MiauRizius/MiauInv
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases 4 Wiki Activity

Compare commits

base: MiauRizius:28bf03d1a3737f047e19e61cb018e31b4904aafb
Branches Tags
MiauRizius:main MiauRizius:feature/13-activity-log
MiauRizius:v1.1.1 MiauRizius:v1.1.0 MiauRizius:v1.0.2 MiauRizius:v1.0.0
..
compare: MiauRizius:feature/13-activity-log
Branches Tags
MiauRizius:feature/13-activity-log MiauRizius:main
MiauRizius:v1.1.1 MiauRizius:v1.1.0 MiauRizius:v1.0.2 MiauRizius:v1.0.0

62 Commits
28bf03d1a3 ... feature/13

Author SHA1 Message Date
miaurizius
0442e4f699 feat: added activity log 2026-06-10 14:17:33 +02:00
MiauRizius
96f1a40266 Merge pull request 'bugfix/15-docker-deployment' (#21) from bugfix/15-docker-deployment into main
All checks were successful
Build and Push Docker Image on Release / build-and-push (release) Successful in 3m55s
Details
test-and-lint / test-and-lint (push) Successful in 2m46s
Details 
Reviewed-on: #21
 2026-06-10 04:31:19 +02:00
MiauRizius
959ba7d2d1 Merge branch 'main' into bugfix/15-docker-deployment
Some checks failed
test-and-lint / test-and-lint (pull_request) Has been cancelled
Details
2026-06-10 04:31:12 +02:00
miaurizius
c579fc95be Merge remote-tracking branch 'origin/bugfix/15-docker-deployment' into bugfix/15-docker-deployment
Some checks failed
test-and-lint / test-and-lint (pull_request) Has been cancelled
Details
2026-06-10 04:30:30 +02:00
miaurizius
d70aa85f99 tried again to fix #15 (im gonna crash out) 2026-06-10 04:30:27 +02:00
MiauRizius
e5276053f2 Merge pull request 'bugfix/15-docker-deployment' (#20) from bugfix/15-docker-deployment into main
Some checks failed
test-and-lint / test-and-lint (push) Has been cancelled
Details
Build and Push Docker Image on Release / build-and-push (release) Has been cancelled
Details 
Reviewed-on: #20
 2026-06-10 04:27:52 +02:00
MiauRizius
9f9386eba8 Merge branch 'main' into bugfix/15-docker-deployment
Some checks failed
test-and-lint / test-and-lint (pull_request) Has been cancelled
Details
2026-06-10 04:27:46 +02:00
miaurizius
1ff7d6b776 Merge remote-tracking branch 'origin/bugfix/15-docker-deployment' into bugfix/15-docker-deployment
Some checks failed
test-and-lint / test-and-lint (pull_request) Has been cancelled
Details
2026-06-10 04:27:13 +02:00
miaurizius
9fd789bb6a tried again to fix #15 2026-06-10 04:27:01 +02:00
MiauRizius
043d4c0d5e Merge pull request 'bugfix/15-docker-deployment' (#19) from bugfix/15-docker-deployment into main
Some checks failed
test-and-lint / test-and-lint (push) Has been cancelled
Details
Build and Push Docker Image on Release / build-and-push (release) Failing after 4s
Details 
Reviewed-on: #19
 2026-06-10 04:23:59 +02:00
MiauRizius
59ba5a00e1 Merge branch 'main' into bugfix/15-docker-deployment
Some checks failed
test-and-lint / test-and-lint (pull_request) Has been cancelled
Details
2026-06-10 04:23:52 +02:00
miaurizius
50da145feb Merge remote-tracking branch 'origin/bugfix/15-docker-deployment' into bugfix/15-docker-deployment
Some checks failed
test-and-lint / test-and-lint (pull_request) Has been cancelled
Details
2026-06-10 04:23:21 +02:00
miaurizius
0b5943f792 changed "runs-on" (#15) 2026-06-10 04:23:18 +02:00
MiauRizius
ba31c4f582 Merge pull request 'bugfix/15-docker-deployment' (#18) from bugfix/15-docker-deployment into main
Some checks failed
test-and-lint / test-and-lint (push) Has been cancelled
Details
Build and Push Docker Image on Release / build-and-push (release) Failing after 4s
Details 
Reviewed-on: #18
 2026-06-10 04:20:29 +02:00
MiauRizius
370b875df1 Merge branch 'main' into bugfix/15-docker-deployment
Some checks failed
test-and-lint / test-and-lint (pull_request) Has been cancelled
Details
2026-06-10 04:20:20 +02:00
miaurizius
9393004434 Merge remote-tracking branch 'origin/bugfix/15-docker-deployment' into bugfix/15-docker-deployment
Some checks failed
test-and-lint / test-and-lint (pull_request) Has been cancelled
Details
2026-06-10 04:19:25 +02:00
miaurizius
aec68c3ea5 tried to fix #15 again 2026-06-10 04:19:20 +02:00
MiauRizius
baad115f01 Merge pull request 'tried to fix #15 again' (#17) from bugfix/15-docker-deployment into main
Some checks failed
test-and-lint / test-and-lint (push) Has been cancelled
Details
Build and Push Docker Image on Release / build-and-push (release) Failing after 33s
Details 
Reviewed-on: #17
 2026-06-10 03:55:32 +02:00
MiauRizius
09e1b2bcdc Merge branch 'main' into bugfix/15-docker-deployment
Some checks failed
test-and-lint / test-and-lint (pull_request) Has been cancelled
Details
2026-06-10 03:55:22 +02:00
miaurizius
2ffe17ca60 tried to fix #15 again
Some checks failed
test-and-lint / test-and-lint (pull_request) Has been cancelled
Details
2026-06-10 03:54:24 +02:00
MiauRizius
3596998f28 Merge pull request 'tried to fix #15' (#16) from bugfix/15-docker-deployment into main
Some checks failed
test-and-lint / test-and-lint (push) Successful in 4m18s
Details
Build and Push Docker Image on Release / build-and-push (release) Failing after 12s
Details 
Reviewed-on: #16
 2026-06-10 03:43:29 +02:00
miaurizius
2dc854c65a tried to fix #15
All checks were successful
test-and-lint / test-and-lint (pull_request) Successful in 4m12s
Details
2026-06-10 03:42:31 +02:00
MiauRizius
c080c51aec Merge pull request 'added passkey support (closes #6)' (#14) from feature/6-passkey-support into main
Some checks failed
test-and-lint / test-and-lint (push) Successful in 2m34s
Details
Build and Push Docker Image on Release / build-and-push (release) Failing after 6s
Details 
Reviewed-on: #14
 2026-06-10 03:30:39 +02:00
miaurizius
fb3be56959 added passkey support (closes #6)
All checks were successful
test-and-lint / test-and-lint (pull_request) Successful in 2m50s
Details
2026-06-10 03:24:31 +02:00
MiauRizius
01ec41288a Merge pull request 'docs: add contribution guidelines' (#12) from docs/9-missing-contribution-guidelines into main
Some checks failed
test-and-lint / test-and-lint (push) Failing after 4s
Details 
Reviewed-on: #12
 2026-06-10 02:19:35 +02:00
miaurizius
afea712f43 docs: add contribution guidelines
Some checks failed
test-and-lint / test-and-lint (pull_request) Failing after 6s
Details
2026-06-10 02:17:50 +02:00
MiauRizius
d854c8e02a Merge pull request 'fixed #10' (#11) from chore/10-workflow-optimization into main
Some checks failed
test-and-lint / test-and-lint (push) Failing after 1m16s
Details 
Reviewed-on: #11
 2026-06-10 02:00:21 +02:00
miaurizius
36ff377ac9 fixed #10
Some checks failed
test-and-lint / test-and-lint (pull_request) Failing after 1m33s
Details
2026-06-10 01:57:29 +02:00
MiauRizius
2c30f9c055 Merge pull request 'feature/5-mfa-support' (#8) from feature/5-mfa-support into main
Some checks failed
Code Quality and Testing / test-and-lint (push) Has been cancelled
Details 
Reviewed-on: #8
 2026-06-10 01:46:55 +02:00
MiauRizius
6acfde5617 Merge branch 'main' into feature/5-mfa-support
Some checks failed
Code Quality and Testing / test-and-lint (push) Has been cancelled
Details
Code Quality and Testing / test-and-lint (pull_request) Has been cancelled
Details
2026-06-10 01:38:50 +02:00
miaurizius
58f098d4ca add rate limiting and 2fa hardening 2026-06-10 01:35:36 +02:00
miaurizius
ae41b96fa4 updated docs for new feature 2026-06-10 01:10:23 +02:00
miaurizius
fabe5319ae Added UI for mfa and other profile settings 2026-06-10 01:00:45 +02:00
miaurizius
e2926df62c updated dependencies 2026-06-10 00:38:16 +02:00
miaurizius
ea8ea45c4c started with 2fa support 2026-06-09 22:50:29 +02:00
MiauRizius
26b363fc34 Merge pull request 'chore/setup-gitea-actions' (#7) from chore/setup-gitea-actions into main
All checks were successful
Code Quality and Testing / test-and-lint (push) Successful in 12m10s
Details 
Reviewed-on: #7
 2026-06-09 22:17:11 +02:00
miaurizius
4700faf03c Added more issue templates etc.
All checks were successful
Code Quality and Testing / test-and-lint (push) Successful in 16m1s
Details
Code Quality and Testing / test-and-lint (pull_request) Successful in 12m28s
Details
2026-06-09 15:31:12 +02:00
miaurizius
79f3692ad2 chore: add automated docker release workflow 2026-06-09 15:24:24 +02:00
miaurizius
5485fd135d new version 2026-06-09 14:45:04 +02:00
miaurizius
5558d42bdb fixed #2 2026-06-09 14:44:28 +02:00
miaurizius
b74df36bda fixed #4 2026-06-09 14:40:49 +02:00
miaurizius
918b9a6b74 removed unnecessary comments 2026-06-09 14:36:03 +02:00
miaurizius
6d32ca13ca added more docs 2026-06-09 14:30:46 +02:00
miaurizius
feffff0898 Updated README/fixed #3 2026-06-09 14:21:49 +02:00
miaurizius
5089f94a21 updated README 2026-06-09 13:50:37 +02:00
miaurizius
f5f5da51c8 embedded frontend to docker image 2026-06-09 13:45:03 +02:00
miaurizius
089998d45b updated deploy 2026-06-08 15:35:43 +02:00
miaurizius
e2d51c6cdf updated dockerfile and deploy 2026-06-08 15:30:49 +02:00
miaurizius
0f8c7f57ac fixed #1 2026-06-08 15:27:06 +02:00
miaurizius
8d2be395b9 added .min.* support 2026-06-08 15:03:24 +02:00
miaurizius
339d5a709c dashboard locations and projects will now show items 2026-06-08 14:46:52 +02:00
miaurizius
405502cb20 added ad page 2026-06-08 00:34:54 +02:00
miaurizius
1a454dd201 Updated README.md 2026-06-08 00:25:40 +02:00
miaurizius
15cc33eb23 added README.md 2026-06-08 00:24:08 +02:00
miaurizius
f367188c08 Under construction page and dynamic profile loading 2026-06-08 00:00:45 +02:00
miaurizius
dcc6dc0b98 item and location names will be shown instead of their ids 2026-06-07 23:28:03 +02:00
miaurizius
d771ebba13 logout is now possible again 2026-06-07 23:04:12 +02:00
miaurizius
92e7ea4667 Added more things to dashboard 2026-06-07 02:29:27 +02:00
miaurizius
b93d9382ac made registration disableable 2026-06-07 02:08:49 +02:00
miaurizius
a31c516e8f Fixed quantity bug 2026-06-07 01:54:09 +02:00
miaurizius
eba273be49 Added stock management 2026-06-07 01:25:07 +02:00
miaurizius
e46b4904e3 Added functionality to all pages 2026-06-07 01:15:30 +02:00
60 changed files with 6877 additions and 423 deletions
Expand all files Collapse all files

24
.gitea/ISSUE_TEMPLATE/bug_report.md Normal file
View File

@@ -0,0 +1,24 @@
---
name: "Bug Report"
about: Report an error or unexpected behavior in MiauInv
title: "[BUG] "
labels: ["Kind/Bug"]
---
### Description
A clear and concise description of what the bug is.
### Steps to Reproduce
1. Go to '...'
2. Click on '...'
3. Scroll down to '...'
4. See error
### Expected Behavior
A clear and concise description of what you expected to happen.
### Logs and Error Messages
If applicable, add server logs or browser console outputs here:
```text
Insert logs here
```

18
.gitea/ISSUE_TEMPLATE/feature_request.md Normal file
View File

@@ -0,0 +1,18 @@
---
name: "Feature Request"
about: Suggest an idea or enhancement for MiauInv
title: "[FEATURE] "
labels: ["Kind/Feature"]
---
### Problem Statement
Is your feature request related to a problem? Please describe. (e.g., I am frustrated when...)
### Proposed Solution
A clear and concise description of what you want to happen.
### Alternative Solutions
A clear and concise description of any alternative solutions or features you have considered.
### Additional Context
Add any other context, screenshots, or mockup ideas about the feature request here.

14
.gitea/pull_request_template.md Normal file
View File

@@ -0,0 +1,14 @@
## Description
Please include a summary of the changes and which issue is fixed.
Closes # (Issue Number)
## Type of Change
- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [ ] Chore / Refactoring (code cleanup or configuration updates)
## Testing Environment
- [ ] Verified via local development server
- [ ] Verified compilation inside the Docker container
- [ ] All unit tests passing successfully

43
.gitea/workflows/release-docker.yaml Normal file
View File

@@ -0,0 +1,43 @@
name: Build and Push Docker Image on Release
on:
release:
types: [published]
jobs:
build-and-push:
runs-on: docker-builder
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Enable QEMU for multi-arch builds
run: |
docker run --privileged --rm tonistiigi/binfmt --install all
- name: Create and use Docker Buildx builder
run: |
docker buildx create --name miauinv-builder --use || docker buildx use miauinv-builder
docker buildx inspect --bootstrap
- name: Log in to Gitea Container Registry
run: |
echo "${{ secrets.REGISTRY_TOKEN }}" | docker login git.miaurizius.de \
--username "${{ secrets.REGISTRY_USER }}" \
--password-stdin
- name: Prepare Docker image tags
run: |
IMAGE_REPO="$(echo "git.miaurizius.de/${{ gitea.repository }}" | tr '[:upper:]' '[:lower:]')"
echo "IMAGE_REPO=$IMAGE_REPO" >> "$GITHUB_ENV"
- name: Build and push multi-arch Docker image
run: |
docker buildx build \
--platform linux/amd64,linux/arm64 \
--file ./Dockerfile \
--tag "$IMAGE_REPO:latest" \
--tag "$IMAGE_REPO:${{ gitea.event.release.tag_name }}" \
--push \
.

33
.gitea/workflows/test-and-lint.yaml Normal file
View File

@@ -0,0 +1,33 @@
name: test-and-lint
on:
pull_request:
branches: [main]
push:
branches: [main]
jobs:
test-and-lint:
runs-on: go-1.26
steps:
- uses: actions/checkout@v4
- name: Check formatting
run: |
files="$(gofmt -l .)"
if [ -n "$files" ]; then
echo "$files"
exit 1
fi
- name: Check modules
run: |
go mod tidy
git diff --exit-code go.mod go.sum
- name: Vet
run: go vet ./...
- name: Test
run: go test ./...

3
.gitignore vendored
View File

@@ -2,4 +2,5 @@ appdata
.idea
*.exe
*.cmd
.run
.run
*.out

238
CONTRIBUTING.md Normal file
View File

@@ -0,0 +1,238 @@
# Contributing to MiauInv
Thank you for considering a contribution to MiauInv.
MiauInv is a self-hosted/private inventory management system. Contributions are accepted through pull requests only. Direct pushes to the `main` branch are not allowed.
## Contribution Model
All changes must be submitted through pull requests.
This applies to:
- new features,
- bug fixes,
- refactoring,
- documentation updates,
- CI/CD changes,
- security improvements,
- release preparation work.
Contributors should work from a fork of the repository. Changes should be developed in a dedicated branch in the fork and then submitted as a pull request to the upstream repository.
Code snippets, patches, or implementation ideas are only accepted into the project if they are submitted through a pull request.
## Protected Main Branch
The `main` branch is protected.
The following rules apply:
- nobody may push directly to `main`,
- all changes must go through pull requests,
- pull requests must target `main` unless a maintainer explicitly requests a different target,
- every commit in a pull request must be signed,
- unsigned commits will not be accepted.
## Signed Commits
All commits must be signed.
This is mandatory for:
- commits on feature branches,
- commits on bugfix branches,
- commits on chore/refactoring branches,
- commits in pull requests,
- release preparation commits.
Pull requests containing unsigned commits must be fixed before they can be merged.
Example:
```bash
git commit -S -m "feat(auth): add account recovery flow"
```
To check whether commits are signed:
```bash
git log --show-signature
```
If a commit was created without a signature, rewrite or recreate it before opening the pull request.
## Branch Naming
Branches should use lowercase, hyphen-separated descriptions and include the related issue ID where possible.
Recommended format:
```text
<type>/<issue-id>-<lowercase-description>
```
Examples:
```text
feature/5-mfa-support
bugfix/12-fix-refresh-token-rotation
chore/18-update-ci-workflow
docs/21-update-authentication-docs
refactor/24-clean-up-storage-layer
```
Common branch types:
| Type | Usage |
| --- | --- |
| `feature` | New functionality. |
| `bugfix` | Bug fixes. |
| `chore` | Maintenance work, tooling, dependency updates, CI changes. |
| `docs` | Documentation-only changes. |
| `refactor` | Code restructuring without functional behavior changes. |
| `release` | Release preparation branches. |
## Feature and Bugfix Workflow
When working on a feature, bugfix, or other change:
1. Create or choose the related issue.
2. Fork the repository.
3. Create a branch in your fork using the branch naming scheme.
4. Implement the change.
5. Keep commits signed.
6. Push the branch to your fork.
7. Open a pull request against the upstream `main` branch.
8. Use the pull request template.
9. Ensure the pull request describes the change and links the issue.
When a feature, bugfix, or chore branch is complete, a pull request may be created from that branch into `main`.
## Pull Requests
Pull requests must:
- use the repository pull request template,
- describe the change clearly,
- link the related issue where applicable,
- contain signed commits only,
- avoid unrelated changes,
- keep documentation updated when behavior changes,
- keep the implementation consistent with the existing code structure.
Pull requests should be focused. A pull request should usually address one feature, one bug, or one maintenance task.
If a pull request changes authentication, authorization, account security, database schema, or deployment behavior, the relevant documentation should be updated in the same pull request.
## Issues
Issues should use the available issue templates whenever possible.
A good issue should include:
- a clear description,
- expected behavior,
- actual behavior, if reporting a bug,
- reproduction steps, if applicable,
- relevant logs, screenshots, or configuration snippets,
- the affected version or branch, if known.
Feature requests should describe the use case and the expected behavior instead of only describing an implementation detail.
## Releases
Release preparation work should happen on release branches.
Release branch format:
```text
release/vX.Y.Z
```
Example:
```text
release/v1.0.1
```
Version identifiers follow the `vX.Y.Z` format, for example:
```text
v1.0.1
```
When the changes for a version are complete:
1. finalize the release branch,
2. open a pull request from the release branch into `main`,
3. merge the release changes into `main`,
4. create the release,
5. update and publish Docker images.
Release branches should only contain changes intended for that release.
## Documentation
Documentation should be updated when a change affects:
- setup,
- configuration,
- deployment,
- API behavior,
- authentication,
- authorization,
- database schema,
- security behavior,
- CI/CD behavior.
Documentation should be technical, accurate, and written in English.
## Code Style
Follow the existing project structure and style.
General expectations:
- keep handlers in `handlers/`,
- keep database access in `storage/`,
- keep shared types in `models/`,
- keep authentication helpers in `auth/`,
- keep frontend behavior in `frontend/assets/js/`,
- keep server route wiring in `server/`,
- use clear names,
- avoid unrelated rewrites,
- keep changes as small as reasonably possible.
Go code must be formatted with:
```bash
gofmt -w .
```
## Validation
Before opening a pull request, run the checks that are relevant to the change.
Recommended commands:
```bash
gofmt -w .
go test ./...
go vet ./...
```
If the change affects Docker deployment, also verify that the Docker image builds successfully.
## Security-Relevant Changes
Changes affecting authentication, authorization, session handling, 2FA, recovery codes, cookies, rate limiting, or database security should be kept especially focused.
Security-sensitive pull requests should clearly explain:
- what behavior changed,
- what threat or issue is addressed,
- whether sessions, tokens, or stored secrets are affected,
- whether existing users or deployments need migration steps.
Do not include secrets, private keys, real tokens, production database files, or private configuration values in commits or pull requests.

6
Dockerfile
View File

@@ -11,9 +11,15 @@ COPY . .
ARG TARGETOS
ARG TARGETARCH
LABEL org.opencontainers.image.source="https://git.miaurizius.de/miaurizius/miauinv"
RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH \
go build -ldflags "-s -w" -o MiauInv .
FROM scratch
COPY --from=builder /app/MiauInv /MiauInv
COPY --from=builder /app/frontend /frontend
ENTRYPOINT ["/MiauInv"]

168
README.md Normal file
View File

@@ -0,0 +1,168 @@
# MiauInv
MiauInv is a secure, lightweight inventory, stock, and project allocation tracking system written in Go. It uses server-rendered HTML blocks with a small HTMX-style frontend layer for a dynamic single-page feel, backed by signed JWT access tokens, database-backed refresh-token rotation, optional TOTP 2FA, optional WebAuthn passkeys, an authenticated activity log, and embedded SQLite storage.
It is built for self-hosted/private deployments where you want a small, understandable asset and stock tracker without running a large enterprise inventory suite.
## Features
- Inventory item tracking with categories, descriptions, and quantities.
- Location management for physical or logical storage places.
- Stock distribution between items and locations.
- Project allocation tracking for reserving item quantities for projects.
- Dashboard overview for items, locations, and projects.
- Account settings for username, password, 2FA, and passkey management.
- Optional TOTP two-factor authentication with QR setup and recovery codes.
- Optional discoverable WebAuthn passkey login.
- Activity log for account, authentication, security, and inventory changes.
- Docker-ready deployment with SQLite persistence.
## Current Status
MiauInv is an active private project. Core inventory workflows, authentication, account security settings, passkeys, and activity logging are implemented. Automated testing is currently limited and should be expanded before treating the project as high-assurance software.
## Technical Stack
| Area | Technology |
| --- | --- |
| Backend | Go 1.26 |
| Routing | Go standard library `net/http` |
| Database | SQLite via `github.com/glebarez/go-sqlite` |
| Authentication | JWT via `github.com/golang-jwt/jwt/v5` |
| Password hashing | bcrypt via `golang.org/x/crypto/bcrypt` |
| 2FA | TOTP via `github.com/pquerna/otp/totp` |
| Passkeys | WebAuthn via `github.com/go-webauthn/webauthn` |
| Frontend | Server-rendered HTML, HTMX-style structure, vanilla JavaScript |
| Deployment | Docker / Docker Compose |
## Project Structure
| Path | Purpose |
| --- | --- |
| `main.go` | Application entrypoint. |
| `server/` | Route registration, TLS listener, and rate limiting. |
| `config/` | Runtime configuration creation and loading. |
| `auth/` | JWT, middleware, roles, and password helpers. |
| `handlers/` | JSON API handlers for auth, activity, account security, and inventory. |
| `storage/` | SQLite schema, migrations, and database access helpers. |
| `models/` | Shared data structures and constants. |
| `frontend/` | HTML templates, CSS, and JavaScript. |
| `docs/` | Technical documentation. |
## Documentation
- [Authentication](docs/AUTHENTICATION.md)
- [Database](docs/DATABASE.md)
- [API Endpoints](docs/ENDPOINTS.md)
- [Security](docs/SECURITY.md)
- [Contributing](CONTRIBUTING.md)
## Configuration
On first startup, MiauInv creates a config file if none exists. The server also requires a `JWT_SECRET` environment variable with at least 32 characters.
```bash
export JWT_SECRET="replace-this-with-a-random-secret-of-at-least-32-chars"
```
For local development, generate TLS files first:
```bash
mkdir -p appdata
openssl req -x509 -newkey rsa:4096 \
-keyout appdata/key.pem \
-out appdata/cert.pem \
-days 365 \
-nodes \
-subj "/CN=localhost"
```
Run locally:
```bash
go mod tidy
go build -o miauinv .
./miauinv
```
Then open:
```text
https://localhost:8080
```
## Docker Deployment
Example `docker-compose.yaml`:
```yaml
services:
miauinv:
image: git.miaurizius.de/miaurizius/miauinv:latest
container_name: MiauInv
restart: unless-stopped
ports:
- "8080:8080"
environment:
- JWT_SECRET=replace-this-with-a-random-secret-of-at-least-32-chars
volumes:
- ./appdata:/appdata
```
Start or update the container:
```bash
docker compose pull
docker compose up -d
```
View logs:
```bash
docker compose logs -f
```
For production updates, pin a versioned image tag and back up `appdata` before upgrading:
```yaml
image: git.miaurizius.de/miaurizius/miauinv:v1.1.1
```
## Reverse Proxy Deployment
MiauInv currently listens with native TLS. When using Caddy or another reverse proxy, either proxy to the backend with HTTPS or intentionally adjust the server to listen without TLS.
Example Caddy configuration with a self-signed backend certificate:
```caddy
inv.example.com {
encode zstd gzip
reverse_proxy https://miauinv:8080 {
transport http {
tls_insecure_skip_verify
}
}
header {
X-Content-Type-Options nosniff
Referrer-Policy strict-origin-when-cross-origin
}
}
```
For Docker deployments, place Caddy and MiauInv on the same Docker network and reverse proxy to the service name.
## Screenshots
#### Dashboard
<img src="docs/img/dashboard.png">
#### Inventory
<img src="docs/img/inventory.png">
#### Locations
<img src="docs/img/locations.png">
#### Projects
<img src="docs/img/projects.png">

200
ad.html Normal file
View File

@@ -0,0 +1,200 @@
<!DOCTYPE html>
<html lang="en" data-lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>MiauInv - Lightweight Inventory Tracking</title>
<style>
:root {
--bg: #0b0f19;
--card: #111827;
--card-soft: #151f31;
--border: #233047;
--text: #f9fafb;
--muted: #9ca3af;
--accent: #3b82f6;
--success: #10b981;
}
* { box-sizing: border-box; margin: 0; padding: 0; }
body {
min-height: 100vh;
background:
radial-gradient(circle at top left, rgba(59, 130, 246, 0.18), transparent 34rem),
radial-gradient(circle at bottom right, rgba(16, 185, 129, 0.10), transparent 30rem),
var(--bg);
color: var(--text);
font-family: system-ui, -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, sans-serif;
line-height: 1.6;
}
.container { max-width: 1120px; margin: 0 auto; padding: 1.25rem 1.5rem 4rem; }
.topbar { display: flex; justify-content: flex-end; margin-bottom: 3rem; }
.lang-switch {
border: 1px solid var(--border);
background: rgba(17, 24, 39, 0.8);
color: var(--text);
border-radius: 999px;
padding: 0.45rem 0.9rem;
font-weight: 700;
cursor: pointer;
}
.hero { text-align: center; padding: 2.5rem 0 3.5rem; }
.brand { font-size: clamp(3rem, 7vw, 5.5rem); font-weight: 900; letter-spacing: -0.07em; line-height: 0.95; }
.brand span { color: var(--accent); }
.tagline { max-width: 820px; margin: 1.25rem auto 0; color: var(--muted); font-size: clamp(1.05rem, 2vw, 1.35rem); }
.hero-actions { display: flex; justify-content: center; flex-wrap: wrap; gap: 0.8rem; margin-top: 1.75rem; }
.hero-link {
display: inline-flex;
align-items: center;
gap: 0.5rem;
border-radius: 999px;
padding: 0.75rem 1.1rem;
text-decoration: none;
font-weight: 800;
border: 1px solid var(--border);
color: var(--text);
background: rgba(17, 24, 39, 0.78);
transition: transform 0.18s ease, border-color 0.18s ease, background-color 0.18s ease;
}
.hero-link:hover { transform: translateY(-1px); border-color: rgba(59, 130, 246, 0.7); background: rgba(59, 130, 246, 0.12); }
.hero-link.primary { border-color: rgba(59, 130, 246, 0.48); background: rgba(59, 130, 246, 0.18); color: #dbeafe; }
.hero-link svg { width: 1rem; height: 1rem; }
.badges { display: flex; justify-content: center; flex-wrap: wrap; gap: 0.75rem; margin-top: 2rem; }
.badge {
border: 1px solid rgba(59, 130, 246, 0.28);
background: rgba(59, 130, 246, 0.10);
color: #bfdbfe;
border-radius: 999px;
padding: 0.4rem 0.8rem;
font-size: 0.88rem;
font-weight: 700;
}
.badge.green { border-color: rgba(16, 185, 129, 0.28); background: rgba(16, 185, 129, 0.10); color: #a7f3d0; }
.grid { display: grid; grid-template-columns: repeat(3, 1fr); gap: 1rem; margin: 1rem 0 3rem; }
.card {
background: linear-gradient(180deg, rgba(21, 31, 49, 0.92), rgba(17, 24, 39, 0.92));
border: 1px solid var(--border);
border-radius: 20px;
padding: 1.5rem;
box-shadow: 0 20px 45px rgba(0, 0, 0, 0.28);
}
.card h2 { font-size: 1.1rem; margin-bottom: 0.65rem; }
.card p { color: var(--muted); }
.check { color: var(--success); font-weight: 900; margin-right: 0.4rem; }
.install {
background: rgba(17, 24, 39, 0.82);
border: 1px solid var(--border);
border-radius: 24px;
padding: 2rem;
}
.install h2 { font-size: 1.7rem; margin-bottom: 0.5rem; }
.install > p { color: var(--muted); margin-bottom: 1.25rem; }
pre {
background: #050816;
border: 1px solid var(--border);
border-radius: 14px;
padding: 1rem;
overflow-x: auto;
color: #e5e7eb;
font-size: 0.92rem;
}
footer { text-align: center; color: var(--muted); padding-top: 3rem; }
[lang="de"] { display: none; }
html[data-lang="de"] [lang="de"] { display: initial; }
html[data-lang="de"] [lang="en"] { display: none; }
html[data-lang="de"] p[lang="de"], html[data-lang="de"] div[lang="de"] { display: block; }
html[data-lang="de"] span[lang="de"], html[data-lang="de"] strong[lang="de"] { display: inline; }
@media (max-width: 860px) { .grid { grid-template-columns: 1fr; } }
</style>
</head>
<body>
<div class="container">
<div class="topbar">
<button class="lang-switch" id="langBtn" onclick="toggleLanguage()">DE</button>
</div>
<section class="hero">
<div class="brand">Miau<span>Inv</span></div>
<p class="tagline" lang="en">Secure, lightweight inventory, stock, and project allocation tracking for self-hosted environments.</p>
<p class="tagline" lang="de">Sicheres, leichtgewichtiges Inventory-, Lager- und Projektzuweisungs-Tracking für Self-Hosting.</p>
<div class="hero-actions">
<a class="hero-link primary" href="https://git.miaurizius.de/MiauRizius/MiauInv" target="_blank" rel="noopener noreferrer">
<span lang="en">View repository</span>
<span lang="de">Repository ansehen</span>
<svg viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" aria-hidden="true"><path d="M7 17L17 7"></path><path d="M7 7h10v10"></path></svg>
</a>
<a class="hero-link" href="https://git.miaurizius.de/MiauRizius/MiauInv/packages" target="_blank" rel="noopener noreferrer">
<span lang="en">Container image</span>
<span lang="de">Container-Image</span>
</a>
</div>
<div class="badges">
<span class="badge">Go</span>
<span class="badge">SQLite</span>
<span class="badge">HTMX-style UI</span>
<span class="badge green">Docker ready</span>
</div>
</section>
<section class="grid">
<article class="card">
<h2 lang="en"><span class="check"></span>Track stock clearly</h2>
<h2 lang="de"><span class="check"></span>Bestände klar verfolgen</h2>
<p lang="en">Manage items, locations, quantities, and project allocations from one small dashboard.</p>
<p lang="de">Verwalte Items, Lagerorte, Mengen und Projektzuweisungen in einem kleinen Dashboard.</p>
</article>
<article class="card">
<h2 lang="en"><span class="check"></span>Built-in account security</h2>
<h2 lang="de"><span class="check"></span>Account-Sicherheit inklusive</h2>
<p lang="en">Signed JWT sessions, refresh-token rotation, TOTP 2FA, recovery codes, passkeys, and an activity log.</p>
<p lang="de">Signierte JWT-Sessions, Refresh-Token-Rotation, TOTP-2FA, Recovery-Codes, Passkeys und Activity Log.</p>
</article>
<article class="card">
<h2 lang="en"><span class="check"></span>Small deployment footprint</h2>
<h2 lang="de"><span class="check"></span>Kleiner Deployment-Footprint</h2>
<p lang="en">A compiled Go binary with embedded SQLite persistence and a minimal Docker image.</p>
<p lang="de">Kompilierte Go-Binary mit eingebetteter SQLite-Persistenz und minimalem Docker-Image.</p>
</article>
</section>
<section class="install">
<h2 lang="en">Run with Docker Compose</h2>
<h2 lang="de">Mit Docker Compose starten</h2>
<p lang="en">Create an appdata directory, provide TLS files, set a strong JWT secret, and start the container.</p>
<p lang="de">Appdata-Ordner erstellen, TLS-Dateien bereitstellen, starkes JWT-Secret setzen und Container starten.</p>
<pre>services:
miauinv:
image: git.miaurizius.de/miaurizius/miauinv:latest
container_name: MiauInv
restart: unless-stopped
ports:
- "8080:8080"
environment:
- JWT_SECRET=replace-this-with-a-random-secret-of-at-least-32-chars
volumes:
- ./appdata:/appdata</pre>
</section>
<footer>
<p>&copy; 2026 Maurice Larivière.</p>
</footer>
</div>
<script>
function setLanguage(lang) {
document.documentElement.setAttribute('data-lang', lang);
document.getElementById('langBtn').innerText = lang === 'en' ? 'DE' : 'EN';
localStorage.setItem('miauinv-lang', lang);
}
function toggleLanguage() {
const current = document.documentElement.getAttribute('data-lang') || 'en';
setLanguage(current === 'en' ? 'de' : 'en');
}
setLanguage(localStorage.getItem('miauinv-lang') || 'en');
</script>
</body>
</html>

