website/pkg/controller/account/login.go

package account

import (
	"net/http"
	"strings"

	"code.nonshy.com/nonshy/website/pkg/config"
	"code.nonshy.com/nonshy/website/pkg/log"
	"code.nonshy.com/nonshy/website/pkg/middleware"
	"code.nonshy.com/nonshy/website/pkg/models"
	"code.nonshy.com/nonshy/website/pkg/ratelimit"
	"code.nonshy.com/nonshy/website/pkg/session"
	"code.nonshy.com/nonshy/website/pkg/templates"
	"golang.org/x/crypto/bcrypt"
)

// Login controller.
func Login() http.HandlerFunc {
	tmpl := templates.Must("account/login.html")
	tmpl2fa := templates.Must("account/two_factor_login.html")
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		var next = r.FormValue("next")

		// Posting?
		if r.Method == http.MethodPost {
			var (
				// Collect form fields.
				username = strings.ToLower(r.PostFormValue("username"))
				password = r.PostFormValue("password")
			)

			// Rate limit login attempts by email or username they are trying (whether it exists or not).
			limiter := &ratelimit.Limiter{
				Namespace:  "login",
				ID:         username,
				Limit:      config.LoginRateLimit,
				Window:     config.LoginRateLimitWindow,
				CooldownAt: config.LoginRateLimitCooldownAt,
				Cooldown:   config.LoginRateLimitCooldown,
			}
			if err := limiter.Ping(); err != nil {
				session.FlashError(w, r, err.Error())
				templates.Redirect(w, r.URL.Path)
				return
			}

			// Look up their account.
			user, err := models.FindUser(username)
			if err != nil {
				// The user wasn't found, but still hash the incoming password to take time:
				// so a mischievous user can't infer whether the username was valid based
				// on the server response time.
				bcrypt.GenerateFromPassword([]byte(password), config.BcryptCost)

				session.FlashError(w, r, "Incorrect username or password.")
				templates.Redirect(w, r.URL.Path)
				return
			}

			// Verify password.
			if err := user.CheckPassword(password); err != nil {
				session.FlashError(w, r, "Incorrect username or password.")
				templates.Redirect(w, r.URL.Path)
				return
			}

			// Is their account banned or disabled?
			if user.Status != models.UserStatusActive {
				session.FlashError(w, r, "Your account has been %s. If you believe this was done in error, please contact support.", user.Status)
				templates.Redirect(w, r.URL.Path)
				return
			}

			// Maintenance mode check.
			if middleware.LoginMaintenance(user, w, r) {
				return
			}

			// Clear their login rate limiter.
			limiter.Clear()

			// Does the user have Two-Factor Auth enabled?
			var (
				tf          = models.Get2FA(user.ID)
				twoFactorOK bool // has successfully entered the code
			)
			if tf.Enabled {
				// Are they submitting the 2FA code?
				var (
					intent = r.PostFormValue("intent")
					code   = strings.ReplaceAll(r.PostFormValue("code"), " ", "")
				)

				// Validate the submitted code.
				if intent == "two-factor" {
					// Verify the TOTP code.
					if err := tf.Validate(code); err != nil {
						session.FlashError(w, r, "Invalid authentication code; please try again.")
					} else {
						// We're in!
						twoFactorOK = true
					}
				}

				// Show the 2FA login form.
				if !twoFactorOK {
					var vars = map[string]interface{}{
						"Next":     next,
						"Username": username,
						"Password": password,
					}
					if err := tmpl2fa.Execute(w, r, vars); err != nil {
						http.Error(w, err.Error(), http.StatusInternalServerError)
					}
					return
				}
			}

			// OK. Log in the user's session.
			session.LoginUser(w, r, user)

			// Clear their rate limiter.
			if err := limiter.Clear(); err != nil {
				log.Error("Failed to clear login rate limiter: %s", err)
			}

			// Redirect to their dashboard.
			session.Flash(w, r, "Login successful.")
			if strings.HasPrefix(next, "/") {
				templates.Redirect(w, next)
			} else {
				templates.Redirect(w, "/me")
			}
			return
		}

		var vars = map[string]interface{}{
			"Next": next,
		}
		if err := tmpl.Execute(w, r, vars); err != nil {
			http.Error(w, err.Error(), http.StatusInternalServerError)
			return
		}
	})
}

