ryan/bbq
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Gate admin routes behind auth and add copy guest link button

Browse Source 
When auth is enabled, admin pages require the logged-in user to be
the event owner — unauthorized visitors get redirected to the guest
view, and admin actions return 403. Also adds a copy-to-clipboard
button in the admin bar and a Makefile for common commands.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Ryan Chen
2026-05-18 09:06:16 -04:00
parent a0c4b28d1e
commit d68a6629ac
4 changed files with 55 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Makefile
+13
View File
@@ -0,0 +1,13 @@
.PHONY: build run dev sqlc
build:
go build -o bbq .
run: build
./bbq
dev: build
BBQ_FEATURES=auth ./bbq
sqlc:
$(shell go env GOPATH)/bin/sqlc generate
auth.go
+2 -2
View File
@@ -109,7 +109,7 @@ func (s *Server) handleLoginSubmit(w http.ResponseWriter, r *http.Request) {
} }
code := generateCode() code := generateCode()
expiresAt := time.Now().Add(10 * time.Minute) expiresAt := time.Now().UTC().Add(10 * time.Minute)
s.q.CreateVerificationCode(r.Context(), db.CreateVerificationCodeParams{ s.q.CreateVerificationCode(r.Context(), db.CreateVerificationCodeParams{
Identifier: identifier, Identifier: identifier,
Code: code, Code: code,
@@ -177,7 +177,7 @@ func (s *Server) handleVerifyCode(w http.ResponseWriter, r *http.Request) {
// Create session // Create session
token := generateSessionToken() token := generateSessionToken()
expiresAt := time.Now().Add(30 * 24 * time.Hour) // 30 days expiresAt := time.Now().UTC().Add(30 * 24 * time.Hour) // 30 days
s.q.CreateSession(r.Context(), db.CreateSessionParams{ s.q.CreateSession(r.Context(), db.CreateSessionParams{
Token: token, Token: token,
UserID: user.ID, UserID: user.ID,
handlers.go
+39 -26
View File
@@ -454,17 +454,42 @@ func (s *Server) handleSSE(w http.ResponseWriter, r *http.Request) {
// --- Admin --- // --- Admin ---
func (s *Server) handleAdmin(w http.ResponseWriter, r *http.Request) { // authorizeAdmin checks the admin token and (when auth is enabled) that the
// logged-in user owns the event. Returns the event on success, nil on failure.
// For page loads (isPage=true) it redirects to the guest view; for actions it
// returns 403.
func (s *Server) authorizeAdmin(w http.ResponseWriter, r *http.Request, isPage bool) *db.Event {
slug := chi.URLParam(r, "slug") slug := chi.URLParam(r, "slug")
token := chi.URLParam(r, "token") token := chi.URLParam(r, "token")
event, err := s.q.GetEventBySlug(r.Context(), slug) event, err := s.q.GetEventBySlug(r.Context(), slug)
if err != nil || event.AdminToken != token { if err != nil || event.AdminToken != token {
http.NotFound(w, r) http.NotFound(w, r)
return nil
}
if s.features.Auth {
user := s.currentUser(r)
if user == nil || !event.UserID.Valid || user.ID != event.UserID.Int64 {
if isPage {
http.Redirect(w, r, "/e/"+slug, http.StatusSeeOther)
} else {
http.Error(w, "Forbidden", http.StatusForbidden)
}
return nil
}
}
return &event
}
func (s *Server) handleAdmin(w http.ResponseWriter, r *http.Request) {
event := s.authorizeAdmin(w, r, true)
if event == nil {
return return
} }
data, err := s.loadEventPage(r, slug, true) data, err := s.loadEventPage(r, event.Slug, true)
if err != nil { if err != nil {
http.Error(w, "error", http.StatusInternalServerError) http.Error(w, "error", http.StatusInternalServerError)
return return
@@ -473,12 +498,8 @@ func (s *Server) handleAdmin(w http.ResponseWriter, r *http.Request) {
} }
func (s *Server) handleUpdateDescription(w http.ResponseWriter, r *http.Request) { func (s *Server) handleUpdateDescription(w http.ResponseWriter, r *http.Request) {
