website/pkg/middleware/authentication.go

package middleware

import (
	"net/http"
	"time"

	"git.kirsle.net/apps/gosocial/pkg/config"
	"git.kirsle.net/apps/gosocial/pkg/controller/photo"
	"git.kirsle.net/apps/gosocial/pkg/log"
	"git.kirsle.net/apps/gosocial/pkg/session"
	"git.kirsle.net/apps/gosocial/pkg/templates"
)

// LoginRequired middleware.
func LoginRequired(handler http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

		// User must be logged in.
		user, err := session.CurrentUser(r)
		if err != nil {
			log.Error("LoginRequired: %s", err)
			errhandler := templates.MakeErrorPage("Login Required", "You must be signed in to view this page.", http.StatusForbidden)
			errhandler.ServeHTTP(w, r)
			return
		}

		// Ping LastLoginAt for long lived sessions.
		if time.Since(user.LastLoginAt) > config.LastLoginAtCooldown {
			user.LastLoginAt = time.Now()
			if err := user.Save(); err != nil {
				log.Error("LoginRequired: couldn't refresh LastLoginAt for user %s: %s", user.Username, err)
			}
		}

		handler.ServeHTTP(w, r)
	})
}

// AdminRequired middleware.
func AdminRequired(handler http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

		// User must be logged in.
		if currentUser, err := session.CurrentUser(r); err != nil {
			log.Error("AdminRequired: %s", err)
			errhandler := templates.MakeErrorPage("Login Required", "You must be signed in to view this page.", http.StatusForbidden)
			errhandler.ServeHTTP(w, r)
			return
		} else if !currentUser.IsAdmin {
			log.Error("AdminRequired: %s", err)
			errhandler := templates.MakeErrorPage("Admin Required", "You do not have permission for this page.", http.StatusForbidden)
			errhandler.ServeHTTP(w, r)
			return
		}

		handler.ServeHTTP(w, r)
	})
}

// CertRequired middleware: like LoginRequired but user must also have their verification pic certified.
func CertRequired(handler http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

		// User must be logged in.
		currentUser, err := session.CurrentUser(r)
		if err != nil {
			log.Error("LoginRequired: %s", err)
			errhandler := templates.MakeErrorPage("Login Required", "You must be signed in to view this page.", http.StatusForbidden)
			errhandler.ServeHTTP(w, r)
			return
		}

		// User must be certified.
		if !currentUser.Certified || currentUser.ProfilePhoto.ID == 0 {
			log.Error("CertRequired: user is not certified")
			photo.CertificationRequiredError().ServeHTTP(w, r)
			return
		}

		handler.ServeHTTP(w, r)
	})
}
Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table) 2022-08-10 05:10:47 +00:00			`package middleware`

			`import (`
			`"net/http"`
User Account Busywork * Add "forgot password" workflow. * Add ability to change user email address (confirmation link sent) * Add ability to change user's password. * Add rate limiter to deter brute force login attempts. * Add user deep delete functionality (delete account). * Ping user LastLoginAt every 8 hours for long-lived session cookies. * Add age filters to user search page. * Add sort options to user search (last login, created, username/name) 2022-08-14 21:40:57 +00:00			`"time"`
Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table) 2022-08-10 05:10:47 +00:00
User Account Busywork * Add "forgot password" workflow. * Add ability to change user email address (confirmation link sent) * Add ability to change user's password. * Add rate limiter to deter brute force login attempts. * Add user deep delete functionality (delete account). * Ping user LastLoginAt every 8 hours for long-lived session cookies. * Add age filters to user search page. * Add sort options to user search (last login, created, username/name) 2022-08-14 21:40:57 +00:00			`"git.kirsle.net/apps/gosocial/pkg/config"`
Certification Photo Workflow * Add "Site Gallery" page showing all public+gallery member photos. * Add "Certification Required" decorator for gallery and other main pages. * Add the Certification Photo workflow: * Users have a checklist on their dashboard to upload a profile pic and post a certification selfie (two requirements) * Admins notified by email when a new certification pic comes in. * Admin can reject (w/ comment) or approve the pic. * Users can re-upload or delete their pic at the cost of losing certification status if they make any such changes. * Users are emailed when their photo is either approved or rejected. * User Preferences: can now save the explicit pref to your account. * Explicit photos on user pages and site gallery are hidden if the current user hasn't opted-in (user can always see their own explicit photos regardless of the setting) * If a user is viewing a member gallery and explicit pics are hidden, a count of the number of explicit pics is shown to inform the user that more DO exist, they just don't see them. The site gallery does not do this and simply hides explicit photos. 2022-08-13 22:39:31 +00:00			`"git.kirsle.net/apps/gosocial/pkg/controller/photo"`
Photo Upload & Profile Pictures Basic photo upload support. Square cropped images still buggy. 2022-08-12 06:03:06 +00:00			`"git.kirsle.net/apps/gosocial/pkg/log"`
Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table) 2022-08-10 05:10:47 +00:00			`"git.kirsle.net/apps/gosocial/pkg/session"`
			`"git.kirsle.net/apps/gosocial/pkg/templates"`
			`)`

