) {

 	http.Redirect(w, r, "/login", http.StatusFound)
 }
+
+func (p *Post) Logout(w http.ResponseWriter, r *http.Request) {
+	models.LogoutUser(p.App, w, r)
+	http.Redirect(w, r, "/", http.StatusFound)
+}
--- a/go.mod
+++ b/go.mod
@@ -4,5 +4,5 @@ go 1.22

 require (
 	github.com/lib/pq v1.10.9
-	golang.org/x/crypto v0.24.0
+	golang.org/x/crypto v0.19.0
 )
--- a/go.sum
+++ b/go.sum
@@ -1,4 +1,4 @@
 github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
 github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
-golang.org/x/crypto v0.24.0 h1:mnl8DM0o513X8fdIkmyFE/5hTYxbwYOjDS/+rK6qpRI=
-golang.org/x/crypto v0.24.0/go.mod h1:Z1PMYSOR5nyMcyAVAIQSKCDwalqy85Aqn1x3Ws4L5DM=
+golang.org/x/crypto v0.19.0 h1:ENy+Az/9Y1vSrlrvBSyna3PITt4tiZLf7sgCjZBX7Wo=
+golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
--- a/models/migrations.go
+++ b/models/migrations.go
@@ -25,7 +25,7 @@ func RunAllMigrations(app *app.App) error {
 		Id:         1,
 		UserId:     1,
 		AuthToken:  "migrate",
-		RememberMe: false,
+		RememberMe: true, // Booleans must be true to migrate properly
 		CreatedAt:  time.Now(),
 	}
 	err = database.Migrate(app, session)
--- a/routes/get.go
+++ b/routes/get.go
@@ -22,12 +22,11 @@ func Get(app *app.App) {
 		return
 	}
 	staticHandler := http.FileServer(http.FS(staticFS))
-	http.Handle("/static/", http.StripPrefix("/static/", staticHandler))
+	http.Handle("GET /static/", http.StripPrefix("/static/", staticHandler))
 	slog.Info("serving static files from embedded file system /static")

 	// Pages
-	http.HandleFunc("/", getController.ShowHome)
-	http.HandleFunc("/login", getController.ShowLogin)
-	http.HandleFunc("/register", getController.ShowRegister)
-	http.HandleFunc("/logout", getController.Logout)
+	http.HandleFunc("GET /", getController.ShowHome)
+	http.HandleFunc("GET /login", getController.ShowLogin)
+	http.HandleFunc("GET /register", getController.ShowRegister)
 }
--- a/routes/post.go
+++ b/routes/post.go
@@ -15,6 +15,7 @@ func Post(app *app.App) {
 	}

 	// User authentication
-	http.HandleFunc("/register-handle", middleware.Csrf(postController.Register))
-	http.HandleFunc("/login-handle", middleware.Csrf(postController.Login))
+	http.HandleFunc("POST /register-handle", middleware.Csrf(postController.Register))
+	http.HandleFunc("POST /login-handle", middleware.Csrf(postController.Login))
+	http.HandleFunc("POST /logout", middleware.Csrf(postController.Logout))
 }
--- a/templates/base.html
+++ b/templates/base.html
@@ -6,6 +6,21 @@
    <link href="/static/css/style.css" rel="stylesheet">
 </head>
 <body>
+<div class="navbar">
+    {{ if .IsAuthenticated }}
+    <form action="/logout" method="post">
+        <input name="csrf_token" type="hidden" value="{{ .CsrfToken }}">
+        <input type="submit" value="Logout">
+    </form>
+    {{ else }}
+    <form action="/login" method="get">
+        <input type="submit" value="Login">
+    </form>
+    <form action="/register" method="get">
+        <input type="submit" value="Register">
+    </form>
+    {{ end }}
+</div>
 {{ template "content" . }}
 <div class="footer-container">
    <footer>
Author	SHA1	Message	Date
max	6d6aff50b3	Only show logout (now CSRF protected) if user is authenticated, include relevant authentication logic in GET controllers (this should be moved to middleware)	2024-02-14 13:20:35 -06:00
max	a6be73765a	Add GET verb to static handler	2024-02-14 13:16:52 -06:00
max	ddc9e51831	Fix boolean column migration example	2024-02-14 13:16:15 -06:00
max	dc450e26dd	Move logout to POST route and controller with CSRF middleware. Add CsrfToken to home for logout	2024-02-12 14:46:26 -06:00