101
auth/jwt.go
View File

@@ -1,17 +1,36 @@
package auth
import (
"errors"
"time"
"github.com/golang-jwt/jwt/v5"
)
const (
PurposeTwoFactorLogin = "2fa_login"
PurposeTwoFactorSetup = "2fa_setup"
)
type Claims struct {
UserID string `json:"user_id"`
Role string `json:"role"`
jwt.RegisteredClaims
}
type PurposeClaims struct {
UserID string `json:"user_id"`
Purpose string `json:"purpose"`
jwt.RegisteredClaims
}
type TwoFactorSetupClaims struct {
UserID string `json:"user_id"`
Purpose string `json:"purpose"`
Secret string `json:"secret"`
jwt.RegisteredClaims
}
func GenerateJWT(userID, role string, secret []byte) (string, error) {
claims := Claims{
UserID: userID,
@@ -25,8 +44,41 @@ func GenerateJWT(userID, role string, secret []byte) (string, error) {
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
return token.SignedString(secret)
}
func GeneratePurposeJWT(userID, purpose string, secret []byte, ttl time.Duration) (string, error) {
claims := PurposeClaims{
UserID: userID,
Purpose: purpose,
RegisteredClaims: jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(time.Now().Add(ttl)),
IssuedAt: jwt.NewNumericDate(time.Now()),
},
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
return token.SignedString(secret)
}
func GenerateTwoFactorSetupJWT(userID, twoFactorSecret string, secret []byte, ttl time.Duration) (string, error) {
claims := TwoFactorSetupClaims{
UserID: userID,
Purpose: PurposeTwoFactorSetup,
Secret: twoFactorSecret,
RegisteredClaims: jwt.RegisteredClaims{
ExpiresAt: jwt.NewNumericDate(time.Now().Add(ttl)),
IssuedAt: jwt.NewNumericDate(time.Now()),
},
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
return token.SignedString(secret)
}
func ValidateJWT(tokenStr string, secret []byte) (*Claims, error) {
token, err := jwt.ParseWithClaims(tokenStr, &Claims{}, func(token *jwt.Token) (interface{}, error) {
if token.Method != jwt.SigningMethodHS256 {
return nil, errors.New("unexpected signing method")
}
return secret, nil
})
if err != nil {
@@ -35,7 +87,54 @@ func ValidateJWT(tokenStr string, secret []byte) (*Claims, error) {
claims, ok := token.Claims.(*Claims)
if !ok || !token.Valid {
return nil, err
return nil, errors.New("invalid token")
}
return claims, nil
}
func ValidatePurposeJWT(tokenStr, expectedPurpose string, secret []byte) (*PurposeClaims, error) {
token, err := jwt.ParseWithClaims(tokenStr, &PurposeClaims{}, func(token *jwt.Token) (interface{}, error) {
if token.Method != jwt.SigningMethodHS256 {
return nil, errors.New("unexpected signing method")
}
return secret, nil
})
if err != nil {
return nil, err
}
claims, ok := token.Claims.(*PurposeClaims)
if !ok || !token.Valid {
return nil, errors.New("invalid token")
}
if claims.Purpose != expectedPurpose {
return nil, errors.New("invalid token purpose")
}
return claims, nil
}
func ValidateTwoFactorSetupJWT(tokenStr string, secret []byte) (*TwoFactorSetupClaims, error) {
token, err := jwt.ParseWithClaims(tokenStr, &TwoFactorSetupClaims{}, func(token *jwt.Token) (interface{}, error) {
if token.Method != jwt.SigningMethodHS256 {
return nil, errors.New("unexpected signing method")
}
return secret, nil
})
if err != nil {
return nil, err
}
claims, ok := token.Claims.(*TwoFactorSetupClaims)
if !ok || !token.Valid {
return nil, errors.New("invalid token")
}
if claims.Purpose != PurposeTwoFactorSetup {
return nil, errors.New("invalid token purpose")
}
if claims.Secret == "" {
return nil, errors.New("missing 2FA setup secret")
}
return claims, nil

22
auth/middleware.go
View File

@@ -10,9 +10,16 @@ type contextKey string
const UserContextKey contextKey = contextKey("user")
// middleware.go
func AuthMiddleware(secret []byte) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path == "/login" || r.URL.Path == "/register" || r.URL.Path == "/" {
next.ServeHTTP(w, r)
return
}
tokenStr := ""
authHeader := r.Header.Get("Authorization")
@@ -37,22 +44,23 @@ func AuthMiddleware(secret []byte) func(http.Handler) http.Handler {
}
claims, err := ValidateJWT(tokenStr, secret)
if err != nil {
if strings.HasPrefix(r.URL.Path, "/api/") {
http.Error(w, "Invalid token", http.StatusUnauthorized)
} else {
http.SetCookie(w, &http.Cookie{
Name: "access_token",
Value: "",
Path: "/",
MaxAge: -1,
HttpOnly: false,
})
http.Redirect(w, r, "/login", http.StatusSeeOther)
}
return
}
ctx := context.WithValue(
r.Context(),
UserContextKey,
claims,
)
ctx := context.WithValue(r.Context(), UserContextKey, claims)
next.ServeHTTP(w, r.WithContext(ctx))
})
}

18
config/config.go
View File

@@ -9,10 +9,11 @@ import (
)
type Config struct {
Port string `yaml:"port"`
DatabasePath string `yaml:"database_path"`
CertificatePath string `yaml:"certificate_path"`
PrivateKeyPath string `yaml:"private_key_path"`
Port string `yaml:"port"`
DatabasePath string `yaml:"database_path"`
CertificatePath string `yaml:"certificate_path"`
PrivateKeyPath string `yaml:"private_key_path"`
AllowRegistration bool `yaml:"allow_registration"`
}
const configPath = "./appdata/config.yaml"
@@ -34,10 +35,11 @@ func CheckIfExists() error {
}
defaultConfig := Config{
Port: "8080",
DatabasePath: "./appdata/database.db",
CertificatePath: "./appdata/cert.pem",
PrivateKeyPath: "./appdata/key.pem",
Port: "8080",
DatabasePath: "./appdata/database.db",
CertificatePath: "./appdata/cert.pem",
PrivateKeyPath: "./appdata/key.pem",
AllowRegistration: true,
}
data, err := yaml.Marshal(defaultConfig)

1
deploy.sh
View File

@@ -1 +0,0 @@
sudo docker buildx build --platform linux/amd64,linux/arm64 -t git.miaurizius.de/miaurizius/miauinv:latest --push .

285
docs/AUTHENTICATION.md Normal file
View File

@@ -0,0 +1,285 @@
# Authentication Architecture
MiauInv uses signed JWT access tokens, database-backed refresh tokens, optional TOTP-based two-factor authentication, and optional WebAuthn passkey authentication. The authentication flow is implemented in the `auth/`, `handlers/`, `storage/`, and `frontend/assets/js/` packages.
JWTs are signed with a symmetric secret from the `JWT_SECRET` environment variable. They are not encrypted. Access tokens and normal purpose tokens should therefore contain identity and authorization metadata only, not secrets. The short-lived 2FA setup token intentionally carries the not-yet-enabled TOTP secret because the same secret is already returned to the authenticated browser for QR/manual setup and is not stored server-side until confirmation.
## Components
| Component | Location | Responsibility |
| --- | --- | --- |
| JWT helpers | `auth/jwt.go` | Access-token and purpose-token generation/validation. |
| Middleware | `auth/middleware.go` | Extracts access tokens from bearer headers or cookies and injects claims into the request context. |
| Password helpers | `auth/password.go` | bcrypt hashing and verification. |
| Login/account handlers | `handlers/account.go` | Register, login, 2FA, refresh, logout, account settings, and user metadata. |
| Activity handlers | `handlers/activity.go` | Activity log endpoint, activity metadata recording, and audit middleware. |
| Passkey handlers | `handlers/passkeys.go` | WebAuthn/passkey registration, login, removal, and disable flows. |
| Persistent session storage | `storage/storage.go`, `storage/passkeys.go` | Refresh tokens, 2FA state, TOTP secret, recovery-code hashes, passkey credentials, and WebAuthn challenge state. |
| Frontend auth logic | `frontend/assets/js/auth.js`, `frontend/assets/js/login.js`, `frontend/assets/js/api.js` | Login UI, passkey login, token refresh, account settings, 2FA UI interactions, and passkey UI interactions. |
## Token Types
| Token | Storage/Transport | Lifetime | Purpose |
| --- | --- | --- | --- |
| Access token | `access_token` HTTP-only secure cookie and JSON response body | 15 minutes | Authenticates normal API and page requests. |
| Refresh token | `refresh_token` HTTP-only secure cookie and JSON response body | 7 days | Rotates sessions after access-token expiry. Stored in the database only as a hash. |
| 2FA challenge token | JSON response from `/api/login` | 5 minutes | Allows `/api/login/2fa` to complete login after password verification. It is purpose-bound to `2fa_login`. |
| 2FA setup token | JSON response from `/api/2fa/setup` | 10 minutes | Carries the not-yet-enabled TOTP secret until `/api/2fa/enable` validates the first code. It is purpose-bound to `2fa_setup`. |
| Passkey ceremony token | JSON response from `/api/passkeys/*/options` | 5 minutes | Opaque server-side reference to WebAuthn session data stored in `passkey_challenges`. Used for passkey registration and login. |
## Normal Login Flow Without 2FA
1. Client sends `POST /api/login` with `username` and `password`.
2. Server loads the user by username.
3. Server verifies the bcrypt password hash.
4. If 2FA is disabled, the server issues:
- a signed access token,
- a high-entropy refresh token,
- HTTP-only secure cookies for both tokens,
- a JSON response containing the same token values and user metadata.
5. The refresh token is hashed before being stored in the `refresh_tokens` table.
## Login Flow With 2FA Enabled
1. Client sends `POST /api/login` with `username` and `password`.
2. Server verifies the password.
3. If `two_factor_enabled` is true, the server does not issue a full session.
4. Instead, the server returns:
```json
{
"requires_2fa": true,
"two_factor_token": "..."
}
```
5. The frontend shows the second login step.
6. Client sends `POST /api/login/2fa` with:
```json
{
"two_factor_token": "...",
"code": "123456"
}
```
7. The server validates the purpose token against the expected purpose `2fa_login`.
8. The server loads the user from the purpose-token claim.
9. The supplied code is checked as a TOTP code first.
10. If the TOTP check fails, the supplied value is normalized and checked as a recovery code.
11. If either check succeeds, the server issues the normal access/refresh token session.
12. If a recovery code was used, it is marked as used and cannot be used again.
## Passkey Registration Flow
Passkeys are managed from `/profile/settings`. Registration requires an authenticated session and current-password confirmation.
1. Client sends `POST /api/passkeys/register/options` with a passkey name and the current password.
2. Server verifies the password.
3. Server creates WebAuthn registration options with resident-key and user-verification requirements.
4. Server stores the WebAuthn session data in `passkey_challenges` and returns only an opaque `session_token` plus the public registration options.
5. Browser calls `navigator.credentials.create()` with the returned public-key options.
6. Client sends the browser credential response to `POST /api/passkeys/register/finish`.
7. Server consumes the one-time challenge, verifies the WebAuthn response, stores the credential, revokes existing refresh sessions, and issues a new current session.
The server stores credential metadata and public-key credential data. It does not store private keys.
## Passkey Login Flow
Passkey login is available from the normal login page.
1. Client sends `POST /api/passkeys/login/options`.
2. Server creates a discoverable passkey login challenge without requiring a username.
3. Server stores the WebAuthn session data in `passkey_challenges` and returns an opaque `session_token` plus assertion options.
4. Browser calls `navigator.credentials.get()` with the returned public-key options.
5. Client sends the browser assertion response to `POST /api/passkeys/login/finish`.
6. Server consumes the one-time challenge and verifies the WebAuthn assertion.
7. The stored credential data is updated after successful login.
8. Server issues a normal access/refresh session.
Passkey login is treated as a complete phishing-resistant sign-in method. The application requires WebAuthn user verification for passkey registration and login, so a valid passkey assertion is not followed by a separate TOTP challenge.
## Passkey Management
The account settings page supports:
- listing registered passkeys,
- adding a passkey,
- removing a single passkey,
- disabling all passkeys.
Adding, removing, or disabling passkeys revokes existing refresh sessions and issues a fresh session for the current browser. Removing or disabling passkeys requires current-password confirmation.
## TOTP Setup Flow
The account settings page at `/profile/settings` exposes the UI for TOTP setup.
1. Authenticated user calls `POST /api/2fa/setup`.
2. Server creates a TOTP secret using issuer `MiauInv` and the current username as the account name.
3. Server creates a short-lived setup token containing the not-yet-enabled TOTP secret.
4. The secret is not written to `users.two_factor_secret` during setup.
5. Server returns:
```json
{
"secret": "BASE32SECRET",
"setup_token": "...",
"otpauth_url": "otpauth://totp/...",
"qr_code": "data:image/png;base64,..."
}
```
6. The frontend displays the QR code and the manual setup key.
7. User scans the QR code or enters the secret manually into an authenticator app.
8. User submits the setup token and a current TOTP code to `POST /api/2fa/enable`.
9. Server validates the setup token and the TOTP code.
10. Server stores the TOTP secret, enables 2FA, invalidates any previous recovery codes, and generates a fresh recovery-code set.
11. Server revokes existing refresh sessions and issues a new current session.
12. Recovery codes are returned once to the client for download/copying.
## Recovery Codes
Recovery codes are generated when 2FA is enabled and when the user regenerates them. Enabling 2FA deletes any old recovery-code rows before inserting the new set.
Properties:
- Generated with cryptographically secure randomness.
- Formatted as four groups of five hexadecimal characters.
- Normalized before hashing by removing spaces and hyphens and lowercasing the value.
- Stored only as hashes in `two_factor_recovery_codes`.
- Single-use only.
- Displayed only immediately after generation/regeneration.
- Downloaded client-side from the account settings page as `miauinv-recovery-codes.txt`.
Recovery-code login flow:
1. User enters a recovery code in the same field as the TOTP code during the second login step.
2. Server first attempts normal TOTP validation.
3. If TOTP validation fails, server hashes the normalized recovery code.
4. Server updates the matching unused row with `used_at = now`.
5. If exactly one row was updated, the recovery-code login succeeds.
## Recovery-Code Regeneration
`POST /api/2fa/recovery-codes/regenerate` requires:
```json
{
"password": "current-password",
"code": "123456"
}
```
The server verifies the current password and a current TOTP code. If both are valid, all previous recovery codes are deleted and a new set is inserted. The new plaintext codes are returned once. The account settings UI warns the user when the number of unused recovery codes is low.
## Disabling 2FA
`POST /api/2fa/disable` requires:
```json
{
"password": "current-password",
"code": "123456"
}
```
If the password and TOTP code are valid, the server:
1. Sets `two_factor_enabled = 0`.
2. Clears `two_factor_secret`.
3. Deletes recovery codes for the user.
4. Revokes refresh tokens for the user.
5. Clears authentication cookies.
The frontend redirects the user to `/login` after disabling 2FA because existing sessions are revoked.
## Refresh Token Rotation
`POST /api/refresh` accepts the refresh token either from JSON:
```json
{
"refresh_token": "..."
}
```
or from the `refresh_token` cookie.
The server:
1. Hashes the supplied token.
2. Looks it up in `refresh_tokens`.
3. Rejects revoked or expired tokens.
4. Marks the used refresh token as revoked.
5. Issues a new access token and refresh token.
6. Stores the new refresh token hash.
7. Updates the auth cookies.
## Account Settings Security
The account settings page currently supports:
- username changes,
- password changes,
- passkey registration,
- passkey removal,
- passkey disable,
- TOTP 2FA setup,
- TOTP 2FA disable,
- recovery-code download after generation,
- recovery-code regeneration.
Username changes require the current password.
Password changes require the current password, reject passwords longer than bcrypt's 72-byte effective limit, revoke existing refresh tokens, and issue a new session.
2FA activation also revokes existing refresh tokens and issues a new session for the current browser. Passkey changes also revoke existing refresh tokens and issue a new current session. Other devices must log in again and complete the configured authentication flow.
## Middleware Behavior
Protected routes use `AuthMiddleware`.
The middleware checks tokens in this order:
1. `Authorization: Bearer <token>` header.
2. `access_token` cookie.
If no token is found:
- `/api/*` routes receive `401 Unauthorized`.
- non-API routes redirect to `/login`.
If token validation fails:
- `/api/*` routes receive `401 Unauthorized`.
- non-API routes clear the access cookie and redirect to `/login`.
## Security Limitations and Follow-up Work
The current implementation is usable for private/self-hosted deployments, but these improvements should be prioritized before exposing it to untrusted public traffic:
- Replace the current in-memory rate limiter with persistent or distributed rate limiting if the app is deployed across multiple instances.
- Add audit logging for account security changes.
- Add optional session/device management UI.
- Consider encrypting TOTP secrets and passkey credential data at rest if the deployment threat model includes database disclosure.
- Expand tests for all authentication and account settings handlers.
## Activity Log
MiauInv records account, authentication, security, and inventory activity in the `activity_logs` table. The log is designed for user-visible traceability and lightweight security review.
Recorded examples include:
- password login success and failure,
- 2FA login success and failure,
- refresh-token rotation,
- logout,
- username and password changes,
- TOTP setup, enable, disable, and recovery-code regeneration,
- passkey registration, login, removal, and disable,
- inventory, location, project, stock, and allocation mutations.
The log does not store request bodies or secret values. Passwords, TOTP codes, recovery codes, refresh tokens, and WebAuthn payloads are excluded.
`GET /api/activity` returns the current user's recent activity with bounded `limit` and `offset` pagination. Admin users may request all activity with `?all=true`.

282
docs/DATABASE.md Normal file
View File

@@ -0,0 +1,282 @@
# Database Documentation
MiauInv uses SQLite for persistent storage. The schema is initialized in `storage.InitDB` and foreign-key enforcement is explicitly enabled with:
```sql
PRAGMA foreign_keys = ON;
```
The database stores users, refresh tokens, 2FA recovery codes, passkey credentials, passkey challenge state, activity log entries, inventory items, locations, projects, stock mappings, and project allocations.
## Entity Overview
```text
[users] 1 ──── N [refresh_tokens]
[users] 1 ──── N [two_factor_recovery_codes]
[users] 1 ──── N [passkey_credentials]
[users] 1 ──── N [activity_logs]
[passkey_challenges] stores short-lived WebAuthn ceremony state
[items] 1 ──── N [stock] N ──── 1 [locations]
[items] 1 ──── N [project_items] N ──── 1 [projects]
```
## Tables
### `users`
Stores account credentials, roles, and 2FA state.
| Column | Type | Constraints | Description |
| --- | --- | --- | --- |
| `id` | `TEXT` | Primary key | User UUID. |
| `username` | `TEXT` | Not null, unique | Lowercased account name. |
| `password` | `TEXT` | Not null | bcrypt password hash. |
| `role` | `TEXT` | Not null | User role, for example `user` or `admin`. |
| `two_factor_enabled` | `INTEGER` | Not null, default `0` | Boolean flag for TOTP 2FA state. |
| `two_factor_secret` | `TEXT` | Not null, default `''` | TOTP secret used to validate authenticator codes. Empty when 2FA is disabled. During setup the secret is held in a short-lived signed setup token and is only stored after the first valid TOTP code. |
Migration note: existing databases are migrated with `ALTER TABLE` statements for `two_factor_enabled` and `two_factor_secret` if those columns do not exist yet.
### `refresh_tokens`
Stores refresh-token sessions. Tokens are stored as hashes, not plaintext.
| Column | Type | Constraints | Description |
| --- | --- | --- | --- |
| `id` | `TEXT` | Primary key | Refresh-token row UUID. |
| `user_id` | `TEXT` | Not null, foreign key to `users(id)` | Owning user. |
| `token_hash` | `TEXT` | Not null | Hash of the refresh token. |
| `expires_at` | `INTEGER` | Not null | Unix timestamp for expiry. |
| `created_at` | `INTEGER` | Not null | Unix timestamp for creation. |
| `revoked` | `INTEGER` | Not null, default `0` | Boolean revocation flag. |
| `device_info` | `TEXT` | Optional | User-Agent string recorded when the session is created. |
Refresh-token rotation revokes the used refresh token and inserts a new row for the next token.
### `two_factor_recovery_codes`
Stores recovery-code hashes for 2FA fallback login.
| Column | Type | Constraints | Description |
| --- | --- | --- | --- |
| `id` | `TEXT` | Primary key | Recovery-code row UUID. |
| `user_id` | `TEXT` | Not null, foreign key to `users(id)` with `ON DELETE CASCADE` | Owning user. |
| `code_hash` | `TEXT` | Not null, unique with `user_id` | Hash of the normalized recovery code. |
| `created_at` | `INTEGER` | Not null | Unix timestamp for creation. |
| `used_at` | `INTEGER` | Nullable | Unix timestamp when the code was consumed. `NULL` means unused. |
Recovery codes are deleted and replaced when the user regenerates them. A recovery code is consumed with an atomic update that only matches unused codes.
### `passkey_credentials`
Stores WebAuthn passkey credentials for account login. Private keys are not stored by MiauInv; they remain in the authenticator, platform passkey provider, browser, or security key.
| Column | Type | Constraints | Description |
| --- | --- | --- | --- |
| `id` | `TEXT` | Primary key | Passkey row UUID. |
| `user_id` | `TEXT` | Not null, foreign key to `users(id)` with `ON DELETE CASCADE` | Owning user. |
| `credential_id` | `TEXT` | Not null, unique | Base64url-encoded WebAuthn credential ID. |
| `name` | `TEXT` | Not null | User-visible passkey name. |
| `credential_data` | `TEXT` | Not null | Serialized WebAuthn credential data, including public-key material and authenticator metadata. |
| `created_at` | `INTEGER` | Not null | Unix timestamp for creation. |
| `last_used_at` | `INTEGER` | Nullable | Unix timestamp when the passkey was last used successfully. |
### `passkey_challenges`
Stores short-lived server-side WebAuthn session data for registration and login ceremonies. The browser receives only an opaque `session_token`.
| Column | Type | Constraints | Description |
| --- | --- | --- | --- |
| `token` | `TEXT` | Primary key | Opaque challenge token returned to the client. |
| `user_id` | `TEXT` | Not null, default `''` | Owning user for registration challenges. Empty for discoverable login challenges. |
| `ceremony` | `TEXT` | Not null | Challenge type, for example `register` or `login`. |
| `session_data` | `TEXT` | Not null | Serialized WebAuthn session data. |
| `expires_at` | `INTEGER` | Not null | Unix timestamp after which the challenge is rejected. |
Challenge rows are consumed once during the finish step and expired rows are cleaned up opportunistically.
### `activity_logs`
Stores account, authentication, security, and inventory activity metadata. Request bodies, passwords, TOTP codes, recovery codes, passkey payloads, and token values are not stored.
| Column | Type | Constraints | Description |
| --- | --- | --- | --- |
| `id` | `TEXT` | Primary key | Activity row UUID. |
| `user_id` | `TEXT` | Not null, default `''` | User associated with the activity. Empty for unknown-user failed login attempts. |
| `username` | `TEXT` | Not null, default `''` | Username known at the time of the event. |
| `action` | `TEXT` | Not null | Normalized action name, for example `auth.login.succeeded` or `inventory.update`. |
| `entity_type` | `TEXT` | Not null, default `''` | Logical entity, for example `auth`, `security`, `item`, `location`, or `project`. |
| `entity_id` | `TEXT` | Not null, default `''` | Optional target ID when available. |
| `details` | `TEXT` | Not null, default `''` | Short sanitized status summary. |
| `method` | `TEXT` | Not null, default `''` | HTTP method. |
| `path` | `TEXT` | Not null, default `''` | Request path without query parameters. |
| `status_code` | `INTEGER` | Not null, default `0` | Final HTTP status code. |
| `success` | `INTEGER` | Not null, default `0` | Boolean success flag derived from the status code. |
| `ip_address` | `TEXT` | Not null, default `''` | Client IP address, considering common reverse-proxy headers. |
| `user_agent` | `TEXT` | Not null, default `''` | User-Agent metadata. |
| `created_at` | `INTEGER` | Not null | Unix timestamp for the event. |
Indexes are created for per-user timeline lookups, global timestamp ordering, and action filtering. Non-admin users can only read their own activity through `/api/activity`. Admin users can request all activity with `?all=true`.
### `items`
Stores tracked inventory items.
| Column | Type | Constraints | Description |
| --- | --- | --- | --- |
| `id` | `INTEGER` | Primary key, autoincrement | Item ID. |
| `name` | `TEXT` | Not null | Item name. |
| `category` | `TEXT` | Optional | Category label. |
| `description` | `TEXT` | Optional | Item description. |
| `total_quantity` | `INTEGER` | Not null, default `0` | Global quantity baseline. |
### `locations`
Stores physical or logical storage locations.
| Column | Type | Constraints | Description |
| --- | --- | --- | --- |
| `id` | `INTEGER` | Primary key, autoincrement | Location ID. |
| `name` | `TEXT` | Not null, unique | Location name. |
### `projects`
Stores project contexts for item allocation.
| Column | Type | Constraints | Description |
| --- | --- | --- | --- |
| `id` | `INTEGER` | Primary key, autoincrement | Project ID. |
| `name` | `TEXT` | Not null, unique | Project name. |
| `description` | `TEXT` | Optional | Project description. |
### `stock`
Maps item quantities to locations.
| Column | Type | Constraints | Description |
| --- | --- | --- | --- |
| `id` | `INTEGER` | Primary key, autoincrement | Stock row ID. |
| `item_id` | `INTEGER` | Not null, foreign key to `items(id)` | Item reference. |
| `location_id` | `INTEGER` | Not null, foreign key to `locations(id)` | Location reference. |
| `quantity` | `INTEGER` | Not null | Quantity at this location. |
### `project_items`
Maps item quantities to projects.
| Column | Type | Constraints | Description |
| --- | --- | --- | --- |
| `id` | `INTEGER` | Primary key, autoincrement | Association row ID. |
| `item_id` | `INTEGER` | Not null, foreign key to `items(id)` | Item reference. |
| `project_id` | `INTEGER` | Not null, foreign key to `projects(id)` | Project reference. |
| `quantity` | `INTEGER` | Not null | Quantity allocated to the project. |
## Data Integrity
### Foreign keys
Foreign keys are enabled per connection. Because most inventory foreign keys do not define explicit cascade behavior, SQLite blocks deletion of referenced items, locations, or projects while dependent rows exist.
`two_factor_recovery_codes.user_id` and `passkey_credentials.user_id` use `ON DELETE CASCADE`, so deleting a user also deletes their recovery-code and passkey rows.
### Uniqueness
The following values are unique:
- `users.username`
- `locations.name`
- `projects.name`
- `two_factor_recovery_codes(user_id, code_hash)`
- `passkey_credentials.credential_id`
### Current schema limitations
The current schema does not yet enforce all business rules at the database level. In particular:
- `items.total_quantity` has no explicit `CHECK(total_quantity >= 0)` constraint.
- `stock.quantity` has no explicit `CHECK(quantity >= 0)` constraint.
- `project_items.quantity` has no explicit `CHECK(quantity >= 0)` constraint.
- Duplicate stock rows for the same `(item_id, location_id)` pair are not prevented by a unique constraint.
- Duplicate project allocations for the same `(item_id, project_id)` pair are not prevented by a unique constraint.
These constraints should be added in a future migration once the desired application behavior is finalized.
## Important Queries and Behaviors
### User lookup
Users can be loaded by lowercased username or ID. Username updates store the new username lowercased.
### Password update
When the password is updated:
1. The new password is bcrypt-hashed.
2. The `users.password` field is updated.
3. Existing refresh tokens for that user are revoked.
4. A new session is issued.
### Passkey registration
When a passkey is registered:
1. The current password is verified.
2. A WebAuthn registration challenge is stored in `passkey_challenges`.
3. The finish step consumes the challenge.
4. The WebAuthn credential is verified.
5. A row is inserted into `passkey_credentials`.
6. Existing refresh tokens for the user are revoked.
7. A new session is issued for the current browser.
### Passkey login
When passkey login completes:
1. A discoverable WebAuthn login challenge is consumed from `passkey_challenges`.
2. The credential assertion is verified against the stored credential data.
3. The stored credential data and `last_used_at` value are updated.
4. A normal access/refresh session is issued.
### Passkey removal
When a passkey is removed or all passkeys are disabled:
1. The current password is verified.
2. The matching passkey row, or all rows for the user, are deleted.
3. Existing refresh tokens for the user are revoked.
4. A new session is issued for the current browser.
### 2FA enable
When 2FA is enabled:
1. The temporary setup token is validated.
2. The supplied TOTP code is validated against the setup secret.
3. Existing recovery codes are deleted.
4. New recovery-code hashes are inserted.
5. `users.two_factor_enabled` is set to `1` and `users.two_factor_secret` is set to the confirmed secret.
6. Existing refresh tokens are revoked and a new session is issued for the current browser.
### 2FA disable
When 2FA is disabled:
1. `two_factor_enabled` is set to `0`.
2. `two_factor_secret` is cleared.
3. Recovery-code rows for the user are deleted.
4. Refresh tokens for the user are revoked.
### Recovery-code use
A recovery code is consumed with an update equivalent to:
```sql
UPDATE two_factor_recovery_codes
SET used_at = ?
WHERE user_id = ? AND code_hash = ? AND used_at IS NULL;
```
The login succeeds only if exactly one row is updated.

