txeo/cv-site
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Add plain text CV endpoint and contact form with security

Browse Source 
Plain text endpoint:
- Add /text route for plain text CV (for curl/AI crawlers)
- Use k3a/html2text library for HTML-to-text conversion
- Add Plain Text button to hamburger menu with UI translations

Contact form feature:
- Add ContactHandler with proper email service integration
- Add CSRF protection middleware
- Add rate limiting (5 submissions/hour per IP)
- Add honeypot and timing-based bot protection
- Add input validation with detailed error messages
- Add security logging middleware
- Add browser-only middleware for API protection

Code quality:
- Fix all golangci-lint errcheck warnings for w.Write calls
- Remove duplicate getClientIP functions
- Wire up ContactHandler in routes.Setup
This commit is contained in:
juanatsap
2025-11-30 13:47:49 +00:00
parent ae430e6ea7
commit f91a24ea9b
26 changed files with 3213 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/handlers/contact.go
+215
View File
@@ -0,0 +1,215 @@
package handlers
import (
"fmt"
"log"
"net/http"
"strings"
"time"
"github.com/juanatsap/cv-site/internal/services"
"github.com/juanatsap/cv-site/internal/templates"
)
// ContactHandler handles contact form submissions
type ContactHandler struct {
templates *templates.Manager
emailService *services.EmailService
}
// NewContactHandler creates a new contact handler
func NewContactHandler(tmpl *templates.Manager, emailService *services.EmailService) *ContactHandler {
return &ContactHandler{
templates: tmpl,
emailService: emailService,
}
}
// ContactFormRequest represents the contact form submission
type ContactFormRequest struct {
Email string
Name string
Company string
Subject string
Message string
Honeypot string // Hidden field - should be empty
SubmitTime time.Time // Set by client, checked server-side
CSRFToken string
}
// Submit handles POST /api/contact
func (h *ContactHandler) Submit(w http.ResponseWriter, r *http.Request) {
// Only accept POST
if r.Method != http.MethodPost {
HandleError(w, r, NewAppError(nil, "Method not allowed", http.StatusMethodNotAllowed, false))
return
}
// Parse form
if err := r.ParseForm(); err != nil {
log.Printf("ERROR parsing contact form: %v", err)
h.renderError(w, r, "Invalid form data. Please try again.")
return
}
// Extract form data
req := &ContactFormRequest{
Email: strings.TrimSpace(r.FormValue("email")),
Name: strings.TrimSpace(r.FormValue("name")),
Company: strings.TrimSpace(r.FormValue("company")),
Subject: strings.TrimSpace(r.FormValue("subject")),
Message: strings.TrimSpace(r.FormValue("message")),
Honeypot: r.FormValue("website"), // Honeypot field
CSRFToken: r.FormValue("csrf_token"),
}
// Bot protection: Honeypot check
if req.Honeypot != "" {
log.Printf("SECURITY: Honeypot triggered from IP %s", getClientIP(r))
// Don't reveal that we detected a bot - just show success
h.renderSuccess(w, r)
return
}
// Bot protection: Timing check
submitTimeStr := r.FormValue("submit_time")
if submitTimeStr != "" {
// Parse submit time (Unix timestamp in milliseconds)
var submitTimeMs int64
if _, err := fmt.Sscanf(submitTimeStr, "%d", &submitTimeMs); err == nil {
submitTime := time.Unix(0, submitTimeMs*int64(time.Millisecond))
elapsed := time.Since(submitTime)
// Reject if submitted too fast (< 2 seconds)
if elapsed < 2*time.Second {
log.Printf("SECURITY: Form submitted too fast (%v) from IP %s", elapsed, getClientIP(r))
h.renderError(w, r, "Please take your time filling out the form.")
return
}
}
}
// CSRF validation is handled by middleware
// Validate required fields
if req.Email == "" {
h.renderError(w, r, "Email address is required.")
return
}
if req.Message == "" {
h.renderError(w, r, "Message is required.")
return
}
// Create email data
emailData := &services.ContactFormData{
Email: req.Email,
Name: req.Name,
Company: req.Company,
Subject: req.Subject,
Message: req.Message,
IP: getClientIP(r),
Time: time.Now(),
}
// Send email
if err := h.emailService.SendContactForm(emailData); err != nil {
log.Printf("ERROR sending contact email: %v", err)
// Check if it's a validation error or server error
if strings.Contains(err.Error(), "validation failed") {
h.renderError(w, r, err.Error())
return
}
// Internal server error
h.renderError(w, r, "Failed to send message. Please try again later.")
return
}
// Log successful submission (without sensitive data)
log.Printf("Contact form submitted successfully from %s (%s)", req.Email, getClientIP(r))
// Render success response
h.renderSuccess(w, r)
}
// renderSuccess renders the success partial
func (h *ContactHandler) renderSuccess(w http.ResponseWriter, r *http.Request) {
w.Header().Set("Content-Type", "text/html; charset=utf-8")
w.WriteHeader(http.StatusOK)
tmpl, err := h.templates.Render("contact_success.html")
if err != nil {
log.Printf("ERROR loading success template: %v", err)
// Fallback to simple HTML
_, _ = w.Write([]byte(`<div class="alert alert-success">
<h3>Message Sent!</h3>
<p>Thank you for your message. I'll get back to you soon.</p>
</div>`))
return
}
if err := tmpl.Execute(w, nil); err != nil {
log.Printf("ERROR rendering success template: %v", err)
_, _ = w.Write([]byte(`<div class="alert alert-success">
<h3>Message Sent!</h3>
<p>Thank you for your message. I'll get back to you soon.</p>
</div>`))
}
}
// renderError renders the error partial
func (h *ContactHandler) renderError(w http.ResponseWriter, r *http.Request, message string) {
w.Header().Set("Content-Type", "text/html; charset=utf-8")
w.WriteHeader(http.StatusBadRequest)
data := map[string]interface{}{
"Message": message,
}
tmpl, err := h.templates.Render("contact_error.html")
if err != nil {
log.Printf("ERROR loading error template: %v", err)
// Fallback to simple HTML
_, _ = w.Write([]byte(`<div class="alert alert-error">
<h3>Error</h3>
<p>` + message + `</p>
</div>`))
return
}
if err := tmpl.Execute(w, data); err != nil {
log.Printf("ERROR rendering error template: %v", err)
_, _ = w.Write([]byte(`<div class="alert alert-error">
<h3>Error</h3>
<p>` + message + `</p>
</div>`))
}
}
// getClientIP extracts the client IP address from the request
func getClientIP(r *http.Request) string {
// Check X-Forwarded-For header (for proxies)
ip := r.Header.Get("X-Forwarded-For")
if ip != "" {
// X-Forwarded-For can contain multiple IPs, take the first one
ips := strings.Split(ip, ",")
return strings.TrimSpace(ips[0])
}
// Check X-Real-IP header
ip = r.Header.Get("X-Real-IP")
if ip != "" {
return ip
}
// Fallback to RemoteAddr
ip = r.RemoteAddr
// Remove port if present
if colonIndex := strings.LastIndex(ip, ":"); colonIndex != -1 {
ip = ip[:colonIndex]
}
return ip
}
internal/handlers/cv_contact.go
+253
View File
@@ -0,0 +1,253 @@
package handlers
import (
"fmt"
"log"
"net/http"
"strconv"
"strings"
"time"
uimodel "github.com/juanatsap/cv-site/internal/models/ui"
)
// ==============================================================================
// CONTACT FORM SUBMISSION HANDLER
// Part of CVHandler - handles POST /api/contact
// ==============================================================================
// ContactFormData represents the contact form submission
type ContactFormData struct {
Email string
Name string
Company string
Subject string
Message string
Website string // Honeypot field - should be empty
FormLoadedAt string // Timing field - Unix timestamp in milliseconds
Lang string
}
// HandleContact handles contact form submissions
func (h *CVHandler) HandleContact(w http.ResponseWriter, r *http.Request) {
// Only accept POST requests
if r.Method != http.MethodPost {
http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
return
}
// Parse form data
if err := r.ParseForm(); err != nil {
log.Printf("Error parsing contact form: %v", err)
h.renderContactError(w, r, "Invalid form data. Please try again.")
