Stack of changes to get gin, scs, nosurf running.

internal/http/middleware/remember.go

@@ -0,0 +1,66 @@
+package middleware
+
+import (
+	"strings"
+	"time"
+
+	"github.com/gin-gonic/gin"
+
+	sessionHelper "synlotto-website/internal/helpers/session"
+	"synlotto-website/internal/platform/bootstrap"
+	"synlotto-website/internal/platform/sessionkeys"
+)
+
+// Remember checks if a remember-me cookie exists and restores the session if valid.
+func Remember(app *bootstrap.App) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		sm := app.SessionManager
+		ctx := c.Request.Context()
+
+		// Already logged in? skip.
+		if sm.Exists(ctx, sessionkeys.UserID) {
+			c.Next()
+			return
+		}
+
+		// Look for remember-me cookie
+		cookie, err := c.Request.Cookie(app.Config.Session.RememberCookieName)
+		if err != nil {
+			c.Next()
+			return
+		}
+
+		parts := strings.SplitN(cookie.Value, ":", 2)
+		if len(parts) != 2 {
+			c.Next()
+			return
+		}
+		selector, verifier := parts[0], parts[1]
+		if selector == "" || verifier == "" {
+			c.Next()
+			return
+		}
+
+		userID, hash, expiresAt, revokedAt, err := sessionHelper.FindToken(app.DB, selector)
+		if err != nil || revokedAt != nil || time.Now().After(expiresAt) {
+			c.Next()
+			return
+		}
+
+		// Constant-time compare via hashing the verifier
+		if sessionHelper.HashVerifier(verifier) != hash {
+			_ = sessionHelper.RevokeToken(app.DB, selector) // tampered → revoke
+			c.Next()
+			return
+		}
+
+		// ✅ Valid token → create a new session for the user
+		_ = sm.RenewToken(ctx)
+		sm.Put(ctx, sessionkeys.UserID, userID)
+		sm.Put(ctx, sessionkeys.LastActivity, time.Now().UTC())
+
+		// (Optional TODO): rotate token and set a fresh cookie.
+
+		c.Next()
+	}
+}