steve/restic-manager
1
0
Fork 0
Code Issues Pull Requests Actions Projects Releases 1 Wiki Activity
Files
88f1959a6aaeb33f57b8d397e1ef191afb658ede
restic-manager/internal/server/http/setup_handler.go
T
steve 57a13f0759 http: POST /setup — set password, drop session, audit setup_completed 
Replaces the 501 stub with the full handler: validates the token and
password, hashes and stores the password, deletes the setup token,
mints an 8-hour session cookie, appends a user.setup_completed audit
entry, and redirects to /. Adds TestSetupPostHappyPath covering the
full round-trip including normal-login verification after setup.
2026-05-05 10:57:24 +01:00

174 lines
5.3 KiB
Go
Raw Blame History

// setup_handler.go — public landing page for the user-setup link
// emitted by the admin's "+ Add user" / "Regenerate setup link" flow.
//
// Routes (wired in server.go):
//
// GET /setup → handleUISetupGet
// POST /setup → handleUISetupPost (lands in Task D2)
//
// The token in the querystring (`?token=<raw>`) is the credential.
// Auth middleware does not run on these routes.
package http
import (
"crypto/sha256"
"encoding/hex"
"log/slog"
stdhttp "net/http"
"time"
"github.com/oklog/ulid/v2"
"gitea.dcglab.co.uk/steve/restic-manager/internal/auth"
"gitea.dcglab.co.uk/steve/restic-manager/internal/server/ui"
"gitea.dcglab.co.uk/steve/restic-manager/internal/store"
)
type setupPage struct {
Username string
Token string // round-tripped to the POST form
Error string // displayed when password validation fails or token is invalid
}
// hashSetupToken is the canonical hashing for setup tokens. Must
// match what the admin handler uses when SetSetupToken is called,
// so the digest at rest matches what GET /setup hashes.
func hashSetupToken(raw string) string {
h := sha256.Sum256([]byte(raw))
return hex.EncodeToString(h[:])
}
func (s *Server) handleUISetupGet(w stdhttp.ResponseWriter, r *stdhttp.Request) {
raw := r.URL.Query().Get("token")
if raw == "" {
s.renderSetupExpired(w, r)
return
}
tok, err := s.deps.Store.LookupSetupToken(r.Context(), hashSetupToken(raw))
if err != nil {
s.renderSetupExpired(w, r)
return
}
if tok.ExpiresAt.Before(time.Now().UTC()) {
s.renderSetupExpired(w, r)
return
}
u, err := s.deps.Store.GetUserByID(r.Context(), tok.UserID)
if err != nil {
s.renderSetupExpired(w, r)
return
}
view := s.baseView(r, nil)
view.Title = "Set your password · restic-manager"
view.Page = setupPage{Username: u.Username, Token: raw}
if err := s.deps.UI.Render(w, "setup", view); err != nil {
slog.Error("ui setup: render", "err", err)
}
}
func (s *Server) renderSetupExpired(w stdhttp.ResponseWriter, r *stdhttp.Request) {
w.WriteHeader(stdhttp.StatusGone)
view := s.baseView(r, nil)
view.Title = "Link expired · restic-manager"
view.Page = setupPage{Error: "expired"}
_ = s.deps.UI.Render(w, "setup", view)
_ = ui.User{} // keep ui import alive
}
func (s *Server) handleUISetupPost(w stdhttp.ResponseWriter, r *stdhttp.Request) {
if err := r.ParseForm(); err != nil {
stdhttp.Error(w, "bad request", stdhttp.StatusBadRequest)
return
}
raw := r.PostForm.Get("token")
pw := r.PostForm.Get("password")
pw2 := r.PostForm.Get("password_confirm")
if raw == "" {
s.renderSetupExpired(w, r)
return
}
if pw == "" || pw2 == "" || pw != pw2 || len(pw) < 12 {
s.renderSetupForm(w, r, raw, "Passwords must match and be at least 12 characters.")
return
}
tok, err := s.deps.Store.LookupSetupToken(r.Context(), hashSetupToken(raw))
if err != nil || tok.ExpiresAt.Before(time.Now().UTC()) {
s.renderSetupExpired(w, r)
return
}
u, err := s.deps.Store.GetUserByID(r.Context(), tok.UserID)
if err != nil {
s.renderSetupExpired(w, r)
return
}
hash, err := auth.HashPassword(pw)
if err != nil {
slog.Error("setup: hash password", "err", err)
stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
return
}
if err := s.deps.Store.SetPasswordHash(r.Context(), u.ID, hash); err != nil {
slog.Error("setup: set password", "err", err)
stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
return
}
if err := s.deps.Store.DeleteSetupToken(r.Context(), u.ID); err != nil {
slog.Warn("setup: delete token", "err", err)
// Non-fatal — password is set, audit will reflect it.
}
// Drop a session cookie so the user lands authenticated on /.
rawSession, err := auth.NewToken()
if err != nil {
slog.Error("setup: session token", "err", err)
stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
return
}
hashed := auth.HashToken(rawSession)
now := time.Now().UTC()
if err := s.deps.Store.CreateSession(r.Context(), store.Session{
ID: hashed, UserID: u.ID, CreatedAt: now,
ExpiresAt: now.Add(8 * time.Hour),
}, hashed); err != nil {
slog.Error("setup: create session", "err", err)
stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
return
}
stdhttp.SetCookie(w, &stdhttp.Cookie{
Name: sessionCookieName, Value: rawSession,
Path: "/", HttpOnly: true,
SameSite: stdhttp.SameSiteLaxMode,
Secure: s.deps.Cfg.CookieSecure,
Expires: now.Add(8 * time.Hour),
})
_ = s.deps.Store.AppendAudit(r.Context(), store.AuditEntry{
ID: ulid.Make().String(),
UserID: &u.ID,
Actor: "user",
Action: "user.setup_completed",
TargetKind: ptr("user"),
TargetID: &u.ID,
TS: now,
})
stdhttp.Redirect(w, r, "/", stdhttp.StatusSeeOther)
}
// renderSetupForm re-renders the setup page with an inline error
// (e.g. password mismatch). 200 OK with the form intact so the user
// can correct without losing the token.
func (s *Server) renderSetupForm(w stdhttp.ResponseWriter, r *stdhttp.Request, token, errMsg string) {
view := s.baseView(r, nil)
view.Title = "Set your password · restic-manager"
username := ""
if tok, err := s.deps.Store.LookupSetupToken(r.Context(), hashSetupToken(token)); err == nil {
if u, err := s.deps.Store.GetUserByID(r.Context(), tok.UserID); err == nil {
username = u.Username
}
}
view.Page = setupPage{Username: username, Token: token, Error: errMsg}
_ = s.deps.UI.Render(w, "setup", view)
}
Reference in New Issue View Git Blame Copy Permalink