91
docs/ENDPOINTS.md Normal file
View File

@@ -0,0 +1,91 @@
# API Endpoints
This document lists the public page routes and JSON API endpoints exposed by MiauInv. API endpoints that modify account or inventory state require authentication unless explicitly marked as public.
## Page Routes
| Route | Authentication | Purpose |
| --- | --- | --- |
| `/` | No | Landing page. |
| `/login` | No | Login page with password and passkey login. |
| `/register` | Optional | Registration page when registration is enabled. |
| `/dashboard` | Yes | Dashboard overview. |
| `/inventory` | Yes | Inventory item management. |
| `/items` | Yes | Item list view. |
| `/locations` | Yes | Location management. |
| `/projects` | Yes | Project allocation management. |
| `/profile/settings` | Yes | Account, 2FA, and passkey settings. |
| `/profile/activity` | Yes | User activity log. |
## Authentication and Account API
| Endpoint | Method | Authentication | Purpose |
| --- | --- | --- | --- |
| `/api/register` | `POST` | No | Create a user when registration is enabled. |
| `/api/login` | `POST` | No | Password login. Returns a 2FA challenge if required. |
| `/api/login/2fa` | `POST` | No | Complete TOTP or recovery-code login. |
| `/api/passkeys/login/options` | `POST` | No | Start discoverable passkey login. |
| `/api/passkeys/login/finish` | `POST` | No | Complete passkey login. |
| `/api/refresh` | `POST` | No | Rotate a refresh token and issue a new session. |
| `/api/logout` | `POST` | Yes | Revoke refresh sessions and clear auth cookies. |
| `/api/userinfo` | `GET` | Yes | Return current user metadata and security status. |
| `/api/profile` | `GET` | Yes | Alias for current user metadata. |
| `/api/account/username` | `POST` | Yes | Change username with password confirmation. |
| `/api/account/password` | `POST` | Yes | Change password and refresh the current session. |
## Two-Factor Authentication API
| Endpoint | Method | Authentication | Purpose |
| --- | --- | --- | --- |
| `/api/2fa/setup` | `POST` | Yes | Create a short-lived setup challenge, QR code, and manual setup secret. |
| `/api/2fa/enable` | `POST` | Yes | Confirm the setup challenge, enable 2FA, and generate recovery codes. |
| `/api/2fa/disable` | `POST` | Yes | Disable 2FA with password and TOTP confirmation. |
| `/api/2fa/recovery-codes/regenerate` | `POST` | Yes | Replace recovery codes with password and TOTP confirmation. |
## Passkey Management API
| Endpoint | Method | Authentication | Purpose |
| --- | --- | --- | --- |
| `/api/passkeys` | `GET` | Yes | List registered passkeys. |
| `/api/passkeys` | `DELETE` | Yes | Remove a passkey with password confirmation. |
| `/api/passkeys/register/options` | `POST` | Yes | Start passkey registration. |
| `/api/passkeys/register/finish` | `POST` | Yes | Finish passkey registration and store the credential. |
| `/api/passkeys/disable` | `POST` | Yes | Remove all passkeys with password confirmation. |
## Activity API
| Endpoint | Method | Authentication | Purpose |
| --- | --- | --- | --- |
| `/api/activity` | `GET` | Yes | Return recent activity entries for the current user. Admin users may request `?all=true`. |
Query parameters:
| Parameter | Default | Max | Purpose |
| --- | --- | --- | --- |
| `limit` | `50` | `100` | Number of entries to return. |
| `offset` | `0` | `100000` | Offset for pagination. |
| `all` | `false` | n/a | Admin-only flag for reading all users' activity. |
## Inventory API
| Endpoint | Method | Authentication | Purpose |
| --- | --- | --- | --- |
| `/api/item` | `GET` | Yes | List items or read an item by `id`. |
| `/api/item` | `POST` | Yes | Create an item. |
| `/api/item` | `PUT` | Yes | Update an item by `id`. |
| `/api/item` | `DELETE` | Yes | Delete an item by `id`. |
| `/api/location` | `GET` | Yes | List locations, read a location by `id`, or read location contents with `content=true`. |
| `/api/location` | `POST` | Yes | Create a location. |
| `/api/location` | `PUT` | Yes | Update a location by `id`. |
| `/api/location` | `DELETE` | Yes | Delete a location by `id`. |
| `/api/project` | `GET` | Yes | List projects, read a project by `id`, or read project allocation details with `details=true`. |
| `/api/project` | `POST` | Yes | Create a project. |
| `/api/project` | `PUT` | Yes | Update a project by `id`. |
| `/api/project` | `DELETE` | Yes | Delete a project by `id`. |
| `/api/stock` | `GET` | Yes | List stock rows, optionally filtered by `item_id`. |
| `/api/stock` | `POST` | Yes | Add stock to a location. |
| `/api/stock` | `DELETE` | Yes | Delete a stock row by `id`. |
| `/api/association` | `GET` | Yes | List project-item allocations, optionally filtered by `project_id`. |
| `/api/association` | `POST` | Yes | Allocate item quantity to a project. |
| `/api/association` | `PUT` | Yes | Update an allocation by `id`. |
| `/api/association` | `DELETE` | Yes | Delete an allocation by `id`. |

104
docs/SECURITY.md Normal file
View File

@@ -0,0 +1,104 @@
# Security
This document summarizes the current security-relevant behavior of MiauInv. It is intended as implementation documentation, not as a guarantee that the application is production-ready for untrusted public deployments.
## Authentication
MiauInv uses signed JWT access tokens, database-backed refresh tokens, optional TOTP-based two-factor authentication, and optional WebAuthn passkeys.
JWTs are signed with `JWT_SECRET`. They are not encrypted. Normal access tokens and purpose tokens should therefore contain only identity and authorization metadata.
The short-lived 2FA setup token is a narrow exception: it carries the not-yet-enabled TOTP secret until the first authenticator code is validated. This avoids storing the setup secret in the database before 2FA is confirmed.
## Passwords
Passwords are hashed with bcrypt. Password updates require the current password. New passwords longer than bcrypt's effective 72-byte limit are rejected.
When a password is changed:
1. The new password is bcrypt-hashed.
2. The stored password hash is updated.
3. Existing refresh tokens for the user are revoked.
4. A new session is issued for the current browser.
## Sessions
Access tokens expire after 15 minutes. Refresh tokens expire after 7 days.
Refresh tokens are stored only as hashes in the database. Refresh-token rotation revokes the used refresh token and inserts a new token hash.
Security-sensitive account changes revoke existing refresh-token sessions.
## Cookies
Authentication cookies are set as HTTP-only secure cookies using `SameSite=Lax`.
Because the cookies are marked `Secure`, local development should use HTTPS. If the application is placed behind a reverse proxy, the deployment should preserve HTTPS semantics between the user and the proxy.
## Two-Factor Authentication
TOTP 2FA is optional per account.
The setup flow returns a QR code, a manual setup key, and a short-lived setup token. The TOTP secret is stored only after the user submits a valid code from their authenticator app.
When 2FA is enabled:
1. Any previous recovery codes are deleted.
2. A new recovery-code set is generated.
3. The TOTP secret is stored.
4. Existing refresh sessions are revoked.
5. A new current session is issued.
When 2FA is disabled:
1. The TOTP secret is cleared.
2. Recovery codes are deleted.
3. Existing refresh sessions are revoked.
4. Authentication cookies are cleared.
## Recovery Codes
Recovery codes are generated with cryptographically secure randomness and stored only as hashes.
They are displayed only immediately after generation or regeneration. They cannot be recovered later because the plaintext values are not stored.
Recovery codes are single-use. During login, a submitted value is first checked as a TOTP code. If that fails, the value is normalized, hashed, and matched against unused recovery-code hashes.
The account settings UI warns the user when the remaining unused recovery-code count is low.
## Passkeys
Passkeys use WebAuthn public-key credentials. The server stores credential metadata and public-key material, but not private keys. Private keys remain controlled by the authenticator, browser, operating system, or security key.
Passkey registration requires the current account password. Registration uses a server-side challenge stored in `passkey_challenges` and returned to the browser only as an opaque challenge token. The browser response is verified before the credential is stored.
Passkey login creates a one-time server-side challenge. The login flow uses discoverable passkeys and does not require entering a username first. User verification is required for passkey registration and login.
Passkey login is treated as a complete phishing-resistant sign-in method. Because passkey registration and login require WebAuthn user verification, the server issues a normal session after a valid passkey assertion instead of asking for an additional TOTP code.
When passkeys are added, removed, or disabled, existing refresh sessions are revoked and a fresh current session is issued.
Passkey ceremonies require HTTPS except for localhost. Reverse proxy deployments must preserve the correct public `Host`, `X-Forwarded-Host`, and `X-Forwarded-Proto` information so that the relying party origin and ID match the browser-visible origin.
## Activity Logging
MiauInv stores an authenticated activity log for security-relevant and state-changing actions, including login attempts, refresh-token rotation, account changes, 2FA changes, passkey management, logout, and inventory mutations.
The activity log intentionally stores metadata only: action name, entity type, optional target ID, HTTP method, path, status, success flag, IP address, user agent, and timestamp. Request bodies are not logged, so passwords, TOTP codes, recovery codes, refresh tokens, and WebAuthn payloads are not persisted in the activity table.
Users can read their own entries from `/profile/activity` and `/api/activity`. Admin users may request all users' activity with `?all=true`. The API enforces authentication, bounds pagination limits, and is protected by rate limiting.
## Rate Limiting
Basic in-memory rate limiting protects login, passkey ceremonies, 2FA, refresh, registration, activity, and sensitive account endpoints.
This is suitable for a single-instance private deployment. It is not sufficient for multi-instance deployments because limiter state is process-local. A public or multi-instance deployment should use persistent or distributed rate limiting at the application, reverse proxy, or infrastructure layer.
## Known Limitations
- Automated testing is currently limited.
- TOTP secrets are stored in the database after confirmation because the server must validate future codes.
- Passkey credential metadata and public-key data are stored in the database after registration.
- TOTP secrets are not encrypted at rest.
- There is no dedicated session/device management UI yet.
- The current rate limiter is process-local and memory-only.

BIN
docs/img/dashboard.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 57 KiB

BIN
docs/img/inventory.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 38 KiB

BIN
docs/img/locations.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 43 KiB

BIN
docs/img/projects.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 37 KiB

295
frontend/assets/css/dashboard.css
View File

@@ -1,3 +1,9 @@
.dashboard-layout {
justify-content: flex-start;
align-items: stretch;
padding: 0;
}
main {
max-width: 1400px;
width: 100%;
@@ -6,17 +12,18 @@ main {
flex: 1;
}
h1 {
font-size: 2rem;
.page-header h1 {
font-size: 2.2rem;
font-weight: 700;
letter-spacing: -0.03em;
margin-bottom: 2rem;
color: var(--text);
}
header {
width: 100%;
border-bottom: 1px solid var(--border);
background: rgba(31, 41, 55, 0.6);
background: rgba(31, 41, 55, 0.8);
backdrop-filter: blur(12px);
position: sticky;
top: 0;
@@ -27,7 +34,7 @@ header {
max-width: 1400px;
margin: 0 auto;
padding: 0 2rem;
height: 4rem;
height: 4.5rem;
display: flex;
justify-content: space-between;
align-items: center;
@@ -42,7 +49,7 @@ header {
.brand {
font-weight: 800;
font-size: 1.2rem;
font-size: 1.4rem;
letter-spacing: -0.03em;
}
@@ -65,7 +72,7 @@ nav a {
align-items: center;
border-bottom: 2px solid transparent;
padding: 0 0.25rem;
transition: color 0.15s ease, border-color 0.15s ease;
transition: color 0.2s ease, border-color 0.2s ease;
}
nav a:hover, nav a.active {
@@ -75,10 +82,9 @@ nav a:hover, nav a.active {
.profile-dropdown {
position: relative;
display: inline-block;
height: 100%;
display: flex;
align-items: center;
height: 100%;
}
.profile-trigger {
@@ -99,8 +105,8 @@ nav a:hover, nav a.active {
}
.avatar {
width: 2rem;
height: 2rem;
width: 2.2rem;
height: 2.2rem;
background-color: var(--accent);
color: #ffffff;
border-radius: 50%;
@@ -114,17 +120,24 @@ nav a:hover, nav a.active {
.username {
font-size: 0.95rem;
font-weight: 500;
display: none;
}
@media (min-width: 640px) {
.username {
display: block;
}
}
.dropdown-menu {
position: absolute;
top: calc(100% - 0.5rem);
right: 0;
width: 200px;
width: 220px;
background: #1f2937;
border: 1px solid var(--border);
border-radius: 8px;
box-shadow: 0 10px 15px -3px rgba(0, 0, 0, 0.3);
border-radius: 12px;
box-shadow: 0 10px 25px -5px rgba(0, 0, 0, 0.5);
display: none;
flex-direction: column;
padding: 0.5rem 0;
@@ -138,8 +151,8 @@ nav a:hover, nav a.active {
.dropdown-menu a, .logout-btn {
width: 100%;
padding: 0.6rem 1.2rem;
font-size: 0.9rem;
padding: 0.75rem 1.25rem;
font-size: 0.95rem;
color: var(--text-muted);
text-decoration: none;
text-align: left;
@@ -148,6 +161,9 @@ nav a:hover, nav a.active {
cursor: pointer;
transition: background-color 0.15s ease, color 0.15s ease;
box-sizing: border-box;
display: flex;
align-items: center;
gap: 0.5rem;
}
.dropdown-menu a:hover {
@@ -158,7 +174,7 @@ nav a:hover, nav a.active {
.dropdown-divider {
border: 0;
border-top: 1px solid var(--border);
margin: 0.4rem 0;
margin: 0.5rem 0;
}
.logout-btn {
@@ -173,7 +189,7 @@ nav a:hover, nav a.active {
.stats-grid {
display: grid;
grid-template-columns: repeat(auto-fit, minmax(240px, 1fr));
grid-template-columns: repeat(auto-fit, minmax(280px, 1fr));
gap: 1.5rem;
margin-bottom: 2rem;
}
@@ -181,26 +197,45 @@ nav a:hover, nav a.active {
.stat-card {
background: var(--card);
border: 1px solid var(--border);
border-radius: 12px;
padding: 1.5rem;
text-align: left;
border-radius: 16px;
padding: 1.75rem;
display: flex;
align-items: center;
gap: 1.5rem;
box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.1);
transition: transform 0.2s ease, box-shadow 0.2s ease;
}
.stat-card h2 {
font-size: 2.25rem;
.stat-card:hover {
transform: translateY(-2px);
box-shadow: 0 10px 15px -3px rgba(0, 0, 0, 0.2);
}
.stat-icon {
width: 3.5rem;
height: 3.5rem;
border-radius: 12px;
display: flex;
align-items: center;
justify-content: center;
}
.stat-info h2 {
font-size: 2rem;
font-weight: 700;
letter-spacing: -0.03em;
margin-bottom: 0.25rem;
margin: 0;
color: var(--text);
line-height: 1.2;
}
.stat-card p {
.stat-info p {
color: var(--text-muted);
font-size: 0.9rem;
font-weight: 500;
text-transform: uppercase;
letter-spacing: 0.05em;
margin: 0 0 0.25rem 0;
}
.action-bar {
@@ -219,7 +254,7 @@ nav a:hover, nav a.active {
width: 100%;
background: var(--card);
border: 1px solid var(--border);
border-radius: 12px;
border-radius: 16px;
overflow: hidden;
box-shadow: 0 4px 6px -1px rgba(0, 0, 0, 0.1);
}
@@ -235,7 +270,7 @@ th {
background: #111827;
color: var(--text-muted);
font-weight: 600;
padding: 1rem 1.5rem;
padding: 1.25rem 1.5rem;
font-size: 0.85rem;
text-transform: uppercase;
letter-spacing: 0.05em;
@@ -243,7 +278,7 @@ th {
}
td {
padding: 1rem 1.5rem;
padding: 1.25rem 1.5rem;
border-bottom: 1px solid var(--border);
color: var(--text);
}
@@ -253,7 +288,153 @@ tr:last-child td {
}
tr:hover td {
background: rgba(255, 255, 255, 0.01);
background: rgba(255, 255, 255, 0.02);
}
.activity-header {
display: flex;
justify-content: space-between;
align-items: flex-start;
gap: 1rem;
flex-wrap: wrap;
}
.activity-header h1 {
margin-bottom: 0.5rem;
}
.activity-header p {
color: var(--text-muted);
margin: 0;
}
.activity-refresh,
.activity-load-more {
width: auto;
padding: 0.6rem 1.2rem;
}
.activity-controls-card {
max-width: 100%;
text-align: left;
padding: 1.35rem;
margin-bottom: 1.5rem;
display: grid;
grid-template-columns: minmax(260px, 1fr) minmax(260px, 1.25fr);
gap: 1rem;
align-items: stretch;
}
.activity-control-panel {
display: flex;
justify-content: space-between;
align-items: center;
gap: 1rem;
background: rgba(17, 24, 39, 0.62);
border: 1px solid var(--border);
border-radius: 14px;
padding: 1rem;
}
.activity-control-copy h2 {
color: var(--text);
font-size: 1rem;
margin: 0.1rem 0 0.25rem;
}
.activity-control-copy p,
.activity-note {
color: var(--text-muted);
margin: 0;
font-size: 0.92rem;
}
.activity-eyebrow {
color: var(--accent);
font-size: 0.75rem;
font-weight: 800;
letter-spacing: 0.08em;
text-transform: uppercase;
}
.activity-entry-menu {
display: inline-flex;
align-items: center;
gap: 0.35rem;
padding: 0.35rem;
background: #0f172a;
border: 1px solid var(--border);
border-radius: 999px;
box-shadow: inset 0 1px 0 rgba(255, 255, 255, 0.04);
}
.activity-entry-option {
min-width: 3.2rem;
border: 0;
border-radius: 999px;
padding: 0.55rem 0.85rem;
background: transparent;
color: var(--text-muted);
cursor: pointer;
font-weight: 800;
transition: background-color 0.18s ease, color 0.18s ease, box-shadow 0.18s ease;
}
.activity-entry-option:hover,
.activity-entry-option:focus-visible {
color: var(--text);
outline: none;
background: rgba(255, 255, 255, 0.05);
}
.activity-entry-option.active {
color: #ffffff;
background: var(--accent);
box-shadow: 0 8px 18px rgba(59, 130, 246, 0.28);
}
.activity-note {
display: flex;
align-items: center;
border: 1px solid rgba(59, 130, 246, 0.22);
border-radius: 14px;
padding: 1rem;
background: rgba(59, 130, 246, 0.08);
}
.activity-note strong {
color: #bfdbfe;
margin-right: 0.35rem;
}
.activity-load-more-wrap {
display: flex;
justify-content: center;
margin-top: 1.5rem;
}
#activity-load-more {
display: none;
}
@media (max-width: 860px) {
.activity-controls-card {
grid-template-columns: 1fr;
}
.activity-control-panel {
align-items: flex-start;
flex-direction: column;
}
.activity-entry-menu {
width: 100%;
}
.activity-entry-option {
flex: 1;
}
}
#modal {
@@ -261,47 +442,49 @@ tr:hover td {
z-index: 100;
}
.dropdown-menu {
position: absolute;
top: 100%;
right: 0;
width: 200px;
background: #1f2937;
border: 1px solid var(--border);
border-radius: 8px;
box-shadow: 0 10px 15px -3px rgba(0, 0, 0, 0.3);
display: none;
flex-direction: column;
z-index: 1000;
}
.dropdown-menu.show {
display: flex !important;
}
#main-nav {
z-index: 900;
}
@media (max-width: 768px) {
.menu-trigger { display: block; background: none; border: 1px solid var(--border); color: var(--text); padding: 0.4rem 0.8rem; border-radius: 6px; }
.menu-trigger {
display: flex;
align-items: center;
justify-content: center;
background: none;
border: 1px solid var(--border);
color: var(--text);
padding: 0.5rem;
border-radius: 8px;
cursor: pointer;
}
#main-nav {
display: none;
flex-direction: column;
position: absolute;
top: 4rem;
top: 4.5rem;
left: 0;
width: 100%;
background: #111827;
background: rgba(17, 24, 39, 0.95);
backdrop-filter: blur(12px);
padding: 1rem;
z-index: 100;
z-index: 1000;
border-bottom: 1px solid var(--border);
}
#main-nav.show { display: flex; }
#main-nav.show {
display: flex;
}
#main-nav a {
padding: 1rem;
border-bottom: 1px solid var(--border);
}
#main-nav a:last-child {
border-bottom: none;
}
}
@media (min-width: 769px) {
.menu-trigger { display: none; }
.menu-trigger {
display: none;
}
}

108
frontend/assets/css/register-blocked.css Normal file
View File

@@ -0,0 +1,108 @@
:root {
--bg: #111827;
--card: #1f2937;
--border: #374151;
--text: #f9fafb;
--text-muted: #9ca3af;
--accent: #3b82f6;
--accent-hover: #2563eb;
--success: #10b981;
--error: #ef4444;
}
* {
box-sizing: border-box;
margin: 0;
padding: 0;
}
body {
min-height: 100vh;
background: var(--bg);
color: var(--text);
font-family: system-ui, -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
display: flex;
flex-direction: column;
}
body:not(.dashboard-layout) {
justify-content: center;
align-items: center;
padding: 1rem;
}
.card {
width: 100%;
max-width: 400px;
background: var(--card);
border: 1px solid var(--border);
border-radius: 16px;
padding: 2.5rem 2rem;
box-shadow: 0 10px 15px -3px rgba(0, 0, 0, 0.3), 0 4px 6px -4px rgba(0, 0, 0, 0.3);
text-align: center;
}
.card h1 {
margin: 0 0 0.5rem 0;
font-size: 1.75rem;
font-weight: 700;
letter-spacing: -0.025em;
}
.card .subtitle {
color: var(--text-muted);
font-size: 0.95rem;
margin-bottom: 2rem;
}
.btn {
display: inline-flex;
justify-content: center;
align-items: center;
width: 100%;
padding: 0.85rem;
font-size: 1rem;
font-weight: 600;
border-radius: 10px;
border: none;
cursor: pointer;
text-decoration: none;
transition: background-color 0.15s ease, border-color 0.15s ease, transform 0.1s ease;
}
.btn:active {
transform: scale(0.98);
}
.btn-secondary {
background: #1f2937;
color: white;
border: 1px solid var(--border);
}
.btn-secondary:hover {
background: var(--accent);
border-color: var(--accent);
}
.footer-text {
margin-top: 1.5rem;
font-size: 0.9rem;
color: var(--text-muted);
}
.message {
margin-top: 1.25rem;
padding: 0.85rem 1rem;
border-radius: 10px;
font-size: 0.9rem;
line-height: 1.4;
text-align: left;
}
.message.error {
background: rgba(239, 68, 68, 0.1);
border: 1px solid rgba(239, 68, 68, 0.2);
color: var(--error);
display: block;
}

171
frontend/assets/css/theme.css
View File

@@ -1,4 +1,3 @@
/* theme.css */
:root {
--bg: #111827;
--card: #1f2937;
@@ -18,19 +17,20 @@
}
body {
margin: 0;
min-height: 100vh;
background: var(--bg);
color: var(--text);
font-family: system-ui, -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
display: flex;
flex-direction: column;
}
body:not(.dashboard-layout) {
justify-content: center;
align-items: center;
padding: 1rem;
}
/* Gemeinsames Card-Layout für Home, Login, Register und 404 */
.card {
width: 100%;
max-width: 400px;
@@ -55,7 +55,6 @@ body {
margin-bottom: 2rem;
}
/* Button & Link Standard-Skins */
.btn {
display: inline-flex;
justify-content: center;
@@ -95,7 +94,6 @@ body {
border-color: var(--accent);
}
/* Formular-Elemente */
.form-group {
margin-bottom: 1.25rem;
}
@@ -132,6 +130,51 @@ input::placeholder {
color: #4b5563;
}
.password-input-wrapper {
position: relative;
width: 100%;
}
.password-input-wrapper input {
padding-right: 3rem;
}
.password-toggle {
position: absolute;
top: 50%;
right: 0.45rem;
width: 2.25rem;
height: 2.25rem;
transform: translateY(-50%);
display: inline-flex;
align-items: center;
justify-content: center;
color: var(--text-muted);
background: transparent;
border: 1px solid transparent;
border-radius: 8px;
cursor: pointer;
transition: color 0.15s ease, background-color 0.15s ease, border-color 0.15s ease, box-shadow 0.15s ease;
}
.password-toggle:hover {
color: var(--text);
background: rgba(255, 255, 255, 0.06);
}
.password-toggle:focus-visible {
outline: none;
border-color: var(--accent);
box-shadow: 0 0 0 3px rgba(59, 130, 246, 0.2);
}
.password-toggle svg {
width: 1.15rem;
height: 1.15rem;
pointer-events: none;
}
.footer-text {
margin-top: 1.5rem;
font-size: 0.9rem;
@@ -147,7 +190,6 @@ input::placeholder {
text-decoration: underline;
}
/* Feedback-Boxen */
.message {
display: none;
margin-top: 1.25rem;
@@ -168,4 +210,121 @@ input::placeholder {
background: rgba(16, 185, 129, 0.1);
border: 1px solid rgba(16, 185, 129, 0.2);
color: var(--success);
}
.modal {
position: fixed;
top: 0;
left: 0;
width: 100%;
height: 100%;
background: rgba(17, 24, 39, 0.7);
backdrop-filter: blur(4px);
display: none;
justify-content: center;
align-items: center;
z-index: 1000;
}
.modal.show {
display: flex;
}
.modal-content {
background: var(--card);
border: 1px solid var(--border);
border-radius: 16px;
padding: 2rem;
width: 90%;
max-width: 500px;
box-shadow: 0 20px 25px -5px rgba(0, 0, 0, 0.3);
position: relative;
transform: translateY(20px);
opacity: 0;
animation: modalSlideIn 0.3s forwards ease-out;
}
@keyframes modalSlideIn {
to {
transform: translateY(0);
opacity: 1;
}
}
.modal-content h2 {
margin-top: 0;
margin-bottom: 1.5rem;
font-size: 1.5rem;
}
.button-group {
display: flex;
gap: 1rem;
margin-top: 2rem;
}
.danger-btn {
background: rgba(239, 68, 68, 0.1) !important;
color: var(--error) !important;
border: 1px solid rgba(239, 68, 68, 0.2) !important;
}
.danger-btn:hover {
background: var(--error) !important;
color: white !important;
}
.table-loader {
padding: 3rem;
text-align: center;
color: var(--text-muted);
}
.modal-split {
display: grid;
grid-template-columns: 1fr;
gap: 2rem;
margin-top: 1.5rem;
}
@media (min-width: 768px) {
.modal-split {
grid-template-columns: 1fr 1fr;
}
}
.modal-content.large {
max-width: 800px;
}
.inner-table {
width: 100%;
margin-top: 1rem;
border: 1px solid var(--border);
border-radius: 8px;
overflow: hidden;
}
.inner-table th, .inner-table td {
padding: 0.75rem 1rem;
font-size: 0.85rem;
}
.inner-table th {
background: #111827;
}
.badge {
background: rgba(255, 255, 255, 0.05);
padding: 0.25rem 0.6rem;
border-radius: 999px;
font-size: 0.8rem;
color: var(--text-muted);
border: 1px solid var(--border);
}
.badge.success {
background: rgba(16, 185, 129, 0.1);
color: var(--success);
border-color: rgba(16, 185, 129, 0.2);
}

24
frontend/assets/css/under-construction.css Normal file
View File

@@ -0,0 +1,24 @@
.construction-icon-wrapper {
display: inline-flex;
align-items: center;
justify-content: center;
width: 80px;
height: 80px;
background: rgba(59, 130, 246, 0.1); /* Nutzt die var(--accent) Transparenz */
border: 1px solid rgba(59, 130, 246, 0.2);
border-radius: 50%;
margin-bottom: 1.5rem;
}
.gear-icon {
animation: gearRotate 8s linear infinite;
}
@keyframes gearRotate {
0% {
transform: rotate(0deg);
}
100% {
transform: rotate(360deg);
}
}

