gonotes/internal/middleware/session.go

// Package middleware to deal with sessions
package middleware

import (
	"context"
	"crypto/rand"
	"log"
	"net/http"

	urls "forgejo.gwairfelin.com/max/gispatcho"
	"forgejo.gwairfelin.com/max/gonotes/internal/auth"
	"golang.org/x/oauth2"
)

type Session struct {
	User string
}

type SessionStore struct {
	sessions map[string]Session
	oauth    *oauth2.Config
	Routes   urls.URLs
}

type ContextKey string

func NewSessionStore(oauth *oauth2.Config, prefix string) SessionStore {
	store := SessionStore{
		sessions: make(map[string]Session, 10),
		oauth:    oauth,
	}
	store.Routes = urls.URLs{
		Prefix: prefix,
		URLs: map[string]urls.URL{
			"login":    {Path: "/login/", Protocol: "GET", Handler: store.LoginViewOAUTH},
			"callback": {Path: "/callback/", Protocol: "GET", Handler: store.CallbackViewOAUTH},
			"logout":   {Path: "/logout/", Protocol: "GET", Handler: store.LogoutView},
		},
	}
	return store
}

// Log a user in
func (s *SessionStore) Login(user string, w http.ResponseWriter) string {
	sessionID := rand.Text()
	s.sessions[sessionID] = Session{User: user}

	cookie := http.Cookie{
		Name: "id", Value: sessionID, MaxAge: 3600,
		Secure: true, HttpOnly: true, Path: "/",
	}

	http.SetCookie(w, &cookie)
	return sessionID
}

// View to logout a user
func (s *SessionStore) LogoutView(w http.ResponseWriter, r *http.Request) {
	session := r.Context().Value(ContextKey("session")).(string)

	delete(s.sessions, session)
	cookie := http.Cookie{
		Name: "id", Value: "", MaxAge: -1,
		Secure: true, HttpOnly: true, Path: "/",
	}

	http.SetCookie(w, &cookie)
	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
}

// View to log in a user via oauth
func (s *SessionStore) LoginViewOAUTH(w http.ResponseWriter, r *http.Request) {
	log.Printf("%+v", *s.oauth)

	oauthState := auth.GenerateStateOAUTHCookie(w, s.Routes.Prefix)

	url := s.oauth.AuthCodeURL(oauthState)
	log.Printf("Redirecting to %s", url)
	http.Redirect(w, r, url, http.StatusTemporaryRedirect)
}

// Oauth callback view
func (s *SessionStore) CallbackViewOAUTH(w http.ResponseWriter, r *http.Request) {
	// Read oauthState from Cookie
	oauthState, err := r.Cookie("oauthstate")
	if err != nil {
		log.Printf("An error occured during login: %s", err)
		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
		return
	}

	log.Printf("%v", oauthState)

	if r.FormValue("state") != oauthState.Value {
		log.Println("invalid oauth state")
		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
		return
	}

	username, err := auth.GetUserFromForgejo(r.FormValue("code"), s.oauth)
	if err != nil {
		log.Println(err.Error())
		http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
		return
	}

	s.Login(username, w)
	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
}

// Turn the session store into a middleware.
// Sets the user on the context based on the available session cookie
func (s *SessionStore) AsMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sessionCookie, err := r.Cookie("id")
		user := "anon"
		var cookieVal string
		// Session exists
		if err == nil {
			session, ok := s.sessions[sessionCookie.Value]

			// Session not expired
			if ok {
				user = session.User
				cookieVal = sessionCookie.Value
			}
		}

		nextWithSessionContext(w, r, next, user, cookieVal)
	})
}

func nextWithSessionContext(w http.ResponseWriter, r *http.Request, next http.Handler, user string, sessionID string) {
	ctx := r.Context()
	ctx = context.WithValue(
		context.WithValue(
			ctx,
			ContextKey("user"),
			user,
		),
		ContextKey("session"),
		sessionID,
	)

	next.ServeHTTP(w, r.WithContext(ctx))
}
Add half arsed user separation 2025-07-30 13:41:03 +01:00			`// Package middleware to deal with sessions`
Make start on session management 2025-07-30 09:35:01 +01:00			`package middleware`

