C1: thread IsSuspended through CurrentUser to policy.UserActor

Status	File	+	-
M	`internal/web/auth_wiring.go`	13	6
M	`internal/web/handlers/auth/auth_test.go`	15	7
M	`internal/web/handlers/auth/tokens_test.go`	15	7
M	`internal/web/handlers/repo/lifecycle.go`	13	6
M	`internal/web/handlers/repo/repo.go`	10	4
M	`internal/web/middleware/auth.go`	26	9

internal/web/auth_wiring.gomodified

  	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"
  	apih "github.com/tenseleyFlow/shithub/internal/web/handlers/api"
  	authh "github.com/tenseleyFlow/shithub/internal/web/handlers/auth"
++	"github.com/tenseleyFlow/shithub/internal/web/middleware"
  	"github.com/tenseleyFlow/shithub/internal/web/render"
+ )
+ }
  // usernameLookup returns the lookup function consumed by middleware.OptionalUser.
--// It resolves both the username and the user's current session_epoch so the
++// It resolves the username, the user's current session_epoch (so the auth
--// auth middleware can refuse stale cookies (bumped by "log out everywhere").
++// middleware can refuse stale cookies bumped by "log out everywhere"), and
--func usernameLookup(pool *pgxpool.Pool) func(context.Context, int64) (string, int32, error) {
++// the suspended state (so policy.UserActor can deny writes by suspended
++// accounts at the web layer — the audit found this gap, S00-S25 audit C1).
++func usernameLookup(pool *pgxpool.Pool) middleware.UserLookup {
  	q := usersdb.New()
--	return func(ctx context.Context, id int64) (string, int32, error) {
++	return func(ctx context.Context, id int64) (middleware.UserLookupResult, error) {
  		u, err := q.GetUserByID(ctx, pool, id)
  		if err != nil {
--			return "", 0, err
++			return middleware.UserLookupResult{}, err
+ 		}
--		return u.Username, u.SessionEpoch, nil
++		return middleware.UserLookupResult{
++			Username:     u.Username,
++			SessionEpoch: u.SessionEpoch,
++			IsSuspended:  u.SuspendedAt.Valid,
++		}, nil
+ 	}
+ }

internal/web/handlers/auth/auth_test.gomodified

  import (
  	"context"
++	"database/sql"
  	"html"
  	"io"
  	"io/fs"
  	r.Use(middleware.RequestID)
  	r.Use(middleware.RealIP(middleware.RealIPConfig{}))
  	r.Use(middleware.SessionLoader(store, logger))
--	r.Use(middleware.OptionalUser(func(ctx context.Context, id int64) (string, int32, error) {
++	r.Use(middleware.OptionalUser(func(ctx context.Context, id int64) (middleware.UserLookupResult, error) {
  		// Cheap lookup against the test pool — settings handlers use the
  		// username, and the epoch comparison enforces log-out-everywhere
  		// across the same suite.
  		u, err := pool.Acquire(ctx)
  		if err != nil {
--			return "", 0, err
++			return middleware.UserLookupResult{}, err
+ 		}
  		defer u.Release()
--		var name string
++		var (
--		var epoch int32
++			name        string
++			epoch       int32
++			suspendedAt sql.NullTime
++		)
  		err = u.QueryRow(ctx,
--			"SELECT username, session_epoch FROM users WHERE id = $1", id,
++			"SELECT username, session_epoch, suspended_at FROM users WHERE id = $1", id,
--		).Scan(&name, &epoch)
++		).Scan(&name, &epoch, &suspendedAt)
--		return name, epoch, err
++		return middleware.UserLookupResult{
++			Username:     name,
++			SessionEpoch: epoch,
++			IsSuspended:  suspendedAt.Valid,
++		}, err
  	}))
  	csrf := middleware.CSRF(middleware.CSRFConfig{
  		FailureHandler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

