Merge pull request 'feat: password auth' (#2) from feat/password-auth into main

Reviewed-on: #2
2026-02-07 19:13:01 +00:00 · 2026-02-07 19:13:01 +00:00 · 1c210bde67
commit 1c210bde67
parent a638e8d622 7443547593
7 changed files with 317 additions and 9 deletions
--- a/internal/handler/auth.go
+++ b/internal/handler/auth.go
@ -1,6 +1,7 @@
 package handler

 import (
+	"errors"
 	"log/slog"
 	"net/http"
 	"strings"
@ -31,6 +32,70 @@ func (h *authHandler) PasswordPage(w http.ResponseWriter, r *http.Request) {
 	ui.Render(w, r, pages.AuthPassword(""))
 }

+func (h *authHandler) LoginWithPassword(w http.ResponseWriter, r *http.Request) {
+	email := strings.TrimSpace(r.FormValue("email"))
+	password := r.FormValue("password")
+
+	if email == "" || password == "" {
+		ui.Render(w, r, pages.AuthPassword("Email and password are required"))
+		return
+	}
+
+	user, err := h.authService.LoginWithPassword(email, password)
+	if err != nil {
+		slog.Warn("password login failed", "error", err, "email", email)
+
+		msg := "An error occurred. Please try again."
+		if errors.Is(err, service.ErrInvalidCredentials) {
+			msg = "Invalid email or password"
+		} else if errors.Is(err, service.ErrNoPassword) {
+			msg = "This account uses passwordless login. Please use a magic link."
+		}
+
+		ui.Render(w, r, pages.AuthPassword(msg))
+		return
+	}
+
+	jwtToken, err := h.authService.GenerateJWT(user)
+	if err != nil {
+		slog.Error("failed to generate JWT", "error", err, "user_id", user.ID)
+		ui.Render(w, r, pages.AuthPassword("An error occurred. Please try again."))
+		return
+	}
+
+	h.authService.SetJWTCookie(w, jwtToken, time.Now().Add(7*24*time.Hour))
+
+	// Check for pending invite
+	inviteCookie, err := r.Cookie("pending_invite")
+	if err == nil && inviteCookie.Value != "" {
+		spaceID, err := h.inviteService.AcceptInvite(inviteCookie.Value, user.ID)
+		if err != nil {
+			slog.Error("failed to process pending invite", "error", err, "token", inviteCookie.Value)
+		} else {
+			slog.Info("accepted pending invite", "user_id", user.ID, "space_id", spaceID)
+			http.SetCookie(w, &http.Cookie{
+				Name:     "pending_invite",
+				Value:    "",
+				Path:     "/",
+				MaxAge:   -1,
+				HttpOnly: true,
+			})
+		}
+	}
+
+	needsOnboarding, err := h.authService.NeedsOnboarding(user.ID)
+	if err != nil {
+		slog.Warn("failed to check onboarding status", "error", err, "user_id", user.ID)
+	}
+
+	if needsOnboarding {
+		http.Redirect(w, r, "/auth/onboarding", http.StatusSeeOther)
+		return
+	}
+
+	http.Redirect(w, r, "/app/dashboard", http.StatusSeeOther)
+}
+
 func (h *authHandler) Logout(w http.ResponseWriter, r *http.Request) {
 	h.authService.ClearJWTCookie(w)
 	http.Redirect(w, r, "/", http.StatusSeeOther)
--- a/internal/handler/settings.go
+++ b/internal/handler/settings.go
@ -0,0 +1,74 @@
+package handler
+
+import (
+	"errors"
+	"log/slog"
+	"net/http"
+
+	"git.juancwu.dev/juancwu/budgit/internal/ctxkeys"
+	"git.juancwu.dev/juancwu/budgit/internal/service"
+	"git.juancwu.dev/juancwu/budgit/internal/ui"
+	"git.juancwu.dev/juancwu/budgit/internal/ui/pages"
+)
+
+type settingsHandler struct {
+	authService *service.AuthService
+	userService *service.UserService
+}
+
+func NewSettingsHandler(authService *service.AuthService, userService *service.UserService) *settingsHandler {
+	return &settingsHandler{
+		authService: authService,
+		userService: userService,
+	}
+}
+
+func (h *settingsHandler) SettingsPage(w http.ResponseWriter, r *http.Request) {
+	user := ctxkeys.User(r.Context())
+
+	// Re-fetch user from DB since middleware strips PasswordHash
+	fullUser, err := h.userService.ByID(user.ID)
+	if err != nil {
+		slog.Error("failed to fetch user for settings", "error", err, "user_id", user.ID)
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+		return
+	}
+
+	ui.Render(w, r, pages.AppSettings(fullUser.HasPassword(), ""))
+}
+
+func (h *settingsHandler) SetPassword(w http.ResponseWriter, r *http.Request) {
+	user := ctxkeys.User(r.Context())
+
+	currentPassword := r.FormValue("current_password")
+	newPassword := r.FormValue("new_password")
+	confirmPassword := r.FormValue("confirm_password")
+
+	// Re-fetch user to check HasPassword
+	fullUser, err := h.userService.ByID(user.ID)
+	if err != nil {
+		slog.Error("failed to fetch user for set password", "error", err, "user_id", user.ID)
+		http.Error(w, "Internal Server Error", http.StatusInternalServerError)
+		return
+	}
+
+	err = h.authService.SetPassword(user.ID, currentPassword, newPassword, confirmPassword)
+	if err != nil {
+		slog.Warn("set password failed", "error", err, "user_id", user.ID)
+
+		msg := "An error occurred. Please try again."
+		if errors.Is(err, service.ErrInvalidCredentials) {
+			msg = "Current password is incorrect"
+		} else if errors.Is(err, service.ErrPasswordsDoNotMatch) {
+			msg = "New passwords do not match"
+		} else if errors.Is(err, service.ErrWeakPassword) {
+			msg = "Password must be at least 12 characters"
+		}
+
+		ui.Render(w, r, pages.AppSettings(fullUser.HasPassword(), msg))
+		return
+	}
+
+	// Password set successfully — render page with success message
+	ui.Render(w, r, pages.AppSettings(true, ""))
+}