1134
frontend/assets/js/api.js Normal file
View File

File diff suppressed because it is too large Load Diff

99
frontend/assets/js/auth.js
View File

@@ -13,23 +13,20 @@
return null;
}
const cookieAccessToken = getCookie("access_token");
const cookieRefreshToken = getCookie("refresh_token");
const localAccessToken = localStorage.getItem("access_token");
const localRefreshToken = localStorage.getItem("refresh_token");
const accessToken = cookieAccessToken || localAccessToken;
const refreshToken = cookieRefreshToken || localRefreshToken;
if (!accessToken && !refreshToken) {
return;
function clearAllAuth() {
console.log("Clearing all auth remnants from everywhere...");
localStorage.removeItem("access_token");
localStorage.removeItem("refresh_token");
sessionStorage.removeItem("is_refreshing");
document.cookie = "access_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 UTC; Secure; SameSite=Lax;";
document.cookie = "refresh_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 UTC; Secure; SameSite=Lax;";
}
async function tryTokenRefresh() {
async function tryTokenRefresh(refreshToken) {
if (!refreshToken) return false;
try {
console.log("Sending refresh token to /api/refresh...");
const response = await fetch("/api/refresh", {
method: "POST",
headers: { "Content-Type": "application/json" },
@@ -38,72 +35,94 @@
if (response.ok) {
const data = await response.json();
localStorage.setItem("access_token", data.access_token);
localStorage.setItem("refresh_token", data.refresh_token);
document.cookie = `access_token=${data.access_token}; path=/; max-age=900; SameSite=Lax; Secure`;
document.cookie = `refresh_token=${data.refresh_token}; path=/; max-age=604800; SameSite=Lax; Secure`;
return true;
}
} catch (err) {
console.error("Refresh request failed:", err);
}
document.cookie = "access_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 UTC;";
document.cookie = "refresh_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 UTC;";
return false;
}
async function checkAuth() {
console.log("Auth check started...");
console.log("AccessToken present:", !!accessToken);
console.log("RefreshToken present:", !!refreshToken);
const cookieAccessToken = getCookie("access_token");
const cookieRefreshToken = getCookie("refresh_token");
const localAccessToken = localStorage.getItem("access_token");
const localRefreshToken = localStorage.getItem("refresh_token");
if (!cookieAccessToken && accessToken) {
console.log("Access token cookie missing, but present in localStorage. Forcing refresh...");
} else if (accessToken) {
const accessToken = cookieAccessToken || localAccessToken;
const refreshToken = cookieRefreshToken || localRefreshToken;
console.log("Auth check started...");
console.log("AccessToken available (Cookie/Local):", !!cookieAccessToken, "/", !!localAccessToken);
console.log("RefreshToken available (Cookie/Local):", !!cookieRefreshToken, "/", !!localRefreshToken);
if (!accessToken && !refreshToken) {
console.log("No tokens found in cookies or localStorage. User is a guest.");
return;
}
if (accessToken) {
try {
console.log("Attempting ping with access token...");
const response = await fetch("/api/ping", {
console.log("Validating token against /api/userinfo...");
const response = await fetch("/api/userinfo", {
method: "GET",
headers: { "Authorization": `Bearer ${accessToken}` }
});
if (response.ok) {
console.log("Ping successful! Redirecting to dashboard...");
console.log("Token is perfectly valid!");
sessionStorage.removeItem("is_refreshing");
if (!cookieAccessToken) {
document.cookie = `access_token=${accessToken}; path=/; max-age=900; SameSite=Lax; Secure`;
}
if (!cookieRefreshToken && localRefreshToken) {
document.cookie = `refresh_token=${localRefreshToken}; path=/; max-age=604800; SameSite=Lax; Secure`;
}
console.log("Redirecting to dashboard...");
window.location.href = "/dashboard";
return;
} else {
console.log("Ping failed. Status:", response.status);
console.log("Token rejected by /api/userinfo. Status:", response.status);
}
} catch (err) {
console.error("Network error during ping:", err);
console.error("Network error during token verification:", err);
}
}
if (sessionStorage.getItem("is_refreshing") === "true") {
console.warn("Loop protection triggered! Tokens appear to be corrupt. Clearing storage.");
clearAllAuth();
return;
}
if (refreshToken) {
console.log("Starting token refresh to rebuild cookies...");
const refreshSuccessful = await tryTokenRefresh();
console.log("Access token has expired. Starting refresh process...");
sessionStorage.setItem("is_refreshing", "true");
const refreshSuccessful = await tryTokenRefresh(refreshToken);
if (refreshSuccessful) {
console.log("Refresh successful! Redirecting to dashboard...");
window.location.href = "/dashboard";
console.log("Refresh successful! Reloading page to apply cookies...");
window.location.reload();
return;
} else {
console.log("Refresh failed. Staying on login.");
console.log("Refresh failed. Refresh token has also expired.");
}
} else {
console.log("No refresh token present. User must log in normally.");
console.log("No refresh token available for recovery.");
}
console.log("Authentication completely failed. Clearing remnants...");
localStorage.removeItem("access_token");
localStorage.removeItem("refresh_token");
document.cookie = "access_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 UTC;";
document.cookie = "refresh_token=; path=/; expires=Thu, 01 Jan 1970 00:00:00 UTC;";
clearAllAuth();
console.log("Authentication completely failed. User remains on login page.");
}
checkAuth();
setTimeout(checkAuth, 50);
})();

243
frontend/assets/js/login.js
View File

@@ -2,22 +2,233 @@
document.addEventListener("DOMContentLoaded", () => {
const form = document.getElementById("login-form");
const errorBox = document.getElementById("error");
const usernameInput = document.getElementById("username");
const passwordInput = document.getElementById("password");
const twoFactorInput = document.getElementById("two-factor-code");
const twoFactorGroup = document.getElementById("two-factor-group");
const submitButton = document.getElementById("login-submit");
const passkeyLoginButton = document.getElementById("passkey-login-button");
const passkeyLoginHint = document.getElementById("passkey-login-hint");
let pendingTwoFactorToken = null;
if (!form) return;
form.addEventListener("submit", async (e) => {
e.preventDefault();
errorBox.style.display = "none";
setupPasswordVisibilityToggles();
const username = document.getElementById("username").value;
const password = document.getElementById("password").value;
function showError(message) {
errorBox.textContent = message || "Login failed.";
errorBox.style.display = "block";
}
function clearError() {
errorBox.textContent = "";
errorBox.style.display = "none";
}
function setupPasswordVisibilityToggles(root = document) {
const eyeIcon = `
<svg viewBox="0 0 24 24" aria-hidden="true" focusable="false">
<path d="M2.25 12s3.5-6.75 9.75-6.75S21.75 12 21.75 12 18.25 18.75 12 18.75 2.25 12 2.25 12Z" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round"/>
<circle cx="12" cy="12" r="2.75" fill="none" stroke="currentColor" stroke-width="1.8"/>
</svg>`;
const eyeOffIcon = `
<svg viewBox="0 0 24 24" aria-hidden="true" focusable="false">
<path d="M3 3l18 18" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round"/>
<path d="M10.58 10.58A2.75 2.75 0 0 0 13.42 13.42" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round"/>
<path d="M7.1 7.7C3.95 9.55 2.25 12 2.25 12s3.5 6.75 9.75 6.75c1.65 0 3.08-.47 4.29-1.15" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round"/>
<path d="M9.8 5.55A9.2 9.2 0 0 1 12 5.25c6.25 0 9.75 6.75 9.75 6.75a15.3 15.3 0 0 1-2.3 2.95" fill="none" stroke="currentColor" stroke-width="1.8" stroke-linecap="round" stroke-linejoin="round"/>
</svg>`;
root.querySelectorAll('input[type="password"]').forEach((input) => {
if (input.dataset.visibilityToggleAttached === 'true') return;
input.dataset.visibilityToggleAttached = 'true';
let wrapper = input.closest('.password-input-wrapper');
if (!wrapper) {
wrapper = document.createElement('div');
wrapper.className = 'password-input-wrapper';
input.parentNode.insertBefore(wrapper, input);
wrapper.appendChild(input);
}
const toggle = document.createElement('button');
toggle.type = 'button';
toggle.className = 'password-toggle';
toggle.innerHTML = eyeIcon;
toggle.setAttribute('aria-label', `Show ${input.placeholder || 'password'}`);
toggle.setAttribute('title', 'Show password');
toggle.addEventListener('click', () => {
const show = input.type === 'password';
input.type = show ? 'text' : 'password';
toggle.innerHTML = show ? eyeOffIcon : eyeIcon;
toggle.setAttribute('aria-label', `${show ? 'Hide' : 'Show'} ${input.placeholder || 'password'}`);
toggle.setAttribute('title', show ? 'Hide password' : 'Show password');
});
wrapper.appendChild(toggle);
});
}
function storeTokens(data) {
localStorage.setItem("access_token", data.access_token);
localStorage.setItem("refresh_token", data.refresh_token);
}
function switchToTwoFactorMode(token) {
pendingTwoFactorToken = token;
usernameInput.disabled = true;
passwordInput.disabled = true;
if (passkeyLoginButton) passkeyLoginButton.disabled = true;
twoFactorGroup.style.display = "block";
twoFactorInput.required = true;
twoFactorInput.focus();
submitButton.textContent = "Verify code";
}
function webauthnSupported() {
return window.PublicKeyCredential && navigator.credentials;
}
function base64URLToBuffer(value) {
const base64 = value.replace(/-/g, "+").replace(/_/g, "/");
const padded = base64.padEnd(base64.length + (4 - base64.length % 4) % 4, "=");
const binary = atob(padded);
const bytes = new Uint8Array(binary.length);
for (let i = 0; i < binary.length; i++) {
bytes[i] = binary.charCodeAt(i);
}
return bytes.buffer;
}
function bufferToBase64URL(buffer) {
const bytes = new Uint8Array(buffer);
let binary = "";
for (const byte of bytes) {
binary += String.fromCharCode(byte);
}
return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/g, "");
}
function prepareCredentialRequestOptions(options) {
const publicKey = options.publicKey || options;
publicKey.challenge = base64URLToBuffer(publicKey.challenge);
if (Array.isArray(publicKey.allowCredentials)) {
publicKey.allowCredentials = publicKey.allowCredentials.map((credential) => ({
...credential,
id: base64URLToBuffer(credential.id)
}));
}
return publicKey;
}
function credentialToJSON(credential) {
const response = credential.response;
return {
id: credential.id,
rawId: bufferToBase64URL(credential.rawId),
type: credential.type,
response: {
clientDataJSON: bufferToBase64URL(response.clientDataJSON),
authenticatorData: bufferToBase64URL(response.authenticatorData),
signature: bufferToBase64URL(response.signature),
userHandle: response.userHandle ? bufferToBase64URL(response.userHandle) : null
},
clientExtensionResults: credential.getClientExtensionResults()
};
}
async function handlePasskeyLogin() {
if (!webauthnSupported()) {
showError("Passkeys are not supported by this browser.");
return;
}
clearError();
if (passkeyLoginButton) passkeyLoginButton.disabled = true;
submitButton.disabled = true;
try {
const response = await fetch("/api/login", {
const optionsResponse = await fetch("/api/passkeys/login/options", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({ username, password })
body: JSON.stringify({})
});
if (!optionsResponse.ok) {
throw new Error(await optionsResponse.text());
}
const optionsData = await optionsResponse.json();
const publicKey = prepareCredentialRequestOptions(optionsData.options);
const assertion = await navigator.credentials.get({ publicKey });
if (!assertion) {
throw new Error("Passkey authentication was cancelled.");
}
const finishResponse = await fetch("/api/passkeys/login/finish", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
session_token: optionsData.session_token,
credential: credentialToJSON(assertion)
})
});
if (!finishResponse.ok) {
throw new Error(await finishResponse.text());
}
const data = await finishResponse.json();
if (data.requires_2fa) {
switchToTwoFactorMode(data.two_factor_token);
return;
}
storeTokens(data);
window.location.href = "/dashboard";
} catch (err) {
showError(err.message);
} finally {
if (!pendingTwoFactorToken && passkeyLoginButton) passkeyLoginButton.disabled = false;
submitButton.disabled = false;
}
}
if (passkeyLoginButton) {
if (!webauthnSupported()) {
passkeyLoginButton.disabled = true;
if (passkeyLoginHint) passkeyLoginHint.textContent = "Passkeys are not supported by this browser.";
} else {
passkeyLoginButton.addEventListener("click", handlePasskeyLogin);
}
}
form.addEventListener("submit", async (e) => {
e.preventDefault();
clearError();
submitButton.disabled = true;
try {
let response;
if (pendingTwoFactorToken) {
response = await fetch("/api/login/2fa", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
two_factor_token: pendingTwoFactorToken,
code: twoFactorInput.value.trim()
})
});
} else {
response = await fetch("/api/login", {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify({
username: usernameInput.value,
password: passwordInput.value
})
});
}
if (!response.ok) {
const text = await response.text();
@@ -26,17 +237,17 @@ document.addEventListener("DOMContentLoaded", () => {
const data = await response.json();
localStorage.setItem("access_token", data.access_token);
localStorage.setItem("refresh_token", data.refresh_token);
document.cookie = `access_token=${data.access_token}; path=/; max-age=900; SameSite=Lax; Secure`;
document.cookie = `refresh_token=${data.refresh_token}; path=/; max-age=604800; SameSite=Lax; Secure`;
if (data.requires_2fa) {
switchToTwoFactorMode(data.two_factor_token);
return;
}
storeTokens(data);
window.location.href = "/dashboard";
} catch (err) {
errorBox.textContent = err.message || "Login failed.";
errorBox.style.display = "block";
showError(err.message);
} finally {
submitButton.disabled = false;
}
});
});
});

130
frontend/handler.go
View File

@@ -1,10 +1,16 @@
package frontend
import (
"MiauInv/storage"
"html/template"
"net/http"
"os"
"path/filepath"
"strings"
"github.com/tdewolff/minify/v2"
"github.com/tdewolff/minify/v2/css"
"github.com/tdewolff/minify/v2/js"
)
var dashboard = template.Must(template.ParseFiles(
@@ -27,6 +33,14 @@ var projects = template.Must(template.ParseFiles(
"frontend/htmx/contents/dash/base.html",
"frontend/htmx/contents/dash/projects.html"))
var accountSettings = template.Must(template.ParseFiles(
"frontend/htmx/contents/dash/base.html",
"frontend/htmx/contents/dash/account_settings.html"))
var activity = template.Must(template.ParseFiles(
"frontend/htmx/contents/dash/base.html",
"frontend/htmx/contents/dash/activity.html"))
var home = template.Must(template.ParseFiles("frontend/htmx/home.html"))
func Home(w http.ResponseWriter, r *http.Request) {
@@ -39,19 +53,53 @@ func Home(w http.ResponseWriter, r *http.Request) {
err := home.Execute(w, struct {
Name string
}{
Name: "Miau",
Name: "Home",
})
if err != nil {
return
}
}
func Dashboard(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "text/html")
err := dashboard.ExecuteTemplate(w, "base.html", struct {
var itemHive, projectHive, locationHive int
err := storage.DB.QueryRow("SELECT COUNT(*) FROM items").Scan(&itemHive)
if err != nil {
http.Error(w, "Failed to count items", http.StatusInternalServerError)
return
}
err = storage.DB.QueryRow("SELECT COUNT(*) FROM projects").Scan(&projectHive)
if err != nil {
http.Error(w, "Failed to count projects", http.StatusInternalServerError)
return
}
err = storage.DB.QueryRow("SELECT COUNT(*) FROM locations").Scan(&locationHive)
if err != nil {
http.Error(w, "Failed to count locations", http.StatusInternalServerError)
return
}
err = dashboard.ExecuteTemplate(w, "base.html", struct {
Title string
Stats struct {
Items int
Projects int
Locations int
}
}{
Title: "Miau",
Title: "Dashboard",
Stats: struct {
Items int
Projects int
Locations int
}{
Items: itemHive,
Projects: projectHive,
Locations: locationHive,
},
})
if err != nil {
return
@@ -62,7 +110,7 @@ func Inventory(w http.ResponseWriter, r *http.Request) {
err := inventory.ExecuteTemplate(w, "base.html", struct {
Title string
}{
Title: "Miau",
Title: "Inventory",
})
if err != nil {
return
@@ -73,7 +121,7 @@ func Items(w http.ResponseWriter, r *http.Request) {
err := item.ExecuteTemplate(w, "base.html", struct {
Title string
}{
Title: "Miau",
Title: "Items",
})
if err != nil {
return
@@ -84,7 +132,7 @@ func Locations(w http.ResponseWriter, r *http.Request) {
err := locations.ExecuteTemplate(w, "base.html", struct {
Title string
}{
Title: "Miau",
Title: "Locations",
})
if err != nil {
return
@@ -95,14 +143,78 @@ func Projects(w http.ResponseWriter, r *http.Request) {
err := projects.ExecuteTemplate(w, "base.html", struct {
Title string
}{
Title: "Miau",
Title: "Projects",
})
if err != nil {
return
}
}
func AccountSettings(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "text/html")
err := accountSettings.ExecuteTemplate(w, "base.html", struct {
Title string
}{
Title: "Account Settings",
})
if err != nil {
return
}
}
func Activity(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "text/html")
err := activity.ExecuteTemplate(w, "base.html", struct {
Title string
}{
Title: "Activity Log",
})
if err != nil {
return
}
}
var minifier *minify.M
func init() {
minifier = minify.New()
// Füge die Minifier für CSS und JS hinzu
minifier.AddFunc("text/css", css.Minify)
minifier.AddFunc("text/javascript", js.Minify)
}
func Assets(w http.ResponseWriter, r *http.Request) {
path := strings.TrimPrefix(r.URL.Path, "/assets/")
http.ServeFile(w, r, filepath.Join("frontend/assets", path))
fullPath := filepath.Join("frontend/assets", path)
w.Header().Set("Cache-Control", "public, max-age=3600")
var mimeType string
if strings.HasSuffix(path, ".min.js") {
mimeType = "text/javascript"
fullPath = strings.Replace(fullPath, ".min.js", ".js", 1)
} else if strings.HasSuffix(path, ".min.css") {
mimeType = "text/css"
fullPath = strings.Replace(fullPath, ".min.css", ".css", 1)
}
info, err := os.Stat(fullPath)
if err != nil || info.IsDir() {
http.Error(w, "Asset not found", http.StatusNotFound)
return
}
if mimeType != "" {
content, err := os.ReadFile(fullPath)
if err != nil {
http.Error(w, "Internal server error", http.StatusInternalServerError)
return
}
minifiedContent, err := minifier.Bytes(mimeType, content)
if err == nil {
w.Header().Set("Content-Type", mimeType)
w.Write(minifiedContent)
return
}
}
http.ServeFile(w, r, fullPath)
}

4
frontend/htmx/404.html
View File

@@ -4,8 +4,8 @@
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>404 - Page Not Found | MiauInv</title>
<link rel="stylesheet" href="/assets/css/theme.css">
<link rel="stylesheet" href="/assets/css/error404.css">
<link rel="stylesheet" href="/assets/css/theme.min.css">
<link rel="stylesheet" href="/assets/css/error404.min.css">
</head>
<body>

172
frontend/htmx/contents/dash/account_settings.html Normal file
View File

@@ -0,0 +1,172 @@
{{ define "content" }}
<div class="page-header">
<h1>Account Settings</h1>
</div>
<div id="account-settings-content">
<div id="account-settings-message" class="message" style="display: none; margin-bottom: 1.5rem;"></div>
<div class="modal-split" style="align-items: start;">
<div class="card" style="max-width: 100%; text-align: left; padding: 1.5rem;">
<h2 style="font-size: 1.25rem; margin-bottom: 0.5rem; color: var(--text);">Profile</h2>
<p style="color: var(--text-muted); margin-bottom: 1.5rem;">Change your username.</p>
<form id="username-form" onsubmit="saveAccountUsername(event)">
<div class="form-group">
<label for="settings-username" style="display:block; color: var(--text-muted); font-size: 0.9rem; margin-bottom: 0.5rem;">Username</label>
<input type="text" id="settings-username" placeholder="Username" required>
</div>
<div class="form-group">
<label for="settings-username-password" style="display:block; color: var(--text-muted); font-size: 0.9rem; margin-bottom: 0.5rem;">Current password</label>
<input type="password" id="settings-username-password" placeholder="Confirm with current password" required autocomplete="current-password">
</div>
<button type="submit" class="btn btn-primary">Save username</button>
</form>
</div>
<div class="card" style="max-width: 100%; text-align: left; padding: 1.5rem;">
<h2 style="font-size: 1.25rem; margin-bottom: 0.5rem; color: var(--text);">Password</h2>
<p style="color: var(--text-muted); margin-bottom: 1.5rem;">Change your password. You will receive a fresh session afterwards.</p>
<form id="password-form" onsubmit="saveAccountPassword(event)">
<div class="form-group">
<label for="settings-current-password" style="display:block; color: var(--text-muted); font-size: 0.9rem; margin-bottom: 0.5rem;">Current password</label>
<input type="password" id="settings-current-password" placeholder="Current password" required autocomplete="current-password">
</div>
<div class="form-group">
<label for="settings-new-password" style="display:block; color: var(--text-muted); font-size: 0.9rem; margin-bottom: 0.5rem;">New password</label>
<input type="password" id="settings-new-password" placeholder="New password" required autocomplete="new-password">
</div>
<div class="form-group">
<label for="settings-confirm-password" style="display:block; color: var(--text-muted); font-size: 0.9rem; margin-bottom: 0.5rem;">Confirm new password</label>
<input type="password" id="settings-confirm-password" placeholder="Confirm new password" required autocomplete="new-password">
</div>
<button type="submit" class="btn btn-primary">Change password</button>
</form>
</div>
</div>
<div class="card" style="max-width: 100%; text-align: left; padding: 1.5rem; margin-top: 1.5rem;">
<div style="display: flex; justify-content: space-between; align-items: flex-start; gap: 1rem; flex-wrap: wrap;">
<div>
<h2 style="font-size: 1.25rem; margin-bottom: 0.5rem; color: var(--text);">Two-factor authentication</h2>
<p id="two-factor-status" style="color: var(--text-muted); margin-bottom: 1rem;">Loading 2FA status...</p>
</div>
<span id="two-factor-badge" class="badge">Unknown</span>
</div>
<div id="two-factor-disabled-panel" style="display: none;">
<p style="color: var(--text-muted); margin-bottom: 1rem;">Use an authenticator app. You can scan the QR code or enter the setup key manually.</p>
<button type="button" class="btn btn-primary" style="width: auto; padding: 0.6rem 1.2rem;" onclick="startTwoFactorSetup()">Start 2FA setup</button>
<div id="two-factor-setup-panel" style="display: none; margin-top: 1.5rem; padding-top: 1.5rem; border-top: 1px solid var(--border);">
<div class="modal-split" style="align-items: start;">
<div>
<h3 style="font-size: 1rem; margin-bottom: 0.75rem; color: var(--text);">Scan QR code</h3>
<img id="two-factor-qr" alt="2FA QR code" style="display: none; width: 220px; height: 220px; background: white; padding: 0.5rem; border-radius: 12px;">
</div>
<div>
<h3 style="font-size: 1rem; margin-bottom: 0.75rem; color: var(--text);">Manual setup</h3>
<p style="color: var(--text-muted); margin-bottom: 0.75rem;">If you do not want to scan the QR code, enter this key manually in your authenticator app.</p>
<code id="two-factor-secret" style="display:block; word-break: break-all; background:#111827; border:1px solid var(--border); border-radius:10px; padding:0.85rem; color:var(--text);"></code>
<a id="two-factor-otpauth" href="#" style="display:block; color: var(--accent); margin-top:0.75rem; word-break: break-all;">Open otpauth URL</a>
</div>
</div>
<form id="two-factor-enable-form" onsubmit="enableTwoFactor(event)" style="margin-top: 1.5rem;">
<div class="form-group">
<label for="two-factor-enable-code" style="display:block; color: var(--text-muted); font-size: 0.9rem; margin-bottom: 0.5rem;">Authenticator code</label>
<input type="text" id="two-factor-enable-code" inputmode="numeric" placeholder="123456" required autocomplete="one-time-code">
</div>
<button type="submit" class="btn btn-primary" style="width: auto; padding: 0.6rem 1.2rem;">Enable 2FA</button>
</form>
</div>
</div>
<div id="two-factor-enabled-panel" style="display: none;">
<p style="color: var(--text-muted); margin-bottom: 0.5rem;">Recovery codes remaining: <strong id="recovery-codes-remaining">0</strong></p>
<p id="recovery-codes-warning" class="message error" style="display: none; margin-bottom: 1rem;">You are running low on recovery codes. Generate and download new codes soon.</p>
<div id="recovery-codes-panel" style="display: none; margin-bottom: 1.5rem; padding: 1rem; border: 1px solid var(--border); border-radius: 12px; background: #111827;">
<h3 style="font-size: 1rem; margin-bottom: 0.75rem; color: var(--text);">Recovery codes</h3>
<p style="color: var(--text-muted); margin-bottom: 1rem;">Save these now. They are shown only once.</p>
<pre id="recovery-codes-list" style="white-space: pre-wrap; word-break: break-word; color: var(--text); background: rgba(255,255,255,0.03); border: 1px solid var(--border); border-radius: 10px; padding: 1rem; margin-bottom: 1rem;"></pre>
<button type="button" class="btn btn-primary" style="width: auto; padding: 0.6rem 1.2rem;" onclick="downloadRecoveryCodes()">Download recovery codes</button>
</div>
<div class="modal-split" style="align-items: start;">
<div>
<h3 style="font-size: 1rem; margin-bottom: 0.75rem; color: var(--text);">Regenerate recovery codes</h3>
<p style="color: var(--text-muted); margin-bottom: 1rem;">This invalidates all existing recovery codes.</p>
<form id="recovery-regenerate-form" onsubmit="regenerateRecoveryCodes(event)">
<div class="form-group">
<input type="password" id="recovery-password" placeholder="Current password" required autocomplete="current-password">
</div>
<div class="form-group">
<input type="text" id="recovery-code" inputmode="numeric" placeholder="Authenticator code" required autocomplete="one-time-code">
</div>
<button type="submit" class="btn btn-secondary">Generate new recovery codes</button>
</form>
</div>
<div>
<h3 style="font-size: 1rem; margin-bottom: 0.75rem; color: var(--text);">Disable 2FA</h3>
<p style="color: var(--text-muted); margin-bottom: 1rem;">Disabling 2FA revokes your active refresh sessions.</p>
<form id="two-factor-disable-form" onsubmit="disableTwoFactor(event)">
<div class="form-group">
<input type="password" id="two-factor-disable-password" placeholder="Current password" required autocomplete="current-password">
</div>
<div class="form-group">
<input type="text" id="two-factor-disable-code" inputmode="numeric" placeholder="Authenticator code" required autocomplete="one-time-code">
</div>
<button type="submit" class="btn btn-secondary danger-btn">Disable 2FA</button>
</form>
</div>
</div>
</div>
</div>
<div class="card" style="max-width: 100%; text-align: left; padding: 1.5rem; margin-top: 1.5rem;">
<div style="display: flex; justify-content: space-between; align-items: flex-start; gap: 1rem; flex-wrap: wrap;">
<div>
<h2 style="font-size: 1.25rem; margin-bottom: 0.5rem; color: var(--text);">Passkeys</h2>
<p id="passkey-status" style="color: var(--text-muted); margin-bottom: 1rem;">Loading passkey status...</p>
</div>
<span id="passkey-badge" class="badge">Unknown</span>
</div>
<p style="color: var(--text-muted); margin-bottom: 1rem;">Use device-bound or synced passkeys for phishing-resistant sign-in. Passkeys are protected by your browser, operating system, or security key.</p>
<div id="passkey-unsupported-message" class="message error" style="display: none; margin-bottom: 1rem;">This browser does not support passkeys.</div>
<div id="passkey-list" style="display: grid; gap: 0.75rem; margin-bottom: 1.5rem;"></div>
<div class="modal-split" style="align-items: start;">
<div>
<h3 style="font-size: 1rem; margin-bottom: 0.75rem; color: var(--text);">Add passkey</h3>
<p style="color: var(--text-muted); margin-bottom: 1rem;">Confirm with your current password, then follow your browser's passkey prompt.</p>
<form id="passkey-add-form" onsubmit="addPasskey(event)">
<div class="form-group">
<input type="text" id="passkey-name" placeholder="Passkey name" autocomplete="off">
</div>
<div class="form-group">
<input type="password" id="passkey-add-password" placeholder="Current password" required autocomplete="current-password">
</div>
<button type="submit" class="btn btn-primary" style="width: auto; padding: 0.6rem 1.2rem;">Add passkey</button>
</form>
</div>
<div>
<h3 style="font-size: 1rem; margin-bottom: 0.75rem; color: var(--text);">Disable passkeys</h3>
<p style="color: var(--text-muted); margin-bottom: 1rem;">This removes all stored passkeys and revokes active refresh sessions.</p>
<form id="passkey-disable-form" onsubmit="disablePasskeys(event)">
<div class="form-group">
<input type="password" id="passkey-disable-password" placeholder="Current password" required autocomplete="current-password">
</div>
<button type="submit" class="btn btn-secondary danger-btn">Disable all passkeys</button>
</form>
</div>
</div>
</div>
</div>
{{ end }}

49
frontend/htmx/contents/dash/activity.html Normal file
View File

@@ -0,0 +1,49 @@
{{ define "content" }}
<div class="page-header activity-header">
<div>
<h1>Activity Log</h1>
<p>Recent account, security, and inventory actions for your account.</p>
</div>
<button type="button" class="btn btn-secondary activity-refresh" onclick="loadActivityLog(true)">Refresh</button>
</div>
<div class="card activity-controls-card">
<div class="activity-control-panel">
<div class="activity-control-copy">
<span class="activity-eyebrow">Display</span>
<h2>Entries per page</h2>
<p>Choose how many log entries should be loaded at once.</p>
</div>
<div class="activity-entry-menu" role="group" aria-label="Entries per page">
<button type="button" class="activity-entry-option" data-limit="25" aria-pressed="false" onclick="setActivityLimit(25)">25</button>
<button type="button" class="activity-entry-option active" data-limit="50" aria-pressed="true" onclick="setActivityLimit(50)">50</button>
<button type="button" class="activity-entry-option" data-limit="100" aria-pressed="false" onclick="setActivityLimit(100)">100</button>
</div>
</div>
<div class="activity-note">
<strong>Privacy:</strong> Sensitive request bodies are never stored. The log keeps request metadata, action type, status, IP address, and user agent.
</div>
</div>
<div class="table-container activity-table-container">
<table>
<thead>
<tr>
<th>Time</th>
<th>Action</th>
<th>Target</th>
<th>Status</th>
<th>IP</th>
<th>Client</th>
</tr>
</thead>
<tbody id="activity-log-body">
<tr><td colspan="6" class="table-loader">Loading activity...</td></tr>
</tbody>
</table>
</div>
<div class="activity-load-more-wrap">
<button type="button" id="activity-load-more" class="btn btn-secondary activity-load-more" onclick="loadMoreActivity()">Load more</button>
</div>
{{ end }}

45
frontend/htmx/contents/dash/base.html
View File

@@ -5,17 +5,20 @@
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>{{ .Title }} | MiauInv</title>
<script src="https://unpkg.com/htmx.org@2.0.4"></script>
<link rel="stylesheet" href="/assets/css/theme.css">
<link rel="stylesheet" href="/assets/css/dashboard.css">
<script src="/assets/js/api.min.js"></script>
<link rel="stylesheet" href="/assets/css/theme.min.css">
<link rel="stylesheet" href="/assets/css/dashboard.min.css">
</head>
<body>
<body class="dashboard-layout">
<header>
<div class="nav-container">
<div class="nav-left">
<div class="brand">Miau<span>Inv</span></div>
<button class="menu-trigger" id="menu-btn" aria-label="Menu">Menu</button>
<button class="menu-trigger" id="menu-btn" aria-label="Menu">
<svg width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><line x1="3" y1="12" x2="21" y2="12"></line><line x1="3" y1="6" x2="21" y2="6"></line><line x1="3" y1="18" x2="21" y2="18"></line></svg>
</button>
<nav id="main-nav">
<a href="/dashboard">Dashboard</a>
@@ -27,13 +30,15 @@
<div class="profile-dropdown">
<button class="profile-trigger" id="profile-btn">
<div class="avatar">M</div>
<div id="avatar" class="avatar">M</div>
<span id="username" class="username">Loading...</span>
<svg width="16" height="16" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polyline points="6 9 12 15 18 9"></polyline></svg>
</button>
<div class="dropdown-menu" id="dropdown-menu">
<a href="/profile/settings">Account Settings</a>
<a href="/profile/activity">Activity Log</a>
<hr class="dropdown-divider">
<button class="logout-btn"
<button id="logout-btn" class="logout-btn"
hx-post="/api/logout"
hx-on::after-request="window.location.href='/login'">
Log Out
@@ -47,34 +52,6 @@
{{ template "content" . }}
</main>
<script>
const profileBtn = document.getElementById('profile-btn');
const dropdownMenu = document.getElementById('dropdown-menu');
const menuBtn = document.getElementById('menu-btn');
const mainNav = document.getElementById('main-nav');
// Profil-Menü Toggle
profileBtn.addEventListener('click', (e) => {
e.stopPropagation();
dropdownMenu.classList.toggle('show');
mainNav.classList.remove('show'); // Mobile Nav schließen
});
// Mobile Nav Toggle
menuBtn.addEventListener('click', (e) => {
console.log("Button wurde geklickt!"); // Wird das im Browser angezeigt?
e.stopPropagation();
e.preventDefault(); // Verhindert Standard-Browser-Aktionen
mainNav.classList.toggle('show');
dropdownMenu.classList.remove('show');
});
// Alles schließen bei Klick in den Body
window.addEventListener('click', () => {
dropdownMenu.classList.remove('show');
mainNav.classList.remove('show');
});
</script>
</body>
</html>
{{ end }}

