Split "auth" and "user" routes

internal/dis/component/auth/panel/panel.go

@@ -0,0 +1,76 @@
+package panel
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/FAU-CDI/wisski-distillery/internal/dis/component"
+	"github.com/FAU-CDI/wisski-distillery/internal/dis/component/auth"
+	"github.com/FAU-CDI/wisski-distillery/internal/models"
+	"github.com/FAU-CDI/wisski-distillery/pkg/httpx"
+	"github.com/julienschmidt/httprouter"
+)
+
+type UserPanel struct {
+	component.Base
+	Dependencies struct {
+		Auth *auth.Auth
+	}
+}
+
+var (
+	_ component.Routeable = (*UserPanel)(nil)
+)
+
+func (panel *UserPanel) Routes() []string { return []string{"/user/"} }
+
+func (panel *UserPanel) HandleRoute(ctx context.Context, route string) (http.Handler, error) {
+	router := httprouter.New()
+
+	{
+		user := panel.routeUser(ctx)
+		router.Handler(http.MethodGet, route, user)
+	}
+
+	{
+		password := panel.routePassword(ctx)
+		router.Handler(http.MethodGet, route+"password", password)
+		router.Handler(http.MethodPost, route+"password", password)
+	}
+
+	{
+		totpenable := panel.routeTOTPEnable(ctx)
+		router.Handler(http.MethodGet, route+"totp/enable", totpenable)
+		router.Handler(http.MethodPost, route+"totp/enable", totpenable)
+	}
+
+	{
+		totpenroll := panel.routeTOTPEnroll(ctx)
+		router.Handler(http.MethodGet, route+"totp/enroll", totpenroll)
+		router.Handler(http.MethodPost, route+"totp/enroll", totpenroll)
+	}
+
+	{
+		totpdisable := panel.routeTOTPDisable(ctx)
+		router.Handler(http.MethodGet, route+"totp/disable", totpdisable)
+		router.Handler(http.MethodPost, route+"totp/disable", totpdisable)
+	}
+
+	// ensure that the user is logged in!
+	return panel.Dependencies.Auth.Protect(router, nil), nil
+}
+
+type userFormContext struct {
+	httpx.FormContext
+	User *models.User
+}
+
+func (panel *UserPanel) UserFormContext(ctx httpx.FormContext, r *http.Request) any {
+	user, err := panel.Dependencies.Auth.UserOf(r)
+
+	uctx := userFormContext{FormContext: ctx}
+	if err == nil {
+		uctx.User = &user.User
+	}
+	return uctx
+}

internal/dis/component/auth/panel/password.go

@@ -0,0 +1,78 @@
+package panel
+
+import (
+	"context"
+	"errors"
+	"net/http"
+
+	_ "embed"
+
+	"github.com/FAU-CDI/wisski-distillery/internal/dis/component/control/static"
+	"github.com/FAU-CDI/wisski-distillery/pkg/httpx"
+)
+
+//go:embed "templates/password.html"
+var passwordHTMLString string
+var passwordTemplate = static.AssetsUser.MustParseShared("password.html", passwordHTMLString)
+
+var (
+	errPasswordsNotIdentical = errors.New("passwords are not identical")
+	errPasswordIsEmpty       = errors.New("password is empty")
+	errCredentialsIncorrect  = errors.New("credentials are not correct")
+	errPasswordSetFailure    = errors.New("error saving new password")
+	errTOTPSetFailure        = errors.New("unable to disable totp")
+	errPasswordSet           = errors.New("password was updated")
+)
+
+func (panel *UserPanel) routePassword(ctx context.Context) http.Handler {
+	return &httpx.Form[struct{}]{
+		Fields: []httpx.Field{
+			{Name: "old", Type: httpx.PasswordField, EmptyOnError: true, Label: "Current Password"},
+			{Name: "otp", Type: httpx.TextField, EmptyOnError: true, Label: "Current Passcode (optional)"},
+			{Name: "new", Type: httpx.PasswordField, EmptyOnError: true, Label: "New Password"},
+			{Name: "new2", Type: httpx.PasswordField, EmptyOnError: true, Label: "New Password (again)"},
+		},
+		FieldTemplate: httpx.PureCSSFieldTemplate,
+
+		CSRF: panel.Dependencies.Auth.CSRF(),
+
+		RenderTemplate:        passwordTemplate,
+		RenderTemplateContext: panel.UserFormContext,
+
+		Validate: func(r *http.Request, values map[string]string) (struct{}, error) {
+			old, passcode, new, new2 := values["old"], values["otp"], values["new"], values["new2"]
+
+			if new != new2 {
+				return struct{}{}, errPasswordsNotIdentical
+			}
+
+			if new == "" {
+				return struct{}{}, errPasswordIsEmpty
+			}
+
+			user, err := panel.Dependencies.Auth.UserOf(r)
+			if err != nil {
+				return struct{}{}, err
+			}
+
+			{
+				err := user.CheckCredentials(r.Context(), []byte(old), passcode)
+				if err != nil {
+					return struct{}{}, errCredentialsIncorrect
+				}
+			}
+			{
+				err := user.SetPassword(r.Context(), []byte(new))
+				if err != nil {
+					return struct{}{}, errPasswordSetFailure
+				}
+			}
+
+			return struct{}{}, nil
+		},
+
+		RenderSuccess: func(_ struct{}, values map[string]string, w http.ResponseWriter, r *http.Request) error {
+			return errPasswordSet
+		},
+	}
+}

