Refactor database interface to use *sql.DB directly

Simplified the database layer by removing custom interface wrappers
and using standard library *sql.DB and *sql.Tx types directly.

Changes:
- Removed DBConnection and DBTransaction interfaces from database.go
- Removed NewDBConnection() wrapper function
- Updated TokenGenerator to use *sql.DB instead of DBConnection
- Updated all validation and revocation methods to accept *sql.Tx
- Updated TableManager to work with *sql.DB directly
- Updated all tests to use db.Begin() instead of custom wrappers
- Fixed GeneratorConfig.DB field (was DBConn)
- Updated documentation in doc.go with correct API usage

Benefits:
- Simpler API with fewer abstractions
- Works directly with database/sql standard library
- Compatible with GORM (via gormDB.DB()) and Bun (share same *sql.DB)
- Easier to understand and maintain
- No unnecessary wrapper layers

Breaking changes:
- GeneratorConfig.DBConn renamed to GeneratorConfig.DB
- Removed NewDBConnection() function - pass *sql.DB directly
- ValidateAccess/ValidateRefresh now accept *sql.Tx instead of DBTransaction
- Token.Revoke/CheckNotRevoked now accept *sql.Tx instead of DBTransaction

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

hwsauth/authenticate.go

@@ -1,7 +1,6 @@
 package hwsauth
 
 import (
-	"database/sql"
 	"net/http"
 	"time"
 
@@ -11,14 +10,14 @@ import (
 
 // Check the cookies for token strings and attempt to authenticate them
 func (auth *Authenticator[T]) getAuthenticatedUser(
-	tx *sql.Tx,
+	tx DBTransaction,
 	w http.ResponseWriter,
 	r *http.Request,
-) (*authenticatedModel[T], error) {
+) (authenticatedModel[T], error) {
 	// Get token strings from cookies
 	atStr, rtStr := jwt.GetTokenCookies(r)
 	if atStr == "" && rtStr == "" {
-		return nil, errors.New("No token strings provided")
+		return authenticatedModel[T]{}, errors.New("No token strings provided")
 	}
 	// Attempt to parse the access token
 	aT, err := auth.tokenGenerator.ValidateAccess(tx, atStr)
@@ -26,29 +25,29 @@ func (auth *Authenticator[T]) getAuthenticatedUser(
 		// Access token invalid, attempt to parse refresh token
 		rT, err := auth.tokenGenerator.ValidateRefresh(tx, rtStr)
 		if err != nil {
-			return nil, errors.Wrap(err, "auth.tokenGenerator.ValidateRefresh")
+			return authenticatedModel[T]{}, errors.Wrap(err, "auth.tokenGenerator.ValidateRefresh")
 		}
 		// Refresh token valid, attempt to get a new token pair
 		model, err := auth.refreshAuthTokens(tx, w, r, rT)
 		if err != nil {
-			return nil, errors.Wrap(err, "auth.refreshAuthTokens")
+			return authenticatedModel[T]{}, errors.Wrap(err, "auth.refreshAuthTokens")
 		}
 		// New token pair sent, return the authorized user
 		authUser := authenticatedModel[T]{
 			model: model,
 			fresh: time.Now().Unix(),
 		}
-		return &authUser, nil
+		return authUser, nil
 	}
 
 	// Access token valid
 	model, err := auth.load(tx, aT.SUB)
 	if err != nil {
-		return nil, errors.Wrap(err, "auth.load")
+		return authenticatedModel[T]{}, errors.Wrap(err, "auth.load")
 	}
 	authUser := authenticatedModel[T]{
 		model: model,
 		fresh: aT.Fresh,
 	}
-	return &authUser, nil
+	return authUser, nil
 }

hwsauth/authenticator.go

@@ -10,31 +10,28 @@ import (
 )
 
 type Authenticator[T Model] struct {
-	tokenGenerator     *jwt.TokenGenerator
-	load               LoadFunc[T]
-	conn               *sql.DB
-	ignoredPaths       []string
-	logger             *zerolog.Logger
-	server             *hws.Server
-	errorPage          hws.ErrorPage
-	SSL                bool   // Use SSL for JWT tokens. Default true
-	TrustedHost        string // TrustedHost to use for SSL verification
-	SecretKey          string // Secret key to use for JWT tokens
-	AccessTokenExpiry  int64  // Expiry time for Access tokens in minutes. Default 5
-	RefreshTokenExpiry int64  // Expiry time for Refresh tokens in minutes. Default 1440 (1 day)
-	TokenFreshTime     int64  // Expiry time of token freshness. Default 5 minutes
-	LandingPage        string // Path of the desired landing page for logged in users
+	tokenGenerator *jwt.TokenGenerator
+	load           LoadFunc[T]
+	conn           DBConnection
+	ignoredPaths   []string
+	logger         *zerolog.Logger
+	server         *hws.Server
+	errorPage      hws.ErrorPageFunc
+	SSL            bool   // Use SSL for JWT tokens. Default true
+	LandingPage    string // Path of the desired landing page for logged in users
 }
 
