Switch to phone auth via Twilio SMS and add feature flag system

Replace email-based auth (Resend) with phone-based auth (Twilio SMS). Add BBQ_FEATURES env var for toggling features at deploy time — when auth is disabled, no login routes are registered and the app works as before. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-05-18 08:45:15 -04:00
parent b3203a7506
commit 471cc3ad8c
15 changed files with 820 additions and 21 deletions
@@ -0,0 +1,280 @@
+package main
+
+import (
+	"context"
+	"crypto/rand"
+	"database/sql"
+	"encoding/hex"
+	"fmt"
+	"log"
+	"math/big"
+	"net/http"
+	"net/url"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/ryanchen/bbq/db"
+)
+
+type contextKey string
+
+const userContextKey contextKey = "user"
+
+func (s *Server) currentUser(r *http.Request) *db.User {
+	if !s.features.Auth {
+		return nil
+	}
+	u, _ := r.Context().Value(userContextKey).(*db.User)
+	return u
+}
+
+// sessionMiddleware loads the user from the session cookie into context.
+func (s *Server) sessionMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if !s.features.Auth {
+			next.ServeHTTP(w, r)
+			return
+		}
+		cookie, err := r.Cookie("session")
+		if err != nil {
+			next.ServeHTTP(w, r)
+			return
+		}
+		sess, err := s.q.GetSession(r.Context(), cookie.Value)
+		if err != nil {
+			next.ServeHTTP(w, r)
+			return
+		}
+		var u db.User
+		row := s.db.QueryRowContext(r.Context(),
+			"SELECT id, phone, name, created_at FROM users WHERE id = ?", sess.UserID)
+		if err := row.Scan(&u.ID, &u.Phone, &u.Name, &u.CreatedAt); err != nil {
+			next.ServeHTTP(w, r)
+			return
+		}
+		ctx := context.WithValue(r.Context(), userContextKey, &u)
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
+
+// requireAuth redirects to /login if not logged in.
+func (s *Server) requireAuth(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if s.currentUser(r) == nil {
+			http.Redirect(w, r, "/login", http.StatusSeeOther)
+			return
+		}
+		next.ServeHTTP(w, r)
+	})
+}
+
+func (s *Server) handleLoginPage(w http.ResponseWriter, r *http.Request) {
+	if s.currentUser(r) != nil {
+		http.Redirect(w, r, "/dashboard", http.StatusSeeOther)
+		return
+	}
+	pageTmpl["login"].ExecuteTemplate(w, "layout", map[string]any{
+		"Step":        "phone",
+		"AuthEnabled": true,
+	})
+}
+
+func (s *Server) handleLoginSubmit(w http.ResponseWriter, r *http.Request) {
+	phone := normalizePhone(r.FormValue("phone"))
+	if phone == "" {
+		http.Redirect(w, r, "/login", http.StatusSeeOther)
+		return
+	}
+
+	code := generateCode()
+	expiresAt := time.Now().Add(10 * time.Minute)
+	s.q.CreateVerificationCode(r.Context(), db.CreateVerificationCodeParams{
+		Phone:     phone,
+		Code:      code,
+		ExpiresAt: expiresAt,
+	})
+
+	if err := sendVerificationSMS(phone, code); err != nil {
+		log.Printf("failed to send verification SMS to %s: %v", phone, err)
+	}
+
+	pageTmpl["login"].ExecuteTemplate(w, "layout", map[string]any{
+		"Step":        "code",
+		"Phone":       phone,
+		"AuthEnabled": true,
+	})
+}
+
+func (s *Server) handleVerifyCode(w http.ResponseWriter, r *http.Request) {
+	phone := normalizePhone(r.FormValue("phone"))
+	code := strings.TrimSpace(r.FormValue("code"))
+
+	vc, err := s.q.GetVerificationCode(r.Context(), db.GetVerificationCodeParams{
+		Phone: phone,
+		Code:  code,
+	})
+	if err != nil {
+		pageTmpl["login"].ExecuteTemplate(w, "layout", map[string]any{
+			"Step":        "code",
+			"Phone":       phone,
+			"Error":       "Invalid or expired code. Try again.",
+			"AuthEnabled": true,
+		})
+		return
+	}
+
+	s.q.MarkVerificationCodeUsed(r.Context(), vc.ID)
+
+	// Get or create user
+	user, err := s.q.GetUserByPhone(r.Context(), phone)
+	if err == sql.ErrNoRows {
+		user, err = s.q.CreateUser(r.Context(), phone)
+	}
+	if err != nil {