112
frontend/htmx/contents/dash/dashboard.html
View File

@@ -1,20 +1,110 @@
{{ define "content" }}
<h1>Dashboard</h1>
<div class="page-header">
<h1>Dashboard Overview</h1>
</div>
<div class="stats-grid">
<div class="stat-card">
<h2>{{ .Stats.Items }}</h2>
<p>Items</p>
<div class="stats-grid" style="margin-bottom: 2rem; display: grid; grid-template-columns: repeat(auto-fit, minmax(200px, 1fr)); gap: 1.5rem;">
<div class="stat-card" style="background: var(--card); border: 1px solid var(--border); border-radius: 12px; padding: 1.5rem; display: flex; align-items: center; gap: 1rem;">
<div class="stat-icon" style="background: rgba(59, 130, 246, 0.1); color: var(--accent); padding: 0.75rem; border-radius: 10px; display: flex; align-items: center; justify-content: center;">
<svg width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><polygon points="12 2 2 7 12 12 22 7 12 2"></polygon><polyline points="2 17 12 22 22 17"></polyline><polyline points="2 12 12 17 22 12"></polyline></svg>
</div>
<div class="stat-info">
<p style="color: var(--text-muted); font-size: 0.9rem; margin: 0;">Total Items</p>
<h2 style="font-size: 1.5rem; font-weight: 700; margin: 0;">
{{ if .Stats }}{{ .Stats.Items }}{{ else }}0{{ end }}
</h2>
</div>
</div>
<div class="stat-card">
<h2>{{ .Stats.Projects }}</h2>
<p>Projects</p>
<div class="stat-card" style="background: var(--card); border: 1px solid var(--border); border-radius: 12px; padding: 1.5rem; display: flex; align-items: center; gap: 1rem;">
<div class="stat-icon" style="background: rgba(16, 185, 129, 0.1); color: var(--success); padding: 0.75rem; border-radius: 10px; display: flex; align-items: center; justify-content: center;">
<svg width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M22 19a2 2 0 0 1-2 2H4a2 2 0 0 1-2-2V5a2 2 0 0 1 2-2h5l2 3h9a2 2 0 0 1 2 2z"></path></svg>
</div>
<div class="stat-info">
<p style="color: var(--text-muted); font-size: 0.9rem; margin: 0;">Active Projects</p>
<h2 style="font-size: 1.5rem; font-weight: 700; margin: 0;">
{{ if .Stats }}{{ .Stats.Projects }}{{ else }}0{{ end }}
</h2>
</div>
</div>
<div class="stat-card">
<h2>{{ .Stats.Locations }}</h2>
<p>Locations</p>
<div class="stat-card" style="background: var(--card); border: 1px solid var(--border); border-radius: 12px; padding: 1.5rem; display: flex; align-items: center; gap: 1rem;">
<div class="stat-icon" style="background: rgba(245, 158, 11, 0.1); color: #f59e0b; padding: 0.75rem; border-radius: 10px; display: flex; align-items: center; justify-content: center;">
<svg width="24" height="24" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 10c0 7-9 13-9 13s-9-6-9-13a9 9 0 0 1 18 0z"></path><circle cx="12" cy="10" r="3"></circle></svg>
</div>
<div class="stat-info">
<p style="color: var(--text-muted); font-size: 0.9rem; margin: 0;">Locations</p>
<h2 style="font-size: 1.5rem; font-weight: 700; margin: 0;">
{{ if .Stats }}{{ .Stats.Locations }}{{ else }}0{{ end }}
</h2>
</div>
</div>
</div>
<div class="modal-split">
<div class="card" style="max-width: 100%; text-align: left; padding: 1.5rem;">
<h2 style="font-size: 1.25rem; margin-bottom: 1rem; color: var(--text);">Locations</h2>
<div class="table-container">
<table class="inner-table" style="margin-top: 0; border-radius: 8px; width: 100%;">
<thead>
<tr>
<th style="text-align: left; padding: 0.75rem 1rem; background: #111827;">Name</th>
</tr>
</thead>
<tbody id="dash-locations-body">
<tr><td class="table-loader" style="padding: 1.5rem; text-align: center; color: var(--text-muted);">Loading locations...</td></tr>
</tbody>
</table>
</div>
</div>
<div class="card" style="max-width: 100%; text-align: left; padding: 1.5rem;">
<h2 style="font-size: 1.25rem; margin-bottom: 1rem; color: var(--text);">Active Projects</h2>
<div class="table-container">
<table class="inner-table" style="margin-top: 0; border-radius: 8px; width: 100%;">
<thead>
<tr>
<th style="text-align: left; padding: 0.75rem 1rem; background: #111827;">Project Name</th>
</tr>
</thead>
<tbody id="dash-projects-body">
<tr><td class="table-loader" style="padding: 1.5rem; text-align: center; color: var(--text-muted);">Loading projects...</td></tr>
</tbody>
</table>
</div>
</div>
</div>
<div id="dash-details-modal" class="modal">
<div class="modal-content">
<h2 id="dash-modal-title">Details</h2>
<div class="table-container">
<table class="inner-table" style="width: 100%;">
<thead>
<tr>
<th style="text-align: left; padding: 0.75rem 1rem;">Item</th>
<th style="text-align: right; width: 100px; padding: 0.75rem 1rem;">Quantity</th>
</tr>
</thead>
<tbody id="dash-modal-body"></tbody>
</table>
</div>
<div class="button-group">
<button type="button" class="btn btn-secondary" onclick="document.getElementById('dash-details-modal').classList.remove('show')">Close</button>
</div>
</div>
</div>
<script>
if (typeof handleDashboardView === "function") {
handleDashboardView();
}
if (window.htmx) {
htmx.on("htmx:afterOnLoad", function() {
if (typeof handleDashboardView === "function") {
handleDashboardView();
}
});
}
</script>
{{ end }}

98
frontend/htmx/contents/dash/inventory.html
View File

@@ -1,24 +1,88 @@
{{ define "content" }}
<h1>Inventory</h1>
<div class="action-bar">
<input
type="search"
name="q"
class="search-input"
placeholder="Search..."
hx-get="/api/item/search"
hx-trigger="keyup changed delay:300ms"
hx-target="#items"
>
<div class="page-header action-bar">
<h1>Inventory</h1>
<button class="btn btn-primary" style="width: auto; padding: 0.6rem 1.2rem; font-size: 0.95rem;" onclick="openItemModal()">
Add Item
</button>
</div>
<div class="table-container">
<div
id="items"
hx-get="/api/item"
hx-trigger="load"
>
<table>
<thead>
<tr>
<th>Name</th>
<th>Category</th>
<th>Total Quantity</th>
<th style="text-align: right;">Actions</th>
</tr>
</thead>
<tbody id="items-table-body">
<tr><td colspan="4" class="table-loader">Loading inventory...</td></tr>
</tbody>
</table>
</div>
<div id="item-modal" class="modal">
<div class="modal-content">
<h2 id="item-modal-title">New Item</h2>
<form id="item-form" onsubmit="saveItem(event)">
<input type="hidden" id="item-id">
<div class="form-group">
<input type="text" id="item-name" placeholder="Item Name" required>
</div>
<div class="form-group">
<input type="text" id="item-category" placeholder="Category" required>
</div>
<div class="form-group">
<input type="text" id="item-desc" placeholder="Description">
</div>
<div class="button-group">
<button type="submit" class="btn btn-primary">Save Item</button>
<button type="button" class="btn btn-secondary" onclick="closeModal('item-modal')">Cancel</button>
</div>
</form>
</div>
</div>
<div id="stock-modal" class="modal">
<div class="modal-content large">
<h2 id="stock-modal-title">Manage Stock</h2>
<div class="modal-split">
<div>
<h3>Current Locations</h3>
<div class="inner-table">
<table>
<thead>
<tr>
<th>Location</th>
<th>Quantity</th>
<th></th>
</tr>
</thead>
<tbody id="stock-table-body">
</tbody>
</table>
</div>
</div>
<div>
<h3>Update Stock</h3>
<form id="stock-form" onsubmit="saveStock(event)" style="margin-top: 1rem;">
<input type="hidden" id="stock-item-id">
<div class="form-group">
<select id="stock-location" class="search-input" style="width: 100%; padding: 0.85rem 1rem; background: #111827; color: white; border: 1px solid var(--border); border-radius: 10px;" required>
<option value="">Select Location...</option>
</select>
</div>
<div class="form-group">
<input type="number" id="stock-qty" placeholder="Quantity to add/set" required>
</div>
<div class="button-group">
<button type="submit" class="btn btn-primary">Update Stock</button>
<button type="button" class="btn btn-secondary" onclick="closeModal('stock-modal')">Done</button>
</div>
</form>
</div>
</div>
</div>
</div>
{{ end }}

14
frontend/htmx/contents/dash/itemlist.html
View File

@@ -5,15 +5,23 @@
<th>Category</th>
<th>Total</th>
<th>Free</th>
<th style="text-align: right;">Actions</th>
</tr>
</thead>
<tbody>
{{ range . }}
<tr>
<td style="font-weight: 600;">{{ .Name }}</td>
<td><span style="color: var(--text-muted);">{{ .Category }}</span></td>
<td style="font-family: monospace;">{{ .TotalQuantity }}</td>
<td style="font-family: monospace; color: var(--success);">{{ .FreeQuantity }}</td>
<td>
<span style="background: rgba(255,255,255,0.05); padding: 0.25rem 0.6rem; border-radius: 999px; font-size: 0.8rem; color: var(--text-muted); border: 1px solid var(--border);">
{{ .Category }}
</span>
</td>
<td style="font-family: monospace; font-size: 1.05rem;">{{ .TotalQuantity }}</td>
<td style="font-family: monospace; font-size: 1.05rem; color: var(--success);">{{ .FreeQuantity }}</td>
<td style="text-align: right;">
<button class="btn btn-secondary" style="width: auto; padding: 0.4rem 0.8rem; font-size: 0.85rem;">Edit</button>
</td>
</tr>
{{ end }}
</tbody>

37
frontend/htmx/contents/dash/locations.html
View File

@@ -1,11 +1,38 @@
{{ define "content" }}
<h1>Locations</h1>
<div class="page-header action-bar">
<h1>Locations</h1>
<button class="btn btn-primary" style="width: auto; padding: 0.6rem 1.2rem; font-size: 0.95rem;" onclick="openLocationModal()">
Add Location
</button>
</div>
<div class="table-container">
<div
hx-get="/api/locations"
hx-trigger="load"
>
<table>
<thead>
<tr>
<th>Name</th>
<th style="text-align: right;">Actions</th>
</tr>
</thead>
<tbody id="locations-table-body">
<tr><td colspan="2" class="table-loader">Loading locations...</td></tr>
</tbody>
</table>
</div>
<div id="location-modal" class="modal">
<div class="modal-content">
<h2 id="location-modal-title">New Location</h2>
<form id="location-form" onsubmit="saveLocation(event)">
<input type="hidden" id="location-id">
<div class="form-group">
<input type="text" id="location-name" placeholder="Location Name" required>
</div>
<div class="button-group">
<button type="submit" class="btn btn-primary">Save Location</button>
<button type="button" class="btn btn-secondary" onclick="closeModal('location-modal')">Cancel</button>
</div>
</form>
</div>
</div>
{{ end }}

88
frontend/htmx/contents/dash/projects.html
View File

@@ -1,22 +1,84 @@
{{ define "content" }}
<div class="action-bar">
<div class="page-header action-bar">
<h1>Projects</h1>
<button
class="btn btn-primary"
style="width: auto; padding: 0.6rem 1.2rem; font-size: 0.95rem;"
hx-get="/project/new"
hx-target="#modal"
>
<button class="btn btn-primary" style="width: auto; padding: 0.6rem 1.2rem; font-size: 0.95rem;" onclick="openProjectModal()">
New Project
</button>
</div>
<div
hx-get="/api/project"
hx-trigger="load"
hx-target="this"
>
<div class="table-container">
<table>
<thead>
<tr>
<th>Name</th>
<th>Description</th>
<th style="text-align: right;">Actions</th>
</tr>
</thead>
<tbody id="projects-table-body">
<tr><td colspan="3" class="table-loader">Loading projects...</td></tr>
</tbody>
</table>
</div>
<div id="modal"></div>
<div id="project-modal" class="modal">
<div class="modal-content">
<h2 id="project-modal-title">New Project</h2>
<form id="project-form" onsubmit="saveProject(event)">
<input type="hidden" id="project-id">
<div class="form-group">
<input type="text" id="project-name" placeholder="Project Name" required>
</div>
<div class="form-group">
<input type="text" id="project-desc" placeholder="Description">
</div>
<div class="button-group">
<button type="submit" class="btn btn-primary">Save Project</button>
<button type="button" class="btn btn-secondary" onclick="closeModal('project-modal')">Cancel</button>
</div>
</form>
</div>
</div>
<div id="association-modal" class="modal">
<div class="modal-content large">
<h2 id="association-modal-title">Manage Project Items</h2>
<div class="modal-split">
<div>
<h3>Allocated Items</h3>
<div class="inner-table">
<table>
<thead>
<tr>
<th>Item</th>
<th>Quantity</th>
<th></th>
</tr>
</thead>
<tbody id="association-table-body">
</tbody>
</table>
</div>
</div>
<div>
<h3>Allocate New Item</h3>
<form id="association-form" onsubmit="saveAssociation(event)" style="margin-top: 1rem;">
<input type="hidden" id="assoc-project-id">
<div class="form-group">
<select id="assoc-item" class="search-input" style="width: 100%; padding: 0.85rem 1rem; background: #111827; color: white; border: 1px solid var(--border); border-radius: 10px;" required>
<option value="">Select Item...</option>
</select>
</div>
<div class="form-group">
<input type="number" id="assoc-qty" placeholder="Quantity needed" required>
</div>
<div class="button-group">
<button type="submit" class="btn btn-primary">Allocate</button>
<button type="button" class="btn btn-secondary" onclick="closeModal('association-modal')">Done</button>
</div>
</form>
</div>
</div>
</div>
</div>
{{ end }}

4
frontend/htmx/home.html
View File

@@ -5,8 +5,8 @@
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>MiauInv | Private Instance</title>
<script src="/assets/js/auth.js"></script>
<link rel="stylesheet" href="/assets/css/theme.css">
<link rel="stylesheet" href="/assets/css/home.css">
<link rel="stylesheet" href="/assets/css/theme.min.css">
<link rel="stylesheet" href="/assets/css/home.min.css">
</head>
<body>

18
frontend/htmx/login.html
View File

@@ -5,10 +5,10 @@
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Sign In | MiauInv</title>
<script src="/assets/js/auth.js" defer></script>
<script src="/assets/js/login.js" defer></script>
<script src="/assets/js/auth.min.js" defer></script>
<script src="/assets/js/login.min.js" defer></script>
<link rel="stylesheet" href="/assets/css/theme.css">
<link rel="stylesheet" href="/assets/css/theme.min.css">
</head>
<body>
@@ -24,12 +24,20 @@
<input type="text" id="username" placeholder="Username" autocomplete="username" required>
</div>
<div class="form-group">
<div class="form-group" id="password-group">
<label for="password" class="sr-only">Password</label>
<input type="password" id="password" placeholder="Password" autocomplete="current-password" required>
</div>
<button type="submit" class="btn btn-primary">Sign In</button>
<div class="form-group" id="two-factor-group" style="display: none;">
<label for="two-factor-code" class="sr-only">2FA code</label>
<input type="text" id="two-factor-code" placeholder="Authenticator or recovery code" autocomplete="one-time-code" inputmode="text" pattern="[0-9A-Za-z\- ]*">
<p class="subtitle" style="margin-top: 0.75rem;">Enter your 6-digit authenticator code or one recovery code.</p>
</div>
<button type="submit" id="login-submit" class="btn btn-primary">Sign In</button>
<button type="button" id="passkey-login-button" class="btn btn-secondary" style="margin-top: 0.75rem;">Sign in with passkey</button>
<p id="passkey-login-hint" class="subtitle" style="margin-top: 0.75rem;">Use a saved passkey from this device, your browser, or a security key. No username is required for passkey sign-in.</p>
</form>
<div id="error" class="message error"></div>

26
frontend/htmx/register-blocked.html Normal file
View File

@@ -0,0 +1,26 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Registration Disabled - MiauInv</title>
<link rel="stylesheet" href="/assets/css/register-blocked.min.css">
</head>
<body>
<div class="card">
<h1>Registration</h1>
<div class="subtitle">Create a new account</div>
<div class="message error">
<strong>Access Denied:</strong> Public registration is currently disabled for this system. Please contact your system administrator to request an account.
</div>
<div class="footer-text">
<a class="btn btn-secondary" href="/login" style="margin-top: 1.5rem;">Back to Login</a>
</div>
</div>
</body>
</html>

6
frontend/htmx/register.html
View File

@@ -4,8 +4,9 @@
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Register | MiauInv</title>
<script src="/assets/js/auth.js"></script>
<link rel="stylesheet" href="/assets/css/theme.css">
<script src="/assets/js/auth.min.js"></script>
<script src="/assets/js/register.min.js"></script>
<link rel="stylesheet" href="/assets/css/theme.min.css">
</head>
<body>
@@ -36,6 +37,5 @@
</p>
</main>
<script src="/assets/js/register.js"></script>
</body>
</html>

39
frontend/htmx/under-construction.html Normal file
View File

@@ -0,0 +1,39 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Feature Under Development | MiauInv</title>
<link rel="stylesheet" href="/assets/css/theme.min.css">
<link rel="stylesheet" href="/assets/css/under-construction.min.css">
</head>
<body>
<div class="card">
<div class="construction-icon-wrapper">
<svg class="gear-icon" width="48" height="48" viewBox="0 0 24 24" fill="none" stroke="var(--accent)" stroke-width="2" stroke-linecap="round" stroke-linejoin="round">
<circle cx="12" cy="12" r="3"></circle>
<path d="M19.4 15a1.65 1.65 0 0 0 .33 1.82l.06.06a2 2 0 1 1-2.83 2.83l-.06-.06a1.65 1.65 0 0 0-1.82-.33 1.65 1.65 0 0 0-1 1.51V21a2 2 0 0 1-4 0v-.09A1.65 1.65 0 0 0 9 19.4a1.65 1.65 0 0 0-1.82.33l-.06.06a2 2 0 1 1-2.83-2.83l.06-.06a1.65 1.65 0 0 0 .33-1.82 1.65 1.65 0 0 0-1.51-1H3a2 2 0 0 1 0-4h.09A1.65 1.65 0 0 0 4.6 9a1.65 1.65 0 0 0-.33-1.82l-.06-.06a2 2 0 1 1 2.83-2.83l.06.06a1.65 1.65 0 0 0 1.82.33H9a1.65 1.65 0 0 0 1-1.51V3a2 2 0 0 1 4 0v.09a1.65 1.65 0 0 0 1 1.51 1.65 1.65 0 0 0 1.82-.33l.06-.06a2 2 0 1 1 2.83 2.83l-.06.06a1.65 1.65 0 0 0-.33 1.82V9a1.65 1.65 0 0 0 1.51 1H21a2 2 0 0 1 0 4h-.09a1.65 1.65 0 0 0-1.51 1z"></path>
</svg>
</div>
<h1>Coming Soon</h1>
<div class="subtitle">Feature Under Development</div>
<div class="message success" style="display: block; margin-bottom: 2rem;">
<strong>Development in progress!</strong><br>
Our team is actively working on this feature to bring you the best experience possible.
</div>
<a href="/dashboard" class="btn btn-secondary">
<svg width="18" height="18" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round" style="margin-right: 8px;"><line x1="19" y1="12" x2="5" y2="12"></line><polyline points="12 19 5 12 12 5"></polyline></svg>
Back to Dashboard
</a>
<div class="footer-text">
Need urgent assistance? <a href="mailto:maurice@miaurizius.de">Contact Developer</a>
</div>
</div>
</body>
</html>

29
go.mod
View File

@@ -4,19 +4,32 @@ go 1.26
require (
github.com/glebarez/go-sqlite v1.22.0
github.com/go-webauthn/webauthn v0.17.4
github.com/golang-jwt/jwt/v5 v5.3.1
golang.org/x/crypto v0.52.0
github.com/google/uuid v1.6.0
github.com/pquerna/otp v1.5.0
github.com/tdewolff/minify/v2 v2.24.13
golang.org/x/crypto v0.53.0
gopkg.in/yaml.v3 v3.0.1
)
require (
github.com/boombuler/barcode v1.1.0 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/google/uuid v1.5.0 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/fxamacker/cbor/v2 v2.9.2 // indirect
github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
github.com/go-webauthn/x v0.2.6 // indirect
github.com/google/go-tpm v0.9.8 // indirect
github.com/mattn/go-isatty v0.0.22 // indirect
github.com/ncruces/go-strftime v1.0.0 // indirect
github.com/philhofer/fwd v1.2.0 // indirect
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
golang.org/x/sys v0.45.0 // indirect
modernc.org/libc v1.37.6 // indirect
modernc.org/mathutil v1.6.0 // indirect
modernc.org/memory v1.7.2 // indirect
modernc.org/sqlite v1.28.0 // indirect
github.com/tdewolff/parse/v2 v2.8.13 // indirect
github.com/tinylib/msgp v1.6.4 // indirect
github.com/x448/float16 v0.8.4 // indirect
golang.org/x/sys v0.46.0 // indirect
modernc.org/libc v1.73.0 // indirect
modernc.org/mathutil v1.7.1 // indirect
modernc.org/memory v1.11.0 // indirect
modernc.org/sqlite v1.52.0 // indirect
)

107
go.sum
View File

@@ -1,31 +1,100 @@
github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
github.com/boombuler/barcode v1.1.0 h1:ChaYjBR63fr4LFyGn8E8nt7dBSt3MiU3zMOZqFvVkHo=
github.com/boombuler/barcode v1.1.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
github.com/fxamacker/cbor/v2 v2.9.2 h1:X4Ksno9+x3cz0TZv69ec1hxP/+tymuR8PXQJyDwfh78=
github.com/fxamacker/cbor/v2 v2.9.2/go.mod h1:vM4b+DJCtHn+zz7h3FFp/hDAI9WNWCsZj23V5ytsSxQ=
github.com/glebarez/go-sqlite v1.22.0 h1:uAcMJhaA6r3LHMTFgP0SifzgXg46yJkgxqyuyec+ruQ=
github.com/glebarez/go-sqlite v1.22.0/go.mod h1:PlBIdHe0+aUEFn+r2/uthrWq4FxbzugL0L8Li6yQJbc=
github.com/go-viper/mapstructure/v2 v2.5.0 h1:vM5IJoUAy3d7zRSVtIwQgBj7BiWtMPfmPEgAXnvj1Ro=
github.com/go-viper/mapstructure/v2 v2.5.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
github.com/go-webauthn/webauthn v0.17.4 h1:KFTSz3R2RYDiUn/0cDi3XTJgFenSG74eKTTHlqWhlxk=
github.com/go-webauthn/webauthn v0.17.4/go.mod h1:pZk63EE/BdztlmyS4Yc+9H5g4a8blNlbtGmdHQHbZX8=
github.com/go-webauthn/x v0.2.6 h1:TEyDuQAIiEgYpx60nKiBJIX/5nSUC8LxNbH+uf5U9uk=
github.com/go-webauthn/x v0.2.6/go.mod h1:45bA7YEqyQhRcQJ/TiBb46Ww8yqHBGvgEhQ3WWF0aDo=
github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 h1:Xim43kblpZXfIBQsbuBVKCudVG457BR2GZFIz3uw3hQ=
github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26/go.mod h1:dDKJzRmX4S37WGHujM7tX//fmj1uioxKzKxz3lo4HJo=
github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU=
github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
github.com/google/go-tpm v0.9.8 h1:slArAR9Ft+1ybZu0lBwpSmpwhRXaa85hWtMinMyRAWo=
github.com/google/go-tpm v0.9.8/go.mod h1:h9jEsEECg7gtLis0upRBQU+GhYVH6jMjrFxI8u6bVUY=
github.com/google/go-tpm-tools v0.3.13-0.20230620182252-4639ecce2aba h1:qJEJcuLzH5KDR0gKc0zcktin6KSAwL7+jWKBYceddTc=
github.com/google/go-tpm-tools v0.3.13-0.20230620182252-4639ecce2aba/go.mod h1:EFYHy8/1y2KfgTAsx7Luu7NGhoxtuVHnNo8jE7FikKc=
github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
github.com/mattn/go-isatty v0.0.22 h1:j8l17JJ9i6VGPUFUYoTUKPSgKe/83EYU2zBC7YNKMw4=
github.com/mattn/go-isatty v0.0.22/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
github.com/philhofer/fwd v1.2.0 h1:e6DnBTl7vGY+Gz322/ASL4Gyp1FspeMvx1RNDoToZuM=
github.com/philhofer/fwd v1.2.0/go.mod h1:RqIHx9QI14HlwKwm98g9Re5prTQ6LdeRQn+gXJFxsJM=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/pquerna/otp v1.5.0 h1:NMMR+WrmaqXU4EzdGJEE1aUUI0AMRzsp96fFFWNPwxs=
github.com/pquerna/otp v1.5.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY=
golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
github.com/tdewolff/minify/v2 v2.24.13 h1:xrcF7gKDnUszseEY9WX9mUlZII2v2Go/QAcAwRASw58=
github.com/tdewolff/minify/v2 v2.24.13/go.mod h1:emvwoYeIl8bfAKqRU5ww95LX9Gpggpqv/naal9a8Yq0=
github.com/tdewolff/parse/v2 v2.8.13 h1:si/8rLw5BZZTWCCiMm9A3f6x+RmqYfrkEeXCgpX5ick=
github.com/tdewolff/parse/v2 v2.8.13/go.mod h1:XdsoSFThlVIRIajAuqz1evNY7bagZS8LBOPA3aVopwQ=
github.com/tdewolff/test v1.0.12 h1:7F21DqIajswxuche0geHdrUZRCWE4oko4b7bcmkkrxk=
github.com/tdewolff/test v1.0.12/go.mod h1:XPuWBzvdUzhCuxWO1ojpXsyzsA5bFoS3tO/Q3kFuTG8=
github.com/tinylib/msgp v1.6.4 h1:mOwYbyYDLPj35mkA2BjjYejgJk9BuHxDdvRnb6v2ZcQ=
github.com/tinylib/msgp v1.6.4/go.mod h1:RSp0LW9oSxFut3KzESt5Voq4GVWyS+PSulT77roAqEA=
github.com/x448/float16 v0.8.4 h1:qLwI1I70+NjRFUR3zs1JPUCgaCXSh3SW62uAKT1mSBM=
github.com/x448/float16 v0.8.4/go.mod h1:14CWIYCyZA/cWjXOioeEpHeN/83MdbZDRQHoFcYsOfg=
go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
golang.org/x/crypto v0.53.0 h1:QZ4Muo8THX6CizN2vPPd5fBGHyogrdK9fG4wLPFUsto=
golang.org/x/crypto v0.53.0/go.mod h1:DNLU434OwVakk9PzuwV8w62mAJpRJL3vsgcfp4Qnsio=
golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4=
golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ=
golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
golang.org/x/sys v0.46.0 h1:noSf2Fq6F8DBgS+LysIkx7rIExoNHJsxOAtPp4rthXw=
golang.org/x/sys v0.46.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
golang.org/x/tools v0.45.0 h1:18qN3FAooORvApf5XjCXgsuayZOEtXf6JK18I3+ONa8=
golang.org/x/tools v0.45.0/go.mod h1:LuUGqqaXcXMEFEruIVJVm5mgDD8vww/z/SR1gQ4uE/0=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
modernc.org/libc v1.37.6 h1:orZH3c5wmhIQFTXF+Nt+eeauyd+ZIt2BX6ARe+kD+aw=
modernc.org/libc v1.37.6/go.mod h1:YAXkAZ8ktnkCKaN9sw/UDeUVkGYJ/YquGO4FTi5nmHE=
modernc.org/mathutil v1.6.0 h1:fRe9+AmYlaej+64JsEEhoWuAYBkOtQiMEU7n/XgfYi4=
modernc.org/mathutil v1.6.0/go.mod h1:Ui5Q9q1TR2gFm0AQRqQUaBWFLAhQpCwNcuhBOSedWPo=
modernc.org/memory v1.7.2 h1:Klh90S215mmH8c9gO98QxQFsY+W451E8AnzjoE2ee1E=
modernc.org/memory v1.7.2/go.mod h1:NO4NVCQy0N7ln+T9ngWqOQfi7ley4vpwvARR+Hjw95E=
modernc.org/sqlite v1.28.0 h1:Zx+LyDDmXczNnEQdvPuEfcFVA2ZPyaD7UCZDjef3BHQ=
modernc.org/sqlite v1.28.0/go.mod h1:Qxpazz0zH8Z1xCFyi5GSL3FzbtZ3fvbjmywNogldEW0=
modernc.org/cc/v4 v4.28.4 h1:Hd/4Es+MBj+/7hSdZaisNyu6bv3V0Dp2MdllyfqaH+c=
modernc.org/cc/v4 v4.28.4/go.mod h1:OnovgIhbbMXMu1aISnJ0wvVD1KnW+cAUJkIrAWh+kVI=
modernc.org/ccgo/v4 v4.34.4 h1:OVnSOWQjVKOYkFxoHYB+qQmSHK5gqMqARM+K9DpR/Ws=
modernc.org/ccgo/v4 v4.34.4/go.mod h1:qdKqE8FNIYyysougB1RX9MxCzp5oJOcQXSobANJ4TuE=
modernc.org/fileutil v1.4.0 h1:j6ZzNTftVS054gi281TyLjHPp6CPHr2KCxEXjEbD6SM=
modernc.org/fileutil v1.4.0/go.mod h1:EqdKFDxiByqxLk8ozOxObDSfcVOv/54xDs/DUHdvCUU=
modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
modernc.org/gc/v3 v3.1.3 h1:6QAplYyVO+KdPW3pGnqmJDUxtkec8ooEWvks/hhU3lc=
modernc.org/gc/v3 v3.1.3/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
modernc.org/libc v1.73.0 h1:Y/KmTxbIN5T3x+NFjYOzV/+Ha7wKClfIecmTCTuYlqQ=
modernc.org/libc v1.73.0/go.mod h1:DXZ3eO8qMCNn2SnmTNCiC71nJ9Rcq3PsnpU6Vc4rWK8=
modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
modernc.org/opt v0.2.0 h1:tGyef5ApycA7FSEOMraay9SaTk5zmbx7Tu+cJs4QKZg=
modernc.org/opt v0.2.0/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
modernc.org/sqlite v1.52.0 h1:p4dhYh2tXZCiyaqHwRVJDjIGKWyXayiQpThxgDzJaxo=
modernc.org/sqlite v1.52.0/go.mod h1:tcNzv5p84E0skkmJn038y+hWJbLQXQqEnQfeh5r2JLM=
modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=

