package pages
import (
"fmt"
"net/http"
"time"
"github.com/Theodor-Springmann-Stiftung/musenalm/app"
"github.com/Theodor-Springmann-Stiftung/musenalm/dbmodels"
"github.com/Theodor-Springmann-Stiftung/musenalm/helpers/security"
"github.com/Theodor-Springmann-Stiftung/musenalm/pagemodels"
"github.com/Theodor-Springmann-Stiftung/musenalm/templating"
"github.com/pocketbase/pocketbase/core"
"github.com/pocketbase/pocketbase/tools/router"
)
const (
	// URL_LOGIN is the route the login page is mounted on; GET renders the
	// form and POST processes it (see Setup).
	URL_LOGIN = "/login/"
	// TEMPLATE_LOGIN is the template name rendered for the login form, both
	// for the normal page and for the 401 re-render in Unauthorized.
	TEMPLATE_LOGIN = "/login/"
)
// CSRF_CACHE is the CSRF protector shared by the login handlers. It is
// created in init (which panics if construction fails), so the handlers
// rely on it being non-nil.
var CSRF_CACHE *security.CSRFProtector
// TODO:
// - rate limiting
// init creates the package-level CSRF protector and registers the login
// page with the application. A protector that cannot be constructed makes
// every login round-trip impossible, so that failure is fatal.
func init() {
	// NOTE(review): the two durations are passed straight through to
	// security.NewCSRFProtector; their exact meaning (token lifetime vs.
	// cleanup interval) is defined there — confirm before tuning them.
	protector, err := security.NewCSRFProtector(time.Minute*5, time.Minute)
	if err != nil {
		panic(err)
	}
	CSRF_CACHE = protector

	static := pagemodels.StaticPage{
		Name:     pagemodels.P_LOGIN_NAME,
		Layout:   "blank",
		Template: TEMPLATE_LOGIN,
		URL:      URL_LOGIN,
	}
	app.Register(&LoginPage{StaticPage: static})
}
// LoginPage is the static page that renders (GET) and processes (POST) the
// login form. It embeds pagemodels.StaticPage, which supplies the page's
// Name, Layout, Template and URL (populated in init).
type LoginPage struct {
	pagemodels.StaticPage
}
// Setup mounts the login form on URL_LOGIN: GET renders it, POST processes
// the submission. It always returns nil.
func (p *LoginPage) Setup(router *router.Router[*core.RequestEvent], app core.App, engine *templating.Engine) error {
	renderForm := p.GET(engine, app)
	submitForm := p.POST(engine, app)

	router.GET(URL_LOGIN, renderForm)
	router.POST(URL_LOGIN, submitForm)

	return nil
}
// GET returns the handler that renders the login form.
//
// Every request receives a fresh CSRF nonce/token pair from CSRF_CACHE, which
// the POST handler later validates; a failure to generate the pair answers
// 500 rather than serving an unsubmittable form. Logout (defined elsewhere in
// the package) is invoked before rendering, presumably to end any session the
// visitor still has.
func (p *LoginPage) GET(engine *templating.Engine, app core.App) HandleFunc {
	return func(e *core.RequestEvent) error {
		data := map[string]any{"record": p}

		nonce, token, err := CSRF_CACHE.GenerateTokenBundle()
		if err != nil {
			return engine.Response500(e, err, data)
		}
		data["csrf_nonce"], data["csrf_token"] = nonce, token

		Logout(e, &app)

		// NOTE(review): the rendered page embeds per-request CSRF material;
		// confirm the response goes out with a no-store cache policy (here or
		// inside the engine) so intermediaries do not cache it.
		return engine.Response200(e, p.Template, data, p.Layout)
	}
}
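// Unauthorized re-renders the login form with an error message and a fresh
// CSRF nonce/token pair, answering with HTTP 401.
//
// cause provides the user-visible message (stored under data["error"]); a
// nil cause yields an empty message instead of a panic. data is the template
// data and may be nil. CSRF generation or rendering failures fall back to
// engine.Response500.
//
// NOTE(review): callers pass the bound form struct through data["formdata"],
// which includes the submitted password; the login template must never echo
// that field.
func Unauthorized(
	engine *templating.Engine,
	e *core.RequestEvent,
	cause error,
	data map[string]any) error {

	// Writing to a nil map panics; tolerate callers that pass none.
	if data == nil {
		data = make(map[string]any)
	}

	nonce, token, err := CSRF_CACHE.GenerateTokenBundle()
	if err != nil {
		return engine.Response500(e, err, data)
	}

	message := ""
	if cause != nil {
		message = cause.Error()
	}

	data["csrf_nonce"] = nonce
	data["csrf_token"] = token
	data["error"] = message

	htm, err := engine.RenderToString(e, data, TEMPLATE_LOGIN, "blank")
	if err != nil {
		return engine.Response500(e, err, data)
	}

	return e.HTML(http.StatusUnauthorized, htm)
}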
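// POST returns the handler that processes the login form submission.
//
// Checks run in this order: the body is bound; the CSRF nonce/token pair is
// validated; empty credentials are rejected; the user is looked up by e-mail
// and the password verified; deactivated accounts are refused. On success a
// session token is created with dbmodels.CreateSessionToken, stored in the
// session cookie, and the request is redirected via RedirectTo.
//
// Failed attempts re-render the form with a 401 through Unauthorized;
// body-binding and session-creation errors answer 500.
//
// NOTE(review): attempts are not throttled here (see the TODO at the top of
// the file), and an unknown e-mail returns before any password verification
// runs, so the two failure paths may be distinguishable by timing even though
// they share one message — confirm whether that matters for this deployment.
func (p *LoginPage) POST(engine *templating.Engine, app core.App) HandleFunc {
	return func(e *core.RequestEvent) error {
		data := make(map[string]any)
		data["record"] = p

		formdata := struct {
			Username   string `json:"username" form:"username"`
			Password   string `json:"password" form:"password"`
			CsrfNonce  string `json:"csrf_nonce" form:"csrf_nonce"`
			CsrfToken  string `json:"csrf_token" form:"csrf_token"`
			Persistent string `json:"persist" form:"persist"`
		}{}

		if err := e.BindBody(&formdata); err != nil {
			return engine.Response500(e, err, data)
		}

		// The whole bound struct — password included — reaches the template on
		// the failure paths below; the login template must not echo it.
		data["formdata"] = formdata

		// CSRF is verified before anything touches the database.
		if _, err := CSRF_CACHE.ValidateTokenBundle(formdata.CsrfNonce, formdata.CsrfToken); err != nil {
			return Unauthorized(engine, e, fmt.Errorf("Ungültiges CSRF-Token oder Zeit abgelaufen. Bitte versuchen Sie es erneut."), data)
		}

		if formdata.Username == "" || formdata.Password == "" {
			return Unauthorized(engine, e, fmt.Errorf("Benuztername oder Passwort falsch. Bitte versuchen Sie es erneut."), data)
		}

		// "No such user" and "wrong password" deliberately share one message so
		// the response body does not reveal which e-mail addresses exist.
		record, err := app.FindFirstRecordByData(dbmodels.USERS_TABLE, dbmodels.USERS_EMAIL_FIELD, formdata.Username)
		if err != nil || !record.ValidatePassword(formdata.Password) {
			return Unauthorized(engine, e, fmt.Errorf("Benuztername oder Passwort falsch. Bitte versuchen Sie es erneut."), data)
		}

		user := dbmodels.NewUser(record)
		if user.Deactivated() {
			return Unauthorized(engine, e, fmt.Errorf("Ihr Benutzerkonto ist deaktiviert. Bitte kontaktieren Sie den Administrator."), data)
		}

		// "Remember me" sessions last 90 days and get a persistent cookie;
		// everything else is a one-hour token in a browser-session cookie.
		persistent := formdata.Persistent == "on"
		duration := time.Hour
		if persistent {
			duration = 90 * 24 * time.Hour
		}

		// NOTE(review): e.RealIP() is only as trustworthy as the proxy headers
		// the framework is configured to honour; treat the stored IP as
		// informational, not as an authentication factor.
		token, err := dbmodels.CreateSessionToken(app, record.Id, e.RealIP(), e.Request.UserAgent(), persistent, duration)
		if err != nil {
			return engine.Response500(e, err, data)
		}

		cookie := &http.Cookie{
			Name:     dbmodels.SESSION_COOKIE_NAME,
			Path:     "/",
			Value:    token.Token(),
			SameSite: http.SameSiteLaxMode,
			HttpOnly: true,
			Secure:   true,
		}
		if persistent {
			// Only the persistent variant carries Max-Age; without it the cookie
			// expires with the browser session while the token itself lasts an hour.
			cookie.MaxAge = int(duration.Seconds())
		}
		e.SetCookie(cookie)

		return RedirectTo(e)
	}
}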