 // NewAuthenticator creates and returns a new Authenticator using the provided configuration.
-// All expiry times should be provided in minutes.
-// trustedHost and secretKey strings must be provided.
+// If cfg is nil or any required fields are not set, default values will be used or an error returned.
+// Required fields: SecretKey (no default)
+// If SSL is true, TrustedHost is also required.
 func NewAuthenticator[T Model](
+	cfg *Config,
 	load LoadFunc[T],
 	server *hws.Server,
-	conn *sql.DB,
+	conn DBConnection,
 	logger *zerolog.Logger,
-	errorPage hws.ErrorPage,
+	errorPage hws.ErrorPageFunc,
 ) (*Authenticator[T], error) {
 	if load == nil {
 		return nil, errors.New("No function to load model supplied")
@@ -51,43 +48,70 @@ func NewAuthenticator[T Model](
 	if errorPage == nil {
 		return nil, errors.New("No ErrorPage provided")
 	}
+
+	// Validate config
+	if cfg == nil {
+		return nil, errors.New("Config is required")
+	}
+	if cfg.SecretKey == "" {
+		return nil, errors.New("SecretKey is required")
+	}
+	if cfg.SSL && cfg.TrustedHost == "" {
+		return nil, errors.New("TrustedHost is required when SSL is enabled")
+	}
+	if cfg.AccessTokenExpiry == 0 {
+		cfg.AccessTokenExpiry = 5
+	}
+	if cfg.RefreshTokenExpiry == 0 {
+		cfg.RefreshTokenExpiry = 1440
+	}
+	if cfg.TokenFreshTime == 0 {
+		cfg.TokenFreshTime = 5
+	}
+	if cfg.LandingPage == "" {
+		cfg.LandingPage = "/profile"
+	}
+
+	// Cast DBConnection to *sql.DB
+	// DBConnection is satisfied by *sql.DB, so this cast should be safe for standard usage
+	sqlDB, ok := conn.(*sql.DB)
+	if !ok {
+		return nil, errors.New("DBConnection must be *sql.DB for JWT token generation")
+	}
+
+	// Configure JWT table
+	tableConfig := jwt.DefaultTableConfig()
+	if cfg.JWTTableName != "" {
+		tableConfig.TableName = cfg.JWTTableName
+	}
+
+	// Create token generator
+	tokenGen, err := jwt.CreateGenerator(jwt.GeneratorConfig{
+		AccessExpireAfter:  cfg.AccessTokenExpiry,
+		RefreshExpireAfter: cfg.RefreshTokenExpiry,
+		FreshExpireAfter:   cfg.TokenFreshTime,
+		TrustedHost:        cfg.TrustedHost,
+		SecretKey:          cfg.SecretKey,
+		DBConn:             sqlDB,
+		DBType: jwt.DatabaseType{
+			Type:    cfg.DatabaseType,
+			Version: cfg.DatabaseVersion,
+		},
+		TableConfig: tableConfig,
+	})
+	if err != nil {
+		return nil, errors.Wrap(err, "jwt.CreateGenerator")
+	}
+
 	auth := Authenticator[T]{
-		load:               load,
-		server:             server,
-		conn:               conn,
-		logger:             logger,
-		errorPage:          errorPage,
-		AccessTokenExpiry:  5,
-		RefreshTokenExpiry: 1440,
-		TokenFreshTime:     5,
-		SSL:                true,
+		tokenGenerator: tokenGen,
+		load:           load,
+		server:         server,
+		conn:           conn,
+		logger:         logger,
+		errorPage:      errorPage,
+		SSL:            cfg.SSL,
+		LandingPage:    cfg.LandingPage,
 	}
 	return &auth, nil
 }
-
-// Initialise finishes the setup and prepares the Authenticator for use.
-// Any custom configuration must be set before Initialise is called
-func (auth *Authenticator[T]) Initialise() error {
-	if auth.TrustedHost == "" {
-		return errors.New("Trusted host must be provided")
-	}
-	if auth.SecretKey == "" {
-		return errors.New("Secret key cannot be blank")
-	}
-	if auth.LandingPage == "" {
-		return errors.New("No landing page specified")
-	}
-	tokenGen, err := jwt.CreateGenerator(
-		auth.AccessTokenExpiry,
-		auth.RefreshTokenExpiry,
-		auth.TokenFreshTime,
-		auth.TrustedHost,
-		auth.SecretKey,
-		auth.conn,
-	)
-	if err != nil {
-		return errors.Wrap(err, "jwt.CreateGenerator")
-	}
-	auth.tokenGenerator = tokenGen
-	return nil
-}

