Added reauthentication (token freshness) and protected username change

contexts/user.go

@@ -5,14 +5,19 @@ import (
 	"projectreshoot/db"
 )
 
+type AuthenticatedUser struct {
+	*db.User
+	Fresh int64
+}
+
 // Return a new context with the user added in
-func SetUser(ctx context.Context, u *db.User) context.Context {
+func SetUser(ctx context.Context, u *AuthenticatedUser) context.Context {
 	return context.WithValue(ctx, contextKeyAuthorizedUser, u)
 }
 
 // Retrieve a user from the given context. Returns nil if not set
-func GetUser(ctx context.Context) *db.User {
+func GetUser(ctx context.Context) *AuthenticatedUser {
-	user, ok := ctx.Value(contextKeyAuthorizedUser).(*db.User)
+	user, ok := ctx.Value(contextKeyAuthorizedUser).(*AuthenticatedUser)
 	if !ok {
 		return nil
 	}

handlers/account.go

@@ -12,6 +12,7 @@ import (
 	"github.com/rs/zerolog"
 )
 
+// Renders the account page on the 'General' subpage
 func HandleAccountPage() http.Handler {
 	return http.HandlerFunc(
 		func(w http.ResponseWriter, r *http.Request) {
@@ -20,6 +21,7 @@ func HandleAccountPage() http.Handler {
 	)
 }
 
+// Handles a request to change the subpage for the Account page
 func HandleAccountSubpage() http.Handler {
 	return http.HandlerFunc(
 		func(w http.ResponseWriter, r *http.Request) {
@@ -30,6 +32,7 @@ func HandleAccountSubpage() http.Handler {
 	)
 }
 
+// Handles a request to change the users username
 func HandleChangeUsername(
 	logger *zerolog.Logger,
 	conn *sql.DB,

handlers/reauthenticatate.go

@@ -0,0 +1,119 @@
+package handlers
+
+import (
+	"database/sql"
+	"net/http"
+
+	"projectreshoot/config"
+	"projectreshoot/contexts"
+	"projectreshoot/cookies"
+	"projectreshoot/jwt"
+	"projectreshoot/view/component/form"
+
+	"github.com/pkg/errors"
+	"github.com/rs/zerolog"
+)
+
+// Get the tokens from the request
+func getTokens(
+	config *config.Config,
+	conn *sql.DB,
+	r *http.Request,
+) (*jwt.AccessToken, *jwt.RefreshToken, error) {
+	// get the existing tokens from the cookies
+	atStr, rtStr := cookies.GetTokenStrings(r)
+	aT, err := jwt.ParseAccessToken(config, conn, atStr)
+	if err != nil {
+		return nil, nil, errors.Wrap(err, "jwt.ParseAccessToken")
+	}
+	rT, err := jwt.ParseRefreshToken(config, conn, rtStr)
+	if err != nil {
+		return nil, nil, errors.Wrap(err, "jwt.ParseRefreshToken")
+	}
+	return aT, rT, nil
+}
+
+// Revoke the given token pair
+func revokeTokenPair(
+	conn *sql.DB,
+	aT *jwt.AccessToken,
+	rT *jwt.RefreshToken,
+) error {
+	err := jwt.RevokeToken(conn, aT)
+	if err != nil {
+		return errors.Wrap(err, "jwt.RevokeToken")
+	}
+	err = jwt.RevokeToken(conn, rT)
+	if err != nil {
+		return errors.Wrap(err, "jwt.RevokeToken")
+	}
+	return nil
+}
+
+// Issue new tokens for the user, invalidating the old ones
+func refreshTokens(
+	config *config.Config,
+	conn *sql.DB,
+	w http.ResponseWriter,
+	r *http.Request,
+) error {
+	aT, rT, err := getTokens(config, conn, r)
+	if err != nil {
+		return errors.Wrap(err, "getTokens")
+	}
+	rememberMe := map[string]bool{
+		"session": false,
+		"exp":     true,
+	}[aT.TTL]
+	// issue new tokens for the user
+	user := contexts.GetUser(r.Context())
+	err = cookies.SetTokenCookies(w, r, config, user.User, true, rememberMe)
+	if err != nil {
+		return errors.Wrap(err, "cookies.SetTokenCookies")
+	}
+	err = revokeTokenPair(conn, aT, rT)
+	if err != nil {
+		return errors.Wrap(err, "revokeTokenPair")
+	}
+
+	return nil
+}
+
+// Validate the provided password
+func validatePassword(
+	r *http.Request,
+) error {
+	r.ParseForm()
+	password := r.FormValue("password")
+	user := contexts.GetUser(r.Context())
+	err := user.CheckPassword(password)
+	if err != nil {
+		return errors.Wrap(err, "user.CheckPassword")
+	}
+	return nil
+}
+
+// Handle request to reauthenticate (i.e. make token fresh again)
+func HandleReauthenticate(
+	logger *zerolog.Logger,
+	config *config.Config,
+	conn *sql.DB,
+) http.Handler {
+	return http.HandlerFunc(
+		func(w http.ResponseWriter, r *http.Request) {
+			err := validatePassword(r)
+			if err != nil {
+				w.WriteHeader(445)
+				form.ConfirmPassword("Incorrect password").Render(r.Context(), w)
+				return
+			}
+			err = refreshTokens(config, conn, w, r)
+			if err != nil {
+				logger.Error().Err(err).Msg("Failed to refresh user tokens")
+				w.WriteHeader(http.StatusInternalServerError)
+				return
+			}
+			w.WriteHeader(http.StatusOK)
+		},
+	)
+}

