Migrate CSRF, web templates, session cookies, and snapshot to mcdsl

CSRF: Replace local csrfProtect with mcdsl/csrf.Protect. Delete internal/webserver/csrf.go. Web: Replace renderTemplate with web.RenderTemplate + csrf.TemplateFunc. Replace extractCookie with web.GetSessionToken. Replace manual session cookie SetCookie with web.SetSessionCookie. Snapshot: Replace local sqliteBackup with mcdsl/db.Snapshot. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-26 14:14:11 -07:00
parent 2a927e5359
commit 806f63957b
6 changed files with 41 additions and 228 deletions
--- a/internal/webserver/routes.go
+++ b/internal/webserver/routes.go
@@ -16,6 +16,8 @@ import (
 	"github.com/go-chi/chi/v5"
 	"google.golang.org/grpc/codes"
 	"google.golang.org/grpc/status"
+
+	"git.wntrmute.dev/kyle/mcdsl/web"
 )

 // splitLines splits a newline-delimited string into non-empty trimmed lines.
@@ -224,14 +226,7 @@ func (ws *WebServer) handleLogin(w http.ResponseWriter, r *http.Request) {
 			ws.renderTemplate(w, "login.html", map[string]interface{}{"Error": "Invalid credentials"})
 			return
 		}
-		http.SetCookie(w, &http.Cookie{
-			Name:     "metacrypt_token",
-			Value:    token,
-			Path:     "/",
-			HttpOnly: true,
-			Secure:   true,
-			SameSite: http.SameSiteStrictMode,
-		})
+		web.SetSessionCookie(w, "metacrypt_token", token)
 		http.Redirect(w, r, "/dashboard", http.StatusFound)
 	default:
 		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)