From 6e069484cb0a911ba541e07bf04331fadbb76612 Mon Sep 17 00:00:00 2001
From: Julien Dessaux
Date: Mon, 6 Jan 2025 00:41:32 +0100
Subject: feat(webui): bootstrap session handling and login process

---
 pkg/webui/cache.go           |  10 ++++
 pkg/webui/error.go           |  21 ++++++++
 pkg/webui/html/base.html     |  20 ++++++++
 pkg/webui/html/error.html    |   6 +++
 pkg/webui/html/index.html    |   3 ++
 pkg/webui/html/login.html    |  29 +++++++++++
 pkg/webui/index.go           |  16 ++++++
 pkg/webui/login.go           | 115 +++++++++++++++++++++++++++++++++++++++++++
 pkg/webui/render.go          |  22 +++++++++
 pkg/webui/routes.go          |   6 +++
 pkg/webui/run.go             |   7 +++
 pkg/webui/sessions.go        |  55 +++++++++++++++++++++
 pkg/webui/static/favicon.svg |   3 ++
 pkg/webui/static/main.css    |   3 ++
 14 files changed, 316 insertions(+)
 create mode 100644 pkg/webui/cache.go
 create mode 100644 pkg/webui/error.go
 create mode 100644 pkg/webui/html/base.html
 create mode 100644 pkg/webui/html/error.html
 create mode 100644 pkg/webui/html/index.html
 create mode 100644 pkg/webui/html/login.html
 create mode 100644 pkg/webui/index.go
 create mode 100644 pkg/webui/login.go
 create mode 100644 pkg/webui/render.go
 create mode 100644 pkg/webui/sessions.go
 create mode 100644 pkg/webui/static/favicon.svg
 create mode 100644 pkg/webui/static/main.css

(limited to 'pkg/webui')

diff --git a/pkg/webui/cache.go b/pkg/webui/cache.go
new file mode 100644
index 0000000..cef999b
--- /dev/null
+++ b/pkg/webui/cache.go
@@ -0,0 +1,10 @@
+package webui
+
+import "net/http"
+
+func cache(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Cache-Control", "public, max-age=31536000, immutable")
+		next.ServeHTTP(w, r)
+	})
+}
diff --git a/pkg/webui/error.go b/pkg/webui/error.go
new file mode 100644
index 0000000..05d8e9e
--- /dev/null
+++ b/pkg/webui/error.go
@@ -0,0 +1,21 @@
+package webui
+
+import (
+	"html/template"
+	"net/http"
+)
+
+var errorTemplates = template.Must(template.ParseFS(htmlFS, "html/base.html", "html/error.html"))
+
+func errorResponse(w http.ResponseWriter, status int, err error) {
+	type ErrorData struct {
+		Err        error
+		Status     int
+		StatusText string
+	}
+	render(w, errorTemplates, status, &ErrorData{
+		Err:        err,
+		Status:     status,
+		StatusText: http.StatusText(status),
+	})
+}
diff --git a/pkg/webui/html/base.html b/pkg/webui/html/base.html
new file mode 100644
index 0000000..1c15cc5
--- /dev/null
+++ b/pkg/webui/html/base.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="UTF-8">
+    <meta name="viewport" content="width=device-width, initial-scale=1">
+    <link rel="icon" href="/static/favicon.svg">
+    <link rel="stylesheet" href="/static/main.css">
+    <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/@picocss/pico@2/css/pico.min.css">
+    <title>tfstated</title>
+  </head>
+  <body>
+    <header>
+    </header>
+    <main class="container">
+      {{ template "main" . }}
+    </main>
+    <footer>
+    </footer>
+  </body>
+</html>
diff --git a/pkg/webui/html/error.html b/pkg/webui/html/error.html
new file mode 100644
index 0000000..d2ea7e1
--- /dev/null
+++ b/pkg/webui/html/error.html
