pages -> controllers

2025-10-29 09:15:33 +00:00 · 2025-05-29 02:31:27 +02:00
parent 4a4505d042
commit 0e4e6d4337
22 changed files with 22 additions and 22 deletions
--- a/controllers/login.go
+++ b/controllers/login.go
@@ -0,0 +1,171 @@
+package controllers
+
+import (
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/Theodor-Springmann-Stiftung/musenalm/app"
+	"github.com/Theodor-Springmann-Stiftung/musenalm/dbmodels"
+	"github.com/Theodor-Springmann-Stiftung/musenalm/helpers/security"
+	"github.com/Theodor-Springmann-Stiftung/musenalm/pagemodels"
+	"github.com/Theodor-Springmann-Stiftung/musenalm/templating"
+	"github.com/pocketbase/pocketbase/core"
+	"github.com/pocketbase/pocketbase/tools/router"
+)
+
+const (
+	URL_LOGIN      = "/login/"
+	TEMPLATE_LOGIN = "/login/"
+)
+
+var CSRF_CACHE *security.CSRFProtector
+
+// TODO:
+// - rate limiting
+
+func init() {
+	csrf_cache, err := security.NewCSRFProtector(time.Minute*10, time.Minute)
+	if err != nil {
+		panic(err)
+	}
+	CSRF_CACHE = csrf_cache
+
+	lp := &LoginPage{
+		StaticPage: pagemodels.StaticPage{
+			Name:     pagemodels.P_LOGIN_NAME,
+			Layout:   "blank",
+			Template: TEMPLATE_LOGIN,
+			URL:      URL_LOGIN,
+		},
+	}
+	app.Register(lp)
+}
+
+type LoginPage struct {
+	pagemodels.StaticPage
+}
+
+func (p *LoginPage) Setup(router *router.Router[*core.RequestEvent], app core.App, engine *templating.Engine) error {
+	router.GET(URL_LOGIN, p.GET(engine, app))
+	router.POST(URL_LOGIN, p.POST(engine, app))
+	return nil
+}
+
+func (p *LoginPage) GET(engine *templating.Engine, app core.App) HandleFunc {
+	return func(e *core.RequestEvent) error {
+		data := make(map[string]any)
+		data["record"] = p
+		nonce, token, err := CSRF_CACHE.GenerateTokenBundle()
+		if err != nil {
+			return engine.Response500(e, err, data)
+		}
+		data["csrf_nonce"] = nonce
+		data["csrf_token"] = token
+
+		Logout(e, &app)
+
+		SetRedirect(data, e)
+
+		return engine.Response200(e, p.Template, data, p.Layout)
+	}
+}
+
+func Unauthorized(
+	engine *templating.Engine,
+	e *core.RequestEvent,
+	error error,
+	data map[string]any) error {
+
+	nonce, token, err := CSRF_CACHE.GenerateTokenBundle()
+	if err != nil {
+		return engine.Response500(e, err, data)
+	}
+
+	data["csrf_nonce"] = nonce
+	data["csrf_token"] = token
+	data["error"] = error.Error()
+
+	SetRedirect(data, e)
+
+	htm, err := engine.RenderToString(e, data, TEMPLATE_LOGIN, "blank")
+	if err != nil {
+		return engine.Response500(e, err, data)
+	}
+
+	return e.HTML(http.StatusUnauthorized, htm)
+}
+
+func (p *LoginPage) POST(engine *templating.Engine, app core.App) HandleFunc {
+	return func(e *core.RequestEvent) error {
+		data := make(map[string]any)
+		data["record"] = p
+
+		formdata := struct {
+			Username   string `json:"username" form:"username"`
+			Password   string `json:"password" form:"password"`
+			CsrfNonce  string `json:"csrf_nonce" form:"csrf_nonce"`
+			CsrfToken  string `json:"csrf_token" form:"csrf_token"`
+			Persistent string `json:"persist" form:"persist"`
+		}{}
+
+		if err := e.BindBody(&formdata); err != nil {
+			return engine.Response500(e, err, data)
+		}
+
+		data["formdata"] = formdata
+
+		if _, err := CSRF_CACHE.ValidateTokenBundle(formdata.CsrfNonce, formdata.CsrfToken); err != nil {
+			return Unauthorized(engine, e, fmt.Errorf("Ungültiges CSRF-Token oder Zeit abgelaufen. Bitte versuchen Sie es erneut."), data)
+		}
+
+		if formdata.Username == "" || formdata.Password == "" {
+			return Unauthorized(engine, e, fmt.Errorf("Benuztername oder Passwort falsch. Bitte versuchen Sie es erneut."), data)
+		}
+
+		record, err := app.FindFirstRecordByData(dbmodels.USERS_TABLE, dbmodels.USERS_EMAIL_FIELD, formdata.Username)
+		if err != nil || !record.ValidatePassword(formdata.Password) {
+			return Unauthorized(engine, e, fmt.Errorf("Benuztername oder Passwort falsch. Bitte versuchen Sie es erneut."), data)
+		}
+
+		user := dbmodels.NewUser(record)
+		if user.Deactivated() {
+			return Unauthorized(engine, e, fmt.Errorf("Ihr Benutzerkonto ist deaktiviert. Bitte kontaktieren Sie den Administrator."), data)
+		}
+
+		duration := time.Minute * 60
+		if formdata.Persistent == "on" {
+			duration = time.Hour * 24 * 90
+		}
+
+		token, err := dbmodels.CreateSessionToken(app, record.Id, e.RealIP(), e.Request.UserAgent(), formdata.Persistent == "on", duration)
+		if err != nil {
+			return engine.Response500(e, err, data)
+		}
+
+		if formdata.Persistent == "on" {
+			e.SetCookie(&http.Cookie{
+				Name:     dbmodels.SESSION_COOKIE_NAME,
+				Path:     "/",
+				MaxAge:   int(duration.Seconds()),
+				Value:    token.Token(),
+				SameSite: http.SameSiteLaxMode,
+				HttpOnly: true,
+				Secure:   true,
+			})
+		} else {
+			e.SetCookie(&http.Cookie{
+				Name:     dbmodels.SESSION_COOKIE_NAME,
+				Path:     "/",
+				Value:    token.Token(),
+				SameSite: http.SameSiteLaxMode,
+				HttpOnly: true,
+				Secure:   true,
+			})
+		}
+
+		SetRedirect(data, e)
+
+		return RedirectTo(e)
+	}
+}