0.0.17a / Alpha. Introduce users and page editing.v0.0.17a

Breaking changes:

inc/base.html is now tpl/base.md by default. This can be overridden
on the command line.

404.md is now tpl/404.md. This can be overridden with templatedirectory
in the configuration file.

Additional files:

`auth.json` file that stores credentials and settings for
authorization cookie.

Further notes:

This will likely receive some major updates and changes over
the next few commits. The scaffolidng is now in place for
user accounts, login handling, and page editing.

It's all extremely basic at the moment, on the idea list:

Listing of all markdown files
File uploader and general content management
Flags to turn on/off git integration for edits.
Download / Upload of all markdown files as a backup/restore.

It's of course, all subject to change.

8 files changed, 373 insertions, 6 deletions

diff --git a/cmd/server/app.go b/cmd/server/app.go
index 4f62a09..d4977ab 100644
--- a/cmd/server/app.go
+++ b/cmd/server/app.go
@@ -16,11 +16,15 @@ type App struct {
 	redisPool *redis.Pool
 	RedisKey  string
 
-	ReIndexPath     string
-	StaticDirectory string
-	BaseTemplate    string
-	DocumentSplit   string
-	Suffix          string
+	ReIndexPath       string
+	StaticDirectory   string
+	BaseTemplate      string
+	TemplateDirectory string
+	DocumentSplit     string
+	Suffix            string
+
+	// Related to user authentication
+	auth *Auth
 
 	// 	Related to the Atom feed
 	Title       string
@@ -59,6 +63,10 @@ func loadConf(fn string) (*App, error) {
 		page.BaseTemplate = app.BaseTemplate
 	}
 
