feat: Add thread and post editing functionality

- Implement thread and post editing capabilities
- Enhance CSRF token handling
- Improve user authentication
- Update database queries for editing support
- Add new HTML templates for edit pages
- Refactor code for better error handling and logging
- Add new routes for edit pages
- Update existing routes to use new user middleware

Change-Id: I5a8339fea53bac56c60a5207d548cb052d0f55a1
Signed-off-by: Ian Meyer <[email protected]>

Author: imeyer

BUILD.bazel

@@ -25,6 +25,8 @@ go_library(
     ],
     embedsrcs = [
         "tmpl/edit-profile.html",
+        "tmpl/edit-thread.html",
+        "tmpl/edit-thread-post.html",
         "tmpl/error.html",
         "tmpl/footer.html",
         "tmpl/header.html",
@@ -42,13 +44,15 @@ go_library(
         "gitSha": "{STABLE_GIT_SHA}",
     },
     deps = [
+        "@com_github_google_uuid//:uuid",
         "@com_github_jackc_pgx_v5//:pgx",
         "@com_github_jackc_pgx_v5//pgconn",
         "@com_github_jackc_pgx_v5//pgtype",
         "@com_github_jackc_pgx_v5//pgxpool",
         "@com_github_microcosm_cc_bluemonday//:bluemonday",
         "@com_github_prometheus_client_golang//prometheus",
         "@com_github_prometheus_client_golang//prometheus/promhttp",
+        "@com_github_prometheus_client_golang//prometheus/testutil",
         "@com_github_yuin_goldmark//:goldmark",
         "@com_github_yuin_goldmark//extension",
         "@com_github_yuin_goldmark//renderer/html",
@@ -76,6 +80,7 @@ go_test(
         "config_test.go",
         "csrf_test.go",
         "helpers_test.go",
+        "metrics_test.go",
         "parser_test.go",
         "server_test.go",
     ],

MODULE.bazel

@@ -16,6 +16,7 @@ go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//:go.mod")
 use_repo(
     go_deps,
+    "com_github_google_uuid",
     "com_github_jackc_pgx_v5",
     "com_github_microcosm_cc_bluemonday",
     "com_github_prometheus_client_golang",

Makefile

@@ -8,6 +8,8 @@ else
 	$(error Unsupported platform: $(UNAME_S))
 endif
 
+SUDO_C := $(shell which sudo)
+
 # Detect architecture
 UNAME_M := $(shell uname -m)
 ifeq ($(UNAME_M),arm64)
@@ -28,9 +30,9 @@ BAZEL_RELEASE_ARGS := build --config=silent --stamp --workspace_status_command="
 BAZEL_TEST_ARGS := test --config=silent --build_tests_only --test_output=errors
 BAZEL_RUN_ARGS := run
 # Change the hostname to anything you wish to use for testing
-BAZEL_RUN_TRAILING_ARGS := -hostname discuss-dev
+BAZEL_RUN_TRAILING_ARGS := -hostname discuss-dev -debug
 
-.PHONY: all clean test run run-binary genhtml release coverage
+.PHONY: all clean test run run-binary genhtml release coverage setup-db
 
 all: test build
 
@@ -63,6 +65,10 @@ genhtml:
 	@[ -d "$(shell pwd)/genhtml" ] && rm -rf "$(shell pwd)/genhtml" && echo "Removed previous genhtml/"
 	@genhtml --branch-coverage --output genhtml "$(shell $(BAZEL) info output_path)/_coverage/_coverage_report.dat" 2>&1>/dev/null
 
+clean-db:
+	@dropdb -U discuss discuss
+	@createdb -U discuss discuss
+	@psql -U discuss discuss < sqlc/schema.sql
 
 clean:
 	$(BAZEL) clean

csrf.go

@@ -15,11 +15,14 @@ const (
 	csrfTokenLength = 32
 	csrfCookieName  = "csrf_token"
 	csrfHeaderName  = "X-CSRF-Token"
+	csrfContextKey  = "CSRFToken"
+	cleanupInterval = 1 * time.Hour
+	tokenExpiryTime = 12 * time.Hour
 )
 
 var (
 	tokenStore   = make(map[string]time.Time)
-	tokenStoreMu sync.Mutex
+	tokenStoreMu sync.RWMutex
 	timeNow      = time.Now
 	csrfLogger   *slog.Logger
 )
@@ -28,47 +31,54 @@ func initCSRFLogger(logger *slog.Logger) {
 	csrfLogger = logger
 }
 
-func generateCSRFToken() (string, error) {
+func generateCSRFToken() string {
 	b := make([]byte, csrfTokenLength)
-	_, err := rand.Read(b)
-	if err != nil {
-		return "", err
+	if _, err := rand.Read(b); err != nil {
+		if csrfLogger != nil {
+			csrfLogger.Error("Failed to generate CSRF token", "error", err)
+		}
+		return ""
 	}
-	return base64.StdEncoding.EncodeToString(b), nil
+	return base64.StdEncoding.EncodeToString(b)
 }
 
