`f080f02`

S10: Sessions V1 — current session view + log out everywhere

Authored by mfwolffe <wolffemf@dukes.jmu.edu> 6 days ago

SHA: f080f0276d373c943fbffb310934fba86d0e98d2
Parents: 440f2be
Tree: 48e5393

4 changed files

Status	File	+
A	`internal/web/handlers/auth/sessions.go`	67
A	`internal/web/handlers/auth/sessions_test.go`	96
M	`internal/web/static/css/shithub.css`	9
A	`internal/web/templates/settings/sessions.html`	29

internal/web/handlers/auth/sessions.goadded

 +// SPDX-License-Identifier: AGPL-3.0-or-later
++
 +package auth
++
 +import (
 +	"net/http"
 +	"time"
++
 +	"github.com/tenseleyFlow/shithub/internal/web/middleware"
 +)
++
 +// settingsSessionsList renders GET /settings/sessions.
 +//
 +// V1 surfaces only the current session (we use AEAD-encrypted cookies,
 +// no server-side session table — there's no enumerable list). The page's
 +// real value is the "Sign out everywhere" affordance, which bumps
 +// users.session_epoch and invalidates every cookie that carries the old
 +// epoch on its next request.
 +func (h *Handlers) settingsSessionsList(w http.ResponseWriter, r *http.Request) {
 +	h.renderSessionsList(w, r, "")
 +}
++
 +// settingsSessionsLogoutAll handles POST /settings/sessions/logout-everywhere.
 +func (h *Handlers) settingsSessionsLogoutAll(w http.ResponseWriter, r *http.Request) {
 +	user := middleware.CurrentUserFromContext(r.Context())
++
 +	if err := h.q.BumpUserSessionEpoch(r.Context(), h.d.Pool, user.ID); err != nil {
 +		h.d.Logger.ErrorContext(r.Context(), "sessions: bump", "error", err)
 +		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")
 +		return
 +	}
++
 +	// Re-sync the current session's epoch so this browser doesn't sign
 +	// itself out alongside the others.
 +	epoch, err := h.q.GetUserSessionEpoch(r.Context(), h.d.Pool, user.ID)
 +	if err != nil {
 +		h.d.Logger.ErrorContext(r.Context(), "sessions: read epoch", "error", err)
 +		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")
 +		return
 +	}
 +	s := middleware.SessionFromContext(r.Context())
 +	s.Epoch = epoch
 +	if err := h.d.SessionStore.Save(w, r, s); err != nil {
 +		h.d.Logger.ErrorContext(r.Context(), "sessions: save", "error", err)
 +		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")
 +		return
 +	}
++
 +	h.renderSessionsList(w, r, "Signed out of every other session.")
 +}
++
 +// renderSessionsList is the shared render path. The "current session"
 +// row pulls IssuedAt out of the loaded session struct.
 +func (h *Handlers) renderSessionsList(w http.ResponseWriter, r *http.Request, successMsg string) {
 +	s := middleware.SessionFromContext(r.Context())
 +	issued := time.Unix(s.IssuedAt, 0)
++
 +	h.renderPage(w, r, "settings/sessions", map[string]any{
 +		"Title":          "Sessions",
 +		"CSRFToken":      middleware.CSRFTokenForRequest(r),
 +		"SettingsActive": "sessions",
 +		"Issued":         issued,
 +		"UserAgent":      r.Header.Get("User-Agent"),
 +		"ClientIP":       clientIP(r),
 +		"Success":        successMsg,
 +	})
 +}

