nidus-sync/auth/auth.go

package auth

import (
	"context"
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"strings"

	"github.com/Gleipnir-Technology/bob/dialect/psql"
	"github.com/Gleipnir-Technology/bob/dialect/psql/sm"
	"github.com/Gleipnir-Technology/nidus-sync/db"
	"github.com/Gleipnir-Technology/nidus-sync/db/enums"
	"github.com/Gleipnir-Technology/nidus-sync/db/models"
	"github.com/Gleipnir-Technology/nidus-sync/db/sql"
	"github.com/Gleipnir-Technology/nidus-sync/debug"
	"github.com/aarondl/opt/omit"
	"github.com/rs/zerolog/log"
	"golang.org/x/crypto/bcrypt"
)

type NoCredentialsError struct{}

func (e NoCredentialsError) Error() string { return "No credentials were present in the request" }

type NoUserError struct{}

func (e NoUserError) Error() string { return "That user does not exist" }

type InvalidCredentials struct{}

func (e InvalidCredentials) Error() string { return "No username with that password exists" }

type InvalidUsername struct{}

func (e InvalidUsername) Error() string { return "That username doesn't exist" }

type AuthenticatedHandler func(http.ResponseWriter, *http.Request, *models.User)
type EnsureAuth struct {
	handler AuthenticatedHandler
}

func AddUserSession(r *http.Request, user *models.User) {
	id := strconv.Itoa(int(user.ID))
	sessionManager.Put(r.Context(), "user_id", id)
	sessionManager.Put(r.Context(), "username", user.Username)
}

func GetAuthenticatedUser(r *http.Request) (*models.User, error) {
	//user_id := sessionManager.GetInt(r.Context(), "user_id")
	user_id_str := sessionManager.GetString(r.Context(), "user_id")
	if user_id_str != "" {
		user_id, err := strconv.Atoi(user_id_str)
		if err != nil {
			return nil, fmt.Errorf("Failed to convert user_id to int: %w", err)
		}
		username := sessionManager.GetString(r.Context(), "username")
		if user_id > 0 && username != "" {
			return findUser(r.Context(), user_id)
		}
	}
	// If we can't get the user from the session try to get from auth headers
	username, password, ok := r.BasicAuth()
	if !ok {
		return nil, &NoCredentialsError{}
	}
	user, err := validateUser(r.Context(), username, password)
	if err != nil {
		return nil, err
	}
	AddUserSession(r, user)
	return user, nil
}

func NewEnsureAuth(handlerToWrap AuthenticatedHandler) *EnsureAuth {
	return &EnsureAuth{handlerToWrap}
}

func (ea *EnsureAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	// If this is an API request respond with a more machine-readable error state
	accept := r.Header.Values("Accept")
	offers := []string{"application/json", "text/html"}

	content_type := NegotiateContent(accept, offers)
	user, err := GetAuthenticatedUser(r)
	if err != nil || user == nil {
		var msg []byte
		// Separate return codes for different authentication failures
		if _, ok := err.(*NoCredentialsError); ok {
			fmt.Println("No credentials present and no session")
			w.Header().Set("WWW-Authenticate-Error", "no-credentials")
			msg = []byte("Please provide credentials.\n")
		} else if _, ok := err.(*NoUserError); ok {
			w.Header().Set("WWW-Authenticate-Error", "invalid-credentials")
			msg = []byte("Invalid credentials provided.\n")
		} else if _, ok := err.(*InvalidCredentials); ok {
			w.Header().Set("WWW-Authenticate-Error", "invalid-credentials")
			msg = []byte("Invalid credentials provided.\n")
		}

		if content_type == "text/html" {
			http.Redirect(w, r, "/signin?next="+r.URL.Path, http.StatusSeeOther)
			return
		}
		w.Header().Set("WWW-Authenticate", `Basic realm="Nidus Sync"`)
		w.WriteHeader(401)
		w.Write(msg)
		return
	}

	ea.handler(w, r, user)
}
func SigninUser(r *http.Request, username string, password string) (*models.User, error) {
	user, err := validateUser(r.Context(), username, password)
	if err != nil {
		return nil, err
	}
	if user == nil {
		return nil, errors.New("No matching user")
	}
	AddUserSession(r, user)
	return user, nil
}

