http: POST /setup — set password, drop session, audit setup_completed

Replaces the 501 stub with the full handler: validates the token and password, hashes and stores the password, deletes the setup token, mints an 8-hour session cookie, appends a user.setup_completed audit entry, and redirects to /. Adds TestSetupPostHappyPath covering the full round-trip including normal-login verification after setup.
2026-05-05 09:31:02 +01:00
parent 0407aa420b
commit 81f2852eb1
2 changed files with 160 additions and 2 deletions
@@ -17,7 +17,11 @@ import (
 	stdhttp "net/http"
 	"time"

+	"github.com/oklog/ulid/v2"
+
+	"gitea.dcglab.co.uk/steve/restic-manager/internal/auth"
 	"gitea.dcglab.co.uk/steve/restic-manager/internal/server/ui"
+	"gitea.dcglab.co.uk/steve/restic-manager/internal/store"
 )

 type setupPage struct {
@@ -71,7 +75,99 @@ func (s *Server) renderSetupExpired(w stdhttp.ResponseWriter, r *stdhttp.Request
 	_ = ui.User{} // keep ui import alive
 }

-// handleUISetupPost is a stub — full implementation lands in Task D2.
 func (s *Server) handleUISetupPost(w stdhttp.ResponseWriter, r *stdhttp.Request) {
-	stdhttp.Error(w, "not implemented", stdhttp.StatusNotImplemented)
+	if err := r.ParseForm(); err != nil {
+		stdhttp.Error(w, "bad request", stdhttp.StatusBadRequest)
+		return
+	}
+	raw := r.PostForm.Get("token")
+	pw := r.PostForm.Get("password")
+	pw2 := r.PostForm.Get("password_confirm")
+
+	if raw == "" {
+		s.renderSetupExpired(w, r)
+		return
+	}
+	if pw == "" || pw2 == "" || pw != pw2 || len(pw) < 12 {
+		s.renderSetupForm(w, r, raw, "Passwords must match and be at least 12 characters.")
+		return
+	}
+
+	tok, err := s.deps.Store.LookupSetupToken(r.Context(), hashSetupToken(raw))
+	if err != nil || tok.ExpiresAt.Before(time.Now().UTC()) {
+		s.renderSetupExpired(w, r)
+		return
+	}
+	u, err := s.deps.Store.GetUserByID(r.Context(), tok.UserID)
+	if err != nil {
+		s.renderSetupExpired(w, r)
+		return
+	}
+
+	hash, err := auth.HashPassword(pw)
+	if err != nil {
+		slog.Error("setup: hash password", "err", err)
+		stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
+		return
+	}
+	if err := s.deps.Store.SetPasswordHash(r.Context(), u.ID, hash); err != nil {
+		slog.Error("setup: set password", "err", err)
+		stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
+		return
+	}
+	if err := s.deps.Store.DeleteSetupToken(r.Context(), u.ID); err != nil {
+		slog.Warn("setup: delete token", "err", err)
+		// Non-fatal — password is set, audit will reflect it.
+	}
+
+	// Drop a session cookie so the user lands authenticated on /.
+	rawSession, err := auth.NewToken()
+	if err != nil {
+		slog.Error("setup: session token", "err", err)
+		stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
+		return
+	}
+	hashed := auth.HashToken(rawSession)
+	now := time.Now().UTC()
+	if err := s.deps.Store.CreateSession(r.Context(), store.Session{
+		ID: hashed, UserID: u.ID, CreatedAt: now,
+		ExpiresAt: now.Add(8 * time.Hour),
+	}, hashed); err != nil {
+		slog.Error("setup: create session", "err", err)
+		stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
+		return
+	}
+	stdhttp.SetCookie(w, &stdhttp.Cookie{
+		Name: sessionCookieName, Value: rawSession,
+		Path: "/", HttpOnly: true,
+		SameSite: stdhttp.SameSiteLaxMode,
+		Secure:   s.deps.Cfg.CookieSecure,
+		Expires:  now.Add(8 * time.Hour),
+	})
+	_ = s.deps.Store.AppendAudit(r.Context(), store.AuditEntry{
+		ID:         ulid.Make().String(),
+		UserID:     &u.ID,
+		Actor:      "user",
+		Action:     "user.setup_completed",
+		TargetKind: ptr("user"),
+		TargetID:   &u.ID,
+		TS:         now,
+	})
+	stdhttp.Redirect(w, r, "/", stdhttp.StatusSeeOther)
+}
+
+// renderSetupForm re-renders the setup page with an inline error
+// (e.g. password mismatch). 200 OK with the form intact so the user
+// can correct without losing the token.
+func (s *Server) renderSetupForm(w stdhttp.ResponseWriter, r *stdhttp.Request, token, errMsg string) {
+	view := s.baseView(r, nil)
+	view.Title = "Set your password · restic-manager"
+	username := ""
+	if tok, err := s.deps.Store.LookupSetupToken(r.Context(), hashSetupToken(token)); err == nil {
+		if u, err := s.deps.Store.GetUserByID(r.Context(), tok.UserID); err == nil {
+			username = u.Username
+		}
+	}
+	view.Page = setupPage{Username: username, Token: token, Error: errMsg}
+	_ = s.deps.UI.Render(w, "setup", view)
 }