Merge pull request '73-authentication-local' (#120) from 73-authentication-local into master

Reviewed-on: tim/me-fit#120
2024-09-01 14:21:39 +02:00
parent 4360d31bb2 1f84a009f8
commit cf6432c13f
19 changed files with 589 additions and 187 deletions
--- a/go.mod
+++ b/go.mod
@@ -5,9 +5,11 @@ go 1.22.5
 require (
 	github.com/a-h/templ v0.2.771
 	github.com/golang-migrate/migrate/v4 v4.17.1
+	github.com/google/uuid v1.4.0
 	github.com/joho/godotenv v1.5.1
 	github.com/mattn/go-sqlite3 v1.14.22
 	github.com/prometheus/client_golang v1.20.2
+	golang.org/x/crypto v0.20.0
 )

 require (
--- a/go.sum
+++ b/go.sum
@@ -10,6 +10,8 @@ github.com/golang-migrate/migrate/v4 v4.17.1 h1:4zQ6iqL6t6AiItphxJctQb3cFqWiSpMn
 github.com/golang-migrate/migrate/v4 v4.17.1/go.mod h1:m8hinFyWBn0SA4QKHuKh175Pm9wjmxj3S2Mia7dbXzM=
 github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
 github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
+github.com/google/uuid v1.4.0 h1:MtMxsa51/r9yyhkyLsVeVt0B+BGQZzpQiTQ4eHZ8bc4=
+github.com/google/uuid v1.4.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -41,6 +43,8 @@ github.com/stretchr/testify v1.9.0 h1:HtqpIVDClZ4nwg75+f6Lvsy/wHu+3BoSGCbBAcpTsT
 github.com/stretchr/testify v1.9.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+golang.org/x/crypto v0.20.0 h1:jmAMJJZXr5KiCw05dfYK9QnqaqKLYXijU23lsEdcQqg=
+golang.org/x/crypto v0.20.0/go.mod h1:Xwo95rrVNIoSMx9wa1JroENMToLWn3RNVrTBpLHgZPQ=
 golang.org/x/sys v0.24.0 h1:Twjiwq9dn6R1fQcyiK+wQyHWfaz/BJB+YIpzU/Cv3Xg=
 golang.org/x/sys v0.24.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 google.golang.org/protobuf v1.34.2 h1:6xV6lTsCfpGD21XK49h7MhtcApnLqkfYgPcdHftf6hg=
--- a/handler.go
+++ b/handler.go
@@ -11,15 +11,21 @@ import (
 func getHandler(db *sql.DB) http.Handler {
 	var router = http.NewServeMux()

-	router.HandleFunc("/", service.HandleIndexAnd404)
+	router.HandleFunc("/", service.HandleIndexAnd404(db))

 	// Serve static files (CSS, JS and images)
 	router.Handle("/static/", http.StripPrefix("/static/", http.FileServer(http.Dir("./static/"))))

-	router.HandleFunc("/app", service.App)
-	router.HandleFunc("POST /api/workout", service.NewWorkout(db))
-	router.HandleFunc("GET /api/workout", service.GetWorkouts(db))
-	router.HandleFunc("DELETE /api/workout", service.DeleteWorkout(db))
+	router.HandleFunc("/app", service.HandleWorkoutPage(db))
+	router.HandleFunc("POST /api/workout", service.HandleNewWorkout(db))
+	router.HandleFunc("GET /api/workout", service.HandleGetWorkouts(db))
+	router.HandleFunc("DELETE /api/workout/{id}", service.HandleDeleteWorkout(db))
+
+	router.HandleFunc("/auth/signin", service.HandleSignInPage(db))
+	router.HandleFunc("/auth/signup", service.HandleSignUpPage(db))
+	router.HandleFunc("/api/auth/signup", service.HandleSignUp(db))
+	router.HandleFunc("/api/auth/signin", service.HandleSignIn(db))
+	router.HandleFunc("/api/auth/signout", service.HandleSignOutComp(db))