internal/dis/component/auth/panel/templates/password.html

@@ -0,0 +1,13 @@
+{{ template "_form.html" . }}
+{{ define "form/title" }}Change Password{{ end }}
+{{ define "form/button" }}Update{{ end }}
+
+{{ define "header"}}
+<p>
+    <a class="pure-button" href="/user/">{{ .User.User }}</a> &gt;
+    <a class="pure-button pure-button-primary" href="/user/password/">Change Password</a>
+</p>
+<p>
+    <a class="pure-button pure-button-small" href="/auth/logout/">Logout</a>
+</p>
+{{ end }}

internal/dis/component/auth/panel/templates/totp_disable.html

@@ -0,0 +1,22 @@
+{{ template "_form.html" . }}
+{{ define "form/title" }}Disable TOTP{{ end }}
+{{ define "form/button" }}Disable{{ end }}
+
+{{ define "header"}}
+<p>
+    <a class="pure-button" href="/user/">{{ .User.User }}</a> &gt;
+    <a class="pure-button pure-button-primary" href="/user/totp/disable/">Disable TOTP</a>
+</p>
+<p>
+    <a class="pure-button pure-button-small" href="/auth/logout/">Logout</a>
+</p>
+{{ end }}
+
+{{ define "form/inside" }}
+<div>
+    <ul>
+        <li>remove the TOTP token from your account</li>
+        <li>your account will be less secure, but you will be able to login without it</li>
+    </ul>
+</div>
+{{ end }}

internal/dis/component/auth/panel/templates/totp_enable.html

@@ -0,0 +1,21 @@
+{{ template "_form.html" . }}
+{{ define "form/title" }}Enable TOTP{{ end }}
+{{ define "form/button" }}Enable{{ end }}
+{{ define "header"}}
+<p>
+    <a class="pure-button" href="/user/">{{ .User.User }}</a> &gt;
+    <a class="pure-button pure-button-primary" href="/user/totp/enable/">Enable TOTP</a>
+</p>
+<p>
+    <a class="pure-button pure-button-small" href="/auth/logout/">Logout</a>
+</p>
+{{ end }}
+{{ define "form/inside" }}
+<div>
+    <ul>
+        <li>Use this page to add a <a href="https://en.wikipedia.org/wiki/Time-based_one-time_password">TOTP</a> token to your account</li>
+        <li>You will not be able to login without the second factor</li>
+        <li>If you forget your token, only an administrator can reset it</li>
+    </ul>
+</div>
+{{ end }}

internal/dis/component/auth/panel/templates/totp_enroll.html

@@ -0,0 +1,23 @@
+{{ template "_form.html" . }}
+{{ define "form/title" }}Enable TOTP{{ end }}
+{{ define "form/button" }}Enable{{ end }}
+{{ define "header" }}
+<p>
+    <a class="pure-button" href="/user/">{{ .User.User }}</a> &gt;
+    <a class="pure-button pure-button-primary" href="/user/totp/enroll/">Enroll TOTP</a>
+</p>
+<p>
+    <a class="pure-button pure-button-small" href="/auth/logout/">Logout</a>
+</p>
+{{ end }}
+{{ define "form/inside" }}
+<div>
+    <a href="{{ .TOTPURL }}">
+        <img src="{{ .TOTPImage }}" alt="TOTP Enrollment Image">
+    </a>
+    <ul>
+        <li>scan the token above using a <a href="https://en.wikipedia.org/wiki/Time-based_one-time_password">TOTP</a> app on your phone</li>
+        <li>enter your current password and the now generated token to confirm</li>
+    </ul>
+</div>
+{{ end }}