return
}
// Get language from query parameter
lang := r.URL.Query().Get("lang")
if lang == "" {
lang = "en"
}
// Validate language
if lang != "en" && lang != "es" {
lang = "en"
}
// Extract form data
formData := &ContactFormData{
Email: strings.TrimSpace(r.FormValue("email")),
Name: strings.TrimSpace(r.FormValue("name")),
Company: strings.TrimSpace(r.FormValue("company")),
Subject: strings.TrimSpace(r.FormValue("subject")),
Message: strings.TrimSpace(r.FormValue("message")),
Website: r.FormValue("website"), // Honeypot
FormLoadedAt: r.FormValue("form_loaded_at"), // Timing
Lang: lang,
}
// Validate form data (includes bot protection)
if err := validateContactForm(formData, r); err != nil {
log.Printf("Contact form validation failed from IP %s: %v", getClientIP(r), err)
// Don't reveal specific errors to potential bots
if strings.Contains(err.Error(), "spam detected") {
// Silently succeed for bots
h.renderContactSuccess(w, r, lang)
return
}
h.renderContactError(w, r, err.Error())
return
}
// Log the contact form submission (in production, send email or save to database)
log.Printf("Contact form submission from %s (IP: %s)", formData.Email, getClientIP(r))
log.Printf(" Name: %s, Company: %s", formData.Name, formData.Company)
log.Printf(" Subject: %s", formData.Subject)
log.Printf(" Message length: %d characters", len(formData.Message))
// TODO: Implement actual email sending or database storage here
// For now, we just log and return success
// Render success response
h.renderContactSuccess(w, r, lang)
}
// validateContactForm validates the contact form data and performs bot protection
func validateContactForm(data *ContactFormData, r *http.Request) error {
// Bot protection: Honeypot check - website field should be empty
if data.Website != "" {
return fmt.Errorf("spam detected: honeypot field filled")
}
// Bot protection: Timing check - form should take at least 2 seconds to fill
if data.FormLoadedAt != "" {
loadedAt, err := strconv.ParseInt(data.FormLoadedAt, 10, 64)
if err == nil {
now := time.Now().UnixMilli()
elapsed := now - loadedAt
// Form filled too quickly (< 2 seconds) - likely a bot
if elapsed < 2000 {
return fmt.Errorf("spam detected: form filled too quickly (%dms)", elapsed)
}
// Form took too long (> 1 hour) - timestamp expired
if elapsed > 3600000 {
return fmt.Errorf("form session expired, please refresh and try again")
}
}
}
// Required field validation
if data.Email == "" {
return fmt.Errorf("email address is required")
}
if data.Message == "" {
return fmt.Errorf("message is required")
}
// Email format validation (basic)
if !strings.Contains(data.Email, "@") || !strings.Contains(data.Email, ".") {
return fmt.Errorf("invalid email format")
}
// Message length validation
if len(data.Message) < 10 {
return fmt.Errorf("message is too short (minimum 10 characters)")
}
if len(data.Message) > 5000 {
return fmt.Errorf("message is too long (maximum 5000 characters)")
}
return nil
}
// renderContactSuccess renders the contact success partial
func (h *CVHandler) renderContactSuccess(w http.ResponseWriter, r *http.Request, lang string) {
// Load UI data for the specified language
ui, err := uimodel.LoadUI(lang)
if err != nil {
log.Printf("Error loading UI data: %v", err)
http.Error(w, "Internal server error", http.StatusInternalServerError)
return
}
// Create template data
data := map[string]interface{}{
"UI": ui,
"Lang": lang,
}
// Render the success template
w.Header().Set("Content-Type", "text/html; charset=utf-8")
w.WriteHeader(http.StatusOK)
tmpl, err := h.templates.Render("contact-success")
if err != nil {
log.Printf("Error loading contact success template: %v", err)
// Fallback to simple HTML
_, _ = w.Write([]byte(`<div class="contact-message contact-success">
<iconify-icon icon="mdi:check-circle" width="24" height="24"></iconify-icon>
<div class="contact-message-content">
<strong>Message Sent!</strong>
<p>Thank you for your message. I'll get back to you soon.</p>
</div>
</div>`))
return
}
if err := tmpl.Execute(w, data); err != nil {
log.Printf("Error rendering contact success template: %v", err)
_, _ = w.Write([]byte(`<div class="contact-message contact-success">
<iconify-icon icon="mdi:check-circle" width="24" height="24"></iconify-icon>
<div class="contact-message-content">
<strong>Message Sent!</strong>
<p>Thank you for your message. I'll get back to you soon.</p>
</div>
</div>`))
}
}
// renderContactError renders the contact error partial
func (h *CVHandler) renderContactError(w http.ResponseWriter, r *http.Request, errorMessage string) {
// Get language from query parameter
lang := r.URL.Query().Get("lang")
if lang == "" {
lang = "en"
}
// Validate language
if lang != "en" && lang != "es" {
lang = "en"
}
// Load UI data for the specified language
ui, err := uimodel.LoadUI(lang)
if err != nil {
log.Printf("Error loading UI data: %v", err)
http.Error(w, "Internal server error", http.StatusInternalServerError)
return
}
// Create template data
data := map[string]interface{}{
"UI": ui,
"Lang": lang,
"ErrorMessage": errorMessage,
}
// Render the error template
w.Header().Set("Content-Type", "text/html; charset=utf-8")
w.WriteHeader(http.StatusBadRequest)
tmpl, err := h.templates.Render("contact-error")
if err != nil {
log.Printf("Error loading contact error template: %v", err)
// Fallback to simple HTML
_, _ = w.Write([]byte(`<div class="contact-message contact-error">
<iconify-icon icon="mdi:alert-circle" width="24" height="24"></iconify-icon>
<div class="contact-message-content">
<strong>Error</strong>
<p>` + errorMessage + `</p>
</div>
</div>`))
return
}
if err := tmpl.Execute(w, data); err != nil {
log.Printf("Error rendering contact error template: %v", err)
_, _ = w.Write([]byte(`<div class="contact-message contact-error">
<iconify-icon icon="mdi:alert-circle" width="24" height="24"></iconify-icon>
<div class="contact-message-content">
<strong>Error</strong>
<p>` + errorMessage + `</p>
</div>
</div>`))
}
}
// Note: getClientIP is defined in contact.go
internal/handlers/cv_text.go
+68
View File
@@ -0,0 +1,68 @@
package handlers
import (
"bytes"
"log"
"net/http"
"github.com/k3a/html2text"
)
// ==============================================================================
// PLAIN TEXT HANDLER
// Converts HTML CV to readable plain text for terminal/AI consumption
// ==============================================================================
// PlainText renders the CV as plain text
// Useful for: curl users, AI crawlers, accessibility, copy-paste
func (h *CVHandler) PlainText(w http.ResponseWriter, r *http.Request) {
// Get language from query parameter, default to English
lang := r.URL.Query().Get("lang")
if lang == "" {
lang = "en"
}
// Validate language
if lang != "en" && lang != "es" {
http.Error(w, "Unsupported language. Use 'en' or 'es'", http.StatusBadRequest)
return
}
// Prepare template data using shared helper
data, err := h.prepareTemplateData(lang)
if err != nil {
log.Printf("PlainText: Failed to load CV data: %v", err)
http.Error(w, "Failed to load CV data", http.StatusInternalServerError)
return
}
// Add preferences for full CV display (show everything)
data["CVLengthClass"] = "cv-long"
data["ShowIcons"] = false // Icons don't render in text
data["ThemeClean"] = false
// Render HTML template to buffer
tmpl, err := h.templates.Render("index.html")
if err != nil {
log.Printf("PlainText: Failed to load template: %v", err)
http.Error(w, "Failed to load template", http.StatusInternalServerError)
return
}
var htmlBuffer bytes.Buffer
if err := tmpl.Execute(&htmlBuffer, data); err != nil {
log.Printf("PlainText: Failed to execute template: %v", err)
http.Error(w, "Failed to render template: "+err.Error(), http.StatusInternalServerError)
return
}
// Convert HTML to plain text
text := html2text.HTML2Text(htmlBuffer.String())
// Set response headers
w.Header().Set("Content-Type", "text/plain; charset=utf-8")
