xtablo-source

arthur/xtablo-source

Fork 0

Commit graph

Author	SHA1	Message	Date
Arthur Belleville	389e1bc8b4	feat(02-07): gorilla/csrf integration — mount middleware, wire all forms, env-driven key - auth.Mount(env, key) wraps csrf.Protect with locked D-14/D-24 options - auth.LoadKeyFromEnv() reads SESSION_SECRET, hex-decodes, validates 32 bytes; fails fast on error - ui.CSRFField(token) templ component renders hidden _csrf input - Layout, LoginPage/Fragment, SignupPage/Fragment, Index all embed @ui.CSRFField(csrfToken) - Handlers thread csrf.Token(r) into every page/fragment render call - NewRouter mounts auth.Mount after ResolveSession, before all route groups (D-24) - main.go calls auth.LoadKeyFromEnv(); logs.Fatalf on missing/invalid SESSION_SECRET - SESSION_SECRET documented in .env.example with openssl rand -hex 32 instruction - go.mod: gorilla/csrf v1.7.3 (direct); prior tests updated with getCSRFToken helper - All Plan 04/05/06 tests updated to acquire and submit valid _csrf tokens	2026-05-14 22:59:06 +02:00
Arthur Belleville	b5c3fc4d48	test(02-06): add failing tests for logout, protected routes, and layout auth - TestLogout_Success: POST /logout with valid cookie -> 303, cookie cleared, session deleted - TestLogout_UnauthRedirectsToLogin: POST /logout without cookie -> 303 from RequireAuth - TestLogout_HXRedirect: HTMX logout -> 200 + HX-Redirect: /login - TestLogout_AfterLogoutSubsequentRequestUnauth: stale cookie blocked after logout - TestProtected_HomeUnauthRedirects: GET / without session -> 303 /login - TestProtected_HomeUnauthHXRedirect: HTMX GET / without session -> 200 + HX-Redirect - TestProtected_HomeAuthRendersUserEmail: authed GET / -> 200 with user email - TestLayout_LogoutFormVisibleWhenAuthed: Layout with user shows logout form - TestLayout_LogoutFormHiddenWhenUnauthed: Layout with nil user hides logout form	2026-05-14 22:32:33 +02:00

Author

SHA1

Message

Date

Arthur Belleville

389e1bc8b4

feat(02-07): gorilla/csrf integration — mount middleware, wire all forms, env-driven key

- auth.Mount(env, key) wraps csrf.Protect with locked D-14/D-24 options
- auth.LoadKeyFromEnv() reads SESSION_SECRET, hex-decodes, validates 32 bytes; fails fast on error
- ui.CSRFField(token) templ component renders hidden _csrf input
- Layout, LoginPage/Fragment, SignupPage/Fragment, Index all embed @ui.CSRFField(csrfToken)
- Handlers thread csrf.Token(r) into every page/fragment render call
- NewRouter mounts auth.Mount after ResolveSession, before all route groups (D-24)
- main.go calls auth.LoadKeyFromEnv(); logs.Fatalf on missing/invalid SESSION_SECRET
- SESSION_SECRET documented in .env.example with openssl rand -hex 32 instruction
- go.mod: gorilla/csrf v1.7.3 (direct); prior tests updated with getCSRFToken helper
- All Plan 04/05/06 tests updated to acquire and submit valid _csrf tokens

2026-05-14 22:59:06 +02:00

Arthur Belleville

b5c3fc4d48

test(02-06): add failing tests for logout, protected routes, and layout auth

- TestLogout_Success: POST /logout with valid cookie -> 303, cookie cleared, session deleted
- TestLogout_UnauthRedirectsToLogin: POST /logout without cookie -> 303 from RequireAuth
- TestLogout_HXRedirect: HTMX logout -> 200 + HX-Redirect: /login
- TestLogout_AfterLogoutSubsequentRequestUnauth: stale cookie blocked after logout
- TestProtected_HomeUnauthRedirects: GET / without session -> 303 /login
- TestProtected_HomeUnauthHXRedirect: HTMX GET / without session -> 200 + HX-Redirect
- TestProtected_HomeAuthRendersUserEmail: authed GET / -> 200 with user email
- TestLayout_LogoutFormVisibleWhenAuthed: Layout with user shows logout form
- TestLayout_LogoutFormHiddenWhenUnauthed: Layout with nil user hides logout form

2026-05-14 22:32:33 +02:00

2 commits