			`import (`
			`"context"`
Add half arsed user separation 2025-07-30 13:41:03 +01:00			`"crypto/rand"`
Refactor oauth login 2025-12-10 20:40:41 +00:00			`"log"`
Make start on session management 2025-07-30 09:35:01 +01:00			`"net/http"`
Refactor oauth login 2025-12-10 20:40:41 +00:00
			`urls "forgejo.gwairfelin.com/max/gispatcho"`
			`"forgejo.gwairfelin.com/max/gonotes/internal/auth"`
			`"golang.org/x/oauth2"`
Make start on session management 2025-07-30 09:35:01 +01:00			`)`

Add half arsed user separation 2025-07-30 13:41:03 +01:00			`type Session struct {`
			`User string`
			`}`

			`type SessionStore struct {`
			`sessions map[string]Session`
Refactor oauth login 2025-12-10 20:40:41 +00:00			`oauth *oauth2.Config`
			`Routes urls.URLs`
Add half arsed user separation 2025-07-30 13:41:03 +01:00			`}`

			`type ContextKey string`

Refactor oauth login 2025-12-10 20:40:41 +00:00			`func NewSessionStore(oauth *oauth2.Config, prefix string) SessionStore {`
			`store := SessionStore{`
			`sessions: make(map[string]Session, 10),`
			`oauth: oauth,`
			`}`
			`store.Routes = urls.URLs{`
			`Prefix: prefix,`
			`URLs: map[string]urls.URL{`
			`"login": {Path: "/login/", Protocol: "GET", Handler: store.LoginViewOAUTH},`
			`"callback": {Path: "/callback/", Protocol: "GET", Handler: store.CallbackViewOAUTH},`
Comment some session functions 2025-12-10 20:45:33 +00:00			`"logout": {Path: "/logout/", Protocol: "GET", Handler: store.LogoutView},`
Refactor oauth login 2025-12-10 20:40:41 +00:00			`},`
			`}`
			`return store`
Add half arsed user separation 2025-07-30 13:41:03 +01:00			`}`

Comment some session functions 2025-12-10 20:45:33 +00:00			`// Log a user in`
Avoid referencing bad variable 2025-09-30 10:28:58 +01:00			`func (s *SessionStore) Login(user string, w http.ResponseWriter) string {`
Add half arsed user separation 2025-07-30 13:41:03 +01:00			`sessionID := rand.Text()`
			`s.sessions[sessionID] = Session{User: user}`

			`cookie := http.Cookie{`
			`Name: "id", Value: sessionID, MaxAge: 3600,`
			`Secure: true, HttpOnly: true, Path: "/",`
			`}`

			`http.SetCookie(w, &cookie)`
Avoid referencing bad variable 2025-09-30 10:28:58 +01:00			`return sessionID`
Add half arsed user separation 2025-07-30 13:41:03 +01:00			`}`

Comment some session functions 2025-12-10 20:45:33 +00:00			`// View to logout a user`
			`func (s SessionStore) LogoutView(w http.ResponseWriter, r http.Request) {`
Add half arsed user separation 2025-07-30 13:41:03 +01:00			`session := r.Context().Value(ContextKey("session")).(string)`

			`delete(s.sessions, session)`
			`cookie := http.Cookie{`
			`Name: "id", Value: "", MaxAge: -1,`
			`Secure: true, HttpOnly: true, Path: "/",`
			`}`

			`http.SetCookie(w, &cookie)`
Implement oidc client of sorts 2025-12-10 16:34:40 +00:00			`http.Redirect(w, r, "/", http.StatusTemporaryRedirect)`
Add half arsed user separation 2025-07-30 13:41:03 +01:00			`}`

