`29c7714`

Accept email login identifiers

Authored by

espadonne 4 days ago

SHA: 29c771476165dbae240baae69184dbef83d552cf
Parents: e4f8a82
Tree: 13c9835

3 changed files

Status	File	+	-
M	`internal/web/handlers/auth/auth.go`	15	4
M	`internal/web/handlers/auth/auth_test.go`	26	0
M	`internal/web/templates/auth/login.html`	1	1

internal/web/handlers/auth/auth.gomodified

  	Username string
+ }
 +func (h *Handlers) loginUser(ctx context.Context, identifier string) (usersdb.User, error) {
 +	if strings.Contains(identifier, "@") {
 +		em, err := h.q.GetUserEmailByAddress(ctx, h.d.Pool, identifier)
 +		if err != nil {
 +			return usersdb.User{}, err
 +		}
 +		return h.q.GetUserIncludingDeleted(ctx, h.d.Pool, em.UserID)
 +	}
 +	return h.q.GetUserByUsernameIncludingDeleted(ctx, h.d.Pool, identifier)
 +}
++
  func (h *Handlers) loginForm(w http.ResponseWriter, r *http.Request) {
  	notice := ""
  	switch r.URL.Query().Get("notice") {
  		h.d.Render.HTTPError(w, r, http.StatusBadRequest, "form parse")
  		return
+ 	}
 -	username := strings.ToLower(strings.TrimSpace(r.PostFormValue("username")))
 +	identifier := strings.ToLower(strings.TrimSpace(r.PostFormValue("username")))
  	pw := r.PostFormValue("password")
  	next := r.PostFormValue("next")
  		h.renderPage(w, r, "auth/login", map[string]any{
  			"Title":     "Sign in",
  			"CSRFToken": middleware.CSRFTokenForRequest(r),
 -			"Form":      loginForm{Username: username},
 +			"Form":      loginForm{Username: identifier},
  			"Error":     msg,
  			"Next":      next,
  		})
+ 	}
 -	throttleKey := fmt.Sprintf("ip:%s|%s", clientIP(r), username)
 +	throttleKey := fmt.Sprintf("ip:%s|%s", clientIP(r), identifier)
  	if err := h.d.Limiter.Hit(r.Context(), h.d.Pool, throttle.Limit{
  		Scope: "login", Identifier: throttleKey,
  		Max: 6, Window: 15 * time.Minute,
  	// IncludingDeleted lets us spot soft-deleted users so we can restore
  	// them on login during the grace window. Past the window they look
  	// indistinguishable from "doesn't exist" — same response, same timing.
 -	user, err := h.q.GetUserByUsernameIncludingDeleted(r.Context(), h.d.Pool, username)
 +	user, err := h.loginUser(r.Context(), identifier)
  	if err != nil {
  		// User doesn't exist — still hash to keep timing constant.
  		password.VerifyAgainstDummy(pw)

internal/web/handlers/auth/auth_test.gomodified

  	_ = resp.Body.Close()
+ }
 +func TestLogin_AcceptsEmailAddress(t *testing.T) {
 +	t.Parallel()
 +	srv, sender := newTestServer(t, true)
 +	cli := newClient(t, srv)
++
 +	mustSignup(t, cli, "emailuser", "emailuser@example.com", "correct horse battery staple")
 +	tok := extractTokenFromMessage(t, sender.all()[0], "/verify-email")
 +	resp := cli.get(t, "/verify-email/"+tok)
 +	_ = resp.Body.Close()
++
 +	csrf := cli.extractCSRF(t, "/login")
 +	resp = cli.post(t, "/login", url.Values{
 +		"csrf_token": {csrf},
 +		"username":   {"EmailUser@Example.com"},
 +		"password":   {"correct horse battery staple"},
 +	})
 +	if resp.StatusCode != http.StatusSeeOther {
 +		body, _ := io.ReadAll(resp.Body)
 +		t.Fatalf("email login: status %d body=%s", resp.StatusCode, body)
 +	}
 +	if loc := resp.Header.Get("Location"); loc != "/" {
 +		t.Fatalf("email login redirect: %q, want /", loc)
 +	}
 +	_ = resp.Body.Close()
 +}
++
  func TestPasswordReset_EndToEnd(t *testing.T) {
  	t.Parallel()
  	srv, sender := newTestServer(t, false)

internal/web/templates/auth/login.htmlmodified

      <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
      <input type="hidden" name="next" value="{{ .Next }}">
      <label>
 -      <span>Username</span>
 +      <span>Username or email address</span>
        <input type="text" name="username" required autocomplete="username" autofocus
               value="{{ .Form.Username }}">
      </label>