enhance bug report handling with pagination, filtering, and improved response structure

2026-03-19 09:00:07 +01:00
parent 9df575067a
commit da650c2b82
13 changed files with 708 additions and 16 deletions
--- a/internal/handlers/admin_auth.route.go
+++ b/internal/handlers/admin_auth.route.go
@@ -0,0 +1,251 @@
+package handlers
+
+import (
+	"crypto/rand"
+	"crypto/subtle"
+	"encoding/base64"
+	"encoding/hex"
+	"encoding/json"
+	"fmt"
+	"log"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/jmoiron/sqlx"
+	"golang.org/x/crypto/argon2"
+
+	"emly-api-go/internal/models"
+)
+
+// argon2id params — mirror @node-rs/argon2 defaults used in the TypeScript service.
+const (
+	argonMemory      = 19456
+	argonTime        = 2
+	argonKeyLen      = 32
+	argonParallelism = 1
+	argonSaltLen     = 16
+
+	sessionExpiryDays = 30
+)
+
+// hashPassword produces a PHC-formatted argon2id string compatible with
+// the @node-rs/argon2 library used in the TypeScript service.
+func hashPassword(password string) (string, error) {
+	salt := make([]byte, argonSaltLen)
+	if _, err := rand.Read(salt); err != nil {
+		return "", err
+	}
+	hash := argon2.IDKey([]byte(password), salt, argonTime, argonMemory, argonParallelism, argonKeyLen)
+	b64Salt := base64.RawStdEncoding.EncodeToString(salt)
+	b64Hash := base64.RawStdEncoding.EncodeToString(hash)
+	return fmt.Sprintf("$argon2id$v=19$m=%d,t=%d,p=%d$%s$%s",
+		argonMemory, argonTime, argonParallelism, b64Salt, b64Hash), nil
+}
+
+// verifyPassword checks a password against a PHC-formatted argon2id hash.
+func verifyPassword(phc, password string) (bool, error) {
+	parts := strings.Split(phc, "$")
+	// Expected: ["", "argon2id", "v=19", "m=...,t=...,p=...", "<salt>", "<hash>"]
+	if len(parts) != 6 || parts[1] != "argon2id" {
+		return false, fmt.Errorf("invalid hash format")
+	}
+	var memory, timeCost uint32
+	var parallelism uint8
+	if _, err := fmt.Sscanf(parts[3], "m=%d,t=%d,p=%d", &memory, &timeCost, &parallelism); err != nil {
+		return false, fmt.Errorf("invalid params: %w", err)
+	}
+	salt, err := base64.RawStdEncoding.DecodeString(parts[4])
+	if err != nil {
+		return false, fmt.Errorf("invalid salt: %w", err)
+	}
+	hashBytes, err := base64.RawStdEncoding.DecodeString(parts[5])
+	if err != nil {
+		return false, fmt.Errorf("invalid hash: %w", err)
+	}
+	computed := argon2.IDKey([]byte(password), salt, timeCost, memory, parallelism, uint32(len(hashBytes)))
+	return subtle.ConstantTimeCompare(computed, hashBytes) == 1, nil
+}
+
+// generateUUID generates a random UUID v4.
+func generateUUID() (string, error) {
+	b := make([]byte, 16)
+	if _, err := rand.Read(b); err != nil {
+		return "", err
+	}
+	b[6] = (b[6] & 0x0f) | 0x40
+	b[8] = (b[8] & 0x3f) | 0x80
+	return fmt.Sprintf("%08x-%04x-%04x-%04x-%012x",
+		b[0:4], b[4:6], b[6:8], b[8:10], b[10:16]), nil
+}
+
+// generateSessionID returns a 64-char hex string (32 random bytes),
+// matching the TypeScript generateSessionId() implementation.
+func generateSessionID() (string, error) {
+	b := make([]byte, 32)
+	if _, err := rand.Read(b); err != nil {
+		return "", err
+	}
+	return hex.EncodeToString(b), nil
+}
+
+// authUser is the public representation returned to callers after login/validate.
+type authUser struct {
+	ID          string          `json:"id"`
+	Username    string          `json:"username"`
+	Displayname string          `json:"displayname"`
+	Role        models.UserRole `json:"role"`
+	Enabled     bool            `json:"enabled"`
+}
+
+// sessionHeader is the header name used to pass the session ID.
