197 lines
5.1 KiB
Go
197 lines
5.1 KiB
Go
package handler
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"encoding/hex"
|
|
"net/http"
|
|
"time"
|
|
|
|
"dealroom/templates"
|
|
|
|
"golang.org/x/crypto/bcrypt"
|
|
)
|
|
|
|
func (h *Handler) handleLoginPage(w http.ResponseWriter, r *http.Request) {
|
|
// If already logged in, redirect to dashboard
|
|
cookie, err := r.Cookie("session")
|
|
if err == nil && cookie.Value != "" {
|
|
var count int
|
|
h.db.QueryRow("SELECT COUNT(*) FROM sessions WHERE token = ? AND expires_at > datetime('now')", cookie.Value).Scan(&count)
|
|
if count > 0 {
|
|
http.Redirect(w, r, "/", http.StatusSeeOther)
|
|
return
|
|
}
|
|
}
|
|
templates.Login().Render(r.Context(), w)
|
|
}
|
|
|
|
func (h *Handler) handleLogin(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodPost {
|
|
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
email := r.FormValue("email")
|
|
password := r.FormValue("password")
|
|
|
|
var userID string
|
|
var passHash string
|
|
err := h.db.QueryRow("SELECT id, password_hash FROM profiles WHERE email = ?", email).Scan(&userID, &passHash)
|
|
if err != nil || bcrypt.CompareHashAndPassword([]byte(passHash), []byte(password)) != nil {
|
|
http.Redirect(w, r, "/login?error=invalid", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
h.createSession(w, userID)
|
|
http.Redirect(w, r, "/", http.StatusSeeOther)
|
|
}
|
|
|
|
func hashPassword(password string) (string, error) {
|
|
hash, err := bcrypt.GenerateFromPassword([]byte(password), 12)
|
|
if err != nil {
|
|
return "", err
|
|
}
|
|
return string(hash), nil
|
|
}
|
|
|
|
func (h *Handler) handleLogout(w http.ResponseWriter, r *http.Request) {
|
|
cookie, err := r.Cookie("session")
|
|
if err == nil {
|
|
h.db.Exec("DELETE FROM sessions WHERE token = ?", cookie.Value)
|
|
}
|
|
http.SetCookie(w, &http.Cookie{Name: "session", Value: "", MaxAge: -1, Path: "/"})
|
|
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
|
}
|
|
|
|
func (h *Handler) createSession(w http.ResponseWriter, userID string) {
|
|
token := generateToken()
|
|
expires := time.Now().Add(24 * time.Hour)
|
|
h.db.Exec("INSERT INTO sessions (token, user_id, expires_at) VALUES (?, ?, ?)", token, userID, expires)
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: "session",
|
|
Value: token,
|
|
Path: "/",
|
|
Expires: expires,
|
|
HttpOnly: true,
|
|
SameSite: http.SameSiteLaxMode,
|
|
})
|
|
}
|
|
|
|
func (h *Handler) handleViewToggle(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodPost {
|
|
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
|
|
return
|
|
}
|
|
|
|
profile := getProfile(r.Context())
|
|
if profile.Role != "owner" && profile.Role != "admin" {
|
|
http.Error(w, "Forbidden", http.StatusForbidden)
|
|
return
|
|
}
|
|
|
|
// Toggle the cookie
|
|
current := false
|
|
if c, err := r.Cookie("view_as_buyer"); err == nil && c.Value == "1" {
|
|
current = true
|
|
}
|
|
|
|
value := "1"
|
|
if current {
|
|
value = ""
|
|
}
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: "view_as_buyer",
|
|
Value: value,
|
|
Path: "/",
|
|
HttpOnly: true,
|
|
SameSite: http.SameSiteLaxMode,
|
|
})
|
|
|
|
// Redirect back to referrer or dashboard
|
|
ref := r.Header.Get("Referer")
|
|
if ref == "" {
|
|
ref = "/"
|
|
}
|
|
http.Redirect(w, r, ref, http.StatusSeeOther)
|
|
}
|
|
|
|
func generateToken() string {
|
|
b := make([]byte, 32)
|
|
rand.Read(b)
|
|
return hex.EncodeToString(b)
|
|
}
|
|
|
|
func (h *Handler) handleSignupPage(w http.ResponseWriter, r *http.Request) {
|
|
// If already logged in, redirect to dashboard
|
|
cookie, err := r.Cookie("session")
|
|
if err == nil && cookie.Value != "" {
|
|
var count int
|
|
h.db.QueryRow("SELECT COUNT(*) FROM sessions WHERE token = ? AND expires_at > datetime('now')", cookie.Value).Scan(&count)
|
|
if count > 0 {
|
|
http.Redirect(w, r, "/", http.StatusSeeOther)
|
|
return
|
|
}
|
|
}
|
|
templates.Signup().Render(r.Context(), w)
|
|
}
|
|
|
|
func (h *Handler) handleSignup(w http.ResponseWriter, r *http.Request) {
|
|
if r.Method != http.MethodPost {
|
|
http.Redirect(w, r, "/signup", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
// Parse form
|
|
err := r.ParseForm()
|
|
if err != nil {
|
|
http.Redirect(w, r, "/signup", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
orgName := r.FormValue("org_name")
|
|
name := r.FormValue("name")
|
|
email := r.FormValue("email")
|
|
password := r.FormValue("password")
|
|
|
|
// Create organization
|
|
orgID := generateID()
|
|
_, err = h.db.Exec(`INSERT INTO organizations (id, name, slug) VALUES (?, ?, ?)`, orgID, orgName, orgName)
|
|
if err != nil {
|
|
http.Redirect(w, r, "/signup", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
// Create user
|
|
hashedPassword, _ := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
|
|
userID := generateID()
|
|
_, err = h.db.Exec(`INSERT INTO profiles (id, email, full_name, role, organization_id, hashed_password) VALUES (?, ?, ?, ?, ?, ?)`,
|
|
userID, email, name, "owner", orgID, hashedPassword)
|
|
if err != nil {
|
|
http.Redirect(w, r, "/signup", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
// Auto login
|
|
token := make([]byte, 32)
|
|
rand.Read(token)
|
|
tokenHex := hex.EncodeToString(token)
|
|
|
|
_, err = h.db.Exec(`INSERT INTO sessions (id, user_id, token, expires_at) VALUES (?, ?, ?, datetime('now', '+24 hours'))`,
|
|
generateID(), userID, tokenHex)
|
|
if err != nil {
|
|
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
http.SetCookie(w, &http.Cookie{
|
|
Name: "session",
|
|
Value: tokenHex,
|
|
Path: "/",
|
|
Expires: time.Now().Add(24 * time.Hour),
|
|
HttpOnly: true,
|
|
})
|
|
|
|
http.Redirect(w, r, "/", http.StatusSeeOther)
|
|
}
|
|
|