Add HTMX-based UI templates and handlers for account and audit management

- Introduced `web/templates/` for HTMX-fragmented pages (`dashboard`, `accounts`, `account_detail`, `error_fragment`, etc.). - Implemented UI routes for account CRUD, audit log display, and login/logout with CSRF protection. - Added `internal/ui/` package for handlers, CSRF manager, session validation, and token issuance. - Updated documentation to include new UI features and templates directory structure. - Security: Double-submit CSRF cookies, constant-time HMAC validation, login password/Argon2id re-verification at all steps to prevent bypass.
2026-03-11 18:02:53 -07:00
parent 0c441f5c4f
commit a80242ae3e
21 changed files with 1425 additions and 20 deletions
--- a/internal/ui/ui.go
+++ b/internal/ui/ui.go
@@ -0,0 +1,365 @@
+// Package ui provides the HTMX-based management web interface for MCIAS.
+//
+// Security design:
+//   - Session tokens are stored as HttpOnly, Secure, SameSite=Strict cookies.
+//     They are never accessible to JavaScript.
+//   - CSRF protection uses the HMAC-signed Double-Submit Cookie pattern.
+//     The mcias_csrf cookie is non-HttpOnly so HTMX can include it in the
+//     X-CSRF-Token header on every mutating request. SameSite=Strict is the
+//     primary browser-level CSRF defence.
+//   - UI handlers call internal Go functions directly — no internal HTTP round-trips.
+//   - All templates are parsed once at startup via embed.FS; no dynamic template
+//     loading from disk at request time.
+package ui
+
+import (
+	"bytes"
+	"crypto/ed25519"
+	"embed"
+	"fmt"
+	"html/template"
+	"io/fs"
+	"log/slog"
+	"net/http"
+	"strings"
+	"time"
+
+	"git.wntrmute.dev/kyle/mcias/internal/config"
+	"git.wntrmute.dev/kyle/mcias/internal/db"
+	"git.wntrmute.dev/kyle/mcias/internal/model"
+)
+
+//go:embed all:../../web/templates
+var templateFS embed.FS
+
+//go:embed all:../../web/static
+var staticFS embed.FS
+
+const (
+	sessionCookieName = "mcias_session"
+	csrfCookieName    = "mcias_csrf"
+)
+
+// UIServer serves the HTMX-based management UI.
+type UIServer struct {
+	db        *db.DB
+	cfg       *config.Config
+	pubKey    ed25519.PublicKey
+	privKey   ed25519.PrivateKey
+	masterKey []byte
+	logger    *slog.Logger
+	csrf      *CSRFManager
+	tmpl      *template.Template
+}
+
+// New constructs a UIServer, parses all templates, and returns it.
+// Returns an error if template parsing fails.
+func New(database *db.DB, cfg *config.Config, priv ed25519.PrivateKey, pub ed25519.PublicKey, masterKey []byte, logger *slog.Logger) (*UIServer, error) {
+	csrf := newCSRFManager(masterKey)
+
+	funcMap := template.FuncMap{
+		"formatTime": func(t time.Time) string {
+			if t.IsZero() {
+				return ""
+			}
+			return t.UTC().Format("2006-01-02 15:04:05")
+		},
+		"truncateJTI": func(jti string) string {
+			if len(jti) > 8 {
+				return jti[:8]
+			}
+			return jti
+		},
+		"string": func(v interface{}) string {
+			switch s := v.(type) {
+			case model.AccountStatus:
+				return string(s)
+			case model.AccountType:
+				return string(s)
+			default:
+				return fmt.Sprintf("%v", v)
+			}
+		},
+		"hasRole": func(roles []string, role string) bool {
+			for _, r := range roles {
+				if r == role {
+					return true
+				}
+			}
+			return false
+		},
+		"not": func(b bool) bool { return !b },
+		"add": func(a, b int) int { return a + b },
+		"sub": func(a, b int) int { return a - b },
+		"gt":  func(a, b int) bool { return a > b },
+		"lt":  func(a, b int) bool { return a < b },
+	}
+
+	tmpl, err := template.New("").Funcs(funcMap).ParseFS(templateFS,
+		"web/templates/base.html",
+		"web/templates/login.html",
+		"web/templates/dashboard.html",
+		"web/templates/accounts.html",
+		"web/templates/account_detail.html",
+		"web/templates/audit.html",
+		"web/templates/fragments/account_row.html",
+		"web/templates/fragments/account_status.html",
+		"web/templates/fragments/roles_editor.html",
+		"web/templates/fragments/token_list.html",
+		"web/templates/fragments/totp_step.html",
+		"web/templates/fragments/error.html",
+		"web/templates/fragments/audit_rows.html",
+	)
+	if err != nil {
+		return nil, fmt.Errorf("ui: parse templates: %w", err)
+	}
+
+	return &UIServer{
+		db:        database,
+		cfg:       cfg,
+		pubKey:    pub,
+		privKey:   priv,
+		masterKey: masterKey,
+		logger:    logger,
+		csrf:      csrf,
+		tmpl:      tmpl,
+	}, nil
+}
+
+// Register attaches all UI routes to mux.