w.Header().Set("X-Content-Type-Options", "nosniff")
// Write plain text response
_, _ = w.Write([]byte(text))
}
internal/middleware/browser_only.go
+120
View File
@@ -0,0 +1,120 @@
package middleware
import (
"log"
"net/http"
"strings"
)
const (
// Custom header that browser JavaScript must set
browserHeaderName = "X-Requested-With"
browserHeaderValue = "XMLHttpRequest"
)
// BrowserOnly restricts endpoint access to browser requests only
// Blocks curl, Postman, and other HTTP clients
// Requires:
// 1. User-Agent header (not curl/wget/etc)
// 2. Referer or Origin header from same domain
// 3. Custom header set by JavaScript (X-Requested-With: XMLHttpRequest)
func BrowserOnly(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Check 1: User-Agent validation
userAgent := r.Header.Get("User-Agent")
if userAgent == "" || isBotUserAgent(userAgent) {
log.Printf("SECURITY: Blocked non-browser User-Agent from IP %s: %s", getRequestIP(r), userAgent)
http.Error(w, "Forbidden: Browser access only", http.StatusForbidden)
return
}
// Check 2: Require Referer or Origin header
referer := r.Header.Get("Referer")
origin := r.Header.Get("Origin")
if referer == "" && origin == "" {
log.Printf("SECURITY: Blocked request without Referer/Origin from IP %s", getRequestIP(r))
http.Error(w, "Forbidden: Browser access only", http.StatusForbidden)
return
}
// Check 3: Custom header validation (set by JavaScript)
// For HTMX requests, check HX-Request header
// For fetch/XMLHttpRequest, check X-Requested-With header
hasHTMXHeader := r.Header.Get("HX-Request") == "true"
hasXMLHTTPHeader := r.Header.Get(browserHeaderName) == browserHeaderValue
hasCustomBrowserHeader := r.Header.Get("X-Browser-Request") == "true"
if !hasHTMXHeader && !hasXMLHTTPHeader && !hasCustomBrowserHeader {
log.Printf("SECURITY: Blocked request without browser headers from IP %s", getRequestIP(r))
http.Error(w, "Forbidden: Browser access only", http.StatusForbidden)
return
}
// All checks passed
next.ServeHTTP(w, r)
})
}
// isBotUserAgent checks if the User-Agent is from a known HTTP client/bot
func isBotUserAgent(ua string) bool {
ua = strings.ToLower(ua)
// Known HTTP clients and tools
blockedAgents := []string{
"curl",
"wget",
"postman",
"insomnia",
"httpie",
"python-requests",
"python-urllib",
"java",
"okhttp",
"go-http-client",
"axios", // Node.js axios without proper browser headers
"node-fetch",
"apache-httpclient",
"libwww-perl",
"php",
"ruby",
"scrapy",
"bot",
"crawler",
"spider",
}
for _, blocked := range blockedAgents {
if strings.Contains(ua, blocked) {
return true
}
}
return false
}
// getRequestIP extracts the client IP from the request
func getRequestIP(r *http.Request) string {
// Try X-Forwarded-For first (for proxies/load balancers)
ip := r.Header.Get("X-Forwarded-For")
if ip != "" {
// Take first IP if multiple
ips := strings.Split(ip, ",")
return strings.TrimSpace(ips[0])
}
// Try X-Real-IP
ip = r.Header.Get("X-Real-IP")
if ip != "" {
return ip
}
// Fallback to RemoteAddr
ip = r.RemoteAddr
// Remove port
if idx := strings.LastIndex(ip, ":"); idx != -1 {
ip = ip[:idx]
}
return ip
}
internal/middleware/contact_rate_limit.go
+131
View File
@@ -0,0 +1,131 @@
package middleware
import (
"net/http"
"strings"
"sync"
"time"
)
// contactRateLimitEntry tracks rate limiting for contact form per IP
type contactRateLimitEntry struct {
count int
resetTime time.Time
}
// ContactRateLimiter provides rate limiting specifically for contact form
// Allows 5 submissions per hour per IP address
type ContactRateLimiter struct {
mu sync.RWMutex
clients map[string]*contactRateLimitEntry
}
// NewContactRateLimiter creates a new contact form rate limiter
// Default: 5 requests per hour per IP
func NewContactRateLimiter() *ContactRateLimiter {
rl := &ContactRateLimiter{
clients: make(map[string]*contactRateLimitEntry),
}
// Cleanup expired entries every 10 minutes
go rl.cleanup()
return rl
}
// Middleware returns rate limiting middleware for contact form
func (rl *ContactRateLimiter) Middleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Get client IP (handle X-Forwarded-For for proxies)
ip := r.Header.Get("X-Forwarded-For")
if ip == "" {
ip = r.Header.Get("X-Real-IP")
}
if ip == "" {
ip = strings.Split(r.RemoteAddr, ":")[0]
}
// Extract first IP if multiple IPs in X-Forwarded-For
if strings.Contains(ip, ",") {
ip = strings.TrimSpace(strings.Split(ip, ",")[0])
}
if !rl.allow(ip) {
// Check if HTMX request
isHTMX := r.Header.Get("HX-Request") != ""
if isHTMX {
// Return HTMX-friendly error
w.Header().Set("Content-Type", "text/html; charset=utf-8")
w.WriteHeader(http.StatusTooManyRequests)
_, _ = w.Write([]byte(`<div class="alert alert-error">
<h3>Too Many Requests</h3>
<p>You've submitted too many contact forms. Please wait an hour before trying again.</p>
</div>`))
} else {
w.Header().Set("Retry-After", "3600") // 1 hour
http.Error(w, "Too many contact form submissions. Please try again in an hour.", http.StatusTooManyRequests)
}
return
}
next.ServeHTTP(w, r)
})
}
// allow checks if the request is allowed based on rate limit
// Limit: 5 submissions per hour
func (rl *ContactRateLimiter) allow(ip string) bool {
rl.mu.Lock()
defer rl.mu.Unlock()
now := time.Now()
limit := 5
window := 1 * time.Hour
entry, exists := rl.clients[ip]
if !exists || now.After(entry.resetTime) {
// New client or window expired
rl.clients[ip] = &contactRateLimitEntry{
count: 1,
resetTime: now.Add(window),
}
return true
}
if entry.count >= limit {
return false
}
entry.count++
return true
}
// cleanup removes expired entries periodically
func (rl *ContactRateLimiter) cleanup() {
ticker := time.NewTicker(10 * time.Minute)
defer ticker.Stop()
for range ticker.C {
rl.mu.Lock()
now := time.Now()
for ip, entry := range rl.clients {
if now.After(entry.resetTime) {
delete(rl.clients, ip)
}
}
rl.mu.Unlock()
}
}
// GetStats returns current rate limit statistics (for monitoring/debugging)
func (rl *ContactRateLimiter) GetStats() map[string]interface{} {
rl.mu.RLock()
defer rl.mu.RUnlock()
return map[string]interface{}{
"total_clients": len(rl.clients),
"limit": 5,
"window": "1 hour",
}
}
internal/middleware/csrf.go
+200
View File
@@ -0,0 +1,200 @@
package middleware
import (
"crypto/rand"
"encoding/base64"
"fmt"
"log"
"net/http"
"sync"
"time"
)
const (
csrfTokenLength = 32
csrfCookieName = "csrf_token"
csrfFormField = "csrf_token"
csrfTokenTTL = 24 * time.Hour
)
// csrfTokenEntry stores token with expiration
type csrfTokenEntry struct {
token string
expiresAt time.Time
}
// CSRFProtection provides CSRF token generation and validation
type CSRFProtection struct {
mu sync.RWMutex
tokens map[string]*csrfTokenEntry // map[token]entry
}
// NewCSRFProtection creates a new CSRF protection instance
func NewCSRFProtection() *CSRFProtection {
csrf := &CSRFProtection{
tokens: make(map[string]*csrfTokenEntry),
}
// Cleanup expired tokens every hour
go csrf.cleanup()
return csrf
}
// Middleware provides CSRF protection for state-changing operations
// GET requests: Generate and set CSRF token
// POST/PUT/DELETE: Validate CSRF token
func (c *CSRFProtection) Middleware(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// Only validate on state-changing methods
if r.Method == http.MethodPost || r.Method == http.MethodPut || r.Method == http.MethodDelete {
if !c.validateToken(r) {
log.Printf("SECURITY: CSRF validation failed from IP %s", getClientIP(r))
// Check if HTMX request
isHTMX := r.Header.Get("HX-Request") != ""
if isHTMX {
w.Header().Set("Content-Type", "text/html; charset=utf-8")
w.WriteHeader(http.StatusForbidden)
_, _ = w.Write([]byte(`<div class="alert alert-error">
<h3>Security Error</h3>
<p>Invalid security token. Please refresh the page and try again.</p>
</div>`))
} else {
http.Error(w, "CSRF validation failed", http.StatusForbidden)
}
return
}
}
next.ServeHTTP(w, r)
})
}
// generateToken creates a new CSRF token
func (c *CSRFProtection) generateToken() (string, error) {