internal/dis/component/auth/panel/templates/user.html

@@ -0,0 +1,62 @@
+{{ template "_base.html" . }}
+{{ define "title" }}User{{ end }}
+
+{{ define "header"}}
+<p>
+    <a class="pure-button pure-button-primary" href="/user/">{{ .User.User }}</a>
+</p>
+<p>
+    <a class="pure-button pure-button-small" href="/auth/logout/">Logout</a>
+</p>
+{{ end }}
+
+{{ define "content" }}
+<div class="pure-u-1">
+    <p>
+        <ul>
+            {{ if .User.IsAdmin }}
+                <li>Role: <b>Administrator</b></li>
+            {{ else }}
+                <li>Role: <b>Regular User</b></li>
+            {{ end }}
+
+            {{ if .User.IsTOTPEnabled }}
+                <li>Passcode Enabled: <b>true</b></li>
+            {{ else }}
+                <li>Passcode Enabled: <b>false</b> <small>(some actions are disabled)</small></li>
+            {{ end }}
+        </ul>
+    </p>
+    <div class="pure-button-group" role="group" role="Actions">
+        <a class="pure-button" href="/user/password/">Change Password</a>
+        {{ if .User.IsTOTPEnabled }}
+            <a class="pure-button" href="/user/totp/disable/">Disable Passcode (TOTP)</a>
+        {{ else }}
+            <a class="pure-button" href="/user/totp/enable/">Enable Passcode (TOTP)</a>
+        {{ end }}
+    </div>
+    <hr /> 
+</div>
+
+{{ if .User.IsAdmin }}
+<div class="pure-u-1">
+    {{ if (not .User.IsTOTPEnabled) }}
+    <div>
+        <p class="error-message">
+            TOTP is required to access these.
+        </p>
+    </div>
+    {{ end }}
+    <div class="pure-button-group" role="group" role="Actions">
+        <a class="pure-button" href="/admin/">Distillery Admin Page</a>
+    </div>
+    <hr />
+</div>
+{{ end }}
+
+<div class="pure-u-1">
+    There will be a list of WissKIs you have access to here.
+</div>
+
+
+{{ end }}

