Phase 2: auth, session management, layout, PWA manifest

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-11 11:54:37 +03:00
parent 0bc9160d97
commit d9de37d3d8
17 changed files with 487 additions and 1 deletions
@@ -0,0 +1,63 @@
+package handlers
+
+import (
+	"log/slog"
+	"net/http"
+
+	"golang.org/x/crypto/bcrypt"
+
+	"qbank/internal/auth"
+	"qbank/internal/db"
+)
+
+type AuthHandler struct {
+	auth   *auth.Manager
+	repo   *db.Repo
+	render *Renderer
+}
+
+func NewAuthHandler(a *auth.Manager, repo *db.Repo, r *Renderer) *AuthHandler {
+	return &AuthHandler{auth: a, repo: repo, render: r}
+}
+
+func (h *AuthHandler) LoginGet(w http.ResponseWriter, r *http.Request) {
+	h.render.Render(w, http.StatusOK, "login", map[string]any{
+		"CSRFToken": h.auth.CSRFToken(r),
+	})
+}
+
+func (h *AuthHandler) LoginPost(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, 4096)
+
+	if !h.auth.CheckCSRF(r) {
+		HTTPError(w, http.StatusForbidden)
+		return
+	}
+
+	username := r.FormValue("username")
+	password := r.FormValue("password")
+
+	user, err := h.repo.GetUserByName(username)
+	if err != nil || bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(password)) != nil {
+		slog.Info("login failed", "username", username)
+		h.render.Render(w, http.StatusUnauthorized, "login", map[string]any{
+			"CSRFToken": h.auth.CSRFToken(r),
+			"Error":     "Invalid username or password.",
+		})
+		return
+	}
+
+	h.auth.SetUser(r, user.ID, user.Name)
+	http.Redirect(w, r, "/", http.StatusSeeOther)
+}
+
+func (h *AuthHandler) Logout(w http.ResponseWriter, r *http.Request) {
+	if !h.auth.CheckCSRF(r) {
+		HTTPError(w, http.StatusForbidden)
+		return
+	}
+	if err := h.auth.ClearUser(r); err != nil {
+		slog.Error("logout", "err", err)
+	}
+	http.Redirect(w, r, "/login", http.StatusSeeOther)
+}