tenseleyflow/shithub / ad881a7

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package auth

+

+import (

+	"errors"

+	"net/http"

+	"strings"

+	"time"

+

+	"github.com/jackc/pgx/v5"

+	"github.com/jackc/pgx/v5/pgconn"

+	"github.com/jackc/pgx/v5/pgtype"

+

+	authpkg "github.com/tenseleyFlow/shithub/internal/auth"

+	"github.com/tenseleyFlow/shithub/internal/auth/audit"

+	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/web/middleware"

+)

+

+// usernameChangeWindow is the rolling rate-limit window for renames.

+// Counted against username_redirects.changed_at — the redirect row IS

+// the audit trail, so no separate counter table is needed.

+const usernameChangeWindow = 60 * 24 * time.Hour

+

+// usernameChangeMax caps how many renames a user can make in

+// usernameChangeWindow. Three is GitHub's posted ceiling.

+const usernameChangeMax = 3

+

+// settingsAccountForm renders GET /settings/account.

+func (h *Handlers) settingsAccountForm(w http.ResponseWriter, r *http.Request) {

+	h.renderAccountForm(w, r, "", "")

+}

+

+// settingsAccountUsername handles POST /settings/account/username.

+func (h *Handlers) settingsAccountUsername(w http.ResponseWriter, r *http.Request) {

+	if err := r.ParseForm(); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusBadRequest, "form parse")

+		return

+	}

+	user := middleware.CurrentUserFromContext(r.Context())

+	desired := strings.ToLower(strings.TrimSpace(r.PostFormValue("new_username")))

+

+	// Quick local checks: shape, reservation, no-op.

+	if desired == user.Username {

+		h.renderAccountForm(w, r, "That's already your username.", "")

+		return

+	}

+	if !usernameRE.MatchString(desired) {

+		h.renderAccountForm(w, r, "Username must be 1–39 characters: lowercase letters, digits, and hyphens (no leading/trailing hyphen).", "")

+		return

+	}

+	if authpkg.IsReserved(desired) {

+		h.renderAccountForm(w, r, "That username is reserved.", "")

+		return

+	}

+

+	// Rate limit.

+	count, err := h.q.CountRecentUsernameChanges(r.Context(), h.d.Pool, usersdb.CountRecentUsernameChangesParams{

+		UserID:    user.ID,

+		ChangedAt: pgtype.Timestamptz{Time: time.Now().Add(-usernameChangeWindow), Valid: true},

+	})

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "account: count renames", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	if count >= usernameChangeMax {

+		h.renderAccountForm(w, r, "You've changed your username too many times recently. Try again later.", "")

+		return

+	}

+

+	// Tx: redirect-row + rename. The unique constraint on

+	// username_redirects.old_username AND users.username (citext) blocks

+	// taking a name held by either an active user or a recent redirect.

+	tx, err := h.d.Pool.Begin(r.Context())

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "account: begin tx", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	defer func() { _ = tx.Rollback(r.Context()) }()

+

+	if err := h.q.InsertUsernameRedirect(r.Context(), tx, usersdb.InsertUsernameRedirectParams{

+		OldUsername: user.Username,

+		UserID:      user.ID,

+	}); err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "account: insert redirect", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	if err := h.q.RenameUser(r.Context(), tx, usersdb.RenameUserParams{

+		ID:       user.ID,

+		Username: desired,

+	}); err != nil {

+		if isUsernameTaken(err) {

+			h.renderAccountForm(w, r, "That username is taken.", "")

+			return

+		}

+		h.d.Logger.ErrorContext(r.Context(), "account: rename", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	if err := tx.Commit(r.Context()); err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "account: commit", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	if err := h.d.Audit.Record(r.Context(), h.d.Pool, user.ID,

+		audit.ActionUsernameChanged, audit.TargetUser, user.ID, map[string]any{

+			"from": user.Username,

+			"to":   desired,

+		}); err != nil {

+		h.d.Logger.WarnContext(r.Context(), "account: audit rename", "error", err)

+	}

+

+	h.renderAccountForm(w, r, "", "Username updated to "+desired+".")

+}

+

+// renderAccountForm is the shared render path. The current username is

+// pulled out of context so it reflects post-rename state on success.

+func (h *Handlers) renderAccountForm(w http.ResponseWriter, r *http.Request, errMsg, successMsg string) {

+	user := middleware.CurrentUserFromContext(r.Context())

+	// Re-read the canonical username from the DB so the form always

+	// reflects post-commit state when called after a successful rename.

+	canonical := user.Username

+	if row, err := h.q.GetUserByID(r.Context(), h.d.Pool, user.ID); err == nil {

+		canonical = row.Username

+	}

+

+	count, _ := h.q.CountRecentUsernameChanges(r.Context(), h.d.Pool, usersdb.CountRecentUsernameChangesParams{

+		UserID:    user.ID,

+		ChangedAt: pgtype.Timestamptz{Time: time.Now().Add(-usernameChangeWindow), Valid: true},

+	})

+	h.renderPage(w, r, "settings/account", map[string]any{

+		"Title":             "Account",

+		"CSRFToken":         middleware.CSRFTokenForRequest(r),

+		"SettingsActive":    "account",

+		"CurrentUsername":   canonical,

+		"RecentRenames":     count,

+		"MaxRenames":        usernameChangeMax,

+		"WindowDays":        int(usernameChangeWindow / (24 * time.Hour)),

+		"RenameRateLimited": count >= usernameChangeMax,

+		"Error":             errMsg,

+		"Success":           successMsg,

+	})

+}

+

+// isUsernameTaken matches the unique-violation surface for username collisions.

