event_sourcing_user_management_poc

PoC for user management in Event Sourcing using SQLite3

// Copyright 2025 Shota FUJI
//
// This source code is licensed under Zero-Clause BSD License.
// You can find a copy of the Zero-Clause BSD License at LICENSES/0BSD.txt
// You may also obtain a copy of the Zero-Clause BSD License at
// <https://opensource.org/license/0bsd>
//
// SPDX-License-Identifier: 0BSD

package routes

import (
	"bytes"
	"database/sql"
	_ "embed"
	"fmt"
	"net/http"

	"github.com/charmbracelet/log"
	"github.com/google/uuid"
	"google.golang.org/protobuf/proto"

	"pocka.jp/x/event_sourcing_user_management_poc/auth"
	"pocka.jp/x/event_sourcing_user_management_poc/events"
	"pocka.jp/x/event_sourcing_user_management_poc/gen/event"
	"pocka.jp/x/event_sourcing_user_management_poc/gen/model"
	"pocka.jp/x/event_sourcing_user_management_poc/projections/initial_admin_creation_password"
)

// initialAdminCreationHtml holds the contents of initial_admin_creation.html,
// embedded at build time. The handlers in this package serve it as the
// initial admin creation form.
var (
	//go:embed initial_admin_creation.html
	initialAdminCreationHtml string
)

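// Handler builds the HTTP mux for the PoC. "/" serves the initial admin
// creation form while an initial admin creation password is still active
// (and a placeholder otherwise); "POST /initial-admin" consumes that
// password to create the first admin user.
//
// db is the event store read and written by the events package; logger
// receives server-side failures. Error details are logged, never sent to
// the client.
func Handler(db *sql.DB, logger *log.Logger) http.Handler {
	mux := http.NewServeMux()
	mux.HandleFunc("/", rootHandler(db, logger))
	mux.HandleFunc("/initial-admin", initialAdminHandler(db, logger))
	return mux
}

// writeForm serves the embedded initial admin creation form with the given
// HTTP status. The content type is set explicitly so the client does not
// depend on content sniffing.
func writeForm(w http.ResponseWriter, status int) {
	w.Header().Set("Content-Type", "text/html; charset=utf-8")
	w.WriteHeader(status)
	fmt.Fprint(w, initialAdminCreationHtml)
}

// rootHandler serves "/": the creation form while an initial admin creation
// password is active, a placeholder otherwise.
func rootHandler(db *sql.DB, logger *log.Logger) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		// Named evs (not events) so the events package is not shadowed.
		evs, err := events.List(db)
		if err != nil {
			logger.Error(err)
			http.Error(w, "Server error: event loading failure", http.StatusInternalServerError)
			return
		}

		if initial_admin_creation_password.GetFromUserEvents(evs) != nil {
			writeForm(w, http.StatusOK)
			return
		}

		fmt.Fprint(w, "TODO")
	}
}

// initialAdminHandler serves "POST /initial-admin". It checks the submitted
// init_password against the active initial admin creation password, records
// the new admin as UserCreated, PasswordLoginConfigured and RoleAssigned
// events, and signs the client in through the "id" cookie.
//
// Every validation failure re-renders the form with a non-2xx status; the
// specific reason is deliberately not spelled out to the client.
func initialAdminHandler(db *sql.DB, logger *log.Logger) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost {
			// 405 rather than 404: the resource exists, only the method is wrong,
			// and RFC 9110 requires Allow to accompany a 405.
			w.Header().Set("Allow", http.MethodPost)
			http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
			return
		}

		evs, err := events.List(db)
		if err != nil {
			logger.Error(err)
			http.Error(w, "Server error: event loading failure", http.StatusInternalServerError)
			return
		}

		initialAdminPass := initial_admin_creation_password.GetFromUserEvents(evs)
		if initialAdminPass == nil {
			logger.Debug("Found no active initial admin creation password at POST /initial-admin, redirecting")
			http.Redirect(w, r, "/", http.StatusSeeOther)
			return
		}

		// A body that cannot be parsed is a client error, not a server one.
		if err := r.ParseForm(); err != nil {
			writeForm(w, http.StatusBadRequest)
			return
		}

		username := r.PostForm.Get("username")
		email := r.PostForm.Get("email")
		password := r.PostForm.Get("password")
		initPassword := r.PostForm.Get("init_password")

		if username == "" || email == "" || password == "" || initPassword == "" {
			writeForm(w, http.StatusBadRequest)
			return
		}

		// NOTE(review): bytes.Equal is not constant-time; crypto/subtle's
		// ConstantTimeCompare is the usual choice when comparing secret hashes.
		initPwHash := auth.HashPassword(initPassword, initialAdminPass.Salt)
		if !bytes.Equal(initialAdminPass.Hash, initPwHash) {
			writeForm(w, http.StatusUnauthorized)
			return
		}

		pwHash, salt := auth.HashPasswordWithRandomSalt(password)
		id := uuid.New().String()

		// PasswordLoginConfigured carries no user id here — presumably the
		// projection ties it to the preceding UserCreated by event order;
		// verify against the projection before relying on it.
		if err := events.Insert(db, []proto.Message{
			&event.UserCreated{
				Id:          proto.String(id),
				DisplayName: proto.String(username),
				Email:       proto.String(email),
			},
			&event.PasswordLoginConfigured{
				PasswordHash: pwHash,
				Salt:         salt,
			},
			&event.RoleAssigned{
				UserId: proto.String(id),
				Role:   model.Role.Enum(model.Role_ROLE_ADMIN),
			},
		}); err != nil {
			logger.Error(err)
			writeForm(w, http.StatusInternalServerError)
			return
		}

		// This project is PoC for event sourcing. UI and security is completely out-of-scope.
		// The cookie value is the bare user id; HttpOnly and SameSite keep it
		// away from scripts and cross-site POSTs without changing how the PoC
		// reads it back.
		http.SetCookie(w, &http.Cookie{
			Name:     "id",
			Value:    id,
			Path:     "/",
			HttpOnly: true,
			SameSite: http.SameSiteLaxMode,
		})

		// 303 after a POST so the browser re-requests "/" with GET, matching
		// the redirect used when no creation password is active.
		http.Redirect(w, r, "/", http.StatusSeeOther)
	}
}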