@@ -0,0 +1,6 @@
+{{ define "main" }}
+<article>
+  <h1>{{ .Status }} - {{ .StatusText }}</h1>
+  <p>{{ .Err }}</p>
+</article>
+{{ end }}
diff --git a/pkg/webui/html/index.html b/pkg/webui/html/index.html
new file mode 100644
index 0000000..5c50159
--- /dev/null
+++ b/pkg/webui/html/index.html
@@ -0,0 +1,3 @@
+{{ define "main" }}
+<h1>TODO</h1>
+{{ end }}
diff --git a/pkg/webui/html/login.html b/pkg/webui/html/login.html
new file mode 100644
index 0000000..0c2a167
--- /dev/null
+++ b/pkg/webui/html/login.html
@@ -0,0 +1,29 @@
+{{ define "main" }}
+{{ if .Forbidden }}
+<article>
+  <p class="error-message">Invalid username or password</p>
+</article>
+{{ end }}
+<form action="/login" method="post">
+  <fieldset>
+	<label>
+      Username
+	  <input type="text"
+             placeholder="Username"
+             name="username"
+             value="{{ .Username }}"
+             {{ if .Forbidden }}aria-invalid="true"{{ end }}
+             required>
+    </label>
+	<label>
+      Password
+      <input type="password"
+             placeholder="Password"
+             name="password"
+             {{ if .Forbidden }}aria-invalid="true"{{ end }}
+             required>
+    </label>
+  </fieldset>
+  <button type="submit" value="login">Login</button>
+</form>
+{{ end }}
diff --git a/pkg/webui/index.go b/pkg/webui/index.go
new file mode 100644
index 0000000..9c81729
--- /dev/null
+++ b/pkg/webui/index.go
@@ -0,0 +1,16 @@
+package webui
+
+import (
+	"html/template"
+	"net/http"
+)
+
+var indexTemplates = template.Must(template.ParseFS(htmlFS, "html/base.html", "html/index.html"))
+
+func handleIndexGET() http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Cache-Control", "no-store, no-cache")
+
+		render(w, indexTemplates, http.StatusOK, nil)
+	})
+}
diff --git a/pkg/webui/login.go b/pkg/webui/login.go
new file mode 100644
index 0000000..d004d82
--- /dev/null
+++ b/pkg/webui/login.go
@@ -0,0 +1,115 @@
+package webui
+
+import (
+	"context"
+	"fmt"
+	"html/template"
+	"net/http"
+	"regexp"
+
+	"git.adyxax.org/adyxax/tfstated/pkg/database"
+	"git.adyxax.org/adyxax/tfstated/pkg/model"
+)
+
+var loginTemplate = template.Must(template.ParseFS(htmlFS, "html/base.html", "html/login.html"))
+
+type loginPage struct {
+	Forbidden bool
+	Username  string
+}
+
+func handleLoginGET() http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Cache-Control", "no-store, no-cache")
+
+		session := r.Context().Value(model.SessionContextKey{})
+		if session != nil {
+			http.Redirect(w, r, "/", http.StatusFound)
+			return
+		}
+
+		render(w, loginTemplate, http.StatusOK, loginPage{})
+	})
+}
+
+func handleLoginPOST(db *database.DB) http.Handler {
+	var validUsername = regexp.MustCompile(`^[a-zA-Z]\w*$`)
+	renderForbidden := func(w http.ResponseWriter, username string) {
+		render(w, loginTemplate, http.StatusForbidden, loginPage{
+			Forbidden: true,
+			Username:  username,
+		})
+	}
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if err := r.ParseForm(); err != nil {
+			errorResponse(w, http.StatusBadRequest, err)
+			return
+		}
+		username := r.FormValue("username")
+		password := r.FormValue("password")
+
+		if username == "" || password == "" { // the webui cannot issue this
