Phase 2: auth, session management, layout, PWA manifest

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

internal/handlers/auth.go

@@ -0,0 +1,63 @@
+package handlers
+
+import (
+	"log/slog"
+	"net/http"
+
+	"golang.org/x/crypto/bcrypt"
+
+	"qbank/internal/auth"
+	"qbank/internal/db"
+)
+
+type AuthHandler struct {
+	auth   *auth.Manager
+	repo   *db.Repo
+	render *Renderer
+}
+
+func NewAuthHandler(a *auth.Manager, repo *db.Repo, r *Renderer) *AuthHandler {
+	return &AuthHandler{auth: a, repo: repo, render: r}
+}
+
+func (h *AuthHandler) LoginGet(w http.ResponseWriter, r *http.Request) {
+	h.render.Render(w, http.StatusOK, "login", map[string]any{
+		"CSRFToken": h.auth.CSRFToken(r),
+	})
+}
+
+func (h *AuthHandler) LoginPost(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, 4096)
+
+	if !h.auth.CheckCSRF(r) {
+		HTTPError(w, http.StatusForbidden)
+		return
+	}
+
+	username := r.FormValue("username")
+	password := r.FormValue("password")
+
+	user, err := h.repo.GetUserByName(username)
+	if err != nil || bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(password)) != nil {
+		slog.Info("login failed", "username", username)
+		h.render.Render(w, http.StatusUnauthorized, "login", map[string]any{
+			"CSRFToken": h.auth.CSRFToken(r),
+			"Error":     "Invalid username or password.",
+		})
+		return
+	}
+
+	h.auth.SetUser(r, user.ID, user.Name)
+	http.Redirect(w, r, "/", http.StatusSeeOther)
+}
+
+func (h *AuthHandler) Logout(w http.ResponseWriter, r *http.Request) {
+	if !h.auth.CheckCSRF(r) {
+		HTTPError(w, http.StatusForbidden)
+		return
+	}
+	if err := h.auth.ClearUser(r); err != nil {
+		slog.Error("logout", "err", err)
+	}
+	http.Redirect(w, r, "/login", http.StatusSeeOther)
+}

internal/handlers/home.go

@@ -0,0 +1,20 @@
+package handlers
+
+import (
+	"net/http"
+
+	"qbank/internal/auth"
+)
+
+type HomeHandler struct {
+	auth   *auth.Manager
+	render *Renderer
+}
+
+func NewHomeHandler(a *auth.Manager, r *Renderer) *HomeHandler {
+	return &HomeHandler{auth: a, render: r}
+}
+
+func (h *HomeHandler) Handle(w http.ResponseWriter, r *http.Request) {
+	h.render.Render(w, http.StatusOK, "home", BaseData(h.auth, r))
+}

internal/handlers/render.go

@@ -0,0 +1,49 @@
+package handlers
+
+import (
+	"html/template"
+	"log/slog"
+	"net/http"
+	"path/filepath"
+
+	"qbank/internal/auth"
+)
+
+// Renderer parses and executes HTML templates from a directory.
+type Renderer struct {
+	dir string
+}
+
+func NewRenderer(dir string) *Renderer { return &Renderer{dir: dir} }
+
+// Render executes layout.html + <name>.html, passing data to the "layout" template.
+func (r *Renderer) Render(w http.ResponseWriter, status int, name string, data any) {
+	t, err := template.ParseFiles(
+		filepath.Join(r.dir, "layout.html"),
+		filepath.Join(r.dir, name+".html"),
+	)
+	if err != nil {
+		slog.Error("parse template", "name", name, "err", err)
+		http.Error(w, "internal error", http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.WriteHeader(status)
+	if err := t.ExecuteTemplate(w, "layout", data); err != nil {
+		slog.Error("execute template", "name", name, "err", err)
+	}
+}
+
+// HTTPError writes a plain-text HTTP error.
+func HTTPError(w http.ResponseWriter, status int) {
+	http.Error(w, http.StatusText(status), status)
+}
+
+// BaseData builds the common template map (User, CSRFToken, Flash).
+func BaseData(a *auth.Manager, r *http.Request) map[string]any {
+	return map[string]any{
+		"User":      auth.UserFromCtx(r.Context()),
+		"CSRFToken": a.CSRFToken(r),
+		"Flash":     a.PopFlash(r),
+	}
+}