fix: address code review findings for Phase 7-8

Bugs fixed: - Renderer.Error set WriteHeader before Content-Type, causing the header to be silently dropped. Now sets Content-Type first. - truncate template function operated on bytes, not runes — could split multi-byte UTF-8 characters (Norwegian æøå). Now uses []rune for correct Unicode handling. Performance: - Skip session DB lookup (2 queries) on /static/ and /uploads/ requests — these never use user context. UX consistency: - Replace all http.NotFound and http.Error("Forbidden") in handler layer with styled error pages via Renderer.Error. - Add notFound/forbidden helper methods on Handler. Deployment fixes: - Remove false libc6/glibc deps from nfpm.yaml (binary is statically linked with CGO_ENABLED=0). - Add CGO_ENABLED=0 to Makefile build target for consistency. - Add .dockerignore to exclude .git, dist/, data/ from build context. - Remove phantom 'lint' from Makefile .PHONY. - Document ProtectSystem=strict constraint in systemd service. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-29 16:39:10 +02:00 · 2026-03-29 16:39:10 +02:00 · aa5ab6b415
commit aa5ab6b415
parent 1fc42bf1b2
9 changed files with 73 additions and 32 deletions
--- a/internal/handler/fave.go
+++ b/internal/handler/fave.go
@ -125,14 +125,14 @@ func (h *Handler) handleFaveCreate(w http.ResponseWriter, r *http.Request) {
 func (h *Handler) handleFaveDetail(w http.ResponseWriter, r *http.Request) {
 	id, err := strconv.ParseInt(r.PathValue("id"), 10, 64)
 	if err != nil {
-		http.NotFound(w, r)
+		h.notFound(w, r)
 		return
 	}

 	fave, err := h.deps.Faves.GetByID(id)
 	if err != nil {
 		if errors.Is(err, store.ErrFaveNotFound) {
-			http.NotFound(w, r)
+			h.notFound(w, r)
 			return
 		}
 		slog.Error("get fave error", "error", err)
@ -143,7 +143,7 @@ func (h *Handler) handleFaveDetail(w http.ResponseWriter, r *http.Request) {
 	// Check access: private faves are only visible to their owner.
 	user := middleware.UserFromContext(r.Context())
 	if fave.Privacy == "private" && (user == nil || user.ID != fave.UserID) {
-		http.NotFound(w, r)
+		h.notFound(w, r)
 		return
 	}

@ -169,14 +169,14 @@ func (h *Handler) handleFaveEdit(w http.ResponseWriter, r *http.Request) {

 	id, err := strconv.ParseInt(r.PathValue("id"), 10, 64)
 	if err != nil {
-		http.NotFound(w, r)
+		h.notFound(w, r)
 		return
 	}

 	fave, err := h.deps.Faves.GetByID(id)
 	if err != nil {
 		if errors.Is(err, store.ErrFaveNotFound) {
-			http.NotFound(w, r)
+			h.notFound(w, r)
 			return
 		}
 		slog.Error("get fave error", "error", err)
@ -186,7 +186,7 @@ func (h *Handler) handleFaveEdit(w http.ResponseWriter, r *http.Request) {

 	// Only the owner can edit.
 	if user.ID != fave.UserID {
-		http.Error(w, "Forbidden", http.StatusForbidden)
+		h.forbidden(w, r)
 		return
 	}

@ -217,14 +217,14 @@ func (h *Handler) handleFaveUpdate(w http.ResponseWriter, r *http.Request) {

 	id, err := strconv.ParseInt(r.PathValue("id"), 10, 64)
 	if err != nil {
-		http.NotFound(w, r)
+		h.notFound(w, r)
 		return
 	}

 	fave, err := h.deps.Faves.GetByID(id)
 	if err != nil {
 		if errors.Is(err, store.ErrFaveNotFound) {
-			http.NotFound(w, r)
+			h.notFound(w, r)
 			return
 		}
 		slog.Error("get fave error", "error", err)
@ -233,7 +233,7 @@ func (h *Handler) handleFaveUpdate(w http.ResponseWriter, r *http.Request) {
 	}

 	if user.ID != fave.UserID {
-		http.Error(w, "Forbidden", http.StatusForbidden)
+		h.forbidden(w, r)
 		return
 	}

@ -304,14 +304,14 @@ func (h *Handler) handleFaveDelete(w http.ResponseWriter, r *http.Request) {

 	id, err := strconv.ParseInt(r.PathValue("id"), 10, 64)
 	if err != nil {
-		http.NotFound(w, r)
+		h.notFound(w, r)
 		return
 	}

 	fave, err := h.deps.Faves.GetByID(id)
 	if err != nil {
 		if errors.Is(err, store.ErrFaveNotFound) {
-			http.NotFound(w, r)
+			h.notFound(w, r)
 			return
 		}
 		slog.Error("get fave error", "error", err)
@ -320,7 +320,7 @@ func (h *Handler) handleFaveDelete(w http.ResponseWriter, r *http.Request) {
 	}

 	if user.ID != fave.UserID {
-		http.Error(w, "Forbidden", http.StatusForbidden)
+		h.forbidden(w, r)
 		return
 	}

