xtablo-source/backend/templates/auth_forms.go
Arthur Belleville 7d8c498980
feat(02-05): login vertical slice with rate limiting
- auth_login.templ: LoginPage + LoginFormFragment (mirrors signup shape)
- LoginForm + LoginErrors types added to templates/auth_forms.go
- LoginPageHandler + LoginPostHandler in handlers_auth.go
  - Rate-limit check before user lookup (D-16, T-2-14)
  - Single errInvalidCreds constant for D-20 enumeration defense
  - Session rotation via Store.Rotate on success (D-10, T-2-04)
  - HTMX-aware redirect and fragment responses (D-19, D-21)
- AuthDeps extended with Limiter *auth.LimiterStore field
- router.go: GET /login in RedirectIfAuthed group (D-23)
- main.go: LimiterStore created with janitor goroutine (D-16)
- Export NewLimiterStoreWithClock + SetLimiterClock for cross-package tests
- 12 TestLogin_* integration tests all pass with real DB
2026-05-14 22:27:54 +02:00

34 lines
1.2 KiB
Go

package templates

// SignupForm carries the submitted field values back to the template so
// the email field can be repopulated on validation failure.
// Password is intentionally never echoed back to the client (T-2-01, D-25).
type SignupForm struct {
	Email    string
	Password string // held here only for length validation; never passed to templates
}

// SignupErrors holds per-field and general error messages for the signup form.
// A field with an empty string means "no error for this field".
type SignupErrors struct {
	Email    string
	Password string
	General  string
}

// LoginForm carries the submitted email value back to the template so the
// email field can be repopulated on validation failure.
// Password is intentionally never echoed back to the client (T-2-21, D-25).
type LoginForm struct {
	Email string
}

// LoginErrors holds per-field and general error messages for the login form.
// A field with an empty string means "no error for this field".
// Note: the general error for credential failures uses the intentionally generic
// string "Invalid email or password" to prevent user enumeration (D-20).
type LoginErrors struct {
	Email    string
	Password string
	General  string
}
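
The login flow these types support (rate-limit check before the user lookup, one generic credential error, password never echoed back), as an added example that is not the project's handler code. The in-memory `users` and `attempts` maps, `digest` (SHA-256 standing in for a real password hash), `maxAttempts` and the rate-limit message are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"strings"
)

// Same shapes as LoginForm and LoginErrors in templates/auth_forms.go.
type LoginForm struct{ Email string }
type LoginErrors struct{ Email, Password, General string }

const errInvalidCreds = "Invalid email or password"         // one message for every credential failure (D-20)
const errRateLimited = "Too many attempts, try again later" // constructed wording
const maxAttempts = 3                                       // constructed limit

// Hypothetical stand-ins: SHA-256 replaces a real password hash, maps replace the DB and limiter.
func digest(pw string) [32]byte { return sha256.Sum256([]byte(pw)) }

var users = map[string][32]byte{"alice@example.com": digest("correct horse")}
var dummy = digest("no such account")
var attempts = map[string]int{}

// login returns what the template would re-render; ok reports success.
func login(email, password string) (LoginForm, LoginErrors, bool) {
	email = strings.ToLower(strings.TrimSpace(email))
	form := LoginForm{Email: email} // the password is never copied into the form
	// Rate-limit check runs before the user lookup, so it behaves the same for unknown accounts.
	attempts[email]++
	if attempts[email] > maxAttempts {
		return form, LoginErrors{General: errRateLimited}, false
	}
	stored, found := users[email]
	if !found {
		stored = dummy // compare anyway so both paths do the same work
	}
	got := digest(password)
	match := subtle.ConstantTimeCompare(got[:], stored[:]) == 1
	if !found || !match {
		return form, LoginErrors{General: errInvalidCreds}, false
	}
	delete(attempts, email) // reset the counter on success
	return form, LoginErrors{}, true
}

func main() {
	for _, c := range [][2]string{{"nobody@example.com", "x"}, {"alice@example.com", "x"}} {
		_, errs, ok := login(c[0], c[1])
		fmt.Printf("%-20s ok=%v general=%q\n", c[0], ok, errs.General)
	}
}
```

An unknown email and a wrong password produce identical `LoginErrors` values, which is the property the D-20 comment describes.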