refactor: use pinned golangci-lint Docker image for linting

Refactor Dockerfile to use a separate lint stage with a pinned golangci-lint v2.11.3 Docker image instead of installing golangci-lint via curl in the builder stage. This follows the pattern used by sneak/pixa. Changes: - Dockerfile: separate lint stage using golangci/golangci-lint:v2.11.3 (Debian-based, pinned by sha256) with COPY --from=lint dependency - Bump Go from 1.24 to 1.26.1 (golang:1.26.1-bookworm, pinned) - Bump golangci-lint from v1.64.8 to v2.11.3 - Migrate .golangci.yml from v1 to v2 format (same linters, format only) - All Docker images pinned by sha256 digest - Fix all lint issues from the v2 linter upgrade: - Add package comments to all packages - Add doc comments to all exported types, functions, and methods - Fix unchecked errors (errcheck) - Fix unused parameters (revive) - Fix gosec warnings (MaxBytesReader for form parsing) - Fix staticcheck suggestions (fmt.Fprintf instead of WriteString) - Rename DeliveryTask to Task to avoid stutter (delivery.Task) - Rename shadowed builtin 'max' parameter - Update README.md version requirements
2026-03-17 05:46:03 -07:00
parent d771fe14df
commit 32a9170428
59 changed files with 7792 additions and 4282 deletions
--- a/internal/handlers/auth.go
+++ b/internal/handlers/auth.go
@@ -13,11 +13,12 @@ func (h *Handlers) HandleLoginPage() http.HandlerFunc {
 		sess, err := h.session.Get(r)
 		if err == nil && h.session.IsAuthenticated(sess) {
 			http.Redirect(w, r, "/", http.StatusSeeOther)
+
 			return
 		}

 		// Render login page
-		data := map[string]interface{}{
+		data := map[string]any{
 			"Error": "",
 		}

@@ -28,10 +29,15 @@ func (h *Handlers) HandleLoginPage() http.HandlerFunc {
 // HandleLoginSubmit handles the login form submission (POST)
 func (h *Handlers) HandleLoginSubmit() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
+		// Limit request body to prevent memory exhaustion
+		r.Body = http.MaxBytesReader(w, r.Body, 1<<maxBodyShift)
+
 		// Parse form data
-		if err := r.ParseForm(); err != nil {
+		err := r.ParseForm()
+		if err != nil {
 			h.log.Error("failed to parse form", "error", err)
 			http.Error(w, "Bad request", http.StatusBadRequest)
+
 			return
 		}

@@ -40,85 +46,159 @@ func (h *Handlers) HandleLoginSubmit() http.HandlerFunc {

 		// Validate input
 		if username == "" || password == "" {
-			data := map[string]interface{}{
-				"Error": "Username and password are required",
-			}
-			w.WriteHeader(http.StatusBadRequest)
-			h.renderTemplate(w, r, "login.html", data)
+			h.renderLoginError(
+				w, r,
+				"Username and password are required",
+				http.StatusBadRequest,
+			)
+
 			return
 		}

-		// Find user in database
-		var user database.User
-		if err := h.db.DB().Where("username = ?", username).First(&user).Error; err != nil {
-			h.log.Debug("user not found", "username", username)
-			data := map[string]interface{}{
-				"Error": "Invalid username or password",
-			}
-			w.WriteHeader(http.StatusUnauthorized)
-			h.renderTemplate(w, r, "login.html", data)
-			return
-		}
-
-		// Verify password
-		valid, err := database.VerifyPassword(password, user.Password)
+		user, err := h.authenticateUser(
+			w, r, username, password,
+		)
 		if err != nil {
-			h.log.Error("failed to verify password", "error", err)
-			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}

-		if !valid {
-			h.log.Debug("invalid password", "username", username)
-			data := map[string]interface{}{
-				"Error": "Invalid username or password",
-			}
-			w.WriteHeader(http.StatusUnauthorized)
-			h.renderTemplate(w, r, "login.html", data)
-			return
-		}
-
-		// Get the current session (may be pre-existing / attacker-set)
-		oldSess, err := h.session.Get(r)
+		err = h.createAuthenticatedSession(w, r, user)
 		if err != nil {
-			h.log.Error("failed to get session", "error", err)
-			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}

