base dashboard and login

internal/handlers/helpers.go

@@ -0,0 +1,49 @@
+package handlers
+
+import (
+	"crypto/subtle"
+	"net/http"
+	"net/url"
+	"regexp"
+
+	"crowdsec-dashy/internal/middleware"
+)
+
+var validNameRE = regexp.MustCompile(`^[a-zA-Z0-9_\-]{1,64}$`)
+
+func matchName(name string) (bool, error) {
+	return validNameRE.MatchString(name), nil
+}
+
+// flashRedirect redirects with flash type and message as query params.
+func flashRedirect(w http.ResponseWriter, r *http.Request, to, flashType, msg string) {
+	v := url.Values{}
+	v.Set("flash", flashType)
+	v.Set("msg", msg)
+	http.Redirect(w, r, to+"?"+v.Encode(), http.StatusSeeOther)
+}
+
+// readFlash extracts a validated flash message from URL query params.
+func readFlash(r *http.Request) FlashMessage {
+	flash := r.URL.Query().Get("flash")
+	msg := r.URL.Query().Get("msg")
+	if flash == "" || msg == "" {
+		return FlashMessage{}
+	}
+	switch flash {
+	case "success", "error", "warning", "info":
+		return FlashMessage{Type: flash, Message: msg}
+	}
+	return FlashMessage{}
+}
+
+// checkCSRF verifies the _csrf form field against the token in the request context.
+// Must be called after r.ParseForm().
+func checkCSRF(r *http.Request) bool {
+	expected := middleware.CSRFFromContext(r)
+	if expected == "" {
+		return false
+	}
+	got := r.FormValue("_csrf")
+	return subtle.ConstantTimeCompare([]byte(got), []byte(expected)) == 1
+}