From 8d4c4426b040cde1b501d2fb28b59ea57905fa04 Mon Sep 17 00:00:00 2001 From: Steve Cliff Date: Tue, 5 May 2026 09:27:53 +0100 Subject: [PATCH] http: GET /setup landing page with expiry handling --- internal/server/http/server.go | 2 + internal/server/http/setup_handler.go | 77 +++++++++++++++++++++++ internal/server/http/setup_test.go | 90 +++++++++++++++++++++++++++ internal/server/ui/ui.go | 2 +- web/templates/pages/setup.html | 44 +++++++++++++ 5 files changed, 214 insertions(+), 1 deletion(-) create mode 100644 internal/server/http/setup_handler.go create mode 100644 internal/server/http/setup_test.go create mode 100644 web/templates/pages/setup.html diff --git a/internal/server/http/server.go b/internal/server/http/server.go index 72ff021..a54b70a 100644 --- a/internal/server/http/server.go +++ b/internal/server/http/server.go @@ -137,6 +137,8 @@ func (s *Server) routes(r chi.Router) { r.Get("/login", s.handleUILoginGet) r.Post("/login", s.handleUILoginPost) r.Post("/logout", s.handleUILogoutPost) + r.Get("/setup", s.handleUISetupGet) + r.Post("/setup", s.handleUISetupPost) } // Viewer band — anyone authenticated can read. diff --git a/internal/server/http/setup_handler.go b/internal/server/http/setup_handler.go new file mode 100644 index 0000000..d2ab3b2 --- /dev/null +++ b/internal/server/http/setup_handler.go @@ -0,0 +1,77 @@ +// setup_handler.go — public landing page for the user-setup link +// emitted by the admin's "+ Add user" / "Regenerate setup link" flow. +// +// Routes (wired in server.go): +// +// GET /setup → handleUISetupGet +// POST /setup → handleUISetupPost (lands in Task D2) +// +// The token in the querystring (`?token=`) is the credential. +// Auth middleware does not run on these routes. +package http + +import ( + "crypto/sha256" + "encoding/hex" + "log/slog" + stdhttp "net/http" + "time" + + "gitea.dcglab.co.uk/steve/restic-manager/internal/server/ui" +) + +type setupPage struct { + Username string + Token string // round-tripped to the POST form + Error string // displayed when password validation fails or token is invalid +} + +// hashSetupToken is the canonical hashing for setup tokens. Must +// match what the admin handler uses when SetSetupToken is called, +// so the digest at rest matches what GET /setup hashes. +func hashSetupToken(raw string) string { + h := sha256.Sum256([]byte(raw)) + return hex.EncodeToString(h[:]) +} + +func (s *Server) handleUISetupGet(w stdhttp.ResponseWriter, r *stdhttp.Request) { + raw := r.URL.Query().Get("token") + if raw == "" { + s.renderSetupExpired(w, r) + return + } + tok, err := s.deps.Store.LookupSetupToken(r.Context(), hashSetupToken(raw)) + if err != nil { + s.renderSetupExpired(w, r) + return + } + if tok.ExpiresAt.Before(time.Now().UTC()) { + s.renderSetupExpired(w, r) + return + } + u, err := s.deps.Store.GetUserByID(r.Context(), tok.UserID) + if err != nil { + s.renderSetupExpired(w, r) + return + } + view := s.baseView(r, nil) + view.Title = "Set your password · restic-manager" + view.Page = setupPage{Username: u.Username, Token: raw} + if err := s.deps.UI.Render(w, "setup", view); err != nil { + slog.Error("ui setup: render", "err", err) + } +} + +func (s *Server) renderSetupExpired(w stdhttp.ResponseWriter, r *stdhttp.Request) { + w.WriteHeader(stdhttp.StatusGone) + view := s.baseView(r, nil) + view.Title = "Link expired · restic-manager" + view.Page = setupPage{Error: "expired"} + _ = s.deps.UI.Render(w, "setup", view) + _ = ui.User{} // keep ui import alive +} + +// handleUISetupPost is a stub — full implementation lands in Task D2. +func (s *Server) handleUISetupPost(w stdhttp.ResponseWriter, r *stdhttp.Request) { + stdhttp.Error(w, "not implemented", stdhttp.StatusNotImplemented) +} diff --git a/internal/server/http/setup_test.go b/internal/server/http/setup_test.go