nonshy
/
website
1
0
Fork 1
Code Issues 20 Pull Requests Packages Projects Releases Wiki Activity
website/pkg/controller/account/login.go

103 lines
2.7 KiB
Go
Raw Normal View History

Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table)
2022-08-10 05:10:47 +00:00
package account
import (
"net/http"
"strings"
Rename the module
2022-08-26 04:21:46 +00:00
"code.nonshy.com/nonshy/website/pkg/config"
"code.nonshy.com/nonshy/website/pkg/log"
"code.nonshy.com/nonshy/website/pkg/models"
"code.nonshy.com/nonshy/website/pkg/ratelimit"
"code.nonshy.com/nonshy/website/pkg/session"
"code.nonshy.com/nonshy/website/pkg/templates"
Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table)
2022-08-10 05:10:47 +00:00
)
// Login controller.
func Login() http.HandlerFunc {
tmpl := templates.Must("account/login.html")
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
Photo Quotas & Postgres Fixes * Add photo upload quotas. * Non-certified users can upload few photos; certified users more * Fix foreign key issues around deleting user profile photos for psql
2022-08-21 22:40:24 +00:00
var next = r.FormValue("next")
Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table)
2022-08-10 05:10:47 +00:00
// Posting?
if r.Method == http.MethodPost {
var (
// Collect form fields.
username = strings.ToLower(r.PostFormValue("username"))
password = r.PostFormValue("password")
)
// Look up their account.
user, err := models.FindUser(username)
if err != nil {
session.FlashError(w, r, "Incorrect username or password.")
templates.Redirect(w, r.URL.Path)
return
}
User Account Busywork * Add "forgot password" workflow. * Add ability to change user email address (confirmation link sent) * Add ability to change user's password. * Add rate limiter to deter brute force login attempts. * Add user deep delete functionality (delete account). * Ping user LastLoginAt every 8 hours for long-lived session cookies. * Add age filters to user search page. * Add sort options to user search (last login, created, username/name)
2022-08-14 21:40:57 +00:00
// Rate limit failed login attempts.
limiter := &ratelimit.Limiter{
Namespace: "login",
ID: user.ID,
Limit: config.LoginRateLimit,
Window: config.LoginRateLimitWindow,
CooldownAt: config.LoginRateLimitCooldownAt,
Cooldown: config.LoginRateLimitCooldown,
}
Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table)
2022-08-10 05:10:47 +00:00
// Verify password.
if err := user.CheckPassword(password); err != nil {
User Account Busywork * Add "forgot password" workflow. * Add ability to change user email address (confirmation link sent) * Add ability to change user's password. * Add rate limiter to deter brute force login attempts. * Add user deep delete functionality (delete account). * Ping user LastLoginAt every 8 hours for long-lived session cookies. * Add age filters to user search page. * Add sort options to user search (last login, created, username/name)
2022-08-14 21:40:57 +00:00
if err := limiter.Ping(); err != nil {
session.FlashError(w, r, err.Error())
templates.Redirect(w, r.URL.Path)
return
}
Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table)
2022-08-10 05:10:47 +00:00
session.FlashError(w, r, "Incorrect username or password.")
templates.Redirect(w, r.URL.Path)
return
}
Admin Actions * Add impersonate feature * Add ban/unban user feature * Add promote/demote admin status feature * Add admin user deletion feature * Admin ability to see other status certification pics * Nav bar indicator of pending admin actions such as cert pics needing approval * Admin ability to search cert pics for specific user
2022-08-14 23:27:57 +00:00
// Is their account banned or disabled?
if user.Status != models.UserStatusActive {
session.FlashError(w, r, "Your account has been %s. If you believe this was done in error, please contact support.", user.Status)
templates.Redirect(w, r.URL.Path)
return
}
Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table)
2022-08-10 05:10:47 +00:00
// OK. Log in the user's session.
session.LoginUser(w, r, user)
User Account Busywork * Add "forgot password" workflow. * Add ability to change user email address (confirmation link sent) * Add ability to change user's password. * Add rate limiter to deter brute force login attempts. * Add user deep delete functionality (delete account). * Ping user LastLoginAt every 8 hours for long-lived session cookies. * Add age filters to user search page. * Add sort options to user search (last login, created, username/name)
2022-08-14 21:40:57 +00:00
// Clear their rate limiter.
if err := limiter.Clear(); err != nil {
log.Error("Failed to clear login rate limiter: %s", err)
}
Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table)
2022-08-10 05:10:47 +00:00
// Redirect to their dashboard.
session.Flash(w, r, "Login successful.")
Photo Quotas & Postgres Fixes * Add photo upload quotas. * Non-certified users can upload few photos; certified users more * Fix foreign key issues around deleting user profile photos for psql
2022-08-21 22:40:24 +00:00
if strings.HasPrefix(next, "/") {
templates.Redirect(w, next)
} else {
templates.Redirect(w, "/me")
}
Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table)
2022-08-10 05:10:47 +00:00
return
}
Photo Quotas & Postgres Fixes * Add photo upload quotas. * Non-certified users can upload few photos; certified users more * Fix foreign key issues around deleting user profile photos for psql
2022-08-21 22:40:24 +00:00
var vars = map[string]interface{}{
"Next": next,
}
if err := tmpl.Execute(w, r, vars); err != nil {
Initial commit * Initial codebase (lot of work!) * Uses vanilla Go net/http and implements by hand: session cookies backed by Redis; log in/out; CSRF protection; email verification flow; initial database models (User table)
2022-08-10 05:10:47 +00:00
http.Error(w, err.Error(), http.StatusInternalServerError)
return
}
})
}
// Logout controller.
func Logout() http.HandlerFunc {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
session.Flash(w, r, "You have been successfully logged out.")
session.LogoutUser(w, r)
templates.Redirect(w, "/")
})
}