			`// LoginRequired middleware.`
			`func LoginRequired(handler http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`

			`// User must be logged in.`
User Account Busywork * Add "forgot password" workflow. * Add ability to change user email address (confirmation link sent) * Add ability to change user's password. * Add rate limiter to deter brute force login attempts. * Add user deep delete functionality (delete account). * Ping user LastLoginAt every 8 hours for long-lived session cookies. * Add age filters to user search page. * Add sort options to user search (last login, created, username/name) 2022-08-14 21:40:57 +00:00			`user, err := session.CurrentUser(r)`
			`if err != nil {`
Photo Upload & Profile Pictures Basic photo upload support. Square cropped images still buggy. 2022-08-12 06:03:06 +00:00			`log.Error("LoginRequired: %s", err)`
Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table) 2022-08-10 05:10:47 +00:00			`errhandler := templates.MakeErrorPage("Login Required", "You must be signed in to view this page.", http.StatusForbidden)`
			`errhandler.ServeHTTP(w, r)`
			`return`
			`}`

User Account Busywork * Add "forgot password" workflow. * Add ability to change user email address (confirmation link sent) * Add ability to change user's password. * Add rate limiter to deter brute force login attempts. * Add user deep delete functionality (delete account). * Ping user LastLoginAt every 8 hours for long-lived session cookies. * Add age filters to user search page. * Add sort options to user search (last login, created, username/name) 2022-08-14 21:40:57 +00:00			`// Ping LastLoginAt for long lived sessions.`
			`if time.Since(user.LastLoginAt) > config.LastLoginAtCooldown {`
			`user.LastLoginAt = time.Now()`
			`if err := user.Save(); err != nil {`
			`log.Error("LoginRequired: couldn't refresh LastLoginAt for user %s: %s", user.Username, err)`
			`}`
			`}`

Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table) 2022-08-10 05:10:47 +00:00			`handler.ServeHTTP(w, r)`
			`})`
			`}`
Certification Photo Workflow * Add "Site Gallery" page showing all public+gallery member photos. * Add "Certification Required" decorator for gallery and other main pages. * Add the Certification Photo workflow: * Users have a checklist on their dashboard to upload a profile pic and post a certification selfie (two requirements) * Admins notified by email when a new certification pic comes in. * Admin can reject (w/ comment) or approve the pic. * Users can re-upload or delete their pic at the cost of losing certification status if they make any such changes. * Users are emailed when their photo is either approved or rejected. * User Preferences: can now save the explicit pref to your account. * Explicit photos on user pages and site gallery are hidden if the current user hasn't opted-in (user can always see their own explicit photos regardless of the setting) * If a user is viewing a member gallery and explicit pics are hidden, a count of the number of explicit pics is shown to inform the user that more DO exist, they just don't see them. The site gallery does not do this and simply hides explicit photos. 2022-08-13 22:39:31 +00:00
			`// AdminRequired middleware.`
			`func AdminRequired(handler http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`

			`// User must be logged in.`
			`if currentUser, err := session.CurrentUser(r); err != nil {`
			`log.Error("AdminRequired: %s", err)`
			`errhandler := templates.MakeErrorPage("Login Required", "You must be signed in to view this page.", http.StatusForbidden)`
			`errhandler.ServeHTTP(w, r)`
			`return`
			`} else if !currentUser.IsAdmin {`
			`log.Error("AdminRequired: %s", err)`
			`errhandler := templates.MakeErrorPage("Admin Required", "You do not have permission for this page.", http.StatusForbidden)`
			`errhandler.ServeHTTP(w, r)`
			`return`
			`}`

			`handler.ServeHTTP(w, r)`
			`})`
			`}`

			`// CertRequired middleware: like LoginRequired but user must also have their verification pic certified.`
			`func CertRequired(handler http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`

			`// User must be logged in.`
			`currentUser, err := session.CurrentUser(r)`
			`if err != nil {`
			`log.Error("LoginRequired: %s", err)`
			`errhandler := templates.MakeErrorPage("Login Required", "You must be signed in to view this page.", http.StatusForbidden)`
			`errhandler.ServeHTTP(w, r)`
			`return`
			`}`

			`// User must be certified.`
			`if !currentUser.Certified \|\| currentUser.ProfilePhoto.ID == 0 {`
			`log.Error("CertRequired: user is not certified")`
			`photo.CertificationRequiredError().ServeHTTP(w, r)`
			`return`
			`}`

			`handler.ServeHTTP(w, r)`
			`})`
			`}`