mycorrhiza/web/auth.go

package web

import (
	"fmt"
	"io"
	"log"
	"mime"
	"net/http"

	"github.com/bouncepaw/mycorrhiza/cfg"
	"github.com/bouncepaw/mycorrhiza/user"
	"github.com/bouncepaw/mycorrhiza/util"
	"github.com/bouncepaw/mycorrhiza/views"
)

func initAuth() {
	if !cfg.UseAuth {
		return
	}
	if cfg.AllowRegistration {
		http.HandleFunc("/register", handlerRegister)
	}
	http.HandleFunc("/login", handlerLogin)
	http.HandleFunc("/login-data", handlerLoginData)
	http.HandleFunc("/logout", handlerLogout)
	http.HandleFunc("/logout-confirm", handlerLogoutConfirm)
}

// handlerRegister both displays the register form (GET) and registers users (POST).
func handlerRegister(w http.ResponseWriter, rq *http.Request) {
	util.PrepareRq(rq)
	if !cfg.AllowRegistration {
		w.WriteHeader(http.StatusForbidden)
	}
	if rq.Method == http.MethodGet {
		io.WriteString(
			w,
			views.BaseHTML(
				"Register",
				views.RegisterHTML(rq),
				user.FromRequest(rq),
			),
		)
	} else if rq.Method == http.MethodPost {
		var (
			username = rq.PostFormValue("username")
			password = rq.PostFormValue("password")
			err      = user.Register(username, password, "editor", false)
		)
		if err != nil {
			log.Printf("Failed to register \"%s\": %s", username, err.Error())
			w.Header().Set("Content-Type", mime.TypeByExtension(".html"))
			w.WriteHeader(http.StatusBadRequest)
			fmt.Fprint(
				w,
				views.BaseHTML(
					"Register",
					fmt.Sprintf(
						`<main class="main-width"><p>%s</p><p><a href="/register">Try again<a></p></main>`,
						err.Error(),
					),
					user.FromRequest(rq),
				),
			)
		} else {
			log.Printf("Successfully registered \"%s\"", username)
			user.LoginDataHTTP(w, rq, username, password)
			http.Redirect(w, rq, "/"+rq.URL.RawQuery, http.StatusSeeOther)
		}
	}
}

// handlerLogout shows the logout form.
func handlerLogout(w http.ResponseWriter, rq *http.Request) {
	var (
		u   = user.FromRequest(rq)
		can = u != nil
	)
	w.Header().Set("Content-Type", "text/html;charset=utf-8")
	if can {
		log.Println("User", u.Name, "tries to log out")
		w.WriteHeader(http.StatusOK)
	} else {
		log.Println("Unknown user tries to log out")
		w.WriteHeader(http.StatusForbidden)
	}
	w.Write([]byte(views.BaseHTML("Logout?", views.LogoutHTML(can), u)))
}

// handlerLogoutConfirm logs the user out.
//
// TODO: merge into handlerLogout as POST method.
func handlerLogoutConfirm(w http.ResponseWriter, rq *http.Request) {
	user.LogoutFromRequest(w, rq)
	http.Redirect(w, rq, "/", http.StatusSeeOther)
}

// handlerLogin shows the login form.
func handlerLogin(w http.ResponseWriter, rq *http.Request) {
	util.PrepareRq(rq)
	w.Header().Set("Content-Type", "text/html;charset=utf-8")
	if cfg.UseAuth {
		w.WriteHeader(http.StatusOK)
	} else {
		w.WriteHeader(http.StatusForbidden)
	}
	w.Write([]byte(views.BaseHTML("Login", views.LoginHTML(), user.EmptyUser())))
}

// handlerLoginData logs the user in.
//
// TODO: merge into handlerLogin as POST method.
func handlerLoginData(w http.ResponseWriter, rq *http.Request) {
	util.PrepareRq(rq)
	var (
		username = util.CanonicalName(rq.PostFormValue("username"))
		password = rq.PostFormValue("password")
		err      = user.LoginDataHTTP(w, rq, username, password)
	)
	if err != "" {
		w.Write([]byte(views.BaseHTML(err, views.LoginErrorHTML(err), user.EmptyUser())))
	} else {
		http.Redirect(w, rq, "/", http.StatusSeeOther)
	}
}
Move all web-related stuff to a new module 2021-05-09 10:42:12 +00:00			`package web`
Implement logging out 2020-11-14 13:03:06 +00:00
			`import (`
Actually check for illegal username, pretty errors 2021-07-01 08:45:03 +00:00			`"fmt"`
Implement register form and some registration-related code 2021-04-12 17:40:43 +00:00			`"io"`
Implement logging out 2020-11-14 13:03:06 +00:00			`"log"`
Actually check for illegal username, pretty errors 2021-07-01 08:45:03 +00:00			`"mime"`
Implement logging out 2020-11-14 13:03:06 +00:00			`"net/http"`

