Mrixs/MrixsCraft-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
43 Commits 1 Branch 0 Tags
master
Commit Graph

10 Commits

Author SHA1 Message Date
Vladimir Zagainov
75ea7c70c2 auth: implement cookie-based auth for HTML endpoints and Bearer token auth for API endpoints
Some checks failed
CI / lint (push) Failing after 15s
Details
CI / test (push) Has been skipped
Details
CI / build (push) Has been skipped
Details
CI / docker (push) Has been skipped
Details 
Details:

  • HTML endpoints (/, /profile, /admin, /login, /register):

    - Authenticate via HTTP-only cookie named 'token'

    - Handlers in internal/templates/templates.go check cookie validity

    - /admin endpoint additionally checks for role='admin'

    - Unauthenticated users redirected to /login

    - Non-admin users accessing /admin get HTTP 403 Forbidden

  • API endpoints (/api/*):

    - Authenticate via Bearer token in Authorization header only

    - Handlers in internal/api/api.go use authenticateRequest() function

    - Function extracts token from 'Authorization: Bearer <token>' header

    - Validates token against yggdrasil_sessions table

    - No cookie checking for API endpoints (launcher compatibility)

  • Web login (/api/web/login):

    - Sets HTTP-only cookie 'token' for browser storage

    - Returns JSON with token, UUID, username for JS localStorage

    - Maintains backward compatibility with existing JavaScript

  • JavaScript in HTML pages:

    - Gets token from localStorage (set by login response)

    - Sets Authorization: Bearer <token> header for API fetch calls

    - Updated admin.html and profile.js to include token in headers

This separation ensures:

  • HTML endpoints work automatically with browser cookies

  • API endpoints work with browsers (via JS) and launchers (Bearer tokens)

  • Security sensitive actions require proper role validation

  • Clean separation of concerns between document and API interfaces
 2026-06-07 23:11:51 +03:00
Vladimir Zagainov
b9e986d25a feat: добавить веб-интерфейс админ-панели для управления модпаками
All checks were successful
CI / lint (push) Successful in 1m1s
Details
CI / test (push) Successful in 42s
Details
CI / build (push) Successful in 18s
Details
CI / docker (push) Successful in 1m16s
Details
2026-06-07 19:06:27 +03:00
Vladimir Zagainov
4efcc770ac fix: format all Go files with gofmt
All checks were successful
CI / lint (push) Successful in 9m54s
Details
CI / test (push) Successful in 10m19s
Details
CI / build (push) Successful in 9m58s
Details
CI / docker (push) Has been skipped
Details 
- Fix alignment in struct fields (sessionProfileResponse, textureInfo, Handler)
- Align struct field values in internal/templates/templates.go, internal/api/api.go
 2026-05-30 20:00:54 +03:00
Vladimir Zagainov
7ad02cb1b2 feat: implement email validation, CI/CD pipeline, migration history, and web templates
Some checks failed
CI / lint (push) Failing after 21s
Details
CI / build (push) Has been skipped
Details
CI / test (push) Has been skipped
Details
CI / docker (push) Has been skipped
Details 
Email validation:
- Replace @/. check with net/mail.ParseAddress on register
- Add size limit check (max 254 chars, RFC 5321)

CI/CD Pipeline:
- Add .gitea/workflows/ci.yml (lint → test → build → docker push)
- Registry: gitea.mrixs.me/Mrixs/MrixsCraft-server
- Push only on main branch

Database:
- Add migrations/002_migration_history.sql (tracking applied migrations)
- Add migrations/README.md (manual apply instructions)

