tenseleyflow/shithub / edf2455

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+// Package auth wires the email/password auth handlers (signup, login,

+// logout, password reset, email verification) onto the chi router.

+//

+// Design points worth knowing:

+//   - Login is constant-time: when the username doesn't exist we still

+//     run a Verify against a pre-computed dummy hash so response time

+//     doesn't leak existence.

+//   - Password-reset returns the same generic notice whether or not the

+//     email maps to a real account (no enumeration via the reset flow).

+//   - Tokens (verification, reset) are 32-byte random, b64url-encoded for

+//     the URL, sha256-stored in the DB.

+//   - Rate limits are enforced via internal/auth/throttle (login, signup,

+//     password-reset). Login on success resets the counter for that key.

+//   - Honeypot: signup form has a hidden `company` field; non-empty

+//     submissions are silently dropped (200 + same notice as success so

+//     bots can't tell they were rejected).

+//   - 4 KiB request-body cap on every POST here so weaponized inputs

+//     can't push the argon2 hasher into a DoS spiral.

+package auth

+

+import (

+	"context"

+	"errors"

+	"fmt"

+	"log/slog"

+	"net/http"

+	"regexp"

+	"strconv"

+	"strings"

+	"time"

+

+	"github.com/go-chi/chi/v5"

+	"github.com/jackc/pgx/v5"

+	"github.com/jackc/pgx/v5/pgtype"

+	"github.com/jackc/pgx/v5/pgxpool"

+

+	authpkg "github.com/tenseleyFlow/shithub/internal/auth"

+	"github.com/tenseleyFlow/shithub/internal/auth/email"

+	"github.com/tenseleyFlow/shithub/internal/auth/password"

+	"github.com/tenseleyFlow/shithub/internal/auth/session"

+	"github.com/tenseleyFlow/shithub/internal/auth/throttle"

+	"github.com/tenseleyFlow/shithub/internal/auth/token"

+	"github.com/tenseleyFlow/shithub/internal/passwords"

+	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/web/middleware"

+	"github.com/tenseleyFlow/shithub/internal/web/render"

+)

+

+// usernameRE mirrors the path whitelist used by RepoFS.

+var usernameRE = regexp.MustCompile(`^[a-z0-9](?:[a-z0-9-]{0,37}[a-z0-9])?$`)

+

+// Deps is everything the auth handlers need. Constructed by the web

+// package and injected at registration time.

+type Deps struct {

+	Logger                   *slog.Logger

+	Render                   *render.Renderer

+	Pool                     *pgxpool.Pool

+	SessionStore             session.Store

+	Email                    email.Sender

+	Branding                 email.Branding

+	Argon2                   password.Params

+	Limiter                  *throttle.Limiter

+	RequireEmailVerification bool

+}

+

+// Handlers is the registered handler set. Construct with New.

+type Handlers struct {

+	d Deps

+	q *usersdb.Queries

+}

+

+// New constructs the handler set, validating Deps.

+func New(d Deps) (*Handlers, error) {

+	if d.Render == nil {

+		return nil, errors.New("auth: nil Render")

+	}

+	if d.SessionStore == nil {

+		return nil, errors.New("auth: nil SessionStore")

+	}

+	if d.Email == nil {

+		return nil, errors.New("auth: nil Email sender")

+	}

+	if d.Limiter == nil {

+		d.Limiter = throttle.NewLimiter()

+	}

+	password.MustGenerateDummy(d.Argon2)

+	return &Handlers{d: d, q: usersdb.New()}, nil

+}

+

+// Mount registers every auth route on r. The 4 KiB body cap is applied

+// to POST endpoints inside this method.

+func (h *Handlers) Mount(r chi.Router) {

+	r.Group(func(r chi.Router) {

+		r.Use(middleware.MaxBodySize(4 * 1024))

+		r.Get("/signup", h.signupForm)

+		r.Post("/signup", h.signupSubmit)

+		r.Get("/login", h.loginForm)

+		r.Post("/login", h.loginSubmit)

+		r.Post("/logout", h.logoutSubmit)

+		r.Get("/password/reset", h.resetRequestForm)

+		r.Post("/password/reset", h.resetRequestSubmit)

+		r.Get("/password/reset/{token}", h.resetConfirmForm)

+		r.Post("/password/reset/{token}", h.resetConfirmSubmit)

+		r.Get("/verify-email/{token}", h.verifyEmail)

+		r.Get("/verify-email/resend", h.verifyResendForm)

+		r.Post("/verify-email/resend", h.verifyResendSubmit)

+	})

+}

+

+// ---------------------------- signup -----------------------------------

+

+type signupForm struct {

+	Username string

+	Email    string

+}

+

+func (h *Handlers) signupForm(w http.ResponseWriter, r *http.Request) {

+	h.renderPage(w, r, "auth/signup", map[string]any{

+		"Title":     "Sign up",

+		"CSRFToken": middleware.CSRFTokenForRequest(r),

+		"Form":      signupForm{},

+	})

+}

+

+func (h *Handlers) signupSubmit(w http.ResponseWriter, r *http.Request) {

+	if err := r.ParseForm(); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusBadRequest, "form parse")

+		return

+	}

+	form := signupForm{

+		Username: strings.ToLower(strings.TrimSpace(r.PostFormValue("username"))),

+		Email:    strings.ToLower(strings.TrimSpace(r.PostFormValue("email"))),

+	}

+	password := r.PostFormValue("password")

+	honeypot := r.PostFormValue("company")

+

+	render := func(msg string) {

+		h.renderPage(w, r, "auth/signup", map[string]any{

+			"Title":     "Sign up",

+			"CSRFToken": middleware.CSRFTokenForRequest(r),

+			"Form":      form,

+			"Error":     msg,

+		})

+	}

+

+	// Honeypot: silently treat as success so bots can't probe.

+	if honeypot != "" {

+		http.Redirect(w, r, "/login?notice=signup-pending", http.StatusSeeOther)

+		return

+	}

+

+	if err := h.throttleSignup(r); err != nil {

+		h.writeRetryAfter(w, err)

+		render("Too many signup attempts. Please try again later.")