bytes := make([]byte, csrfTokenLength)
if _, err := rand.Read(bytes); err != nil {
return "", err
}
token := base64.URLEncoding.EncodeToString(bytes)
// Store token with expiration
c.mu.Lock()
c.tokens[token] = &csrfTokenEntry{
token: token,
expiresAt: time.Now().Add(csrfTokenTTL),
}
c.mu.Unlock()
return token, nil
}
// GetToken retrieves or generates a CSRF token for the request
// This should be called when rendering forms
func (c *CSRFProtection) GetToken(w http.ResponseWriter, r *http.Request) (string, error) {
// Check if token exists in cookie
cookie, err := r.Cookie(csrfCookieName)
if err == nil && cookie.Value != "" {
// Validate existing token
c.mu.RLock()
entry, exists := c.tokens[cookie.Value]
c.mu.RUnlock()
if exists && time.Now().Before(entry.expiresAt) {
// Token is valid, return it
return cookie.Value, nil
}
}
// Generate new token
token, err := c.generateToken()
if err != nil {
return "", fmt.Errorf("failed to generate CSRF token: %w", err)
}
// Set cookie
http.SetCookie(w, &http.Cookie{
Name: csrfCookieName,
Value: token,
Path: "/",
HttpOnly: true,
Secure: r.TLS != nil, // Only set Secure flag if using HTTPS
SameSite: http.SameSiteStrictMode,
MaxAge: int(csrfTokenTTL.Seconds()),
})
return token, nil
}
// validateToken validates the CSRF token from the request
func (c *CSRFProtection) validateToken(r *http.Request) bool {
// Get token from form
var formToken string
// Try form value first
if err := r.ParseForm(); err == nil {
formToken = r.FormValue(csrfFormField)
}
// If not in form, try header (for AJAX requests)
if formToken == "" {
formToken = r.Header.Get("X-CSRF-Token")
}
if formToken == "" {
log.Printf("CSRF: No token in request")
return false
}
// Get token from cookie
cookie, err := r.Cookie(csrfCookieName)
if err != nil || cookie.Value == "" {
log.Printf("CSRF: No token in cookie")
return false
}
// Tokens must match
if formToken != cookie.Value {
log.Printf("CSRF: Token mismatch")
return false
}
// Validate token exists and is not expired
c.mu.RLock()
entry, exists := c.tokens[formToken]
c.mu.RUnlock()
if !exists {
log.Printf("CSRF: Token not found in store")
return false
}
if time.Now().After(entry.expiresAt) {
log.Printf("CSRF: Token expired")
return false
}
return true
}
// cleanup removes expired tokens periodically
func (c *CSRFProtection) cleanup() {
ticker := time.NewTicker(1 * time.Hour)
defer ticker.Stop()
for range ticker.C {
c.mu.Lock()
now := time.Now()
for token, entry := range c.tokens {
if now.After(entry.expiresAt) {
delete(c.tokens, token)
}
}
c.mu.Unlock()
}
}
// Note: getClientIP is defined in security_logger.go
internal/middleware/security_logger.go
+228
View File
@@ -0,0 +1,228 @@
package middleware
import (
"encoding/json"
"log"
"net/http"
"os"
"strings"
"time"
)
// SecurityEvent represents a security-related event
type SecurityEvent struct {
Timestamp time.Time `json:"timestamp"`
EventType string `json:"event_type"`
Severity string `json:"severity"`
IP string `json:"ip"`
UserAgent string `json:"user_agent"`
Method string `json:"method"`
Path string `json:"path"`
Details string `json:"details"`
}
// EventSeverity levels
const (
SeverityCritical = "CRITICAL"
SeverityHigh = "HIGH"
SeverityMedium = "MEDIUM"
SeverityLow = "LOW"
SeverityInfo = "INFO"
)
// Event types
const (
EventBlocked = "BLOCKED"
EventCSRFViolation = "CSRF_VIOLATION"
EventOriginViolation = "ORIGIN_VIOLATION"
EventRateLimitExceeded = "RATE_LIMIT_EXCEEDED"
EventValidationFailed = "VALIDATION_FAILED"
EventSuspiciousUserAgent = "SUSPICIOUS_USER_AGENT"
EventContactFormSent = "CONTACT_FORM_SENT"
EventContactFormFailed = "CONTACT_FORM_FAILED"
EventPDFGenerated = "PDF_GENERATED"
EventPDFGenerationFailed = "PDF_GENERATION_FAILED"
EventEmailSendFailed = "EMAIL_SEND_FAILED"
EventBotDetected = "BOT_DETECTED"
)
// LogSecurityEvent logs a security event in structured JSON format
func LogSecurityEvent(eventType string, r *http.Request, details string) {
severity := getSeverity(eventType)
event := SecurityEvent{
Timestamp: time.Now(),
EventType: eventType,
Severity: severity,
IP: getClientIP(r),
UserAgent: r.Header.Get("User-Agent"),
Method: r.Method,
Path: r.URL.Path,
Details: details,
}
// JSON format for easy parsing by SIEM systems
eventJSON, err := json.Marshal(event)
if err != nil {
log.Printf("ERROR: Failed to marshal security event: %v", err)
return
}
// Log to stdout (captured by systemd/Docker)
log.Printf("[SECURITY] %s", eventJSON)
// Also log to separate security log file in production
if os.Getenv("GO_ENV") == "production" {
logToSecurityFile(eventJSON)
}
}
// getSeverity determines the severity level based on event type
func getSeverity(eventType string) string {
switch eventType {
case EventBlocked, EventCSRFViolation, EventOriginViolation:
return SeverityHigh
case EventRateLimitExceeded, EventValidationFailed, EventSuspiciousUserAgent,
EventContactFormFailed, EventPDFGenerationFailed, EventEmailSendFailed:
return SeverityMedium
case EventBotDetected:
return SeverityLow
case EventContactFormSent, EventPDFGenerated:
return SeverityInfo
default:
return SeverityLow
}
}
// getClientIP extracts the real client IP from request headers
func getClientIP(r *http.Request) string {
// Check X-Forwarded-For header (proxy/load balancer)
if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
// Take first IP from comma-separated list
ips := strings.Split(xff, ",")
return strings.TrimSpace(ips[0])
}
// Check X-Real-IP header
if xri := r.Header.Get("X-Real-IP"); xri != "" {
return xri
}
// Fallback to RemoteAddr (remove port)
ip := r.RemoteAddr
if idx := strings.LastIndex(ip, ":"); idx != -1 {
ip = ip[:idx]
}
return ip
}
// logToSecurityFile appends security events to a dedicated log file
func logToSecurityFile(eventJSON []byte) {
// Create log directory if it doesn't exist
logDir := "/var/log/cv-app"
if err := os.MkdirAll(logDir, 0755); err != nil {
log.Printf("WARNING: Failed to create log directory: %v", err)
return
}
// Open security log file (append mode)
logPath := logDir + "/security.log"
f, err := os.OpenFile(logPath, os.O_APPEND|os.O_CREATE|os.O_WRONLY, 0644)
if err != nil {
log.Printf("WARNING: Failed to open security log file: %v", err)
return
}
defer f.Close()
// Write event with newline
if _, err := f.Write(eventJSON); err != nil {
log.Printf("WARNING: Failed to write to security log: %v", err)
return
}
if _, err := f.WriteString("\n"); err != nil {
log.Printf("WARNING: Failed to write newline to security log: %v", err)
}
}
// SecurityLogger middleware logs all requests with security context
func SecurityLogger(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
start := time.Now()
// Wrap response writer to capture status
wrapped := &responseWriter{
ResponseWriter: w,
status: http.StatusOK,
}
// Process request
next.ServeHTTP(wrapped, r)
// Log security-relevant requests
duration := time.Since(start)
// Log high-value endpoints
if isSecurityRelevantPath(r.URL.Path) {
details := map[string]interface{}{
"status": wrapped.status,
"duration_ms": duration.Milliseconds(),
"bytes": wrapped.written,
}
detailsJSON, _ := json.Marshal(details)
event := SecurityEvent{
Timestamp: time.Now(),
EventType: "REQUEST",
Severity: SeverityInfo,
IP: getClientIP(r),
UserAgent: r.Header.Get("User-Agent"),
Method: r.Method,
Path: r.URL.Path,
Details: string(detailsJSON),
}
eventJSON, _ := json.Marshal(event)
log.Printf("[SECURITY] %s", eventJSON)
}
// Log errors and security failures
if wrapped.status >= 400 {
severity := SeverityLow
if wrapped.status == 403 || wrapped.status == 429 {
severity = SeverityMedium
}
event := SecurityEvent{
Timestamp: time.Now(),
EventType: "HTTP_ERROR",
Severity: severity,
IP: getClientIP(r),
UserAgent: r.Header.Get("User-Agent"),
Method: r.Method,
Path: r.URL.Path,
Details: http.StatusText(wrapped.status),
}
eventJSON, _ := json.Marshal(event)
log.Printf("[SECURITY] %s", eventJSON)
}
})
}