Web Templates:
- Add base.html with Minecraft-themed layout (dark + green accent)
- Add index.html, login.html, register.html with POST forms
- Rewrite templates.go for data-driven rendering with pageData struct
- Fallback placeholder preserved when templates dir missing
 2026-05-30 00:39:51 +03:00
Vladimir Zagainov
e1cc999ea8 refactor: deduplicate sha1Hex/writeJSON/writeError into pkg/utils 
- admin.go: replace local sha1Hex, sha256Hex, writeJSON, writeError with pkg/utils equivalents
- auth.go: replace local writeJSON with utils.WriteJSON; rewrite writeError as thin wrapper
- cas.go: remove local sha1Hex and unused writeJSON; use utils.SHA1Bytes
- pkg/utils.go: add WriteJSON, WriteError; reorder imports
 2026-05-29 23:53:33 +03:00
Vladimir Zagainov
5fba2e78d5 feat: add Docker infrastructure, migrations, CI/CD client, session cleanup, tests 
Docker & Deployment:
- Add Dockerfile (multi-stage, alpine, non-root)
- Add docker-compose.yml (caddy, backend, postgres, watchtower)
- Add Caddyfile (TLS, file_server, reverse proxy)
- Add .env.example

Database:
- Add migrations/001_init.sql (all tables + indexes)

CI/CD:
- Add cmd/ci-release/main.go (launcher binary upload tool)

Session management:
- Add internal/session/cleanup.go (background expired session cleanup)
- Integrate cleanup worker into main.go

Bug fixes:
- Fix launcherLatest download URL to include version segment
- Fix serveLauncherAsset path to match route pattern
- Add Content-Type detection from file extension in CAS serveFile
- Add empty-field validation in webLogin
- Format string fix in ci-release (%d → %s for resp.Status)

Tests:
- Add internal/auth/auth_test.go (8 tests)
- Add internal/cas/cas_test.go (7 tests)
- Add internal/session/cleanup_test.go (1 test)
- Add internal/api/api_test.go (5 tests)
- All tests passing, go vet clean

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-05-29 20:09:00 +03:00
Vladimir Zagainov
81c42e1a9a feat: migrate passwords from SHA-256 to bcrypt 
- Replace SHA-256 hex hashing with bcrypt (cost 10) for password storage
- VerifyPassword now uses bcrypt.CompareHashAndPassword
- HashPassword returns (string, error) instead of string
- Add IsBcryptHash helper to detect legacy hashes for future migration
- Remove duplicate verifyPassword from api.go (already done in prev commit)
- Promote golang.org/x/crypto to direct dependency
 2026-05-27 16:31:38 +03:00
Vladimir Zagainov
01cce981c5 feat: implement skins/capes, profile endpoints, session server 
Skins & capes:
- Fix uploadSkin auth: Bearer token instead of user_id form hack
- Add POST /api/web/profile/cape (upload cape)
- Add DELETE /api/web/profile/skin and DELETE /api/web/profile/cape
- Validate skin PNG dimensions (64x32, 64x64, 128x128, 128x64)
- Add size limits: 1 MB for skins, 2 MB for capes
- Add basic email validation on register

Profile & session server:
- Add GET /api/web/profile/{uuid} — public profile with skin/cape hashes
- Add GET /sessionserver/session/minecraft/profile/{uuid} — Mojang-compatible
  texture response for game client
- Add POST /authserver/invalidate and POST /authserver/signout
- Export VerifyPassword and ExtractBearer from auth package
- Remove duplicate verifyPassword from api.go
- Add PlayerTextures model to database.go
 2026-05-27 11:45:33 +03:00
Vladimir Zagainov
475ff9bfa2 feat: add API handler (register, login, skin, launcher, servers, manifest) 
- register: POST /api/web/register — create user with SHA-256 password hash
- login: POST /api/web/login — credentials check + session token
- uploadSkin: POST /api/web/profile/skin — PNG upload, SHA-1 CAS storage
- launcherLatest: GET /api/launcher/latest — latest launcher version + download URL
- serversList: GET /api/servers.json — active modpacks list
- instanceManifest: GET /api/instances/{slug}/manifest.json — modpack manifest
- serveSkin: GET /skins/{hash}.png — skin file serving with cache headers
- PathValue-based routing (Go 1.22+)

Co-Authored-By: OWL <noreply@anthropic.com>
 2026-05-26 13:31:22 +03:00
Vladimir Zagainov
551c75a232 chore: initial project structure 2026-05-23 17:57:37 +03:00