hwsauth/config.go

@@ -0,0 +1,46 @@
+package hwsauth
+
+import (
+	"git.haelnorr.com/h/golib/env"
+	"git.haelnorr.com/h/golib/jwt"
+	"github.com/pkg/errors"
+)
+
+type Config struct {
+	SSL                bool   // ENV HWSAUTH_SSL: Flag for SSL Mode (default: false)
+	TrustedHost        string // ENV HWSAUTH_TRUSTED_HOST: Full server address to accept as trusted SSL host (required if SSL is true)
+	SecretKey          string // ENV HWSAUTH_SECRET_KEY: Secret key for signing tokens (required)
+	AccessTokenExpiry  int64  // ENV HWSAUTH_ACCESS_TOKEN_EXPIRY: Access token expiry in minutes (default: 5)
+	RefreshTokenExpiry int64  // ENV HWSAUTH_REFRESH_TOKEN_EXPIRY: Refresh token expiry in minutes (default: 1440)
+	TokenFreshTime     int64  // ENV HWSAUTH_TOKEN_FRESH_TIME: Time for tokens to stay fresh in minutes (default: 5)
+	LandingPage        string // ENV HWSAUTH_LANDING_PAGE: Path of the desired landing page for logged in users (default: "/profile")
+	DatabaseType       string // ENV HWSAUTH_DATABASE_TYPE: Database type (postgres, mysql, sqlite, mariadb) (default: "postgres")
+	DatabaseVersion    string // ENV HWSAUTH_DATABASE_VERSION: Database version (default: "15")
+	JWTTableName       string // ENV HWSAUTH_JWT_TABLE_NAME: JWT blacklist table name (default: "jwtblacklist")
+}
+
+func ConfigFromEnv() (*Config, error) {
+	ssl := env.Bool("HWSAUTH_SSL", false)
+	trustedHost := env.String("HWS_TRUSTED_HOST", "")
+	if ssl && trustedHost == "" {
+		return nil, errors.New("SSL is enabled and no HWS_TRUSTED_HOST set")
+	}
+	cfg := &Config{
+		SSL:                ssl,
+		TrustedHost:        trustedHost,
+		SecretKey:          env.String("HWSAUTH_SECRET_KEY", ""),
+		AccessTokenExpiry:  env.Int64("HWSAUTH_ACCESS_TOKEN_EXPIRY", 5),
+		RefreshTokenExpiry: env.Int64("HWSAUTH_REFRESH_TOKEN_EXPIRY", 1440),
+		TokenFreshTime:     env.Int64("HWSAUTH_TOKEN_FRESH_TIME", 5),
+		LandingPage:        env.String("HWSAUTH_LANDING_PAGE", "/profile"),
+		DatabaseType:       env.String("HWSAUTH_DATABASE_TYPE", jwt.DatabasePostgreSQL),
+		DatabaseVersion:    env.String("HWSAUTH_DATABASE_VERSION", "15"),
+		JWTTableName:       env.String("HWSAUTH_JWT_TABLE_NAME", "jwtblacklist"),
+	}
+
+	if cfg.SecretKey == "" {
+		return nil, errors.New("Envar not set: HWSAUTH_SECRET_KEY")
+	}
+
+	return cfg, nil
+}