811
handlers/account.go
View File

@@ -2,33 +2,49 @@ package handlers
import (
"MiauInv/auth"
"MiauInv/config"
"MiauInv/models"
"MiauInv/storage"
"MiauInv/util"
utils "MiauInv/util"
"bytes"
"crypto/rand"
"encoding/base64"
"encoding/hex"
"encoding/json"
"image/png"
"log"
"net/http"
"os"
"strings"
"time"
"github.com/pquerna/otp/totp"
)
var cfg, _ = config.LoadConfig()
const recoveryCodeWarningThreshold = 3
func APIRegister(w http.ResponseWriter, r *http.Request) {
var user models.User
if err := json.NewDecoder(r.Body).Decode(&user); err != nil {
log.Println("POST [api/register] " + r.RemoteAddr + ": " + err.Error())
RecordActivity(r, "", "", "auth.register.failed", "auth", "", "Invalid request body", http.StatusBadRequest)
http.Error(w, "Invalid request body", http.StatusBadRequest)
return
}
if user.Username == "" || user.Password == "" {
log.Println("POST [api/register] " + r.RemoteAddr + ": Username or Password is empty")
RecordActivity(r, "", strings.ToLower(strings.TrimSpace(user.Username)), "auth.register.failed", "auth", "", "Username and password required", http.StatusBadRequest)
http.Error(w, "username and password required", http.StatusBadRequest)
return
}
if len(user.Password) > 72 {
log.Println("POST [api/register] User password too long")
RecordActivity(r, "", strings.ToLower(strings.TrimSpace(user.Username)), "auth.register.failed", "auth", "", "Password exceeds maximum length", http.StatusUnprocessableEntity)
http.Error(w, "Password exceeds the maximum allowed length of 72 characters", http.StatusUnprocessableEntity)
return
}
hashed, err := auth.HashPassword(user.Password)
if err != nil {
log.Println("POST [api/register] " + r.RemoteAddr + ": " + err.Error())
@@ -41,13 +57,16 @@ func APIRegister(w http.ResponseWriter, r *http.Request) {
if err := storage.AddUser(&user); err != nil {
log.Println("POST [api/register] " + r.RemoteAddr + ": " + err.Error())
RecordActivity(r, "", strings.ToLower(strings.TrimSpace(user.Username)), "auth.register.failed", "auth", "", "User already exists or could not be created", http.StatusBadRequest)
http.Error(w, "user already exists", http.StatusBadRequest)
return
}
RecordActivity(r, user.ID, strings.ToLower(strings.TrimSpace(user.Username)), "auth.register.succeeded", "auth", "", "User registered", http.StatusCreated)
w.WriteHeader(http.StatusCreated)
log.Println("POST [api/register] " + r.RemoteAddr + ": Successfully created user")
}
func APILogin(w http.ResponseWriter, r *http.Request) {
var creds struct {
Username string `json:"username"`
@@ -55,6 +74,7 @@ func APILogin(w http.ResponseWriter, r *http.Request) {
}
if err := json.NewDecoder(r.Body).Decode(&creds); err != nil {
log.Println("POST [api/login] " + r.RemoteAddr + ": " + err.Error())
RecordActivity(r, "", "", "auth.login.failed", "auth", "", "Invalid request", http.StatusBadRequest)
http.Error(w, "Invalid request", http.StatusBadRequest)
return
}
@@ -62,12 +82,14 @@ func APILogin(w http.ResponseWriter, r *http.Request) {
user, err := storage.GetUserByUsername(creds.Username)
if err != nil {
log.Println("POST [api/login] " + r.RemoteAddr + ": " + err.Error())
RecordActivity(r, "", strings.ToLower(strings.TrimSpace(creds.Username)), "auth.login.failed", "auth", "", "Invalid credentials", http.StatusUnauthorized)
http.Error(w, "Invalid credentials", http.StatusUnauthorized)
return
}
if !auth.CheckPasswordHash(creds.Password, user.Password) {
log.Println("POST [api/login] " + r.RemoteAddr + ": Invalid credentials")
RecordActivity(r, user.ID, user.Username, "auth.login.failed", "auth", "", "Invalid credentials", http.StatusUnauthorized)
http.Error(w, "Invalid credentials", http.StatusUnauthorized)
return
}
@@ -79,76 +101,460 @@ func APILogin(w http.ResponseWriter, r *http.Request) {
return
}
accessToken, err := auth.GenerateJWT(user.ID, user.Role, secret)
if err != nil {
log.Println("POST [api/login] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not generate token", http.StatusInternalServerError)
if user.TwoFactorEnabled {
twoFactorToken, err := auth.GeneratePurposeJWT(user.ID, auth.PurposeTwoFactorLogin, secret, 5*time.Minute)
if err != nil {
log.Println("POST [api/login] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not generate 2FA challenge", http.StatusInternalServerError)
return
}
writeJSON(w, http.StatusOK, map[string]interface{}{
"requires_2fa": true,
"two_factor_token": twoFactorToken,
})
RecordActivity(r, user.ID, user.Username, "auth.login.password_accepted_2fa_required", "auth", "", "Password accepted; 2FA required", http.StatusOK)
log.Println("POST [api/login] " + r.RemoteAddr + ": Password accepted, 2FA required")
return
}
refreshTokenPlain, err := utils.GenerateRefreshToken()
if err != nil {
log.Println("POST [api/login] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "could not generate refresh token", http.StatusInternalServerError)
return
}
refreshHash := utils.HashToken(refreshTokenPlain)
refreshID := utils.GenerateUUID()
refreshExpires := time.Now().Add(7 * 24 * time.Hour).Unix() // expiry: 7 days
deviceInfo := r.Header.Get("User-Agent")
if err := storage.AddRefreshToken(&models.RefreshToken{
ID: refreshID,
UserID: user.ID,
Token: refreshHash,
ExpiresAt: refreshExpires,
DeviceInfo: deviceInfo,
CreatedAt: time.Now().Unix(),
Revoked: false,
}); err != nil {
log.Println("POST [api/login] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "could not save refresh token", http.StatusInternalServerError)
return
}
// Return access + refresh token (refresh in plain for client to store securely)
resp := map[string]interface{}{
"access_token": accessToken,
"refresh_token": refreshTokenPlain,
"user": map[string]interface{}{
"id": user.ID,
"username": user.Username,
"role": user.Role,
},
}
http.SetCookie(w, &http.Cookie{
Name: "access_token",
Value: accessToken,
Path: "/",
HttpOnly: true,
Secure: true,
SameSite: http.SameSiteLaxMode,
})
http.SetCookie(w, &http.Cookie{
Name: "refresh_token",
Value: refreshTokenPlain,
Path: "/",
HttpOnly: true,
Secure: true,
SameSite: http.SameSiteLaxMode,
})
w.Header().Set("Content-Type", "application/json")
err = json.NewEncoder(w).Encode(resp)
if err != nil {
log.Println("POST [api/login] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Something went wrong", http.StatusInternalServerError)
return
}
issueLoginSession(w, r, user)
RecordActivity(r, user.ID, user.Username, "auth.login.succeeded", "auth", "", "Password login succeeded", http.StatusOK)
log.Println("POST [api/login] " + r.RemoteAddr + ": Successfully logged in")
}
func APILoginTwoFactor(w http.ResponseWriter, r *http.Request) {
var req struct {
TwoFactorToken string `json:"two_factor_token"`
Code string `json:"code"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
log.Println("POST [api/login/2fa] " + r.RemoteAddr + ": " + err.Error())
RecordActivity(r, "", "", "auth.2fa_login.failed", "auth", "", "Invalid request", http.StatusBadRequest)
http.Error(w, "Invalid request", http.StatusBadRequest)
return
}
secret := []byte(os.Getenv("JWT_SECRET"))
claims, err := auth.ValidatePurposeJWT(req.TwoFactorToken, auth.PurposeTwoFactorLogin, secret)
if err != nil {
log.Println("POST [api/login/2fa] " + r.RemoteAddr + ": " + err.Error())
RecordActivity(r, "", "", "auth.2fa_login.failed", "auth", "", "Invalid or expired 2FA challenge", http.StatusUnauthorized)
http.Error(w, "Invalid or expired 2FA challenge", http.StatusUnauthorized)
return
}
user, err := storage.GetUserById(claims.UserID)
if err != nil || !user.TwoFactorEnabled || user.TwoFactorSecret == "" {
log.Println("POST [api/login/2fa] " + r.RemoteAddr + ": 2FA not available for user")
http.Error(w, "Invalid 2FA state", http.StatusUnauthorized)
return
}
code := strings.TrimSpace(req.Code)
validTOTP := totp.Validate(code, user.TwoFactorSecret)
usedRecoveryCode := false
if !validTOTP {
recoveryCodeHash := utils.HashToken(normalizeRecoveryCode(code))
usedRecoveryCode, err = storage.UseUserRecoveryCode(user.ID, recoveryCodeHash)
if err != nil {
log.Println("POST [api/login/2fa] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not validate recovery code", http.StatusInternalServerError)
return
}
}
if !validTOTP && !usedRecoveryCode {
log.Println("POST [api/login/2fa] " + r.RemoteAddr + ": Invalid 2FA or recovery code")
RecordActivity(r, user.ID, user.Username, "auth.2fa_login.failed", "auth", "", "Invalid 2FA or recovery code", http.StatusUnauthorized)
http.Error(w, "Invalid 2FA or recovery code", http.StatusUnauthorized)
return
}
issueLoginSession(w, r, user)
if usedRecoveryCode {
RecordActivity(r, user.ID, user.Username, "auth.recovery_code_login.succeeded", "auth", "", "Recovery-code login succeeded", http.StatusOK)
log.Println("POST [api/login/2fa] " + r.RemoteAddr + ": Successfully logged in with recovery code")
return
}
RecordActivity(r, user.ID, user.Username, "auth.2fa_login.succeeded", "auth", "", "2FA login succeeded", http.StatusOK)
log.Println("POST [api/login/2fa] " + r.RemoteAddr + ": Successfully logged in with 2FA")
}
func AccountUpdateUsername(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
var req struct {
Username string `json:"username"`
Password string `json:"password"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
log.Println("POST [api/account/username] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Invalid request", http.StatusBadRequest)
return
}
username := strings.TrimSpace(req.Username)
if username == "" || req.Password == "" {
http.Error(w, "Username and password required", http.StatusBadRequest)
return
}
claims := r.Context().Value(auth.UserContextKey).(*auth.Claims)
user, err := storage.GetUserById(claims.UserID)
if err != nil {
log.Println("POST [api/account/username] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "User not found", http.StatusNotFound)
return
}
if !auth.CheckPasswordHash(req.Password, user.Password) {
http.Error(w, "Invalid password", http.StatusUnauthorized)
return
}
if err := storage.UpdateUserUsername(user.ID, username); err != nil {
log.Println("POST [api/account/username] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Username already exists or could not be saved", http.StatusConflict)
return
}
writeJSON(w, http.StatusOK, map[string]interface{}{
"username": strings.ToLower(username),
})
log.Println("POST [api/account/username] " + r.RemoteAddr + ": Updated username")
}
func AccountUpdatePassword(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
var req struct {
CurrentPassword string `json:"current_password"`
NewPassword string `json:"new_password"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
log.Println("POST [api/account/password] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Invalid request", http.StatusBadRequest)
return
}
if req.CurrentPassword == "" || req.NewPassword == "" {
http.Error(w, "Current and new password required", http.StatusBadRequest)
return
}
if len(req.NewPassword) > 72 {
http.Error(w, "Password exceeds the maximum allowed length of 72 characters", http.StatusUnprocessableEntity)
return
}
if req.CurrentPassword == req.NewPassword {
http.Error(w, "New password must be different", http.StatusBadRequest)
return
}
claims := r.Context().Value(auth.UserContextKey).(*auth.Claims)
user, err := storage.GetUserById(claims.UserID)
if err != nil {
log.Println("POST [api/account/password] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "User not found", http.StatusNotFound)
return
}
if !auth.CheckPasswordHash(req.CurrentPassword, user.Password) {
http.Error(w, "Invalid password", http.StatusUnauthorized)
return
}
hashed, err := auth.HashPassword(req.NewPassword)
if err != nil {
log.Println("POST [api/account/password] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not hash password", http.StatusInternalServerError)
return
}
if err := storage.UpdateUserPassword(user.ID, hashed); err != nil {
log.Println("POST [api/account/password] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not update password", http.StatusInternalServerError)
return
}
if err := storage.RevokeAllRefreshTokensForUser(user.ID); err != nil {
log.Println("POST [api/account/password] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not revoke old sessions", http.StatusInternalServerError)
return
}
user.Password = hashed
issueLoginSession(w, r, user)
log.Println("POST [api/account/password] " + r.RemoteAddr + ": Updated password")
}
func TwoFactorSetup(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
claims := r.Context().Value(auth.UserContextKey).(*auth.Claims)
user, err := storage.GetUserById(claims.UserID)
if err != nil {
log.Println("POST [api/2fa/setup] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "User not found", http.StatusNotFound)
return
}
if user.TwoFactorEnabled {
http.Error(w, "2FA is already enabled", http.StatusConflict)
return
}
key, err := totp.Generate(totp.GenerateOpts{
Issuer: "MiauInv",
AccountName: user.Username,
SecretSize: 20,
})
if err != nil {
log.Println("POST [api/2fa/setup] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not generate 2FA secret", http.StatusInternalServerError)
return
}
secret := []byte(os.Getenv("JWT_SECRET"))
if len(secret) == 0 {
log.Println("POST [api/2fa/setup] " + r.RemoteAddr + ": Server misconfiguration")
http.Error(w, "Server misconfiguration", http.StatusInternalServerError)
return
}
setupToken, err := auth.GenerateTwoFactorSetupJWT(user.ID, key.Secret(), secret, 10*time.Minute)
if err != nil {
log.Println("POST [api/2fa/setup] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not create 2FA setup challenge", http.StatusInternalServerError)
return
}
img, err := key.Image(220, 220)
if err != nil {
log.Println("POST [api/2fa/setup] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not generate QR code", http.StatusInternalServerError)
return
}
var qr bytes.Buffer
if err := png.Encode(&qr, img); err != nil {
log.Println("POST [api/2fa/setup] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not encode QR code", http.StatusInternalServerError)
return
}
writeJSON(w, http.StatusOK, map[string]interface{}{
"secret": key.Secret(),
"setup_token": setupToken,
"otpauth_url": key.URL(),
"qr_code": "data:image/png;base64," + base64.StdEncoding.EncodeToString(qr.Bytes()),
})
log.Println("POST [api/2fa/setup] " + r.RemoteAddr + ": Created 2FA setup challenge")
}
func TwoFactorEnable(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
var req struct {
Code string `json:"code"`
SetupToken string `json:"setup_token"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
log.Println("POST [api/2fa/enable] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Invalid request", http.StatusBadRequest)
return
}
claims := r.Context().Value(auth.UserContextKey).(*auth.Claims)
user, err := storage.GetUserById(claims.UserID)
if err != nil {
log.Println("POST [api/2fa/enable] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "User not found", http.StatusNotFound)
return
}
setupSecret := ""
secret := []byte(os.Getenv("JWT_SECRET"))
if req.SetupToken != "" {
setupClaims, err := auth.ValidateTwoFactorSetupJWT(req.SetupToken, secret)
if err != nil {
log.Println("POST [api/2fa/enable] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Invalid or expired 2FA setup challenge", http.StatusUnauthorized)
return
}
if setupClaims.UserID != user.ID {
http.Error(w, "Invalid 2FA setup challenge", http.StatusUnauthorized)
return
}
setupSecret = setupClaims.Secret
} else if !user.TwoFactorEnabled && user.TwoFactorSecret != "" {
// Compatibility for accounts that started setup before temporary setup tokens existed.
setupSecret = user.TwoFactorSecret
}
if setupSecret == "" {
http.Error(w, "2FA setup has not been started", http.StatusBadRequest)
return
}
if !totp.Validate(strings.TrimSpace(req.Code), setupSecret) {
http.Error(w, "Invalid 2FA code", http.StatusUnauthorized)
return
}
recoveryCodes, recoveryCodeHashes, err := generateRecoveryCodes(10)
if err != nil {
log.Println("POST [api/2fa/enable] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not generate recovery codes", http.StatusInternalServerError)
return
}
if err := storage.EnableUserTwoFactorWithSecretAndRecoveryCodes(user.ID, setupSecret, recoveryCodeHashes); err != nil {
log.Println("POST [api/2fa/enable] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not enable 2FA", http.StatusInternalServerError)
return
}
if err := storage.RevokeAllRefreshTokensForUser(user.ID); err != nil {
log.Println("POST [api/2fa/enable] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not revoke old sessions", http.StatusInternalServerError)
return
}
user.TwoFactorEnabled = true
user.TwoFactorSecret = setupSecret
issueLoginSessionWithExtra(w, r, user, map[string]interface{}{
"two_factor_enabled": true,
"recovery_codes": recoveryCodes,
"recovery_codes_remaining": len(recoveryCodes),
"recovery_codes_warning": false,
"recovery_codes_warning_at": recoveryCodeWarningThreshold,
})
log.Println("POST [api/2fa/enable] " + r.RemoteAddr + ": Enabled 2FA, replaced recovery codes, and revoked old sessions")
}
func TwoFactorDisable(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
var req struct {
Password string `json:"password"`
Code string `json:"code"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
log.Println("POST [api/2fa/disable] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Invalid request", http.StatusBadRequest)
return
}
claims := r.Context().Value(auth.UserContextKey).(*auth.Claims)
user, err := storage.GetUserById(claims.UserID)
if err != nil {
log.Println("POST [api/2fa/disable] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "User not found", http.StatusNotFound)
return
}
if !auth.CheckPasswordHash(req.Password, user.Password) {
http.Error(w, "Invalid password", http.StatusUnauthorized)
return
}
if user.TwoFactorEnabled && !totp.Validate(strings.TrimSpace(req.Code), user.TwoFactorSecret) {
http.Error(w, "Invalid 2FA code", http.StatusUnauthorized)
return
}
if err := storage.DisableUserTwoFactor(user.ID); err != nil {
log.Println("POST [api/2fa/disable] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not disable 2FA", http.StatusInternalServerError)
return
}
if err := storage.RevokeAllRefreshTokensForUser(user.ID); err != nil {
log.Println("POST [api/2fa/disable] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not revoke sessions", http.StatusInternalServerError)
return
}
clearAuthCookies(w)
writeJSON(w, http.StatusOK, map[string]interface{}{"two_factor_enabled": false})
log.Println("POST [api/2fa/disable] " + r.RemoteAddr + ": Disabled 2FA")
}
func TwoFactorRegenerateRecoveryCodes(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
var req struct {
Password string `json:"password"`
Code string `json:"code"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
log.Println("POST [api/2fa/recovery-codes/regenerate] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Invalid request", http.StatusBadRequest)
return
}
claims := r.Context().Value(auth.UserContextKey).(*auth.Claims)
user, err := storage.GetUserById(claims.UserID)
if err != nil {
log.Println("POST [api/2fa/recovery-codes/regenerate] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "User not found", http.StatusNotFound)
return
}
if !user.TwoFactorEnabled || user.TwoFactorSecret == "" {
http.Error(w, "2FA is not enabled", http.StatusBadRequest)
return
}
if !auth.CheckPasswordHash(req.Password, user.Password) {
http.Error(w, "Invalid password", http.StatusUnauthorized)
return
}
if !totp.Validate(strings.TrimSpace(req.Code), user.TwoFactorSecret) {
http.Error(w, "Invalid 2FA code", http.StatusUnauthorized)
return
}
recoveryCodes, recoveryCodeHashes, err := generateRecoveryCodes(10)
if err != nil {
log.Println("POST [api/2fa/recovery-codes/regenerate] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not generate recovery codes", http.StatusInternalServerError)
return
}
if err := storage.ReplaceUserRecoveryCodes(user.ID, recoveryCodeHashes); err != nil {
log.Println("POST [api/2fa/recovery-codes/regenerate] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not save recovery codes", http.StatusInternalServerError)
return
}
writeJSON(w, http.StatusOK, map[string]interface{}{
"recovery_codes": recoveryCodes,
})
log.Println("POST [api/2fa/recovery-codes/regenerate] " + r.RemoteAddr + ": Regenerated recovery codes")
}
func Logout(w http.ResponseWriter, r *http.Request) {
claims := r.Context().Value(auth.UserContextKey).(*auth.Claims)
err := storage.RevokeAllRefreshTokensForUser(claims.UserID)
@@ -157,8 +563,10 @@ func Logout(w http.ResponseWriter, r *http.Request) {
http.Error(w, "Internal server error", http.StatusInternalServerError)
return
}
w.WriteHeader(204)
clearAuthCookies(w)
w.WriteHeader(http.StatusNoContent)
}
func TestHandler(w http.ResponseWriter, r *http.Request) {
claims, _ := utils.IsLoggedIn(w, r)
@@ -174,13 +582,25 @@ func TestHandler(w http.ResponseWriter, r *http.Request) {
}
log.Println("GET [api/ping] " + r.RemoteAddr + ": Successfully tested connection")
}
func RefreshToken(w http.ResponseWriter, r *http.Request) {
var req struct {
RefreshToken string `json:"refresh_token"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
log.Println("POST [api/refresh] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Invalid request", http.StatusBadRequest)
if r.Body != nil {
_ = json.NewDecoder(r.Body).Decode(&req)
}
if req.RefreshToken == "" {
cookie, err := r.Cookie("refresh_token")
if err == nil {
req.RefreshToken = cookie.Value
}
}
if req.RefreshToken == "" {
log.Println("POST [api/refresh] " + r.RemoteAddr + ": Missing refresh token")
RecordActivity(r, "", "", "auth.refresh.failed", "auth", "", "Missing refresh token", http.StatusUnauthorized)
http.Error(w, "Invalid refresh token", http.StatusUnauthorized)
return
}
@@ -189,6 +609,7 @@ func RefreshToken(w http.ResponseWriter, r *http.Request) {
tokenRow, err := storage.GetRefreshToken(hashed)
if err != nil || tokenRow.Revoked || tokenRow.ExpiresAt < time.Now().Unix() {
log.Println("POST [api/refresh] " + r.RemoteAddr + ": Invalid refresh token")
RecordActivity(r, tokenRow.UserID, "", "auth.refresh.failed", "auth", "", "Invalid refresh token", http.StatusUnauthorized)
http.Error(w, "Invalid refresh token", http.StatusUnauthorized)
return
}
@@ -197,43 +618,18 @@ func RefreshToken(w http.ResponseWriter, r *http.Request) {
log.Println(err)
}
newToken, _ := utils.GenerateRefreshToken()
newHash := utils.HashToken(newToken)
newExpires := time.Now().Add(7 * 24 * time.Hour).Unix() //7 days
newID := utils.GenerateUUID()
deviceInfo := r.Header.Get("User-Agent")
if err = storage.AddRefreshToken(&models.RefreshToken{
ID: newID,
UserID: tokenRow.UserID,
Token: newHash,
ExpiresAt: newExpires,
CreatedAt: time.Now().Unix(),
Revoked: false,
DeviceInfo: deviceInfo,
}); err != nil {
log.Println("POST [api/refresh] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not generate new refresh token", http.StatusInternalServerError)
return
}
user, err := storage.GetUserById(tokenRow.UserID)
if err != nil {
log.Println("POST [api/refresh] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Internal server error", http.StatusInternalServerError)
return
}
accessToken, _ := auth.GenerateJWT(tokenRow.UserID, user.Role, []byte(os.Getenv("JWT_SECRET")))
if err = json.NewEncoder(w).Encode(map[string]string{
"access_token": accessToken,
"refresh_token": newToken,
}); err != nil {
log.Println("POST [api/refresh] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Internal server error", http.StatusInternalServerError)
return
}
issueLoginSession(w, r, user)
RecordActivity(r, user.ID, user.Username, "auth.refresh.succeeded", "auth", "", "Refresh token rotated", http.StatusOK)
log.Println("POST [api/refresh] " + r.RemoteAddr + ": Successfully refreshed token")
}
func UserInfo(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodGet {
log.Println("GET [api/userinfo] " + r.RemoteAddr + ": Method " + r.Method + " not allowed")
@@ -242,21 +638,228 @@ func UserInfo(w http.ResponseWriter, r *http.Request) {
}
query := r.URL.Query()
idParam := query.Get("id")
if idParam == "" {
tokenStr := ""
authHeader := r.Header.Get("Authorization")
if strings.HasPrefix(authHeader, "Bearer ") {
tokenStr = strings.TrimPrefix(authHeader, "Bearer ")
}
if tokenStr == "" {
cookie, err := r.Cookie("access_token")
if err == nil {
tokenStr = cookie.Value
}
}
if tokenStr == "" {
http.Error(w, "Missing token", http.StatusUnauthorized)
return
}
claims, err := auth.ValidateJWT(tokenStr, models.JWTSecret)
if err != nil {
log.Println("GET [api/userinfo] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Unauthorized: Invalid or expired token", http.StatusUnauthorized)
return
}
idParam = claims.UserID
}
user, err := storage.GetUserById(idParam)
if err != nil {
log.Println("GET [api/userinfo] " + r.RemoteAddr + ": User " + idParam + " not found")
http.Error(w, "User not found", http.StatusNotFound)
return
}
recoveryCodesRemaining := 0
if user.TwoFactorEnabled {
if count, err := storage.CountUnusedRecoveryCodes(user.ID); err == nil {
recoveryCodesRemaining = count
}
}
twoFactorStatus := "disabled"
if user.TwoFactorEnabled {
twoFactorStatus = "enabled"
} else if user.TwoFactorSecret != "" {
twoFactorStatus = "setup_pending"
}
recoveryCodesWarning := user.TwoFactorEnabled && recoveryCodesRemaining <= recoveryCodeWarningThreshold
passkeyCount := 0
if count, err := storage.CountPasskeyCredentials(user.ID); err == nil {
passkeyCount = count
}
w.Header().Set("Content-Type", "application/json")
err = json.NewEncoder(w).Encode(map[string]interface{}{
"id": user.ID,
"name": user.Username,
"avatar_url": "",
"id": user.ID,
"username": user.Username,
"avatar_url": "",
"two_factor_enabled": user.TwoFactorEnabled,
"two_factor_status": twoFactorStatus,
"recovery_codes_remaining": recoveryCodesRemaining,
"recovery_codes_warning": recoveryCodesWarning,
"recovery_codes_warning_at": recoveryCodeWarningThreshold,
"passkeys_enabled": passkeyCount > 0,
"passkey_count": passkeyCount,
})
if err != nil {
log.Println("GET [api/userinfo] " + r.RemoteAddr + ": " + err.Error())
return
}
log.Println("GET [api/userinfo] " + r.RemoteAddr + ": Successfully retrieved user info")
log.Println("GET [api/userinfo] " + r.RemoteAddr + ": Successfully retrieved user info of " + user.Username + " (" + user.ID + ")")
}
func issueLoginSession(w http.ResponseWriter, r *http.Request, user models.User) {
issueLoginSessionWithExtra(w, r, user, nil)
}
func issueLoginSessionWithExtra(w http.ResponseWriter, r *http.Request, user models.User, extra map[string]interface{}) {
secret := []byte(os.Getenv("JWT_SECRET"))
if len(secret) == 0 {
log.Println("AUTH " + r.RemoteAddr + ": Server misconfiguration")
http.Error(w, "Server misconfiguration", http.StatusInternalServerError)
return
}
accessToken, err := auth.GenerateJWT(user.ID, user.Role, secret)
if err != nil {
log.Println("AUTH " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not generate token", http.StatusInternalServerError)
return
}
refreshTokenPlain, err := utils.GenerateRefreshToken()
if err != nil {
log.Println("AUTH " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "could not generate refresh token", http.StatusInternalServerError)
return
}
refreshExpires := time.Now().Add(7 * 24 * time.Hour).Unix()
if err := storage.AddRefreshToken(&models.RefreshToken{
ID: utils.GenerateUUID(),
UserID: user.ID,
Token: utils.HashToken(refreshTokenPlain),
ExpiresAt: refreshExpires,
DeviceInfo: r.Header.Get("User-Agent"),
CreatedAt: time.Now().Unix(),
Revoked: false,
}); err != nil {
log.Println("AUTH " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "could not save refresh token", http.StatusInternalServerError)
return
}
passkeyCount := 0
if count, err := storage.CountPasskeyCredentials(user.ID); err == nil {
passkeyCount = count
}
setAuthCookies(w, accessToken, refreshTokenPlain)
response := map[string]interface{}{
"access_token": accessToken,
"refresh_token": refreshTokenPlain,
"user": map[string]interface{}{
"id": user.ID,
"username": user.Username,
"role": user.Role,
"two_factor_enabled": user.TwoFactorEnabled,
"passkeys_enabled": passkeyCount > 0,
"passkey_count": passkeyCount,
},
}
for key, value := range extra {
response[key] = value
}
writeJSON(w, http.StatusOK, response)
}
func generateRecoveryCodes(count int) ([]string, []string, error) {
codes := make([]string, 0, count)
hashes := make([]string, 0, count)
seen := make(map[string]struct{}, count)
for len(codes) < count {
code, err := generateRecoveryCode()
if err != nil {
return nil, nil, err
}
normalized := normalizeRecoveryCode(code)
if _, exists := seen[normalized]; exists {
continue
}
seen[normalized] = struct{}{}
codes = append(codes, code)
hashes = append(hashes, utils.HashToken(normalized))
}
return codes, hashes, nil
}
func generateRecoveryCode() (string, error) {
bytes := make([]byte, 10)
if _, err := rand.Read(bytes); err != nil {
return "", err
}
raw := hex.EncodeToString(bytes)
return raw[0:5] + "-" + raw[5:10] + "-" + raw[10:15] + "-" + raw[15:20], nil
}
func normalizeRecoveryCode(code string) string {
code = strings.TrimSpace(code)
code = strings.ReplaceAll(code, "-", "")
code = strings.ReplaceAll(code, " ", "")
return strings.ToLower(code)
}
func setAuthCookies(w http.ResponseWriter, accessToken, refreshToken string) {
http.SetCookie(w, &http.Cookie{
Name: "access_token",
Value: accessToken,
Path: "/",
MaxAge: 15 * 60,
HttpOnly: true,
Secure: true,
SameSite: http.SameSiteLaxMode,
})
http.SetCookie(w, &http.Cookie{
Name: "refresh_token",
Value: refreshToken,
Path: "/",
MaxAge: 7 * 24 * 60 * 60,
HttpOnly: true,
Secure: true,
SameSite: http.SameSiteLaxMode,
})
}
func clearAuthCookies(w http.ResponseWriter) {
for _, name := range []string{"access_token", "refresh_token"} {
http.SetCookie(w, &http.Cookie{
Name: name,
Value: "",
Path: "/",
MaxAge: -1,
HttpOnly: true,
Secure: true,
SameSite: http.SameSiteLaxMode,
})
}
}
func writeJSON(w http.ResponseWriter, status int, data interface{}) {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(status)
if err := json.NewEncoder(w).Encode(data); err != nil {
log.Println("JSON response error: " + err.Error())
}
}

