Add additional columns to aufit_login for session tokens. fixed requireAuth for loading of some pages as requireauth was threating a valid session as not logged in.
This commit is contained in:
@@ -12,6 +12,7 @@ import (
|
|||||||
"synlotto-website/internal/logging"
|
"synlotto-website/internal/logging"
|
||||||
"synlotto-website/internal/models"
|
"synlotto-website/internal/models"
|
||||||
"synlotto-website/internal/platform/bootstrap"
|
"synlotto-website/internal/platform/bootstrap"
|
||||||
|
"synlotto-website/internal/platform/sessionkeys"
|
||||||
auditlogStorage "synlotto-website/internal/storage/auditlog"
|
auditlogStorage "synlotto-website/internal/storage/auditlog"
|
||||||
usersStorage "synlotto-website/internal/storage/users"
|
usersStorage "synlotto-website/internal/storage/users"
|
||||||
)
|
)
|
||||||
@@ -74,6 +75,8 @@ func LoginPost(c *gin.Context) {
|
|||||||
_ = sm.RenewToken(r.Context())
|
_ = sm.RenewToken(r.Context())
|
||||||
|
|
||||||
sm.Put(r.Context(), "user_id", user.Id)
|
sm.Put(r.Context(), "user_id", user.Id)
|
||||||
|
sm.Put(r.Context(), sessionkeys.Username, user.Username)
|
||||||
|
sm.Put(r.Context(), sessionkeys.IsAdmin, user.IsAdmin)
|
||||||
sm.Put(r.Context(), "last_activity", time.Now().UTC())
|
sm.Put(r.Context(), "last_activity", time.Now().UTC())
|
||||||
sm.Put(r.Context(), "flash", "Welcome back, "+user.Username+"!")
|
sm.Put(r.Context(), "flash", "Welcome back, "+user.Username+"!")
|
||||||
|
|
||||||
|
|||||||
@@ -6,37 +6,78 @@ import (
|
|||||||
"os"
|
"os"
|
||||||
|
|
||||||
templateHelpers "synlotto-website/internal/helpers/template"
|
templateHelpers "synlotto-website/internal/helpers/template"
|
||||||
|
|
||||||
"synlotto-website/internal/models"
|
"synlotto-website/internal/models"
|
||||||
|
"synlotto-website/internal/platform/sessionkeys"
|
||||||
|
|
||||||
"github.com/alexedwards/scs/v2"
|
"github.com/alexedwards/scs/v2"
|
||||||
"github.com/gin-gonic/gin"
|
"github.com/gin-gonic/gin"
|
||||||
)
|
)
|
||||||
|
|
||||||
// RenderStatus renders web/templates/error/<status>.html inside layout.html.
|
// RenderStatus renders web/templates/error/<status>.html inside layout.html,
|
||||||
|
// using ONLY session data (no DB) so 404/500 pages don't crash and still
|
||||||
|
// look "logged in" when a session exists.
|
||||||
func RenderStatus(c *gin.Context, sessions *scs.SessionManager, status int) {
|
func RenderStatus(c *gin.Context, sessions *scs.SessionManager, status int) {
|
||||||
// Base context
|
// Synthesize minimal TemplateData from session only
|
||||||
ctx := templateHelpers.TemplateContext(c.Writer, c.Request, models.TemplateData{})
|
var data models.TemplateData
|
||||||
|
|
||||||
// Flash (SCS)
|
ctx := c.Request.Context()
|
||||||
if f := sessions.PopString(c.Request.Context(), "flash"); f != "" {
|
|
||||||
ctx["Flash"] = f
|
// Read minimal user snapshot from session
|
||||||
|
var uid int64
|
||||||
|
if v := sessions.Get(ctx, sessionkeys.UserID); v != nil {
|
||||||
|
switch t := v.(type) {
|
||||||
|
case int64:
|
||||||
|
uid = t
|
||||||
|
case int:
|
||||||
|
uid = int64(t)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
if uid > 0 {
|
||||||
|
// username and is_admin are optional but make navbar correct
|
||||||
|
var uname string
|
||||||
|
if v := sessions.Get(ctx, sessionkeys.Username); v != nil {
|
||||||
|
if s, ok := v.(string); ok {
|
||||||
|
uname = s
|
||||||
|
}
|
||||||
|
}
|
||||||
|
var isAdmin bool
|
||||||
|
if v := sessions.Get(ctx, sessionkeys.IsAdmin); v != nil {
|
||||||
|
if b, ok := v.(bool); ok {
|
||||||
|
isAdmin = b
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
// Use your finalized paths
|
// Build a lightweight user; avoids DB lookups in error paths
|
||||||
|
data.User = &models.User{
|
||||||
|
Id: uid,
|
||||||
|
Username: uname,
|
||||||
|
IsAdmin: isAdmin,
|
||||||
|
}
|
||||||
|
data.IsAdmin = isAdmin
|
||||||
|
}
|
||||||
|
|
||||||
|
// Turn into the template context map (adds site meta, funcs, etc.)