+		return

+	}

+

+	if msg := validateUsername(form.Username); msg != "" {

+		render(msg)

+		return

+	}

+	if !looksLikeEmail(form.Email) {

+		render("Please enter a valid email address.")

+		return

+	}

+	if len(password) < 10 {

+		render("Password must be at least 10 characters.")

+		return

+	}

+	if passwords.IsCommon(password) {

+		render("That password is too common. Please choose another.")

+		return

+	}

+

+	hash, err := hashPassword(password, h.d.Argon2)

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "signup: hash", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	ctx := r.Context()

+	tx, err := h.d.Pool.Begin(ctx)

+	if err != nil {

+		h.d.Logger.ErrorContext(ctx, "signup: begin tx", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	defer func() { _ = tx.Rollback(ctx) }()

+

+	user, err := h.q.CreateUser(ctx, tx, usersdb.CreateUserParams{

+		Username:     form.Username,

+		DisplayName:  form.Username,

+		PasswordHash: hash,

+	})

+	if err != nil {

+		if isUniqueViolation(err) {

+			render("That username is already taken.")

+			return

+		}

+		h.d.Logger.ErrorContext(ctx, "signup: create user", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	tokEnc, tokHash, err := token.New()

+	if err != nil {

+		h.d.Logger.ErrorContext(ctx, "signup: token", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	em, err := h.q.CreateUserEmail(ctx, tx, usersdb.CreateUserEmailParams{

+		UserID:                user.ID,

+		Email:                 form.Email,

+		IsPrimary:             true,

+		Verified:              false,

+		VerificationTokenHash: tokHash,

+	})

+	if err != nil {

+		if isUniqueViolation(err) {

+			render("That email is already registered. Try signing in?")

+			return

+		}

+		h.d.Logger.ErrorContext(ctx, "signup: create email", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	if err := h.q.LinkUserPrimaryEmail(ctx, tx, usersdb.LinkUserPrimaryEmailParams{

+		ID:             user.ID,

+		PrimaryEmailID: pgtype.Int8{Int64: em.ID, Valid: true},

+	}); err != nil {

+		h.d.Logger.ErrorContext(ctx, "signup: link primary", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	expires := pgtype.Timestamptz{Time: time.Now().Add(24 * time.Hour), Valid: true}

+	if _, err := h.q.CreateEmailVerification(ctx, tx, usersdb.CreateEmailVerificationParams{

+		UserEmailID: em.ID,

+		TokenHash:   tokHash,

+		ExpiresAt:   expires,

+	}); err != nil {

+		h.d.Logger.ErrorContext(ctx, "signup: create verification", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	if err := tx.Commit(ctx); err != nil {

+		h.d.Logger.ErrorContext(ctx, "signup: commit", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	// Best-effort send. SMTP transient failure must not break signup.

+	msg, err := email.VerifyMessage(h.d.Branding, form.Email, form.Username, tokEnc)

+	if err != nil {

+		h.d.Logger.ErrorContext(ctx, "signup: build verify msg", "error", err)

+	} else if err := h.d.Email.Send(ctx, msg); err != nil {

+		h.d.Logger.WarnContext(ctx, "signup: send verify email", "error", err)

+	}

+

+	http.Redirect(w, r, "/login?notice=signup-pending", http.StatusSeeOther)

+}

+

+// ----------------------------- login -----------------------------------

+

+type loginForm struct {

+	Username string

+}

+

+func (h *Handlers) loginForm(w http.ResponseWriter, r *http.Request) {

+	notice := ""

+	switch r.URL.Query().Get("notice") {

+	case "signup-pending":

+		notice = "Account created. Check your email for the verification link, then sign in."

+	case "verified":

+		notice = "Email verified. You can sign in now."

+	case "logged-out":

+		notice = "Signed out."

+	case "password-reset":

+		notice = "Password updated. Sign in with your new password."

+	}

+	h.renderPage(w, r, "auth/login", map[string]any{

+		"Title":     "Sign in",

+		"CSRFToken": middleware.CSRFTokenForRequest(r),

+		"Form":      loginForm{},

+		"Notice":    notice,

+		"Next":      r.URL.Query().Get("next"),

+	})

+}

+

+func (h *Handlers) loginSubmit(w http.ResponseWriter, r *http.Request) {

+	if err := r.ParseForm(); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusBadRequest, "form parse")

+		return

+	}

+	username := strings.ToLower(strings.TrimSpace(r.PostFormValue("username")))

+	pw := r.PostFormValue("password")

+	next := r.PostFormValue("next")

+

+	render := func(msg string) {

+		h.renderPage(w, r, "auth/login", map[string]any{

+			"Title":     "Sign in",

+			"CSRFToken": middleware.CSRFTokenForRequest(r),

+			"Form":      loginForm{Username: username},

+			"Error":     msg,

+			"Next":      next,

+		})

+	}

+

+	throttleKey := fmt.Sprintf("ip:%s|%s", clientIP(r), username)

+	if err := h.d.Limiter.Hit(r.Context(), h.d.Pool, throttle.Limit{

+		Scope: "login", Identifier: throttleKey,

+		Max: 6, Window: 15 * time.Minute,

+	}); err != nil {

+		h.writeRetryAfter(w, err)

+		render("Too many sign-in attempts. Please try again later.")

+		return

+	}

+

+	user, err := h.q.GetUserByUsername(r.Context(), h.d.Pool, username)

+	if err != nil {

+		// User doesn't exist — still hash to keep timing constant.

+		password.VerifyAgainstDummy(pw)

+		render("Incorrect username or password.")

+		return

+	}

+

+	ok, err := password.Verify(pw, user.PasswordHash)

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "login: verify", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	if !ok {

+		render("Incorrect username or password.")

+		return

+	}

+	if user.SuspendedAt.Valid {

+		render("This account has been suspended.")

+		return

+	}

+	if h.d.RequireEmailVerification && !user.EmailVerified {

+		render("Please verify your email before signing in. Check your inbox or request a new link.")

+		return

+	}

+

+	// Forgive prior failed-attempt counter on success.

