Release 0.1.8: Unlinked-access support and Landing page

.github/golangci.yml

@@ -3,7 +3,7 @@ linters:
   default: none
   enable:
     - errcheck
-    - goconst
+    # - goconst  # temporarily disabled — golangci-lint v1.12.1 surfaced ~50 new findings; tracked for cleanup in a separate PR.
     - gocritic
     - gocyclo
     - gosec

Makefile

@@ -156,14 +156,12 @@ dev_check: ## Starts the development dnscheck service.
 	docker exec -it dnscheck make gow
 
 gen_python_client: ## Generates the python client from swagger spec (renamed to moddns_client, package moddns).
-	sudo rm -r tests/moddns_client/ || true
-	docker run -v ${CWD}:/app -w /app/api/docs --rm -it openapitools/openapi-generator-cli generate --package-name moddns -i swagger.yaml -g python -o /app/tests/moddns_client --skip-validate-spec
-	sudo chmod -R 777 tests/moddns_client/
+	rm -rf tests/moddns_client/ || true
+	docker run -v ${CWD}:/app -w /app/api/docs --user $$(id -u):$$(id -g) --rm openapitools/openapi-generator-cli generate --package-name moddns -i swagger.yaml -g python -o /app/tests/moddns_client --skip-validate-spec
 
 gen_ts_client: ## Generates the typescript client from swagger spec.
-	sudo rm -r app/src/api/client/ || true
-	docker run -v ${CWD}:/app -w /app/api/docs --rm -it openapitools/openapi-generator-cli generate --package-name idns -i swagger.yaml -g typescript-axios -o /app/app/src/api/client --skip-validate-spec
-	sudo chmod -R 777 app/src/api/client/
+	rm -rf app/src/api/client/ || true
+	docker run -v ${CWD}:/app -w /app/api/docs --user $$(id -u):$$(id -g) --rm openapitools/openapi-generator-cli generate --package-name idns -i swagger.yaml -g typescript-axios -o /app/app/src/api/client --skip-validate-spec
 
 build_tests_image: ## Builds the smoke / integration tests image.
 	docker build -f tests/Dockerfile -t dns_tests:latest .

api/.env.sample

@@ -28,6 +28,11 @@ API_SIGNUP_WEBHOOK_URL=""
 API_SIGNUP_WEBHOOK_PSK=""
 PROFILE_ID_MIN_LENGTH=10
 
+### ZLA PRE-AUTH CONFIG
+PREAUTH_URL=
+PREAUTH_PSK=
+PREAUTH_TTL=60m
+
 ### DB CONFIG
 DB_URI="mongodb://mongodb:27017"
 DB_NAME="dns"

api/api/accounts.go

@@ -43,7 +43,8 @@ func (s *APIServer) registerAccount() fiber.Handler {
 			return HandleError(c, ErrValidationFailed, "validation failed", tags...)
 		}
 
-		_, err := s.Service.GetUnfinishedSignupOrPostAccount(c.Context(), p.Email, p.Password, p.SubID)
+		sessionID := c.Cookies(PASessionCookie)
+		_, err := s.Service.GetUnfinishedSignupOrPostAccount(c.Context(), p.Email, p.Password, p.SubID, sessionID)
 		if err != nil {
 			// Map specific service errors to unified user-facing failure
 			if _, ok := err.(*account.ServiceAccountError); ok && err == account.ErrUnableToCreateAccount {

api/api/accounts_test.go

@@ -796,7 +796,7 @@ func (suite *AccountsAPITestSuite) TestRegisterAccount_SuccessNewAccount() {
 
 	// Mock service returning newly created finished account
 	acc := &model.Account{ID: primitive.NewObjectID(), Email: email, Password: &password}
-	suite.mockService.On("GetUnfinishedSignupOrPostAccount", mock.Anything, email, password, subID).Return(acc, nil)
+	suite.mockService.On("GetUnfinishedSignupOrPostAccount", mock.Anything, email, password, subID, mock.Anything).Return(acc, nil)
 
 	resp, err := suite.doRegister(email, password, subID)
 	suite.Require().NoError(err)
@@ -814,7 +814,7 @@ func (suite *AccountsAPITestSuite) TestRegisterAccount_SuccessUnfinishedReuse()
 