// Logout controller.
func Logout() http.HandlerFunc {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		session.Flash(w, r, "You have been successfully logged out.")
		session.LogoutUser(w, r)
		templates.Redirect(w, "/")
	})
}
Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table) 2022-08-10 05:10:47 +00:00			`package account`

			`import (`
			`"net/http"`
			`"strings"`

Rename the module 2022-08-26 04:21:46 +00:00			`"code.nonshy.com/nonshy/website/pkg/config"`
			`"code.nonshy.com/nonshy/website/pkg/log"`
Maintenance Mode + Blockable Admin Scope 2023-08-17 05:09:04 +00:00			`"code.nonshy.com/nonshy/website/pkg/middleware"`
Rename the module 2022-08-26 04:21:46 +00:00			`"code.nonshy.com/nonshy/website/pkg/models"`
			`"code.nonshy.com/nonshy/website/pkg/ratelimit"`
			`"code.nonshy.com/nonshy/website/pkg/session"`
			`"code.nonshy.com/nonshy/website/pkg/templates"`
Various quick fixes * Signup: if entering an existing email, don't admit that the email exists. Instead, send a specialized email to its address. * Search: no longer search for users by email address. * Login: always hash the incoming password on user not found, to take constant time compared to when the user did exist. * Fix a pagination bug when a private (shy account) views a non-friend's photo gallery. 2023-08-16 00:33:33 +00:00			`"golang.org/x/crypto/bcrypt"`
Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table) 2022-08-10 05:10:47 +00:00			`)`

			`// Login controller.`
			`func Login() http.HandlerFunc {`
			`tmpl := templates.Must("account/login.html")`
Two Factor Authentication 2023-09-19 00:22:50 +00:00			`tmpl2fa := templates.Must("account/two_factor_login.html")`
Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table) 2022-08-10 05:10:47 +00:00			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
Photo Quotas & Postgres Fixes * Add photo upload quotas. * Non-certified users can upload few photos; certified users more * Fix foreign key issues around deleting user profile photos for psql 2022-08-21 22:40:24 +00:00			`var next = r.FormValue("next")`
Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table) 2022-08-10 05:10:47 +00:00
			`// Posting?`
			`if r.Method == http.MethodPost {`
			`var (`
			`// Collect form fields.`
			`username = strings.ToLower(r.PostFormValue("username"))`
			`password = r.PostFormValue("password")`
			`)`

Tweak the login rate limiter 2023-08-21 03:58:51 +00:00			`// Rate limit login attempts by email or username they are trying (whether it exists or not).`
			`limiter := &ratelimit.Limiter{`
			`Namespace: "login",`
			`ID: username,`
			`Limit: config.LoginRateLimit,`
			`Window: config.LoginRateLimitWindow,`
			`CooldownAt: config.LoginRateLimitCooldownAt,`
			`Cooldown: config.LoginRateLimitCooldown,`
			`}`
			`if err := limiter.Ping(); err != nil {`
			`session.FlashError(w, r, err.Error())`
			`templates.Redirect(w, r.URL.Path)`
			`return`
			`}`

Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table) 2022-08-10 05:10:47 +00:00			`// Look up their account.`
			`user, err := models.FindUser(username)`
			`if err != nil {`
Various quick fixes * Signup: if entering an existing email, don't admit that the email exists. Instead, send a specialized email to its address. * Search: no longer search for users by email address. * Login: always hash the incoming password on user not found, to take constant time compared to when the user did exist. * Fix a pagination bug when a private (shy account) views a non-friend's photo gallery. 2023-08-16 00:33:33 +00:00			`// The user wasn't found, but still hash the incoming password to take time:`
			`// so a mischievous user can't infer whether the username was valid based`
			`// on the server response time.`
			`bcrypt.GenerateFromPassword([]byte(password), config.BcryptCost)`

Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table) 2022-08-10 05:10:47 +00:00			`session.FlashError(w, r, "Incorrect username or password.")`
			`templates.Redirect(w, r.URL.Path)`
			`return`
			`}`

			`// Verify password.`
			`if err := user.CheckPassword(password); err != nil {`
			`session.FlashError(w, r, "Incorrect username or password.")`
			`templates.Redirect(w, r.URL.Path)`
			`return`
			`}`