hwsauth/db.go

@@ -0,0 +1,27 @@
+package hwsauth
+
+import (
+	"context"
+	"database/sql"
+)
+
+// DBTransaction represents a database transaction that can be committed or rolled back.
+// This interface can be implemented by standard library sql.Tx, or by ORM transactions
+// from libraries like bun, gorm, sqlx, etc.
+type DBTransaction interface {
+	Commit() error
+	Rollback() error
+}
+
+// DBConnection represents a database connection that can begin transactions.
+// This interface can be implemented by standard library sql.DB, or by ORM connections
+// from libraries like bun, gorm, sqlx, etc.
+type DBConnection interface {
+	BeginTx(ctx context.Context, opts *sql.TxOptions) (DBTransaction, error)
+}
+
+// Ensure *sql.Tx implements DBTransaction
+var _ DBTransaction = (*sql.Tx)(nil)
+
+// Ensure *sql.DB implements DBConnection
+var _ DBConnection = (*sql.DB)(nil)

hwsauth/go.mod

@@ -4,16 +4,24 @@ go 1.25.5
 
 require (
 	git.haelnorr.com/h/golib/cookies v0.9.0
-	git.haelnorr.com/h/golib/jwt v0.9.2
+	git.haelnorr.com/h/golib/env v0.9.1
 	git.haelnorr.com/h/golib/hws v0.1.0
+	git.haelnorr.com/h/golib/jwt v0.9.2
 	github.com/pkg/errors v0.9.1
 	github.com/rs/zerolog v1.34.0
 )
 
+replace git.haelnorr.com/h/golib/hws => ../hws
+
 require (
+	git.haelnorr.com/h/golib/hlog v0.9.0 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.19 // indirect
 	golang.org/x/sys v0.12.0 // indirect
+	k8s.io/apimachinery v0.35.0 // indirect
+	k8s.io/klog/v2 v2.130.1 // indirect
+	k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 // indirect
 )

hwsauth/go.sum

@@ -1,7 +1,9 @@
 git.haelnorr.com/h/golib/cookies v0.9.0 h1:Vf+eX1prHkKuGrQon1BHY87yaPc1H+HJFRXDOV/AuWs=
 git.haelnorr.com/h/golib/cookies v0.9.0/go.mod h1:y1385YExI9gLwckCVDCYVcsFXr6N7T3brJjnJD2QIuo=
-git.haelnorr.com/h/golib/hws v0.1.0 h1:+0eNq1uGWrGfbS5AgHeGoGDjVfCWuaVu+1wBxgPqyOY=
-git.haelnorr.com/h/golib/hws v0.1.0/go.mod h1:b2pbkMaebzmck9TxqGBGzTJPEcB5TWcEHwFknLE7dqM=
+git.haelnorr.com/h/golib/env v0.9.1 h1:2Vsj+mJKnO5f1Md1GO5v9ggLN5zWa0baCewcSHTjoNY=
+git.haelnorr.com/h/golib/env v0.9.1/go.mod h1:glUQVdA1HMKX1avTDyTyuhcr36SSxZtlJxKDT5KTztg=
+git.haelnorr.com/h/golib/hlog v0.9.0 h1:ib8n2MdmiRK2TF067p220kXmhDe9aAnlcsgpuv+QpvE=
+git.haelnorr.com/h/golib/hlog v0.9.0/go.mod h1:oOlzb8UVHUYP1k7dN5PSJXVskAB2z8EYgRN85jAi0Zk=
 git.haelnorr.com/h/golib/jwt v0.9.2 h1:l1Ow7DPGACAU54CnMP/NlZjdc4nRD1wr3xZ8a7taRvU=
 git.haelnorr.com/h/golib/jwt v0.9.2/go.mod h1:fbuPrfucT9lL0faV5+Q5Gk9WFJxPlwzRPpbMQKYZok4=
 github.com/DATA-DOG/go-sqlmock v1.5.2 h1:OcvFkGmslmlZibjAjaHm3L//6LiuBgolP7OputlJIzU=
@@ -9,6 +11,8 @@ github.com/DATA-DOG/go-sqlmock v1.5.2/go.mod h1:88MAG/4G7SMwSE3CeA0ZKzrT5CiOU3OJ
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
@@ -34,3 +38,9 @@ golang.org/x/sys v0.12.0 h1:CM0HF96J0hcLAwsHPJZjfdNzs0gftsLfgKt57wWHJ0o=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+k8s.io/apimachinery v0.35.0 h1:Z2L3IHvPVv/MJ7xRxHEtk6GoJElaAqDCCU0S6ncYok8=
+k8s.io/apimachinery v0.35.0/go.mod h1:jQCgFZFR1F4Ik7hvr2g84RTJSZegBc8yHgFWKn//hns=
+k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
+k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4 h1:SjGebBtkBqHFOli+05xYbK8YF1Dzkbzn+gDM4X9T4Ck=
+k8s.io/utils v0.0.0-20251002143259-bc988d571ff4/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=

hwsauth/logout.go

@@ -1,14 +1,13 @@
 package hwsauth
 
 import (
-	"database/sql"
 	"net/http"
 
