package http import ( "html/template" "net/http" "time" _ "embed" "forge.cadoles.com/arcad/edge/pkg/module/auth" "forge.cadoles.com/arcad/edge/pkg/module/auth/http/passwd" "github.com/go-chi/chi/v5" "github.com/lestrrat-go/jwx/v2/jwa" "github.com/lestrrat-go/jwx/v2/jwk" "github.com/pkg/errors" "gitlab.com/wpetit/goweb/logger" ) //go:embed templates/login.html.tmpl var rawLoginTemplate string var loginTemplate *template.Template var ( errNotFound = errors.New("not found") errInvalidPassword = errors.New("invalid password") ) func init() { loginTemplate = template.Must(template.New("").Parse(rawLoginTemplate)) } type LocalHandler struct { router chi.Router algo jwa.KeyAlgorithm key jwk.Key accounts map[string]LocalAccount } func (h *LocalHandler) initRouter(prefix string) { router := chi.NewRouter() router.Route(prefix, func(r chi.Router) { r.Get("/login", h.serveForm) r.Post("/login", h.handleForm) r.Get("/logout", h.handleLogout) }) h.router = router } type loginTemplateData struct { URL string Username string Password string Message string } func (h *LocalHandler) serveForm(w http.ResponseWriter, r *http.Request) { ctx := r.Context() data := loginTemplateData{ URL: r.URL.String(), Username: "", Password: "", Message: "", } if err := loginTemplate.Execute(w, data); err != nil { logger.Error(ctx, "could not execute login page template", logger.E(errors.WithStack(err))) } } func (h *LocalHandler) handleForm(w http.ResponseWriter, r *http.Request) { ctx := r.Context() if err := r.ParseForm(); err != nil { logger.Error(ctx, "could not parse form", logger.E(errors.WithStack(err))) http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest) return } username := r.Form.Get("username") password := r.Form.Get("password") data := loginTemplateData{ URL: r.URL.String(), Username: username, Password: password, Message: "", } account, err := h.authenticate(username, password) if err != nil { if errors.Is(err, errNotFound) || errors.Is(err, errInvalidPassword) { data.Message = "Invalid username or password." if err := loginTemplate.Execute(w, data); err != nil { logger.Error(ctx, "could not execute login page template", logger.E(errors.WithStack(err))) } return } logger.Error(ctx, "could not authenticate account", logger.E(errors.WithStack(err))) http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) return } token, err := generateSignedToken(h.algo, h.key, account.Claims) if err != nil { logger.Error(ctx, "could not generate signed token", logger.E(errors.WithStack(err))) http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError) return } cookie := http.Cookie{ Name: auth.CookieName, Value: string(token), HttpOnly: false, Path: "/", } http.SetCookie(w, &cookie) http.Redirect(w, r, "/", http.StatusSeeOther) } func (h *LocalHandler) handleLogout(w http.ResponseWriter, r *http.Request) { http.SetCookie(w, &http.Cookie{ Name: auth.CookieName, Value: "", HttpOnly: false, Expires: time.Unix(0, 0), Path: "/", }) http.Redirect(w, r, "/", http.StatusSeeOther) } func (h *LocalHandler) authenticate(username, password string) (*LocalAccount, error) { account, exists := h.accounts[username] if !exists { return nil, errors.WithStack(errNotFound) } matches, err := passwd.Match(account.Algo, password, account.Password) if err != nil { return nil, errors.WithStack(err) } if !matches { return nil, errors.WithStack(errInvalidPassword) } return &account, nil } func NewLocalHandler(algo jwa.KeyAlgorithm, key jwk.Key, funcs ...LocalHandlerOptionFunc) *LocalHandler { opts := defaultLocalHandlerOptions() for _, fn := range funcs { fn(opts) } handler := &LocalHandler{ algo: algo, key: key, accounts: toAccountsMap(opts.Accounts), } handler.initRouter(opts.RoutePrefix) return handler } // ServeHTTP implements http.Handler. func (h *LocalHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) { h.router.ServeHTTP(w, r) } var _ http.Handler = &LocalHandler{}