xtablo-source/backend/cmd/web/main.go

// Command web is the Phase 1 walking-skeleton HTTP server. It loads env,
// builds a slog handler, opens a pgxpool, mounts the chi router, and serves
// /, /healthz, /demo/time, and /static/* with graceful shutdown on
// SIGINT/SIGTERM (CONTEXT D-19).
//
// No .env parser lives here — `.env` is exported into the process
// environment by `just dev`; production injects real env vars (D-15).
package main

import (
	"context"
	"errors"
	"log/slog"
	"net/http"
	"os"
	"os/signal"
	"syscall"
	"time"

	"backend/internal/auth"
	"backend/internal/db"
	"backend/internal/db/sqlc"
	"backend/internal/web"
)

func main() {
	env := os.Getenv("ENV")
	if env == "" {
		env = "development"
	}
	port := os.Getenv("PORT")
	if port == "" {
		port = "8080"
	}
	dsn := os.Getenv("DATABASE_URL")

	// Logger first so even fatal-on-missing-DSN paths produce structured
	// output. Per Pattern 3: JSON in production, text everywhere else.
	slog.SetDefault(slog.New(web.NewSlogHandler(env, os.Stdout)))

	if dsn == "" {
		slog.Error("DATABASE_URL is required but unset")
		os.Exit(1)
	}

	// Load the CSRF authentication key from SESSION_SECRET env var (D-15).
	// Fails fast with a clear message if missing or wrong length — the server
	// cannot operate without a valid CSRF key (AUTH-06).
	csrfKey, err := auth.LoadKeyFromEnv()
	if err != nil {
		slog.Error("invalid SESSION_SECRET", "err", err,
			"hint", "generate with: openssl rand -hex 32")
		os.Exit(1)
	}

	// signal.NotifyContext (Go 1.21+) is the canonical idiom — equivalent
	// to signal.Notify + a channel but the resulting ctx propagates the
	// cancellation through to handlers, pgxpool dialing, etc.
	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
	defer stop()

	pool, err := db.NewPool(ctx, dsn)
	if err != nil {
		// T-01-12: never log the DSN — only the error type/message.
		slog.Error("db connect failed", "err", err)
		os.Exit(1)
	}

	q := sqlc.New(pool)
	store := auth.NewStore(q)
	secure := env != "development" && env != "dev"

	// Rate limiter for POST /login (D-16, AUTH-07).
	rl := auth.NewLimiterStore()
	stopJanitor := make(chan struct{})
	rl.StartJanitor(time.Minute, stopJanitor)

	deps := web.AuthDeps{Queries: q, Store: store, Secure: secure, Limiter: rl}
	tabloDeps := web.TablosDeps{Queries: q}

	router := web.NewRouter(pool, "./static", deps, tabloDeps, csrfKey, env)

	srv := &http.Server{
		Addr:    ":" + port,
		Handler: router,
		// T-01-10 slow-client mitigation per RESEARCH Security Domain.
		ReadTimeout:  15 * time.Second,
		WriteTimeout: 15 * time.Second,
		IdleTimeout:  60 * time.Second,
	}

	go func() {
		slog.Info("listening", "addr", srv.Addr, "env", env)
		if err := srv.ListenAndServe(); err != nil && !errors.Is(err, http.ErrServerClosed) {
			slog.Error("server error", "err", err)
			os.Exit(1)
		}
	}()

	<-ctx.Done()
	slog.Info("shutting down")

	shutdownCtx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()
	if err := srv.Shutdown(shutdownCtx); err != nil {
		slog.Error("shutdown error", "err", err)
	}

	// Stop the rate-limiter janitor goroutine after HTTP server is fully shut down.
	close(stopJanitor)

	// Pitfall 4: close the pool AFTER Shutdown returns, NOT via defer in
	// main — defer ordering is unreliable on fatal-exit paths.
	pool.Close()
	slog.Info("shutdown complete")
}