+// Both users.username (citext, unique) and username_redirects.old_username

+// (unique) raise SQLSTATE 23505 here.

+func isUsernameTaken(err error) bool {

+	var pgErr *pgconn.PgError

+	if errors.As(err, &pgErr) {

+		return pgErr.Code == "23505"

+	}

+	// pgx v5 also wraps tx errors; double-check the not-rows path.

+	return errors.Is(err, pgx.ErrNoRows)

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package auth_test

+

+import (

+	"io"

+	"net/http"

+	"net/url"

+	"strings"

+	"testing"

+)

+

+// loginAccountUser is the same login helper as profile_test.go but

+// against a different account so tests stay isolated when run in

+// parallel.

+func loginAccountUser(t *testing.T, name string) *client {

+	t.Helper()

+	httpsrv, captor := newTestServer(t, false)

+	cli := newClient(t, httpsrv)

+	mustSignup(t, cli, name, name+"@example.com", "correct horse battery staple")

+	tok := extractTokenFromMessage(t, captor.all()[0], "/verify-email")

+	_ = cli.get(t, "/verify-email/"+tok).Body.Close()

+

+	csrf := cli.extractCSRF(t, "/login")

+	resp := cli.post(t, "/login", url.Values{

+		"csrf_token": {csrf},

+		"username":   {name},

+		"password":   {"correct horse battery staple"},

+	})

+	if resp.StatusCode != http.StatusSeeOther {

+		t.Fatalf("login: %d", resp.StatusCode)

+	}

+	_ = resp.Body.Close()

+	return cli

+}

+

+func TestAccount_RenameRoundtrip(t *testing.T) {

+	t.Parallel()

+	cli := loginAccountUser(t, "renamea")

+	csrf := cli.extractCSRF(t, "/settings/account")

+

+	resp := cli.post(t, "/settings/account/username", url.Values{

+		"csrf_token":   {csrf},

+		"new_username": {"renameb"},

+	})

+	defer func() { _ = resp.Body.Close() }()

+	if resp.StatusCode != http.StatusOK {

+		body, _ := io.ReadAll(resp.Body)

+		t.Fatalf("status=%d body=%s", resp.StatusCode, body)

+	}

+	body, _ := io.ReadAll(resp.Body)

+	if !strings.Contains(string(body), "Username updated to renameb") {

+		t.Errorf("missing success message; got: %s", body)

+	}

+	if !strings.Contains(string(body), "USERNAME=renameb") {

+		t.Errorf("expected USERNAME=renameb in body; got: %s", body)

+	}

+	if !strings.Contains(string(body), "USED=1/3") {

+		t.Errorf("expected USED=1/3 after rename; got: %s", body)

+	}

+

+	// The old name should now redirect to the new profile (/oldname → /newname).

+	resp = cli.get(t, "/renamea")

+	defer func() { _ = resp.Body.Close() }()

+	// /renamea hits the catch-all in this minimal test rig — we don't have

+	// the profile handler mounted, so the only thing we can verify here

+	// is the DB state.

+}

+

+func TestAccount_RejectsReservedName(t *testing.T) {

+	t.Parallel()

+	cli := loginAccountUser(t, "reserveda")

+	csrf := cli.extractCSRF(t, "/settings/account")

+	resp := cli.post(t, "/settings/account/username", url.Values{

+		"csrf_token":   {csrf},

+		"new_username": {"settings"},

+	})

+	defer func() { _ = resp.Body.Close() }()

+	body, _ := io.ReadAll(resp.Body)

+	if !strings.Contains(string(body), "reserved") {

+		t.Fatalf("expected reserved error, got: %s", body)

+	}

+}

+

+func TestAccount_RejectsInvalidShape(t *testing.T) {

+	t.Parallel()

+	cli := loginAccountUser(t, "shapea")

+	csrf := cli.extractCSRF(t, "/settings/account")

+	// UPPER is normalized to lowercase by the handler (user-friendly), so

+	// it isn't on this rejection list.

+	for _, bad := range []string{"-leading", "trailing-", "with spaces", ""} {

+		resp := cli.post(t, "/settings/account/username", url.Values{

+			"csrf_token":   {csrf},

+			"new_username": {bad},

+		})

+		body, _ := io.ReadAll(resp.Body)

+		_ = resp.Body.Close()

+		if !strings.Contains(string(body), "Username must") && !strings.Contains(string(body), "1–39") {

+			t.Errorf("input %q: expected validation error, got: %s", bad, body)

+		}

+	}

+}

+

+func TestAccount_RejectsTaken(t *testing.T) {

+	t.Parallel()

+	// Two clients on the SAME server so they share the same DB.