middleware/authentication.go

@@ -3,6 +3,7 @@ package middleware
 import (
 	"database/sql"
 	"net/http"
+	"time"
 
 	"projectreshoot/config"
 	"projectreshoot/contexts"
@@ -52,7 +53,7 @@ func getAuthenticatedUser(
 	conn *sql.DB,
 	w http.ResponseWriter,
 	r *http.Request,
-) (*db.User, error) {
+) (*contexts.AuthenticatedUser, error) {
 	// Get token strings from cookies
 	atStr, rtStr := cookies.GetTokenStrings(r)
 	// Attempt to parse the access token
@@ -69,14 +70,22 @@ func getAuthenticatedUser(
 			return nil, errors.Wrap(err, "refreshAuthTokens")
 		}
 		// New token pair sent, return the authorized user
-		return user, nil
+		authUser := contexts.AuthenticatedUser{
+			User:  user,
+			Fresh: time.Now().Unix(),
+		}
+		return &authUser, nil
 	}
 	// Access token valid
 	user, err := aT.GetUser(conn)
 	if err != nil {
 		return nil, errors.Wrap(err, "rT.GetUser")
 	}
-	return user, nil
+	authUser := contexts.AuthenticatedUser{
+		User:  user,
+		Fresh: aT.Fresh,
+	}
+	return &authUser, nil
 }
 
 // Attempt to authenticate the user and add their account details

middleware/reauthentication.go

@@ -0,0 +1,21 @@
+package middleware
+
+import (
+	"net/http"
+	"projectreshoot/contexts"
+	"time"
+)
+
+func RequiresFresh(
+	next http.Handler,
+) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		user := contexts.GetUser(r.Context())
+		isFresh := time.Now().Before(time.Unix(user.Fresh, 0))
+		if !isFresh {
+			w.WriteHeader(444)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}

server/routes.go

@@ -77,6 +77,12 @@ func addRoutes(
 		))
 	mux.Handle("POST /change-username",
 		middleware.RequiresLogin(
+			middleware.RequiresFresh(
 				handlers.HandleChangeUsername(logger, conn),
+			),
+		))
+	mux.Handle("POST /reauthenticate",
+		middleware.RequiresLogin(
+			handlers.HandleReauthenticate(logger, config, conn),
 		))
 }

view/component/form/confirmpass.templ

@@ -0,0 +1,84 @@
+package form
+
+import "fmt"
+
+templ ConfirmPassword(err string) {
+	{{
+	xdata := fmt.Sprintf(
+		"{ errMsg: '%s'}",
+		err,
+	)
+	}}
+	<form
+		hx-post="/reauthenticate"
+		x-data="{ submitted: false, buttontext: 'Confirm' }"
+		x-on:htmx:xhr:loadstart="submitted=true;buttontext='Loading...'"
+	>
+		<div
+			class="grid gap-y-4"
+			x-data={ xdata }
+		>
+			<div class="mt-5">
+				<div class="relative">
+					<input
+						type="password"
+						id="password"
+						name="password"
+						class="py-3 px-4 block w-full rounded-lg text-sm
+                        focus:border-blue focus:ring-blue bg-base
+                        disabled:opacity-50 disabled:pointer-events-none"
+						placeholder="Confirm password"
+						required
+						aria-describedby="password-error"
+					/>
+					<div
+						class="absolute inset-y-0 end-0 
+                        pointer-events-none pe-3 pt-3"
+						x-show="errMsg"
+						x-cloak
+					>
+						<svg
+							class="size-5 text-red"
+							width="16"
+							height="16"
+							fill="currentColor"
+							viewBox="0 0 16 16"
+							aria-hidden="true"
+						>
+							<path
+								d="M16 8A8 8 0 1 1 0 8a8 8 0 0 1 16 0zM8 
+                                4a.905.905 0 0 0-.9.995l.35 3.507a.552.552 0 0
+                                0 1.1 0l.35-3.507A.905.905 0 0 0 8 4zm.002 6a1
+                                1 0 1 0 0 2 1 1 0 0 0 0-2z"
+							></path>
+						</svg>
+					</div>
+				</div>
+				<p
+					class="text-center text-xs text-red mt-2"
+					id="password-error"
+					x-show="errMsg"
+					x-cloak
+					x-text="errMsg"
+				></p>
+			</div>
+			<button
+				x-bind:disabled="submitted"
+				x-text="buttontext"
+				type="submit"
+				class="w-full py-3 px-4 inline-flex justify-center items-center 
+                gap-x-2 rounded-lg border border-transparent transition
+                bg-blue hover:bg-blue/75 text-mantle hover:cursor-pointer
+                disabled:bg-blue/60 disabled:cursor-default"
+			></button>
+			<button
+				type="button"
+				class="w-full py-3 px-4 inline-flex justify-center items-center 
+                gap-x-2 rounded-lg border border-transparent transition
+                bg-surface2 hover:bg-surface1 hover:cursor-pointer
+                disabled:cursor-default"
+				@click="showConfirmPasswordModal=false"
+			>Cancel</button>
+		</div>
+	</form>
+}