func SignoutUser(r *http.Request, user *models.User) {
	sessionManager.Put(r.Context(), "user_id", "")
	sessionManager.Put(r.Context(), "username", "")
	log.Info().Str("username", user.Username).Int32("user_id", user.ID).Msg("Ended user session")
}

func SignupUser(ctx context.Context, username string, name string, password string) (*models.User, error) {
	passwordHash, err := HashPassword(password)
	if err != nil {
		return nil, fmt.Errorf("Cannot signup user, failed to create hashed password: %w", err)
	}
	o_setter := models.OrganizationSetter{
		Name: omit.From(fmt.Sprintf("%s's organization", username)),
	}
	o, err := models.Organizations.Insert(&o_setter).One(ctx, db.PGInstance.BobDB)
	if err != nil {
		return nil, fmt.Errorf("Failed to create organization: %w", err)
	}
	log.Info().Int32("id", o.ID).Msg("Created organization")
	u_setter := models.UserSetter{
		DisplayName:      omit.From(name),
		OrganizationID:   omit.From(o.ID),
		PasswordHash:     omit.From(passwordHash),
		PasswordHashType: omit.From(enums.HashtypeBcrypt14),
		Role:             omit.From(enums.UserroleAccountOwner),
		Username:         omit.From(username),
	}
	u, err := models.Users.Insert(&u_setter).One(ctx, db.PGInstance.BobDB)
	if err != nil {
		return nil, fmt.Errorf("Failed to create user: %w", err)
	}
	log.Info().Int32("id", u.ID).Str("username", u.Username).Msg("Created user")

	return u, nil
}

// Helper function to translate strings into solid error types for operating on
func findUser(ctx context.Context, user_id int) (*models.User, error) {
	//user, err := models.FindUser(ctx, db.PGInstance.BobDB, int32(user_id))
	user, err := models.Users.Query(
		models.Preload.User.Organization(),
		sm.Where(models.Users.Columns.ID.EQ(psql.Arg(user_id))),
	).One(ctx, db.PGInstance.BobDB)
	if err != nil {
		if err.Error() == "No such user" || err.Error() == "sql: no rows in result set" {
			return nil, &NoUserError{}
		} else {
			debug.LogErrorTypeInfo(err)
			log.Error().Err(err).Msg("Unrecognized error. This should be updated in the findUser code")
			return nil, err
		}
	}
	//log.Info().Int32("user_id", user.ID).Int32("org_id", user.OrganizationID).Msg("Found user")
	return user, err
}

func HashPassword(password string) (string, error) {
	bytes, err := bcrypt.GenerateFromPassword([]byte(password), 14)
	return string(bytes), err
}

func redact(s string) string {
	if len(s) <= 4 {
		return s
	}

	first_two := s[:2]
	last_two := s[len(s)-2:]
	middle_length := len(s) - 4

	return first_two + strings.Repeat("*", middle_length) + last_two
}

func validatePassword(password, hash string) bool {
	err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))
	return err == nil
}

func validateUser(ctx context.Context, username string, password string) (*models.User, error) {
	passwordHash, err := HashPassword(password)
	if err != nil {
		return nil, fmt.Errorf("Failed to hash password: %w", err)
	}
	result, err := sql.UserByUsername(username).All(ctx, db.PGInstance.BobDB)
	if err != nil {
		return nil, fmt.Errorf("Failed to query for user: %w", err)
	}
	switch len(result) {
	case 0:
		log.Info().Str("username", username).Str("password", redact(password)).Msg("Invalid username")
		return nil, InvalidUsername{}
	case 1:
		row := result[0]
		if !validatePassword(password, row.PasswordHash) {
			log.Info().Str("username", username).Str("password", redact(password)).Str("hash", passwordHash).Msg("Invalid password for user")
			return nil, InvalidCredentials{}
		}
		user := models.User{
			ID:                        row.ID,
			ArcgisAccessToken:         row.ArcgisAccessToken,
			ArcgisLicense:             row.ArcgisLicense,
			ArcgisRefreshToken:        row.ArcgisRefreshToken,
			ArcgisRefreshTokenExpires: row.ArcgisRefreshTokenExpires,
			ArcgisRole:                row.ArcgisRole,
			DisplayName:               row.DisplayName,
			Email:                     row.Email,
			OrganizationID:            row.OrganizationID,
			Username:                  row.Username,
		}
		log.Info().Str("username", username).Msg("Validated user")
		return &user, nil
	default:
		return nil, errors.New("More than one matching row, this should be impossible.")