internal/web/handlers/auth/sessions_test.goadded

 +// SPDX-License-Identifier: AGPL-3.0-or-later
++
 +package auth_test
++
 +import (
 +	"io"
 +	"net/http"
 +	"net/url"
 +	"strings"
 +	"testing"
 +)
++
 +func loginSessionsUser(t *testing.T, name string) (cli *client, loginAgain func() *client) {
 +	t.Helper()
 +	httpsrv, captor := newTestServer(t, false)
 +	cli = newClient(t, httpsrv)
 +	mustSignup(t, cli, name, name+"@example.com", "correct horse battery staple")
 +	tok := extractTokenFromMessage(t, captor.all()[0], "/verify-email")
 +	_ = cli.get(t, "/verify-email/"+tok).Body.Close()
++
 +	doLogin := func(c *client) {
 +		csrf := c.extractCSRF(t, "/login")
 +		resp := c.post(t, "/login", url.Values{
 +			"csrf_token": {csrf},
 +			"username":   {name},
 +			"password":   {"correct horse battery staple"},
 +		})
 +		if resp.StatusCode != http.StatusSeeOther {
 +			t.Fatalf("login: %d", resp.StatusCode)
 +		}
 +		_ = resp.Body.Close()
 +	}
 +	doLogin(cli)
 +	// loginAgain returns a fresh client that has signed in as the same
 +	// user — useful for testing log-out-everywhere across two browsers.
 +	loginAgain = func() *client {
 +		c := newClient(t, httpsrv)
 +		doLogin(c)
 +		return c
 +	}
 +	return cli, loginAgain
 +}
++
 +func TestSessions_PageRenders(t *testing.T) {
 +	t.Parallel()
 +	cli, _ := loginSessionsUser(t, "sa")
 +	resp := cli.get(t, "/settings/sessions")
 +	defer func() { _ = resp.Body.Close() }()
 +	body, _ := io.ReadAll(resp.Body)
 +	if !strings.Contains(string(body), "Sessions") {
 +		t.Fatalf("missing heading: %s", body)
 +	}
 +	if !strings.Contains(string(body), "UA=Go-http-client") {
 +		t.Fatalf("expected User-Agent surfaced; got: %s", body)
 +	}
 +}
++
 +func TestSessions_LogoutEverywhereInvalidatesOthers(t *testing.T) {
 +	t.Parallel()
 +	cliA, loginAgain := loginSessionsUser(t, "sb")
 +	cliB := loginAgain() // a second "browser"
++
 +	// Both browsers can hit the protected page initially.
 +	resp := cliB.get(t, "/settings/profile")
 +	if resp.StatusCode != http.StatusOK {
 +		t.Fatalf("cliB before bump: status=%d", resp.StatusCode)
 +	}
 +	_ = resp.Body.Close()
++
 +	// cliA bumps the epoch.
 +	csrf := cliA.extractCSRF(t, "/settings/sessions")
 +	resp = cliA.post(t, "/settings/sessions/logout-everywhere", url.Values{
 +		"csrf_token": {csrf},
 +	})
 +	body, _ := io.ReadAll(resp.Body)
 +	_ = resp.Body.Close()
 +	if !strings.Contains(string(body), "Signed out of every other session") {
 +		t.Fatalf("expected success message, got: %s", body)
 +	}
++
 +	// cliA itself stays signed in.
 +	resp = cliA.get(t, "/settings/profile")
 +	if resp.StatusCode != http.StatusOK {
 +		body, _ := io.ReadAll(resp.Body)
 +		t.Fatalf("cliA after bump should still be signed in: %d %s", resp.StatusCode, body)
 +	}
 +	_ = resp.Body.Close()
++
 +	// cliB should now be bounced to /login on the next protected hit
 +	// because its session carries the stale epoch.
 +	resp = cliB.get(t, "/settings/profile")
 +	defer func() { _ = resp.Body.Close() }()
 +	if resp.StatusCode != http.StatusSeeOther && resp.StatusCode != http.StatusFound {
 +		t.Fatalf("cliB after bump expected redirect, got %d", resp.StatusCode)
 +	}
 +}

internal/web/static/css/shithub.cssmodified

  .shithub-notif-row.required { background: rgba(56, 139, 253, 0.06); }
  .shithub-notif-row strong { display: block; font-size: 0.95rem; }
  .shithub-notif-row small { display: block; color: var(--fg-muted); font-size: 0.85rem; }
++
 +.shithub-session-meta {
 +  display: grid;
 +  grid-template-columns: max-content 1fr;
 +  gap: 0.25rem 1rem;
 +  margin: 0;
 +}
 +.shithub-session-meta dt { color: var(--fg-muted); font-weight: 500; }
 +.shithub-session-meta dd { margin: 0; word-break: break-all; }

internal/web/templates/settings/sessions.htmladded

 +{{ define "page" -}}
 +<div class="shithub-settings-page">
 +  {{ template "settings-nav" . }}
 +  <div class="shithub-settings-content">
 +    <h1>Sessions</h1>
++
 +    {{ with .Success }}<p class="shithub-flash shithub-flash-notice" role="status">{{ . }}</p>{{ end }}
++
 +    <section class="shithub-settings-section">
 +      <h2>This session</h2>
 +      <p>The browser you're using right now.</p>
 +      <dl class="shithub-session-meta">
 +        <dt>Signed in</dt><dd>{{ .Issued.Format "2006-01-02 15:04 MST" }}</dd>
 +        <dt>From</dt><dd><code>{{ .ClientIP }}</code></dd>
 +        <dt>User agent</dt><dd><code>{{ .UserAgent }}</code></dd>
 +      </dl>
 +    </section>
++
 +    <section class="shithub-settings-section">
 +      <h2>Sign out of all other sessions</h2>
 +      <p>Use this if you've signed in on a device you no longer have, or if you suspect your account is compromised. Your current browser stays signed in.</p>
 +      <form method="POST" action="/settings/sessions/logout-everywhere" novalidate>
 +        <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">
 +        <button type="submit" class="shithub-button shithub-button-danger">Sign out everywhere else</button>
 +      </form>
 +    </section>
 +  </div>
 +</div>
 +{{- end }}