Protecting routes on hte FE and improving authentication

2024-08-20 21:45:13 +02:00
parent 2f7300db0f
commit a6d54242bb
14 changed files with 98 additions and 12 deletions
--- a/cmd/web/handlers.go
+++ b/cmd/web/handlers.go
@ -289,3 +289,32 @@ func (app *application) LoginPage(w http.ResponseWriter, r *http.Request) {
 		app.errorLog.Println(err)
 	}
 }
+
+func (app *application) PostLoginPage(w http.ResponseWriter, r *http.Request) {
+	app.Session.RenewToken(r.Context())
+
+	err := r.ParseForm()
+	if err != nil {
+		app.errorLog.Println(err)
+		return
+	}
+
+	email := r.Form.Get("email")
+	password := r.Form.Get("password")
+
+	id, err := app.DB.Authenticate(email, password)
+	if err != nil {
+		http.Redirect(w, r, "/login", http.StatusSeeOther)
+		return
+	}
+
+	app.Session.Put(r.Context(), "userID", id)
+	http.Redirect(w, r, "/", http.StatusSeeOther)
+}
+
+func (app *application) Logout(w http.ResponseWriter, r *http.Request) {
+	app.Session.Destroy(r.Context())
+	app.Session.RenewToken(r.Context())
+
+	http.Redirect(w, r, "/login", http.StatusSeeOther)
+}
--- a/cmd/web/main.go
+++ b/cmd/web/main.go
@ -12,6 +12,7 @@ import (
 	"os"
 	"time"

+	"github.com/alexedwards/scs/mysqlstore"
 	"github.com/alexedwards/scs/v2"
 )

@ -91,16 +92,17 @@ func main() {
 	infoLog := log.New(os.Stdout, "INFO\t", log.Ldate|log.Ltime)
 	errorLog := log.New(os.Stdout, "ERROR\t", log.Ldate|log.Ltime|log.Lshortfile)

-	// set up session
-	session = scs.New()
-	session.Lifetime = 24 * time.Hour
-
 	conn, err := driver.OpenDB(cfg.db.dsn)
 	if err != nil {
 		errorLog.Fatal(err)
 	}
 	defer conn.Close()

+	// set up session
+	session = scs.New()
+	session.Lifetime = 24 * time.Hour
+	session.Store = mysqlstore.New(conn)
+
 	tc := make(map[string]*template.Template)

 	app := &application{
--- a/cmd/web/middleware.go
+++ b/cmd/web/middleware.go
@ -7,3 +7,12 @@ import (
 func SessionLoad(next http.Handler) http.Handler {
 	return session.LoadAndSave(next)
 }
+
+func (app *application) Auth(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if !app.Session.Exists(r.Context(), "userID") {
+			http.Redirect(w, r, "/login", http.StatusSeeOther)
+		}
+		next.ServeHTTP(w, r)
+	})
+}
--- a/cmd/web/routes.go
+++ b/cmd/web/routes.go
@ -11,9 +11,14 @@ func (app *application) routes() http.Handler {
 	mux.Use(SessionLoad)

 	mux.Get("/", app.Home)
-	mux.Get("/virtual-terminal", app.VirtualTerminal)
-	mux.Post("/virtual-terminal-payment-succeeded", app.VirtualTerminalPaymentSucceeded)
-	mux.Get("/virtual-terminal-receipt", app.VirtualTerminalReceipt)
+
+	mux.Route("/admin", func(mux chi.Router) {
+		mux.Use(app.Auth)
+		mux.Get("/virtual-terminal", app.VirtualTerminal)
+	})
+
+	// mux.Post("/virtual-terminal-payment-succeeded", app.VirtualTerminalPaymentSucceeded)
+	// mux.Get("/virtual-terminal-receipt", app.VirtualTerminalReceipt)

 	mux.Get("/widget/{id}", app.ChargeOnce)
 	mux.Get("/receipt", app.Receipt)
@ -24,6 +29,8 @@ func (app *application) routes() http.Handler {

 	// auth routes
 	mux.Get("/login", app.LoginPage)
+	mux.Post("/login", app.PostLoginPage)
+	mux.Get("/logout", app.Logout)

 	fileServer := http.FileServer(http.Dir("./static"))
 	mux.Handle("/static/*", http.StripPrefix("/static", fileServer))
--- a/cmd/web/templates/base.layout.gohtml
+++ b/cmd/web/templates/base.layout.gohtml
@ -48,7 +48,7 @@
                            </ul>
                        </li>
                        <li id="vt-link" class="nav-item d-none">
-                            <a class="nav-link" href="/virtual-terminal">Virtual Terminal</a>
+                            <a class="nav-link" href="/admin/virtual-terminal">Virtual Terminal</a>
                        </li>
                        <ul class="navbar-nav me-auto mb-2 mb-lg-0">
                            <li id="login-link" class="nav-item d-none">
--- a/cmd/web/templates/login.page.gohtml
+++ b/cmd/web/templates/login.page.gohtml
@ -6,7 +6,7 @@ Login
 <div class="row">
    <div class="col-md-6 offset-md-3">
        <div class="alert alert-danger text-center d-none" id="login-messages"></div>
-        <form action=""
+        <form action="/login"
              method="post"
              name="login-form"
              id="login-form"
--- a/cmd/web/templates/terminal.page.gohtml
+++ b/cmd/web/templates/terminal.page.gohtml
@ -80,7 +80,7 @@ Virtual Terminal
            <strong>Bank Return Code</strong>: <span id="bank-return-code"></span>
        </p>
        <p>
-            <a href="/virtual-terminal" class="btn btn-primary">
+            <a href="/admin/virtual-terminal" class="btn btn-primary">
                Charge another card
            </a>
        </p>