	}
}
WIP migration of API from fieldseeker-sync 2025-12-16 16:37:53 +00:00			`package auth`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00
			`import (`
			`"context"`
			`"errors"`
			`"fmt"`
			`"net/http"`
			`"strconv"`
Add API signin URL That was we can have much more specific failure modes for API clients 2026-01-25 19:36:56 +00:00			`"strings"`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00
Add ability to make LLM agent forget the conversation history This is extremely useful for testing. In order to do this I needed to actually deploy the migration to a bob fork so I could start to add support for behaviors I really want. Specifically the ability to search for ids in a slice. 2026-01-27 18:44:02 +00:00			`"github.com/Gleipnir-Technology/bob/dialect/psql"`
			`"github.com/Gleipnir-Technology/bob/dialect/psql/sm"`
Move database logic into separate subdirectory I'm trying to see if this speeds up builds a bit. May not without a module boundary, but for now it's nice organization to have as the program grows. 2025-11-24 18:08:24 +00:00			`"github.com/Gleipnir-Technology/nidus-sync/db"`
			`"github.com/Gleipnir-Technology/nidus-sync/db/enums"`
			`"github.com/Gleipnir-Technology/nidus-sync/db/models"`
			`"github.com/Gleipnir-Technology/nidus-sync/db/sql"`
Begin work on debugging user behavior in early setup 2026-01-06 14:46:31 +00:00			`"github.com/Gleipnir-Technology/nidus-sync/debug"`
Format all source files. 2025-11-06 22:31:51 +00:00			`"github.com/aarondl/opt/omit"`
Migrate auth to zerolog 2025-11-24 19:49:19 +00:00			`"github.com/rs/zerolog/log"`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`"golang.org/x/crypto/bcrypt"`
			`)`

			`type NoCredentialsError struct{}`
Format all source files. 2025-11-06 22:31:51 +00:00
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`func (e NoCredentialsError) Error() string { return "No credentials were present in the request" }`

Create settings page placeholder, add auth pattern This adds a pattern for creating pages that require authentication. The settings page is currently empty, but it's helpful to figure out how to do this pattern. 2025-11-13 15:50:10 +00:00			`type NoUserError struct{}`

			`func (e NoUserError) Error() string { return "That user does not exist" }`

Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`type InvalidCredentials struct{}`
Format all source files. 2025-11-06 22:31:51 +00:00
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`func (e InvalidCredentials) Error() string { return "No username with that password exists" }`

			`type InvalidUsername struct{}`
Format all source files. 2025-11-06 22:31:51 +00:00
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`func (e InvalidUsername) Error() string { return "That username doesn't exist" }`

Create settings page placeholder, add auth pattern This adds a pattern for creating pages that require authentication. The settings page is currently empty, but it's helpful to figure out how to do this pattern. 2025-11-13 15:50:10 +00:00			`type AuthenticatedHandler func(http.ResponseWriter, http.Request, models.User)`
			`type EnsureAuth struct {`
			`handler AuthenticatedHandler`
			`}`

WIP migration of API from fieldseeker-sync 2025-12-16 16:37:53 +00:00			`func AddUserSession(r http.Request, user models.User) {`
			`id := strconv.Itoa(int(user.ID))`
			`sessionManager.Put(r.Context(), "user_id", id)`
			`sessionManager.Put(r.Context(), "username", user.Username)`
			`}`