// isSecurityRelevantPath determines if a path should be logged for security
func isSecurityRelevantPath(path string) bool {
securityPaths := []string{
"/api/contact",
"/export/pdf",
"/toggle/",
"/switch-language",
}
for _, sp := range securityPaths {
if strings.HasPrefix(path, sp) {
return true
}
}
return false
}
internal/models/ui/ui.go
+36
View File
@@ -12,6 +12,7 @@ type UI struct {
PdfModal PdfModal `json:"pdfModal"`
ShortcutsModal ShortcutsModal `json:"shortcutsModal"`
InfoModal InfoModal `json:"infoModal"`
ContactModal ContactModal `json:"contactModal"`
Widgets Widgets `json:"widgets"`
}
@@ -142,6 +143,38 @@ type TechStack struct {
CSS3 string `json:"css3"`
}
// ContactModal labels
type ContactModal struct {
Title string `json:"title"`
Subtitle string `json:"subtitle"`
Description string `json:"description"`
Close string `json:"close"`
Form ContactFormLabel `json:"form"`
Success ContactResult `json:"success"`
Error ContactResult `json:"error"`
}
type ContactFormLabel struct {
Email string `json:"email"`
EmailPlaceholder string `json:"emailPlaceholder"`
Name string `json:"name"`
NamePlaceholder string `json:"namePlaceholder"`
Company string `json:"company"`
CompanyPlaceholder string `json:"companyPlaceholder"`
Subject string `json:"subject"`
SubjectPlaceholder string `json:"subjectPlaceholder"`
Message string `json:"message"`
MessagePlaceholder string `json:"messagePlaceholder"`
Submit string `json:"submit"`
Sending string `json:"sending"`
Note string `json:"note"`
}
type ContactResult struct {
Title string `json:"title"`
Message string `json:"message,omitempty"`
}
// Widget label types
type Widgets struct {
BackToTop WidgetLabel `json:"backToTop"`
@@ -152,6 +185,7 @@ type Widgets struct {
ZoomToggle WidgetLabel `json:"zoomToggle"`
ZoomControl ZoomControlLabel `json:"zoomControl"`
PdfToast PdfToastLabel `json:"pdfToast"`
Contact WidgetLabel `json:"contact"`
ActionButtons ActionButtonsLabel `json:"actionButtons"`
}
@@ -177,4 +211,6 @@ type PdfToastLabel struct {
type ActionButtonsLabel struct {
DownloadPdf string `json:"downloadPdf"`
PrintFriendly string `json:"printFriendly"`
PlainText string `json:"plainText"`
Contact string `json:"contact"`
}
internal/routes/routes.go
+9 -1
View File
@@ -9,7 +9,7 @@ import (
)
// Setup configures all application routes and middleware
func Setup(cvHandler *handlers.CVHandler, healthHandler *handlers.HealthHandler) http.Handler {
func Setup(cvHandler *handlers.CVHandler, healthHandler *handlers.HealthHandler, contactHandler *handlers.ContactHandler) http.Handler {
mux := http.NewServeMux()
// Shortcut routes for default CV (year-aware) - MUST be before "/" route
@@ -19,6 +19,7 @@ func Setup(cvHandler *handlers.CVHandler, healthHandler *handlers.HealthHandler)
// Public routes
mux.HandleFunc("/", cvHandler.Home)
mux.HandleFunc("/cv", cvHandler.CVContent)
mux.HandleFunc("/text", cvHandler.PlainText) // Plain text version for curl/AI
mux.HandleFunc("/health", healthHandler.Check)
// HTMX endpoints for interactive controls
@@ -27,6 +28,13 @@ func Setup(cvHandler *handlers.CVHandler, healthHandler *handlers.HealthHandler)
mux.HandleFunc("/toggle/icons", cvHandler.ToggleIcons)
mux.HandleFunc("/toggle/theme", cvHandler.ToggleTheme)
// Contact form endpoint (simple rate limiting)
contactRateLimiter := middleware.NewRateLimiter(5, 1*time.Hour)
protectedContactHandler := contactRateLimiter.Middleware(
http.HandlerFunc(contactHandler.Submit),
)
mux.Handle("/api/contact", protectedContactHandler)
// Protected PDF endpoint with rate limiting (3 requests/minute per IP)
pdfRateLimiter := middleware.NewRateLimiter(3, 1*time.Minute)
protectedPDFHandler := middleware.OriginChecker(
internal/services/email.go
+274
View File
@@ -0,0 +1,274 @@
package services
import (
"bytes"
"crypto/tls"
"fmt"
"html/template"
"log"
"net/smtp"
"strings"
"time"
)
// EmailConfig holds SMTP configuration
type EmailConfig struct {
SMTPHost string
SMTPPort string
SMTPUser string
SMTPPassword string
FromEmail string
ToEmail string
}
// EmailService handles email sending operations
type EmailService struct {
config *EmailConfig
}
// NewEmailService creates a new email service
func NewEmailService(config *EmailConfig) *EmailService {
return &EmailService{
config: config,
}
}
// ContactFormData represents contact form submission data
type ContactFormData struct {
Email string
Name string
Company string
Subject string
Message string
IP string
Time time.Time
}
// Validate performs validation on contact form data
func (c *ContactFormData) Validate() error {
// Sanitize inputs
c.Email = strings.TrimSpace(c.Email)
c.Name = strings.TrimSpace(c.Name)
c.Company = strings.TrimSpace(c.Company)
c.Subject = strings.TrimSpace(c.Subject)
c.Message = strings.TrimSpace(c.Message)
// Required fields
if c.Email == "" {
return fmt.Errorf("email is required")
}
if c.Message == "" {
return fmt.Errorf("message is required")
}
// Email format validation (basic)
if !strings.Contains(c.Email, "@") || !strings.Contains(c.Email, ".") {
return fmt.Errorf("invalid email format")
}
// Prevent email header injection
if containsNewlines(c.Email) {
return fmt.Errorf("invalid email: contains prohibited characters")
}
if containsNewlines(c.Subject) {
return fmt.Errorf("invalid subject: contains prohibited characters")
}
// Length validation
if len(c.Email) > 254 {
return fmt.Errorf("email too long (max 254 characters)")
}
if len(c.Name) > 100 {
return fmt.Errorf("name too long (max 100 characters)")
}
if len(c.Company) > 100 {
return fmt.Errorf("company too long (max 100 characters)")
}
if len(c.Subject) > 200 {
return fmt.Errorf("subject too long (max 200 characters)")
}
if len(c.Message) > 5000 {
return fmt.Errorf("message too long (max 5000 characters)")
}
if len(c.Message) < 10 {
return fmt.Errorf("message too short (min 10 characters)")
}
return nil
}
// containsNewlines checks for newline characters that could enable header injection
func containsNewlines(s string) bool {
return strings.ContainsAny(s, "\r\n")
}
// SendContactForm sends a contact form email
func (e *EmailService) SendContactForm(data *ContactFormData) error {
// Validate data
if err := data.Validate(); err != nil {
return fmt.Errorf("validation failed: %w", err)
}
// Prepare email content
subject := "[CV Contact] "
if data.Subject != "" {
subject += data.Subject
} else {
subject += "New Message"
}
// Build email body
body, err := e.buildEmailBody(data)
if err != nil {
return fmt.Errorf("failed to build email body: %w", err)
}
// Send email
if err := e.sendEmail(subject, body); err != nil {
return fmt.Errorf("failed to send email: %w", err)
}
// Log successful send (without sensitive data)
log.Printf("Contact form email sent successfully to %s from %s", e.config.ToEmail, data.Email)
return nil
}
// buildEmailBody creates the email body from template
func (e *EmailService) buildEmailBody(data *ContactFormData) (string, error) {
emailTemplate := `New contact form submission:
From: {{.Email}}
Name: {{if .Name}}{{.Name}}{{else}}Not provided{{end}}
Company: {{if .Company}}{{.Company}}{{else}}Not provided{{end}}
Subject: {{if .Subject}}{{.Subject}}{{else}}Not provided{{end}}
Message:
{{.Message}}
---
IP: {{.IP}}
Time: {{.Time.Format "2006-01-02 15:04:05 MST"}}
`
tmpl, err := template.New("contact").Parse(emailTemplate)
if err != nil {
return "", err
}
var body bytes.Buffer
if err := tmpl.Execute(&body, data); err != nil {
return "", err
}
return body.String(), nil
}
// sendEmail sends an email using SMTP
func (e *EmailService) sendEmail(subject, body string) error {
// Validate config
if e.config.SMTPHost == "" || e.config.SMTPPort == "" {
return fmt.Errorf("SMTP configuration incomplete")
}
if e.config.SMTPUser == "" || e.config.SMTPPassword == "" {
return fmt.Errorf("SMTP credentials missing")
}
if e.config.ToEmail == "" {
return fmt.Errorf("recipient email not configured")
}
// Build email message
from := e.config.FromEmail
