refactor: use pinned golangci-lint Docker image for linting (#55)

Closes [issue #50](#50) ## Summary Refactors the Dockerfile to use a separate lint stage with a pinned golangci-lint Docker image, following the pattern used by [sneak/pixa](https://git.eeqj.de/sneak/pixa). This replaces the previous approach of installing golangci-lint via curl in the builder stage. ## Changes ### Dockerfile - **New `lint` stage** using `golangci/golangci-lint:v2.11.3` (Debian-based, pinned by sha256 digest) as a separate build stage - **Builder stage** depends on lint via `COPY --from=lint /src/go.sum /dev/null` — build won't proceed unless linting passes - **Go bumped** from 1.24 to 1.26.1 (`golang:1.26.1-bookworm`, pinned by sha256) - **golangci-lint bumped** from v1.64.8 to v2.11.3 - All three Docker images (golangci-lint, golang, alpine) pinned by sha256 digest - Debian-based golangci-lint image used (not Alpine) because mattn/go-sqlite3 CGO does not compile on musl (off64_t) ### Linter Config (.golangci.yml) - Migrated from v1 to v2 format (`version: "2"` added) - Removed linters no longer available in v2: `gofmt` (handled by `make fmt-check`), `gosimple` (merged into `staticcheck`), `typecheck` (always-on in v2) - Same set of linters enabled — no rules weakened ### Code Fixes (all lint issues from v2 upgrade) - Added package comments to all packages - Added doc comments to all exported types, functions, and methods - Fixed unchecked errors flagged by `errcheck` (sqlDB.Close, os.Setenv in tests, resp.Body.Close, fmt.Fprint) - Fixed unused parameters flagged by `revive` (renamed to `_`) - Fixed `gosec` G120 warnings: added `http.MaxBytesReader` before `r.ParseForm()` calls - Fixed `staticcheck` QF1012: replaced `WriteString(fmt.Sprintf(...))` with `fmt.Fprintf` - Fixed `staticcheck` QF1003: converted if/else chain to tagged switch - Renamed `DeliveryTask` → `Task` to avoid package stutter (`delivery.Task` instead of `delivery.DeliveryTask`) - Renamed shadowed builtin `max` parameter to `upperBound` in `cryptoRandInt` - Used `t.Setenv` instead of `os.Setenv` in tests (auto-restores) ### README.md - Updated version requirements: Go 1.26+, golangci-lint v2.11+ - Updated Dockerfile description in project structure ## Verification `docker build .` passes cleanly — formatting check, linting, all tests, and build all succeed. Co-authored-by: clawbot <clawbot@noreply.git.eeqj.de> Reviewed-on: #55 Co-authored-by: clawbot <clawbot@noreply.example.org> Co-committed-by: clawbot <clawbot@noreply.example.org>
2026-03-25 02:16:38 +01:00
parent d771fe14df
commit afe88c601a
59 changed files with 7792 additions and 4282 deletions
--- a/internal/handlers/auth.go
+++ b/internal/handlers/auth.go
@@ -13,11 +13,12 @@ func (h *Handlers) HandleLoginPage() http.HandlerFunc {
 		sess, err := h.session.Get(r)
 		if err == nil && h.session.IsAuthenticated(sess) {
 			http.Redirect(w, r, "/", http.StatusSeeOther)
+
 			return
 		}

 		// Render login page
-		data := map[string]interface{}{
+		data := map[string]any{
 			"Error": "",
 		}

@@ -28,10 +29,15 @@ func (h *Handlers) HandleLoginPage() http.HandlerFunc {
 // HandleLoginSubmit handles the login form submission (POST)
 func (h *Handlers) HandleLoginSubmit() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
+		// Limit request body to prevent memory exhaustion
+		r.Body = http.MaxBytesReader(w, r.Body, 1<<maxBodyShift)
+
 		// Parse form data
-		if err := r.ParseForm(); err != nil {
+		err := r.ParseForm()
+		if err != nil {
 			h.log.Error("failed to parse form", "error", err)
 			http.Error(w, "Bad request", http.StatusBadRequest)
+
 			return
 		}

@@ -40,85 +46,159 @@ func (h *Handlers) HandleLoginSubmit() http.HandlerFunc {

 		// Validate input
 		if username == "" || password == "" {
-			data := map[string]interface{}{
-				"Error": "Username and password are required",
-			}
-			w.WriteHeader(http.StatusBadRequest)
-			h.renderTemplate(w, r, "login.html", data)
+			h.renderLoginError(
+				w, r,
+				"Username and password are required",
+				http.StatusBadRequest,
+			)
+
 			return
 		}

-		// Find user in database
-		var user database.User
-		if err := h.db.DB().Where("username = ?", username).First(&user).Error; err != nil {
-			h.log.Debug("user not found", "username", username)
-			data := map[string]interface{}{
-				"Error": "Invalid username or password",
-			}
-			w.WriteHeader(http.StatusUnauthorized)
-			h.renderTemplate(w, r, "login.html", data)
-			return
-		}
-
-		// Verify password
-		valid, err := database.VerifyPassword(password, user.Password)
+		user, err := h.authenticateUser(
+			w, r, username, password,
+		)
 		if err != nil {
-			h.log.Error("failed to verify password", "error", err)
-			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}