 	return middleware.Logging(middleware.EnableCors(router))
 }
--- a/migrations/001_initial_schema.up.sql
+++ b/migrations/001_initial_schema.up.sql
@@ -6,3 +6,4 @@ CREATE TABLE workout (
 	sets INTEGER NOT NULL,
 	reps INTEGER NOT NULL
 );
+
--- a/migrations/002_user_and_session.up.sql
+++ b/migrations/002_user_and_session.up.sql
@@ -0,0 +1,21 @@
+
+CREATE TABLE user (
+	user_uuid TEXT NOT NULL UNIQUE PRIMARY KEY,
+
+	email TEXT NOT NULL UNIQUE,
+	email_verified BOOLEAN NOT NULL,
+
+	is_admin BOOLEAN NOT NULL,
+
+	password BLOB NOT NULL,
+	salt BLOB NOT NULL,
+
+	created_at DATETIME NOT NULL
+) WITHOUT ROWID;
+
+CREATE TABLE session (
+	session_id TEXT NOT NULL UNIQUE PRIMARY KEY,
+	user_uuid TEXT NOT NULL,
+
+	created_at DATETIME NOT NULL
+) WITHOUT ROWID;
--- a/service/auth.go
+++ b/service/auth.go
@@ -0,0 +1,273 @@
+package service
+
+import (
+	"bytes"
+	"crypto/rand"
+	"database/sql"
+	"encoding/base64"
+	"log"
+	"net/http"
+	"net/mail"
+	"strings"
+	"time"
+
+	"me-fit/template"
+	"me-fit/template/auth"
+
+	"github.com/a-h/templ"
+	"github.com/google/uuid"
+	"golang.org/x/crypto/argon2"
+)
+
+type User struct {
+	user_uuid uuid.UUID
+	email     string
+}
+
+func HandleSignInPage(db *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		user_comp := UserInfoComp(verifySessionAndReturnUser(db, r))
+		signIn := auth.SignInOrUp(true)
+		template.Layout(signIn, user_comp).Render(r.Context(), w)
+	}
+}
+
+func HandleSignUpPage(db *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		user_comp := UserInfoComp(verifySessionAndReturnUser(db, r))
+		signIn := auth.SignInOrUp(false)
+		template.Layout(signIn, user_comp).Render(r.Context(), w)
+	}
+}
+
+func UserInfoComp(user *User) templ.Component {
+
+	if user != nil {
+		return auth.UserComp(user.email)
+	} else {
+		return auth.UserComp("")
+	}
+}
+
+func HandleSignUp(db *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var email = r.FormValue("email")
+		var password = r.FormValue("password")
+
+		_, err := mail.ParseAddress(email)
+		if err != nil {
+			http.Error(w, "Invalid email", http.StatusBadRequest)
+			return
+		}
+
+		if len(password) < 8 ||
+			!strings.ContainsAny(password, "0123456789") ||
+			!strings.ContainsAny(password, "ABCDEFGHIJKLMNOPQRSTUVWXYZ") ||
+			!strings.ContainsAny(password, "abcdefghijklmnopqrstuvwxyz") ||
+			!strings.ContainsAny(password, "!@#$%^&*()_+-=[]{}\\|;:'\",.<>/?") {
+			http.Error(w, "Password needs to be 8 characters long, contain at least one number, one special, one uppercase and one lowercase character", http.StatusBadRequest)
+			return
+		}
+
+		user_uuid, err := uuid.NewRandom()
+		if err != nil {
+			log.Printf("Could not generate UUID: %v", err)
+			auth.Error("Internal Server Error").Render(r.Context(), w)
+			return
+		}
+
+		salt := make([]byte, 16)
+		rand.Read(salt)
+
+		hash := getHashPassword(password, salt)
+
+		_, err = db.Exec("INSERT INTO user (user_uuid, email, email_verified, is_admin, password, salt, created_at) VALUES (?, ?, FALSE, FALSE, ?, ?, datetime())", user_uuid, email, hash, salt)
+		if err != nil {
+			if strings.Contains(err.Error(), "email") {
+				auth.Error("Bad Request").Render(r.Context(), w)
+				return
+			}
+
+			auth.Error("Internal Server Error").Render(r.Context(), w)
+			log.Printf("Could not insert user: %v", err)
+			return
+		}
+
+		result := tryCreateSessionAndSetCookie(w, db, user_uuid)
+		if !result {
+			return
+		}
+
+		w.Header().Add("HX-Redirect", "/")
+		w.WriteHeader(http.StatusOK)
+	}
+}
+
+func HandleSignIn(db *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var email = r.FormValue("email")
+		var password = r.FormValue("password")
+
+		var result bool = true
+		start := time.Now()
+
+		var user_uuid uuid.UUID
+		var saved_hash []byte
+		var salt []byte
+		err := db.QueryRow("SELECT user_uuid, password, salt FROM user WHERE email = ?", email).Scan(&user_uuid, &saved_hash, &salt)
+		if err != nil {
+			result = false
+		}
+
+		if result {
+			new_hash := getHashPassword(password, salt)
