login via magic link

2026-01-04 19:24:01 -05:00 · 2026-01-04 19:24:01 -05:00 · 94a05b0433
commit 94a05b0433
parent 9fe6a6beb1
22 changed files with 815 additions and 122 deletions
--- a/internal/middleware/auth.go
+++ b/internal/middleware/auth.go
@ -10,13 +10,58 @@ import (
 // TODO: implement clearing jwt token in auth service

 // AuthMiddleware checks for JWT token and adds user + profile + subscription to context if valid
-func AuthMiddleware(authService *service.AuthService, userService *service.UserService) func(http.Handler) http.Handler {
+func AuthMiddleware(authService *service.AuthService, userService *service.UserService, profileService *service.ProfileService) func(http.Handler) http.Handler {
 	return func(next http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			// TODO: get auth cookie and verify value
-			// TODO: fetch user information from database if cookie value is valid
-			// TODO: add user to context if valid
-			next.ServeHTTP(w, r)
+			// Get JWT from cookie
+			cookie, err := r.Cookie("auth_token")
+			if err != nil {
+				// No cookie, continue without auth
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Verify token
+			claims, err := authService.VerifyJWT(cookie.Value)
+			if err != nil {
+				// Invalid token, clear cookie and continue
+				authService.ClearJWTCookie(w)
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Get user ID from claims
+			userID, ok := claims["user_id"].(string)
+			if !ok {
+				authService.ClearJWTCookie(w)
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Fetch user from database
+			user, err := userService.ByID(userID)
+			if err != nil {
+
+				authService.ClearJWTCookie(w)
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Security: Remove password hash from context
+			user.PasswordHash = nil
+
+			profile, err := profileService.ByUserID(userID)
+			if err != nil {
+				// Profile not found - this shouldn't happen but handle gracefully
+				authService.ClearJWTCookie(w)
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			// Add user + profile to context
+			ctx := ctxkeys.WithUser(r.Context(), user)
+			ctx = ctxkeys.WithProfile(ctx, profile)
+			next.ServeHTTP(w, r.WithContext(ctx))
 		})
 	}
 }
@ -56,17 +101,17 @@ func RequireAuth(next http.HandlerFunc) http.HandlerFunc {

 		// Check if user has completed onboarding
 		// Uses profile.Name as indicator (empty = incomplete onboarding)
-		profile := ctxkeys.Profile(r.Context())
-		if profile.Name == "" && r.URL.Path != "/auth/onboarding" {
-			// User hasn't completed onboarding, redirect to onboarding
-			if r.Header.Get("HX-Request") == "true" {
-				w.Header().Set("HX-Redirect", "/auth/onboarding")
-				w.WriteHeader(http.StatusSeeOther)
-				return
-			}
-			http.Redirect(w, r, "/auth/onboarding", http.StatusSeeOther)
-			return
-		}
+		// profile := ctxkeys.Profile(r.Context())
+		// if profile.Name == "" && r.URL.Path != "/auth/onboarding" {
+		// 	// User hasn't completed onboarding, redirect to onboarding
+		// 	if r.Header.Get("HX-Request") == "true" {
+		// 		w.Header().Set("HX-Redirect", "/auth/onboarding")
+		// 		w.WriteHeader(http.StatusSeeOther)
+		// 		return
+		// 	}
+		// 	http.Redirect(w, r, "/auth/onboarding", http.StatusSeeOther)
+		// 	return
+		// }

 		next.ServeHTTP(w, r)
 	}