--- a/internal/handler/handler.go
+++ b/internal/handler/handler.go
@ -144,7 +144,12 @@ func (h *Handler) Routes() *http.ServeMux {
 	return mux
 }

-// handleNotFound renders a styled 404 page.
-func (h *Handler) handleNotFound(w http.ResponseWriter, r *http.Request) {
+// notFound renders a styled 404 error page.
+func (h *Handler) notFound(w http.ResponseWriter, r *http.Request) {
 	h.deps.Renderer.Error(w, r, http.StatusNotFound, "Ikke funnet")
 }
+
+// forbidden renders a styled 403 error page.
+func (h *Handler) forbidden(w http.ResponseWriter, r *http.Request) {
+	h.deps.Renderer.Error(w, r, http.StatusForbidden, "Ingen tilgang")
+}
--- a/internal/handler/profile.go
+++ b/internal/handler/profile.go
@ -22,7 +22,7 @@ func (h *Handler) handlePublicProfile(w http.ResponseWriter, r *http.Request) {
 	profileUser, err := h.deps.Users.GetByUsername(username)
 	if err != nil {
 		if errors.Is(err, store.ErrUserNotFound) {
-			http.NotFound(w, r)
+			h.notFound(w, r)
 			return
 		}
 		slog.Error("get user error", "error", err)
@ -31,7 +31,7 @@ func (h *Handler) handlePublicProfile(w http.ResponseWriter, r *http.Request) {
 	}

 	if profileUser.Disabled {
-		http.NotFound(w, r)
+		h.notFound(w, r)
 		return
 	}

--- a/internal/middleware/auth.go
+++ b/internal/middleware/auth.go
@ -6,6 +6,7 @@ import (
 	"context"
 	"errors"
 	"net/http"
+	"strings"

 	"kode.naiv.no/olemd/favoritter/internal/store"
 )
@ -28,6 +29,15 @@ func ClearSessionCookie(w http.ResponseWriter) {
 func SessionLoader(sessions *store.SessionStore, users *store.UserStore) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// Skip session lookup for static assets and uploads — they
+			// never use the user context and this avoids 2 DB queries
+			// per asset per page load.
+			if strings.HasPrefix(r.URL.Path, "/static/") ||
+				strings.HasPrefix(r.URL.Path, "/uploads/") {
+				next.ServeHTTP(w, r)
+				return
+			}
+
 			cookie, err := r.Cookie(SessionCookieName)
 			if err != nil {
 				next.ServeHTTP(w, r)
--- a/internal/render/render.go
+++ b/internal/render/render.go
@ -154,14 +154,32 @@ func (r *Renderer) Page(w http.ResponseWriter, req *http.Request, name string, d

 // Error renders an error page with the given HTTP status code.
 func (r *Renderer) Error(w http.ResponseWriter, req *http.Request, code int, message string) {
-	w.WriteHeader(code)
-	r.Page(w, req, "error", PageData{
+	data := PageData{
 		Title: message,
 		Data: map[string]any{
 			"Code":    code,
 			"Message": message,
 		},
-	})
+	}
+
+	// Populate common fields from context (same as Page does).
+	data.User = middleware.UserFromContext(req.Context())
+	data.CSRFToken = middleware.CSRFTokenFromContext(req.Context())
+	data.BasePath = r.cfg.BasePath
+	data.SiteName = r.cfg.SiteName
+	data.ExternalURL = r.cfg.ExternalURL
+
+	t, ok := r.templates["error"]
+	if !ok {
+		http.Error(w, message, code)
+		return
+	}
+
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	w.WriteHeader(code)
+	if err := t.ExecuteTemplate(w, "base.html", data); err != nil {
+		slog.Error("error template execute failed", "error", err)
+	}
 }

 // Partial renders a partial template (for HTMX responses).
@ -184,12 +202,14 @@ func (r *Renderer) templateFuncs() template.FuncMap {
 		"externalURL": func() string {
 			return r.cfg.ExternalURL
 		},
-		// truncate truncates a string to n characters.
+		// truncate truncates a string to n runes (not bytes) to avoid
+		// splitting multi-byte UTF-8 characters (Norwegian æøå etc.).
 		"truncate": func(n int, s string) string {
-			if len(s) <= n {
+			runes := []rune(s)
+			if len(runes) <= n {
 				return s
 			}
-			return s[:n] + "..."
+			return string(runes[:n]) + "..."
 		},
 		// join joins strings with a separator.
 		"join": strings.Join,