			`func GetAuthenticatedUser(r http.Request) (models.User, error) {`
			`//user_id := sessionManager.GetInt(r.Context(), "user_id")`
			`user_id_str := sessionManager.GetString(r.Context(), "user_id")`
			`if user_id_str != "" {`
			`user_id, err := strconv.Atoi(user_id_str)`
			`if err != nil {`
			`return nil, fmt.Errorf("Failed to convert user_id to int: %w", err)`
			`}`
			`username := sessionManager.GetString(r.Context(), "username")`
			`if user_id > 0 && username != "" {`
			`return findUser(r.Context(), user_id)`
			`}`
			`}`
			`// If we can't get the user from the session try to get from auth headers`
			`username, password, ok := r.BasicAuth()`
			`if !ok {`
			`return nil, &NoCredentialsError{}`
			`}`
			`user, err := validateUser(r.Context(), username, password)`
			`if err != nil {`
			`return nil, err`
			`}`
			`AddUserSession(r, user)`
			`return user, nil`
			`}`

Create settings page placeholder, add auth pattern This adds a pattern for creating pages that require authentication. The settings page is currently empty, but it's helpful to figure out how to do this pattern. 2025-11-13 15:50:10 +00:00			`func NewEnsureAuth(handlerToWrap AuthenticatedHandler) *EnsureAuth {`
			`return &EnsureAuth{handlerToWrap}`
			`}`

			`func (ea EnsureAuth) ServeHTTP(w http.ResponseWriter, r http.Request) {`
			`// If this is an API request respond with a more machine-readable error state`
			`accept := r.Header.Values("Accept")`
			`offers := []string{"application/json", "text/html"}`

			`content_type := NegotiateContent(accept, offers)`
WIP migration of API from fieldseeker-sync 2025-12-16 16:37:53 +00:00			`user, err := GetAuthenticatedUser(r)`
Avoid crashing when getting oauth with an expired user 2025-11-24 18:09:06 +00:00			`if err != nil \|\| user == nil {`
Create settings page placeholder, add auth pattern This adds a pattern for creating pages that require authentication. The settings page is currently empty, but it's helpful to figure out how to do this pattern. 2025-11-13 15:50:10 +00:00			`var msg []byte`
			`// Separate return codes for different authentication failures`
			`if _, ok := err.(*NoCredentialsError); ok {`
			`fmt.Println("No credentials present and no session")`
			`w.Header().Set("WWW-Authenticate-Error", "no-credentials")`
			`msg = []byte("Please provide credentials.\n")`
			`} else if _, ok := err.(*NoUserError); ok {`
			`w.Header().Set("WWW-Authenticate-Error", "invalid-credentials")`
			`msg = []byte("Invalid credentials provided.\n")`
			`} else if _, ok := err.(*InvalidCredentials); ok {`
			`w.Header().Set("WWW-Authenticate-Error", "invalid-credentials")`
			`msg = []byte("Invalid credentials provided.\n")`
			`}`

			`if content_type == "text/html" {`
Create separate signin page, make auth redirect there. 2025-11-19 15:19:42 +00:00			`http.Redirect(w, r, "/signin?next="+r.URL.Path, http.StatusSeeOther)`
Create settings page placeholder, add auth pattern This adds a pattern for creating pages that require authentication. The settings page is currently empty, but it's helpful to figure out how to do this pattern. 2025-11-13 15:50:10 +00:00			`return`
			`}`
			w.Header().Set("WWW-Authenticate", `Basic realm="Nidus Sync"`)
			`w.WriteHeader(401)`
			`w.Write(msg)`
			`return`
			`}`

			`ea.handler(w, r, user)`
			`}`
WIP migration of API from fieldseeker-sync 2025-12-16 16:37:53 +00:00			`func SigninUser(r http.Request, username string, password string) (models.User, error) {`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`user, err := validateUser(r.Context(), username, password)`
			`if err != nil {`
			`return nil, err`
			`}`
			`if user == nil {`
			`return nil, errors.New("No matching user")`
			`}`
WIP migration of API from fieldseeker-sync 2025-12-16 16:37:53 +00:00			`AddUserSession(r, user)`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`return user, nil`
			`}`

Creat signout logic, make links use it. 2026-01-15 00:20:19 +00:00			`func SignoutUser(r http.Request, user models.User) {`
			`sessionManager.Put(r.Context(), "user_id", "")`
			`sessionManager.Put(r.Context(), "username", "")`
			`log.Info().Str("username", user.Username).Int32("user_id", user.ID).Msg("Ended user session")`
			`}`