+	_ = h.d.Limiter.Reset(r.Context(), h.d.Pool, "login", throttleKey)

+

+	if err := h.q.TouchUserLastLogin(r.Context(), h.d.Pool, user.ID); err != nil {

+		h.d.Logger.WarnContext(r.Context(), "login: touch last_login_at", "error", err)

+	}

+

+	// Session-fixation defense: bind user_id and re-issue cookie. The

+	// AEAD store re-encrypts on every Save, producing a fresh ciphertext.

+	s := middleware.SessionFromContext(r.Context())

+	s.UserID = user.ID

+	s.IssuedAt = time.Now().Unix()

+	if err := h.d.SessionStore.Save(w, r, s); err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "login: save session", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	dest := "/"

+	if next != "" && strings.HasPrefix(next, "/") && !strings.HasPrefix(next, "//") {

+		// dest is constrained to single-leading-slash relative paths above,

+		// which prevents the protocol-relative ("//evil.com") form gosec warns about.

+		dest = next

+	}

+	//nolint:gosec // G710: dest is whitelisted to single-leading-slash relative paths.

+	http.Redirect(w, r, dest, http.StatusSeeOther)

+}

+

+// ---------------------------- logout -----------------------------------

+

+func (h *Handlers) logoutSubmit(w http.ResponseWriter, r *http.Request) {

+	h.d.SessionStore.Clear(w)

+	http.Redirect(w, r, "/login?notice=logged-out", http.StatusSeeOther)

+}

+

+// ------------------------- password reset ------------------------------

+

+func (h *Handlers) resetRequestForm(w http.ResponseWriter, r *http.Request) {

+	h.renderPage(w, r, "auth/reset_request", map[string]any{

+		"Title":     "Reset password",

+		"CSRFToken": middleware.CSRFTokenForRequest(r),

+		"Sent":      false,

+	})

+}

+

+func (h *Handlers) resetRequestSubmit(w http.ResponseWriter, r *http.Request) {

+	if err := r.ParseForm(); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusBadRequest, "form parse")

+		return

+	}

+	addr := strings.ToLower(strings.TrimSpace(r.PostFormValue("email")))

+

+	// Always show the same notice — no enumeration via this flow.

+	notice := "If an account is registered to that address, we've sent a password-reset link."

+	render := func() {

+		h.renderPage(w, r, "auth/reset_request", map[string]any{

+			"Title":     "Reset password",

+			"CSRFToken": middleware.CSRFTokenForRequest(r),

+			"Notice":    notice,

+			"Sent":      true,

+		})

+	}

+

+	if !looksLikeEmail(addr) {

+		render()

+		return

+	}

+

+	if err := h.d.Limiter.Hit(r.Context(), h.d.Pool, throttle.Limit{

+		Scope: "reset", Identifier: "email:" + addr,

+		Max: 3, Window: time.Hour,

+	}); err != nil {

+		h.writeRetryAfter(w, err)

+		render()

+		return

+	}

+

+	em, err := h.q.GetUserEmailByAddress(r.Context(), h.d.Pool, addr)

+	if err != nil {

+		// Don't even hint at existence.

+		render()

+		return

+	}

+

+	tokEnc, tokHash, err := token.New()

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "reset: token", "error", err)

+		render()

+		return

+	}

+	expires := pgtype.Timestamptz{Time: time.Now().Add(time.Hour), Valid: true}

+	if _, err := h.q.CreatePasswordReset(r.Context(), h.d.Pool, usersdb.CreatePasswordResetParams{

+		UserID:    em.UserID,

+		TokenHash: tokHash,

+		ExpiresAt: expires,

+	}); err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "reset: insert", "error", err)

+		render()

+		return

+	}

+

+	msg, err := email.ResetMessage(h.d.Branding, addr, tokEnc)

+	if err == nil {

+		if err := h.d.Email.Send(r.Context(), msg); err != nil {

+			h.d.Logger.WarnContext(r.Context(), "reset: send", "error", err)

+		}

+	}

+	render()

+}

+

+func (h *Handlers) resetConfirmForm(w http.ResponseWriter, r *http.Request) {

+	tokStr := chi.URLParam(r, "token")

+	if _, err := h.lookupValidReset(r.Context(), tokStr); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusNotFound, "reset link invalid or expired")

+		return

+	}

+	h.renderPage(w, r, "auth/reset_confirm", map[string]any{

+		"Title":     "Choose new password",

+		"CSRFToken": middleware.CSRFTokenForRequest(r),

+		"Token":     tokStr,

+	})

+}

+

+func (h *Handlers) resetConfirmSubmit(w http.ResponseWriter, r *http.Request) {

+	if err := r.ParseForm(); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusBadRequest, "form parse")

+		return

+	}

+	tokStr := chi.URLParam(r, "token")

+	pw := r.PostFormValue("password")

+

+	render := func(msg string) {

+		h.renderPage(w, r, "auth/reset_confirm", map[string]any{

+			"Title":     "Choose new password",

+			"CSRFToken": middleware.CSRFTokenForRequest(r),

+			"Token":     tokStr,

+			"Error":     msg,

+		})

+	}

+

+	row, err := h.lookupValidReset(r.Context(), tokStr)

+	if err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusNotFound, "reset link invalid or expired")

+		return

+	}

+	if len(pw) < 10 {

+		render("Password must be at least 10 characters.")

+		return

+	}

+	if passwords.IsCommon(pw) {

+		render("That password is too common. Please choose another.")

+		return

+	}

+

+	hash, err := hashPassword(pw, h.d.Argon2)

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "reset: hash", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	tx, err := h.d.Pool.Begin(r.Context())

+	if err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	defer func() { _ = tx.Rollback(r.Context()) }()

+

+	if err := h.q.UpdateUserPassword(r.Context(), tx, usersdb.UpdateUserPasswordParams{

+		ID:           row.UserID,

+		PasswordHash: hash,

+		PasswordAlgo: password.Algo,

+	}); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	if err := h.q.ConsumePasswordReset(r.Context(), tx, row.ID); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	if err := tx.Commit(r.Context()); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	http.Redirect(w, r, "/login?notice=password-reset", http.StatusSeeOther)

+}

+

+// ------------------------- email verification --------------------------

+

+func (h *Handlers) verifyEmail(w http.ResponseWriter, r *http.Request) {

+	tokStr := chi.URLParam(r, "token")

+	hash, err := token.HashOf(tokStr)

