favoritter/internal/middleware/resetguard.go

// SPDX-License-Identifier: AGPL-3.0-or-later

package middleware

import (
	"net/http"
	"strings"
)

// MustResetPasswordGuard redirects users who must reset their password
// to the reset page. Allows through: static assets, health, logout,
// and the reset-password page itself.
func MustResetPasswordGuard(basePath string) func(http.Handler) http.Handler {
	return func(next http.Handler) http.Handler {
		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			user := UserFromContext(r.Context())
			if user != nil && user.MustResetPassword {
				path := r.URL.Path
				// Allow these paths through without redirect.
				if path == "/reset-password" ||
					path == "/logout" ||
					path == "/health" ||
					strings.HasPrefix(path, "/static/") {
					next.ServeHTTP(w, r)
					return
				}
				http.Redirect(w, r, basePath+"/reset-password", http.StatusSeeOther)
				return
			}
			next.ServeHTTP(w, r)
		})
	}
}
feat: add profiles, public views, settings, and code quality fixes Phase 3 — Profiles & Public Views: - Public profile page (/u/{username}) with OG meta tags - User settings page (display name, bio, visibility, default privacy) - Avatar upload with image processing - Password change from settings (verifies current password) - Home page shows public fave feed for logged-in users - Must-reset-password guard redirects to /reset-password - Profile visibility: public (full) or limited (username only) Code quality improvements from /simplify review: - Fix signup request persistence bug (was silently discarding data) - Fix health check to use configured listen address, not hardcoded :8080 - Add rate limiter cleanup goroutine (was leaking memory) - Extract shared helpers: ClearSessionCookie, IsSecureRequest, scanTags, scanUserFrom (scanner interface), SignupRequestStore - Replace hand-rolled joinPlaceholders with strings.Join - Remove dead _method hidden field, redundant devMode field - Simplify rate-limited route registration (remove double-mux) - Log previously-swallowed errors (session delete, image delete) - Stop leaking internal error messages to users in image upload Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-29 16:01:41 +02:00			`// SPDX-License-Identifier: AGPL-3.0-or-later`

			`package middleware`

			`import (`
			`"net/http"`
			`"strings"`
			`)`

			`// MustResetPasswordGuard redirects users who must reset their password`
			`// to the reset page. Allows through: static assets, health, logout,`
			`// and the reset-password page itself.`
			`func MustResetPasswordGuard(basePath string) func(http.Handler) http.Handler {`
			`return func(next http.Handler) http.Handler {`
			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`user := UserFromContext(r.Context())`
			`if user != nil && user.MustResetPassword {`
			`path := r.URL.Path`
			`// Allow these paths through without redirect.`
			`if path == "/reset-password" \|\|`
			`path == "/logout" \|\|`
			`path == "/health" \|\|`
			`strings.HasPrefix(path, "/static/") {`
			`next.ServeHTTP(w, r)`
			`return`
			`}`
			`http.Redirect(w, r, basePath+"/reset-password", http.StatusSeeOther)`
			`return`
			`}`
			`next.ServeHTTP(w, r)`
			`})`
			`}`
			`}`