Always include an organization for every user 2026-01-06 15:06:16 +00:00			`func SignupUser(ctx context.Context, username string, name string, password string) (*models.User, error) {`
Add command to hash password directly Useful for resetting passwords manually. 2026-01-26 18:42:30 +00:00			`passwordHash, err := HashPassword(password)`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`if err != nil {`
Always include an organization for every user 2026-01-06 15:06:16 +00:00			`return nil, fmt.Errorf("Cannot signup user, failed to create hashed password: %w", err)`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`}`
Always include an organization for every user 2026-01-06 15:06:16 +00:00			`o_setter := models.OrganizationSetter{`
remove organization table's old arcgis columns 2026-02-28 23:24:19 +00:00			`Name: omit.From(fmt.Sprintf("%s's organization", username)),`
Always include an organization for every user 2026-01-06 15:06:16 +00:00			`}`
			`o, err := models.Organizations.Insert(&o_setter).One(ctx, db.PGInstance.BobDB)`
			`if err != nil {`
			`return nil, fmt.Errorf("Failed to create organization: %w", err)`
			`}`
			`log.Info().Int32("id", o.ID).Msg("Created organization")`
			`u_setter := models.UserSetter{`
Format all source files. 2025-11-06 22:31:51 +00:00			`DisplayName: omit.From(name),`
Always include an organization for every user 2026-01-06 15:06:16 +00:00			`OrganizationID: omit.From(o.ID),`
Format all source files. 2025-11-06 22:31:51 +00:00			`PasswordHash: omit.From(passwordHash),`
Retroactively fix some SQL schema problems I originally wasn't going to do passwords, but after struggling with webauthn I decided I'd just go for it. It simplifies the code a lot if I assert that I always have a password, displayname, etc. 2025-11-05 17:36:32 +00:00			`PasswordHashType: omit.From(enums.HashtypeBcrypt14),`
Add user account roles 2026-02-18 07:02:36 +00:00			`Role: omit.From(enums.UserroleAccountOwner),`
Format all source files. 2025-11-06 22:31:51 +00:00			`Username: omit.From(username),`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`}`
Always include an organization for every user 2026-01-06 15:06:16 +00:00			`u, err := models.Users.Insert(&u_setter).One(ctx, db.PGInstance.BobDB)`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`if err != nil {`
Wrap errors. Don't emit crash message on no oauth tokens. 2025-11-13 20:53:20 +00:00			`return nil, fmt.Errorf("Failed to create user: %w", err)`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`}`
Always include an organization for every user 2026-01-06 15:06:16 +00:00			`log.Info().Int32("id", u.ID).Str("username", u.Username).Msg("Created user")`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00
			`return u, nil`
			`}`

WIP migration of API from fieldseeker-sync 2025-12-16 16:37:53 +00:00			`// Helper function to translate strings into solid error types for operating on`
			`func findUser(ctx context.Context, user_id int) (*models.User, error) {`
Preload org from user We need this to avoid a nil dereference when querying by org. 2026-01-06 16:21:59 +00:00			`//user, err := models.FindUser(ctx, db.PGInstance.BobDB, int32(user_id))`
			`user, err := models.Users.Query(`
			`models.Preload.User.Organization(),`
			`sm.Where(models.Users.Columns.ID.EQ(psql.Arg(user_id))),`
			`).One(ctx, db.PGInstance.BobDB)`
WIP migration of API from fieldseeker-sync 2025-12-16 16:37:53 +00:00			`if err != nil {`
Begin work on debugging user behavior in early setup 2026-01-06 14:46:31 +00:00			`if err.Error() == "No such user" \|\| err.Error() == "sql: no rows in result set" {`
WIP migration of API from fieldseeker-sync 2025-12-16 16:37:53 +00:00			`return nil, &NoUserError{}`
			`} else {`
Begin work on debugging user behavior in early setup 2026-01-06 14:46:31 +00:00			`debug.LogErrorTypeInfo(err)`
			`log.Error().Err(err).Msg("Unrecognized error. This should be updated in the findUser code")`
WIP migration of API from fieldseeker-sync 2025-12-16 16:37:53 +00:00			`return nil, err`
			`}`
			`}`
Wire in agent to the reporter texting system Also rework the so the platform absorbs all the business logic that was going in the wrong place. 2026-01-27 19:56:26 +00:00			`//log.Info().Int32("user_id", user.ID).Int32("org_id", user.OrganizationID).Msg("Found user")`
WIP migration of API from fieldseeker-sync 2025-12-16 16:37:53 +00:00			`return user, err`
			`}`