+	if err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusNotFound, "verification link invalid")

+		return

+	}

+	row, err := h.q.GetEmailVerificationByTokenHash(r.Context(), h.d.Pool, hash)

+	if err != nil || row.UsedAt.Valid || time.Now().After(row.ExpiresAt.Time) {

+		h.d.Render.HTTPError(w, r, http.StatusNotFound, "verification link invalid or expired")

+		return

+	}

+	em, err := h.q.GetUserEmailByID(r.Context(), h.d.Pool, row.UserEmailID)

+	if err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusNotFound, "verification link invalid")

+		return

+	}

+

+	tx, err := h.d.Pool.Begin(r.Context())

+	if err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	defer func() { _ = tx.Rollback(r.Context()) }()

+

+	if err := h.q.MarkUserEmailVerified(r.Context(), tx, em.ID); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	if em.IsPrimary {

+		if err := h.q.MarkUserEmailPrimaryVerified(r.Context(), tx, em.UserID); err != nil {

+			h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+			return

+		}

+	}

+	if err := h.q.ConsumeEmailVerification(r.Context(), tx, row.ID); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	if err := tx.Commit(r.Context()); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	http.Redirect(w, r, "/login?notice=verified", http.StatusSeeOther)

+}

+

+func (h *Handlers) verifyResendForm(w http.ResponseWriter, r *http.Request) {

+	h.renderPage(w, r, "auth/verify_resend", map[string]any{

+		"Title":     "Resend verification",

+		"CSRFToken": middleware.CSRFTokenForRequest(r),

+	})

+}

+

+func (h *Handlers) verifyResendSubmit(w http.ResponseWriter, r *http.Request) {

+	if err := r.ParseForm(); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusBadRequest, "form parse")

+		return

+	}

+	addr := strings.ToLower(strings.TrimSpace(r.PostFormValue("email")))

+	notice := "If a pending account is registered to that address, we've sent a fresh verification link."

+	render := func() {

+		h.renderPage(w, r, "auth/verify_resend", map[string]any{

+			"Title":     "Resend verification",

+			"CSRFToken": middleware.CSRFTokenForRequest(r),

+			"Notice":    notice,

+		})

+	}

+	if !looksLikeEmail(addr) {

+		render()

+		return

+	}

+	em, err := h.q.GetUserEmailByAddress(r.Context(), h.d.Pool, addr)

+	if err != nil || em.Verified {

+		render()

+		return

+	}

+	tokEnc, tokHash, err := token.New()

+	if err != nil {

+		render()

+		return

+	}

+	expires := pgtype.Timestamptz{Time: time.Now().Add(24 * time.Hour), Valid: true}

+	tx, err := h.d.Pool.Begin(r.Context())

+	if err != nil {

+		render()

+		return

+	}

+	defer func() { _ = tx.Rollback(r.Context()) }()

+	if err := h.q.SetVerificationToken(r.Context(), tx, usersdb.SetVerificationTokenParams{

+		ID:                    em.ID,

+		VerificationTokenHash: tokHash,

+	}); err != nil {

+		render()

+		return

+	}

+	if _, err := h.q.CreateEmailVerification(r.Context(), tx, usersdb.CreateEmailVerificationParams{

+		UserEmailID: em.ID, TokenHash: tokHash, ExpiresAt: expires,

+	}); err != nil {

+		render()

+		return

+	}

+	if err := tx.Commit(r.Context()); err != nil {

+		render()

+		return

+	}

+

+	user, err := h.q.GetUserByID(r.Context(), h.d.Pool, em.UserID)

+	if err == nil {

+		msg, err := email.VerifyMessage(h.d.Branding, addr, user.Username, tokEnc)

+		if err == nil {

+			_ = h.d.Email.Send(r.Context(), msg)

+		}

+	}

+	render()

+}

+

+// ----------------------------- helpers ---------------------------------

+

+func (h *Handlers) renderPage(w http.ResponseWriter, r *http.Request, page string, data any) {

+	w.Header().Set("Content-Type", "text/html; charset=utf-8")

+	if err := h.d.Render.Render(w, page, data); err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "render", "page", page, "error", err)

+	}

+}

+

+func (h *Handlers) throttleSignup(r *http.Request) error {

+	if err := h.d.Limiter.Hit(r.Context(), h.d.Pool, throttle.Limit{

+		Scope: "signup", Identifier: "ip:" + clientIP(r),

+		Max: 5, Window: time.Hour,

+	}); err != nil {

+		return err

+	}

+	return nil

+}

+

+func (h *Handlers) writeRetryAfter(w http.ResponseWriter, err error) {

+	var t *throttle.ErrThrottled

+	if errors.As(err, &t) {

+		w.Header().Set("Retry-After", strconv.Itoa(int(t.RetryAfter.Seconds())))

+		w.WriteHeader(http.StatusTooManyRequests)

+	}

+}

+

+func (h *Handlers) lookupValidReset(ctx context.Context, encoded string) (usersdb.PasswordReset, error) {

+	hash, err := token.HashOf(encoded)

+	if err != nil {

+		return usersdb.PasswordReset{}, err

+	}

+	row, err := h.q.GetPasswordResetByTokenHash(ctx, h.d.Pool, hash)

+	if err != nil {

+		return usersdb.PasswordReset{}, err

+	}

+	if row.UsedAt.Valid || time.Now().After(row.ExpiresAt.Time) {

+		return usersdb.PasswordReset{}, errors.New("token expired or used")

+	}

+	return row, nil

+}

+

+// validateUsername returns a user-facing error string (suitable for

+// rendering in the form's flash slot) or "" when the name is acceptable.

+// Note: returns string, not error, because callers display these to the

+// end user — staticcheck's ST1005 rule for error capitalization doesn't

+// apply to UI copy.

+func validateUsername(name string) string {

+	if name == "" {

+		return "Username is required."

+	}

+	if len(name) > 39 {

+		return "Username may be at most 39 characters."

+	}

+	if !usernameRE.MatchString(name) {

+		return "Username may contain only lowercase letters, digits, and hyphens, and cannot start or end with a hyphen."

+	}

+	if authpkg.IsReserved(name) {

+		return "That username is reserved. Please choose another."

