6 files changed, 53 insertions, 42 deletions

diff --git a/pkg/basic_auth/middleware.go b/pkg/basic_auth/middleware.go
index 7f8fb4a..0e22ad3 100644
--- a/pkg/basic_auth/middleware.go
+++ b/pkg/basic_auth/middleware.go
@@ -2,10 +2,12 @@ package basic_auth
 
 import (
 	"context"
+	"fmt"
 	"net/http"
 	"time"
 
 	"git.adyxax.org/adyxax/tfstated/pkg/database"
+	"git.adyxax.org/adyxax/tfstated/pkg/helpers"
 	"git.adyxax.org/adyxax/tfstated/pkg/model"
 )
 
@@ -15,26 +17,22 @@ func Middleware(db *database.DB) func(http.Handler) http.Handler {
 			username, password, ok := r.BasicAuth()
 			if !ok {
 				w.Header().Set("WWW-Authenticate", `Basic realm="tfstated", charset="UTF-8"`)
-				http.Error(w, "Unauthorized", http.StatusUnauthorized)
+				helpers.ErrorResponse(w, http.StatusUnauthorized, fmt.Errorf("Unauthorized"))
 				return
 			}
 			account, err := db.LoadAccountByUsername(username)
 			if err != nil {
-				http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+				helpers.ErrorResponse(w, http.StatusInternalServerError, err)
 				return
 			}
-			if account == nil {
-				http.Error(w, "Forbidden", http.StatusForbidden)
-				return
-			}
-			if !account.CheckPassword(password) {
-				http.Error(w, "Forbidden", http.StatusForbidden)
+			if account == nil || !account.CheckPassword(password) {
+				helpers.ErrorResponse(w, http.StatusForbidden, fmt.Errorf("Forbidden"))
 				return
 			}
 			now := time.Now().UTC()
 			_, err = db.Exec(`UPDATE accounts SET last_login = ? WHERE id = ?`, now.Unix(), account.Id)
 			if err != nil {
-				http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+				helpers.ErrorResponse(w, http.StatusInternalServerError, err)
 				return
 			}
 			ctx := context.WithValue(r.Context(), model.AccountContextKey{}, account)
diff --git a/pkg/database/accounts.go b/pkg/database/accounts.go
index 6400d5a..f506155 100644
--- a/pkg/database/accounts.go
+++ b/pkg/database/accounts.go
@@ -7,6 +7,7 @@ import (
 	"log/slog"
 	"time"
 
+	"git.adyxax.org/adyxax/tfstated/pkg/helpers"
 	"git.adyxax.org/adyxax/tfstated/pkg/model"
 	"go.n16f.net/uuid"
 )
@@ -69,8 +70,8 @@ func (db *DB) InitAdminAccount() error {
 		if err = password.Generate(uuid.V4); err != nil {
 			return fmt.Errorf("failed to generate initial admin password: %w", err)
 		}
-		salt := model.GenerateSalt()
-		hash := model.HashPassword(password.String(), salt)
+		salt := helpers.GenerateSalt()
+		hash := helpers.HashPassword(password.String(), salt)
 		if _, err = tx.ExecContext(db.ctx,
 			`INSERT INTO accounts(username, salt, password_hash, is_admin)
 		       VALUES ("admin", :salt, :hash, TRUE)
diff --git a/pkg/helpers/crypto.go b/pkg/helpers/crypto.go
new file mode 100644
index 0000000..ce73cd3
--- /dev/null
+++ b/pkg/helpers/crypto.go
@@ -0,0 +1,21 @@
+package helpers
+
+import (
+	"crypto/sha256"
+
+	"git.adyxax.org/adyxax/tfstated/pkg/scrypto"
+	"golang.org/x/crypto/pbkdf2"
+)
+
+const (
+	PBKDF2Iterations = 600000
+	SaltSize         = 32
+)
+
+func GenerateSalt() []byte {
+	return scrypto.RandomBytes(SaltSize)
+}
+
+func HashPassword(password string, salt []byte) []byte {
+	return pbkdf2.Key([]byte(password), salt, PBKDF2Iterations, 32, sha256.New)
+}
diff --git a/pkg/helpers/error.go b/pkg/helpers/error.go
new file mode 100644
index 0000000..006759d
--- /dev/null
+++ b/pkg/helpers/error.go
@@ -0,0 +1,17 @@
+package helpers
+
+import (
+	"fmt"
+	"net/http"
+)
+
+func ErrorResponse(w http.ResponseWriter, status int, err error) {
+	type errorResponse struct {
+		Msg    string `json:"msg"`
+		Status int    `json:"status"`
+	}
+	_ = Encode(w, status, &errorResponse{
+		Msg:    fmt.Sprintf("%+v", err),
+		Status: status,
+	})
+}
diff --git a/cmd/tfstated/helpers.go b/pkg/helpers/json.go
index 33e14a4..664a984 100644
--- a/cmd/tfstated/helpers.go
+++ b/pkg/helpers/json.go
@@ -1,4 +1,4 @@
-package main
+package helpers
 
 import (
 	"encoding/json"
@@ -7,14 +7,14 @@ import (
 	"net/http"
 )
 
-func decode(r *http.Request, data any) error {
+func Decode(r *http.Request, data any) error {
 	if err := json.NewDecoder(r.Body).Decode(&data); err != nil {
 		return fmt.Errorf("failed to decode json: %w", err)
 	}
 	return nil
 }
 
-func encode(w http.ResponseWriter, status int, data any) error {
+func Encode(w http.ResponseWriter, status int, data any) error {
 	w.Header().Set("Content-Type", "application/json")
 	w.WriteHeader(status)
 	if err := json.NewEncoder(w).Encode(data); err != nil {
@@ -23,14 +23,3 @@ func encode(w http.ResponseWriter, status int, data any) error {
 	}
 	return nil
 }
-
-func errorResponse(w http.ResponseWriter, status int, err error) error {
-	type errorResponse struct {
-		Msg    string `json:"msg"`
-		Status int    `json:"status"`
-	}
-	return encode(w, status, &errorResponse{
-		Msg:    fmt.Sprintf("%+v", err),
-		Status: status,
-	})
-}
diff --git a/pkg/model/account.go b/pkg/model/account.go
index 4336dfa..7a69685 100644
--- a/pkg/model/account.go
+++ b/pkg/model/account.go
@@ -1,17 +1,10 @@
 package model
 
 import (
-	"crypto/sha256"
 	"crypto/subtle"
 	"time"
 
-	"git.adyxax.org/adyxax/tfstated/pkg/scrypto"
-	"golang.org/x/crypto/pbkdf2"
-)
-
-const (
-	PBKDF2Iterations = 600000
-	SaltSize         = 32
+	"git.adyxax.org/adyxax/tfstated/pkg/helpers"
 )
 
 type AccountContextKey struct{}
@@ -28,14 +21,6 @@ type Account struct {
 }
 
 func (account *Account) CheckPassword(password string) bool {
-	hash := HashPassword(password, account.Salt)
+	hash := helpers.HashPassword(password, account.Salt)
 	return subtle.ConstantTimeCompare(hash, account.PasswordHash) == 1
 }
-
-func GenerateSalt() []byte {
-	return scrypto.RandomBytes(SaltSize)
-}
-
-func HashPassword(password string, salt []byte) []byte {
-	return pbkdf2.Key([]byte(password), salt, PBKDF2Iterations, 32, sha256.New)
-}