Admin Actions * Add impersonate feature * Add ban/unban user feature * Add promote/demote admin status feature * Add admin user deletion feature * Admin ability to see other status certification pics * Nav bar indicator of pending admin actions such as cert pics needing approval * Admin ability to search cert pics for specific user 2022-08-14 23:27:57 +00:00			`// Is their account banned or disabled?`
			`if user.Status != models.UserStatusActive {`
			`session.FlashError(w, r, "Your account has been %s. If you believe this was done in error, please contact support.", user.Status)`
			`templates.Redirect(w, r.URL.Path)`
			`return`
			`}`

Maintenance Mode + Blockable Admin Scope 2023-08-17 05:09:04 +00:00			`// Maintenance mode check.`
			`if middleware.LoginMaintenance(user, w, r) {`
			`return`
			`}`

Two Factor Authentication 2023-09-19 00:22:50 +00:00			`// Clear their login rate limiter.`
			`limiter.Clear()`

			`// Does the user have Two-Factor Auth enabled?`
			`var (`
			`tf = models.Get2FA(user.ID)`
			`twoFactorOK bool // has successfully entered the code`
			`)`
			`if tf.Enabled {`
			`// Are they submitting the 2FA code?`
			`var (`
			`intent = r.PostFormValue("intent")`
Minor fixes 2023-09-19 00:31:02 +00:00			`code = strings.ReplaceAll(r.PostFormValue("code"), " ", "")`
Two Factor Authentication 2023-09-19 00:22:50 +00:00			`)`

			`// Validate the submitted code.`
			`if intent == "two-factor" {`
			`// Verify the TOTP code.`
			`if err := tf.Validate(code); err != nil {`
			`session.FlashError(w, r, "Invalid authentication code; please try again.")`
			`} else {`
			`// We're in!`
			`twoFactorOK = true`
			`}`
			`}`

			`// Show the 2FA login form.`
			`if !twoFactorOK {`
			`var vars = map[string]interface{}{`
			`"Next": next,`
			`"Username": username,`
			`"Password": password,`
			`}`
			`if err := tmpl2fa.Execute(w, r, vars); err != nil {`
			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`}`
			`return`
			`}`
			`}`

Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table) 2022-08-10 05:10:47 +00:00			`// OK. Log in the user's session.`
			`session.LoginUser(w, r, user)`

User Account Busywork * Add "forgot password" workflow. * Add ability to change user email address (confirmation link sent) * Add ability to change user's password. * Add rate limiter to deter brute force login attempts. * Add user deep delete functionality (delete account). * Ping user LastLoginAt every 8 hours for long-lived session cookies. * Add age filters to user search page. * Add sort options to user search (last login, created, username/name) 2022-08-14 21:40:57 +00:00			`// Clear their rate limiter.`
			`if err := limiter.Clear(); err != nil {`
			`log.Error("Failed to clear login rate limiter: %s", err)`
			`}`

Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table) 2022-08-10 05:10:47 +00:00			`// Redirect to their dashboard.`
			`session.Flash(w, r, "Login successful.")`
Photo Quotas & Postgres Fixes * Add photo upload quotas. * Non-certified users can upload few photos; certified users more * Fix foreign key issues around deleting user profile photos for psql 2022-08-21 22:40:24 +00:00			`if strings.HasPrefix(next, "/") {`
			`templates.Redirect(w, next)`
			`} else {`
			`templates.Redirect(w, "/me")`
			`}`
Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table) 2022-08-10 05:10:47 +00:00			`return`
			`}`

Photo Quotas & Postgres Fixes * Add photo upload quotas. * Non-certified users can upload few photos; certified users more * Fix foreign key issues around deleting user profile photos for psql 2022-08-21 22:40:24 +00:00			`var vars = map[string]interface{}{`
			`"Next": next,`
			`}`
			`if err := tmpl.Execute(w, r, vars); err != nil {`
Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table) 2022-08-10 05:10:47 +00:00			`http.Error(w, err.Error(), http.StatusInternalServerError)`
			`return`
			`}`
			`})`
			`}`

			`// Logout controller.`
			`func Logout() http.HandlerFunc {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`session.Flash(w, r, "You have been successfully logged out.")`
			`session.LogoutUser(w, r)`
			`templates.Redirect(w, "/")`
			`})`
			`}`