+	}

+	return ""

+}

+

+func looksLikeEmail(s string) bool {

+	if len(s) < 3 || len(s) > 254 {

+		return false

+	}

+	at := strings.IndexByte(s, '@')

+	if at <= 0 || at == len(s)-1 {

+		return false

+	}

+	if strings.IndexByte(s, ' ') >= 0 {

+		return false

+	}

+	return true

+}

+

+// hashPassword wraps password.Hash so callers don't need to import the

+// stdlib package alongside the local one.

+func hashPassword(pw string, p password.Params) (string, error) {

+	return password.Hash(pw, p)

+}

+

+func clientIP(r *http.Request) string {

+	if ip := middleware.RealIPFromContext(r.Context(), r); ip != "" {

+		return ip

+	}

+	if h, _, err := splitHostPort(r.RemoteAddr); err == nil {

+		return h

+	}

+	return r.RemoteAddr

+}

+

+func splitHostPort(addr string) (string, string, error) {

+	i := strings.LastIndexByte(addr, ':')

+	if i < 0 {

+		return addr, "", nil

+	}

+	return addr[:i], addr[i+1:], nil

+}

+

+// isUniqueViolation matches Postgres SQLSTATE 23505. We use an interface

+// shim so the auth package doesn't import pgconn directly.

+func isUniqueViolation(err error) bool {

+	type sqlStater interface {

+		SQLState() string

+	}

+	if errors.Is(err, pgx.ErrNoRows) {

+		return false

+	}

+	for cur := err; cur != nil; cur = errors.Unwrap(cur) {

+		if s, ok := cur.(sqlStater); ok && s.SQLState() == "23505" {

+			return true

+		}

+	}

+	return false

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package auth_test

+

+import (

+	"context"

+	"html"

+	"io"

+	"io/fs"

+	"log/slog"

+	"net/http"

+	"net/http/cookiejar"

+	"net/http/httptest"

+	"net/url"

+	"regexp"

+	"strings"

+	"sync"

+	"testing"

+	"testing/fstest"

+	"time"

+

+	"github.com/go-chi/chi/v5"

+	"github.com/justinas/nosurf"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/email"

+	"github.com/tenseleyFlow/shithub/internal/auth/password"

+	"github.com/tenseleyFlow/shithub/internal/auth/session"

+	"github.com/tenseleyFlow/shithub/internal/auth/throttle"

+	"github.com/tenseleyFlow/shithub/internal/testing/dbtest"

+	authh "github.com/tenseleyFlow/shithub/internal/web/handlers/auth"

+	"github.com/tenseleyFlow/shithub/internal/web/middleware"

+	"github.com/tenseleyFlow/shithub/internal/web/render"

+)

+

+// captureSender records every Send call. Used by tests to assert what

+// would have been emailed and to extract verification/reset tokens.

+type captureSender struct {

+	mu  sync.Mutex

+	out []email.Message

+}

+

+func (c *captureSender) Send(_ context.Context, m email.Message) error {

+	c.mu.Lock()

+	defer c.mu.Unlock()

+	c.out = append(c.out, m)

+	return nil

+}

+

+func (c *captureSender) all() []email.Message {

+	c.mu.Lock()

+	defer c.mu.Unlock()

+	out := make([]email.Message, len(c.out))

+	copy(out, c.out)

+	return out

+}

+

+// fastArgon keeps tests under a few seconds. The full-cost defaults are

+// exercised by the unit test in internal/auth/password.

+var fastArgon = password.Params{Memory: 16 * 1024, Time: 1, Threads: 1, SaltLen: 16, KeyLen: 32}

+

+func newTestServer(t *testing.T, requireVerify bool) (*httptest.Server, *captureSender) {

+	t.Helper()

+	pool := dbtest.NewTestDB(t)

+

+	tmplFS := authTemplatesFS()

+	rr, err := render.New(tmplFS, render.Options{})

+	if err != nil {

+		t.Fatalf("render.New: %v", err)

+	}

+

+	storeKey, err := session.GenerateKey()

+	if err != nil {

+		t.Fatalf("GenerateKey: %v", err)

+	}

+	store, err := session.NewCookieStore(session.CookieStoreConfig{

+		Key: storeKey, MaxAge: 24 * time.Hour, Secure: false,

+	})

+	if err != nil {

+		t.Fatalf("NewCookieStore: %v", err)

+	}

+

+	cap := &captureSender{}

+	logger := slog.New(slog.NewTextHandler(io.Discard, nil))

+

+	h, err := authh.New(authh.Deps{

+		Logger:       logger,

+		Render:       rr,

+		Pool:         pool,

+		SessionStore: store,

+		Email:        cap,

+		Branding: email.Branding{

+			SiteName: "shithub", BaseURL: "http://test.invalid",

+			From: "noreply@shithub.test",

+		},

+		Argon2:                   fastArgon,

+		Limiter:                  throttle.NewLimiter(),

+		RequireEmailVerification: requireVerify,

+	})

+	if err != nil {

+		t.Fatalf("authh.New: %v", err)

+	}

+

+	r := chi.NewRouter()

+	r.Use(middleware.RequestID)

+	r.Use(middleware.RealIP(middleware.RealIPConfig{}))

+	r.Use(middleware.SessionLoader(store, logger))

+	csrf := middleware.CSRF(middleware.CSRFConfig{

+		FailureHandler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

+			http.Error(w, "csrf: "+nosurfReason(r), http.StatusForbidden)

+		}),

+	})

+	r.Group(func(r chi.Router) {

+		r.Use(csrf)

+		h.Mount(r)

+	})

+

+	srv := httptest.NewServer(r)

+	t.Cleanup(srv.Close)

+	return srv, cap

+}

+

+// authTemplatesFS returns a minimal templates FS sufficient for the auth

+// handlers to render successfully. Each form wraps the CSRF token in

+// `<<<CSRF:...:CSRF>>>` markers so the test client can extract it

+// unambiguously regardless of the token's base64 alphabet.