Add command to hash password directly Useful for resetting passwords manually. 2026-01-26 18:42:30 +00:00			`func HashPassword(password string) (string, error) {`
WIP migration of API from fieldseeker-sync 2025-12-16 16:37:53 +00:00			`bytes, err := bcrypt.GenerateFromPassword([]byte(password), 14)`
			`return string(bytes), err`
			`}`

Add API signin URL That was we can have much more specific failure modes for API clients 2026-01-25 19:36:56 +00:00			`func redact(s string) string {`
			`if len(s) <= 4 {`
			`return s`
			`}`

			`first_two := s[:2]`
			`last_two := s[len(s)-2:]`
			`middle_length := len(s) - 4`

			`return first_two + strings.Repeat("*", middle_length) + last_two`
			`}`

Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`func validatePassword(password, hash string) bool {`
			`err := bcrypt.CompareHashAndPassword([]byte(hash), []byte(password))`
			`return err == nil`
			`}`

			`func validateUser(ctx context.Context, username string, password string) (*models.User, error) {`
Add command to hash password directly Useful for resetting passwords manually. 2026-01-26 18:42:30 +00:00			`passwordHash, err := HashPassword(password)`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`if err != nil {`
Wrap errors. Don't emit crash message on no oauth tokens. 2025-11-13 20:53:20 +00:00			`return nil, fmt.Errorf("Failed to hash password: %w", err)`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`}`
Move database logic into separate subdirectory I'm trying to see if this speeds up builds a bit. May not without a module boundary, but for now it's nice organization to have as the program grows. 2025-11-24 18:08:24 +00:00			`result, err := sql.UserByUsername(username).All(ctx, db.PGInstance.BobDB)`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`if err != nil {`
Wrap errors. Don't emit crash message on no oauth tokens. 2025-11-13 20:53:20 +00:00			`return nil, fmt.Errorf("Failed to query for user: %w", err)`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`}`
			`switch len(result) {`
Format all source files. 2025-11-06 22:31:51 +00:00			`case 0:`
Add API signin URL That was we can have much more specific failure modes for API clients 2026-01-25 19:36:56 +00:00			`log.Info().Str("username", username).Str("password", redact(password)).Msg("Invalid username")`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`return nil, InvalidUsername{}`
			`case 1:`
			`row := result[0]`
Retroactively fix some SQL schema problems I originally wasn't going to do passwords, but after struggling with webauthn I decided I'd just go for it. It simplifies the code a lot if I assert that I always have a password, displayname, etc. 2025-11-05 17:36:32 +00:00			`if !validatePassword(password, row.PasswordHash) {`
Add API signin URL That was we can have much more specific failure modes for API clients 2026-01-25 19:36:56 +00:00			`log.Info().Str("username", username).Str("password", redact(password)).Str("hash", passwordHash).Msg("Invalid password for user")`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`return nil, InvalidCredentials{}`
			`}`
			`user := models.User{`
Format all source files. 2025-11-06 22:31:51 +00:00			`ID: row.ID,`
			`ArcgisAccessToken: row.ArcgisAccessToken,`
			`ArcgisLicense: row.ArcgisLicense,`
			`ArcgisRefreshToken: row.ArcgisRefreshToken,`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`ArcgisRefreshTokenExpires: row.ArcgisRefreshTokenExpires,`
Format all source files. 2025-11-06 22:31:51 +00:00			`ArcgisRole: row.ArcgisRole,`
			`DisplayName: row.DisplayName,`
			`Email: row.Email,`
			`OrganizationID: row.OrganizationID,`
			`Username: row.Username,`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`}`
Add API signin URL That was we can have much more specific failure modes for API clients 2026-01-25 19:36:56 +00:00			`log.Info().Str("username", username).Msg("Validated user")`
Add user sessions and login This isn't quite perfect, but gets much of the hard work done. 2025-11-05 17:15:33 +00:00			`return &user, nil`
			`default:`
			`return nil, errors.New("More than one matching row, this should be impossible.")`

			`}`
			`}`