+	if app.TemplateDirectory != "" {
+		page.TemplateDirectory = app.TemplateDirectory
+	}
+
 	if app.DocumentSplit != "" {
 		page.DocumentSplit = app.DocumentSplit
 	}
diff --git a/cmd/server/auth.go b/cmd/server/auth.go
new file mode 100644
index 0000000..caade97
--- /dev/null
+++ b/cmd/server/auth.go
@@ -0,0 +1,108 @@
+package main
+
+import (
+	"crypto/rand"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"os"
+	"strings"
+
+	"riedstra.dev/mitch/go-website/users"
+)
+
+type Auth struct {
+	Users []*users.SiteUser `json:"Users"`
+	// How long are JWTs valid?
+	LoginHours int `json:"LoginHours"`
+	// JWT secret
+	TokenKey string `json:"TokenKey"`
+	// Are cookies HTTP only?
+	HTTPOnly bool `json:"HTTPOnly"`
+	// Do they require HTTPs?
+	Secure bool `json:"SecureCookie"`
+	// See https://pkg.go.dev/net/http#SameSite
+	// You probably want this set to 3
+	SameSiteStrict http.SameSite `json:"SameSiteStrict"`
+}
+
+func GenTokenKey() string {
+	r := make([]byte, 16) // 128 bits
+	_, err := rand.Read(r)
+
+	if err != nil {
+		// Not my favorite thing, but I consider this to be a
+		// critical issue
+		panic(fmt.Errorf("reading random bytes: %w", err))
+	}
+
+	return base64.RawURLEncoding.EncodeToString(r)
+}
+
+func (a *App) ReadAuth(fn string) error { //nolint
+	auth := &Auth{
+		Users: []*users.SiteUser{
+			{
+				Username: "admin",
+				Password: "admin",
+			},
+		},
+		LoginHours:     1,
+		TokenKey:       GenTokenKey(),
+		HTTPOnly:       true,
+		Secure:         true,
+		SameSiteStrict: http.SameSiteStrictMode,
+	}
+
+	var dec *json.Decoder
+
+	fh, err := os.Open(fn)
+	if err != nil {
+		if strings.Contains(err.Error(), "no such file") {
+			goto write
+		}
+
+		return fmt.Errorf("opening %s: %w", fn, err)
+	}
+
+	dec = json.NewDecoder(fh)
+	dec.DisallowUnknownFields()
+
+	err = dec.Decode(auth)
+	if err != nil {
+		return fmt.Errorf("decoding file %s: %w", fn, err)
+	}
+
+	err = fh.Close()
+	if err != nil {
+		return fmt.Errorf("closing file %s: %w", fn, err)
+	}
+
+	for _, u := range auth.Users {
+		err = u.SetPasswordHashIfNecessary()
+		if err != nil {
+			return fmt.Errorf("setting password hash for: %s: %w",
+				u.Username, err)
+		}
+	}
+
+write:
+	fh, err = os.OpenFile(fn, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
+
+	if err != nil {
+		return fmt.Errorf("opening file %s: %w", fn, err)
+	}
+
+	enc := json.NewEncoder(fh)
+	enc.SetIndent("", "    ")
+
+	err = enc.Encode(auth)
+	if err != nil {
+		return fmt.Errorf("encoding to file %s: %w", fn, err)
+	}
+
+	a.auth = auth
+
+	return nil
+}
diff --git a/cmd/server/dashboard.go b/cmd/server/dashboard.go
new file mode 100644
index 0000000..a07e722
--- /dev/null
+++ b/cmd/server/dashboard.go
@@ -0,0 +1,5 @@
+package main
+
+// func (a *App) DashboardHandler(w http.ResponseWriter, r *http.Request) {
+// 	page.Render("
+// }
diff --git a/cmd/server/edit.go b/cmd/server/edit.go
new file mode 100644
index 0000000..730e6e9
--- /dev/null
+++ b/cmd/server/edit.go
@@ -0,0 +1,90 @@
+package main
+
+import (
+	"bytes"
+	"html"
+	"io"
+	"log"
+	"net/http"
+	"os"
+	"path/filepath"
+
+	"riedstra.dev/mitch/go-website/page"
+)
+
+func (a *App) EditPage(w http.ResponseWriter, r *http.Request) {
+	if r.Method != "GET" {
+		page.Render(w, r, page.TemplateDirectory+"/4xx", map[string]interface{}{
+			"Title":       "Method Not allowed",
+			"Description": "Method not allowed",
+		}, http.StatusMethodNotAllowed)
+
+		return
+	}
+
+	p := r.URL.Path
+
+	p = filepath.Clean(p)
+
+	fh, err := os.Open("./" + p + page.Suffix)
+	if err != nil {
+		log.Printf("opening page: %s", err)
+		a.Err500Default(w, r)
+
+		return
+	}
+
+	b, err := io.ReadAll(fh)
+	if err != nil {
+		log.Printf("opening page: %s", err)
+		a.Err500Default(w, r)
+
+		return
+	}
+
+	page.Render(w, r, page.TemplateDirectory+"/edit", map[string]interface{}{
+		"Page":    p,
+		"Content": html.EscapeString(string(b)),
+	}, http.StatusOK)
+}
+
+func (a *App) SaveEditPage(w http.ResponseWriter, r *http.Request) {
+	if r.Method != "POST" {
+		a.Err500Default(w, r)
+
+		return
+	}
+
+	p := r.URL.Path
+	content := r.FormValue("content")
+
+	content = html.UnescapeString(content)
+	p = filepath.Clean(p)
+
+	fn := "./" + p + page.Suffix
+
+	fh, err := os.OpenFile(fn, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0644)
+	if err != nil {
+		log.Printf("opening file %s for writing: %s", fn, err)
+		a.Err500Default(w, r)
+
+		return
+	}
+
+	c := bytes.ReplaceAll([]byte(content), []byte{'\r'}, []byte{})
+
+	_, err = fh.Write(c)
+	if err != nil {
+		log.Printf("opening file %s for writing: %s", fn, err)
+		a.Err500Default(w, r)
+
+		return
+	}
+
+	http.Redirect(w, r, "/"+r.URL.Path, http.StatusFound)
+
+	err = a.ClearRedis() // Clear out the cache if any
+	if err != nil {
+		log.Printf("after editing %s: %s", fn, err)
+	}
+}
diff --git a/cmd/server/feed.go b/cmd/server/feed.go
index 880eeb4..212e5da 100644
--- a/cmd/server/feed.go
+++ b/cmd/server/feed.go
@@ -203,7 +203,7 @@ func (a *App) FeedHandler(w http.ResponseWriter, r *http.Request) { //nolint:fun
 		}
 
 		entry := Entry{
-			Title:   p.Title,
+			Title:   p.Title(),
 			Updated: &p.Date.Time,
 			Links:   []Link{{Href: strings.Join([]string{a.SiteURL, p.Path()}, "/")}},
 		}
diff --git a/cmd/server/handlers.go b/cmd/server/handlers.go
index 205d462..1711ae3 100644
--- a/cmd/server/handlers.go
+++ b/cmd/server/handlers.go
@@ -15,6 +15,13 @@ func (a *App) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	rtr.HandleFunc(a.ReIndexPath, a.RebuildIndexHandler)
 	rtr.PathPrefix("/static/").Handler(a.StaticHandler())
 
+	rtr.HandleFunc("/login", a.LoginHandler)
+	rtr.Handle("/logout", a.RequiresLogin(http.HandlerFunc(a.LogoutHandler)))
+	rtr.PathPrefix("/edit/").Handler(
+		a.RequiresLogin(http.StripPrefix("/edit/", http.HandlerFunc(a.EditPage)))).Methods("GET")
+	rtr.PathPrefix("/edit/").Handler(
+		a.RequiresLogin(http.StripPrefix("/edit/", http.HandlerFunc(a.SaveEditPage)))).Methods("POST")
+
 	if a.redisPool != nil {
 		rtr.PathPrefix(fmt.Sprintf("/%s/{tag}", a.FeedPrefix)).Handler(
 			rediscache.HandleWithParams(a.redisPool, a.RedisKey,
diff --git a/cmd/server/main.go b/cmd/server/main.go
index 912cba0..ee8cf6f 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -28,6 +28,8 @@ func main() { //nolint:funlen
 	directory := fl.String("d", ".", "Directory to serve.")
 	version := fl.Bool("v", false, "Print the version then exit")
 	confFn := fl.String("c", "conf.yml", "Location for the config file")
+	authConfFn := fl.String("ac", "auth.json",
+		"Location for authorization configuration file")
 	verbose := fl.Bool("V", false, "Be more verbose ( dump config, etc ) ")
 	fl.StringVar(&page.TimeFormat, "T", page.TimeFormat,
 		"Set the page time format, be careful with this")
@@ -61,6 +63,11 @@ func main() { //nolint:funlen
 		app = &App{}
 	}
 