internal/dis/component/auth/panel/totp.go

@@ -0,0 +1,194 @@
+package panel
+
+import (
+	"context"
+	"html/template"
+	"net/http"
+
+	"github.com/FAU-CDI/wisski-distillery/internal/dis/component/auth"
+	"github.com/FAU-CDI/wisski-distillery/internal/dis/component/control/static"
+	"github.com/FAU-CDI/wisski-distillery/pkg/httpx"
+
+	_ "embed"
+)
+
+//go:embed "templates/totp_enable.html"
+var totpEnableStr string
+var totpEnableTemplate = static.AssetsUser.MustParseShared("totp_enable.html", totpEnableStr)
+
+func (panel *UserPanel) routeTOTPEnable(ctx context.Context) http.Handler {
+	return &httpx.Form[struct{}]{
+		Fields: []httpx.Field{
+			{Name: "password", Type: httpx.PasswordField, EmptyOnError: true, Label: "Current Password"},
+		},
+		FieldTemplate: httpx.PureCSSFieldTemplate,
+
+		CSRF: panel.Dependencies.Auth.CSRF(),
+
+		SkipForm: func(r *http.Request) (data struct{}, skip bool) {
+			user, err := panel.Dependencies.Auth.UserOf(r)
+			return struct{}{}, err == nil && user != nil && user.IsTOTPEnabled()
+		},
+
+		RenderTemplate:        totpEnableTemplate,
+		RenderTemplateContext: panel.UserFormContext,
+
+		Validate: func(r *http.Request, values map[string]string) (struct{}, error) {
+			password := values["password"]
+
+			user, err := panel.Dependencies.Auth.UserOf(r)
+			if err != nil {
+				return struct{}{}, err
+			}
+
+			{
+				err := user.CheckPassword(r.Context(), []byte(password))
+				if err != nil {
+					return struct{}{}, errCredentialsIncorrect
+				}
+			}
+			{
+				_, err := user.NewTOTP(r.Context())
+				if err != nil {
+					return struct{}{}, errTOTPSetFailure
+				}
+			}
+
+			return struct{}{}, nil
+		},
+
+		RenderSuccess: func(_ struct{}, values map[string]string, w http.ResponseWriter, r *http.Request) error {
+			http.Redirect(w, r, "/user/totp/enroll", http.StatusSeeOther)
+			return nil
+		},
+	}
+}
+
+//go:embed "templates/totp_enroll.html"
+var totpEnrollStr string
+var totpEnrollTemplate = static.AssetsUser.MustParseShared("totp_enroll.html", totpEnrollStr)
+
+type totpEnrollContext struct {
+	userFormContext
+	TOTPImage template.URL
+	TOTPURL   template.URL
+}
+
+func (panel *UserPanel) routeTOTPEnroll(ctx context.Context) http.Handler {
+	return &httpx.Form[struct{}]{
+		Fields: []httpx.Field{
+			{Name: "password", Type: httpx.PasswordField, EmptyOnError: true, Label: "Current Password"},
+			{Name: "otp", Type: httpx.TextField, EmptyOnError: true, Label: "Passcode"},
+		},
+		FieldTemplate: httpx.PureCSSFieldTemplate,
+
+		CSRF: panel.Dependencies.Auth.CSRF(),
+
+		SkipForm: func(r *http.Request) (data struct{}, skip bool) {
+			user, err := panel.Dependencies.Auth.UserOf(r)
+			return struct{}{}, err == nil && user != nil && user.IsTOTPEnabled()
+		},
+		RenderForm: func(context httpx.FormContext, w http.ResponseWriter, r *http.Request) {
+			user, err := panel.Dependencies.Auth.UserOf(r)
+
+			ctx := totpEnrollContext{
+				userFormContext: userFormContext{
+					FormContext: context,
+				},
+			}
+
+			if err == nil && user != nil {
+				ctx.userFormContext.User = &user.User
+				secret, err := user.TOTP()
+				if err == nil {
+					img, _ := auth.TOTPLink(secret, 500, 500)
+
+					ctx.TOTPImage = template.URL(img)
+					ctx.TOTPURL = template.URL(secret.URL())
+				}
+			}
+			httpx.WriteHTML(ctx, nil, totpEnrollTemplate, "", w, r)
+		},
+
+		Validate: func(r *http.Request, values map[string]string) (struct{}, error) {
+			password, otp := values["password"], values["otp"]
+
+			user, err := panel.Dependencies.Auth.UserOf(r)
+			if err != nil {
+				return struct{}{}, err
+			}
+
+			{
+				err := user.CheckPassword(r.Context(), []byte(password))
+				if err != nil {
+					return struct{}{}, errCredentialsIncorrect
+				}
+			}
+			{
+				err := user.EnableTOTP(r.Context(), otp)
+				if err != nil {
+					return struct{}{}, errTOTPSetFailure
+				}
+			}
+
+			return struct{}{}, nil
+		},
+
+		RenderSuccess: func(_ struct{}, values map[string]string, w http.ResponseWriter, r *http.Request) error {
+			http.Redirect(w, r, "/user/", http.StatusSeeOther)
+			return nil
+		},
+	}
+}
+
+//go:embed "templates/totp_disable.html"
+var totpDisableStr string
+var totpDisableTemplate = static.AssetsUser.MustParseShared("totp_disable.html", totpDisableStr)
+
+func (panel *UserPanel) routeTOTPDisable(ctx context.Context) http.Handler {
+	return &httpx.Form[struct{}]{
+		Fields: []httpx.Field{
+			{Name: "password", Type: httpx.PasswordField, EmptyOnError: true, Label: "Current Password"},
+			{Name: "otp", Type: httpx.TextField, EmptyOnError: true, Label: "Current Passcode"},
+		},
+		FieldTemplate: httpx.PureCSSFieldTemplate,
+
+		CSRF: panel.Dependencies.Auth.CSRF(),
+
+		SkipForm: func(r *http.Request) (data struct{}, skip bool) {
+			user, err := panel.Dependencies.Auth.UserOf(r)
+			return struct{}{}, err == nil && user != nil && !user.IsTOTPEnabled()
+		},
+		RenderTemplate:        totpDisableTemplate,
+		RenderTemplateContext: panel.UserFormContext,
+
+		Validate: func(r *http.Request, values map[string]string) (struct{}, error) {
+			password, otp := values["password"], values["otp"]
+
+			user, err := panel.Dependencies.Auth.UserOf(r)
+			if err != nil {
+				return struct{}{}, err
+			}
+
+			{
+				err := user.CheckCredentials(r.Context(), []byte(password), otp)
+				if err != nil {
+					return struct{}{}, errCredentialsIncorrect
+				}
+			}
+			{
+				err := user.DisableTOTP(r.Context())
+				if err != nil {
+					return struct{}{}, errTOTPSetFailure
+				}
+			}
+
+			return struct{}{}, nil
+		},
+
+		RenderSuccess: func(_ struct{}, values map[string]string, w http.ResponseWriter, r *http.Request) error {
+			http.Redirect(w, r, "/user/", http.StatusSeeOther)
+			return nil
+		},
+	}
+}

internal/dis/component/auth/panel/user.go

@@ -0,0 +1,26 @@
+package panel
+
+import (
+	"context"
+	"net/http"
+
+	_ "embed"
+
+	"github.com/FAU-CDI/wisski-distillery/internal/dis/component/auth"
+	"github.com/FAU-CDI/wisski-distillery/internal/dis/component/control/static"
+	"github.com/FAU-CDI/wisski-distillery/pkg/httpx"
+)
+
+//go:embed "templates/user.html"
+var userHTMLStr string
+var userTemplate = static.AssetsUser.MustParseShared(
+	"user.html",
+	userHTMLStr,
+)
+
+func (panel *UserPanel) routeUser(ctx context.Context) http.Handler {
+	return &httpx.HTMLHandler[*auth.AuthUser]{
+		Handler:  panel.Dependencies.Auth.UserOf,
+		Template: userTemplate,
+	}
+}