|
||||||
|
ctxMap := templateHelpers.TemplateContext(c.Writer, c.Request, data)
|
||||||
|
|
||||||
|
// Flash (SCS)
|
||||||
|
if f := sessions.PopString(ctx, sessionkeys.Flash); f != "" {
|
||||||
|
ctxMap["Flash"] = f
|
||||||
|
}
|
||||||
|
|
||||||
|
// Template paths (layout-first)
|
||||||
pagePath := fmt.Sprintf("web/templates/error/%d.html", status)
|
pagePath := fmt.Sprintf("web/templates/error/%d.html", status)
|
||||||
if _, err := os.Stat(pagePath); err != nil {
|
if _, err := os.Stat(pagePath); err != nil {
|
||||||
c.String(status, http.StatusText(status))
|
c.String(status, http.StatusText(status))
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
// Keep your "layout first" load order
|
|
||||||
tmpl := templateHelpers.LoadTemplateFiles(
|
tmpl := templateHelpers.LoadTemplateFiles(
|
||||||
"web/templates/layout.html",
|
"web/templates/layout.html",
|
||||||
pagePath,
|
pagePath,
|
||||||
)
|
)
|
||||||
|
|
||||||
c.Status(status)
|
c.Status(status)
|
||||||
if err := tmpl.ExecuteTemplate(c.Writer, "layout", ctx); err != nil {
|
if err := tmpl.ExecuteTemplate(c.Writer, "layout", ctxMap); err != nil {
|
||||||
c.String(status, http.StatusText(status))
|
c.String(status, http.StatusText(status))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -21,6 +21,7 @@ func AuthMiddleware() gin.HandlerFunc {
|
|||||||
|
|
||||||
if v := sm.Get(ctx, sessionkeys.LastActivity); v != nil {
|
if v := sm.Get(ctx, sessionkeys.LastActivity); v != nil {
|
||||||
if last, ok := v.(time.Time); ok && time.Since(last) > sm.Lifetime {
|
if last, ok := v.(time.Time); ok && time.Since(last) > sm.Lifetime {
|
||||||
|
// don't destroy here; just rotate and bounce to login with a flash
|
||||||
_ = sm.RenewToken(ctx)
|
_ = sm.RenewToken(ctx)
|
||||||
sm.Put(ctx, sessionkeys.Flash, "Your session has timed out.")
|
sm.Put(ctx, sessionkeys.Flash, "Your session has timed out.")
|
||||||
c.Redirect(http.StatusSeeOther, "/account/login")
|
c.Redirect(http.StatusSeeOther, "/account/login")
|
||||||
@@ -29,7 +30,10 @@ func AuthMiddleware() gin.HandlerFunc {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// if logged in, update last activity
|
||||||
|
if sm.Exists(ctx, sessionkeys.UserID) {
|
||||||
sm.Put(ctx, sessionkeys.LastActivity, time.Now().UTC())
|
sm.Put(ctx, sessionkeys.LastActivity, time.Now().UTC())
|
||||||
|
}
|
||||||
c.Next()
|
c.Next()
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -66,8 +70,7 @@ func RememberMiddleware(app *bootstrap.App) gin.HandlerFunc {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if sessionHelper.HashVerifier(verifier) != hash {
|
if sessionHelper.HashVerifier(verifier) != hash {
|
||||||
// Tampered token – revoke for safety.