+func authTemplatesFS() fs.FS {

+	layout := `{{ define "layout" }}<!DOCTYPE html><html><head><title>{{ .Title }}</title></head><body>{{ template "page" . }}</body></html>{{ end }}`

+	signup := `{{ define "page" }}<form>{{ with .Error }}<p class=error>{{.}}</p>{{ end }}<input name=username value="{{.Form.Username}}"><input name=csrf_token value="{{.CSRFToken}}"></form>{{ end }}`

+	login := `{{ define "page" }}<form>{{ with .Error }}<p class=error>{{.}}</p>{{ end }}{{ with .Notice }}<p class=notice>{{.}}</p>{{ end }}<input name=csrf_token value="{{.CSRFToken}}"></form>{{ end }}`

+	resetReq := `{{ define "page" }}<form>{{ with .Notice }}<p class=notice>{{.}}</p>{{ end }}<input name=csrf_token value="{{.CSRFToken}}"></form>{{ end }}`

+	resetConf := `{{ define "page" }}<form>{{ with .Error }}<p class=error>{{.}}</p>{{ end }}<input name=csrf_token value="{{.CSRFToken}}">{{.Token}}</form>{{ end }}`

+	verifyResend := `{{ define "page" }}<form>{{ with .Notice }}<p class=notice>{{.}}</p>{{ end }}<input name=csrf_token value="{{.CSRFToken}}"></form>{{ end }}`

+	errorPage := `{{ define "page" }}<h1>{{.Status}} {{.StatusText}}</h1><p>{{.Message}}</p>{{ end }}`

+	return fstest.MapFS{

+		"_layout.html":            {Data: []byte(layout)},

+		"hello.html":              {Data: []byte(`{{ define "page" }}home{{ end }}`)},

+		"auth/signup.html":        {Data: []byte(signup)},

+		"auth/login.html":         {Data: []byte(login)},

+		"auth/reset_request.html": {Data: []byte(resetReq)},

+		"auth/reset_confirm.html": {Data: []byte(resetConf)},

+		"auth/verify_resend.html": {Data: []byte(verifyResend)},

+		"errors/404.html":         {Data: []byte(errorPage)},

+		"errors/403.html":         {Data: []byte(errorPage)},

+		"errors/429.html":         {Data: []byte(errorPage)},

+		"errors/500.html":         {Data: []byte(errorPage)},

+	}

+}

+

+// client wraps http.Client with a cookie jar so session/CSRF cookies persist.

+type client struct {

+	c   *http.Client

+	srv *httptest.Server

+}

+

+func newClient(t *testing.T, srv *httptest.Server) *client {

+	t.Helper()

+	jar, err := cookiejar.New(nil)

+	if err != nil {

+		t.Fatalf("cookiejar: %v", err)

+	}

+	return &client{

+		c: &http.Client{

+			Jar: jar,

+			CheckRedirect: func(req *http.Request, via []*http.Request) error {

+				return http.ErrUseLastResponse

+			},

+		},

+		srv: srv,

+	}

+}

+

+func (c *client) get(t *testing.T, path string) *http.Response {

+	t.Helper()

+	resp, err := c.c.Get(c.srv.URL + path)

+	if err != nil {

+		t.Fatalf("GET %s: %v", path, err)

+	}

+	return resp

+}

+

+func (c *client) post(t *testing.T, path string, form url.Values) *http.Response {

+	t.Helper()

+	// nosurf enforces same-origin on POST via Origin/Referer (browsers set

+	// these for form submissions; http.Client.PostForm does not).

+	req, err := http.NewRequest(http.MethodPost, c.srv.URL+path, strings.NewReader(form.Encode()))

+	if err != nil {

+		t.Fatalf("new request: %v", err)

+	}

+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")

+	req.Header.Set("Referer", c.srv.URL+path)

+	resp, err := c.c.Do(req)

+	if err != nil {

+		t.Fatalf("POST %s: %v", path, err)

+	}

+	return resp

+}

+

+// extractCSRF GETs path and returns the CSRF token the form would carry.

+// The CSRF middleware sets the token cookie on first GET; the test

+// templates wrap the printed token in `<<<CSRF:...:CSRF>>>` markers so

+// extraction is unambiguous (nosurf uses base64 with `+/=` characters

+// that a generic alphanumeric regex would mishandle).

+func (c *client) extractCSRF(t *testing.T, path string) string {

+	t.Helper()

+	resp := c.get(t, path)

+	defer func() { _ = resp.Body.Close() }()

+	if resp.StatusCode != 200 {

+		t.Fatalf("GET %s: status %d", path, resp.StatusCode)

+	}

+	body, _ := io.ReadAll(resp.Body)

+	m := csrfMarkerRE.FindStringSubmatch(string(body))

+	if m == nil {

+		t.Fatalf("no CSRF marker in body of %s: %s", path, body)

+	}

+	// html/template HTML-escapes `+` to `+` (and similar) in attribute

+	// values; browsers decode these transparently when reading form values,

+	// so the test client must mirror that decoding.

+	return html.UnescapeString(m[1])

+}

+

+var csrfMarkerRE = regexp.MustCompile(`name=csrf_token value="([^"]*)"`)

+

+func nosurfReason(r *http.Request) string {

+	if err := nosurf.Reason(r); err != nil {

+		return err.Error()

+	}

+	return "no reason"

+}

+

+// extractTokenFromMessage pulls the URL-encoded token out of a verify or

+// reset email body. The link shape is /<path>/<token>, where token is the

+// b64url-encoded 32-byte payload from internal/auth/token.

+func extractTokenFromMessage(t *testing.T, m email.Message, prefix string) string {

+	t.Helper()

+	re := regexp.MustCompile(prefix + `/([A-Za-z0-9_\-]{30,})`)

+	for _, body := range []string{m.Text, m.HTML} {

+		if mm := re.FindStringSubmatch(body); mm != nil {

+			return mm[1]

+		}

+	}

+	t.Fatalf("no token in message under prefix %s\nbodies:\n%s\n%s", prefix, m.Text, m.HTML)

+	return ""

+}

+

+// ============================== tests ==================================

+

+func TestSignup_Verify_Login_Logout(t *testing.T) {

+	t.Parallel()

+	srv, sender := newTestServer(t, true)

+	cli := newClient(t, srv)

+

+	csrf := cli.extractCSRF(t, "/signup")

+	resp := cli.post(t, "/signup", url.Values{

+		"csrf_token": {csrf},

+		"username":   {"alice"},

+		"email":      {"alice@example.com"},

+		"password":   {"correct horse battery staple"},

+	})

+	if resp.StatusCode != http.StatusSeeOther {

+		body, _ := io.ReadAll(resp.Body)

+		t.Fatalf("signup: status %d body=%s", resp.StatusCode, body)

+	}

+	_ = resp.Body.Close()

+

+	// login while unverified should be rejected.