+func (u *UIServer) Register(mux *http.ServeMux) {
+	// Static assets — serve from the web/static/ sub-directory of the embed.
+	staticSubFS, err := fs.Sub(staticFS, "web/static")
+	if err != nil {
+		panic(fmt.Sprintf("ui: static sub-FS: %v", err))
+	}
+	mux.Handle("GET /static/", http.StripPrefix("/static/", http.FileServerFS(staticSubFS)))
+
+	// Redirect root to login.
+	mux.HandleFunc("GET /", func(w http.ResponseWriter, r *http.Request) {
+		if r.URL.Path == "/" {
+			http.Redirect(w, r, "/login", http.StatusFound)
+			return
+		}
+		http.NotFound(w, r)
+	})
+
+	// Auth routes (no session required).
+	mux.HandleFunc("GET /login", u.handleLoginPage)
+	mux.HandleFunc("POST /login", u.handleLoginPost)
+	mux.HandleFunc("POST /logout", u.handleLogout)
+
+	// Protected routes.
+	auth := u.requireCookieAuth
+	admin := func(h http.HandlerFunc) http.Handler {
+		return auth(u.requireCSRF(http.HandlerFunc(h)))
+	}
+	adminGet := func(h http.HandlerFunc) http.Handler {
+		return auth(http.HandlerFunc(h))
+	}
+
+	mux.Handle("GET /dashboard", adminGet(u.handleDashboard))
+	mux.Handle("GET /accounts", adminGet(u.handleAccountsList))
+	mux.Handle("POST /accounts", admin(u.handleCreateAccount))
+	mux.Handle("GET /accounts/{id}", adminGet(u.handleAccountDetail))
+	mux.Handle("PATCH /accounts/{id}/status", admin(u.handleUpdateAccountStatus))
+	mux.Handle("DELETE /accounts/{id}", admin(u.handleDeleteAccount))
+	mux.Handle("GET /accounts/{id}/roles/edit", adminGet(u.handleRolesEditForm))
+	mux.Handle("PUT /accounts/{id}/roles", admin(u.handleSetRoles))
+	mux.Handle("DELETE /token/{jti}", admin(u.handleRevokeToken))
+	mux.Handle("POST /accounts/{id}/token", admin(u.handleIssueSystemToken))
+	mux.Handle("GET /audit", adminGet(u.handleAuditPage))
+	mux.Handle("GET /audit/rows", adminGet(u.handleAuditRows))
+}
+
+// ---- Middleware ----
+
+// requireCookieAuth validates the mcias_session cookie and injects claims.
+// On failure, HTMX requests get HX-Redirect; browser requests get a redirect.
+func (u *UIServer) requireCookieAuth(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		cookie, err := r.Cookie(sessionCookieName)
+		if err != nil || cookie.Value == "" {
+			u.redirectToLogin(w, r)
+			return
+		}
+
+		claims, err := validateSessionToken(u.pubKey, cookie.Value, u.cfg.Tokens.Issuer)
+		if err != nil {
+			u.clearSessionCookie(w)
+			u.redirectToLogin(w, r)
+			return
+		}
+
+		// Check revocation.
+		rec, err := u.db.GetTokenRecord(claims.JTI)
+		if err != nil || rec.IsRevoked() {
+			u.clearSessionCookie(w)
+			u.redirectToLogin(w, r)
+			return
+		}
+
+		ctx := contextWithClaims(r.Context(), claims)
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
+
+// requireCSRF validates the CSRF token on mutating requests (POST/PUT/PATCH/DELETE).
+// The token is read from X-CSRF-Token header (HTMX) or _csrf form field (fallback).
+func (u *UIServer) requireCSRF(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		cookie, err := r.Cookie(csrfCookieName)
+		if err != nil || cookie.Value == "" {
+			http.Error(w, "CSRF cookie missing", http.StatusForbidden)
+			return
+		}
+
+		// Header takes precedence (HTMX sets it automatically via hx-headers on body).
