steve/restic-manager
1
0
Fork 0
Code Issues Pull Requests Actions Projects Releases 1 Wiki Activity

P1-23 / P1-28: base layout, login, session-aware nav + Tailwind build

Browse Source 
P1-28: Tailwind standalone CLI wired into the Makefile. `make tailwind`
downloads the pinned v3.4.17 binary into bin/tailwindcss (gitignored),
builds web/styles/input.css → web/static/css/styles.css. `make build`
now runs the CSS pass first; `make tailwind-watch` for dev. Output is
embedded in the binary via web.FS — single static binary, no Node.

The CSS source carries every component class the v1 mockups defined
(status dots, buttons, host row, log viewer, progress bar, fields,
chips, snippet panel, empty state) so screens that land later can
just reach for them.

P1-23: html/template tree at web/templates with two layouts (base
with chrome, chromeless for login + bootstrap), one nav partial, and
two pages (dashboard placeholder, login). internal/server/ui parses
the tree at startup; ui_handlers.go in the http package wires:

  GET  /         dashboard (303 → /login when unauthed)
  GET  /login    sign-in form
  POST /login    consume form, mint session cookie, 303 → /
  POST /logout   drop cookie, 303 → /login
  GET  /static/* embedded Tailwind bundle

The HTML login flow shares store/session logic with /api/auth/login
via a new authenticateAndSession helper — same security guarantees,
two surface representations (HTML form / JSON).

Verified end-to-end: bootstrap → form-login → authed dashboard →
sign-out → 303 cycle works in the browser; Tailwind output emits
only the component classes referenced in the live templates (9.6kB
minified).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Steve Cliff
2026-05-01 19:19:06 +01:00
parent 8b7b1479a1
commit 55242caf58
17 changed files with 823 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/server/http/auth.go
+31 -13
View File
@@ -34,23 +34,35 @@ func (s *Server) handleLogin(w stdhttp.ResponseWriter, r *stdhttp.Request) {
writeJSONError(w, stdhttp.StatusBadRequest, "invalid_json", err.Error())
return
}
u, err := s.deps.Store.GetUserByUsername(r.Context(), req.Username)
u, err := s.authenticateAndSession(w, r, req.Username, req.Password)
if err != nil {
// Same response for unknown user vs bad password — don't leak
// existence to a probing attacker.
writeJSONError(w, stdhttp.StatusUnauthorized, "invalid_credentials", "")
return
}
if err := auth.VerifyPassword(u.PasswordHash, req.Password); err != nil {
writeJSONError(w, stdhttp.StatusUnauthorized, "invalid_credentials", "")
return
writeJSON(w, stdhttp.StatusOK, loginResponse{UserID: u.ID, Role: string(u.Role)})
}
// authenticateAndSession verifies credentials, mints a session cookie,
// records the login + audit, and returns the user. Any failure
// (unknown user, wrong password, db error) is collapsed into a single
// error — the caller decides how to surface it. Shared by JSON and
// HTML login flows.
func (s *Server) authenticateAndSession(w stdhttp.ResponseWriter, r *stdhttp.Request,
username, password string,
) (*store.User, error) {
u, err := s.deps.Store.GetUserByUsername(r.Context(), username)
if err != nil {
// Same response for unknown user vs bad password — don't leak
// existence to a probing attacker.
return nil, errInvalidCredentials
}
if err := auth.VerifyPassword(u.PasswordHash, password); err != nil {
return nil, errInvalidCredentials
}
token, err := auth.NewToken()
if err != nil {
writeJSONError(w, stdhttp.StatusInternalServerError, "internal", "")
return
return nil, err
}
now := time.Now().UTC()
sess := store.Session{
@@ -61,8 +73,7 @@ func (s *Server) handleLogin(w stdhttp.ResponseWriter, r *stdhttp.Request) {
UA: r.UserAgent(),
}
if err := s.deps.Store.CreateSession(r.Context(), sess, auth.HashToken(token)); err != nil {
writeJSONError(w, stdhttp.StatusInternalServerError, "internal", "")
return
return nil, err
}
_ = s.deps.Store.MarkUserLogin(r.Context(), u.ID, now)
@@ -83,10 +94,17 @@ func (s *Server) handleLogin(w stdhttp.ResponseWriter, r *stdhttp.Request) {
Action: "auth.login",
TS: now,
})
writeJSON(w, stdhttp.StatusOK, loginResponse{UserID: u.ID, Role: string(u.Role)})
return u, nil
}
// errInvalidCredentials is the sentinel returned by
// authenticateAndSession for any failure that maps to a 401 in HTTP.
var errInvalidCredentials = errAuth("invalid_credentials")
type errAuth string
func (e errAuth) Error() string { return string(e) }
func (s *Server) handleLogout(w stdhttp.ResponseWriter, r *stdhttp.Request) {
if c, err := r.Cookie(sessionCookieName); err == nil {
_ = s.deps.Store.DeleteSession(r.Context(), auth.HashToken(c.Value))