login

assets/login.html

@@ -26,11 +26,11 @@
         <img src="./static/graphicarts/anchor.svg" alt="">
         <div class="form-group">
             <label for="username">Username</label>
-            <input class="form-control" id="username">
+            <input name="username" class="form-control" id="username" autocomplete="off">
         </div>
         <div class="form-group">
             <label for="password">Password</label>
-            <input class="form-control" id="password" type="password">
+            <input name="password" class="form-control" id="password" type="password">
         </div>
         <button class="btn btn-block btn-default" type="submit">Login</button>
     </form>

server/auth.go

@@ -2,6 +2,8 @@ package server
 
 import (
 	"net/http"
+	"crypto/subtle"
+	"time"
 )
 
 
@@ -18,5 +20,11 @@ func userIsAuthenticated(req *http.Request, username, password string) bool {
 }
 
 func userAuthenticate(rw http.ResponseWriter, username, password string) {
-
+	expires := time.Now().Add(time.Hour * 24 * 7)  // 1 week
+	cookie := http.Cookie{Name: "auth", Value: username, Expires: expires}
+	http.SetCookie(rw, &cookie)
+}
+
+func safeCompare(p1, p2 string) bool {
+	return subtle.ConstantTimeCompare([]byte(p1), []byte(p2)) == 1
 }

server/handlers.go

@@ -93,7 +93,13 @@ func IndexHandler(rw http.ResponseWriter, req *http.Request) {
 	h := handler(req)
 	if h.requiresAuth() && !userIsAuthenticated(req, h.Username, h.Password) {
 		if req.Method == "POST" {
-			// TODO: implement
+			username := req.FormValue("username")
+			password := req.FormValue("password")
+			if safeCompare(username, h.Username) && safeCompare(password, h.Password) {
+				userAuthenticate(rw, username, password)
+				http.Redirect(rw, req, req.URL.Path, http.StatusFound)
+				return
+			}
 		}
 
 		if assets != nil {