+			errorResponse(w, http.StatusBadRequest, fmt.Errorf("Forbidden"))
+			return
+		}
+		if ok := validUsername.MatchString(username); !ok {
+			renderForbidden(w, username)
+			return
+		}
+		account, err := db.LoadAccountByUsername(username)
+		if err != nil {
+			errorResponse(w, http.StatusInternalServerError, err)
+			return
+		}
+		if account == nil || !account.CheckPassword(password) {
+			renderForbidden(w, username)
+			return
+		}
+		if err := db.TouchAccount(account); err != nil {
+			errorResponse(w, http.StatusInternalServerError, err)
+			return
+		}
+		sessionId, err := db.CreateSession(account)
+		if err != nil {
+			errorResponse(w, http.StatusInternalServerError, err)
+			return
+		}
+		http.SetCookie(w, &http.Cookie{
+			Name:     cookieName,
+			Value:    sessionId,
+			Quoted:   false,
+			Path:     "/",
+			MaxAge:   8 * 3600, // 1 hour sessions
+			HttpOnly: true,
+			SameSite: http.SameSiteStrictMode,
+			Secure:   true,
+		})
+		http.Redirect(w, r, "/", http.StatusFound)
+	})
+}
+
+func loginMiddleware(db *database.DB) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Cache-Control", "no-store, no-cache")
+			session := r.Context().Value(model.SessionContextKey{})
+			if session == nil {
+				http.Redirect(w, r, "/login", http.StatusFound)
+				return
+			}
+			account, err := db.LoadAccountById(session.(*model.Session).AccountId)
+			if err != nil {
+				errorResponse(w, http.StatusInternalServerError, err)
+				return
+			}
+			if account == nil {
+				// this could happen if the account was deleted in the short
+				// time between retrieving the session and here
+				http.Redirect(w, r, "/login", http.StatusFound)
+				return
+			}
+			ctx := context.WithValue(r.Context(), model.AccountContextKey{}, account)
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
diff --git a/pkg/webui/render.go b/pkg/webui/render.go
new file mode 100644
index 0000000..23f5e51
--- /dev/null
+++ b/pkg/webui/render.go
@@ -0,0 +1,22 @@
+package webui
+
+import (
+	"bytes"
+	"fmt"
+	"html/template"
+	"net/http"
+)
+
+func render(w http.ResponseWriter, t *template.Template, status int, data any) {
+	var buf bytes.Buffer
+	if err := t.ExecuteTemplate(&buf, "base.html", data); err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		_, _ = w.Write([]byte(fmt.Sprintf(
+			"%s: failed to execute template: %+v",
+			http.StatusText(http.StatusInternalServerError),
+			err)))
+	} else {
+		w.WriteHeader(status)
+		_, _ = buf.WriteTo(w)
+	}
+}
diff --git a/pkg/webui/routes.go b/pkg/webui/routes.go
index ef16040..5cf31c0 100644
--- a/pkg/webui/routes.go
+++ b/pkg/webui/routes.go
@@ -10,5 +10,11 @@ func addRoutes(
 	mux *http.ServeMux,
 	db *database.DB,
 ) {
+	session := sessionsMiddleware(db)
+	requireLogin := loginMiddleware(db)
 	mux.Handle("GET /healthz", handleHealthz())
+	mux.Handle("GET /login", session(handleLoginGET()))
+	mux.Handle("POST /login", session(handleLoginPOST(db)))
+	mux.Handle("GET /static/", cache(http.FileServer(http.FS(staticFS))))
+	mux.Handle("GET /", session(requireLogin(handleIndexGET())))
 }
diff --git a/pkg/webui/run.go b/pkg/webui/run.go
index f1b20cb..664b9e5 100644
--- a/pkg/webui/run.go
