upaas/internal/handlers/auth.go

package handlers

import (
	"net/http"

	"sneak.berlin/go/upaas/internal/models"
	"sneak.berlin/go/upaas/templates"
)

// HandleLoginGET returns the login page handler.
func (h *Handlers) HandleLoginGET() http.HandlerFunc {
	tmpl := templates.GetParsed()

	return func(writer http.ResponseWriter, request *http.Request) {
		data := h.addGlobals(map[string]any{}, request)

		h.renderTemplate(writer, tmpl, "login.html", data)
	}
}

// HandleLoginPOST handles the login form submission.
func (h *Handlers) HandleLoginPOST() http.HandlerFunc {
	tmpl := templates.GetParsed()

	return func(writer http.ResponseWriter, request *http.Request) {
		parseErr := request.ParseForm()
		if parseErr != nil {
			http.Error(writer, "Bad Request", http.StatusBadRequest)

			return
		}

		username := request.FormValue("username")
		password := request.FormValue("password")

		data := h.addGlobals(map[string]any{
			"Username": username,
		}, request)

		if username == "" || password == "" {
			data["Error"] = "Username and password are required"
			h.renderTemplate(writer, tmpl, "login.html", data)

			return
		}

		user, authErr := h.auth.Authenticate(request.Context(), username, password)
		if authErr != nil {
			data["Error"] = "Invalid username or password"
			h.renderTemplate(writer, tmpl, "login.html", data)

			return
		}

		sessionErr := h.auth.CreateSession(writer, request, user)
		if sessionErr != nil {
			h.log.Error("failed to create session", "error", sessionErr)

			data["Error"] = "Failed to create session"
			h.renderTemplate(writer, tmpl, "login.html", data)

			return
		}

		h.auditLog(request, models.AuditActionLogin,
			models.AuditResourceSession, "", "user logged in")

		http.Redirect(writer, request, "/", http.StatusSeeOther)
	}
}

// HandleLogout handles logout requests.
func (h *Handlers) HandleLogout() http.HandlerFunc {
	return func(writer http.ResponseWriter, request *http.Request) {
		h.auditLog(request, models.AuditActionLogout,
			models.AuditResourceSession, "", "user logged out")

		destroyErr := h.auth.DestroySession(writer, request)
		if destroyErr != nil {
			h.log.Error("failed to destroy session", "error", destroyErr)
		}

		http.Redirect(writer, request, "/login", http.StatusSeeOther)
	}
}