// Package ui provides the HTMX-based management web interface for MCIAS. // // Security design: // - Session tokens are stored as HttpOnly, Secure, SameSite=Strict cookies. // They are never accessible to JavaScript. // - CSRF protection uses the HMAC-signed Double-Submit Cookie pattern. // The mcias_csrf cookie is non-HttpOnly so HTMX can include it in the // X-CSRF-Token header on every mutating request. SameSite=Strict is the // primary browser-level CSRF defence. // - UI handlers call internal Go functions directly — no internal HTTP round-trips. // - All templates are parsed once at startup via embed.FS; no dynamic template // loading from disk at request time. package ui import ( "bytes" "crypto/ed25519" "crypto/rand" "encoding/hex" "encoding/json" "fmt" "html/template" "io/fs" "log/slog" "net/http" "strings" "sync" "time" "git.wntrmute.dev/kyle/mcias/internal/auth" "git.wntrmute.dev/kyle/mcias/internal/config" "git.wntrmute.dev/kyle/mcias/internal/db" "git.wntrmute.dev/kyle/mcias/internal/model" "git.wntrmute.dev/kyle/mcias/web" ) const ( sessionCookieName = "mcias_session" csrfCookieName = "mcias_csrf" totpNonceTTL = 90 * time.Second // single-use TOTP step nonce lifetime totpNonceBytes = 16 // 128 bits of entropy ) // pendingLogin is a short-lived record created after password verification // succeeds but before TOTP confirmation. It holds the account ID so the // TOTP step never needs to re-transmit the password. // // Security: the nonce is single-use (deleted on first lookup) and expires // after totpNonceTTL to bound the window of a stolen nonce. type pendingLogin struct { expiresAt time.Time accountID int64 } // UIServer serves the HTMX-based management UI. type UIServer struct { pendingLogins sync.Map // nonce (string) → *pendingLogin tmpls map[string]*template.Template // page name → template set db *db.DB cfg *config.Config logger *slog.Logger csrf *CSRFManager pubKey ed25519.PublicKey privKey ed25519.PrivateKey masterKey []byte } // issueTOTPNonce creates a random single-use nonce for the TOTP step and // stores the account ID it corresponds to. Returns the hex-encoded nonce. func (u *UIServer) issueTOTPNonce(accountID int64) (string, error) { raw := make([]byte, totpNonceBytes) if _, err := rand.Read(raw); err != nil { return "", fmt.Errorf("ui: generate TOTP nonce: %w", err) } nonce := hex.EncodeToString(raw) u.pendingLogins.Store(nonce, &pendingLogin{ accountID: accountID, expiresAt: time.Now().Add(totpNonceTTL), }) return nonce, nil } // consumeTOTPNonce looks up and deletes the nonce, returning the associated // account ID. Returns (0, false) if the nonce is unknown or expired. func (u *UIServer) consumeTOTPNonce(nonce string) (int64, bool) { v, ok := u.pendingLogins.LoadAndDelete(nonce) if !ok { return 0, false } pl, ok2 := v.(*pendingLogin) if !ok2 { return 0, false } if time.Now().After(pl.expiresAt) { return 0, false } return pl.accountID, true } // dummyHash returns the pre-computed Argon2id PHC hash for constant-time dummy // verification when an account is unknown or inactive (F-07). // Delegates to auth.DummyHash() which uses sync.Once for one-time computation. func (u *UIServer) dummyHash() string { return auth.DummyHash() } // New constructs a UIServer, parses all templates, and returns it. // Returns an error if template parsing fails. func New(database *db.DB, cfg *config.Config, priv ed25519.PrivateKey, pub ed25519.PublicKey, masterKey []byte, logger *slog.Logger) (*UIServer, error) { csrf := newCSRFManager(masterKey) funcMap := template.FuncMap{ "formatTime": func(t time.Time) string { if t.IsZero() { return "" } return t.UTC().Format("2006-01-02 15:04:05") }, "truncateJTI": func(jti string) string { if len(jti) > 8 { return jti[:8] } return jti }, "string": func(v interface{}) string { switch s := v.