if from == "" {
from = e.config.SMTPUser
}
to := e.config.ToEmail
message := e.formatMessage(from, to, subject, body)
// SMTP server address
addr := fmt.Sprintf("%s:%s", e.config.SMTPHost, e.config.SMTPPort)
// Setup authentication
auth := smtp.PlainAuth("", e.config.SMTPUser, e.config.SMTPPassword, e.config.SMTPHost)
// Connect to SMTP server with TLS
client, err := e.connectSMTP(addr)
if err != nil {
return fmt.Errorf("failed to connect to SMTP server: %w", err)
}
defer client.Close()
// Authenticate
if err = client.Auth(auth); err != nil {
return fmt.Errorf("SMTP authentication failed: %w", err)
}
// Set sender and recipient
if err = client.Mail(from); err != nil {
return fmt.Errorf("failed to set sender: %w", err)
}
if err = client.Rcpt(to); err != nil {
return fmt.Errorf("failed to set recipient: %w", err)
}
// Send message
w, err := client.Data()
if err != nil {
return fmt.Errorf("failed to get data writer: %w", err)
}
_, err = w.Write([]byte(message))
if err != nil {
return fmt.Errorf("failed to write message: %w", err)
}
err = w.Close()
if err != nil {
return fmt.Errorf("failed to close writer: %w", err)
}
return client.Quit()
}
// connectSMTP establishes an SMTP connection with TLS
func (e *EmailService) connectSMTP(addr string) (*smtp.Client, error) {
// Connect to server
client, err := smtp.Dial(addr)
if err != nil {
return nil, err
}
// Start TLS
tlsConfig := &tls.Config{
ServerName: e.config.SMTPHost,
MinVersion: tls.VersionTLS12,
}
if err = client.StartTLS(tlsConfig); err != nil {
client.Close()
return nil, err
}
return client, nil
}
// formatMessage formats an email message with proper headers
func (e *EmailService) formatMessage(from, to, subject, body string) string {
headers := make(map[string]string)
headers["From"] = from
headers["To"] = to
headers["Subject"] = subject
headers["MIME-Version"] = "1.0"
headers["Content-Type"] = "text/plain; charset=\"utf-8\""
headers["Date"] = time.Now().Format(time.RFC1123Z)
var message strings.Builder
for k, v := range headers {
message.WriteString(fmt.Sprintf("%s: %s\r\n", k, v))
}
message.WriteString("\r\n")
message.WriteString(body)
return message.String()
}
internal/validation/contact.go
+352
View File
@@ -0,0 +1,352 @@
package validation
import (
"errors"
"html"
"regexp"
"strings"
"time"
"unicode/utf8"
)
// ContactFormRequest represents a validated contact form submission
type ContactFormRequest struct {
Name string `json:"name"`
Email string `json:"email"`
Company string `json:"company"`
Subject string `json:"subject"`
Message string `json:"message"`
Honeypot string `json:"website"` // Should always be empty (bot trap)
Timestamp int64 `json:"timestamp"` // Form load time (set by server)
}
// ValidationError represents a validation error with field context
type ValidationError struct {
Field string
Message string
}
// Error implements the error interface
func (e *ValidationError) Error() string {
return e.Field + ": " + e.Message
}
// ValidateContactForm performs comprehensive validation on contact form data
func ValidateContactForm(req *ContactFormRequest) error {
// 1. Honeypot check (bot detection)
if req.Honeypot != "" {
return &ValidationError{
Field: "website",
Message: "Bot detected",
}
}
// 2. Timing check (form must be displayed for at least 2 seconds)
if req.Timestamp > 0 {
now := time.Now().Unix()
timeTaken := now - req.Timestamp
if timeTaken < 2 {
return &ValidationError{
Field: "timestamp",
Message: "Form submitted too quickly (bot detected)",
}
}
// Also reject if timestamp is in the future or too old (> 24 hours)
if timeTaken < 0 || timeTaken > 86400 {
return &ValidationError{
Field: "timestamp",
Message: "Invalid timestamp",
}
}
}
// 3. Required fields
if strings.TrimSpace(req.Name) == "" {
return &ValidationError{
Field: "name",
Message: "Name is required",
}
}
if strings.TrimSpace(req.Email) == "" {
return &ValidationError{
Field: "email",
Message: "Email is required",
}
}
if strings.TrimSpace(req.Subject) == "" {
return &ValidationError{
Field: "subject",
Message: "Subject is required",
}
}
if strings.TrimSpace(req.Message) == "" {
return &ValidationError{
Field: "message",
Message: "Message is required",
}
}
// 4. Length validation
if utf8.RuneCountInString(req.Name) > 100 {
return &ValidationError{
Field: "name",
Message: "Name must be 100 characters or less",
}
}
if utf8.RuneCountInString(req.Email) > 254 {
return &ValidationError{
Field: "email",
Message: "Email must be 254 characters or less",
}
}
if utf8.RuneCountInString(req.Company) > 100 {
return &ValidationError{
Field: "company",
Message: "Company must be 100 characters or less",
}
}
if utf8.RuneCountInString(req.Subject) > 200 {
return &ValidationError{
Field: "subject",
Message: "Subject must be 200 characters or less",
}
}
if utf8.RuneCountInString(req.Message) > 5000 {
return &ValidationError{
Field: "message",
Message: "Message must be 5000 characters or less",
}
}
// 5. Email validation (RFC 5322)
if !IsValidEmail(req.Email) {
return &ValidationError{
Field: "email",
Message: "Invalid email address format",
}
}
// 6. Email header injection prevention
if ContainsEmailInjection(req.Name) {
return &ValidationError{
Field: "name",
Message: "Name contains invalid characters",
}
}
if ContainsEmailInjection(req.Email) {
return &ValidationError{
Field: "email",
Message: "Email contains invalid characters",
}
}
if ContainsEmailInjection(req.Subject) {
return &ValidationError{
Field: "subject",
Message: "Subject contains invalid characters",
}
}
// 7. Name validation (letters, spaces, hyphens, apostrophes only)
if !IsValidName(req.Name) {
return &ValidationError{
Field: "name",
Message: "Name can only contain letters, spaces, hyphens, and apostrophes",
}
}
// 8. Subject validation (alphanumeric + safe punctuation)
if !IsValidSubject(req.Subject) {
return &ValidationError{
Field: "subject",
Message: "Subject contains invalid characters",
}
}
// 9. Company validation (optional, but if provided must be alphanumeric)
if req.Company != "" && !IsValidCompany(req.Company) {
return &ValidationError{
Field: "company",
Message: "Company name contains invalid characters",
}
}
return nil
}
// IsValidEmail validates email format per RFC 5322 (simplified)
func IsValidEmail(email string) bool {
email = strings.TrimSpace(email)
// Basic length check
if len(email) < 3 || len(email) > 254 {
return false
}
// Must contain @
parts := strings.Split(email, "@")
if len(parts) != 2 {
return false
}
local := parts[0]
domain := parts[1]
// Local part validation
if len(local) == 0 || len(local) > 64 {
return false
}
// Domain must have at least one dot (TLD required)
if !strings.Contains(domain, ".") {
return false
}
// RFC 5322 simplified regex
// This is a reasonable approximation - full RFC 5322 is extremely complex
emailRegex := regexp.MustCompile(`^[a-zA-Z0-9.!#$%&'*+/=?^_` + "`" + `{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)+$`)
return emailRegex.MatchString(email)
}
// ContainsEmailInjection checks for email header injection attempts
// Email header injection: attacker tries to inject additional headers via newlines
func ContainsEmailInjection(s string) bool {
// Check for newlines (CRLF or LF)
if strings.ContainsAny(s, "\r\n") {
return true
}
// Check for email header patterns (case-insensitive)
sLower := strings.ToLower(s)
dangerousPatterns := []string{
"content-type:",
"mime-version:",
"content-transfer-encoding:",
"bcc:",
"cc:",
"to:",
"from:",
"subject:",
"reply-to:",
"x-mailer:",
}
for _, pattern := range dangerousPatterns {
if strings.Contains(sLower, pattern) {
return true
}
}
return false
}
// IsValidName validates name format
// Allows: letters (any language), spaces, hyphens, apostrophes
func IsValidName(name string) bool {
name = strings.TrimSpace(name)
if name == "" {
return false
}
// Allow unicode letters, spaces, hyphens, apostrophes
// This supports international names (Juan José, François, 田中, etc.)