internal/web/handlers/auth/tokens_test.gomodified

  import (
  	"context"
++	"database/sql"
  	"encoding/json"
  	"io"
  	"log/slog"
  	r.Use(middleware.RequestID)
  	r.Use(middleware.RealIP(middleware.RealIPConfig{}))
  	r.Use(middleware.SessionLoader(store, logger))
--	r.Use(middleware.OptionalUser(func(ctx context.Context, id int64) (string, int32, error) {
++	r.Use(middleware.OptionalUser(func(ctx context.Context, id int64) (middleware.UserLookupResult, error) {
  		c, err := pool.Acquire(ctx)
  		if err != nil {
--			return "", 0, err
++			return middleware.UserLookupResult{}, err
+ 		}
  		defer c.Release()
--		var name string
++		var (
--		var epoch int32
++			name        string
++			epoch       int32
++			suspendedAt sql.NullTime
++		)
  		err = c.QueryRow(ctx,
--			"SELECT username, session_epoch FROM users WHERE id = $1", id,
++			"SELECT username, session_epoch, suspended_at FROM users WHERE id = $1", id,
--		).Scan(&name, &epoch)
++		).Scan(&name, &epoch, &suspendedAt)
--		return name, epoch, err
++		return middleware.UserLookupResult{
++			Username:     name,
++			SessionEpoch: epoch,
++			IsSuspended:  suspendedAt.Valid,
++		}, err
  	}))
  	csrf := middleware.CSRF(middleware.CSRFConfig{
  		FailureHandler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

internal/web/handlers/repo/lifecycle.gomodified

  		return reposdb.Repo{}, usersdb.User{}, false
+ 	}
  	viewer := middleware.CurrentUserFromContext(r.Context())
--	actor := policy.UserActor(viewer.ID, viewer.Username, false, false)
++	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
  	repoRef := policy.NewRepoRefFromRepo(row)
--	if !policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, action, repoRef).Allow {
++	dec := policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, action, repoRef)
--		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")
++	if !dec.Allow {
++		// Maybe404 picks 404 for "shouldn't know it exists" denials
++		// (private + non-collab) and 403 for honest "you can't do that
++		// to a repo you can see" denials (owner pushing to archived).
++		// Without this we leaked existence by always 404'ing — fixed
++		// per S00-S25 audit, finding H7.
++		h.d.Render.HTTPError(w, r, policy.Maybe404(dec, repoRef, actor), "")
  		return reposdb.Repo{}, usersdb.User{}, false
+ 	}
  	return row, owner, true
  		return
+ 	}
  	viewer := middleware.CurrentUserFromContext(r.Context())
--	actor := policy.UserActor(viewer.ID, viewer.Username, false, false)
++	actor := policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
--	if !policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, policy.ActionRepoAdmin, policy.NewRepoRefFromRepo(repo)).Allow {
++	repoRef := policy.NewRepoRefFromRepo(repo)
--		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")
++	if dec := policy.Can(r.Context(), policy.Deps{Pool: h.d.Pool}, actor, policy.ActionRepoAdmin, repoRef); !dec.Allow {
++		h.d.Render.HTTPError(w, r, policy.Maybe404(dec, repoRef, actor), "")
  		return
+ 	}
  	if err := lifecycle.CancelTransfer(r.Context(), h.lifecycleDeps(), viewer.ID, id); err != nil {