slug := chi.URLParam(r, "slug") event := s.authorizeAdmin(w, r, false)
token := chi.URLParam(r, "token") if event == nil {
event, err := s.q.GetEventBySlug(r.Context(), slug)
if err != nil || event.AdminToken != token {
http.NotFound(w, r)
return return
} }
@@ -491,16 +512,12 @@ func (s *Server) handleUpdateDescription(w http.ResponseWriter, r *http.Request)
ID: event.ID, ID: event.ID,
}) })
http.Redirect(w, r, fmt.Sprintf("/e/%s/admin/%s", slug, token), http.StatusSeeOther) http.Redirect(w, r, fmt.Sprintf("/e/%s/admin/%s", event.Slug, event.AdminToken), http.StatusSeeOther)
} }
func (s *Server) handleCreateSlot(w http.ResponseWriter, r *http.Request) { func (s *Server) handleCreateSlot(w http.ResponseWriter, r *http.Request) {
slug := chi.URLParam(r, "slug") event := s.authorizeAdmin(w, r, false)
token := chi.URLParam(r, "token") if event == nil {
event, err := s.q.GetEventBySlug(r.Context(), slug)
if err != nil || event.AdminToken != token {
http.NotFound(w, r)
return return
} }
@@ -527,7 +544,7 @@ func (s *Server) handleCreateSlot(w http.ResponseWriter, r *http.Request) {
return return
} }
_, err = s.q.CreateSlot(r.Context(), db.CreateSlotParams{ _, err := s.q.CreateSlot(r.Context(), db.CreateSlotParams{
EventID: event.ID, Name: name, Emoji: emoji, MaxClaims: mc, SortOrder: 999, EventID: event.ID, Name: name, Emoji: emoji, MaxClaims: mc, SortOrder: 999,
}) })
if err != nil { if err != nil {
@@ -535,9 +552,9 @@ func (s *Server) handleCreateSlot(w http.ResponseWriter, r *http.Request) {
return return
} }
s.notify(slug) s.notify(event.Slug)
data, err := s.loadEventPage(r, slug, true) data, err := s.loadEventPage(r, event.Slug, true)
if err != nil { if err != nil {
http.Error(w, "error", http.StatusInternalServerError) http.Error(w, "error", http.StatusInternalServerError)
return return
@@ -546,12 +563,8 @@ func (s *Server) handleCreateSlot(w http.ResponseWriter, r *http.Request) {
} }
func (s *Server) handleDeleteSlot(w http.ResponseWriter, r *http.Request) { func (s *Server) handleDeleteSlot(w http.ResponseWriter, r *http.Request) {
slug := chi.URLParam(r, "slug") event := s.authorizeAdmin(w, r, false)
token := chi.URLParam(r, "token") if event == nil {
event, err := s.q.GetEventBySlug(r.Context(), slug)
if err != nil || event.AdminToken != token {
http.NotFound(w, r)
return return
} }
@@ -562,9 +575,9 @@ func (s *Server) handleDeleteSlot(w http.ResponseWriter, r *http.Request) {
} }
s.q.DeleteSlot(r.Context(), slotID) s.q.DeleteSlot(r.Context(), slotID)
s.notify(slug) s.notify(event.Slug)
data, err := s.loadEventPage(r, slug, true) data, err := s.loadEventPage(r, event.Slug, true)
if err != nil { if err != nil {
http.Error(w, "error", http.StatusInternalServerError) http.Error(w, "error", http.StatusInternalServerError)
return return
templates/event.html
+1 -1
View File
@@ -15,7 +15,7 @@
<meta name="twitter:image" content="{{.BaseURL}}/e/{{.Event.Slug}}/og.png"> <meta name="twitter:image" content="{{.BaseURL}}/e/{{.Event.Slug}}/og.png">
{{end}} {{end}}
{{define "admin-bar"}}{{if .IsAdmin}}<div class="admin-bar">ADMIN VIEW — share the guest link: /e/{{.Event.Slug}}</div>{{end}}{{end}} {{define "admin-bar"}}{{if .IsAdmin}}<div class="admin-bar">ADMIN VIEW — <button onclick="navigator.clipboard.writeText(window.location.origin+'/e/{{.Event.Slug}}').then(()=>{this.textContent='Copied!';setTimeout(()=>{this.textContent='Copy guest link'},1500)})" style="background:none;border:none;font-family:inherit;font-size:inherit;cursor:pointer;text-decoration:underline;color:inherit;">Copy guest link</button></div>{{end}}{{end}}
{{define "content"}} {{define "content"}}
<div class="event-header"> <div class="event-header">