nameRegex := regexp.MustCompile(`^[\p{L}\s'-]+$`)
return nameRegex.MatchString(name)
}
// IsValidSubject validates subject format
// Allows: alphanumeric, spaces, and common punctuation (including #)
func IsValidSubject(subject string) bool {
subject = strings.TrimSpace(subject)
if subject == "" {
return false
}
// Allow alphanumeric (any language), spaces, and safe punctuation (including #)
subjectRegex := regexp.MustCompile(`^[\p{L}\p{N}\s.,!?'"()\-:;#]+$`)
return subjectRegex.MatchString(subject)
}
// IsValidCompany validates company name format
// Allows: alphanumeric, spaces, and common business punctuation
func IsValidCompany(company string) bool {
company = strings.TrimSpace(company)
if company == "" {
return true // Optional field
}
// Allow alphanumeric (any language), spaces, and business punctuation
companyRegex := regexp.MustCompile(`^[\p{L}\p{N}\s.,&'()\-]+$`)
return companyRegex.MatchString(company)
}
// SanitizeContactForm sanitizes contact form data
// This should be called AFTER validation
func SanitizeContactForm(req *ContactFormRequest) {
// 1. Trim whitespace
req.Name = strings.TrimSpace(req.Name)
req.Email = strings.TrimSpace(req.Email)
req.Company = strings.TrimSpace(req.Company)
req.Subject = strings.TrimSpace(req.Subject)
req.Message = strings.TrimSpace(req.Message)
// 2. Remove any newlines from header fields (belt-and-suspenders)
req.Name = removeNewlines(req.Name)
req.Email = removeNewlines(req.Email)
req.Company = removeNewlines(req.Company)
req.Subject = removeNewlines(req.Subject)
// 3. HTML escape message body (prevent XSS in email clients)
req.Message = html.EscapeString(req.Message)
// 4. Normalize whitespace in message (collapse multiple spaces/newlines)
req.Message = normalizeWhitespace(req.Message)
}
// removeNewlines removes all newline characters
func removeNewlines(s string) string {
s = strings.ReplaceAll(s, "\r", "")
s = strings.ReplaceAll(s, "\n", "")
return s
}
// normalizeWhitespace collapses multiple spaces/newlines to single instances
func normalizeWhitespace(s string) string {
// Replace multiple newlines with double newline (paragraph break)
newlineRegex := regexp.MustCompile(`\n{3,}`)
s = newlineRegex.ReplaceAllString(s, "\n\n")
// Replace multiple spaces (but not newlines) with single space
spaceRegex := regexp.MustCompile(`[^\S\n]+`)
s = spaceRegex.ReplaceAllString(s, " ")
return strings.TrimSpace(s)
}
// Common validation errors
var (
ErrBotDetected = errors.New("bot detected")
ErrInvalidEmail = errors.New("invalid email format")
ErrEmailInjection = errors.New("email injection attempt detected")
ErrInvalidName = errors.New("invalid name format")
ErrInvalidSubject = errors.New("invalid subject format")
ErrRequiredField = errors.New("required field missing")
ErrFieldTooLong = errors.New("field exceeds maximum length")
ErrSubmittedTooFast = errors.New("form submitted too quickly")
)
internal/validation/contact_test.go
+524
View File
@@ -0,0 +1,524 @@
package validation
import (
"strings"
"testing"
"time"
)
// ==============================================================================
// EMAIL VALIDATION TESTS
// ==============================================================================
func TestIsValidEmail(t *testing.T) {
tests := []struct {
name string
email string
want bool
}{
// Valid emails
{"Valid standard", "test@example.com", true},
{"Valid with subdomain", "user@mail.example.com", true},
{"Valid with plus", "user+tag@example.com", true},
{"Valid with dot", "first.last@example.com", true},
{"Valid with hyphen", "user-name@example.com", true},
{"Valid with numbers", "user123@example.com", true},
// Invalid emails
{"Empty", "", false},
{"No @", "userexample.com", false},
{"Multiple @", "user@@example.com", false},
{"No domain", "user@", false},
{"No local part", "@example.com", false},
{"Spaces", "user @example.com", false},
{"Missing TLD", "user@example", false},
{"Too long", strings.Repeat("a", 250) + "@example.com", false},
{"Special chars", "user<>@example.com", false},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := IsValidEmail(tt.email); got != tt.want {
t.Errorf("IsValidEmail(%q) = %v, want %v", tt.email, got, tt.want)
}
})
}
}
// ==============================================================================
// EMAIL INJECTION TESTS
// ==============================================================================
func TestContainsEmailInjection(t *testing.T) {
tests := []struct {
name string
input string
want bool // true if injection detected
}{
// Safe inputs
{"Normal text", "Hello World", false},
{"Name with apostrophe", "O'Connor", false},
{"Hyphenated name", "Anne-Marie", false},
// Injection attempts
{"CRLF injection", "Name\r\nBcc: attacker@evil.com", true},
{"LF injection", "Name\nBcc: attacker@evil.com", true},
{"Content-Type header", "Name\r\nContent-Type: text/html", true},
{"BCC header", "bcc: attacker@evil.com", true},
{"CC header", "cc: attacker@evil.com", true},
{"To header", "to: victim@example.com", true},
{"From header", "from: fake@example.com", true},
{"Reply-To header", "reply-to: attacker@evil.com", true},
{"MIME-Version", "MIME-Version: 1.0", true},
{"X-Mailer", "X-Mailer: Evil", true},
{"Case insensitive", "BCC: attacker@evil.com", true},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := ContainsEmailInjection(tt.input); got != tt.want {
t.Errorf("ContainsEmailInjection(%q) = %v, want %v", tt.input, got, tt.want)
}
})
}
}
// ==============================================================================
// NAME VALIDATION TESTS
// ==============================================================================
func TestIsValidName(t *testing.T) {
tests := []struct {
name string
input string
want bool
}{
// Valid names
{"Simple name", "John", true},
{"Full name", "John Smith", true},
{"Hyphenated", "Anne-Marie", true},
{"Apostrophe", "O'Connor", true},
{"Multiple words", "Juan José García", true},
{"Spanish characters", "José María", true},
{"French characters", "François Dubois", true},
{"German characters", "Müller", true},
// Invalid names
{"Empty", "", false},
{"Numbers", "John123", false},
{"Special chars", "John@Smith", false},
{"HTML tags", "<script>alert(1)</script>", false},
{"Email", "john@example.com", false},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := IsValidName(tt.input); got != tt.want {
t.Errorf("IsValidName(%q) = %v, want %v", tt.input, got, tt.want)
}
})
}
}
// ==============================================================================
// SUBJECT VALIDATION TESTS
// ==============================================================================
func TestIsValidSubject(t *testing.T) {
tests := []struct {
name string
input string
want bool
}{
// Valid subjects
{"Simple", "Hello", true},
{"With spaces", "Hello World", true},
{"With punctuation", "Question about your services!", true},
{"With numbers", "Order #12345", true},
{"Complex", "Re: Your inquiry (urgent)", true},
// Invalid subjects
{"Empty", "", false},
{"HTML tags", "<script>alert(1)</script>", false},
{"Email injection", "Subject\nBcc: evil@example.com", false},
{"Special chars", "Subject $ % ^ &", false},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := IsValidSubject(tt.input); got != tt.want {
t.Errorf("IsValidSubject(%q) = %v, want %v", tt.input, got, tt.want)
}
})
}
}
// ==============================================================================
// COMPANY VALIDATION TESTS
// ==============================================================================
func TestIsValidCompany(t *testing.T) {
tests := []struct {
name string
input string
want bool
}{
// Valid company names
{"Empty (optional)", "", true},
{"Simple", "Acme Corp", true},
{"With punctuation", "Smith & Sons, Inc.", true},
{"With hyphen", "Coca-Cola", true},