Actually check for illegal username, pretty errors 2021-07-01 08:45:03 +00:00			`"github.com/bouncepaw/mycorrhiza/cfg"`
Implement logging out 2020-11-14 13:03:06 +00:00			`"github.com/bouncepaw/mycorrhiza/user"`
Start the Great Refactoring 2021-02-17 18:41:35 +00:00			`"github.com/bouncepaw/mycorrhiza/util"`
Move mutators.qtpl and auth.qtpl to the views 2021-02-23 14:25:07 +00:00			`"github.com/bouncepaw/mycorrhiza/views"`
Implement logging out 2020-11-14 13:03:06 +00:00			`)`

Reorganise and document the web stuff a little 2021-05-09 11:09:27 +00:00			`func initAuth() {`
Drop fixed authorization Important changes: - UseFixedAuth is now UseAuth and toggles all kinds of authorization and registration - UseRegistration is now AllowRegistration to better reflect the meaning - LimitRegistration is now RegistrationLimit because it's not a boolean, it's a value (not "limit registration?", but "registration limit is ...") - registered-users.json is now users.json, because all users are stored there - user.AuthUsed is dropped in favor of new cfg.UseAuth which has the same meaning I hope I have not forgotten anything. 2021-07-02 08:20:03 +00:00			`if !cfg.UseAuth {`
Reorganise and document the web stuff a little 2021-05-09 11:09:27 +00:00			`return`
			`}`
Drop fixed authorization Important changes: - UseFixedAuth is now UseAuth and toggles all kinds of authorization and registration - UseRegistration is now AllowRegistration to better reflect the meaning - LimitRegistration is now RegistrationLimit because it's not a boolean, it's a value (not "limit registration?", but "registration limit is ...") - registered-users.json is now users.json, because all users are stored there - user.AuthUsed is dropped in favor of new cfg.UseAuth which has the same meaning I hope I have not forgotten anything. 2021-07-02 08:20:03 +00:00			`if cfg.AllowRegistration {`
Reorganise and document the web stuff a little 2021-05-09 11:09:27 +00:00			`http.HandleFunc("/register", handlerRegister)`
			`}`
Implement logging out 2020-11-14 13:03:06 +00:00			`http.HandleFunc("/login", handlerLogin)`
			`http.HandleFunc("/login-data", handlerLoginData)`
			`http.HandleFunc("/logout", handlerLogout)`
			`http.HandleFunc("/logout-confirm", handlerLogoutConfirm)`
			`}`

Reorganise and document the web stuff a little 2021-05-09 11:09:27 +00:00			`// handlerRegister both displays the register form (GET) and registers users (POST).`
Implement register form and some registration-related code 2021-04-12 17:40:43 +00:00			`func handlerRegister(w http.ResponseWriter, rq *http.Request) {`
Move all web-related stuff to a new module 2021-05-09 10:42:12 +00:00			`util.PrepareRq(rq)`
Drop fixed authorization Important changes: - UseFixedAuth is now UseAuth and toggles all kinds of authorization and registration - UseRegistration is now AllowRegistration to better reflect the meaning - LimitRegistration is now RegistrationLimit because it's not a boolean, it's a value (not "limit registration?", but "registration limit is ...") - registered-users.json is now users.json, because all users are stored there - user.AuthUsed is dropped in favor of new cfg.UseAuth which has the same meaning I hope I have not forgotten anything. 2021-07-02 08:20:03 +00:00			`if !cfg.AllowRegistration {`
Implement register form and some registration-related code 2021-04-12 17:40:43 +00:00			`w.WriteHeader(http.StatusForbidden)`
			`}`
			`if rq.Method == http.MethodGet {`
			`io.WriteString(`
			`w,`
Move all web-related stuff to a new module 2021-05-09 10:42:12 +00:00			`views.BaseHTML(`
Implement register form and some registration-related code 2021-04-12 17:40:43 +00:00			`"Register",`
			`views.RegisterHTML(rq),`
			`user.FromRequest(rq),`
			`),`
			`)`
			`} else if rq.Method == http.MethodPost {`
You can now register, but the new account is not saved on disk 2021-04-19 16:39:25 +00:00			`var (`
			`username = rq.PostFormValue("username")`
			`password = rq.PostFormValue("password")`
Add -create-admin flag It allows for interactive creation of admin account from the terminal for new wikis. Because we have a chicken-and-egg problem here with the user panel -- you need an admin account to appoint someone as an admin, right? 2021-07-02 10:25:13 +00:00			`err = user.Register(username, password, "editor", false)`
You can now register, but the new account is not saved on disk 2021-04-19 16:39:25 +00:00			`)`
			`if err != nil {`
Add -create-admin flag It allows for interactive creation of admin account from the terminal for new wikis. Because we have a chicken-and-egg problem here with the user panel -- you need an admin account to appoint someone as an admin, right? 2021-07-02 10:25:13 +00:00			`log.Printf("Failed to register \"%s\": %s", username, err.Error())`
Actually check for illegal username, pretty errors 2021-07-01 08:45:03 +00:00			`w.Header().Set("Content-Type", mime.TypeByExtension(".html"))`
			`w.WriteHeader(http.StatusBadRequest)`
			`fmt.Fprint(`
			`w,`
			`views.BaseHTML(`
			`"Register",`
			`fmt.Sprintf(`
			`<main class="main-width"><p>%s</p><p><a href="/register">Try again<a></p></main>`,
			`err.Error(),`
			`),`
			`user.FromRequest(rq),`
			`),`
			`)`
You can now register, but the new account is not saved on disk 2021-04-19 16:39:25 +00:00			`} else {`
Add -create-admin flag It allows for interactive creation of admin account from the terminal for new wikis. Because we have a chicken-and-egg problem here with the user panel -- you need an admin account to appoint someone as an admin, right? 2021-07-02 10:25:13 +00:00			`log.Printf("Successfully registered \"%s\"", username)`
You can now register, but the new account is not saved on disk 2021-04-19 16:39:25 +00:00			`user.LoginDataHTTP(w, rq, username, password)`
			`http.Redirect(w, rq, "/"+rq.URL.RawQuery, http.StatusSeeOther)`
			`}`
Implement register form and some registration-related code 2021-04-12 17:40:43 +00:00			`}`
			`}`