+	csrf = cli.extractCSRF(t, "/login")

+	resp = cli.post(t, "/login", url.Values{

+		"csrf_token": {csrf},

+		"username":   {"alice"},

+		"password":   {"correct horse battery staple"},

+	})

+	if resp.StatusCode != http.StatusOK {

+		body, _ := io.ReadAll(resp.Body)

+		t.Fatalf("unverified login: status %d body=%s", resp.StatusCode, body)

+	}

+	body, _ := io.ReadAll(resp.Body)

+	if !strings.Contains(string(body), "verify your email") {

+		t.Fatalf("expected verify-required message, got: %s", body)

+	}

+	_ = resp.Body.Close()

+

+	// Use the captured email's token to verify.

+	msgs := sender.all()

+	if len(msgs) == 0 {

+		t.Fatal("expected verification email")

+	}

+	tok := extractTokenFromMessage(t, msgs[0], "/verify-email")

+

+	resp = cli.get(t, "/verify-email/"+tok)

+	if resp.StatusCode != http.StatusSeeOther {

+		body, _ := io.ReadAll(resp.Body)

+		t.Fatalf("verify: status %d body=%s", resp.StatusCode, body)

+	}

+	_ = resp.Body.Close()

+

+	// Now log in successfully.

+	csrf = cli.extractCSRF(t, "/login")

+	resp = cli.post(t, "/login", url.Values{

+		"csrf_token": {csrf},

+		"username":   {"alice"},

+		"password":   {"correct horse battery staple"},

+	})

+	if resp.StatusCode != http.StatusSeeOther {

+		body, _ := io.ReadAll(resp.Body)

+		t.Fatalf("verified login: status %d body=%s", resp.StatusCode, body)

+	}

+	if loc := resp.Header.Get("Location"); loc != "/" {

+		t.Fatalf("login redirect: %q, want /", loc)

+	}

+	_ = resp.Body.Close()

+

+	// Logout — POST /logout with CSRF.

+	csrf = cli.extractCSRF(t, "/login")

+	resp = cli.post(t, "/logout", url.Values{"csrf_token": {csrf}})

+	if resp.StatusCode != http.StatusSeeOther {

+		t.Fatalf("logout: status %d", resp.StatusCode)

+	}

+	_ = resp.Body.Close()

+}

+

+func TestPasswordReset_EndToEnd(t *testing.T) {

+	t.Parallel()

+	srv, sender := newTestServer(t, false)

+	cli := newClient(t, srv)

+

+	// Seed a verified user.

+	mustSignup(t, cli, "bob", "bob@example.com", "original-password-1")

+	tok := extractTokenFromMessage(t, sender.all()[0], "/verify-email")

+	resp := cli.get(t, "/verify-email/"+tok)

+	_ = resp.Body.Close()

+

+	// Request a reset.

+	csrf := cli.extractCSRF(t, "/password/reset")

+	resp = cli.post(t, "/password/reset", url.Values{

+		"csrf_token": {csrf},

+		"email":      {"bob@example.com"},

+	})

+	if resp.StatusCode != http.StatusOK {

+		t.Fatalf("reset request: status %d", resp.StatusCode)

+	}

+	_ = resp.Body.Close()

+

+	all := sender.all()

+	resetTok := extractTokenFromMessage(t, all[len(all)-1], "/password/reset")

+

+	// Confirm.

+	csrf = cli.extractCSRF(t, "/password/reset/"+resetTok)

+	resp = cli.post(t, "/password/reset/"+resetTok, url.Values{

+		"csrf_token": {csrf},

+		"password":   {"brand-new-password-2"},

+	})

+	if resp.StatusCode != http.StatusSeeOther {

+		body, _ := io.ReadAll(resp.Body)

+		t.Fatalf("reset confirm: status %d body=%s", resp.StatusCode, body)

+	}

+	_ = resp.Body.Close()

+

+	// Sign in with the new password.

+	csrf = cli.extractCSRF(t, "/login")

+	resp = cli.post(t, "/login", url.Values{

+		"csrf_token": {csrf},

+		"username":   {"bob"},

+		"password":   {"brand-new-password-2"},

+	})

+	if resp.StatusCode != http.StatusSeeOther {

+		body, _ := io.ReadAll(resp.Body)

+		t.Fatalf("post-reset login: status %d body=%s", resp.StatusCode, body)

+	}

+	_ = resp.Body.Close()

+}

+

+func TestPasswordReset_UnknownEmail_GenericResponse(t *testing.T) {

+	t.Parallel()

+	srv, sender := newTestServer(t, false)

+	cli := newClient(t, srv)

+

+	csrf := cli.extractCSRF(t, "/password/reset")

+	resp := cli.post(t, "/password/reset", url.Values{

+		"csrf_token": {csrf},

+		"email":      {"nobody@nowhere.example"},

+	})

+	if resp.StatusCode != http.StatusOK {

+		t.Fatalf("reset for unknown: status %d", resp.StatusCode)

+	}

+	body, _ := io.ReadAll(resp.Body)

+	_ = resp.Body.Close()

+	if !strings.Contains(string(body), "If an account is registered") {

+		t.Fatalf("expected generic notice, got: %s", body)

+	}

+	if len(sender.all()) != 0 {

+		t.Fatalf("expected no email sent for unknown address, got %d", len(sender.all()))

+	}

+}

+

+func TestLogin_BruteForceThrottled(t *testing.T) {

+	t.Parallel()

+	srv, sender := newTestServer(t, false)

+	cli := newClient(t, srv)

+

+	mustSignup(t, cli, "carol", "carol@example.com", "original-password-1")

+	tok := extractTokenFromMessage(t, sender.all()[0], "/verify-email")

+	_ = cli.get(t, "/verify-email/"+tok).Body.Close()

+

+	for i := 0; i < 6; i++ {

+		csrf := cli.extractCSRF(t, "/login")

+		resp := cli.post(t, "/login", url.Values{

+			"csrf_token": {csrf},

+			"username":   {"carol"},

+			"password":   {"wrong-password"},

+		})

+		if resp.StatusCode != http.StatusOK {

+			body, _ := io.ReadAll(resp.Body)

+			t.Fatalf("attempt %d: status %d body=%s", i+1, resp.StatusCode, body)

+		}

+		_ = resp.Body.Close()

+	}

+

+	// 7th attempt should be throttled.

