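package controllers

import (
	"fmt"
	"net/http"
	"time"

	"github.com/Theodor-Springmann-Stiftung/musenalm/app"
	"github.com/Theodor-Springmann-Stiftung/musenalm/dbmodels"
	"github.com/Theodor-Springmann-Stiftung/musenalm/helpers/security"
	"github.com/Theodor-Springmann-Stiftung/musenalm/pagemodels"
	"github.com/Theodor-Springmann-Stiftung/musenalm/templating"
	"github.com/pocketbase/pocketbase/core"
	"github.com/pocketbase/pocketbase/tools/router"
)

const (
	URL_LOGIN      = "/login/"
	TEMPLATE_LOGIN = "/login/"
)

// Server-side lifetimes passed to dbmodels.CreateSessionToken. A plain login
// gets a browser-session cookie (no MaxAge) whose token still expires after
// sessionDuration; a "persist" login gets a cookie with MaxAge set to
// persistentDuration.
const (
	sessionDuration    = 60 * time.Minute
	persistentDuration = 24 * time.Hour * 90
)

// CSRF_CACHE issues and validates the nonce/token bundle embedded in the login
// form. It is created in init; the two durations (10 minutes, 1 minute) are
// passed straight to security.NewCSRFProtector, see there for their meaning.
var CSRF_CACHE *security.CSRFProtector

// TODO:
// - rate limiting

func init() {
	protector, err := security.NewCSRFProtector(time.Minute*10, time.Minute)
	if err != nil {
		// The login page cannot work without CSRF protection; fail loudly at startup.
		panic(err)
	}
	CSRF_CACHE = protector

	page := &LoginPage{
		StaticPage: pagemodels.StaticPage{
			Name:     pagemodels.P_LOGIN_NAME,
			Layout:   "blank",
			Template: TEMPLATE_LOGIN,
			URL:      URL_LOGIN,
		},
	}
	app.Register(page)
}

// LoginPage serves the login form (GET) and processes the credentials (POST)
// at URL_LOGIN.
type LoginPage struct {
	pagemodels.StaticPage
}

// loginForm is the body of the login POST. Persistent carries the raw checkbox
// value; only the literal "on" is treated as a request for a long-lived session.
type loginForm struct {
	Username   string `json:"username" form:"username"`
	Password   string `json:"password" form:"password"`
	CsrfNonce  string `json:"csrf_nonce" form:"csrf_nonce"`
	CsrfToken  string `json:"csrf_token" form:"csrf_token"`
	Persistent string `json:"persist" form:"persist"`
}

// Setup registers the GET and POST handlers for URL_LOGIN on the router.
func (p *LoginPage) Setup(router *router.Router[*core.RequestEvent], app core.App, engine *templating.Engine) error {
	router.GET(URL_LOGIN, p.GET(engine, app))
	router.POST(URL_LOGIN, p.POST(engine, app))
	return nil
}

// addCSRF stores a freshly generated nonce/token pair in data under the keys
// the login template reads ("csrf_nonce", "csrf_token"). It returns the
// generation error, if any, so callers can turn it into a 500.
func addCSRF(data map[string]any) error {
	nonce, token, err := CSRF_CACHE.GenerateTokenBundle()
	if err != nil {
		return err
	}
	data["csrf_nonce"] = nonce
	data["csrf_token"] = token
	return nil
}

// GET renders the login form. Any existing session is ended first (Logout is
// defined elsewhere in this package), and a new CSRF bundle is issued.
func (p *LoginPage) GET(engine *templating.Engine, app core.App) HandleFunc {
	return func(e *core.RequestEvent) error {
		data := map[string]any{"record": p}
		if err := addCSRF(data); err != nil {
			return engine.Response500(e, err, data)
		}
		Logout(e, &app)
		// NOTE(review): SetRedirect/RedirectTo are defined elsewhere; confirm the
		// redirect target they derive is restricted to same-origin paths.
		SetRedirect(data, e)
		return engine.Response200(e, p.Template, data, p.Layout)
	}
}

// Unauthorized re-renders the login template with HTTP 401, a fresh CSRF
// bundle and cause's message under data["error"], so the user can retry.
// The parameter was renamed from `error` to stop shadowing the builtin type.
func Unauthorized(
	engine *templating.Engine,
	e *core.RequestEvent,
	cause error,
	data map[string]any) error {
	if err := addCSRF(data); err != nil {
		return engine.Response500(e, err, data)
	}
	data["error"] = cause.Error()
	SetRedirect(data, e)

	htm, err := engine.RenderToString(e, data, TEMPLATE_LOGIN, "blank")
	if err != nil {
		return engine.Response500(e, err, data)
	}
	return e.HTML(http.StatusUnauthorized, htm)
}

// setSessionCookie sets the session cookie carrying value. MaxAge is only set
// for persistent logins; otherwise the cookie lives for the browser session.
func setSessionCookie(e *core.RequestEvent, value string, persistent bool, duration time.Duration) {
	cookie := &http.Cookie{
		Name:     dbmodels.SESSION_COOKIE_NAME,
		Path:     "/",
		Value:    value,
		SameSite: http.SameSiteLaxMode,
		HttpOnly: true,
		Secure:   true,
	}
	if persistent {
		cookie.MaxAge = int(duration.Seconds())
	}
	e.SetCookie(cookie)
}

// POST validates the CSRF bundle and the credentials, creates a session token
// and sets the session cookie. Every rejection goes through Unauthorized with
// a generic message; a missing account and a wrong password are reported
// identically.
func (p *LoginPage) POST(engine *templating.Engine, app core.App) HandleFunc {
	return func(e *core.RequestEvent) error {
		data := map[string]any{"record": p}

		var formdata loginForm
		if err := e.BindBody(&formdata); err != nil {
			return engine.Response500(e, err, data)
		}
		// NOTE(review): formdata, including the submitted password, is handed to
		// the template for re-rendering; confirm the template never echoes Password.
		data["formdata"] = formdata

		// CSRF first, so nothing below runs on a forged request.
		if _, err := CSRF_CACHE.ValidateTokenBundle(formdata.CsrfNonce, formdata.CsrfToken); err != nil {
			return Unauthorized(engine, e, fmt.Errorf("Ungültiges CSRF-Token oder Zeit abgelaufen. Bitte versuchen Sie es erneut."), data)
		}

		invalidCredentials := fmt.Errorf("Benutzername oder Passwort falsch. Bitte versuchen Sie es erneut.")
		if formdata.Username == "" || formdata.Password == "" {
			return Unauthorized(engine, e, invalidCredentials, data)
		}

		// NOTE(review): when no record is found, ValidatePassword is skipped, so an
		// unknown account answers faster than a wrong password; a dummy hash
		// comparison in the not-found branch would equalize the timing.
		record, err := app.FindFirstRecordByData(dbmodels.USERS_TABLE, dbmodels.USERS_EMAIL_FIELD, formdata.Username)
		if err != nil || !record.ValidatePassword(formdata.Password) {
			return Unauthorized(engine, e, invalidCredentials, data)
		}

		user := dbmodels.NewUser(record)
		if user.Deactivated() {
			return Unauthorized(engine, e, fmt.Errorf("Ihr Benutzerkonto ist deaktiviert. Bitte kontaktieren Sie den Administrator."), data)
		}

		persistent := formdata.Persistent == "on"
		duration := sessionDuration
		if persistent {
			duration = persistentDuration
		}

		token, err := dbmodels.CreateSessionToken(app, record.Id, e.RealIP(), e.Request.UserAgent(), persistent, duration)
		if err != nil {
			return engine.Response500(e, err, data)
		}
		setSessionCookie(e, token.Token(), persistent, duration)

		SetRedirect(data, e)
		return RedirectTo(e)
	}
}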