internal/web/handlers/repo/repo.gomodified

  	owner := chi.URLParam(r, "owner")
  	name := chi.URLParam(r, "repo")
--	row, err := h.lookupRepoForViewer(r.Context(), owner, name, middleware.CurrentUserFromContext(r.Context()).ID)
++	row, err := h.lookupRepoForViewer(r.Context(), owner, name, middleware.CurrentUserFromContext(r.Context()))
  	if err != nil {
  		// Maybe the (owner, name) is a stale name; look up the redirect
  		// table and 301 to the canonical URL so old bookmarks keep
  //   - AND the viewer is allowed to see it (public OR viewer is owner).
  //
  // Anything else returns ErrNoRows so the caller can 404 uniformly.
--func (h *Handlers) lookupRepoForViewer(ctx context.Context, ownerName, repoName string, viewerID int64) (reposdb.Repo, error) {
++func (h *Handlers) lookupRepoForViewer(ctx context.Context, ownerName, repoName string, viewer middleware.CurrentUser) (reposdb.Repo, error) {
  	owner, err := h.uq.GetUserByUsername(ctx, h.d.Pool, ownerName)
  	if err != nil {
  		return reposdb.Repo{}, err
  	// when the decision denies, return ErrNoRows so the caller can 404.
  	repoRef := policy.NewRepoRefFromRepo(row)
  	var actor policy.Actor
--	if viewerID == 0 {
++	if viewer.IsAnonymous() {
  		actor = policy.AnonymousActor()
  	} else {
--		actor = policy.UserActor(viewerID, "", false, false)
++		actor = policy.UserActor(viewer.ID, viewer.Username, viewer.IsSuspended, false)
  	}
++	// ActionRepoRead deny on a private repo with a non-collab viewer is
++	// indistinguishable from "doesn't exist" — Maybe404 returns 404 in
++	// that shape, so the caller's pgx.ErrNoRows fallthrough is the
++	// right shape regardless of whether the row was missing or just
++	// invisible. Honest 403s (e.g. ActionRepoWrite on archived) are
++	// gated through `loadRepoAndAuthorize`, not this read-only helper.
  	if !policy.Can(ctx, policy.Deps{Pool: h.d.Pool}, actor, policy.ActionRepoRead, repoRef).Allow {
  		return reposdb.Repo{}, pgx.ErrNoRows
  	}

internal/web/middleware/auth.gomodified

  // CurrentUser carries the loaded user identity in request context. Handlers
  // pull this out via CurrentUserFromContext. Anonymous requests have ID == 0.
++//
++// IsSuspended is sourced from users.suspended_at and is the canonical input
++// to policy.UserActor for web requests. Without it, every handler that
++// constructs an actor with a hard-coded `false` lets a suspended account
++// keep writing — the audit found this gap (S00-S25 audit, finding C1).
  type CurrentUser struct {
--	ID       int64
++	ID          int64
--	Username string
++	Username    string
++	IsSuspended bool
+ }
  // IsAnonymous reports whether this is an unauthenticated request.
  func (u CurrentUser) IsAnonymous() bool { return u.ID == 0 }
++// UserLookupResult is what UserLookup returns. It's a struct so future
++// fields (e.g. is_admin once S34 lands) don't keep widening the signature
++// and forcing every callsite to update.
++type UserLookupResult struct {
++	Username     string
++	SessionEpoch int32
++	IsSuspended  bool
++}
++
  // UserLookup resolves a user_id into the data the auth middleware needs.
--// epoch is the users.session_epoch column; the middleware compares it to
++// SessionEpoch is the users.session_epoch column; the middleware compares
--// the session's recorded epoch on every request so "log out everywhere"
++// it to the session's recorded epoch on every request so "log out
--// (which bumps the column) invalidates stale cookies on the next hit.
++// everywhere" (which bumps the column) invalidates stale cookies on the
--type UserLookup func(ctx context.Context, userID int64) (username string, epoch int32, err error)
++// next hit.
++type UserLookup func(ctx context.Context, userID int64) (UserLookupResult, error)
  // OptionalUser populates CurrentUser into context from the loaded session
  // when present. Does not redirect or reject — pages that don't need a
  				u := CurrentUser{ID: s.UserID}
  				bind := true
  				if lookup != nil {
--					if name, epoch, err := lookup(ctx, s.UserID); err == nil {
++					if res, err := lookup(ctx, s.UserID); err == nil {
--						if epoch != s.Epoch {
++						if res.SessionEpoch != s.Epoch {
  							bind = false
  						} else {
--							u.Username = name
++							u.Username = res.Username
++							u.IsSuspended = res.IsSuspended
+ 						}
+ 					}
+ 				}

tenseleyflow/shithub / `1f1cde9`

6 changed files