+	err = app.ReadAuth(*authConfFn)
+	if err != nil {
+		log.Println(err)
+	}
+
 	if app.ReIndexPath == "" || *indexPath != defaultIndexPath {
 		app.ReIndexPath = *indexPath
 	}
diff --git a/cmd/server/middleware.go b/cmd/server/middleware.go
new file mode 100644
index 0000000..5e4bf26
--- /dev/null
+++ b/cmd/server/middleware.go
@@ -0,0 +1,142 @@
+package main
+
+import (
+	"log"
+	"net/http"
+	"time"
+
+	jwt "github.com/dgrijalva/jwt-go"
+	"riedstra.dev/mitch/go-website/page"
+	"riedstra.dev/mitch/go-website/users"
+)
+
+func (a *App) Err5xx(w http.ResponseWriter, r *http.Request,
+	statusCode int, title, desc string) {
+	page.Render5xx(w, r, map[string]interface{}{
+		"Error":       title,
+		"Description": desc,
+	}, statusCode)
+}
+
+func (a *App) Err500Default(w http.ResponseWriter, r *http.Request) {
+	a.Err5xx(w, r, http.StatusInternalServerError, "Internal server error",
+		"Internal server error.")
+}
+
+func (a *App) LogoutHandler(w http.ResponseWriter, r *http.Request) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     "Auth",
+		HttpOnly: a.auth.HTTPOnly,
+		SameSite: a.auth.SameSiteStrict,
+		Secure:   a.auth.Secure,
+		Value:    "logout",
+		Expires:  time.Now().Add(time.Second * 15), //nolint
+	})
+
+	http.Redirect(w, r, "/", http.StatusFound)
+}
+
+func (a *App) LoginHandler(w http.ResponseWriter, r *http.Request) { //nolint
+	if r.Method == "GET" {
+		page.RenderForPath(w, r, "login")
+
+		return
+	}
+
+	if r.Method != "POST" {
+		a.Err500Default(w, r)
+
+		return
+	}
+
+	log.Printf("made it")
+
+	username := r.FormValue("username")
+	password := r.FormValue("password")
+
+	var (
+		err   error = nil
+		u     *users.SiteUser
+		found = false
+	)
+
+	for _, u = range a.auth.Users {
+		if u.Username == username {
+			err = u.CheckPassword(password)
+			found = true
+		}
+	}
+
+	if err != nil || !found {
+		page.Render(w, r, "login", map[string]interface{}{
+			"Error":    "Invalid username or password",
+			"Username": username,
+		}, http.StatusUnauthorized)
+
+		return
+	}
+
+	token := jwt.NewWithClaims(jwt.SigningMethodHS512, &jwt.StandardClaims{
+		ExpiresAt: time.Now().Add(
+			time.Hour * time.Duration(a.auth.LoginHours)).Unix(),
+		Id: u.Username,
+	})
+
+	ss, err := token.SignedString([]byte(a.auth.TokenKey))
+	if err != nil {
+		log.Println("login: encountered while setting up JWT: ", err)
+		a.Err500Default(w, r)
+
+		return
+	}
+
+	log.Println(ss)
+
+	http.SetCookie(w, &http.Cookie{
+		Name:     "Auth",
+		HttpOnly: a.auth.HTTPOnly,
+		SameSite: a.auth.SameSiteStrict,
+		Secure:   a.auth.Secure,
+		Value:    ss,
+	})
+
+	http.Redirect(w, r, "/login", http.StatusFound)
+}
+
+func (a *App) RequiresLogin(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		mustLoginResp := func() {
+			page.Render(w, r, "login", map[string]interface{}{
+				"Error": "You must login to view this page",
+			}, http.StatusUnauthorized)
+		}
+
+		c, err := r.Cookie("Auth")
+		if err != nil {
+			mustLoginResp()
+
+			return
+		}
+
+		token, err := jwt.Parse(c.Value,
+			func(token *jwt.Token) (interface{}, error) {
+				return []byte(a.auth.TokenKey), nil
+			},
+		)
+
+		if err != nil {
+			log.Printf("Unauthorized request %s %s", r.Method, r.URL.Path)
+			mustLoginResp()
+
+			return
+		}
+
+		if !token.Valid {
+			mustLoginResp()
+
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}