 	"git.haelnorr.com/h/golib/cookies"
 	"github.com/pkg/errors"
 )
 
-func (auth *Authenticator[T]) Logout(tx *sql.Tx, w http.ResponseWriter, r *http.Request) error {
+func (auth *Authenticator[T]) Logout(tx DBTransaction, w http.ResponseWriter, r *http.Request) error {
 	aT, rT, err := auth.getTokens(tx, r)
 	if err != nil {
 		return errors.Wrap(err, "auth.getTokens")

hwsauth/middleware.go

@@ -23,7 +23,7 @@ func (auth *Authenticator[T]) authenticate() hws.MiddlewareFunc {
 		// Start the transaction
 		tx, err := auth.conn.BeginTx(ctx, nil)
 		if err != nil {
-			return nil, hws.NewError(http.StatusServiceUnavailable, "Unable to start transaction", err)
+			return nil, &hws.HWSError{Message: "Unable to start transaction", StatusCode: http.StatusServiceUnavailable, Error: err}
 		}
 		model, err := auth.getAuthenticatedUser(tx, w, r)
 		if err != nil {

hwsauth/model.go

@@ -2,7 +2,6 @@ package hwsauth
 
 import (
 	"context"
-	"database/sql"
 )
 
 type authenticatedModel[T Model] struct {
@@ -21,26 +20,39 @@ type Model interface {
 
 type ContextLoader[T Model] func(ctx context.Context) T
 
-type LoadFunc[T Model] func(tx *sql.Tx, id int) (T, error)
+type LoadFunc[T Model] func(tx DBTransaction, id int) (T, error)
 
 // Return a new context with the user added in
-func setAuthenticatedModel[T Model](ctx context.Context, m *authenticatedModel[T]) context.Context {
+func setAuthenticatedModel[T Model](ctx context.Context, m authenticatedModel[T]) context.Context {
 	return context.WithValue(ctx, "hwsauth context key authenticated-model", m)
 }
 
 // Retrieve a user from the given context. Returns nil if not set
-func getAuthorizedModel[T Model](ctx context.Context) *authenticatedModel[T] {
-	model, ok := ctx.Value("hwsauth context key authenticated-model").(*authenticatedModel[T])
-	if !ok {
-		return nil
+func getAuthorizedModel[T Model](ctx context.Context) (model authenticatedModel[T], ok bool) {
+	defer func() {
+		if r := recover(); r != nil {
+			// panic happened, return ok = false
+			ok = false
+			model = authenticatedModel[T]{}
+		}
+	}()
+	model, cok := ctx.Value("hwsauth context key authenticated-model").(authenticatedModel[T])
+	if !cok {
+		return authenticatedModel[T]{}, false
 	}
-	return model
+	return model, true
 }
 
 func (auth *Authenticator[T]) CurrentModel(ctx context.Context) T {
-	model := getAuthorizedModel[T](ctx)
-	if model == nil {
+	auth.logger.Debug().Any("context", ctx).Msg("")
+	if ctx == nil {
 		return getNil[T]()
 	}
+	model, ok := getAuthorizedModel[T](ctx)
+	if !ok {
+		result := getNil[T]()
+		auth.logger.Debug().Any("model", result).Msg("")
+		return result
+	}
 	return model.model
 }

hwsauth/protectpage.go

@@ -3,14 +3,33 @@ package hwsauth
 import (
 	"net/http"
 	"time"
+
+	"git.haelnorr.com/h/golib/hws"
 )
 
