Add web package: session cookies, auth middleware, templates

- SetSessionCookie/ClearSessionCookie/GetSessionToken with HttpOnly, Secure, SameSite=Strict - RequireAuth middleware: validates token, redirects to login, sets TokenInfo in context - RenderTemplate: layout + page block pattern with FuncMap merge - 9 tests with mock MCIAS and fstest Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 16:30:52 -07:00
parent 27f81c81ac
commit aba90a1de5
2 changed files with 345 additions and 0 deletions
--- a/web/web.go
+++ b/web/web.go
@@ -0,0 +1,104 @@
+// Package web provides session cookie management, auth middleware, and
+// template rendering helpers for Metacircular web UIs built with htmx
+// and Go html/template.
+package web
+
+import (
+	"html/template"
+	"io/fs"
+	"net/http"
+
+	"git.wntrmute.dev/kyle/mcdsl/auth"
+)
+
+// SetSessionCookie sets a session cookie with the standard Metacircular
+// security flags: HttpOnly, Secure, SameSite=Strict.
+func SetSessionCookie(w http.ResponseWriter, name, token string) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     name,
+		Value:    token,
+		Path:     "/",
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteStrictMode,
+	})
+}
+
+// ClearSessionCookie removes a session cookie by setting it to empty
+// with MaxAge=-1.
+func ClearSessionCookie(w http.ResponseWriter, name string) {
+	http.SetCookie(w, &http.Cookie{
+		Name:     name,
+		Value:    "",
+		Path:     "/",
+		MaxAge:   -1,
+		HttpOnly: true,
+		Secure:   true,
+		SameSite: http.SameSiteStrictMode,
+	})
+}
+
+// GetSessionToken extracts the session token from the named cookie.
+// Returns empty string if the cookie is missing or empty.
+func GetSessionToken(r *http.Request, name string) string {
+	c, err := r.Cookie(name)
+	if err != nil {
+		return ""
+	}
+	return c.Value
+}
+
+// RequireAuth returns middleware that validates the session token via
+// the Authenticator. If the token is missing or invalid, the user is
+// redirected to loginPath. On success, the [auth.TokenInfo] is stored
+// in the request context (retrievable via [auth.TokenInfoFromContext]).
+func RequireAuth(authenticator *auth.Authenticator, cookieName, loginPath string) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			token := GetSessionToken(r, cookieName)
+			if token == "" {
+				http.Redirect(w, r, loginPath, http.StatusFound)
+				return
+			}
+
+			info, err := authenticator.ValidateToken(token)
+			if err != nil {
+				ClearSessionCookie(w, cookieName)
+				http.Redirect(w, r, loginPath, http.StatusFound)
+				return
+			}
+
+			ctx := auth.ContextWithTokenInfo(r.Context(), info)
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
+
+// RenderTemplate parses and executes a template from an embedded FS.
+// It parses "templates/layout.html" and "templates/<name>", merges
+// any provided FuncMaps, and executes the "layout" template with data.
+//
+// This matches the layout + page block pattern used by all Metacircular
+// web UIs.
+func RenderTemplate(w http.ResponseWriter, fsys fs.FS, name string, data any, funcs ...template.FuncMap) {
+	merged := template.FuncMap{}
+	for _, fm := range funcs {
+		for k, v := range fm {
+			merged[k] = v
+		}
+	}
+
+	tmpl, err := template.New("").Funcs(merged).ParseFS(fsys,
+		"templates/layout.html",
+		"templates/"+name,
+	)
+	if err != nil {
+		http.Error(w, "template error", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	if err := tmpl.ExecuteTemplate(w, "layout", data); err != nil {
+		http.Error(w, "template error", http.StatusInternalServerError)
+	}
+}