+
+			if !bytes.Equal(new_hash, saved_hash) {
+				result = false
+			}
+		}
+
+		if result {
+			result := tryCreateSessionAndSetCookie(w, db, user_uuid)
+			if !result {
+				return
+			}
+		}
+
+		duration := time.Since(start)
+		time_to_wait := 100 - duration.Milliseconds()
+		// It is important to sleep for a while to prevent timing attacks
+		// If the email is correct, the server will calculate the hash, which will take some time
+		// This way an attacker could guess emails when comparing the response time
+		// Because of that, we cant use WriteHeader in the middle of the function. We have to wait until the end
+		time.Sleep(time.Duration(time_to_wait) * time.Millisecond)
+
+		if result {
+			w.Header().Add("HX-Redirect", "/")
+			w.WriteHeader(http.StatusOK)
+		} else {
+			auth.Error("Invalid email or password").Render(r.Context(), w)
+		}
+	}
+}
+
+func HandleSignOutComp(db *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		id := getSessionID(r)
+
+		_, err := db.Exec("DELETE FROM session WHERE session_id = ?", id)
+		if err != nil {
+			log.Printf("Could not delete session: %v", err)
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		c := http.Cookie{
+			Name:     "id",
+			Value:    "",
+			MaxAge:   -1,
+			Secure:   true,
+			HttpOnly: true,
+			SameSite: http.SameSiteStrictMode,
+			Path:     "/",
+		}
+
+		http.SetCookie(w, &c)
+		auth.UserComp("").Render(r.Context(), w)
+	}
+}
+
+// var (
+// 	metricsAuthSignUp = promauto.NewCounterVec(
+// 		prometheus.CounterOpts{
+// 			Name: "mefit_api_auth_signup_total",
+// 			Help: "The total number of auth signup api requests processed",
+// 		},
+// 		[]string{"result"},
+// 	)
+//
+// 	metricsError = promauto.NewCounterVec(
+// 		prometheus.CounterOpts{
+// 			Name: "mefit_api_error_total",
+// 			Help: "The total number of errors",
+// 		},
+// 		[]string{"result"},
+// 	)
+//
+// 	// metricsAuthSignIn = promauto.NewCounterVec(
+// 	// 	prometheus.CounterOpts{
+// 	// 		Name: "mefit_api_auth_signin_total",
+// 	// 	},
+// 	// 	[]string{"result"},
+// 	// )
+// )
+
+func tryCreateSessionAndSetCookie(w http.ResponseWriter, db *sql.DB, user_uuid uuid.UUID) bool {
+	var session_id_bytes []byte = make([]byte, 32)
+	_, err := rand.Reader.Read(session_id_bytes)
+	if err != nil {
+		log.Printf("Could not generate session ID: %v", err)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return false
+	}
+	session_id := base64.StdEncoding.EncodeToString(session_id_bytes)
+
+	_, err = db.Exec("INSERT INTO session (session_id, user_uuid, created_at) VALUES (?, ?, datetime())", session_id, user_uuid)
+	if err != nil {
+		log.Printf("Could not insert session: %v", err)
+		http.Error(w, err.Error(), http.StatusInternalServerError)
+		return false
+	}
+
+	cookie := http.Cookie{
+		Name:     "id",
+		Value:    session_id,
+		MaxAge:   60 * 60 * 8, // 8 hours
+		Secure:   true,
+		HttpOnly: true,
+		SameSite: http.SameSiteStrictMode,
+		Path:     "/",
+	}
+	http.SetCookie(w, &cookie)
+
+	return true
+}
+
+func getSessionID(r *http.Request) string {
+	for _, c := range r.Cookies() {
+		if c.Name == "id" {
+			return c.Value
+		}
+	}
+	return ""
+}
+
+func verifySessionAndReturnUser(db *sql.DB, r *http.Request) *User {
+	session_id := getSessionID(r)
+	if session_id == "" {
+		return nil
+	}
+
+	var user User
+	var created_at time.Time
+
+	err := db.QueryRow(`
+			SELECT u.user_uuid, u.email, s.created_at
+			FROM session s
+			INNER JOIN user u ON s.user_uuid = u.user_uuid
+			WHERE session_id = ?`, session_id).Scan(&user.user_uuid, &user.email, &created_at)
+	if err != nil {
+		log.Printf("Could not verify session: %v", err)
+		return nil
+	}
+
+	if created_at.Add(time.Duration(8 * time.Hour)).Before(time.Now()) {
+		return nil
+	}
+
+	return &user
+}
+
+func getHashPassword(password string, salt []byte) []byte {
+	return argon2.IDKey([]byte(password), salt, 1, 64*1024, 1, 16)
+}
--- a/service/static_ui.go
+++ b/service/static_ui.go
@@ -1,20 +1,25 @@
 package service