223
handlers/activity.go Normal file
View File

@@ -0,0 +1,223 @@
package handlers
import (
"MiauInv/auth"
"MiauInv/models"
"MiauInv/storage"
"log"
"net"
"net/http"
"strconv"
"strings"
)
type activityResponseWriter struct {
http.ResponseWriter
statusCode int
}
func (w *activityResponseWriter) WriteHeader(statusCode int) {
w.statusCode = statusCode
w.ResponseWriter.WriteHeader(statusCode)
}
func (w *activityResponseWriter) Write(data []byte) (int, error) {
if w.statusCode == 0 {
w.statusCode = http.StatusOK
}
return w.ResponseWriter.Write(data)
}
func ActivityMiddleware(entityType string, includeGET bool) func(http.Handler) http.Handler {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
recorder := &activityResponseWriter{ResponseWriter: w}
next.ServeHTTP(recorder, r)
statusCode := recorder.statusCode
if statusCode == 0 {
statusCode = http.StatusOK
}
if !shouldRecordActivity(r, includeGET) {
return
}
claims, ok := r.Context().Value(auth.UserContextKey).(*auth.Claims)
if !ok || claims == nil {
return
}
username := ""
if user, err := storage.GetUserById(claims.UserID); err == nil {
username = user.Username
}
RecordActivity(r, claims.UserID, username, activityAction(r.Method, r.URL.Path), entityType, activityEntityID(r), activityDetails(statusCode), statusCode)
})
}
}
func ActivityLog(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodGet {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
claims, ok := r.Context().Value(auth.UserContextKey).(*auth.Claims)
if !ok || claims == nil {
http.Error(w, "Unauthorized", http.StatusUnauthorized)
return
}
limit := parseBoundedInt(r.URL.Query().Get("limit"), 50, 1, 100)
offset := parseBoundedInt(r.URL.Query().Get("offset"), 0, 0, 100000)
includeAll := claims.Role == models.RoleAdmin && strings.EqualFold(r.URL.Query().Get("all"), "true")
entries, err := storage.ListActivityLogs(claims.UserID, includeAll, limit, offset)
if err != nil {
log.Println("GET [api/activity] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not load activity log", http.StatusInternalServerError)
return
}
writeJSON(w, http.StatusOK, map[string]interface{}{
"activity": entries,
"limit": limit,
"offset": offset,
"all": includeAll,
})
}
func RecordActivity(r *http.Request, userID, username, action, entityType, entityID, details string, statusCode int) {
if statusCode == 0 {
statusCode = http.StatusOK
}
entry := models.ActivityLogEntry{
UserID: userID,
Username: truncateForActivity(username, 120),
Action: truncateForActivity(action, 120),
EntityType: truncateForActivity(entityType, 80),
EntityID: truncateForActivity(entityID, 120),
Details: truncateForActivity(details, 500),
Method: r.Method,
Path: truncateForActivity(r.URL.Path, 255),
StatusCode: statusCode,
Success: statusCode >= 200 && statusCode < 400,
IPAddress: truncateForActivity(clientIP(r), 80),
UserAgent: truncateForActivity(r.UserAgent(), 500),
}
if err := storage.AddActivityLog(entry); err != nil {
log.Println("ACTIVITY " + r.RemoteAddr + ": " + err.Error())
}
}
func shouldRecordActivity(r *http.Request, includeGET bool) bool {
if r.Method == http.MethodOptions || r.Method == http.MethodHead {
return false
}
if includeGET {
return true
}
return r.Method != http.MethodGet
}
func activityAction(method, path string) string {
path = strings.TrimSuffix(path, "/")
switch {
case path == "/api/logout":
return "auth.logout"
case path == "/api/account/username":
return "account.username.update"
case path == "/api/account/password":
return "account.password.update"
case path == "/api/2fa/setup":
return "security.2fa.setup"
case path == "/api/2fa/enable":
return "security.2fa.enable"
case path == "/api/2fa/disable":
return "security.2fa.disable"
case path == "/api/2fa/recovery-codes/regenerate":
return "security.2fa.recovery_codes.regenerate"
case path == "/api/passkeys/register/options":
return "security.passkey.registration.start"
case path == "/api/passkeys/register/finish":
return "security.passkey.registration.finish"
case path == "/api/passkeys/disable":
return "security.passkey.disable"
case path == "/api/passkeys":
if method == http.MethodDelete {
return "security.passkey.delete"
}
return "security.passkey.read"
}
switch method {
case http.MethodPost:
return "inventory.create"
case http.MethodPut:
return "inventory.update"
case http.MethodDelete:
return "inventory.delete"
case http.MethodGet:
return "inventory.read"
default:
return strings.ToLower(method)
}
}
func activityEntityID(r *http.Request) string {
if id := strings.TrimSpace(r.URL.Query().Get("id")); id != "" {
return id
}
return ""
}
func activityDetails(statusCode int) string {
if statusCode >= 200 && statusCode < 400 {
return "Request completed successfully."
}
return http.StatusText(statusCode)
}
func clientIP(r *http.Request) string {
if forwardedFor := strings.TrimSpace(r.Header.Get("X-Forwarded-For")); forwardedFor != "" {
parts := strings.Split(forwardedFor, ",")
return strings.TrimSpace(parts[0])
}
if realIP := strings.TrimSpace(r.Header.Get("X-Real-IP")); realIP != "" {
return realIP
}
host, _, err := net.SplitHostPort(r.RemoteAddr)
if err == nil {
return host
}
return r.RemoteAddr
}
func parseBoundedInt(raw string, fallback, min, max int) int {
if strings.TrimSpace(raw) == "" {
return fallback
}
value, err := strconv.Atoi(raw)
if err != nil {
return fallback
}
if value < min {
return min
}
if value > max {
return max
}
return value
}
func truncateForActivity(value string, max int) string {
value = strings.TrimSpace(value)
runes := []rune(value)
if max <= 0 || len(runes) <= max {
return value
}
return string(runes[:max])
}

115
handlers/api.go
View File

@@ -18,6 +18,42 @@ func Location(w http.ResponseWriter, r *http.Request) {
case http.MethodGet:
idStr := r.URL.Query().Get("id")
contentMode := r.URL.Query().Get("content")
if idStr != "" && contentMode == "true" {
locationID, err := strconv.Atoi(idStr)
if err != nil {
http.Error(w, "Invalid location ID", http.StatusBadRequest)
return
}
query := `
SELECT s.item_id, i.name, s.quantity
FROM stock s
JOIN items i ON s.item_id = i.id
WHERE s.location_id = ? AND s.quantity > 0
`
rows, err := storage.DB.Query(query, locationID)
if err != nil {
http.Error(w, "Database error", http.StatusInternalServerError)
return
}
defer rows.Close()
var contents []models.LocationContent
for rows.Next() {
var c models.LocationContent
if err := rows.Scan(&c.ItemID, &c.ItemName, &c.Quantity); err != nil {
http.Error(w, "Row scan error", http.StatusInternalServerError)
return
}
contents = append(contents, c)
}
json.NewEncoder(w).Encode(map[string]interface{}{"contents": contents})
return
}
if idStr != "" {
id, err := strconv.Atoi(idStr)
@@ -188,9 +224,9 @@ func Item(w http.ResponseWriter, r *http.Request) {
switch r.Method {
case http.MethodGet:
idStr := r.URL.Query().Get("id")
// Read One
if idStr != "" {
id, err := strconv.Atoi(idStr)
if err != nil {
@@ -199,35 +235,50 @@ func Item(w http.ResponseWriter, r *http.Request) {
}
var item models.Item
err = storage.DB.QueryRow("SELECT id, name, category, description, total_quantity FROM items WHERE id = ?", id).
Scan(&item.ID, &item.Name, &item.Category, &item.Description, &item.TotalQuantity)
err = storage.DB.QueryRow("SELECT id, name, category, description, total_quantity FROM items WHERE id = ?", id).Scan(&item.ID, &item.Name, &item.Category, &item.Description, &item.TotalQuantity)
if err != nil {
if err == sql.ErrNoRows {
http.Error(w, "Item not found", http.StatusNotFound)
log.Println("GET [api/locations] " + r.RemoteAddr + ": Location not found (ID " + idStr + ")")
http.Error(w, "Location not found", http.StatusNotFound)
return
}
log.Println("GET [api/item] DB Error: " + err.Error())
http.Error(w, "Internal server error", http.StatusInternalServerError)
return
}
json.NewEncoder(w).Encode(item)
log.Println("GET [api/item] " + r.RemoteAddr + ": Successfully retrieved item ID " + idStr)
return
}
// Read All
rows, err := storage.DB.Query("SELECT id, name, category, description, total_quantity FROM items ORDER BY name ASC")
query := `
SELECT
i.id, i.name, i.category, i.description,
COALESCE((SELECT SUM(quantity) FROM stock WHERE item_id = i.id), 0) as total_qty,
COALESCE((SELECT SUM(quantity) FROM project_items WHERE item_id = i.id), 0) as allocated_qty
FROM items i
ORDER BY i.name ASC
`
rows, err := storage.DB.Query(query)
if err != nil {
http.Error(w, "Internal server error", http.StatusInternalServerError)
http.Error(w, "Database error", http.StatusInternalServerError)
return
}
defer rows.Close()
items := []models.Item{}
var itemsExtended []models.ItemExtended
for rows.Next() {
var item models.Item
rows.Scan(&item.ID, &item.Name, &item.Category, &item.Description, &item.TotalQuantity)
items = append(items, item)
var ie models.ItemExtended
err := rows.Scan(&ie.ID, &ie.Name, &ie.Category, &ie.Description, &ie.TotalQuantity, &ie.AllocatedQty)
if err != nil {
continue
}
ie.AvailableQty = ie.TotalQuantity - ie.AllocatedQty
itemsExtended = append(itemsExtended, ie)
}
json.NewEncoder(w).Encode(map[string]interface{}{"items": items})
json.NewEncoder(w).Encode(map[string]interface{}{"items": itemsExtended})
return
case http.MethodPost:
var body models.Item
@@ -304,6 +355,43 @@ func Project(w http.ResponseWriter, r *http.Request) {
case http.MethodGet:
idStr := r.URL.Query().Get("id")
detailsMode := r.URL.Query().Get("details")
if idStr != "" && detailsMode == "true" {
projectID, err := strconv.Atoi(idStr)
if err != nil {
http.Error(w, "Invalid project ID", http.StatusBadRequest)
return
}
query := `
SELECT pi.item_id, i.name, pi.quantity
FROM project_items pi
JOIN items i ON pi.item_id = i.id
WHERE pi.project_id = ?
`
rows, err := storage.DB.Query(query, projectID)
if err != nil {
http.Error(w, "Database error", http.StatusInternalServerError)
return
}
defer rows.Close()
var details []models.ProjectDetailItem
for rows.Next() {
var d models.ProjectDetailItem
if err := rows.Scan(&d.ItemID, &d.ItemName, &d.Quantity); err != nil {
http.Error(w, "Row scan error", http.StatusInternalServerError)
return
}
details = append(details, d)
}
json.NewEncoder(w).Encode(map[string]interface{}{"items": details})
return
}
if idStr != "" {
id, _ := strconv.Atoi(idStr)
var p models.Project
@@ -485,7 +573,6 @@ func Associations(w http.ResponseWriter, r *http.Request) {
idStr := r.URL.Query().Get("id")
projectIDStr := r.URL.Query().Get("project_id")
// Optionaler Filter: Alle Items für ein bestimmtes Projekt holen (?project_id=X)
if projectIDStr != "" {
pID, _ := strconv.Atoi(projectIDStr)
rows, err := storage.DB.Query("SELECT id, item_id, project_id, quantity FROM project_items WHERE project_id = ?", pID)
@@ -505,7 +592,6 @@ func Associations(w http.ResponseWriter, r *http.Request) {
return
}
// Einzelne Assoziation anhand der Tabellen-ID (?id=X)
if idStr != "" {
id, _ := strconv.Atoi(idStr)
var pi models.ProjectItem
@@ -519,7 +605,6 @@ func Associations(w http.ResponseWriter, r *http.Request) {
return
}
// Gar kein Parameter -> Komplett-Dump aller Zuweisungen
rows, err := storage.DB.Query("SELECT id, item_id, project_id, quantity FROM project_items")
if err != nil {
http.Error(w, "Internal server error", http.StatusInternalServerError)

583
handlers/passkeys.go Normal file
View File

@@ -0,0 +1,583 @@
package handlers
import (
"MiauInv/auth"
"MiauInv/models"
"MiauInv/storage"
utils "MiauInv/util"
"bytes"
"encoding/json"
"errors"
"io"
"log"
"net"
"net/http"
"net/url"
"strings"
"time"
"github.com/go-webauthn/webauthn/protocol"
"github.com/go-webauthn/webauthn/webauthn"
)
const passkeyChallengeTTL = 5 * time.Minute
type passkeyWebAuthnUser struct {
user models.User
credentials []webauthn.Credential
}
func (user passkeyWebAuthnUser) WebAuthnID() []byte {
return []byte(user.user.ID)
}
func (user passkeyWebAuthnUser) WebAuthnName() string {
return user.user.Username
}
func (user passkeyWebAuthnUser) WebAuthnDisplayName() string {
return user.user.Username
}
func (user passkeyWebAuthnUser) WebAuthnCredentials() []webauthn.Credential {
return user.credentials
}
func Passkeys(w http.ResponseWriter, r *http.Request) {
switch r.Method {
case http.MethodGet:
listPasskeys(w, r)
case http.MethodDelete:
deletePasskey(w, r)
default:
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
}
}
func PasskeyRegisterOptions(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
var req struct {
Name string `json:"name"`
Password string `json:"password"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
log.Println("POST [api/passkeys/register/options] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Invalid request", http.StatusBadRequest)
return
}
if strings.TrimSpace(req.Password) == "" {
http.Error(w, "Current password required", http.StatusBadRequest)
return
}
claims := r.Context().Value(auth.UserContextKey).(*auth.Claims)
user, err := storage.GetUserById(claims.UserID)
if err != nil {
log.Println("POST [api/passkeys/register/options] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "User not found", http.StatusNotFound)
return
}
if !auth.CheckPasswordHash(req.Password, user.Password) {
http.Error(w, "Invalid password", http.StatusUnauthorized)
return
}
waUser, err := loadPasskeyWebAuthnUser(user)
if err != nil {
log.Println("POST [api/passkeys/register/options] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not load passkeys", http.StatusInternalServerError)
return
}
wa, err := webAuthnForRequest(r)
if err != nil {
log.Println("POST [api/passkeys/register/options] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Invalid WebAuthn origin", http.StatusBadRequest)
return
}
creation, sessionData, err := wa.BeginRegistration(waUser,
webauthn.WithResidentKeyRequirement(protocol.ResidentKeyRequirementRequired),
webauthn.WithAuthenticatorSelection(protocol.AuthenticatorSelection{
RequireResidentKey: protocol.ResidentKeyRequired(),
ResidentKey: protocol.ResidentKeyRequirementRequired,
UserVerification: protocol.VerificationRequired,
}),
webauthn.WithExclusions(webauthn.Credentials(waUser.WebAuthnCredentials()).CredentialDescriptors()),
webauthn.WithExtensions(map[string]any{"credProps": true}),
)
if err != nil {
log.Println("POST [api/passkeys/register/options] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not create passkey registration challenge", http.StatusInternalServerError)
return
}
sessionToken, err := utils.GenerateOpaqueToken()
if err != nil {
log.Println("POST [api/passkeys/register/options] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not create passkey challenge", http.StatusInternalServerError)
return
}
if err := storage.SavePasskeyChallenge(sessionToken, user.ID, storage.PasskeyCeremonyRegister, *sessionData, passkeyChallengeTTL); err != nil {
log.Println("POST [api/passkeys/register/options] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not save passkey challenge", http.StatusInternalServerError)
return
}
_ = storage.CleanupExpiredPasskeyChallenges()
writeJSON(w, http.StatusOK, map[string]interface{}{
"session_token": sessionToken,
"options": creation,
})
log.Println("POST [api/passkeys/register/options] " + r.RemoteAddr + ": Created passkey registration challenge")
}
func PasskeyRegisterFinish(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
var req struct {
SessionToken string `json:"session_token"`
Name string `json:"name"`
Credential json.RawMessage `json:"credential"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
log.Println("POST [api/passkeys/register/finish] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Invalid request", http.StatusBadRequest)
return
}
if req.SessionToken == "" || len(req.Credential) == 0 {
http.Error(w, "Session token and credential required", http.StatusBadRequest)
return
}
claims := r.Context().Value(auth.UserContextKey).(*auth.Claims)
user, err := storage.GetUserById(claims.UserID)
if err != nil {
log.Println("POST [api/passkeys/register/finish] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "User not found", http.StatusNotFound)
return
}
challenge, sessionData, err := storage.ConsumePasskeyChallenge(req.SessionToken, storage.PasskeyCeremonyRegister)
if err != nil {
log.Println("POST [api/passkeys/register/finish] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Invalid or expired passkey registration challenge", http.StatusUnauthorized)
return
}
if challenge.UserID != user.ID {
http.Error(w, "Invalid passkey registration challenge", http.StatusUnauthorized)
return
}
waUser, err := loadPasskeyWebAuthnUser(user)
if err != nil {
log.Println("POST [api/passkeys/register/finish] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not load passkeys", http.StatusInternalServerError)
return
}
wa, err := webAuthnForRequest(r)
if err != nil {
log.Println("POST [api/passkeys/register/finish] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Invalid WebAuthn origin", http.StatusBadRequest)
return
}
credentialRequest := cloneRequestWithJSONBody(r, req.Credential)
credential, err := wa.FinishRegistration(waUser, sessionData, credentialRequest)
if err != nil {
log.Println("POST [api/passkeys/register/finish] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not verify passkey registration", http.StatusUnauthorized)
return
}
name := strings.TrimSpace(req.Name)
if name == "" {
name = "Passkey"
}
if _, err := storage.AddPasskeyCredential(user.ID, name, credential); err != nil {
log.Println("POST [api/passkeys/register/finish] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not save passkey", http.StatusInternalServerError)
return
}
if err := storage.RevokeAllRefreshTokensForUser(user.ID); err != nil {
log.Println("POST [api/passkeys/register/finish] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not revoke old sessions", http.StatusInternalServerError)
return
}
passkeys, _ := storage.ListPasskeyCredentials(user.ID)
issueLoginSessionWithExtra(w, r, user, map[string]interface{}{
"passkeys_enabled": true,
"passkey_count": len(passkeys),
"passkeys": publicPasskeys(passkeys),
})
log.Println("POST [api/passkeys/register/finish] " + r.RemoteAddr + ": Registered passkey and revoked old sessions")
}
func PasskeyLoginOptions(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
wa, err := webAuthnForRequest(r)
if err != nil {
log.Println("POST [api/passkeys/login/options] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Invalid WebAuthn origin", http.StatusBadRequest)
return
}
assertion, sessionData, err := wa.BeginDiscoverableLogin(webauthn.WithUserVerification(protocol.VerificationRequired))
if err != nil {
log.Println("POST [api/passkeys/login/options] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not create passkey login challenge", http.StatusInternalServerError)
return
}
sessionToken, err := utils.GenerateOpaqueToken()
if err != nil {
log.Println("POST [api/passkeys/login/options] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not create passkey challenge", http.StatusInternalServerError)
return
}
if err := storage.SavePasskeyChallenge(sessionToken, "", storage.PasskeyCeremonyLogin, *sessionData, passkeyChallengeTTL); err != nil {
log.Println("POST [api/passkeys/login/options] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not save passkey challenge", http.StatusInternalServerError)
return
}
_ = storage.CleanupExpiredPasskeyChallenges()
writeJSON(w, http.StatusOK, map[string]interface{}{
"session_token": sessionToken,
"options": assertion,
})
log.Println("POST [api/passkeys/login/options] " + r.RemoteAddr + ": Created passkey login challenge")
}
func PasskeyLoginFinish(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
var req struct {
SessionToken string `json:"session_token"`
Credential json.RawMessage `json:"credential"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
log.Println("POST [api/passkeys/login/finish] " + r.RemoteAddr + ": " + err.Error())
RecordActivity(r, "", "", "auth.passkey_login.failed", "auth", "", "Invalid request", http.StatusBadRequest)
http.Error(w, "Invalid request", http.StatusBadRequest)
return
}
if req.SessionToken == "" || len(req.Credential) == 0 {
http.Error(w, "Session token and credential required", http.StatusBadRequest)
return
}
challenge, sessionData, err := storage.ConsumePasskeyChallenge(req.SessionToken, storage.PasskeyCeremonyLogin)
if err != nil {
log.Println("POST [api/passkeys/login/finish] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Invalid or expired passkey login challenge", http.StatusUnauthorized)
return
}
wa, err := webAuthnForRequest(r)
if err != nil {
log.Println("POST [api/passkeys/login/finish] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Invalid WebAuthn origin", http.StatusBadRequest)
return
}
credentialRequest := cloneRequestWithJSONBody(r, req.Credential)
var user models.User
var credential *webauthn.Credential
if challenge.UserID == "" {
var webAuthnUser webauthn.User
webAuthnUser, credential, err = wa.FinishPasskeyLogin(passkeyDiscoverableUserHandler, sessionData, credentialRequest)
if err == nil {
resolvedUser, ok := webAuthnUser.(passkeyWebAuthnUser)
if !ok {
err = errors.New("invalid passkey user type")
} else {
user = resolvedUser.user
}
}
} else {
user, err = storage.GetUserById(challenge.UserID)
if err == nil {
waUser, loadErr := loadPasskeyWebAuthnUser(user)
if loadErr != nil {
err = loadErr
} else {
credential, err = wa.FinishLogin(waUser, sessionData, credentialRequest)
}
}
}
if err != nil {
log.Println("POST [api/passkeys/login/finish] " + r.RemoteAddr + ": " + err.Error())
RecordActivity(r, user.ID, user.Username, "auth.passkey_login.failed", "auth", "", "Could not verify passkey login", http.StatusUnauthorized)
http.Error(w, "Could not verify passkey login", http.StatusUnauthorized)
return
}
if err := storage.UpdatePasskeyCredentialAfterLogin(user.ID, credential); err != nil {
log.Println("POST [api/passkeys/login/finish] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not update passkey", http.StatusInternalServerError)
return
}
issueLoginSession(w, r, user)
RecordActivity(r, user.ID, user.Username, "auth.passkey_login.succeeded", "auth", "", "Passkey login succeeded", http.StatusOK)
log.Println("POST [api/passkeys/login/finish] " + r.RemoteAddr + ": Successfully logged in with passkey")
}
func PasskeyDisable(w http.ResponseWriter, r *http.Request) {
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
var req struct {
Password string `json:"password"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
log.Println("POST [api/passkeys/disable] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Invalid request", http.StatusBadRequest)
return
}
claims := r.Context().Value(auth.UserContextKey).(*auth.Claims)
user, err := storage.GetUserById(claims.UserID)
if err != nil {
log.Println("POST [api/passkeys/disable] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "User not found", http.StatusNotFound)
return
}
if !auth.CheckPasswordHash(req.Password, user.Password) {
http.Error(w, "Invalid password", http.StatusUnauthorized)
return
}
if err := storage.DeleteAllPasskeyCredentials(user.ID); err != nil {
log.Println("POST [api/passkeys/disable] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not disable passkeys", http.StatusInternalServerError)
return
}
if err := storage.RevokeAllRefreshTokensForUser(user.ID); err != nil {
log.Println("POST [api/passkeys/disable] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not revoke old sessions", http.StatusInternalServerError)
return
}
issueLoginSessionWithExtra(w, r, user, map[string]interface{}{
"passkeys_enabled": false,
"passkey_count": 0,
"passkeys": []map[string]interface{}{},
})
log.Println("POST [api/passkeys/disable] " + r.RemoteAddr + ": Disabled passkeys and revoked old sessions")
}
func listPasskeys(w http.ResponseWriter, r *http.Request) {
claims := r.Context().Value(auth.UserContextKey).(*auth.Claims)
passkeys, err := storage.ListPasskeyCredentials(claims.UserID)
if err != nil {
log.Println("GET [api/passkeys] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not load passkeys", http.StatusInternalServerError)
return
}
writeJSON(w, http.StatusOK, map[string]interface{}{
"passkeys": publicPasskeys(passkeys),
"passkeys_enabled": len(passkeys) > 0,
"passkey_count": len(passkeys),
})
}
func deletePasskey(w http.ResponseWriter, r *http.Request) {
var req struct {
ID string `json:"id"`
Password string `json:"password"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
log.Println("DELETE [api/passkeys] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Invalid request", http.StatusBadRequest)
return
}
if req.ID == "" || req.Password == "" {
http.Error(w, "Passkey ID and password required", http.StatusBadRequest)
return
}
claims := r.Context().Value(auth.UserContextKey).(*auth.Claims)
user, err := storage.GetUserById(claims.UserID)
if err != nil {
log.Println("DELETE [api/passkeys] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "User not found", http.StatusNotFound)
return
}
if !auth.CheckPasswordHash(req.Password, user.Password) {
http.Error(w, "Invalid password", http.StatusUnauthorized)
return
}
if _, err := storage.GetPasskeyCredentialByID(user.ID, req.ID); err != nil {
http.Error(w, "Passkey not found", http.StatusNotFound)
return
}
if err := storage.DeletePasskeyCredential(user.ID, req.ID); err != nil {
log.Println("DELETE [api/passkeys] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not delete passkey", http.StatusInternalServerError)
return
}
if err := storage.RevokeAllRefreshTokensForUser(user.ID); err != nil {
log.Println("DELETE [api/passkeys] " + r.RemoteAddr + ": " + err.Error())
http.Error(w, "Could not revoke old sessions", http.StatusInternalServerError)
return
}
passkeys, _ := storage.ListPasskeyCredentials(user.ID)
issueLoginSessionWithExtra(w, r, user, map[string]interface{}{
"passkeys_enabled": len(passkeys) > 0,
"passkey_count": len(passkeys),
"passkeys": publicPasskeys(passkeys),
})
log.Println("DELETE [api/passkeys] " + r.RemoteAddr + ": Deleted passkey and revoked old sessions")
}
func loadPasskeyWebAuthnUser(user models.User) (passkeyWebAuthnUser, error) {
rows, err := storage.ListPasskeyCredentials(user.ID)
if err != nil {
return passkeyWebAuthnUser{}, err
}
credentials, err := storage.DecodeWebAuthnCredentials(rows)
if err != nil {
return passkeyWebAuthnUser{}, err
}
return passkeyWebAuthnUser{user: user, credentials: credentials}, nil
}
func passkeyDiscoverableUserHandler(rawID, userHandle []byte) (webauthn.User, error) {
row, err := storage.GetPasskeyCredentialByCredentialID(utils.EncodeBase64URL(rawID))
if err != nil {
return nil, err
}
if row.UserID != string(userHandle) {
return nil, errors.New("passkey user handle mismatch")
}
user, err := storage.GetUserById(row.UserID)
if err != nil {
return nil, err
}
return loadPasskeyWebAuthnUser(user)
}
func publicPasskeys(passkeys []models.PasskeyCredential) []map[string]interface{} {
out := make([]map[string]interface{}, 0, len(passkeys))
for _, passkey := range passkeys {
item := map[string]interface{}{
"id": passkey.ID,
"name": passkey.Name,
"credential_id": passkey.CredentialID,
"created_at": passkey.CreatedAt,
}
if passkey.LastUsedAt > 0 {
item["last_used_at"] = passkey.LastUsedAt
}
out = append(out, item)
}
return out
}
func webAuthnForRequest(r *http.Request) (*webauthn.WebAuthn, error) {
origin, rpID, err := passkeyOriginAndRPID(r)
if err != nil {
return nil, err
}
return webauthn.New(&webauthn.Config{
RPID: rpID,
RPDisplayName: "MiauInv",
RPOrigins: []string{origin},
RPTopOrigins: []string{origin},
RPTopOriginVerificationMode: protocol.TopOriginExplicitVerificationMode,
AuthenticatorSelection: protocol.AuthenticatorSelection{
RequireResidentKey: protocol.ResidentKeyRequired(),
ResidentKey: protocol.ResidentKeyRequirementRequired,
UserVerification: protocol.VerificationRequired,
},
})
}
func passkeyOriginAndRPID(r *http.Request) (string, string, error) {
origin := strings.TrimSpace(r.Header.Get("Origin"))
if origin == "" {
scheme := strings.TrimSpace(r.Header.Get("X-Forwarded-Proto"))
if scheme == "" {
scheme = "https"
}
host := requestHost(r)
if host == "" {
return "", "", errors.New("missing request host")
}
origin = scheme + "://" + host
}
parsedOrigin, err := url.Parse(origin)
if err != nil || parsedOrigin.Scheme == "" || parsedOrigin.Host == "" {
return "", "", errors.New("invalid origin")
}
if parsedOrigin.Scheme != "https" && parsedOrigin.Hostname() != "localhost" {
return "", "", errors.New("passkeys require HTTPS except for localhost")
}
originHost := strings.ToLower(parsedOrigin.Hostname())
allowedHost := strings.ToLower(stripPort(requestHost(r)))
if allowedHost != "" && originHost != allowedHost {
return "", "", errors.New("origin host does not match request host")
}
return parsedOrigin.Scheme + "://" + parsedOrigin.Host, originHost, nil
}
func requestHost(r *http.Request) string {
if forwardedHost := strings.TrimSpace(r.Header.Get("X-Forwarded-Host")); forwardedHost != "" {
parts := strings.Split(forwardedHost, ",")
return strings.TrimSpace(parts[0])
}
return strings.TrimSpace(r.Host)
}
func stripPort(host string) string {
if host == "" {
return ""
}
if parsedHost, _, err := net.SplitHostPort(host); err == nil {
return parsedHost
}
if strings.Count(host, ":") == 0 {
return host
}
return host
}
func cloneRequestWithJSONBody(r *http.Request, raw json.RawMessage) *http.Request {
clone := r.Clone(r.Context())
clone.Body = io.NopCloser(bytes.NewReader(raw))
clone.ContentLength = int64(len(raw))
clone.Header = r.Header.Clone()
clone.Header.Set("Content-Type", "application/json")
return clone
}

18
models/activity.go Normal file
View File

@@ -0,0 +1,18 @@
package models
type ActivityLogEntry struct {
ID string `json:"id"`
UserID string `json:"user_id"`
Username string `json:"username"`
Action string `json:"action"`
EntityType string `json:"entity_type"`
EntityID string `json:"entity_id"`
Details string `json:"details"`
Method string `json:"method"`
Path string `json:"path"`
StatusCode int `json:"status_code"`
Success bool `json:"success"`
IPAddress string `json:"ip_address"`
UserAgent string `json:"user_agent"`
CreatedAt int64 `json:"created_at"`
}

2
models/constants.go
View File

@@ -1,5 +1,7 @@
package models
var JWTSecret []byte
// Roles
const (
RoleUser = "user"

10
models/dbmodels.go
View File

@@ -1,8 +1,10 @@
package models
type User struct {
ID string `json:"id"`
Username string `json:"username"`
Password string `json:"password"`
Role string `json:"role"`
ID string `json:"id"`
Username string `json:"username"`
Password string `json:"password"`
Role string `json:"role"`
TwoFactorEnabled bool `json:"two_factor_enabled"`
TwoFactorSecret string `json:"-"`
}