 	// Unfinished account simulated by nil Password in returned account (service after reuse sets password internally)
 	acc := &model.Account{ID: primitive.NewObjectID(), Email: email, Password: nil}
-	suite.mockService.On("GetUnfinishedSignupOrPostAccount", mock.Anything, email, password, subID).Return(acc, nil)
+	suite.mockService.On("GetUnfinishedSignupOrPostAccount", mock.Anything, email, password, subID, mock.Anything).Return(acc, nil)
 
 	resp, err := suite.doRegister(email, password, subID)
 	suite.Require().NoError(err)
@@ -830,7 +830,7 @@ func (suite *AccountsAPITestSuite) TestRegisterAccount_ErrorCacheMissing() {
 	password := "StrongPass123!"
 	subID := "550e8400-e29b-41d4-a716-446655440002"
 
-	suite.mockService.On("GetUnfinishedSignupOrPostAccount", mock.Anything, email, password, subID).Return(nil, account.ErrUnableToCreateAccount)
+	suite.mockService.On("GetUnfinishedSignupOrPostAccount", mock.Anything, email, password, subID, mock.Anything).Return(nil, account.ErrUnableToCreateAccount)
 
 	resp, err := suite.doRegister(email, password, subID)
 	suite.Require().NoError(err)
@@ -846,7 +846,7 @@ func (suite *AccountsAPITestSuite) TestRegisterAccount_ErrorSubscriptionDuplicat
 	password := "StrongPass123!"
 	subID := "550e8400-e29b-41d4-a716-446655440003"
 
-	suite.mockService.On("GetUnfinishedSignupOrPostAccount", mock.Anything, email, password, subID).Return(nil, account.ErrUnableToCreateAccount)
+	suite.mockService.On("GetUnfinishedSignupOrPostAccount", mock.Anything, email, password, subID, mock.Anything).Return(nil, account.ErrUnableToCreateAccount)
 
 	resp, err := suite.doRegister(email, password, subID)
 	suite.Require().NoError(err)
@@ -862,7 +862,7 @@ func (suite *AccountsAPITestSuite) TestRegisterAccount_ErrorFinishedAccountReuse
 	password := "StrongPass123!"
 	subID := "550e8400-e29b-41d4-a716-446655440004"
 
-	suite.mockService.On("GetUnfinishedSignupOrPostAccount", mock.Anything, email, password, subID).Return(nil, account.ErrUnableToCreateAccount)
+	suite.mockService.On("GetUnfinishedSignupOrPostAccount", mock.Anything, email, password, subID, mock.Anything).Return(nil, account.ErrUnableToCreateAccount)
 
 	resp, err := suite.doRegister(email, password, subID)
 	suite.Require().NoError(err)

api/api/auth.go

@@ -96,7 +96,7 @@ func (s *APIServer) login() fiber.Handler {
 			})
 		}
 
-		err = s.Service.SaveSession(c.Context(), sessionData, token, acc.ID.Hex(), "")
+		err = s.Service.SaveSession(c.Context(), sessionData, token, acc.ID.Hex(), "", "")
 		if err != nil {
 			return c.Status(400).JSON(fiber.Map{
 				"error": ErrSaveSession,