 import (
-	"me-fit/templates"
+	"database/sql"
+	"me-fit/template"
 	"net/http"

 	"github.com/a-h/templ"
 )

-func HandleIndexAnd404(w http.ResponseWriter, r *http.Request) {
-	var comp templ.Component = nil
-	if r.URL.Path != "/" {
-		comp = templates.Layout(templates.NotFound())
-		w.WriteHeader(http.StatusNotFound)
-	} else {
-		comp = templates.Layout(templates.Index())
-	}
+func HandleIndexAnd404(db *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		var comp templ.Component = nil
+		user_comp := UserInfoComp(verifySessionAndReturnUser(db, r))

-	comp.Render(r.Context(), w)
+		if r.URL.Path != "/" {
+			comp = template.Layout(template.NotFound(), user_comp)
+			w.WriteHeader(http.StatusNotFound)
+		} else {
+			comp = template.Layout(template.Index(), user_comp)
+		}
+
+		comp.Render(r.Context(), w)
+	}
 }
--- a/service/workout.go
+++ b/service/workout.go
@@ -1,8 +1,8 @@
 package service

 import (
-	"me-fit/templates"
-	"me-fit/utils"
+	"me-fit/template"
+	"me-fit/template/workout"

 	"database/sql"
 	"net/http"
@@ -23,16 +23,26 @@ var (
 	)
 )

-func App(w http.ResponseWriter, r *http.Request) {
-	comp := templates.App()
-	layout := templates.Layout(comp)
-	layout.Render(r.Context(), w)
+func HandleWorkoutPage(db *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		currentDate := time.Now().Format("2006-01-02")
+		inner := workout.WorkoutComp(currentDate)
+		user_comp := UserInfoComp(verifySessionAndReturnUser(db, r))
+		layout := template.Layout(inner, user_comp)
+		layout.Render(r.Context(), w)
+	}
 }

-func NewWorkout(db *sql.DB) http.HandlerFunc {
+func HandleNewWorkout(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		metrics.WithLabelValues("new").Inc()

+		user := verifySessionAndReturnUser(db, r)
+		if user == nil {
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}
+
 		var dateStr = r.FormValue("date")
 		var typeStr = r.FormValue("type")
 		var setsStr = r.FormValue("sets")
@@ -61,78 +71,84 @@ func NewWorkout(db *sql.DB) http.HandlerFunc {
 			return
 		}

-		//TODO: Ensure auth
-		// token := r.Context().Value(middleware.TOKEN_KEY).(*auth.Token)
-
-		_, err = db.Exec("INSERT INTO workout (user_id, date, type, sets, reps) VALUES (?, ?, ?, ?, ?)", "", date, typeStr, sets, reps)
+		_, err = db.Exec("INSERT INTO workout (user_id, date, type, sets, reps) VALUES (?, ?, ?, ?, ?)", user.user_uuid, date, typeStr, sets, reps)

 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}
+
+		wo := workout.Workout{
+			Date: r.FormValue("date"),
+			Type: r.FormValue("type"),
+			Sets: r.FormValue("sets"),
+			Reps: r.FormValue("reps"),
+		}
+
+		workout.WorkoutItemComp(wo, true).Render(r.Context(), w)
 	}
 }

-func GetWorkouts(db *sql.DB) http.HandlerFunc {
+func HandleGetWorkouts(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		metrics.WithLabelValues("get").Inc()

-		// token := r.Context().Value(middleware.TOKEN_KEY).(*auth.Token)
-		// var userId = token.UID
-		var userId = ""
+		user := verifySessionAndReturnUser(db, r)
+		if user == nil {
+			http.Error(w, "Unauthorized", http.StatusUnauthorized)
+			return
+		}

-		rows, err := db.Query("SELECT rowid, date, type, sets, reps FROM workout WHERE user_id = ?", userId)
+		rows, err := db.Query("SELECT rowid, date, type, sets, reps FROM workout WHERE user_id = ?", user.user_uuid)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}

-		var workouts = make([]map[string]interface{}, 0)
+		var workouts = make([]workout.Workout, 0)
 		for rows.Next() {
-			var id int
-			var date string
-			var workoutType string
-			var sets int
-			var reps int
+			var workout workout.Workout

-			err = rows.Scan(&id, &date, &workoutType, &sets, &reps)
+			err = rows.Scan(&workout.Id, &workout.Date, &workout.Type, &workout.Sets, &workout.Reps)
 			if err != nil {
 				http.Error(w, err.Error(), http.StatusInternalServerError)
 				return
 			}