(type) { case model.AccountStatus: return string(s) case model.AccountType: return string(s) default: return fmt.Sprintf("%v", v) } }, "hasRole": func(roles []string, role string) bool { for _, r := range roles { if r == role { return true } } return false }, "not": func(b bool) bool { return !b }, // derefInt64 safely dereferences a *int64, returning 0 for nil. // Used in templates to compare owner IDs without triggering nil panics. "derefInt64": func(p *int64) int64 { if p == nil { return 0 } return *p }, // isPGCredOwner returns true when actorID and cred are both non-nil // and actorID matches cred.OwnerID. Safe to call with nil arguments. "isPGCredOwner": func(actorID *int64, cred *model.PGCredential) bool { if actorID == nil || cred == nil || cred.OwnerID == nil { return false } return *actorID == *cred.OwnerID }, "add": func(a, b int) int { return a + b }, "sub": func(a, b int) int { return a - b }, "gt": func(a, b int) bool { return a > b }, "lt": func(a, b int) bool { return a < b }, "prettyJSON": func(s string) string { var v json.RawMessage if json.Unmarshal([]byte(s), &v) != nil { return s } pretty, err := json.MarshalIndent(v, "", " ") if err != nil { return s } return string(pretty) }, } // Parse shared templates (base layout + all fragments) into a base set. // Each page template is then parsed into a clone of this base set so that // competing "content"/"title" definitions do not collide. sharedFiles := []string{ "templates/base.html", "templates/fragments/account_row.html", "templates/fragments/account_status.html", "templates/fragments/roles_editor.html", "templates/fragments/token_list.html", "templates/fragments/totp_step.html", "templates/fragments/error.html", "templates/fragments/audit_rows.html", "templates/fragments/pgcreds_form.html", "templates/fragments/tags_editor.html", "templates/fragments/policy_row.html", "templates/fragments/policy_form.html", "templates/fragments/password_reset_form.html", "templates/fragments/password_change_form.html", } base, err := template.New("").Funcs(funcMap).ParseFS(web.TemplateFS, sharedFiles...) if err != nil { return nil, fmt.Errorf("ui: parse shared templates: %w", err) } // Each page template defines "content" and "title" blocks; parsing them // into separate clones prevents the last-defined block from winning. pageFiles := map[string]string{ "login": "templates/login.html", "dashboard": "templates/dashboard.html", "accounts": "templates/accounts.html", "account_detail": "templates/account_detail.html", "audit": "templates/audit.html", "audit_detail": "templates/audit_detail.html", "policies": "templates/policies.html", "pgcreds": "templates/pgcreds.html", "profile": "templates/profile.html", } tmpls := make(map[string]*template.Template, len(pageFiles)) for name, file := range pageFiles { clone, cloneErr := base.Clone() if cloneErr != nil { return nil, fmt.Errorf("ui: clone base templates for %s: %w", name, cloneErr) } if _, parseErr := clone.ParseFS(web.TemplateFS, file); parseErr != nil { return nil, fmt.Errorf("ui: parse page template %s: %w", name, parseErr) } tmpls[name] = clone } return &UIServer{ db: database, cfg: cfg, pubKey: pub, privKey: priv, masterKey: masterKey, logger: logger, csrf: csrf, tmpls: tmpls, }, nil } // Register attaches all UI routes to mux, wrapped with security headers. // All UI responses (pages, fragments, redirects, static assets) carry the // headers added by securityHeaders. func (u *UIServer) Register(mux *http.ServeMux) { // Build a dedicated child mux for all UI routes so that securityHeaders // can be applied once as a wrapping middleware rather than per-route. uiMux := http.NewServeMux() // Static assets — serve from the web/static/ sub-directory of the embed. staticSubFS, err := fs.Sub(web.StaticFS, "static") if err != nil { panic(fmt.Sprintf("ui: static sub-FS: %v", err)) } uiMux.Handle("GET /static/", http.StripPrefix("/static/", http.FileServerFS(staticSubFS))) // Redirect root to login. uiMux.HandleFunc("GET /", func(w http.ResponseWriter, r *http.Request) { if r.URL.Path == "/" { http.Redirect(w, r, "/login", http.StatusFound) return } http.NotFound(w, r) }) // Auth routes (no session required). uiMux.HandleFunc("GET /login", u.handleLoginPage) uiMux.HandleFunc("POST /login", u.handleLoginPost) uiMux.HandleFunc("POST /logout", u.handleLogout) // Protected routes. auth := u.requireCookieAuth admin := func(h http.HandlerFunc) http.Handler { return auth(u.requireCSRF(http.HandlerFunc(h))) } adminGet := func(h http.HandlerFunc) http.Handler { return auth(http.HandlerFunc(h)) } uiMux.Handle("GET /dashboard", adminGet(u.handleDashboard)) uiMux.Handle("GET /accounts", adminGet(u.handleAccountsList)) uiMux.Handle("POST /accounts", admin(u.handleCreateAccount)) uiMux.Handle("GET /accounts/{id}", adminGet(u.handleAccountDetail)) uiMux.Handle("PATCH /accounts/{id}/status", admin(u.handleUpdateAccountStatus)) uiMux.Handle("DELETE /accounts/{id}", admin(u.handleDeleteAccount)) uiMux.Handle("GET /accounts/{id}/roles/edit", adminGet(u.handleRolesEditForm)) uiMux.Handle("PUT /accounts/{id}/roles", admin(u.handleSetRoles)) uiMux.Handle("DELETE /token/{jti}", admin(u.handleRevokeToken)) uiMux.Handle("POST /accounts/{id}/token", admin(u.handleIssueSystemToken)) uiMux.Handle("PUT /accounts/{id}/pgcreds", admin(u.handleSetPGCreds)) uiMux.Handle("POST /accounts/{id}/pgcreds/access", admin(u.handleGrantPGCredAccess)) uiMux.Handle("DELETE /accounts/{id}/pgcreds/access/{grantee}", admin(u.handleRevokePGCredAccess)) uiMux.Handle("GET /pgcreds", adminGet(u.handlePGCredsList)) uiMux.Handle("POST /pgcreds", admin(u.handleCreatePGCreds)) uiMux.Handle("GET /audit", adminGet(u.handleAuditPage)) uiMux.Handle("GET /audit/rows", adminGet(u.handleAuditRows)) uiMux.Handle("GET /audit/{id}", adminGet(u.handleAuditDetail)) uiMux.Handle("GET /policies", adminGet(u.handlePoliciesPage)) uiMux.Handle("POST /policies", admin(u.handleCreatePolicyRule)) uiMux.Handle("PATCH /policies/{id}/enabled", admin(u.handleTogglePolicyRule)) uiMux.Handle("DELETE /policies/{id}", admin(u.handleDeletePolicyRule)) uiMux.Handle("PUT /accounts/{id}/tags", admin(u.handleSetAccountTags)) uiMux.Handle("PUT /accounts/{id}/password", admin(u.handleAdminResetPassword)) // Profile routes — accessible to any authenticated user (not admin-only). uiMux.Handle("GET /profile", adminGet(u.handleProfilePage)) uiMux.Handle("PUT /profile/password", auth(u.requireCSRF(http.HandlerFunc(u.handleSelfChangePassword)))) // Mount the wrapped UI mux on the parent mux. The "/" pattern acts as a // catch-all for all UI paths; the more-specific /v1/ API patterns registered // on the parent mux continue to take precedence per Go's routing rules. mux.Handle("/", securityHeaders(uiMux)) } // ---- Middleware ---- // requireCookieAuth validates the mcias_session cookie and injects claims. // On failure, HTMX requests get HX-Redirect; browser requests get a redirect. func (u *UIServer) requireCookieAuth(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { cookie, err := r.Cookie(sessionCookieName) if err != nil || cookie.Value == "" { u.redirectToLogin(w, r) return } claims, err := validateSessionToken(u.pubKey, cookie.Value, u.cfg.Tokens.Issuer) if err != nil { u.clearSessionCookie(w) u.redirectToLogin(w, r) return } // Check revocation. rec, err := u.db.GetTokenRecord(claims.JTI) if err != nil || rec.IsRevoked() { u.clearSessionCookie(w) u.redirectToLogin(w, r) return } ctx := contextWithClaims(r.Context(), claims) next.ServeHTTP(w, r.WithContext(ctx)) }) } // requireCSRF validates the CSRF token on mutating requests (POST/PUT/PATCH/DELETE). // The token is read from X-CSRF-Token header (HTMX) or _csrf form field (fallback). func (u *UIServer) requireCSRF(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { cookie, err := r.Cookie(csrfCookieName) if err != nil || cookie.Value == "" { http.Error(w, "CSRF cookie missing", http.StatusForbidden) return } // Header takes precedence (HTMX sets it automatically via hx-headers on body). formVal := r.Header.Get("X-CSRF-Token") if formVal == "" { // Fallback: parse form and read _csrf field. // Security: limit body size to prevent memory exhaustion (gosec G120). r.Body = http.MaxBytesReader(w, r.Body, maxFormBytes) if parseErr := r.ParseForm(); parseErr == nil { formVal = r.FormValue("_csrf") } } if !u.csrf.Validate(cookie.Value, formVal) { http.Error(w, "CSRF token invalid", http.StatusForbidden) return } next.ServeHTTP(w, r) }) } // ---- Helpers ---- // isHTMX reports whether the request was initiated by HTMX. func isHTMX(r *http.Request) bool { return r.Header.Get("HX-Request") == "true" } // redirectToLogin redirects to the login page, using HX-Redirect for HTMX. func (u *UIServer) redirectToLogin(w http.ResponseWriter, r *http.Request) { if