+		log.Printf("user lookup/create: %v", err)
+		http.Error(w, "Internal error", 500)
+		return
+	}
+
+	// Create session
+	token := generateSessionToken()
+	expiresAt := time.Now().Add(30 * 24 * time.Hour) // 30 days
+	s.q.CreateSession(r.Context(), db.CreateSessionParams{
+		Token:     token,
+		UserID:    user.ID,
+		ExpiresAt: expiresAt,
+	})
+
+	http.SetCookie(w, &http.Cookie{
+		Name:     "session",
+		Value:    token,
+		Path:     "/",
+		Expires:  expiresAt,
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+	})
+
+	// If user has no name, send them to set it
+	if user.Name == "" {
+		http.Redirect(w, r, "/account/name", http.StatusSeeOther)
+		return
+	}
+
+	http.Redirect(w, r, "/dashboard", http.StatusSeeOther)
+}
+
+func (s *Server) handleLogout(w http.ResponseWriter, r *http.Request) {
+	cookie, err := r.Cookie("session")
+	if err == nil {
+		s.q.DeleteSession(r.Context(), cookie.Value)
+	}
+	http.SetCookie(w, &http.Cookie{
+		Name:     "session",
+		Value:    "",
+		Path:     "/",
+		MaxAge:   -1,
+		HttpOnly: true,
+	})
+	http.Redirect(w, r, "/", http.StatusSeeOther)
+}
+
+func (s *Server) handleDashboard(w http.ResponseWriter, r *http.Request) {
+	user := s.currentUser(r)
+	events, err := s.q.ListEventsByUser(r.Context(), sql.NullInt64{Int64: user.ID, Valid: true})
+	if err != nil {
+		log.Printf("list events: %v", err)
+		http.Error(w, "Internal error", 500)
+		return
+	}
+	pageTmpl["dashboard"].ExecuteTemplate(w, "layout", map[string]any{
+		"User":        user,
+		"Events":      events,
+		"AuthEnabled": true,
+	})
+}
+
+func (s *Server) handleNamePage(w http.ResponseWriter, r *http.Request) {
+	user := s.currentUser(r)
+	pageTmpl["name"].ExecuteTemplate(w, "layout", map[string]any{
+		"User":        user,
+		"AuthEnabled": true,
+	})
+}
+
+func (s *Server) handleNameSubmit(w http.ResponseWriter, r *http.Request) {
+	user := s.currentUser(r)
+	name := strings.TrimSpace(r.FormValue("name"))
+	if name == "" {
+		http.Redirect(w, r, "/account/name", http.StatusSeeOther)
+		return
+	}
+	s.q.UpdateUserName(r.Context(), db.UpdateUserNameParams{
+		Name: name,
+		ID:   user.ID,
+	})
+	http.Redirect(w, r, "/dashboard", http.StatusSeeOther)
+}
+
+func generateCode() string {
+	n, _ := rand.Int(rand.Reader, big.NewInt(1000000))
+	return fmt.Sprintf("%06d", n.Int64())
+}
+
+func generateSessionToken() string {
+	b := make([]byte, 32)
+	rand.Read(b)
+	return hex.EncodeToString(b)
+}
+
+// normalizePhone strips non-digit chars and prepends +1 if no country code.
+func normalizePhone(raw string) string {
+	var digits strings.Builder
+	for _, c := range strings.TrimSpace(raw) {
+		if c >= '0' && c <= '9' {
+			digits.WriteRune(c)
+		}
+	}
+	d := digits.String()
+	if d == "" {
+		return ""
+	}
+	// If 10 digits, assume US and prepend 1
+	if len(d) == 10 {
+		d = "1" + d
+	}
+	return "+" + d
+}
+
+func sendVerificationSMS(to, code string) error {
+	sid := os.Getenv("TWILIO_ACCOUNT_SID")
+	token := os.Getenv("TWILIO_AUTH_TOKEN")
+	from := os.Getenv("TWILIO_FROM_NUMBER")
+
+	if sid == "" || token == "" || from == "" {
+		log.Printf("Twilio not configured — code for %s is: %s", to, code)
+		return nil
+	}
+
+	body := fmt.Sprintf("Your bbq login code: %s", code)
+	apiURL := fmt.Sprintf("https://api.twilio.com/2010-04-01/Accounts/%s/Messages.json", sid)
+
+	data := url.Values{}
+	data.Set("To", to)
+	data.Set("From", from)
+	data.Set("Body", body)
+
+	req, _ := http.NewRequest("POST", apiURL, strings.NewReader(data.Encode()))
+	req.SetBasicAuth(sid, token)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+
+	resp, err := http.DefaultClient.Do(req)
+	if err != nil {
+		return err
+	}
+	defer resp.Body.Close()
+	if resp.StatusCode >= 400 {
+		return fmt.Errorf("twilio API returned %d", resp.StatusCode)
+	}
+	return nil
+}