feat(auth): magic-link request + consume HTTP handlers (ADR-0028 Phase A.4) #62

Merged
arcodange merged 1 commits from feat/magic-link-handlers-phase-a4 into main 2026-05-05 11:32:13 +02:00
Owner

Summary

ADR-0028 Phase A.4 — passwordless-auth HTTP layer.

  • POST /api/v1/auth/magic-link/request — sends one-time link; always 200 (no enumeration)
  • GET /api/v1/auth/magic-link/consume — validates + signs in (signup-on-first-link)
  • Wired into chi router; gated on userRepo implementing user.MagicLinkRepository
  • Config: auth.magic_link.{ttl,base_url} with sane defaults
  • 11 unit tests vs fake repo / service / sender

Test plan

  • go test ./... — green (pkg/user/api +11 tests)
  • go vet ./... clean
arcodange added 1 commit 2026-05-05 11:32:05 +02:00
Adds the two passwordless-auth endpoints behind /api/v1/auth/:
  POST /magic-link/request   — body {email}; always 200 (no enumeration leak)
  GET  /magic-link/consume   — ?token=...; signs in (signup-on-first-link)

Sign-up flow: first consume for an unknown email creates the user with a
random unguessable bcrypt-hashed password — keeps the schema NOT NULL
constraint while permanently locking the password endpoints out.

Failure modes (missing/expired/already-consumed) collapse to a single
401 to prevent attackers distinguishing them. DB persist failures on
request silently degrade to the generic 200 to avoid leaking internal
state.

Config:
  auth.magic_link.ttl       (default 15m, env DLC_AUTH_MAGIC_LINK_TTL)
  auth.magic_link.base_url  (default http://localhost:8080)

Tests: 11 unit tests against fakes (repo, user service, sender) cover
happy path (new + existing user), normalization, bad JSON, persist
failure, missing/unknown/expired/consumed token, URL builder.
arcodange merged commit f39acf5de5 into main 2026-05-05 11:32:13 +02:00
arcodange deleted branch feat/magic-link-handlers-phase-a4 2026-05-05 11:32:14 +02:00
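
The consume-side behaviour described in the commit message (missing, unknown, expired and already-consumed tokens collapsing to a single 401), as an added example that is not the PR's own code. `Store`, `link`, `Consume` and `ConsumeHandler` are hypothetical names, the handler uses plain `net/http` rather than the chi router, and deleting the token on first presentation is this example's assumption about how single use is enforced.

```go
package main

import (
	"fmt"
	"net/http"
	"sync"
	"time"
)

type link struct {
	email   string
	expires time.Time
}

type Store struct { // hypothetical in-memory stand-in for the token repository
	mu    sync.Mutex
	links map[string]link
}

// Consume burns the token on first presentation under one lock, so a replay or
// a concurrent duplicate finds nothing. Every failure returns the same ("", false).
func (s *Store) Consume(tok string, now time.Time) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	l, ok := s.links[tok]
	delete(s.links, tok)
	if !ok || !now.Before(l.expires) {
		return "", false
	}
	return l.email, true
}

// ConsumeHandler answers every failure mode with one byte-identical 401.
func ConsumeHandler(s *Store) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		email, ok := s.Consume(r.URL.Query().Get("token"), time.Now())
		if !ok {
			http.Error(w, "invalid or expired link", http.StatusUnauthorized)
			return
		}
		fmt.Fprintf(w, "signed in as %s", email)
	}
}

func main() { // constructed sample token; the second call is a replay
	s := &Store{links: map[string]link{"tok-live": {"a@example.test", time.Now().Add(time.Minute)}}}
	fmt.Println(s.Consume("tok-live", time.Now()))
	fmt.Println(s.Consume("tok-live", time.Now()))
}
```

Because the caller sees the same status and body in every failure case, the reason for a rejection has to be recorded server-side if operators need it.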
Reference: arcodange/dance-lessons-coach#62