Reorganise and document the web stuff a little 2021-05-09 11:09:27 +00:00			`// handlerLogout shows the logout form.`
Implement logging out 2020-11-14 13:03:06 +00:00			`func handlerLogout(w http.ResponseWriter, rq *http.Request) {`
			`var (`
			`u = user.FromRequest(rq)`
			`can = u != nil`
			`)`
			`w.Header().Set("Content-Type", "text/html;charset=utf-8")`
			`if can {`
			`log.Println("User", u.Name, "tries to log out")`
			`w.WriteHeader(http.StatusOK)`
			`} else {`
			`log.Println("Unknown user tries to log out")`
			`w.WriteHeader(http.StatusForbidden)`
			`}`
Move all web-related stuff to a new module 2021-05-09 10:42:12 +00:00			`w.Write([]byte(views.BaseHTML("Logout?", views.LogoutHTML(can), u)))`
Implement logging out 2020-11-14 13:03:06 +00:00			`}`

Reorganise and document the web stuff a little 2021-05-09 11:09:27 +00:00			`// handlerLogoutConfirm logs the user out.`
			`//`
			`// TODO: merge into handlerLogout as POST method.`
Implement logging out 2020-11-14 13:03:06 +00:00			`func handlerLogoutConfirm(w http.ResponseWriter, rq *http.Request) {`
			`user.LogoutFromRequest(w, rq)`
			`http.Redirect(w, rq, "/", http.StatusSeeOther)`
			`}`

Reorganise and document the web stuff a little 2021-05-09 11:09:27 +00:00			`// handlerLogin shows the login form.`
			`func handlerLogin(w http.ResponseWriter, rq *http.Request) {`
			`util.PrepareRq(rq)`
			`w.Header().Set("Content-Type", "text/html;charset=utf-8")`
Drop fixed authorization Important changes: - UseFixedAuth is now UseAuth and toggles all kinds of authorization and registration - UseRegistration is now AllowRegistration to better reflect the meaning - LimitRegistration is now RegistrationLimit because it's not a boolean, it's a value (not "limit registration?", but "registration limit is ...") - registered-users.json is now users.json, because all users are stored there - user.AuthUsed is dropped in favor of new cfg.UseAuth which has the same meaning I hope I have not forgotten anything. 2021-07-02 08:20:03 +00:00			`if cfg.UseAuth {`
Reorganise and document the web stuff a little 2021-05-09 11:09:27 +00:00			`w.WriteHeader(http.StatusOK)`
			`} else {`
			`w.WriteHeader(http.StatusForbidden)`
			`}`
			`w.Write([]byte(views.BaseHTML("Login", views.LoginHTML(), user.EmptyUser())))`
			`}`

			`// handlerLoginData logs the user in.`
			`//`
			`// TODO: merge into handlerLogin as POST method.`
Implement logging out 2020-11-14 13:03:06 +00:00			`func handlerLoginData(w http.ResponseWriter, rq *http.Request) {`
Move all web-related stuff to a new module 2021-05-09 10:42:12 +00:00			`util.PrepareRq(rq)`
Implement logging out 2020-11-14 13:03:06 +00:00			`var (`
Start the Great Refactoring 2021-02-17 18:41:35 +00:00			`username = util.CanonicalName(rq.PostFormValue("username"))`
Implement logging out 2020-11-14 13:03:06 +00:00			`password = rq.PostFormValue("password")`
			`err = user.LoginDataHTTP(w, rq, username, password)`
			`)`
			`if err != "" {`
Move all web-related stuff to a new module 2021-05-09 10:42:12 +00:00			`w.Write([]byte(views.BaseHTML(err, views.LoginErrorHTML(err), user.EmptyUser())))`
Implement logging out 2020-11-14 13:03:06 +00:00			`} else {`
			`http.Redirect(w, rq, "/", http.StatusSeeOther)`
			`}`
			`}`