olemd/favoritter
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions
favoritter/internal/handler/handler.go
Ole-Morten Duesund fc1f7259c5 feat: implement Phase 1 (auth) and Phase 2 (faves CRUD) foundation 
Go backend with server-rendered HTML/HTMX frontend, SQLite database,
and filesystem image storage. Self-hostable single-binary architecture.

Phase 1 — Authentication & project foundation:
- Argon2id password hashing with timing-attack prevention
- Session management with cookie-based auth and periodic cleanup
- Login, signup (open/requests/closed modes), logout, forced password reset
- CSRF double-submit cookie pattern with HTMX auto-inclusion
- Proxy-aware real IP extraction (WireGuard/Tailscale support)
- Configurable base path for subdomain and subpath deployment
- Rate limiting on auth endpoints with background cleanup
- Security headers (CSP, X-Frame-Options, Referrer-Policy)
- Structured logging with slog, graceful shutdown
- Pico CSS + HTMX vendored and embedded via go:embed

Phase 2 — Faves CRUD with tags and images:
- Full CRUD for favorites with ownership checks
- Image upload with EXIF stripping, resize to 1920px, UUID filenames
- Tag system with HTMX autocomplete (prefix search, popularity-sorted)
- Privacy controls (public/private per fave, user-configurable default)
- Tag browsing, pagination, batch tag loading (avoids N+1)
- OpenGraph meta tags on public fave detail pages

Includes code quality pass: extracted shared helpers, fixed signup
request persistence bug, plugged rate limiter memory leak, removed
dead code, and logged previously-swallowed errors.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-29 15:55:22 +02:00

107 lines
3.4 KiB
Go
Raw Blame History

// SPDX-License-Identifier: AGPL-3.0-or-later
// Package handler contains HTTP handlers for all web and API routes.
package handler
import (
"context"
"io/fs"
"net/http"
"time"
"kode.naiv.no/olemd/favoritter/internal/config"
"kode.naiv.no/olemd/favoritter/internal/middleware"
"kode.naiv.no/olemd/favoritter/internal/render"
"kode.naiv.no/olemd/favoritter/internal/store"
"kode.naiv.no/olemd/favoritter/web"
)
// Deps bundles all dependencies injected into handlers.
type Deps struct {
Config *config.Config
Users *store.UserStore
Sessions *store.SessionStore
Settings *store.SettingsStore
Faves *store.FaveStore
Tags *store.TagStore
SignupRequests *store.SignupRequestStore
Renderer *render.Renderer
}
// Handler holds all HTTP handler methods and their dependencies.
type Handler struct {
deps Deps
rateLimiter *middleware.RateLimiter
}
// New creates a new Handler with the given dependencies.
func New(deps Deps) *Handler {
return &Handler{
deps: deps,
rateLimiter: middleware.NewRateLimiter(deps.Config.RateLimit),
}
}
// RateLimiterCleanupLoop periodically evicts stale rate limiter entries.
func (h *Handler) RateLimiterCleanupLoop(ctx context.Context, interval time.Duration) {
ticker := time.NewTicker(interval)
defer ticker.Stop()
for {
select {
case <-ctx.Done():
return
case <-ticker.C:
h.rateLimiter.Cleanup()
}
}
}
// Routes registers all routes on a new ServeMux and returns it.
func (h *Handler) Routes() *http.ServeMux {
mux := http.NewServeMux()
// Static files (served from embedded filesystem).
staticFS, err := fs.Sub(web.StaticFS, "static")
if err != nil {
panic("embedded static filesystem missing: " + err.Error())
}
mux.Handle("GET /static/", http.StripPrefix("/static/", http.FileServer(http.FS(staticFS))))
// Uploaded images (served from the filesystem upload directory).
mux.Handle("GET /uploads/", http.StripPrefix("/uploads/",
http.FileServer(http.Dir(h.deps.Config.UploadDir))))
// Health check.
mux.HandleFunc("GET /health", h.handleHealth)
// Auth routes (rate-limited).
mux.Handle("POST /login", h.rateLimiter.Limit(http.HandlerFunc(h.handleLoginPost)))
mux.Handle("POST /signup", h.rateLimiter.Limit(http.HandlerFunc(h.handleSignupPost)))
mux.HandleFunc("GET /login", h.handleLoginGet)
mux.HandleFunc("GET /signup", h.handleSignupGet)
mux.HandleFunc("POST /logout", h.handleLogout)
// Password reset (for must-reset-password flow).
mux.HandleFunc("GET /reset-password", h.handleResetPasswordGet)
mux.HandleFunc("POST /reset-password", h.handleResetPasswordPost)
// Home page.
mux.HandleFunc("GET /{$}", h.handleHome)
// Faves — authenticated routes use requireLogin wrapper.
requireLogin := middleware.RequireLogin(h.deps.Config.BasePath)
mux.Handle("GET /faves", requireLogin(http.HandlerFunc(h.handleFaveList)))
mux.Handle("GET /faves/new", requireLogin(http.HandlerFunc(h.handleFaveNew)))
mux.Handle("POST /faves", requireLogin(http.HandlerFunc(h.handleFaveCreate)))
mux.HandleFunc("GET /faves/{id}", h.handleFaveDetail)
mux.Handle("GET /faves/{id}/edit", requireLogin(http.HandlerFunc(h.handleFaveEdit)))
mux.Handle("POST /faves/{id}", requireLogin(http.HandlerFunc(h.handleFaveUpdate)))
mux.Handle("DELETE /faves/{id}", requireLogin(http.HandlerFunc(h.handleFaveDelete)))
// Tags.
mux.HandleFunc("GET /tags/search", h.handleTagSearch)
mux.HandleFunc("GET /tags/{name}", h.handleTagBrowse)
return mux
}
Reference in a new issue View git blame Copy permalink