0489d9916f
Some checks failed
check / check (push) Has been cancelled
- Add SecurityHeaders middleware applied globally: HSTS, X-Content-Type-Options, X-Frame-Options, CSP, Referrer-Policy, and Permissions-Policy headers on every response. - Add session regeneration (Regenerate method) after successful login to prevent session fixation attacks. Old session is destroyed and a new ID is issued. - Add MaxBodySize middleware using http.MaxBytesReader to limit POST/PUT/PATCH request bodies to 1 MB on all form endpoints (/pages, /sources, /source/*). Closes #34, closes #38, closes #39
137 lines
3.7 KiB
Go
137 lines
3.7 KiB
Go
package handlers
|
|
|
|
import (
|
|
"net/http"
|
|
|
|
"sneak.berlin/go/webhooker/internal/database"
|
|
)
|
|
|
|
// HandleLoginPage returns a handler for the login page (GET)
|
|
func (h *Handlers) HandleLoginPage() http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
// Check if already logged in
|
|
sess, err := h.session.Get(r)
|
|
if err == nil && h.session.IsAuthenticated(sess) {
|
|
http.Redirect(w, r, "/", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
// Render login page
|
|
data := map[string]interface{}{
|
|
"Error": "",
|
|
}
|
|
|
|
h.renderTemplate(w, r, "login.html", data)
|
|
}
|
|
}
|
|
|
|
// HandleLoginSubmit handles the login form submission (POST)
|
|
func (h *Handlers) HandleLoginSubmit() http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
// Parse form data
|
|
if err := r.ParseForm(); err != nil {
|
|
h.log.Error("failed to parse form", "error", err)
|
|
http.Error(w, "Bad request", http.StatusBadRequest)
|
|
return
|
|
}
|
|
|
|
username := r.FormValue("username")
|
|
password := r.FormValue("password")
|
|
|
|
// Validate input
|
|
if username == "" || password == "" {
|
|
data := map[string]interface{}{
|
|
"Error": "Username and password are required",
|
|
}
|
|
w.WriteHeader(http.StatusBadRequest)
|
|
h.renderTemplate(w, r, "login.html", data)
|
|
return
|
|
}
|
|
|
|
// Find user in database
|
|
var user database.User
|
|
if err := h.db.DB().Where("username = ?", username).First(&user).Error; err != nil {
|
|
h.log.Debug("user not found", "username", username)
|
|
data := map[string]interface{}{
|
|
"Error": "Invalid username or password",
|
|
}
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
h.renderTemplate(w, r, "login.html", data)
|
|
return
|
|
}
|
|
|
|
// Verify password
|
|
valid, err := database.VerifyPassword(password, user.Password)
|
|
if err != nil {
|
|
h.log.Error("failed to verify password", "error", err)
|
|
http.Error(w, "Internal server error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
if !valid {
|
|
h.log.Debug("invalid password", "username", username)
|
|
data := map[string]interface{}{
|
|
"Error": "Invalid username or password",
|
|
}
|
|
w.WriteHeader(http.StatusUnauthorized)
|
|
h.renderTemplate(w, r, "login.html", data)
|
|
return
|
|
}
|
|
|
|
// Get the current session (may be pre-existing / attacker-set)
|
|
oldSess, err := h.session.Get(r)
|
|
if err != nil {
|
|
h.log.Error("failed to get session", "error", err)
|
|
http.Error(w, "Internal server error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// Regenerate the session to prevent session fixation attacks.
|
|
// This destroys the old session ID and creates a new one.
|
|
sess, err := h.session.Regenerate(r, w, oldSess)
|
|
if err != nil {
|
|
h.log.Error("failed to regenerate session", "error", err)
|
|
http.Error(w, "Internal server error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
// Set user in session
|
|
h.session.SetUser(sess, user.ID, user.Username)
|
|
|
|
// Save session
|
|
if err := h.session.Save(r, w, sess); err != nil {
|
|
h.log.Error("failed to save session", "error", err)
|
|
http.Error(w, "Internal server error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
h.log.Info("user logged in", "username", username, "user_id", user.ID)
|
|
|
|
// Redirect to home page
|
|
http.Redirect(w, r, "/", http.StatusSeeOther)
|
|
}
|
|
}
|
|
|
|
// HandleLogout handles user logout
|
|
func (h *Handlers) HandleLogout() http.HandlerFunc {
|
|
return func(w http.ResponseWriter, r *http.Request) {
|
|
sess, err := h.session.Get(r)
|
|
if err != nil {
|
|
h.log.Error("failed to get session", "error", err)
|
|
http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
// Destroy session
|
|
h.session.Destroy(sess)
|
|
|
|
// Save the destroyed session
|
|
if err := h.session.Save(r, w, sess); err != nil {
|
|
h.log.Error("failed to save destroyed session", "error", err)
|
|
}
|
|
|
|
// Redirect to login page
|
|
http.Redirect(w, r, "/pages/login", http.StatusSeeOther)
|
|
}
|
|
}
|