42
models/inventory.go
View File

@@ -5,7 +5,8 @@ type Item struct {
Name string `json:"name"`
Category string `json:"category"`
Description string `json:"description"`
TotalQuantity int `json:"total_quantity"`
TotalQuantity int `json:"total_quantity"` // Berechnet aus der Summe aller Stocks
FreeQuantity int `json:"free_quantity"` // TotalQuantity minus Summe aller Projekt-Zuweisungen
}
type Location struct {
@@ -20,10 +21,19 @@ type Project struct {
}
type Stock struct {
ID int `json:"id"`
ItemID int `json:"item_id"`
LocationID int `json:"location_id"`
Quantity int `json:"quantity"`
ID int `json:"id"`
ItemID int `json:"item_id"`
LocationID int `json:"location_id"`
Quantity int `json:"quantity"`
LocationName string `json:"location_name"` // Used to display the location in the modal table
}
type Association struct {
ID int `json:"id"`
ProjectID int `json:"project_id"`
ItemID int `json:"item_id"`
Quantity int `json:"quantity"`
ItemName string `json:"item_name"` // Used to display the item name in the modal table
}
type ProjectItem struct {
@@ -32,3 +42,25 @@ type ProjectItem struct {
ProjectID int `json:"project_id"`
Quantity int `json:"quantity"`
}
type ItemExtended struct {
ID int `json:"id"`
Name string `json:"name"`
Category string `json:"category"`
Description string `json:"description"`
TotalQuantity int `json:"total_quantity"` // Summe aus allen Stock-Einträgen
AllocatedQty int `json:"allocated_quantity"` // Summe aus allen Projekt-Zuweisungen
AvailableQty int `json:"available_quantity"` // Total - Allocated
}
type LocationContent struct {
ItemID int `json:"item_id"`
ItemName string `json:"item_name"`
Quantity int `json:"quantity"`
}
type ProjectDetailItem struct {
ItemID int `json:"item_id"`
ItemName string `json:"item_name"`
Quantity int `json:"quantity"`
}

19
models/passkeys.go Normal file
View File

@@ -0,0 +1,19 @@
package models
type PasskeyCredential struct {
ID string `json:"id"`
UserID string `json:"user_id"`
CredentialID string `json:"credential_id"`
Name string `json:"name"`
CredentialData string `json:"-"`
CreatedAt int64 `json:"created_at"`
LastUsedAt int64 `json:"last_used_at,omitempty"`
}
type PasskeyChallenge struct {
Token string `json:"token"`
UserID string `json:"user_id"`
Ceremony string `json:"ceremony"`
SessionData string `json:"-"`
ExpiresAt int64 `json:"expires_at"`
}

101
server/ratelimit.go Normal file
View File

@@ -0,0 +1,101 @@
package server
import (
"log"
"net"
"net/http"
"strconv"
"strings"
"sync"
"time"
)
type rateLimitState struct {
count int
resetAt time.Time
blockedUntil time.Time
}
type rateLimiter struct {
mu sync.Mutex
states map[string]*rateLimitState
maxRequests int
window time.Duration
blockFor time.Duration
}
func newRateLimiter(maxRequests int, window, blockFor time.Duration) *rateLimiter {
return &rateLimiter{
states: make(map[string]*rateLimitState),
maxRequests: maxRequests,
window: window,
blockFor: blockFor,
}
}
func (limiter *rateLimiter) Middleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if !limiter.allow(r) {
w.Header().Set("Retry-After", strconvSeconds(limiter.blockFor))
http.Error(w, "Too many requests", http.StatusTooManyRequests)
return
}
next.ServeHTTP(w, r)
})
}
func (limiter *rateLimiter) allow(r *http.Request) bool {
key := clientIP(r) + ":" + r.URL.Path
now := time.Now()
limiter.mu.Lock()
defer limiter.mu.Unlock()
state, ok := limiter.states[key]
if ok && now.Before(state.blockedUntil) {
return false
}
if !ok || now.After(state.resetAt) {
limiter.states[key] = &rateLimitState{
count: 1,
resetAt: now.Add(limiter.window),
}
return true
}
state.count++
if state.count > limiter.maxRequests {
state.blockedUntil = now.Add(limiter.blockFor)
state.resetAt = now.Add(limiter.window)
state.count = 0
log.Printf("Rate limit triggered for %s on %s", clientIP(r), r.URL.Path)
return false
}
return true
}
func clientIP(r *http.Request) string {
if forwardedFor := r.Header.Get("X-Forwarded-For"); forwardedFor != "" {
parts := strings.Split(forwardedFor, ",")
if ip := strings.TrimSpace(parts[0]); ip != "" {
return ip
}
}
if realIP := strings.TrimSpace(r.Header.Get("X-Real-IP")); realIP != "" {
return realIP
}
if host, _, err := net.SplitHostPort(r.RemoteAddr); err == nil {
return host
}
return r.RemoteAddr
}
func strconvSeconds(duration time.Duration) string {
seconds := int(duration.Seconds())
if seconds < 1 {
seconds = 1
}
return strconv.Itoa(seconds)
}

83
server/server.go
View File

@@ -5,18 +5,21 @@ import (
"MiauInv/config"
"MiauInv/frontend"
"MiauInv/handlers"
"MiauInv/models"
utils "MiauInv/util"
"log"
"net/http"
"os"
"time"
)
type Server struct {
Port string
JWTSecret []byte
DatabasePath string
CertificatePath string
PrivateKeyPath string
Port string
JWTSecret []byte
DatabasePath string
CertificatePath string
PrivateKeyPath string
AllowRegistration bool
}
func InitServer() *Server {
@@ -43,12 +46,15 @@ func InitServer() *Server {
return nil
}
models.JWTSecret = []byte(jwtSecret)
return &Server{
Port: cfg.Port,
JWTSecret: []byte(jwtSecret),
DatabasePath: cfg.DatabasePath,
CertificatePath: cfg.CertificatePath,
PrivateKeyPath: cfg.PrivateKeyPath,
Port: cfg.Port,
JWTSecret: []byte(jwtSecret),
DatabasePath: cfg.DatabasePath,
CertificatePath: cfg.CertificatePath,
PrivateKeyPath: cfg.PrivateKeyPath,
AllowRegistration: cfg.AllowRegistration,
}
}
@@ -61,27 +67,62 @@ func (this *Server) Run() {
//
mux.HandleFunc("/", frontend.Home)
mux.HandleFunc("/login", utils.RenderFile("frontend/htmx/login.html"))
mux.HandleFunc("/register", utils.RenderFile("frontend/htmx/register.html"))
mux.Handle("/dashboard", auth.AuthMiddleware(this.JWTSecret)(http.HandlerFunc(frontend.Dashboard)))
mux.Handle("/inventory", auth.AuthMiddleware(this.JWTSecret)(http.HandlerFunc(frontend.Inventory)))
mux.Handle("/items", auth.AuthMiddleware(this.JWTSecret)(http.HandlerFunc(frontend.Items)))
mux.Handle("/locations", auth.AuthMiddleware(this.JWTSecret)(http.HandlerFunc(frontend.Locations)))
mux.Handle("/projects", auth.AuthMiddleware(this.JWTSecret)(http.HandlerFunc(frontend.Projects)))
mux.Handle("/profile/settings", auth.AuthMiddleware(this.JWTSecret)(http.HandlerFunc(frontend.AccountSettings)))
mux.Handle("/profile/activity", auth.AuthMiddleware(this.JWTSecret)(http.HandlerFunc(frontend.Activity)))
mux.HandleFunc("/profile/", utils.RenderFile("frontend/htmx/under-construction.html"))
if this.AllowRegistration {
mux.HandleFunc("/register", utils.RenderFile("frontend/htmx/register.html"))
} else {
mux.HandleFunc("/register", utils.RenderFile("frontend/htmx/register-blocked.html"))
}
//
// API
//
mux.HandleFunc("/api/login", handlers.APILogin)
mux.HandleFunc("/api/register", handlers.APIRegister)
mux.HandleFunc("/api/refresh", handlers.RefreshToken)
mux.Handle("/api/logout", auth.AuthMiddleware(this.JWTSecret)(http.HandlerFunc(handlers.Logout)))
loginLimiter := newRateLimiter(10, time.Minute, 5*time.Minute)
accountLimiter := newRateLimiter(20, time.Minute, 2*time.Minute)
activityLimiter := newRateLimiter(60, time.Minute, 2*time.Minute)
mux.Handle("/api/item", auth.AuthMiddleware(this.JWTSecret)(http.HandlerFunc(handlers.Item)))
mux.Handle("/api/location", auth.AuthMiddleware(this.JWTSecret)(http.HandlerFunc(handlers.Location)))
mux.Handle("/api/project", auth.AuthMiddleware(this.JWTSecret)(http.HandlerFunc(handlers.Project)))
mux.Handle("/api/stock", auth.AuthMiddleware(this.JWTSecret)(http.HandlerFunc(handlers.Stock)))
mux.Handle("/api/association", auth.AuthMiddleware(this.JWTSecret)(http.HandlerFunc(handlers.Associations)))
authed := func(handler http.HandlerFunc) http.Handler {
return auth.AuthMiddleware(this.JWTSecret)(http.HandlerFunc(handler))
}
audited := func(entityType string, handler http.HandlerFunc) http.Handler {
return auth.AuthMiddleware(this.JWTSecret)(handlers.ActivityMiddleware(entityType, false)(http.HandlerFunc(handler)))
}
mux.Handle("/api/login", loginLimiter.Middleware(http.HandlerFunc(handlers.APILogin)))
mux.Handle("/api/login/2fa", loginLimiter.Middleware(http.HandlerFunc(handlers.APILoginTwoFactor)))
mux.Handle("/api/refresh", loginLimiter.Middleware(http.HandlerFunc(handlers.RefreshToken)))
mux.Handle("/api/logout", auth.AuthMiddleware(this.JWTSecret)(handlers.ActivityMiddleware("auth", true)(http.HandlerFunc(handlers.Logout))))
mux.Handle("/api/profile", authed(handlers.UserInfo))
mux.Handle("/api/activity", activityLimiter.Middleware(authed(handlers.ActivityLog)))
mux.Handle("/api/2fa/setup", accountLimiter.Middleware(audited("security", handlers.TwoFactorSetup)))
mux.Handle("/api/2fa/enable", loginLimiter.Middleware(audited("security", handlers.TwoFactorEnable)))
mux.Handle("/api/2fa/disable", loginLimiter.Middleware(audited("security", handlers.TwoFactorDisable)))
mux.Handle("/api/2fa/recovery-codes/regenerate", loginLimiter.Middleware(audited("security", handlers.TwoFactorRegenerateRecoveryCodes)))
mux.Handle("/api/userinfo", authed(handlers.UserInfo))
mux.Handle("/api/account/username", accountLimiter.Middleware(audited("account", handlers.AccountUpdateUsername)))
mux.Handle("/api/account/password", loginLimiter.Middleware(audited("account", handlers.AccountUpdatePassword)))
mux.Handle("/api/passkeys", accountLimiter.Middleware(audited("security", handlers.Passkeys)))
mux.Handle("/api/passkeys/register/options", accountLimiter.Middleware(audited("security", handlers.PasskeyRegisterOptions)))
mux.Handle("/api/passkeys/register/finish", accountLimiter.Middleware(audited("security", handlers.PasskeyRegisterFinish)))
mux.Handle("/api/passkeys/disable", loginLimiter.Middleware(audited("security", handlers.PasskeyDisable)))
mux.Handle("/api/passkeys/login/options", loginLimiter.Middleware(http.HandlerFunc(handlers.PasskeyLoginOptions)))
mux.Handle("/api/passkeys/login/finish", loginLimiter.Middleware(http.HandlerFunc(handlers.PasskeyLoginFinish)))
if this.AllowRegistration {
mux.Handle("/api/register", loginLimiter.Middleware(http.HandlerFunc(handlers.APIRegister)))
}
mux.Handle("/api/item", audited("item", handlers.Item))
mux.Handle("/api/location", audited("location", handlers.Location))
mux.Handle("/api/project", audited("project", handlers.Project))
mux.Handle("/api/stock", audited("stock", handlers.Stock))
mux.Handle("/api/association", audited("association", handlers.Associations))
// Assets
mux.HandleFunc("/assets/", frontend.Assets)

262
storage/passkeys.go Normal file
View File

@@ -0,0 +1,262 @@
package storage
import (
"MiauInv/models"
utils "MiauInv/util"
"database/sql"
"encoding/json"
"errors"
"time"
"github.com/go-webauthn/webauthn/webauthn"
)
const (
PasskeyCeremonyRegister = "register"
PasskeyCeremonyLogin = "login"
)
func AddPasskeyCredential(userID, name string, credential *webauthn.Credential) (models.PasskeyCredential, error) {
if DB == nil {
return models.PasskeyCredential{}, errors.New("db not initialized")
}
credentialJSON, err := json.Marshal(credential)
if err != nil {
return models.PasskeyCredential{}, err
}
row := models.PasskeyCredential{
ID: utils.GenerateUUID(),
UserID: userID,
CredentialID: utils.EncodeBase64URL(credential.ID),
Name: name,
CredentialData: string(credentialJSON),
CreatedAt: time.Now().Unix(),
}
if row.Name == "" {
row.Name = "Passkey"
}
_, err = DB.Exec(`
INSERT INTO passkey_credentials(id, user_id, credential_id, name, credential_data, created_at, last_used_at)
VALUES (?, ?, ?, ?, ?, ?, NULL)
`, row.ID, row.UserID, row.CredentialID, row.Name, row.CredentialData, row.CreatedAt)
if err != nil {
return models.PasskeyCredential{}, err
}
return row, nil
}
func ListPasskeyCredentials(userID string) ([]models.PasskeyCredential, error) {
if DB == nil {
return nil, errors.New("db not initialized")
}
rows, err := DB.Query(`
SELECT id, user_id, credential_id, name, credential_data, created_at, COALESCE(last_used_at, 0)
FROM passkey_credentials
WHERE user_id = ?
ORDER BY created_at DESC
`, userID)
if err != nil {
return nil, err
}
defer rows.Close()
credentials := make([]models.PasskeyCredential, 0)
for rows.Next() {
var credential models.PasskeyCredential
if err := rows.Scan(&credential.ID, &credential.UserID, &credential.CredentialID, &credential.Name, &credential.CredentialData, &credential.CreatedAt, &credential.LastUsedAt); err != nil {
return nil, err
}
credentials = append(credentials, credential)
}
return credentials, rows.Err()
}
func CountPasskeyCredentials(userID string) (int, error) {
if DB == nil {
return 0, errors.New("db not initialized")
}
var count int
err := DB.QueryRow("SELECT COUNT(*) FROM passkey_credentials WHERE user_id = ?", userID).Scan(&count)
return count, err
}
func GetPasskeyCredentialByCredentialID(credentialID string) (models.PasskeyCredential, error) {
if DB == nil {
return models.PasskeyCredential{}, errors.New("db not initialized")
}
row := DB.QueryRow(`
SELECT id, user_id, credential_id, name, credential_data, created_at, COALESCE(last_used_at, 0)
FROM passkey_credentials
WHERE credential_id = ?
`, credentialID)
return scanPasskeyCredential(row)
}
func GetPasskeyCredentialByID(userID, id string) (models.PasskeyCredential, error) {
if DB == nil {
return models.PasskeyCredential{}, errors.New("db not initialized")
}
row := DB.QueryRow(`
SELECT id, user_id, credential_id, name, credential_data, created_at, COALESCE(last_used_at, 0)
FROM passkey_credentials
WHERE user_id = ? AND id = ?
`, userID, id)
return scanPasskeyCredential(row)
}
func scanPasskeyCredential(row *sql.Row) (models.PasskeyCredential, error) {
var credential models.PasskeyCredential
err := row.Scan(&credential.ID, &credential.UserID, &credential.CredentialID, &credential.Name, &credential.CredentialData, &credential.CreatedAt, &credential.LastUsedAt)
return credential, err
}
func DecodeWebAuthnCredential(row models.PasskeyCredential) (webauthn.Credential, error) {
var credential webauthn.Credential
err := json.Unmarshal([]byte(row.CredentialData), &credential)
return credential, err
}
func DecodeWebAuthnCredentials(rows []models.PasskeyCredential) ([]webauthn.Credential, error) {
credentials := make([]webauthn.Credential, 0, len(rows))
for _, row := range rows {
credential, err := DecodeWebAuthnCredential(row)
if err != nil {
return nil, err
}
credentials = append(credentials, credential)
}
return credentials, nil
}
func UpdatePasskeyCredentialAfterLogin(userID string, credential *webauthn.Credential) error {
if DB == nil {
return errors.New("db not initialized")
}
credentialID := utils.EncodeBase64URL(credential.ID)
credentialJSON, err := json.Marshal(credential)
if err != nil {
return err
}
res, err := DB.Exec(`
UPDATE passkey_credentials
SET credential_data = ?, last_used_at = ?
WHERE user_id = ? AND credential_id = ?
`, string(credentialJSON), time.Now().Unix(), userID, credentialID)
if err != nil {
return err
}
n, err := res.RowsAffected()
if err != nil {
return err
}
if n == 0 {
return ErrNotFound
}
return nil
}
func DeletePasskeyCredential(userID, id string) error {
if DB == nil {
return errors.New("db not initialized")
}
res, err := DB.Exec("DELETE FROM passkey_credentials WHERE user_id = ? AND id = ?", userID, id)
if err != nil {
return err
}
n, err := res.RowsAffected()
if err != nil {
return err
}
if n == 0 {
return ErrNotFound
}
return nil
}
func DeleteAllPasskeyCredentials(userID string) error {
if DB == nil {
return errors.New("db not initialized")
}
_, err := DB.Exec("DELETE FROM passkey_credentials WHERE user_id = ?", userID)
return err
}
func SavePasskeyChallenge(token, userID, ceremony string, sessionData webauthn.SessionData, ttl time.Duration) error {
if DB == nil {
return errors.New("db not initialized")
}
encodedSession, err := json.Marshal(sessionData)
if err != nil {
return err
}
_, err = DB.Exec(`
INSERT INTO passkey_challenges(token, user_id, ceremony, session_data, expires_at)
VALUES (?, ?, ?, ?, ?)
`, token, userID, ceremony, string(encodedSession), time.Now().Add(ttl).Unix())
return err
}
func ConsumePasskeyChallenge(token, ceremony string) (models.PasskeyChallenge, webauthn.SessionData, error) {
if DB == nil {
return models.PasskeyChallenge{}, webauthn.SessionData{}, errors.New("db not initialized")
}
tx, err := DB.Begin()
if err != nil {
return models.PasskeyChallenge{}, webauthn.SessionData{}, err
}
defer tx.Rollback()
row := tx.QueryRow(`
SELECT token, user_id, ceremony, session_data, expires_at
FROM passkey_challenges
WHERE token = ? AND ceremony = ?
`, token, ceremony)
var challenge models.PasskeyChallenge
if err := row.Scan(&challenge.Token, &challenge.UserID, &challenge.Ceremony, &challenge.SessionData, &challenge.ExpiresAt); err != nil {
return models.PasskeyChallenge{}, webauthn.SessionData{}, err
}
if _, err := tx.Exec("DELETE FROM passkey_challenges WHERE token = ?", token); err != nil {
return models.PasskeyChallenge{}, webauthn.SessionData{}, err
}
if challenge.ExpiresAt < time.Now().Unix() {
return models.PasskeyChallenge{}, webauthn.SessionData{}, errors.New("passkey challenge expired")
}
var sessionData webauthn.SessionData
if err := json.Unmarshal([]byte(challenge.SessionData), &sessionData); err != nil {
return models.PasskeyChallenge{}, webauthn.SessionData{}, err
}
if err := tx.Commit(); err != nil {
return models.PasskeyChallenge{}, webauthn.SessionData{}, err
}
return challenge, sessionData, nil
}
func CleanupExpiredPasskeyChallenges() error {
if DB == nil {
return errors.New("db not initialized")
}
_, err := DB.Exec("DELETE FROM passkey_challenges WHERE expires_at < ?", time.Now().Unix())
return err
}

321
storage/storage.go
View File

@@ -2,10 +2,12 @@ package storage
import (
"MiauInv/models"
utils "MiauInv/util"
"database/sql"
"errors"
"log"
"strings"
"time"
_ "github.com/glebarez/go-sqlite"
)
@@ -27,7 +29,9 @@ func InitDB(filepath string) error {
id TEXT PRIMARY KEY,
username TEXT NOT NULL UNIQUE,
password TEXT NOT NULL,
role TEXT NOT NULL
role TEXT NOT NULL,
two_factor_enabled INTEGER NOT NULL DEFAULT 0,
two_factor_secret TEXT NOT NULL DEFAULT ''
);
CREATE TABLE IF NOT EXISTS refresh_tokens (
@@ -41,6 +45,52 @@ func InitDB(filepath string) error {
FOREIGN KEY(user_id) REFERENCES users(id)
);
CREATE TABLE IF NOT EXISTS two_factor_recovery_codes (
id TEXT PRIMARY KEY,
user_id TEXT NOT NULL,
code_hash TEXT NOT NULL,
created_at INTEGER NOT NULL,
used_at INTEGER DEFAULT NULL,
FOREIGN KEY(user_id) REFERENCES users(id) ON DELETE CASCADE,
UNIQUE(user_id, code_hash)
);
CREATE TABLE IF NOT EXISTS passkey_credentials (
id TEXT PRIMARY KEY,
user_id TEXT NOT NULL,
credential_id TEXT NOT NULL UNIQUE,
name TEXT NOT NULL,
credential_data TEXT NOT NULL,
created_at INTEGER NOT NULL,
last_used_at INTEGER DEFAULT NULL,
FOREIGN KEY(user_id) REFERENCES users(id) ON DELETE CASCADE
);
CREATE TABLE IF NOT EXISTS passkey_challenges (
token TEXT PRIMARY KEY,
user_id TEXT NOT NULL DEFAULT '',
ceremony TEXT NOT NULL,
session_data TEXT NOT NULL,
expires_at INTEGER NOT NULL
);
CREATE TABLE IF NOT EXISTS activity_logs (
id TEXT PRIMARY KEY,
user_id TEXT NOT NULL DEFAULT '',
username TEXT NOT NULL DEFAULT '',
action TEXT NOT NULL,
entity_type TEXT NOT NULL DEFAULT '',
entity_id TEXT NOT NULL DEFAULT '',
details TEXT NOT NULL DEFAULT '',
method TEXT NOT NULL DEFAULT '',
path TEXT NOT NULL DEFAULT '',
status_code INTEGER NOT NULL DEFAULT 0,
success INTEGER NOT NULL DEFAULT 0,
ip_address TEXT NOT NULL DEFAULT '',
user_agent TEXT NOT NULL DEFAULT '',
created_at INTEGER NOT NULL
);
CREATE TABLE IF NOT EXISTS items (
id INTEGER PRIMARY KEY AUTOINCREMENT,
name TEXT NOT NULL,
@@ -84,27 +134,284 @@ func InitDB(filepath string) error {
log.Fatal(err)
}
if err := ensureUserTwoFactorColumns(); err != nil {
return err
}
if err := ensureActivityLogIndexes(); err != nil {
return err
}
return nil
}
func ensureUserTwoFactorColumns() error {
migrations := []string{
"ALTER TABLE users ADD COLUMN two_factor_enabled INTEGER NOT NULL DEFAULT 0",
"ALTER TABLE users ADD COLUMN two_factor_secret TEXT NOT NULL DEFAULT ''",
}
for _, migration := range migrations {
_, err := DB.Exec(migration)
if err != nil && !strings.Contains(strings.ToLower(err.Error()), "duplicate column") {
return err
}
}
return nil
}
func ensureActivityLogIndexes() error {
indexes := []string{
"CREATE INDEX IF NOT EXISTS idx_activity_logs_user_created ON activity_logs(user_id, created_at DESC)",
"CREATE INDEX IF NOT EXISTS idx_activity_logs_created ON activity_logs(created_at DESC)",
"CREATE INDEX IF NOT EXISTS idx_activity_logs_action ON activity_logs(action)",
}
for _, stmt := range indexes {
if _, err := DB.Exec(stmt); err != nil {
return err
}
}
return nil
}
// Activity logs
func AddActivityLog(entry models.ActivityLogEntry) error {
if DB == nil {
return errors.New("db not initialized")
}
if entry.ID == "" {
entry.ID = utils.GenerateUUID()
}
if entry.CreatedAt == 0 {
entry.CreatedAt = time.Now().Unix()
}
success := 0
if entry.Success {
success = 1
}
_, err := DB.Exec(`
INSERT INTO activity_logs(
id, user_id, username, action, entity_type, entity_id, details,
method, path, status_code, success, ip_address, user_agent, created_at
) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
`, entry.ID, entry.UserID, entry.Username, entry.Action, entry.EntityType, entry.EntityID, entry.Details,
entry.Method, entry.Path, entry.StatusCode, success, entry.IPAddress, entry.UserAgent, entry.CreatedAt)
return err
}
func ListActivityLogs(userID string, includeAll bool, limit, offset int) ([]models.ActivityLogEntry, error) {
if DB == nil {
return nil, errors.New("db not initialized")
}
if limit <= 0 {
limit = 50
}
if limit > 100 {
limit = 100
}
if offset < 0 {
offset = 0
}
query := `
SELECT id, user_id, username, action, entity_type, entity_id, details,
method, path, status_code, success, ip_address, user_agent, created_at
FROM activity_logs
`
args := []interface{}{}
if !includeAll {
query += " WHERE user_id = ?"
args = append(args, userID)
}
query += " ORDER BY created_at DESC, id DESC LIMIT ? OFFSET ?"
args = append(args, limit, offset)
rows, err := DB.Query(query, args...)
if err != nil {
return nil, err
}
defer rows.Close()
logs := []models.ActivityLogEntry{}
for rows.Next() {
var entry models.ActivityLogEntry
var success int
if err := rows.Scan(
&entry.ID, &entry.UserID, &entry.Username, &entry.Action, &entry.EntityType, &entry.EntityID, &entry.Details,
&entry.Method, &entry.Path, &entry.StatusCode, &success, &entry.IPAddress, &entry.UserAgent, &entry.CreatedAt,
); err != nil {
return nil, err
}
entry.Success = success == 1
logs = append(logs, entry)
}
return logs, rows.Err()
}
// Users
func AddUser(user *models.User) error {
_, err := DB.Exec("INSERT INTO users(id, username, password, role) VALUES (?, ?, ?, ?)", user.ID, strings.ToLower(user.Username), user.Password, user.Role)
return err
}
func GetUserByUsername(username string) (models.User, error) {
row := DB.QueryRow("SELECT * FROM users WHERE username = ?", strings.ToLower(username))
var user models.User
err := row.Scan(&user.ID, &user.Username, &user.Password, &user.Role)
return user, err
row := DB.QueryRow(`
SELECT id, username, password, role, two_factor_enabled, two_factor_secret
FROM users
WHERE username = ?
`, strings.ToLower(username))
return scanUser(row)
}
func GetUserById(id string) (models.User, error) {
row := DB.QueryRow("SELECT * FROM users WHERE id = ?", id)
row := DB.QueryRow(`
SELECT id, username, password, role, two_factor_enabled, two_factor_secret
FROM users
WHERE id = ?
`, id)
return scanUser(row)
}
func scanUser(row *sql.Row) (models.User, error) {
var user models.User
err := row.Scan(&user.ID, &user.Username, &user.Password, &user.Role)
var twoFactorEnabled int
err := row.Scan(&user.ID, &user.Username, &user.Password, &user.Role, &twoFactorEnabled, &user.TwoFactorSecret)
user.TwoFactorEnabled = twoFactorEnabled == 1
return user, err
}
func UpdateUserUsername(userID, username string) error {
res, err := DB.Exec("UPDATE users SET username = ? WHERE id = ?", strings.ToLower(username), userID)
if err != nil {
return err
}
n, err := res.RowsAffected()
if err != nil {
return err
}
if n == 0 {
return ErrNotFound
}
return nil
}
func UpdateUserPassword(userID, passwordHash string) error {
res, err := DB.Exec("UPDATE users SET password = ? WHERE id = ?", passwordHash, userID)
if err != nil {
return err
}
n, err := res.RowsAffected()
if err != nil {
return err
}
if n == 0 {
return ErrNotFound
}
return nil
}
func SetUserTwoFactorSecret(userID, secret string) error {
_, err := DB.Exec("UPDATE users SET two_factor_secret = ? WHERE id = ?", secret, userID)
return err
}
func EnableUserTwoFactorWithSecretAndRecoveryCodes(userID, twoFactorSecret string, recoveryCodeHashes []string) error {
tx, err := DB.Begin()
if err != nil {
return err
}
defer tx.Rollback()
if _, err := tx.Exec("DELETE FROM two_factor_recovery_codes WHERE user_id = ?", userID); err != nil {
return err
}
now := time.Now().Unix()
for _, codeHash := range recoveryCodeHashes {
if _, err := tx.Exec(`
INSERT INTO two_factor_recovery_codes(id, user_id, code_hash, created_at)
VALUES (?, ?, ?, ?)
`, utils.GenerateUUID(), userID, codeHash, now); err != nil {
return err
}
}
if _, err := tx.Exec("UPDATE users SET two_factor_enabled = 1, two_factor_secret = ? WHERE id = ?", twoFactorSecret, userID); err != nil {
return err
}
return tx.Commit()
}
func DisableUserTwoFactor(userID string) error {
tx, err := DB.Begin()
if err != nil {
return err
}
defer tx.Rollback()
if _, err := tx.Exec("UPDATE users SET two_factor_enabled = 0, two_factor_secret = '' WHERE id = ?", userID); err != nil {
return err
}
if _, err := tx.Exec("DELETE FROM two_factor_recovery_codes WHERE user_id = ?", userID); err != nil {
return err
}
return tx.Commit()
}
func ReplaceUserRecoveryCodes(userID string, recoveryCodeHashes []string) error {
tx, err := DB.Begin()
if err != nil {
return err
}
defer tx.Rollback()
if _, err := tx.Exec("DELETE FROM two_factor_recovery_codes WHERE user_id = ?", userID); err != nil {
return err
}
now := time.Now().Unix()
for _, codeHash := range recoveryCodeHashes {
if _, err := tx.Exec(`
INSERT INTO two_factor_recovery_codes(id, user_id, code_hash, created_at)
VALUES (?, ?, ?, ?)
`, utils.GenerateUUID(), userID, codeHash, now); err != nil {
return err
}
}
return tx.Commit()
}
func UseUserRecoveryCode(userID, codeHash string) (bool, error) {
res, err := DB.Exec(`
UPDATE two_factor_recovery_codes
SET used_at = ?
WHERE user_id = ? AND code_hash = ? AND used_at IS NULL
`, time.Now().Unix(), userID, codeHash)
if err != nil {
return false, err
}
n, err := res.RowsAffected()
if err != nil {
return false, err
}
return n == 1, nil
}
func CountUnusedRecoveryCodes(userID string) (int, error) {
var count int
err := DB.QueryRow(`
SELECT COUNT(*)
FROM two_factor_recovery_codes
WHERE user_id = ? AND used_at IS NULL
`, userID).Scan(&count)
return count, err
}
// Refresh Tokens
func AddRefreshToken(token *models.RefreshToken) error {
_, err := DB.Exec("INSERT INTO refresh_tokens(id, user_id, token_hash, expires_at, created_at, revoked, device_info) VALUES (?, ?, ?, ?, ?, ?, ?)",

7
util/util.go
View File

@@ -23,12 +23,19 @@ func GenerateSecret() string {
return base64.StdEncoding.EncodeToString(b)
}
func GenerateRefreshToken() (string, error) {
return GenerateOpaqueToken()
}
func GenerateOpaqueToken() (string, error) {
b := make([]byte, 32)
if _, err := rand.Read(b); err != nil {
return "", err
}
return base64.RawURLEncoding.EncodeToString(b), nil
}
func EncodeBase64URL(data []byte) string {
return base64.RawURLEncoding.EncodeToString(data)
}
func HashToken(token string) string {
hash := sha256.Sum256([]byte(token))
return hex.EncodeToString(hash[:])