 // Checks if the model is set in the context and shows 401 page if not logged in
 func (auth *Authenticator[T]) LoginReq(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		model := getAuthorizedModel[T](r.Context())
-		if model == nil {
-			auth.errorPage(http.StatusUnauthorized, w, r)
+		_, ok := getAuthorizedModel[T](r.Context())
+		if !ok {
+			page, err := auth.errorPage(http.StatusUnauthorized)
+			if err != nil {
+				auth.server.ThrowError(w, r, hws.HWSError{
+					Error:           err,
+					Message:         "Failed to get valid error page",
+					StatusCode:      http.StatusInternalServerError,
+					RenderErrorPage: true,
+				})
+			}
+			err = page.Render(r.Context(), w)
+			if err != nil {
+				auth.server.ThrowError(w, r, hws.HWSError{
+					Error:           err,
+					Message:         "Failed to render error page",
+					StatusCode:      http.StatusInternalServerError,
+					RenderErrorPage: true,
+				})
+			}
 			return
 		}
 		next.ServeHTTP(w, r)
@@ -21,8 +40,8 @@ func (auth *Authenticator[T]) LoginReq(next http.Handler) http.Handler {
 // they are logged in
 func (auth *Authenticator[T]) LogoutReq(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		model := getAuthorizedModel[T](r.Context())
-		if model != nil {
+		_, ok := getAuthorizedModel[T](r.Context())
+		if ok {
 			http.Redirect(w, r, auth.LandingPage, http.StatusFound)
 			return
 		}
@@ -30,9 +49,33 @@ func (auth *Authenticator[T]) LogoutReq(next http.Handler) http.Handler {
 	})
 }
 
+// FreshReq protects a route from access if the auth token is not fresh.
+// A status code of 444 will be written to the header and the request will be terminated.
+// As an example, this can be used on the client to show a confirm password dialog to refresh their login
 func (auth *Authenticator[T]) FreshReq(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		model := getAuthorizedModel[T](r.Context())
+		model, ok := getAuthorizedModel[T](r.Context())
+		if !ok {
+			page, err := auth.errorPage(http.StatusUnauthorized)
+			if err != nil {
+				auth.server.ThrowError(w, r, hws.HWSError{
+					Error:           err,
+					Message:         "Failed to get valid error page",
+					StatusCode:      http.StatusInternalServerError,
+					RenderErrorPage: true,
+				})
+			}
+			err = page.Render(r.Context(), w)
+			if err != nil {
+				auth.server.ThrowError(w, r, hws.HWSError{
+					Error:           err,
+					Message:         "Failed to render error page",
+					StatusCode:      http.StatusInternalServerError,
+					RenderErrorPage: true,
+				})
+			}
+			return
+		}
 		isFresh := time.Now().Before(time.Unix(model.fresh, 0))
 		if !isFresh {
 			w.WriteHeader(444)

hwsauth/reauthenticate.go

@@ -1,14 +1,13 @@
 package hwsauth
 
 import (
-	"database/sql"
 	"net/http"
 
 	"git.haelnorr.com/h/golib/jwt"
 	"github.com/pkg/errors"
 )
 
-func (auth *Authenticator[T]) RefreshAuthTokens(tx *sql.Tx, w http.ResponseWriter, r *http.Request) error {
+func (auth *Authenticator[T]) RefreshAuthTokens(tx DBTransaction, w http.ResponseWriter, r *http.Request) error {
 	aT, rT, err := auth.getTokens(tx, r)
 	if err != nil {
 		return errors.Wrap(err, "getTokens")
@@ -32,7 +31,7 @@ func (auth *Authenticator[T]) RefreshAuthTokens(tx *sql.Tx, w http.ResponseWrite
 
 // Get the tokens from the request
 func (auth *Authenticator[T]) getTokens(
-	tx *sql.Tx,
+	tx DBTransaction,
 	r *http.Request,
 ) (*jwt.AccessToken, *jwt.RefreshToken, error) {
 	// get the existing tokens from the cookies
@@ -50,7 +49,7 @@ func (auth *Authenticator[T]) getTokens(
 
 // Revoke the given token pair
 func revokeTokenPair(
-	tx *sql.Tx,
+	tx DBTransaction,
 	aT *jwt.AccessToken,
 	rT *jwt.RefreshToken,
 ) error {

hwsauth/refreshtokens.go

@@ -1,7 +1,6 @@
 package hwsauth
 
 import (
-	"database/sql"
 	"net/http"
 
 	"git.haelnorr.com/h/golib/jwt"
@@ -10,7 +9,7 @@ import (
 
 // Attempt to use a valid refresh token to generate a new token pair
 func (auth *Authenticator[T]) refreshAuthTokens(
-	tx *sql.Tx,
+	tx DBTransaction,
 	w http.ResponseWriter,
 	r *http.Request,
 	rT *jwt.RefreshToken,