-func setCSRFToken(r *http.Request, w http.ResponseWriter) (string, error) {
-	token, err := generateCSRFToken()
-	if err != nil {
-		return "", err
+func setCSRFToken(w http.ResponseWriter, r *http.Request) (string, error) {
+	token := generateCSRFToken()
+	if token == "" {
+		return "", errors.New("Failed to generate CSRF token")
 	}
 
 	isSecure := r.TLS != nil || r.Header.Get("X-Forwarded-Proto") == "https"
 
 	http.SetCookie(w, &http.Cookie{
 		Name:     csrfCookieName,
 		Value:    token,
+		Path:     "/",
 		HttpOnly: true,
-		Secure:   isSecure, // Set to true if using HTTPS
+		Secure:   isSecure,
 		SameSite: http.SameSiteStrictMode,
+		MaxAge:   int(tokenExpiryTime.Seconds()),
 	})
 
-	if csrfLogger != nil {
-		csrfLogger.DebugContext(r.Context(), "set csrf cookie")
-	}
-
 	tokenStoreMu.Lock()
-	tokenStore[token] = timeNow().Add(24 * time.Hour) // Token expires in 24 hours
+	tokenStore[token] = timeNow().Add(tokenExpiryTime)
 	tokenStoreMu.Unlock()
 
 	return token, nil
 }
 
+func GetCSRFToken(r *http.Request) string {
+	if token, ok := r.Context().Value(csrfContextKey).(string); ok {
+		return token
+	}
+	return ""
+}
+
 func validateCSRFToken(r *http.Request) error {
 	cookie, err := r.Cookie(csrfCookieName)
 	if err != nil {
 		if csrfLogger != nil {
-			csrfLogger.DebugContext(r.Context(), "csrf error", slog.String("message", err.Error()))
+			csrfLogger.Debug("CSRF cookie not found", "error", err)
 		}
 		return errors.New("CSRF cookie not found")
 	}
@@ -78,59 +88,99 @@ func validateCSRFToken(r *http.Request) error {
 		token = r.FormValue("csrf_token")
 		if token == "" {
 			if csrfLogger != nil {
-				csrfLogger.DebugContext(r.Context(), "csrf token not found in header or form")
+				csrfLogger.Debug("CSRF token not found in header or form")
 			}
-			return errors.New("CSRF token not found in header or form")
+			return errors.New("CSRF token not found")
 		}
 	}
 
 	if cookie.Value != token {
 		if csrfLogger != nil {
-			csrfLogger.DebugContext(r.Context(), "csrf token mismatch")
+			csrfLogger.Debug("CSRF token mismatch")
 		}
 		return errors.New("CSRF token mismatch")
 	}
 
-	tokenStoreMu.Lock()
-	defer tokenStoreMu.Unlock()
-
+	tokenStoreMu.RLock()
 	expiry, exists := tokenStore[token]
+	tokenStoreMu.RUnlock()
+
 	if !exists {
 		if csrfLogger != nil {
-			csrfLogger.DebugContext(r.Context(), "csrf token not found in store")
+			csrfLogger.Debug("CSRF token not found in store")
 		}
 		return errors.New("CSRF token not found in store")
 	}
 
 	if timeNow().After(expiry) {
-		delete(tokenStore, token)
 		if csrfLogger != nil {
-			csrfLogger.DebugContext(r.Context(), "csrf token expired")
+			csrfLogger.Debug("CSRF token expired")
 		}
 		return errors.New("CSRF token expired")
 	}
 
+	if csrfLogger != nil {
+		csrfLogger.Debug("CSRF validation successful")
+	}
 	return nil
 }
 
 func CSRFMiddleware(next http.HandlerFunc) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		if r.Method == "GET" || r.Method == "HEAD" || r.Method == "OPTIONS" {
-			token, err := setCSRFToken(r, w)
+		var token string
+		var err error
+
+		if r.Method == http.MethodGet || r.Method == http.MethodHead {
+			token, err = setCSRFToken(w, r)
 			if err != nil {
-				http.Error(w, "Failed to set CSRF token", http.StatusInternalServerError)
+				http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 				return
 			}
 			w.Header().Set(csrfHeaderName, token)
-
-			ctx := context.WithValue(r.Context(), "CSRFToken", token)
-			next.ServeHTTP(w, r.WithContext(ctx))
 		} else {
 			if err := validateCSRFToken(r); err != nil {
 				http.Error(w, "CSRF validation failed", http.StatusForbidden)
 				return
 			}
+			token = r.Header.Get(csrfHeaderName)
+			if token == "" {
+				token = r.FormValue("csrf_token")
+			}
+		}
+
+		ctx := context.WithValue(r.Context(), csrfContextKey, token)
+		next.ServeHTTP(w, r.WithContext(ctx))
+	}
+}
+
+func cleanupExpiredTokens() {
+	tokenStoreMu.Lock()
+	defer tokenStoreMu.Unlock()
+	now := timeNow()
+	for token, expiry := range tokenStore {
+		if now.After(expiry) {
+			delete(tokenStore, token)
 		}
-		next.ServeHTTP(w, r)
 	}
+
+	if csrfLogger != nil {
+		csrfLogger.Debug("Cleaned up expired CSRF tokens")
+	}
+}
+
+func startCleanupRoutine(ctx context.Context) {
+	ticker := time.NewTicker(cleanupInterval)
+	defer ticker.Stop()
+	for {
+		select {
+		case <-ticker.C:
+			cleanupExpiredTokens()
+		case <-ctx.Done():
+			return
+		}
+	}
+}
+
+func init() {
+	go startCleanupRoutine(context.Background())
 }