+	httpsrv, captor := newTestServer(t, false)

+	cliA := newClient(t, httpsrv)

+	cliB := newClient(t, httpsrv)

+

+	mustSignup(t, cliA, "takena", "takena@example.com", "correct horse battery staple")

+	mustSignup(t, cliB, "takenb", "takenb@example.com", "correct horse battery staple")

+	for _, m := range captor.all() {

+		// Verify each.

+		if tok := extractTokenFromMessage(t, m, "/verify-email"); tok != "" {

+			_ = cliA.get(t, "/verify-email/"+tok).Body.Close()

+		}

+	}

+	csrf := cliA.extractCSRF(t, "/login")

+	_ = cliA.post(t, "/login", url.Values{

+		"csrf_token": {csrf}, "username": {"takena"}, "password": {"correct horse battery staple"},

+	}).Body.Close()

+

+	csrf = cliA.extractCSRF(t, "/settings/account")

+	resp := cliA.post(t, "/settings/account/username", url.Values{

+		"csrf_token":   {csrf},

+		"new_username": {"takenb"}, // already used by cliB

+	})

+	defer func() { _ = resp.Body.Close() }()

+	body, _ := io.ReadAll(resp.Body)

+	if !strings.Contains(string(body), "taken") {

+		t.Fatalf("expected taken error, got: %s", body)

+	}

+}

+

+func TestAccount_RateLimitAtThree(t *testing.T) {

+	t.Parallel()

+	cli := loginAccountUser(t, "ratea")

+

+	// Burn three rename slots.

+	names := []string{"rateb", "ratec", "rated"}

+	for _, n := range names {

+		csrf := cli.extractCSRF(t, "/settings/account")

+		resp := cli.post(t, "/settings/account/username", url.Values{

+			"csrf_token":   {csrf},

+			"new_username": {n},

+		})

+		_ = resp.Body.Close()

+	}

+

+	// Fourth attempt should be blocked.

+	csrf := cli.extractCSRF(t, "/settings/account")

+	resp := cli.post(t, "/settings/account/username", url.Values{

+		"csrf_token":   {csrf},

+		"new_username": {"ratee"},

+	})

+	defer func() { _ = resp.Body.Close() }()

+	body, _ := io.ReadAll(resp.Body)

+	if !strings.Contains(string(body), "too many") {

+		t.Fatalf("expected rate-limit error, got: %s", body)

+	}

+}

+			r.Get("/settings/account", h.settingsAccountForm)

+			r.Post("/settings/account/username", h.settingsAccountUsername)

+	accountTpl := `{{ define "page" }}<h1>Account</h1>{{ with .Error }}<p class=error>{{.}}</p>{{ end }}{{ with .Success }}<p class=notice>{{.}}</p>{{ end }}<form action="/settings/account/username" method=POST><input name=csrf_token value="{{.CSRFToken}}">USERNAME={{.CurrentUsername}};USED={{.RecentRenames}}/{{.MaxRenames}};</form>{{ end }}`

+		"settings/account.html":      {Data: []byte(accountTpl)},

+{{ define "page" -}}

+<div class="shithub-settings-page">

+  {{ template "settings-nav" . }}

+  <div class="shithub-settings-content">

+    <h1>Account</h1>

+

+    {{ with .Error }}<p class="shithub-flash shithub-flash-error" role="alert">{{ . }}</p>{{ end }}

+    {{ with .Success }}<p class="shithub-flash shithub-flash-notice" role="status">{{ . }}</p>{{ end }}

+

+    <section class="shithub-settings-section">

+      <h2>Change username</h2>

+      <p>Changing your username can have <a href="https://docs.github.com/en/account-and-profile/setting-up-and-managing-your-personal-account-on-github/managing-personal-account-settings/changing-your-github-username">unintended side effects</a>. Your old name becomes a redirect for 30 days, after which it can be claimed by someone else.</p>

+      <p>You've used <strong>{{ .RecentRenames }}/{{ .MaxRenames }}</strong> changes in the last {{ .WindowDays }} days.</p>

+

+      <form method="POST" action="/settings/account/username" novalidate>

+        <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">

+        <label>

+          <span>New username</span>

+          <input type="text" name="new_username" required maxlength="39" pattern="^[a-z0-9](?:[a-z0-9-]{0,37}[a-z0-9])?$"

+                 placeholder="{{ .CurrentUsername }}" autocomplete="off" spellcheck="false">

+          <small>Lowercase letters, digits, and hyphens. 1–39 characters; no leading/trailing hyphen.</small>

+        </label>

+        <button type="submit" class="shithub-button shithub-button-primary"{{ if .RenameRateLimited }} disabled{{ end }}>Change username</button>

+      </form>

+    </section>

+

+    <section class="shithub-settings-section">

+      <h2>Export account data</h2>

+      <p>Download a portable archive of your repositories, issues, and metadata. Coming soon.</p>

+    </section>

+  </div>

+</div>

+{{- end }}