-		if !valid {
-			h.log.Debug("invalid password", "username", username)
-			data := map[string]interface{}{
-				"Error": "Invalid username or password",
-			}
-			w.WriteHeader(http.StatusUnauthorized)
-			h.renderTemplate(w, r, "login.html", data)
-			return
-		}
-
-		// Get the current session (may be pre-existing / attacker-set)
-		oldSess, err := h.session.Get(r)
+		err = h.createAuthenticatedSession(w, r, user)
 		if err != nil {
-			h.log.Error("failed to get session", "error", err)
-			http.Error(w, "Internal server error", http.StatusInternalServerError)
 			return
 		}

-		// Regenerate the session to prevent session fixation attacks.
-		// This destroys the old session ID and creates a new one.
-		sess, err := h.session.Regenerate(r, w, oldSess)
-		if err != nil {
-			h.log.Error("failed to regenerate session", "error", err)
-			http.Error(w, "Internal server error", http.StatusInternalServerError)
-			return
-		}
-
-		// Set user in session
-		h.session.SetUser(sess, user.ID, user.Username)
-
-		// Save session
-		if err := h.session.Save(r, w, sess); err != nil {
-			h.log.Error("failed to save session", "error", err)
-			http.Error(w, "Internal server error", http.StatusInternalServerError)
-			return
-		}
-
-		h.log.Info("user logged in", "username", username, "user_id", user.ID)
+		h.log.Info(
+			"user logged in",
+			"username", username,
+			"user_id", user.ID,
+		)

 		// Redirect to home page
 		http.Redirect(w, r, "/", http.StatusSeeOther)
 	}
 }

+// renderLoginError renders the login page with an error message.
+func (h *Handlers) renderLoginError(
+	w http.ResponseWriter,
+	r *http.Request,
+	msg string,
+	status int,
+) {
+	data := map[string]any{
+		"Error": msg,
+	}
+
+	w.WriteHeader(status)
+	h.renderTemplate(w, r, "login.html", data)
+}
+
+// authenticateUser looks up and verifies a user's credentials.
+// On failure it writes an HTTP response and returns an error.
+func (h *Handlers) authenticateUser(
+	w http.ResponseWriter,
+	r *http.Request,
+	username, password string,
+) (database.User, error) {
+	var user database.User
+
+	err := h.db.DB().Where(
+		"username = ?", username,
+	).First(&user).Error
+	if err != nil {
+		h.log.Debug("user not found", "username", username)
+		h.renderLoginError(
+			w, r,
+			"Invalid username or password",
+			http.StatusUnauthorized,
+		)
+
+		return user, err
+	}
+
+	valid, err := database.VerifyPassword(password, user.Password)
+	if err != nil {
+		h.log.Error("failed to verify password", "error", err)
+		http.Error(
+			w, "Internal server error",
+			http.StatusInternalServerError,
+		)
+
+		return user, err
+	}
+
+	if !valid {
+		h.log.Debug("invalid password", "username", username)
+		h.renderLoginError(
+			w, r,
+			"Invalid username or password",
+			http.StatusUnauthorized,
+		)
+
+		return user, errInvalidPassword
+	}
+
+	return user, nil
+}
+
+// createAuthenticatedSession regenerates the session and stores
+// user info. On failure it writes an HTTP response and returns
+// an error.
+func (h *Handlers) createAuthenticatedSession(
+	w http.ResponseWriter,
+	r *http.Request,
+	user database.User,
+) error {
+	oldSess, err := h.session.Get(r)
+	if err != nil {
+		h.log.Error("failed to get session", "error", err)
+		http.Error(
+			w, "Internal server error",
+			http.StatusInternalServerError,
+		)
+
+		return err
+	}
+
+	sess, err := h.session.Regenerate(r, w, oldSess)
+	if err != nil {
+		h.log.Error(
+			"failed to regenerate session", "error", err,
+		)
+		http.Error(
+			w, "Internal server error",
+			http.StatusInternalServerError,
+		)
+
+		return err
+	}
+
+	h.session.SetUser(sess, user.ID, user.Username)
+
+	err = h.session.Save(r, w, sess)
+	if err != nil {
+		h.log.Error("failed to save session", "error", err)
+		http.Error(
+			w, "Internal server error",
+			http.StatusInternalServerError,
+		)
+
+		return err
+	}
+
+	return nil
+}
+
 // HandleLogout handles user logout
 func (h *Handlers) HandleLogout() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		sess, err := h.session.Get(r)
 		if err != nil {
 			h.log.Error("failed to get session", "error", err)
-			http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
+			http.Redirect(
+				w, r, "/pages/login", http.StatusSeeOther,
+			)
+
 			return
 		}

@@ -126,8 +206,12 @@ func (h *Handlers) HandleLogout() http.HandlerFunc {
 		h.session.Destroy(sess)

 		// Save the destroyed session
-		if err := h.session.Save(r, w, sess); err != nil {
-			h.log.Error("failed to save destroyed session", "error", err)
+		err = h.session.Save(r, w, sess)
+		if err != nil {
+			h.log.Error(
+				"failed to save destroyed session",
+				"error", err,
+			)
 		}

 		// Redirect to login page