api/api/pasession.go

@@ -0,0 +1,108 @@
+package api
+
+import (
+	"strings"
+	"time"
+
+	"github.com/gofiber/fiber/v2"
+	"github.com/ivpn/dns/api/api/requests"
+	"github.com/ivpn/dns/api/model"
+)
+
+// PASessionCookie is the cookie name for the pre-auth session ID.
+const PASessionCookie = "pa_session"
+
+// @Summary Add pre-auth session
+// @Description Add a pre-auth session to cache (called by preauth service)
+// @Tags PASession
+// @Accept json
+// @Produce json
+// @Security ApiKeyAuth
+// @Param body body requests.PASessionReq true "Pre-auth session request"
+// @Success 200 {object} fiber.Map
+// @Failure 400 {object} ErrResponse
+// @Failure 401 {object} ErrResponse
+// @Router /api/v1/pasession/add [post]
+func (s *APIServer) addPASession() fiber.Handler {
+	return func(c *fiber.Ctx) error {
+		req := new(requests.PASessionReq)
+		if err := c.BodyParser(req); err != nil {
+			return HandleError(c, err, ErrInvalidRequestBody.Error())
+		}
+
+		errMsgs := s.Validator.ValidateRequest(c, req, ErrInvalidRequestBody.Error())
+		if len(errMsgs) > 0 {
+			return HandleError(c, ErrInvalidRequestBody, strings.Join(errMsgs, " and "))
+		}
+
+		session := &model.PASession{
+			ID:        req.ID,
+			Token:     req.Token,
+			PreauthID: req.PreauthID,
+		}
+
+		if err := s.Service.AddPASession(c.Context(), session); err != nil {
+			return HandleError(c, err, "failed to add pre-auth session")
+		}
+
+		return c.Status(200).JSON(fiber.Map{"message": "pre-auth session added"})
+	}
+}
+
+// @Summary Rotate pre-auth session ID
+// @Description Rotate pre-auth session ID and set new ID as cookie. The endpoint
+// @Description is idempotent against an already-rotated session: if the URL
+// @Description sessionid is no longer in the cache but the caller already holds
+// @Description a valid pa_session cookie, the call succeeds as a no-op so the
+// @Description user can continue with their existing session.
+// @Tags PASession
+// @Accept json
+// @Produce json
+// @Param body body requests.RotatePASessionReq true "Rotate pre-auth session request"
+// @Success 200
+// @Failure 400 {object} ErrResponse
+// @Router /api/v1/pasession/rotate [put]
+func (s *APIServer) rotatePASession() fiber.Handler {
+	return func(c *fiber.Ctx) error {
+		req := new(requests.RotatePASessionReq)
+		if err := c.BodyParser(req); err != nil {
+			return c.Status(400).JSON(fiber.Map{"error": "This signup link has expired."})
+		}
+
+		errMsgs := s.Validator.ValidateRequest(c, req, "")
+		if len(errMsgs) > 0 {
+			return c.Status(400).JSON(fiber.Map{"error": "This signup link has expired."})
+		}
+
+		if newID, err := s.Service.RotatePASessionID(c.Context(), req.SessionID); err == nil {
+			setPASessionCookie(c, newID)
+			return c.SendStatus(fiber.StatusOK)
+		}
+
+		// Fallback: the URL sessionid was already consumed (typical when the
+		// signup link is opened a second time in the same browser). If the
+		// existing pa_session cookie still points to a valid cache entry, the
+		// caller can continue with what they have — no rotate needed.
+		if existing := c.Cookies(PASessionCookie); existing != "" {
+			if _, err := s.Service.ValidateAndGetPreauth(c.Context(), existing); err == nil {
+				return c.SendStatus(fiber.StatusOK)
+			}
+		}
+
+		return c.Status(400).JSON(fiber.Map{"error": "This signup link has expired."})
+	}
+}
+
+// setPASessionCookie writes the pa_session cookie used by subsequent /accounts
+// and /sub/update calls during the signup / resync flow.
+func setPASessionCookie(c *fiber.Ctx, sessionID string) {
+	c.Cookie(&fiber.Cookie{
+		Name:     PASessionCookie,
+		Value:    sessionID,
+		HTTPOnly: true,
+		Secure:   true,
+		SameSite: fiber.CookieSameSiteLaxMode,
+		MaxAge:   900,
+		Expires:  time.Now().Add(15 * time.Minute),
+	})
+}