+	csrf := cli.extractCSRF(t, "/login")

+	resp := cli.post(t, "/login", url.Values{

+		"csrf_token": {csrf},

+		"username":   {"carol"},

+		"password":   {"wrong-password"},

+	})

+	if resp.StatusCode != http.StatusTooManyRequests {

+		body, _ := io.ReadAll(resp.Body)

+		t.Fatalf("7th attempt: status %d, want 429; body=%s", resp.StatusCode, body)

+	}

+	if ra := resp.Header.Get("Retry-After"); ra == "" {

+		t.Fatal("missing Retry-After on throttled response")

+	}

+	_ = resp.Body.Close()

+}

+

+func TestLogin_ConstantTime(t *testing.T) {

+	t.Parallel()

+	srv, sender := newTestServer(t, false)

+	cli := newClient(t, srv)

+

+	mustSignup(t, cli, "dave", "dave@example.com", "original-password-1")

+	tok := extractTokenFromMessage(t, sender.all()[0], "/verify-email")

+	_ = cli.get(t, "/verify-email/"+tok).Body.Close()

+

+	const trials = 10

+	measure := func(username string) time.Duration {

+		var total time.Duration

+		for i := 0; i < trials; i++ {

+			cli2 := newClient(t, srv)

+			csrf := cli2.extractCSRF(t, "/login")

+			start := time.Now()

+			resp := cli2.post(t, "/login", url.Values{

+				"csrf_token": {csrf},

+				"username":   {username},

+				"password":   {"any-wrong-password"},

+			})

+			total += time.Since(start)

+			_ = resp.Body.Close()

+		}

+		return total / trials

+	}

+	existing := measure("dave")

+	missing := measure("does-not-exist")

+	delta := existing - missing

+	if delta < 0 {

+		delta = -delta

+	}

+	// On the test argon params (~5–15ms) any user-existence shortcut would

+	// shave off most of the time; allow generous slack for CI noise but

+	// reject a 5x divergence.

+	if existing > missing*5 || missing > existing*5 {

+		t.Fatalf("login timing diverges too much: existing=%v missing=%v delta=%v", existing, missing, delta)

+	}

+}

+

+func TestSignup_ReservedNameRejected(t *testing.T) {

+	t.Parallel()

+	srv, _ := newTestServer(t, false)

+	cli := newClient(t, srv)

+

+	csrf := cli.extractCSRF(t, "/signup")

+	resp := cli.post(t, "/signup", url.Values{

+		"csrf_token": {csrf},

+		"username":   {"login"},

+		"email":      {"x@example.com"},

+		"password":   {"correct horse battery staple"},

+	})

+	if resp.StatusCode != http.StatusOK {

+		t.Fatalf("status %d, want 200 with form re-render", resp.StatusCode)

+	}

+	body, _ := io.ReadAll(resp.Body)

+	_ = resp.Body.Close()

+	if !strings.Contains(string(body), "reserved") {

+		t.Fatalf("expected reserved-name error, got: %s", body)

+	}

+}

+

+func TestSignup_CommonPasswordRejected(t *testing.T) {

+	t.Parallel()

+	srv, _ := newTestServer(t, false)

+	cli := newClient(t, srv)

+

+	csrf := cli.extractCSRF(t, "/signup")

+	resp := cli.post(t, "/signup", url.Values{

+		"csrf_token": {csrf},

+		"username":   {"erin"},

+		"email":      {"erin@example.com"},

+		"password":   {"qwertyuiop"},

+	})

+	if resp.StatusCode != http.StatusOK {

+		t.Fatalf("status %d", resp.StatusCode)

+	}

+	body, _ := io.ReadAll(resp.Body)

+	_ = resp.Body.Close()

+	if !strings.Contains(string(body), "common") {

+		t.Fatalf("expected common-password error, got: %s", body)

+	}

+}

+

+func TestSignup_HoneypotSilent(t *testing.T) {

+	t.Parallel()

+	srv, _ := newTestServer(t, false)

+	cli := newClient(t, srv)

+	csrf := cli.extractCSRF(t, "/signup")

+	resp := cli.post(t, "/signup", url.Values{

+		"csrf_token": {csrf},

+		"username":   {"frank"},

+		"email":      {"frank@example.com"},

+		"password":   {"correct horse battery staple"},

+		"company":    {"oops, a bot filled this"},

+	})

+	if resp.StatusCode != http.StatusSeeOther {

+		body, _ := io.ReadAll(resp.Body)

+		t.Fatalf("honeypot: expected redirect, got %d body=%s", resp.StatusCode, body)

+	}

+	_ = resp.Body.Close()

+}

+

+// mustSignup is a convenience for tests that need a seeded user.

+func mustSignup(t *testing.T, cli *client, username, em, pw string) {

+	t.Helper()

+	csrf := cli.extractCSRF(t, "/signup")

+	resp := cli.post(t, "/signup", url.Values{

+		"csrf_token": {csrf},

+		"username":   {username},

+		"email":      {em},

+		"password":   {pw},

+	})

+	defer func() { _ = resp.Body.Close() }()

+	if resp.StatusCode != http.StatusSeeOther {

+		body, _ := io.ReadAll(resp.Body)

+		t.Fatalf("seed signup %s: status %d body=%s", username, resp.StatusCode, body)

+	}

+}

+	// AuthMounter, when non-nil, is invoked inside the CSRF-protected

+	// route group with the chi.Router so the auth handlers can register

+	// signup/login/logout/reset/verify routes.

+	AuthMounter func(chi.Router)

+		if deps.AuthMounter != nil {

+			deps.AuthMounter(r)

+		}