view/component/popup/confirmPasswordModal.templ

@@ -0,0 +1,20 @@
+
+package popup
+
+import "projectreshoot/view/component/form"
+
+templ ConfirmPasswordModal() {
+	<div
+		class="z-50 absolute bg-overlay0/55 top-0 left-0 right-0 bottom-0"
+		x-show="showConfirmPasswordModal"
+	>
+		<div
+			class="p-5 mt-25 w-fit max-w-100 text-center rounded-lg bg-mantle mx-auto"
+		>
+			<div class="text-xl">
+				To complete this action you need to confirm your password
+			</div>
+			@form.ConfirmPassword("")
+		</div>
+	</div>
+}

view/component/popup/errorPopup.templ

@@ -1,4 +1,4 @@
-package component
+package popup
 
 templ ErrorPopup() {
 	<div

view/layout/global.templ

@@ -2,7 +2,7 @@ package layout
 
 import "projectreshoot/view/component/nav"
 import "projectreshoot/view/component/footer"
-import "projectreshoot/view/component"
+import "projectreshoot/view/component/popup"
 
 // Global page layout. Includes HTML document settings, header tags
 // navbar and footer
@@ -40,16 +40,50 @@ templ Global() {
 			<script src="https://unpkg.com/alpinejs" defer></script>
 			<script>
                 // uncomment this line to enable logging of htmx events
-                //htmx.logAll();
+                // htmx.logAll();
+            </script>
+			<script>
+                const popups = {
+                    showError: false,
+                    showConfirmPasswordModal: false,
+                    handleHtmxBeforeOnLoad(event) {
+                        const requestPath = event.detail.pathInfo.requestPath;
+                        if (requestPath === "/reauthenticate") {
+                            // handle password incorrect on refresh attempt
+                            if (event.detail.xhr.status === 445) {
+                                event.detail.shouldSwap = true;
+                                event.detail.isError = false;
+                            } else if (event.detail.xhr.status === 200) {
+                                this.showConfirmPasswordModal = false;
+                            }
+                        }
+                    },
+                    // handle errors from the server on HTMX requests
+                    handleHtmxError(event) {
+                        const errorCode = event.detail.errorInfo.error;
+                  
+                        // internal server error 
+                        if (errorCode.includes('Code 500')) {
+                            this.showError = true;
+                            setTimeout(() => this.showError = false, 6000);
+                        }
+                  
+                        // user is authorized but needs to refresh their login
+                        if (errorCode.includes('Code 444')) {
+                            this.showConfirmPasswordModal = true;
+                        }
+                    },
+                };
             </script>
 		</head>
 		<body
 			class="bg-base text-text ubuntu-mono-regular overflow-x-hidden"
-			x-data="{ showError: false }"
+			x-data="popups"
-			x-on:htmx:error="if ($event.detail.errorInfo.error.includes('Code 500'))
+			x-on:htmx:error="handleHtmxError($event)"
-            showError = true; setTimeout(() => showError = false, 6000)"
+			x-on:htmx:before-on-load="handleHtmxBeforeOnLoad($event)"
 		>
-			@component.ErrorPopup()
+			@popup.ErrorPopup()
+			@popup.ConfirmPasswordModal()
 			<div
 				id="main-content"
 				class="flex flex-col h-screen justify-between"