-		// Regenerate the session to prevent session fixation attacks.
-		// This destroys the old session ID and creates a new one.
-		sess, err := h.session.Regenerate(r, w, oldSess)
-		if err != nil {
-			h.log.Error("failed to regenerate session", "error", err)
-			http.Error(w, "Internal server error", http.StatusInternalServerError)
-			return
-		}
-
-		// Set user in session
-		h.session.SetUser(sess, user.ID, user.Username)
-
-		// Save session
-		if err := h.session.Save(r, w, sess); err != nil {
-			h.log.Error("failed to save session", "error", err)
-			http.Error(w, "Internal server error", http.StatusInternalServerError)
-			return
-		}
-
-		h.log.Info("user logged in", "username", username, "user_id", user.ID)
+		h.log.Info(
+			"user logged in",
+			"username", username,
+			"user_id", user.ID,
+		)

 		// Redirect to home page
 		http.Redirect(w, r, "/", http.StatusSeeOther)
 	}
 }

+// renderLoginError renders the login page with an error message.
+func (h *Handlers) renderLoginError(
+	w http.ResponseWriter,
+	r *http.Request,
+	msg string,
+	status int,
+) {
+	data := map[string]any{
+		"Error": msg,
+	}
+
+	w.WriteHeader(status)
+	h.renderTemplate(w, r, "login.html", data)
+}
+
+// authenticateUser looks up and verifies a user's credentials.
+// On failure it writes an HTTP response and returns an error.
+func (h *Handlers) authenticateUser(
+	w http.ResponseWriter,
+	r *http.Request,
+	username, password string,
+) (database.User, error) {
+	var user database.User
+
+	err := h.db.DB().Where(
+		"username = ?", username,
+	).First(&user).Error
+	if err != nil {
+		h.log.Debug("user not found", "username", username)
+		h.renderLoginError(
+			w, r,
+			"Invalid username or password",
+			http.StatusUnauthorized,
+		)
+
+		return user, err
+	}
+
+	valid, err := database.VerifyPassword(password, user.Password)
+	if err != nil {
+		h.log.Error("failed to verify password", "error", err)
+		http.Error(
+			w, "Internal server error",
+			http.StatusInternalServerError,
+		)
+
+		return user, err
+	}
+
+	if !valid {
+		h.log.Debug("invalid password", "username", username)
+		h.renderLoginError(
+			w, r,
+			"Invalid username or password",
+			http.StatusUnauthorized,
+		)
+
+		return user, errInvalidPassword
+	}
+
+	return user, nil
+}
+
+// createAuthenticatedSession regenerates the session and stores
+// user info. On failure it writes an HTTP response and returns
+// an error.
+func (h *Handlers) createAuthenticatedSession(
+	w http.ResponseWriter,
+	r *http.Request,
+	user database.User,
+) error {
+	oldSess, err := h.session.Get(r)
+	if err != nil {
+		h.log.Error("failed to get session", "error", err)
+		http.Error(
+			w, "Internal server error",
+			http.StatusInternalServerError,
+		)
+
+		return err
+	}
+
+	sess, err := h.session.Regenerate(r, w, oldSess)
+	if err != nil {
+		h.log.Error(
+			"failed to regenerate session", "error", err,
+		)
+		http.Error(
+			w, "Internal server error",
+			http.StatusInternalServerError,
+		)
+
+		return err
+	}
+
+	h.session.SetUser(sess, user.ID, user.Username)
+
+	err = h.session.Save(r, w, sess)
+	if err != nil {
+		h.log.Error("failed to save session", "error", err)
+		http.Error(
+			w, "Internal server error",
+			http.StatusInternalServerError,
+		)
+
+		return err
+	}
+
+	return nil
+}
+
 // HandleLogout handles user logout
 func (h *Handlers) HandleLogout() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		sess, err := h.session.Get(r)
 		if err != nil {
 			h.log.Error("failed to get session", "error", err)
-			http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
+			http.Redirect(
+				w, r, "/pages/login", http.StatusSeeOther,
+			)
+
 			return
 		}

@@ -126,8 +206,12 @@ func (h *Handlers) HandleLogout() http.HandlerFunc {
 		h.session.Destroy(sess)

 		// Save the destroyed session
-		if err := h.session.Save(r, w, sess); err != nil {
-			h.log.Error("failed to save destroyed session", "error", err)
+		err = h.session.Save(r, w, sess)
+		if err != nil {
+			h.log.Error(
+				"failed to save destroyed session",
+				"error", err,
+			)
 		}

 		// Redirect to login page