isHTMX(r) { w.Header().Set("HX-Redirect", "/login") w.WriteHeader(http.StatusUnauthorized) return } http.Redirect(w, r, "/login", http.StatusFound) } // clearSessionCookie expires the session cookie. func (u *UIServer) clearSessionCookie(w http.ResponseWriter) { http.SetCookie(w, &http.Cookie{ Name: sessionCookieName, Value: "", Path: "/", MaxAge: -1, HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode, }) } // setCSRFCookies sets the mcias_csrf cookie and returns the header value to // embed in the page/form. func (u *UIServer) setCSRFCookies(w http.ResponseWriter) (string, error) { cookieVal, headerVal, err := u.csrf.NewToken() if err != nil { return "", err } http.SetCookie(w, &http.Cookie{ Name: csrfCookieName, Value: cookieVal, Path: "/", // Security: non-HttpOnly so that HTMX can embed it in hx-headers; // SameSite=Strict is the primary CSRF defence for browser requests. HttpOnly: false, Secure: true, SameSite: http.SameSiteStrictMode, }) return headerVal, nil } // render executes the named template, writing the result to w. // Renders to a buffer first so partial template failures don't corrupt output. // For page templates (dashboard, accounts, etc.) the page-specific template set // is used; for fragment templates the name is looked up across all sets. func (u *UIServer) render(w http.ResponseWriter, name string, data interface{}) { tmpl := u.templateFor(name) if tmpl == nil { u.logger.Error("template not found", "template", name) http.Error(w, "internal server error", http.StatusInternalServerError) return } var buf bytes.Buffer if err := tmpl.ExecuteTemplate(&buf, name, data); err != nil { u.logger.Error("template render error", "template", name, "error", err) http.Error(w, "internal server error", http.StatusInternalServerError) return } w.Header().Set("Content-Type", "text/html; charset=utf-8") _, _ = w.Write(buf.Bytes()) } // templateFor returns the template set that contains the named template. // Page templates have a dedicated set; fragment templates exist in every set. func (u *UIServer) templateFor(name string) *template.Template { if t, ok := u.tmpls[name]; ok { return t } // Fragment — available in any page set; pick the first one. for _, t := range u.tmpls { if t.Lookup(name) != nil { return t } } return nil } // renderError returns an error response appropriate for the request type. func (u *UIServer) renderError(w http.ResponseWriter, r *http.Request, status int, msg string) { if isHTMX(r) { w.Header().Set("Content-Type", "text/html; charset=utf-8") w.WriteHeader(status) _, _ = fmt.Fprintf(w, ``, template.HTMLEscapeString(msg)) return } http.Error(w, msg, status) } // maxFormBytes limits the size of UI form submissions (1 MiB). // Security: prevents memory exhaustion from oversized POST bodies (gosec G120). const maxFormBytes = 1 << 20 // securityHeaders returns middleware that adds defensive HTTP headers to every // UI response. // // Security rationale for each header: // - Content-Security-Policy: restricts resource loading to same origin only, // mitigating XSS escalation even if an attacker injects HTML (e.g. via a // malicious stored username rendered in the admin panel). // - X-Content-Type-Options: prevents MIME-sniffing; browsers must honour the // declared Content-Type and not guess an executable type from body content. // - X-Frame-Options: blocks the admin panel from being framed by a third-party // origin, preventing clickjacking against admin actions. // - Strict-Transport-Security: instructs browsers to use HTTPS for all future // requests to this origin for two years, preventing TLS-strip on revisit. // - Referrer-Policy: suppresses the Referer header on outbound navigations so // JWTs or session identifiers embedded in URLs are not leaked to third parties. func securityHeaders(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { h := w.Header() h.Set("Content-Security-Policy", "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'") h.Set("X-Content-Type-Options", "nosniff") h.Set("X-Frame-Options", "DENY") h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains") h.Set("Referrer-Policy", "no-referrer") next.ServeHTTP(w, r) }) } // clientIP extracts the client IP from RemoteAddr (best effort). func clientIP(r *http.Request) string { addr := r.RemoteAddr if idx := strings.LastIndex(addr, ":"); idx != -1 { return addr[:idx] } return addr } // actorName resolves the username of the currently authenticated user from the // request context. Returns an empty string if claims are absent or the account // cannot be found; callers should treat an empty string as "not logged in". func (u *UIServer) actorName(r *http.Request) string { claims := claimsFromContext(r.Context()) if claims == nil { return "" } acct, err := u.db.GetAccountByUUID(claims.Subject) if err != nil { return "" } return acct.Username } // ---- Page data types ---- // PageData is embedded in all page-level view structs. type PageData struct { CSRFToken string Flash string Error string // ActorName is the username of the currently logged-in user, populated by // handlers so the base template can display it in the navigation bar. ActorName string } // LoginData is the view model for the login page. type LoginData struct { Error string Username string // pre-filled on TOTP step // Security (F-02): Password is no longer carried in the HTML form. Instead // a short-lived server-side nonce is issued after successful password // verification, and only the nonce is embedded in the TOTP step form. Nonce string // single-use server-side nonce replacing the password hidden field } // DashboardData is the view model for the dashboard page. type DashboardData struct { PageData RecentEvents []*db.AuditEventView TotalAccounts int ActiveAccounts int } // AccountsData is the view model for the accounts list page. type AccountsData struct { PageData Accounts []*model.Account } // AccountDetailData is the view model for the account detail page. type AccountDetailData struct { Account *model.Account // PGCred is nil if none stored or the account is not a system account. PGCred *model.PGCredential // PGCredGrants lists accounts that have been granted read access to PGCred. // Only populated when the viewing actor is the credential owner. PGCredGrants []*model.PGCredAccessGrant // GrantableAccounts is the list of accounts the owner may grant access to. GrantableAccounts []*model.Account // ActorID is the DB id of the currently logged-in user; used in templates // to decide whether to show the owner-only management controls. ActorID *int64 PageData Roles []string AllRoles []string Tags []string Tokens []*model.TokenRecord } // AuditData is the view model for the audit log page. type AuditData struct { PageData FilterType string Events []*db.AuditEventView EventTypes []string Total int64 TotalPages int Page int } // AuditDetailData is the view model for a single audit event detail page. type AuditDetailData struct { Event *db.AuditEventView PageData } // PolicyRuleView is a single policy rule prepared for template rendering. type PolicyRuleView struct { Description string RuleJSON string CreatedAt string UpdatedAt string NotBefore string // empty if not set ExpiresAt string // empty if not set ID int64 Priority int Enabled bool IsExpired bool // true if expires_at is in the past IsPending bool // true if not_before is in the future } // PoliciesData is the view model for the policies list page. type PoliciesData struct { PageData Rules []*PolicyRuleView AllActions []string } // ProfileData is the view model for the profile/settings page. type ProfileData struct { PageData } // PGCredsData is the view model for the "My PG Credentials" list page. // It shows all pg_credentials sets accessible to the currently logged-in user: // those they own and those they have been granted access to. // UncredentialedAccounts is the list of system accounts that have no credentials // yet, populated to drive the "New Credentials" create form on the same page. // CredGrants maps credential ID to the list of access grants for that credential; // only populated for credentials the actor owns. // AllAccounts is used to populate the grant-access dropdown for owned credentials. // ActorID is the DB id of the currently logged-in user. type PGCredsData struct { CredGrants map[int64][]*model.PGCredAccessGrant ActorID *int64 PageData Creds []*model.PGCredential UncredentialedAccounts []*model.Account AllAccounts []*model.Account }