|
_ = sessionHelper.RevokeToken(app.DB, selector) // tampered
|
||||||
_ = sessionHelper.RevokeToken(app.DB, selector)
|
|
||||||
c.Next()
|
c.Next()
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
@@ -76,6 +79,9 @@ func RememberMiddleware(app *bootstrap.App) gin.HandlerFunc {
|
|||||||
_ = sm.RenewToken(ctx)
|
_ = sm.RenewToken(ctx)
|
||||||
sm.Put(ctx, sessionkeys.UserID, userID)
|
sm.Put(ctx, sessionkeys.UserID, userID)
|
||||||
sm.Put(ctx, sessionkeys.LastActivity, time.Now().UTC())
|
sm.Put(ctx, sessionkeys.LastActivity, time.Now().UTC())
|
||||||
|
// (Optional) if you can look up username/is_admin here, also set:
|
||||||
|
// sm.Put(ctx, sessionkeys.Username, uname)
|
||||||
|
// sm.Put(ctx, sessionkeys.IsAdmin, isAdmin)
|
||||||
|
|
||||||
c.Next()
|
c.Next()
|
||||||
}
|
}
|
||||||
@@ -86,8 +92,10 @@ func RequireAuth() gin.HandlerFunc {
|
|||||||
return func(c *gin.Context) {
|
return func(c *gin.Context) {
|
||||||
app := c.MustGet("app").(*bootstrap.App)
|
app := c.MustGet("app").(*bootstrap.App)
|
||||||
sm := app.SessionManager
|
sm := app.SessionManager
|
||||||
|
ctx := c.Request.Context()
|
||||||
|
|
||||||
if sm.GetInt(c.Request.Context(), sessionkeys.UserID) == 0 {
|
// ✅ Use Exists to be robust to int vs int64 storage
|
||||||
|
if !sm.Exists(ctx, sessionkeys.UserID) {
|
||||||
c.Redirect(http.StatusSeeOther, "/account/login")
|
c.Redirect(http.StatusSeeOther, "/account/login")
|
||||||
c.Abort()
|
c.Abort()
|
||||||
return
|
return
|
||||||
|
|||||||
@@ -1,8 +1,9 @@
|
|||||||
package sessionkeys
|
package sessionkeys
|
||||||
|
|
||||||
//ToDo: Is this just putting in "user_id" rather than the users ID?
|
|
||||||
const (
|
const (
|
||||||
UserID = "user_id"
|
UserID = "user_id"
|
||||||
|
Username = "username"
|
||||||
|
IsAdmin = "is_admin"
|
||||||
LastActivity = "last_activity"
|
LastActivity = "last_activity"
|
||||||
Flash = "flash"
|
Flash = "flash"
|
||||||
)
|
)
|
||||||
|
|||||||
@@ -217,14 +217,17 @@ CREATE TABLE IF NOT EXISTS audit_log (
|
|||||||
ON UPDATE CASCADE ON DELETE SET NULL
|
ON UPDATE CASCADE ON DELETE SET NULL
|
||||||
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
|
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
|
||||||
|
|
||||||
-- AUDIT LOGIN (new)
|
|
||||||
CREATE TABLE IF NOT EXISTS audit_login (
|
CREATE TABLE IF NOT EXISTS audit_login (
|
||||||
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
|
id BIGINT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
|
||||||
username VARCHAR(191),
|
user_id BIGINT UNSIGNED NULL,
|
||||||
success TINYINT(1),
|
username VARCHAR(191) NOT NULL,
|
||||||
ip VARCHAR(64),
|
success TINYINT(1) NOT NULL,
|
||||||
|
ip VARCHAR(64) NOT NULL,
|
||||||
user_agent VARCHAR(255),
|
user_agent VARCHAR(255),
|
||||||
timestamp DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP
|
timestamp DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
|
||||||
|
KEY idx_audit_login_user_id (user_id),
|
||||||
|
CONSTRAINT fk_audit_login_user
|
||||||
|
FOREIGN KEY (user_id) REFERENCES users(id) ON DELETE SET NULL
|
||||||
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
|
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
|
||||||
|
|
||||||
-- SYNDICATES
|
-- SYNDICATES
|
||||||
|
|||||||
Reference in New Issue
Block a user