Use HTTP verbs for authentication routes

Author: svera

internal/webserver/authentication_test.go

@@ -29,7 +29,7 @@ func TestAuthentication(t *testing.T) {
 
 	t.Run("Try to log in with good and bad credentials", func(t *testing.T) {
 		// Check that login page is accessible
-		req, err := http.NewRequest(http.MethodGet, "/en/login", nil)
+		req, err := http.NewRequest(http.MethodGet, "/en/sessions/new", nil)
 		if err != nil {
 			t.Fatalf("Unexpected error: %v", err.Error())
 		}
@@ -42,7 +42,7 @@ func TestAuthentication(t *testing.T) {
 		}
 
 		// Use no credentials to log in
-		req, err = http.NewRequest(http.MethodPost, "/en/login", nil)
+		req, err = http.NewRequest(http.MethodPost, "/en/sessions", nil)
 		req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
 		if err != nil {
 			t.Fatalf("Unexpected error: %v", err.Error())
@@ -56,7 +56,7 @@ func TestAuthentication(t *testing.T) {
 		}
 
 		// Use good credentials to log in
-		req, err = http.NewRequest(http.MethodPost, "/en/login", strings.NewReader(data.Encode()))
+		req, err = http.NewRequest(http.MethodPost, "/en/sessions", strings.NewReader(data.Encode()))
 		req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
 		if err != nil {
 			t.Fatalf("Unexpected error: %v", err.Error())
@@ -267,7 +267,7 @@ func TestRecover(t *testing.T) {
 			t.Error("No location header present")
 			return
 		}
-		if expectedURL := "/en/login"; url.Path != expectedURL {
+		if expectedURL := "/en/sessions"; url.Path != expectedURL {
 			t.Errorf("Expected location %s, received %s", expectedURL, url.Path)
 		}
 

internal/webserver/controller/auth/login.go

@@ -29,5 +29,6 @@ func (a *Controller) Login(c *fiber.Ctx) error {
 		"Title":                  "Login",
 		"Message":                msg,
 		"EmailSendingConfigured": emailSendingConfigured,
+		"DisableLoginLink":       true,
 	}, "layout")
 }

internal/webserver/controller/auth/reset-password.go

@@ -45,7 +45,7 @@ func (a *Controller) UpdatePassword(c *fiber.Ctx) error {
 		return fiber.ErrInternalServerError
 	}
 
-	return c.Redirect(fmt.Sprintf("/%s/login", c.Params("lang")))
+	return c.Redirect(fmt.Sprintf("/%s/sessions", c.Params("lang")))
 }
 
 func (a *Controller) validateRecoveryAccess(recoveryUuid string) (*model.User, error) {

internal/webserver/controller/auth/signout.go

@@ -1,8 +1,6 @@
 package auth
 
 import (
-	"fmt"
-
 	"github.com/gofiber/fiber/v2"
 )
 
@@ -16,6 +14,6 @@ func (a *Controller) SignOut(c *fiber.Ctx) error {
 		Secure:   false,
 		HTTPOnly: true,
 	})
-
-	return c.Redirect(fmt.Sprintf("/%s", c.Params("lang")))
+	c.Set("HX-Refresh", "true")
+	return c.SendStatus(fiber.StatusNoContent)
 }

internal/webserver/embedded/views/auth/login.html

@@ -1,4 +1,4 @@
-<form method="post" action="/{{.Lang}}/login">
+<form method="post" action="/{{.Lang}}/sessions">
     <h2 class="h3 mb-3 fw-normal">{{t .Lang "Please sign in"}}</h2>
 
     <div class="form-floating">

internal/webserver/embedded/views/layout.html

@@ -94,7 +94,7 @@ <h5 class="offcanvas-title" id="offcanvasNavbarLabel">Coreander</h5>
                                         <hr class="dropdown-divider">
                                     </li>
                                     <li>
-                                        <a class="dropdown-item" href="/{{.Lang}}/logout">
+                                        <a class="dropdown-item" href="/{{.Lang}}/sessions" hx-delete="/{{.Lang}}/sessions">
                                             <svg xmlns="http://www.w3.org/2000/svg" width="16" height="16"
                                                 fill="currentColor" class="bi bi-box-arrow-right" viewBox="0 0 16 16">
                                                 <path fill-rule="evenodd"
@@ -109,7 +109,7 @@ <h5 class="offcanvas-title" id="offcanvasNavbarLabel">Coreander</h5>
                             </li>
                             {{else if not .DisableLoginLink}}
                             <li class="p-2">
-                                <a href="/{{.Lang}}/login">{{t .Lang "Login"}}</a>
+                                <a href="/{{.Lang}}/sessions/new">{{t .Lang "Login"}}</a>
                             </li>
                             {{end}}
                             <hr class="d-lg-none">

internal/webserver/routes.go

@@ -44,13 +44,13 @@ func routes(app *fiber.App, controllers Controllers, jwtSecret []byte, sender Se
 		return c.Next()
 	})
 
-	langGroup.Get("/login", allowIfNotLoggedIn, controllers.Auth.Login)
-	langGroup.Post("login", allowIfNotLoggedIn, controllers.Auth.SignIn)
+	langGroup.Get("/sessions/new", allowIfNotLoggedIn, controllers.Auth.Login)
+	langGroup.Post("/sessions", allowIfNotLoggedIn, controllers.Auth.SignIn)
 	langGroup.Get("/recover", allowIfNotLoggedIn, controllers.Auth.Recover)
 	langGroup.Post("/recover", allowIfNotLoggedIn, controllers.Auth.Request)
 	langGroup.Get("/reset-password", allowIfNotLoggedIn, controllers.Auth.EditPassword)
 	langGroup.Post("/reset-password", allowIfNotLoggedIn, controllers.Auth.UpdatePassword)
-	langGroup.Get("/logout", alwaysRequireAuthentication, controllers.Auth.SignOut)
+	langGroup.Delete("/sessions", alwaysRequireAuthentication, controllers.Auth.SignOut)
 
 	usersGroup := langGroup.Group("/users", alwaysRequireAuthentication)
 

internal/webserver/user_management_test.go

@@ -428,7 +428,7 @@ func login(app *fiber.App, email, password string, t *testing.T) (*http.Cookie,
 		"password": {password},
 	}
 
-	req, err := http.NewRequest(http.MethodPost, "/en/login", strings.NewReader(data.Encode()))
+	req, err := http.NewRequest(http.MethodPost, "/en/sessions", strings.NewReader(data.Encode()))
 	if err != nil {
 		return nil, err
 	}