+const sessionHeader = "X-Session-Token"
+
+// LoginUser handles POST /v1/api/admin/auth/login
+func LoginUser(db *sqlx.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var body struct {
+			Username string `json:"username"`
+			Password string `json:"password"`
+		}
+		if err := json.NewDecoder(r.Body).Decode(&body); err != nil {
+			jsonError(w, http.StatusBadRequest, "invalid JSON: "+err.Error())
+			return
+		}
+		if body.Username == "" || body.Password == "" {
+			jsonError(w, http.StatusBadRequest, "username and password are required")
+			return
+		}
+
+		var row struct {
+			models.User
+			PasswordHash string `db:"password_hash"`
+		}
+		err := db.GetContext(r.Context(), &row,
+			"SELECT id, username, displayname, password_hash, role, enabled FROM `user` WHERE username = ? LIMIT 1",
+			body.Username,
+		)
+		if err != nil {
+			// Return 401 whether the user doesn't exist or query failed to avoid enumeration
+			jsonError(w, http.StatusUnauthorized, "invalid credentials")
+			return
+		}
+
+		valid, err := verifyPassword(row.PasswordHash, body.Password)
+		if err != nil || !valid {
+			jsonError(w, http.StatusUnauthorized, "invalid credentials")
+			return
+		}
+
+		if !row.Enabled {
+			jsonError(w, http.StatusForbidden, "account disabled")
+			return
+		}
+
+		sessionID, err := generateSessionID()
+		if err != nil {
+			jsonError(w, http.StatusInternalServerError, "failed to generate session: "+err.Error())
+			return
+		}
+		expiresAt := time.Now().UTC().Add(sessionExpiryDays * 24 * time.Hour)
+
+		if _, err := db.ExecContext(r.Context(),
+			"INSERT INTO session (id, user_id, expires_at) VALUES (?, ?, ?)",
+			sessionID, row.ID, expiresAt,
+		); err != nil {
+			jsonError(w, http.StatusInternalServerError, err.Error())
+			return
+		}
+
+		log.Printf("[AUTH] User logged in: username=%s session=%s...", body.Username, sessionID[:8])
+
+		jsonOK(w, map[string]any{
+			"session_id": sessionID,
+			"user": authUser{
+				ID:          row.ID,
+				Username:    row.Username,
+				Displayname: row.Displayname,
+				Role:        row.Role,
+				Enabled:     row.Enabled,
+			},
+		})
+	}
+}
+
+// ValidateSession handles GET /v1/api/admin/auth/validate
+// Reads the session ID from the X-Session-ID header.
+func ValidateSession(db *sqlx.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		sessionID := r.Header.Get(sessionHeader)
+		if sessionID == "" {
+			jsonError(w, http.StatusUnauthorized, "missing "+sessionHeader+" header")
+			return
+		}
+
+		var row struct {
+			ID          string          `db:"id"`
+			Username    string          `db:"username"`
+			Displayname string          `db:"displayname"`
+			Role        models.UserRole `db:"role"`
+			Enabled     bool            `db:"enabled"`
+			ExpiresAt   time.Time       `db:"expires_at"`
+		}
+		err := db.GetContext(r.Context(), &row,
+			`SELECT u.id, u.username, u.displayname, u.role, u.enabled, s.expires_at
+			 FROM session s
+			 JOIN user  u ON u.id = s.user_id
+			 WHERE s.id = ? LIMIT 1`,
+			sessionID,
+		)
+		if err != nil {
+			jsonError(w, http.StatusUnauthorized, "invalid session")
+			log.Fatalf("Database error during session validation: %v", err)
+			return
+		}
+
+		if time.Now().UTC().After(row.ExpiresAt) {
+			_, _ = db.ExecContext(r.Context(), "DELETE FROM session WHERE id = ?", sessionID)
+			jsonError(w, http.StatusUnauthorized, "session expired")
+			return
+		}
+
+		if !row.Enabled {
+			jsonError(w, http.StatusForbidden, "account disabled")
+			return
+		}
+
+		jsonOK(w, map[string]any{
+			"success": true,
+			"user": authUser{
+				ID:          row.ID,
+				Username:    row.Username,
+				Displayname: row.Displayname,
+				Role:        row.Role,
+				Enabled:     row.Enabled,
+			},
+		})
+	}
+}
+
+// LogoutSession handles POST /v1/api/admin/auth/logout
+// Reads the session ID from the X-Session-ID header.
+func LogoutSession(db *sqlx.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		sessionID := r.Header.Get(sessionHeader)
+		if sessionID == "" {
+			jsonError(w, http.StatusBadRequest, "missing "+sessionHeader+" header")
+			return
+		}
+
+		if _, err := db.ExecContext(r.Context(),
+			"DELETE FROM session WHERE id = ?", sessionID,
+		); err != nil {
+			jsonError(w, http.StatusInternalServerError, err.Error())
+			return
+		}
+
+		log.Printf("[AUTH] Session logged out: %s...", sessionID[:8])
+
+		jsonOK(w, map[string]bool{"logged_out": true})
+	}
+}