Migrate to mcdsl: auth, config, csrf, web

- Replace internal/auth with mcdsl/auth - Replace internal/config with mcdsl/config (embed config.Base) - Replace internal/webserver/csrf.go with mcdsl/csrf - Use mcdsl/web for session cookies and template rendering - Use mcdsl/httpserver for server setup and StatusWriter - Remove direct mcias client library dependency - Update .golangci.yaml to v2 format (formatters section) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 17:53:15 -07:00
commit 0cada7e64e
21 changed files with 1042 additions and 0 deletions
--- a/internal/webserver/server.go
+++ b/internal/webserver/server.go
@@ -0,0 +1,191 @@
+package webserver
+
+import (
+	"crypto/rand"
+	"errors"
+	"fmt"
+	"io/fs"
+	"log/slog"
+	"net/http"
+
+	"github.com/go-chi/chi/v5"
+
+	"git.wntrmute.dev/kyle/mcdsl/auth"
+	"git.wntrmute.dev/kyle/mcdsl/csrf"
+	"git.wntrmute.dev/kyle/mcdsl/httpserver"
+	"git.wntrmute.dev/kyle/mcdsl/web"
+
+	mcatweb "git.wntrmute.dev/kyle/mcat/web"
+)
+
+const (
+	sessionCookieName = "mcat_token"
+	csrfCookieName    = "mcat_csrf"
+	csrfFieldName     = "csrf_token"
+)
+
+// Config holds the webserver configuration. Extracted from the service
+// config so the webserver doesn't depend on the full config package.
+type Config struct {
+	ServiceName string
+	Tags        []string
+}
+
+// Server is the mcat web UI server.
+type Server struct {
+	wsCfg    Config
+	auth     *auth.Authenticator
+	logger   *slog.Logger
+	csrf     *csrf.Protect
+	staticFS fs.FS
+	handler  http.Handler
+}
+
+// New creates a new web UI server.
+func New(wsCfg Config, authenticator *auth.Authenticator, logger *slog.Logger) (*Server, error) {
+	staticFS, err := fs.Sub(mcatweb.FS, "static")
+	if err != nil {
+		return nil, fmt.Errorf("webserver: static fs: %w", err)
+	}
+
+	secret := make([]byte, 32)
+	if _, err := rand.Read(secret); err != nil {
+		return nil, fmt.Errorf("webserver: generate CSRF secret: %w", err)
+	}
+
+	s := &Server{
+		wsCfg:    wsCfg,
+		auth:     authenticator,
+		logger:   logger,
+		csrf:     csrf.New(secret, csrfCookieName, csrfFieldName),
+		staticFS: staticFS,
+	}
+
+	r := chi.NewRouter()
+	r.Use(s.loggingMiddleware)
+	r.Use(s.csrf.Middleware)
+	s.registerRoutes(r)
+	s.handler = r
+
+	return s, nil
+}
+
+// Handler returns the HTTP handler for the web server.
+func (s *Server) Handler() http.Handler {
+	return s.handler
+}
+
+func (s *Server) registerRoutes(r chi.Router) {
+	r.Handle("/static/*", http.StripPrefix("/static/", http.FileServer(http.FS(s.staticFS))))
+
+	r.Get("/", s.handleRoot)
+	r.Get("/login", s.handleLogin)
+	r.Post("/login", s.handleLogin)
+	r.Post("/logout", s.requireAuth(s.handleLogout))
+	r.Get("/dashboard", s.requireAuth(s.handleDashboard))
+}
+
+func (s *Server) handleRoot(w http.ResponseWriter, r *http.Request) {
+	token := web.GetSessionToken(r, sessionCookieName)
+	if token != "" {
+		if _, err := s.auth.ValidateToken(token); err == nil {
+			http.Redirect(w, r, "/dashboard", http.StatusFound)
+			return
+		}
+	}
+	http.Redirect(w, r, "/login", http.StatusFound)
+}
+
+func (s *Server) handleLogin(w http.ResponseWriter, r *http.Request) {
+	if r.Method == http.MethodGet {
+		s.renderTemplate(w, "login.html", map[string]interface{}{})
+		return
+	}
+
+	if err := r.ParseForm(); err != nil { //nolint:gosec // form size bounded by http.Server ReadTimeout
+		s.renderTemplate(w, "login.html", map[string]interface{}{
+			"Error": "Invalid form data.",
+		})
+		return
+	}
+
+	username := r.FormValue("username")  //nolint:gosec // parsed above
+	password := r.FormValue("password")  //nolint:gosec // parsed above
+	totpCode := r.FormValue("totp_code") //nolint:gosec // parsed above
+
+	token, _, err := s.auth.Login(username, password, totpCode)
+	if err != nil {
+		msg := "Login failed."
+		if errors.Is(err, auth.ErrInvalidCredentials) {
+			msg = "Invalid username or password."
+		} else if errors.Is(err, auth.ErrForbidden) {
+			msg = "Login denied by policy."
+		}
+		s.renderTemplate(w, "login.html", map[string]interface{}{
+			"Error": msg,
+		})
+		return
+	}
+
+	web.SetSessionCookie(w, sessionCookieName, token)
+	http.Redirect(w, r, "/dashboard", http.StatusFound)
+}
+
+func (s *Server) handleLogout(w http.ResponseWriter, r *http.Request) {
+	token := web.GetSessionToken(r, sessionCookieName)
+	if token != "" {
+		if err := s.auth.Logout(token); err != nil {
+			s.logger.Warn("logout failed", "error", err)
+		}
+	}
+	web.ClearSessionCookie(w, sessionCookieName)
+	http.Redirect(w, r, "/login", http.StatusFound)
+}
+
+func (s *Server) handleDashboard(w http.ResponseWriter, r *http.Request) {
+	info := auth.TokenInfoFromContext(r.Context())
+	s.renderTemplate(w, "dashboard.html", map[string]interface{}{
+		"Username":    info.Username,
+		"Roles":       info.Roles,
+		"IsAdmin":     info.IsAdmin,
+		"ServiceName": s.wsCfg.ServiceName,
+		"Tags":        s.wsCfg.Tags,
+	})
+}
+
+// requireAuth wraps a handler that requires a valid MCIAS session.
+func (s *Server) requireAuth(next http.HandlerFunc) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		token := web.GetSessionToken(r, sessionCookieName)
+		if token == "" {
+			http.Redirect(w, r, "/login", http.StatusFound)
+			return
+		}
+
+		info, err := s.auth.ValidateToken(token)
+		if err != nil {
+			http.Redirect(w, r, "/login", http.StatusFound)
+			return
+		}
+
+		ctx := auth.ContextWithTokenInfo(r.Context(), info)
+		next(w, r.WithContext(ctx))
+	}
+}
+
+func (s *Server) renderTemplate(w http.ResponseWriter, name string, data interface{}) {
+	web.RenderTemplate(w, mcatweb.FS, name, data, s.csrf.TemplateFunc(w))
+}
+
+func (s *Server) loggingMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		sw := &httpserver.StatusWriter{ResponseWriter: w, Status: http.StatusOK}
+		next.ServeHTTP(sw, r)
+		s.logger.Info("http",
+			"method", r.Method,
+			"path", r.URL.Path,
+			"status", sw.Status,
+			"remote", r.RemoteAddr,
+		)
+	})
+}