+		formVal := r.Header.Get("X-CSRF-Token")
+		if formVal == "" {
+			// Fallback: parse form and read _csrf field.
+			if parseErr := r.ParseForm(); parseErr == nil {
+				formVal = r.FormValue("_csrf")
+			}
+		}
+
+		if !u.csrf.Validate(cookie.Value, formVal) {
+			http.Error(w, "CSRF token invalid", http.StatusForbidden)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
+// ---- Helpers ----
+
+// isHTMX reports whether the request was initiated by HTMX.
+func isHTMX(r *http.Request) bool {
+	return r.Header.Get("HX-Request") == "true"
+}
+
+// redirectToLogin redirects to the login page, using HX-Redirect for HTMX.
+func (u *UIServer) redirectToLogin(w http.ResponseWriter, r *http.Request) {
+	if isHTMX(r) {
+		w.Header().Set("HX-Redirect", "/login")
+		w.WriteHeader(http.StatusUnauthorized)
+		return
+	}
+	http.Redirect(w, r, "/login", http.StatusFound)
+}
+
+// clearSessionCookie expires the session cookie.
+func (u *UIServer) clearSessionCookie(w http.ResponseWriter) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     sessionCookieName,
+		Value:    "",
+		Path:     "/",
+		MaxAge:   -1,
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteStrictMode,
+	})
+}
+
+// setCSRFCookies sets the mcias_csrf cookie and returns the header value to
+// embed in the page/form.
+func (u *UIServer) setCSRFCookies(w http.ResponseWriter) (string, error) {
+	cookieVal, headerVal, err := u.csrf.NewToken()
+	if err != nil {
+		return "", err
+	}
+	http.SetCookie(w, &http.Cookie{
+		Name:  csrfCookieName,
+		Value: cookieVal,
+		Path:  "/",
+		// Security: non-HttpOnly so that HTMX can embed it in hx-headers;
+		// SameSite=Strict is the primary CSRF defence for browser requests.
+		HttpOnly: false,
+		Secure:   true,
+		SameSite: http.SameSiteStrictMode,
+	})
+	return headerVal, nil
+}
+
+// render executes the named template, writing the result to w.
+// Renders to a buffer first so partial template failures don't corrupt output.
+func (u *UIServer) render(w http.ResponseWriter, name string, data interface{}) {
+	var buf bytes.Buffer
+	if err := u.tmpl.ExecuteTemplate(&buf, name, data); err != nil {
+		u.logger.Error("template render error", "template", name, "error", err)
+		http.Error(w, "internal server error", http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	_, _ = w.Write(buf.Bytes())
+}
+
+// renderError returns an error response appropriate for the request type.
+func (u *UIServer) renderError(w http.ResponseWriter, r *http.Request, status int, msg string) {
+	if isHTMX(r) {
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		w.WriteHeader(status)
+		_, _ = fmt.Fprintf(w, `<div class="alert alert-error" role="alert">%s</div>`, template.HTMLEscapeString(msg))
+		return
+	}
+	http.Error(w, msg, status)
+}
+
+// clientIP extracts the client IP from RemoteAddr (best effort).
+func clientIP(r *http.Request) string {
+	addr := r.RemoteAddr
+	if idx := strings.LastIndex(addr, ":"); idx != -1 {
+		return addr[:idx]
+	}
+	return addr
+}
+
+// ---- Page data types ----
+
+// PageData is embedded in all page-level view structs.
+type PageData struct {
+	CSRFToken string
+	Flash     string
+	Error     string
+}
+
+// LoginData is the view model for the login page.
+type LoginData struct {
+	Error    string
+	Username string // pre-filled on TOTP step
+	Password string // pre-filled on TOTP step (value attr, never logged)
+}
+
+// DashboardData is the view model for the dashboard page.
+type DashboardData struct {
+	PageData
+	TotalAccounts  int
+	ActiveAccounts int
+	RecentEvents   []*db.AuditEventView
+}
+
+// AccountsData is the view model for the accounts list page.
+type AccountsData struct {
+	PageData
+	Accounts []*model.Account
+}
+
+// AccountDetailData is the view model for the account detail page.
+type AccountDetailData struct {
+	PageData
+	Account  *model.Account
+	Roles    []string
+	AllRoles []string
+	Tokens   []*model.TokenRecord
+}
+
+// AuditData is the view model for the audit log page.
+type AuditData struct {
+	PageData
+	Events     []*db.AuditEventView
+	EventTypes []string
+	FilterType string
+	Total      int64
+	Page       int
+	TotalPages int
+}