Initial commit: VPN panel on Go, PostgreSQL 17, Docker, Xray-core

internal/handlers/auth.go

@@ -0,0 +1,138 @@
+package handlers
+
+import (
+	"net/http"
+	"strings"
+
+	"vpn-panel/internal/auth"
+	"vpn-panel/internal/session"
+	"vpn-panel/internal/store"
+)
+
+func (h *Handler) currentUser(r *http.Request) *session.Data {
+	c, err := r.Cookie(session.CookieName())
+	if err != nil {
+		return nil
+	}
+	d, err := session.Verify(h.secret, c.Value)
+	if err != nil {
+		return nil
+	}
+	return d
+}
+
+func (h *Handler) RegisterAdmin(w http.ResponseWriter, r *http.Request) {
+	ctx := r.Context()
+	has, err := h.users.HasAdmin(ctx)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	if has {
+		flashSet(w, "Администратор уже создан. Регистрация закрыта.", "error")
+		http.Redirect(w, r, "/", http.StatusSeeOther)
+		return
+	}
+
+	if r.Method == http.MethodGet {
+		h.render(w, "register", h.pageData(w, r, "Регистрация администратора", nil))
+		return
+	}
+
+	email := strings.TrimSpace(strings.ToLower(r.FormValue("email")))
+	password := r.FormValue("password")
+	confirm := r.FormValue("password_confirm")
+
+	if email == "" || len(password) < 8 {
+		flashSet(w, "Email обязателен, пароль — минимум 8 символов.", "error")
+		http.Redirect(w, r, "/register", http.StatusSeeOther)
+		return
+	}
+	if password != confirm {
+		flashSet(w, "Пароли не совпадают.", "error")
+		http.Redirect(w, r, "/register", http.StatusSeeOther)
+		return
+	}
+
+	hash, err := auth.HashPassword(password)
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	u, err := h.users.CreateAdmin(ctx, email, hash)
+	if err == store.ErrAdminExists {
+		flashSet(w, "Администратор уже существует.", "error")
+		http.Redirect(w, r, "/", http.StatusSeeOther)
+		return
+	}
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	token, err := session.Sign(h.secret, session.Data{
+		UserID: u.ID,
+		Email:  u.Email,
+		Role:   u.Role,
+	})
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	http.SetCookie(w, &http.Cookie{
+		Name:     session.CookieName(),
+		Value:    token,
+		Path:     "/",
+		MaxAge:   int((7 * 24 * 60 * 60)),
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+		Secure:   r.TLS != nil,
+	})
+	flashSet(w, "Администратор успешно создан. Добро пожаловать!", "success")
+	http.Redirect(w, r, "/", http.StatusSeeOther)
+}
+
+func (h *Handler) Login(w http.ResponseWriter, r *http.Request) {
+	if r.Method == http.MethodGet {
+		h.render(w, "login", h.pageData(w, r, "Вход", nil))
+		return
+	}
+
+	email := strings.TrimSpace(strings.ToLower(r.FormValue("email")))
+	password := r.FormValue("password")
+
+	u, err := h.users.GetByEmail(r.Context(), email)
+	if err != nil || u == nil || !auth.CheckPassword(u.PasswordHash, password) {
+		flashSet(w, "Неверный email или пароль.", "error")
+		http.Redirect(w, r, "/login", http.StatusSeeOther)
+		return
+	}
+
+	token, err := session.Sign(h.secret, session.Data{
+		UserID: u.ID,
+		Email:  u.Email,
+		Role:   u.Role,
+	})
+	if err != nil {
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return
+	}
+	http.SetCookie(w, &http.Cookie{
+		Name:     session.CookieName(),
+		Value:    token,
+		Path:     "/",
+		MaxAge:   7 * 24 * 60 * 60,
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+		Secure:   r.TLS != nil,
+	})
+	http.Redirect(w, r, "/", http.StatusSeeOther)
+}
+
+func (h *Handler) Logout(w http.ResponseWriter, r *http.Request) {
+	http.SetCookie(w, &http.Cookie{
+		Name: session.CookieName(), Path: "/", MaxAge: -1,
+	})
+	http.Redirect(w, r, "/", http.StatusSeeOther)
+}