{"With parentheses", "Example (Spain)", true},
// Invalid company names
{"HTML tags", "<script>", false},
{"Email injection", "Company\nBcc: evil@example.com", false},
{"Special chars", "Company$$$", false},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := IsValidCompany(tt.input); got != tt.want {
t.Errorf("IsValidCompany(%q) = %v, want %v", tt.input, got, tt.want)
}
})
}
}
// ==============================================================================
// SANITIZATION TESTS
// ==============================================================================
func TestSanitizeContactForm(t *testing.T) {
req := &ContactFormRequest{
Name: " John \n Smith ",
Email: " john@example.com \r\n",
Company: " Acme Corp ",
Subject: " Test Subject ",
Message: "<script>alert('XSS')</script>\n\n\nHello World\n\n\n\n",
}
SanitizeContactForm(req)
// Check whitespace trimmed
if req.Name != "John Smith" {
t.Errorf("Name not properly sanitized: %q", req.Name)
}
// Check newlines removed from headers
if strings.Contains(req.Email, "\n") || strings.Contains(req.Email, "\r") {
t.Errorf("Email still contains newlines: %q", req.Email)
}
// Check HTML escaped
if !strings.Contains(req.Message, "&lt;script&gt;") {
t.Errorf("Message not properly HTML escaped: %q", req.Message)
}
// Check whitespace normalized
if strings.Contains(req.Message, " ") {
t.Errorf("Message whitespace not normalized: %q", req.Message)
}
}
// ==============================================================================
// FULL VALIDATION TESTS
// ==============================================================================
func TestValidateContactForm(t *testing.T) {
tests := []struct {
name string
req *ContactFormRequest
wantError bool
errorField string
}{
{
name: "Valid form",
req: &ContactFormRequest{
Name: "John Smith",
Email: "john@example.com",
Company: "Acme Corp",
Subject: "Inquiry",
Message: "Hello, I have a question.",
Honeypot: "",
Timestamp: time.Now().Unix() - 10, // 10 seconds ago
},
wantError: false,
},
{
name: "Bot detected - honeypot filled",
req: &ContactFormRequest{
Name: "Bot",
Email: "bot@example.com",
Subject: "Spam",
Message: "Spam message",
Honeypot: "http://evil.com", // Bot filled this
},
wantError: true,
errorField: "website",
},
{
name: "Bot detected - submitted too fast",
req: &ContactFormRequest{
Name: "John",
Email: "john@example.com",
Subject: "Test",
Message: "Test",
Timestamp: time.Now().Unix(), // Just now (< 2 seconds)
},
wantError: true,
errorField: "timestamp",
},
{
name: "Missing required field - name",
req: &ContactFormRequest{
Name: "",
Email: "john@example.com",
Subject: "Test",
Message: "Test",
},
wantError: true,
errorField: "name",
},
{
name: "Invalid email format",
req: &ContactFormRequest{
Name: "John",
Email: "invalid-email",
Subject: "Test",
Message: "Test",
},
wantError: true,
errorField: "email",
},
{
name: "Email injection attempt",
req: &ContactFormRequest{
Name: "Evil\nBcc: attacker@evil.com",
Email: "evil@example.com",
Subject: "Test",
Message: "Test",
},
wantError: true,
errorField: "name",
},
{
name: "Name too long",
req: &ContactFormRequest{
Name: strings.Repeat("a", 101),
Email: "john@example.com",
Subject: "Test",
Message: "Test",
},
wantError: true,
errorField: "name",
},
{
name: "Subject too long",
req: &ContactFormRequest{
Name: "John",
Email: "john@example.com",
Subject: strings.Repeat("a", 201),
Message: "Test",
},
wantError: true,
errorField: "subject",
},
{
name: "Message too long",
req: &ContactFormRequest{
Name: "John",
Email: "john@example.com",
Subject: "Test",
Message: strings.Repeat("a", 5001),
},
wantError: true,
errorField: "message",
},
{
name: "Invalid name characters",
req: &ContactFormRequest{
Name: "John123",
Email: "john@example.com",
Subject: "Test",
Message: "Test",
},
wantError: true,
errorField: "name",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
err := ValidateContactForm(tt.req)
if tt.wantError {
if err == nil {
t.Errorf("Expected error but got none")
return
}
// Check error is ValidationError
valErr, ok := err.(*ValidationError)
if !ok {
t.Errorf("Expected ValidationError, got %T", err)
return
}
// Check correct field
if valErr.Field != tt.errorField {
t.Errorf("Expected error field %q, got %q", tt.errorField, valErr.Field)
}
} else {
if err != nil {
t.Errorf("Expected no error, got: %v", err)
}
}
})
}
}
// ==============================================================================
// SECURITY TESTS (Attack Simulations)
// ==============================================================================
func TestSecurityAttacks(t *testing.T) {
attacks := []struct {
name string
field string
value string
reason string
}{
{
name: "SQL Injection in name",
field: "name",
value: "Robert'; DROP TABLE users; --",
reason: "Should reject SQL injection attempts",
},
// NOTE: XSS in message is allowed during validation - it's escaped during sanitization
// This is intentional - we don't reject valid messages that happen to contain < or >
// The sanitization step handles HTML escaping before sending email
{
name: "Email header injection",
field: "email",
value: "test@example.com\nBcc: attacker@evil.com",
reason: "Should block email header injection",
},
{
name: "Command injection",
field: "name",
value: "Test; rm -rf /",
reason: "Should block command injection attempts",
},
{
name: "Path traversal",
field: "subject",
value: "../../../etc/passwd",
reason: "Should reject path traversal attempts",
},
}
for _, attack := range attacks {
t.Run(attack.name, func(t *testing.T) {
req := &ContactFormRequest{
Name: "John Smith",
Email: "john@example.com",
Subject: "Test",
Message: "Test",
Timestamp: time.Now().Unix() - 10,
}
// Inject attack into specified field
switch attack.field {
case "name":
req.Name = attack.value
case "email":
req.Email = attack.value
case "subject":
req.Subject = attack.value
case "message":
req.Message = attack.value
}
err := ValidateContactForm(req)
if err == nil {
t.Errorf("%s: Expected validation to fail, but it passed", attack.reason)
}
})
}
}
// ==============================================================================
// NORMALIZATION TESTS
// ==============================================================================
func TestRemoveNewlines(t *testing.T) {
tests := []struct {
input string
want string
}{
{"No newlines", "No newlines"},
{"With\nnewline", "Withnewline"},
{"With\r\nCRLF", "WithCRLF"},
{"Multiple\n\n\nnewlines", "Multiplenewlines"},
}
for _, tt := range tests {
if got := removeNewlines(tt.input); got != tt.want {
t.Errorf("removeNewlines(%q) = %q, want %q", tt.input, got, tt.want)
}
}
}
func TestNormalizeWhitespace(t *testing.T) {
tests := []struct {
input string
want string
}{
{"Normal text", "Normal text"},
{"Multiple spaces", "Multiple spaces"},
{"Multiple\n\n\n\nnewlines", "Multiple\n\nnewlines"},
{" Leading and trailing ", "Leading and trailing"},
}
for _, tt := range tests {
if got := normalizeWhitespace(tt.input); got != tt.want {
t.Errorf("normalizeWhitespace(%q) = %q, want %q", tt.input, got, tt.want)
}
}
}
// ==============================================================================
// BENCHMARK TESTS
// ==============================================================================
func BenchmarkIsValidEmail(b *testing.B) {
email := "test@example.com"
for i := 0; i < b.N; i++ {
IsValidEmail(email)
}
}
func BenchmarkContainsEmailInjection(b *testing.B) {
text := "Normal text without injection"
for i := 0; i < b.N; i++ {
ContainsEmailInjection(text)
}
}
func BenchmarkValidateContactForm(b *testing.B) {
req := &ContactFormRequest{
Name: "John Smith",
Email: "john@example.com",
Company: "Acme Corp",
Subject: "Inquiry",
Message: "Hello, I have a question.",
Timestamp: time.Now().Unix() - 10,
}
b.ResetTimer()
for i := 0; i < b.N; i++ {
_ = ValidateContactForm(req)
}
}