phase 2 testing complete

internal/api/router.go

@@ -1,13 +1,13 @@
 package api
 
 import (
+	"encoding/json"
 	"io/fs"
 	"net/http"
 
 	"github.com/go-chi/chi/v5"
 	chimiddleware "github.com/go-chi/chi/v5/middleware"
 	"github.com/go-chi/cors"
-	gcsrf "github.com/gorilla/csrf"
 	"github.com/gorilla/sessions"
 	"xorm.io/xorm"
 
@@ -30,15 +30,7 @@ func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, staticFi
 		MaxAge:           300,
 	}))
 
-	csrfMiddleware := gcsrf.Protect(
-		[]byte(cfg.CSRFSecret),
-		gcsrf.Secure(!cfg.Debug),
-		gcsrf.SameSite(gcsrf.SameSiteLaxMode),
-		gcsrf.ErrorHandler(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			http.Error(w, `{"error":"CSRF validation failed"}`, http.StatusForbidden)
-		})),
-	)
-
+	csrf := middleware.CSRF(!cfg.Debug)
 	auth := middleware.NewAuth(store)
 
 	repoH := handlers.NewRepoHandler(engine, cfg)
@@ -47,57 +39,61 @@ func New(cfg *config.Config, engine *xorm.Engine, store sessions.Store, staticFi
 	pipeH := handlers.NewPipelineHandler(engine)
 	wsH := handlers.NewWSHandler()
 
-	// Health — no auth, no CSRF
-	r.Get("/api/v1/health", func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("Content-Type", "application/json")
-		w.Write([]byte(`{"status":"ok"}`))
-	})
+	r.Route("/api/v1", func(r chi.Router) {
 
-	// CSRF token bootstrap for SPA
-	r.With(csrfMiddleware).Get("/api/v1/csrf", func(w http.ResponseWriter, r *http.Request) {
-		w.Header().Set("X-CSRF-Token", gcsrf.Token(r))
-		w.Header().Set("Content-Type", "application/json")
-		w.Write([]byte(`{"ok":true}`))
-	})
+		// ── Public ────────────────────────────────────────────────────────────
+		r.Get("/health", func(w http.ResponseWriter, r *http.Request) {
+			w.Header().Set("Content-Type", "application/json")
+			w.Write([]byte(`{"status":"ok"}`))
+		})
 
-	// Auth (CSRF protected, no session required)
-	r.With(csrfMiddleware).Route("/api/v1/auth", func(r chi.Router) {
-		r.Post("/login", userH.Login)
-		r.Post("/logout", userH.Logout)
-		r.Post("/register", userH.Register)
-	})
+		// Generates a CSRF token + cookie. SPA calls this once on load.
+		r.Get("/csrf", func(w http.ResponseWriter, r *http.Request) {
+			token, err := middleware.NewCSRFToken(w, !cfg.Debug)
+			if err != nil {
+				http.Error(w, `{"error":"could not generate CSRF token"}`, http.StatusInternalServerError)
+				return
+			}
+			w.Header().Set("Content-Type", "application/json")
+			json.NewEncoder(w).Encode(map[string]string{"token": token})
+		})
 
-	// Authenticated API
-	r.With(csrfMiddleware).With(auth.Require).Route("/api/v1", func(r chi.Router) {
-		r.Get("/me", userH.Me)
+		// ── Auth (CSRF validated, no session required) ─────────────────────────
+		r.With(csrf).Post("/auth/register", userH.Register)
+		r.With(csrf).Post("/auth/login", userH.Login)
+		r.With(csrf).Post("/auth/logout", userH.Logout)
 
-		r.Route("/repos", func(r chi.Router) {
-			r.Get("/", repoH.List)
-			r.Post("/", repoH.Create)
-			r.Route("/{owner}/{repo}", func(r chi.Router) {
-				r.Get("/", repoH.Get)
-				r.Get("/tree", repoH.Tree)
-				r.Get("/blob", repoH.Blob)
-				r.Get("/commits", repoH.Commits)
-				r.Route("/pulls", func(r chi.Router) {
-					r.Get("/", prH.List)
-					r.Post("/", prH.Create)
-					r.Get("/{prID}", prH.Get)
-					r.Post("/{prID}/merge", prH.Merge)
-					r.Post("/{prID}/close", prH.Close)
-				})
-				r.Route("/pipelines", func(r chi.Router) {
-					r.Get("/", pipeH.List)
-					r.Get("/{runID}", pipeH.Get)
+		// ── Protected (session + CSRF for mutations) ──────────────────────────
+		r.Group(func(r chi.Router) {
+			r.Use(auth.Require)
+
+			r.Get("/me", userH.Me)
+
+			r.Route("/repos", func(r chi.Router) {
+				r.Get("/", repoH.List)
+				r.With(csrf).Post("/", repoH.Create)
+				r.Route("/{owner}/{repo}", func(r chi.Router) {
+					r.Get("/", repoH.Get)
+					r.Get("/tree", repoH.Tree)
+					r.Get("/blob", repoH.Blob)
+					r.Get("/commits", repoH.Commits)
+					r.Route("/pulls", func(r chi.Router) {
+						r.Get("/", prH.List)
+						r.With(csrf).Post("/", prH.Create)
+						r.Get("/{prID}", prH.Get)
+						r.With(csrf).Post("/{prID}/merge", prH.Merge)
+						r.With(csrf).Post("/{prID}/close", prH.Close)
+					})
+					r.Route("/pipelines", func(r chi.Router) {
+						r.Get("/", pipeH.List)
+						r.Get("/{runID}", pipeH.Get)
+					})
 				})
 			})
 		})
 	})
 
-	// WebSocket — session auth only, no CSRF needed for WS upgrades
 	r.With(auth.Optional).Get("/ws", wsH.Hub)
-
-	// SPA fallback
 	r.Handle("/*", spaHandler(staticFiles))
 
 	return r