new file mode 100644 index 0000000..739e782 --- /dev/null +++ b/internal/server/http/setup_test.go @@ -0,0 +1,90 @@ +package http + +import ( + "context" + "crypto/sha256" + "encoding/hex" + "io" + stdhttp "net/http" + "strings" + "testing" + "time" + + "github.com/oklog/ulid/v2" + + "gitea.dcglab.co.uk/steve/restic-manager/internal/store" +) + +func sha256Hex(s string) string { + h := sha256.Sum256([]byte(s)) + return hex.EncodeToString(h[:]) +} + +func TestSetupGetValidToken(t *testing.T) { + t.Parallel() + // /setup renders HTML, so we need a real UI renderer. + srv, ts, _ := rawTestServerWithUI(t) + urlBase := ts.URL + now := time.Now().UTC() + + uid := ulid.Make().String() + if err := srv.deps.Store.CreateUser(t.Context(), store.User{ + ID: uid, Username: "newbie", PasswordHash: "", + Role: store.RoleOperator, CreatedAt: now, + MustChangePassword: true, + }); err != nil { + t.Fatalf("create: %v", err) + } + + raw := "raw-token-1234567890" + hash := sha256Hex(raw) + if err := srv.deps.Store.SetSetupToken(context.Background(), store.SetupToken{ + UserID: uid, TokenHash: hash, + ExpiresAt: now.Add(time.Hour), CreatedAt: now, + }); err != nil { + t.Fatalf("set token: %v", err) + } + + res, err := stdhttp.Get(urlBase + "/setup?token=" + raw) + if err != nil { + t.Fatalf("GET: %v", err) + } + defer res.Body.Close() + if res.StatusCode != stdhttp.StatusOK { + t.Errorf("status: got %d want 200", res.StatusCode) + } + body, _ := io.ReadAll(res.Body) + if !strings.Contains(string(body), "newbie") { + t.Errorf("expected username in body: %s", body) + } +} + +func TestSetupGetExpiredToken(t *testing.T) { + t.Parallel() + // /setup renders HTML, so we need a real UI renderer. + srv, ts, _ := rawTestServerWithUI(t) + urlBase := ts.URL + now := time.Now().UTC() + + uid := ulid.Make().String() + _ = srv.deps.Store.CreateUser(t.Context(), store.User{ + ID: uid, Username: "stale", + PasswordHash: "", Role: store.RoleViewer, CreatedAt: now, + MustChangePassword: true, + }) + + raw := "expired-token" + _ = srv.deps.Store.SetSetupToken(context.Background(), store.SetupToken{ + UserID: uid, TokenHash: sha256Hex(raw), + ExpiresAt: now.Add(-time.Minute), CreatedAt: now.Add(-2 * time.Hour), + }) + + res, err := stdhttp.Get(urlBase + "/setup?token=" + raw) + if err != nil { + t.Fatalf("GET: %v", err) + } + defer res.Body.Close() + if res.StatusCode != stdhttp.StatusGone { + t.Errorf("status: got %d want 410", res.StatusCode) + } +} diff --git a/internal/server/ui/ui.go b/internal/server/ui/ui.go index d970b74..68f0e2e 100644 --- a/internal/server/ui/ui.go +++ b/internal/server/ui/ui.go @@ -152,7 +152,7 @@ func (r *Renderer) RenderPartial(w io.Writer, name string, data ViewData) error // chrome-less; everything else uses the standard navigation chrome. func layoutFor(page string) string { switch page { - case "login", "bootstrap": + case "login", "bootstrap", "setup": return "chromeless" default: return "base" diff --git a/web/templates/pages/setup.html b/web/templates/pages/setup.html new file mode 100644 index 0000000..ec8cdb2 --- /dev/null +++ b/web/templates/pages/setup.html @@ -0,0 +1,44 @@ +{{define "title"}}{{.Title}}{{end}} + +{{define "content"}} +{{$page := .Page}} +
+ {{if eq $page.Error "expired"}} +

Link expired

+

+ This setup link has expired or is invalid. Setup links are valid + for one hour from the moment your administrator generates them. +

+

+ Contact your administrator and ask them to regenerate the link. +

+ {{else}} +

+ Welcome, {{$page.Username}} +

+

+ Pick a password to finish setting up your account. The link expires + one hour after your administrator generated it, so don't dawdle. +

+
+ +
+ + +
+
+ + +
+ +
+ {{if and $page.Error (ne $page.Error "expired")}} +

{{$page.Error}}

+ {{end}} + {{end}} +
+{{end}}