upaas/internal/handlers/setup.go
clawbot f558e2cdd8
feat: add observability improvements (metrics, audit log, structured logging)
- Add Prometheus metrics package (internal/metrics) with deployment,
  container health, webhook, HTTP request, and audit counters/histograms
- Add audit_log SQLite table via migration 007
- Add AuditEntry model with CRUD operations and query methods
- Add audit service (internal/service/audit) for recording user actions
- Instrument deploy service with deployment duration, count, and
  in-flight metrics; container health gauge updates on deploy completion
- Instrument webhook service with event counters by app/type/matched
- Instrument HTTP middleware with request count, duration, and response
  size metrics; also log response bytes in structured request logs
- Add audit logging to all key handler operations: login/logout, app
  CRUD, deploy, cancel, rollback, restart/stop/start, webhook receipt,
  and initial setup
- Add GET /api/audit endpoint for querying recent audit entries
- Make /metrics endpoint always available (optionally auth-protected)
- Add comprehensive tests for metrics, audit model, and audit service
- Update existing test infrastructure with metrics and audit dependencies
- Update README with Observability section documenting all metrics,
  audit log, and structured logging
2026-03-17 02:23:44 -07:00


package handlers
import (
"net/http"
"sneak.berlin/go/upaas/internal/models"
"sneak.berlin/go/upaas/templates"
)
// minPasswordLength is the smallest password length that validateSetupForm
// accepts for the initial account.
//
// The user-facing message in validateSetupForm spells this number out as a
// literal, so the two must be changed together.
const minPasswordLength = 8
// HandleSetupGET returns the handler that renders the empty setup form
// ("setup.html") with only the global template values filled in.
//
// NOTE(review): nothing in this handler checks whether setup has already
// been completed; presumably routing or middleware restricts it to a
// fresh install - confirm.
func (h *Handlers) HandleSetupGET() http.HandlerFunc {
	parsed := templates.GetParsed()

	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		page := h.addGlobals(map[string]any{}, r)
		h.renderTemplate(w, parsed, "setup.html", page)
	})
}
// setupFormData carries the three values submitted by the setup form.
type setupFormData struct {
	// username is the requested account name; on validation failure it is
	// the only field echoed back to the page.
	// password and passwordConfirm hold the two password entries, which
	// validateSetupForm requires to be equal.
	username, password, passwordConfirm string
}
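// validateSetupForm checks the submitted setup form and returns a
// user-facing error message, or the empty string when the form is valid.
//
// Checks, in order: username and password are non-empty, the password has
// at least minPasswordLength characters, and both password entries match.
//
// NOTE(review): the username is only checked for emptiness and no maximum
// password length is enforced here; confirm that h.auth.CreateUser applies
// whatever further limits the password hashing and storage need.
func validateSetupForm(formData setupFormData) string {
	if formData.username == "" || formData.password == "" {
		return "Username and password are required"
	}

	// Count runes rather than bytes: len(string) is a byte count, so a
	// password made of multi-byte characters could pass the minimum with
	// fewer characters than the message promises.
	if len([]rune(formData.password)) < minPasswordLength {
		// The "8" below is a literal; keep it in sync with minPasswordLength.
		return "Password must be at least 8 characters"
	}

	if formData.password != formData.passwordConfirm {
		return "Passwords do not match"
	}

	return ""
}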
// renderSetupError re-renders "setup.html" with the submitted username and
// an error message. The password fields are never passed to the template,
// so the user has to type them again.
//
// NOTE(review): Username comes straight from the request; this relies on
// the template layer escaping it on output - confirm the templates
// auto-escape.
func (h *Handlers) renderSetupError(
	tmpl *templates.TemplateExecutor,
	writer http.ResponseWriter,
	request *http.Request,
	username string,
	errorMsg string,
) {
	fields := make(map[string]any)
	fields["Username"] = username
	fields["Error"] = errorMsg

	h.renderTemplate(writer, tmpl, "setup.html", h.addGlobals(fields, request))
}
// HandleSetupPOST returns the handler for the setup form submission.
//
// It parses the form, validates it with validateSetupForm, creates the user
// and a session through h.auth, records an audit entry, and redirects to
// "/". Each failure re-renders the setup page with a generic message; the
// underlying error goes to h.log only.
//
// NOTE(review): this handler creates an account without any visible check
// that setup has not already been completed; presumably routing,
// middleware or h.auth.CreateUser enforces that - confirm.
//
// NOTE(review): the audit entry is written only on success. Failed setup
// attempts appear in h.log but not in the audit log.
func (h *Handlers) HandleSetupPOST() http.HandlerFunc {
	tmpl := templates.GetParsed()

	return func(w http.ResponseWriter, r *http.Request) {
		if err := r.ParseForm(); err != nil {
			http.Error(w, "Bad Request", http.StatusBadRequest)

			return
		}

		form := setupFormData{
			username:        r.FormValue("username"),
			password:        r.FormValue("password"),
			passwordConfirm: r.FormValue("password_confirm"),
		}

		if msg := validateSetupForm(form); msg != "" {
			h.renderSetupError(tmpl, w, r, form.username, msg)

			return
		}

		// The password is handed to h.auth only; it is not passed to the
		// logger or back to the template.
		user, userErr := h.auth.CreateUser(r.Context(), form.username, form.password)
		if userErr != nil {
			h.log.Error("failed to create user", "error", userErr)
			h.renderSetupError(tmpl, w, r, form.username, "Failed to create user")

			return
		}

		// By this point the user exists; a session failure leaves the
		// account created but the browser not logged in.
		if sessErr := h.auth.CreateSession(w, r, user); sessErr != nil {
			h.log.Error("failed to create session", "error", sessErr)
			h.renderSetupError(tmpl, w, r, form.username, "Failed to create session")

			return
		}

		h.auditLog(
			r,
			models.AuditActionSetup,
			models.AuditResourceUser,
			"",
			"initial setup completed",
		)

		http.Redirect(w, r, "/", http.StatusSeeOther)
	}
}