+++ b/pkg/webui/run.go
@@ -2,6 +2,7 @@ package webui
 
 import (
 	"context"
+	"embed"
 	"log/slog"
 	"net"
 	"net/http"
@@ -10,6 +11,12 @@ import (
 	"git.adyxax.org/adyxax/tfstated/pkg/middlewares/logger"
 )
 
+//go:embed html/*
+var htmlFS embed.FS
+
+//go:embed static/*
+var staticFS embed.FS
+
 func Run(
 	ctx context.Context,
 	db *database.DB,
diff --git a/pkg/webui/sessions.go b/pkg/webui/sessions.go
new file mode 100644
index 0000000..6d492d5
--- /dev/null
+++ b/pkg/webui/sessions.go
@@ -0,0 +1,55 @@
+package webui
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+
+	"git.adyxax.org/adyxax/tfstated/pkg/database"
+	"git.adyxax.org/adyxax/tfstated/pkg/model"
+)
+
+const cookieName = "tfstated"
+
+func sessionsMiddleware(db *database.DB) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			cookie, err := r.Cookie(cookieName)
+			if err != nil && !errors.Is(err, http.ErrNoCookie) {
+				errorResponse(w, http.StatusInternalServerError, fmt.Errorf("failed to get request cookie \"%s\": %w", cookieName, err))
+				return
+			}
+			if err == nil {
+				if len(cookie.Value) != 36 {
+					http.SetCookie(w, &http.Cookie{
+						Name:     cookieName,
+						Value:    "",
+						Quoted:   false,
+						Path:     "/",
+						MaxAge:   0, // remove invalid cookie
+						HttpOnly: true,
+						SameSite: http.SameSiteStrictMode,
+						Secure:   true,
+					})
+				} else {
+					session, err := db.LoadSessionById(cookie.Value)
+					if err != nil {
+						errorResponse(w, http.StatusInternalServerError, err)
+						return
+					}
+					if !session.IsExpired() {
+						if err := db.TouchSession(cookie.Value); err != nil {
+							errorResponse(w, http.StatusInternalServerError, err)
+							return
+						}
+						ctx := context.WithValue(r.Context(), model.SessionContextKey{}, session)
+						next.ServeHTTP(w, r.WithContext(ctx))
+						return
+					}
+				}
+			}
+			next.ServeHTTP(w, r)
+		})
+	}
+}
diff --git a/pkg/webui/static/favicon.svg b/pkg/webui/static/favicon.svg
new file mode 100644
index 0000000..56f9365
--- /dev/null
+++ b/pkg/webui/static/favicon.svg
@@ -0,0 +1,3 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg xmlns="http://www.w3.org/2000/svg" style="background-color: rgb(0, 0, 0);" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1" width="98px" height="94px" viewBox="-0.5 -0.5 98 94"><defs/><rect fill="#000000" width="100%" height="100%" x="0" y="0"/><g><g data-cell-id="0"><g data-cell-id="1"><g data-cell-id="d8vDQkJiZMsKFp_Zf0So-1"><g><rect x="0" y="0" width="98" height="94" fill="none" stroke="none" pointer-events="all"/><path d="M 89.23 80.02 L 89.23 31.87 L 76.66 31.87 L 76.66 80.02 L 66.61 80.02 L 66.61 31.87 L 54.04 31.87 L 54.04 80.02 L 43.99 80.02 L 43.99 31.87 L 31.42 31.87 L 31.42 80.02 L 21.36 80.02 L 21.36 31.87 L 8.8 31.87 L 8.8 80.02 L 8.79 80.02 L 0 94 L 98 93.98 Z M 2.49 26.57 L 95.51 26.57 L 49 0 Z" fill="#e6e6e6" stroke="none" pointer-events="all"/></g></g></g></g></g></svg>
\ No newline at end of file
diff --git a/pkg/webui/static/main.css b/pkg/webui/static/main.css
new file mode 100644
index 0000000..a2472b7
--- /dev/null
+++ b/pkg/webui/static/main.css
@@ -0,0 +1,3 @@
+.error-message {
+    color:red;
+}
-- 
cgit v1.2.3