From 4697556cac819c47d068819b9fc9c3b4ea84e279 Mon Sep 17 00:00:00 2001
From: Leonardo Bishop
Date: Thu, 14 Aug 2025 18:07:12 +0100
Subject: Merge confplanner-web and replace fiber with native net/http
---
api/middleware/auth.go | 62 +++++++++++++++++++++++++++-----------------------
1 file changed, 34 insertions(+), 28 deletions(-)
(limited to 'api/middleware')
diff --git a/api/middleware/auth.go b/api/middleware/auth.go
index 611276a..eb362b0 100644
--- a/api/middleware/auth.go
+++ b/api/middleware/auth.go
@@ -1,46 +1,52 @@ package middleware import ( + "context" "errors" + "net/http" "github.com/LMBishop/confplanner/api/dto" + "github.com/LMBishop/confplanner/pkg/session" "github.com/LMBishop/confplanner/pkg/user" - "github.com/gofiber/fiber/v2" - "github.com/gofiber/fiber/v2/middleware/session" ) -func RequireAuthenticated(service user.Service, store *session.Store) fiber.Handler { - return func(c *fiber.Ctx) error { - s, err := store.Get(c) - if err != nil { - return err - } - - if s.Fresh() || len(s.Keys()) == 0 { - return &dto.ErrorResponse{ - Code: fiber.StatusUnauthorized, - Message: "Unauthorized", +func MustAuthenticate(service user.Service, store session.Service) func(http.HandlerFunc) http.HandlerFunc { + return func(next http.HandlerFunc) http.HandlerFunc { + return func(w http.ResponseWriter, r *http.Request) { + var sessionToken string + for _, cookie := range r.Cookies() { + if cookie.Name == "confplanner_session" { + sessionToken = cookie.Value + break + } } - } - uid := s.Get("uid").(int32) + s := store.GetByToken(sessionToken) + if s == nil { + dto.WriteDto(w, r, &dto.ErrorResponse{ + Code: http.StatusUnauthorized, + Message: "Unauthorized", + }) + return + } - fetchedUser, err := service.GetUserByID(uid) - if err != nil { - if errors.Is(err, user.ErrUserNotFound) { - s.Destroy() - return &dto.ErrorResponse{ - Code: fiber.StatusUnauthorized, - Message: "Invalid session", + _, err := service.GetUserByID(s.UserID) + if err != nil { + if errors.Is(err, user.ErrUserNotFound) { + store.Destroy(s.SessionID) + dto.WriteDto(w, r, &dto.ErrorResponse{ + Code: http.StatusForbidden, + Message: "Invalid session", + }) + return } - } - return err - } + return + } - c.Locals("uid", uid) - c.Locals("username", fetchedUser.Username) + ctx := context.WithValue(r.Context(), "session", s) - return c.Next() + next(w, r.WithContext(ctx)) + } } } -- cgit v1.2.3-70-g09d2
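Review bot: The bare `return` that follows the `errors.Is(err, user.ErrUserNotFound)` branch in MustAuthenticate handles any other error from `service.GetUserByID` by writing nothing, so net/http sends an implicit 200 with an empty body where the fiber version returned the error to its error handler; write an error first, e.g. `dto.WriteDto(w, r, &dto.ErrorResponse{Code: http.StatusInternalServerError, Message: "Internal server error"})` and then `return`, assuming WriteDto derives the HTTP status from `Code`. `context.WithValue(r.Context(), "session", s)` uses a plain string key, which staticcheck rejects (SA1029) and which can collide with any other package storing a value under the same string; declare an unexported key type in this package (for example `type ctxKey struct{}`) and give the handlers that read the session an accessor in the same package so every reader uses the same key. The cookie loop can become `cookie, err := r.Cookie("confplanner_session")`, which returns the first match exactly as the loop does and makes the missing-cookie case explicit instead of passing an empty token to `store.GetByToken`. The "Invalid session" response also changed from 401 to 403 relative to the removed code; if that was not deliberate, clients that re-authenticate on 401 will no longer do so after a deleted user's session is destroyed.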