Comment some session functions 2025-12-10 20:45:33 +00:00			`// View to log in a user via oauth`
Refactor oauth login 2025-12-10 20:40:41 +00:00			`func (s SessionStore) LoginViewOAUTH(w http.ResponseWriter, r http.Request) {`
			`log.Printf("%+v", *s.oauth)`

			`oauthState := auth.GenerateStateOAUTHCookie(w, s.Routes.Prefix)`

			`url := s.oauth.AuthCodeURL(oauthState)`
			`log.Printf("Redirecting to %s", url)`
			`http.Redirect(w, r, url, http.StatusTemporaryRedirect)`
			`}`

Comment some session functions 2025-12-10 20:45:33 +00:00			`// Oauth callback view`
Refactor oauth login 2025-12-10 20:40:41 +00:00			`func (s SessionStore) CallbackViewOAUTH(w http.ResponseWriter, r http.Request) {`
			`// Read oauthState from Cookie`
			`oauthState, err := r.Cookie("oauthstate")`
			`if err != nil {`
			`log.Printf("An error occured during login: %s", err)`
			`http.Redirect(w, r, "/", http.StatusTemporaryRedirect)`
			`return`
			`}`

			`log.Printf("%v", oauthState)`

			`if r.FormValue("state") != oauthState.Value {`
			`log.Println("invalid oauth state")`
			`http.Redirect(w, r, "/", http.StatusTemporaryRedirect)`
			`return`
			`}`

Refactor forgejo user interaction 2025-12-10 20:56:17 +00:00			`username, err := auth.GetUserFromForgejo(r.FormValue("code"), s.oauth)`
Refactor oauth login 2025-12-10 20:40:41 +00:00			`if err != nil {`
			`log.Println(err.Error())`
			`http.Redirect(w, r, "/", http.StatusTemporaryRedirect)`
			`return`
			`}`

Refactor forgejo user interaction 2025-12-10 20:56:17 +00:00			`s.Login(username, w)`
Refactor oauth login 2025-12-10 20:40:41 +00:00			`http.Redirect(w, r, "/", http.StatusTemporaryRedirect)`
			`}`

Comment some session functions 2025-12-10 20:45:33 +00:00			`// Turn the session store into a middleware.`
			`// Sets the user on the context based on the available session cookie`
Add half arsed user separation 2025-07-30 13:41:03 +01:00			`func (s *SessionStore) AsMiddleware(next http.Handler) http.Handler {`
Make start on session management 2025-07-30 09:35:01 +01:00			`return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`sessionCookie, err := r.Cookie("id")`
Implement oidc client of sorts 2025-12-10 16:34:40 +00:00			`user := "anon"`
			`var cookieVal string`
			`// Session exists`
			`if err == nil {`
			`session, ok := s.sessions[sessionCookie.Value]`

			`// Session not expired`
			`if ok {`
			`user = session.User`
			`cookieVal = sessionCookie.Value`
Auto login using X-Auth-Request-User header 2025-09-30 09:57:10 +01:00			`}`
Make start on session management 2025-07-30 09:35:01 +01:00			`}`

Implement oidc client of sorts 2025-12-10 16:34:40 +00:00			`nextWithSessionContext(w, r, next, user, cookieVal)`
Make start on session management 2025-07-30 09:35:01 +01:00			`})`
			`}`
Avoid referencing bad variable 2025-09-30 10:28:58 +01:00
			`func nextWithSessionContext(w http.ResponseWriter, r *http.Request, next http.Handler, user string, sessionID string) {`
			`ctx := r.Context()`
			`ctx = context.WithValue(`
			`context.WithValue(`
			`ctx,`
			`ContextKey("user"),`
			`user,`
			`),`
			`ContextKey("session"),`
			`sessionID,`
			`)`

			`next.ServeHTTP(w, r.WithContext(ctx))`
			`}`