-			workout := map[string]interface{}{
-				"id":   id,
-				"date": date,
-				"type": workoutType,
-				"sets": sets,
-				"reps": reps,
-			}
 			workouts = append(workouts, workout)
 		}

-		utils.WriteJSON(w, workouts)
+		workout.WorkoutListComp(workouts).Render(r.Context(), w)
 	}
 }

-func DeleteWorkout(db *sql.DB) http.HandlerFunc {
+func HandleDeleteWorkout(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		metrics.WithLabelValues("delete").Inc()

-		// token := r.Context().Value(middleware.TOKEN_KEY).(*auth.Token)
-		// var userId = token.UID
-		var userId = ""
+		user := verifySessionAndReturnUser(db, r)

-		rowId := r.FormValue("id")
+		rowId := r.PathValue("id")
 		if rowId == "" {
 			http.Error(w, "Missing required fields", http.StatusBadRequest)
 			return
 		}

-		_, err := db.Exec("DELETE FROM workout WHERE user_id = ? AND rowid = ?", userId, rowId)
+		res, err := db.Exec("DELETE FROM workout WHERE user_id = ? AND rowid = ?", user.user_uuid, rowId)
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}
+
+		rows, err := res.RowsAffected()
+		if err != nil {
+			http.Error(w, err.Error(), http.StatusInternalServerError)
+			return
+		}
+
+		if rows == 0 {
+			http.Error(w, "Not found", http.StatusNotFound)
+			return
+		}
 	}
 }
--- a/tailwind.config.js
+++ b/tailwind.config.js
@@ -1,6 +1,6 @@
 /** @type {import('tailwindcss').Config} */
 module.exports = {
-	content: ["./templates/**/*.templ"],
+	content: ["./template/**/*.templ"],
 	theme: {
 		extend: {},
 	},
--- a/template/auth/sign_in_or_up.templ
+++ b/template/auth/sign_in_or_up.templ
@@ -0,0 +1,72 @@
+package auth
+
+templ SignInOrUp(isSignIn bool) {
+	<form
+		class="max-w-xl px-2 mx-auto flex flex-col gap-4 h-full justify-center"
+		hx-target="#sign-in-or-up-error"
+		if isSignIn {
+			hx-post="/api/auth/signin"
+		} else {
+			hx-post="/api/auth/signup"
+		}
+	>
+		<h2 class="text-6xl mb-10">
+			if isSignIn {
+				Sign In
+			} else {
+				Sign Up
+			}
+		</h2>
+		<label class="input input-bordered flex items-center gap-2">
+			<svg
+				xmlns="http://www.w3.org/2000/svg"
+				viewBox="0 0 16 16"
+				fill="currentColor"
+				class="h-4 w-4 opacity-70"
+			>
+				<path
+					d="M2.5 3A1.5 1.5 0 0 0 1 4.5v.793c.026.009.051.02.076.032L7.674 8.51c.206.1.446.1.652 0l6.598-3.185A.755.755 0 0 1 15 5.293V4.5A1.5 1.5 0 0 0 13.5 3h-11Z"
+				></path>
+				<path
+					d="M15 6.954 8.978 9.86a2.25 2.25 0 0 1-1.956 0L1 6.954V11.5A1.5 1.5 0 0 0 2.5 13h11a1.5 1.5 0 0 0 1.5-1.5V6.954Z"
+				></path>
+			</svg>
+			<input type="text" class="grow" placeholder="Email" name="email"/>
+		</label>
+		<label class="input input-bordered flex items-center gap-2">
+			<svg
+				xmlns="http://www.w3.org/2000/svg"
+				viewBox="0 0 16 16"
+				fill="currentColor"
+				class="h-4 w-4 opacity-70"
+			>
+				<path
+					fill-rule="evenodd"
+					d="M14 6a4 4 0 0 1-4.899 3.899l-1.955 1.955a.5.5 0 0 1-.353.146H5v1.5a.5.5 0 0 1-.5.5h-2a.5.5 0 0 1-.5-.5v-2.293a.5.5 0 0 1 .146-.353l3.955-3.955A4 4 0 1 1 14 6Zm-4-2a.75.75 0 0 0 0 1.5.5.5 0 0 1 .5.5.75.75 0 0 0 1.5 0 2 2 0 0 0-2-2Z"
+					clip-rule="evenodd"
+				></path>
+			</svg>
+			<input type="password" class="grow" placeholder="Password" name="password"/>
+		</label>
+		<div class="flex justify-end items-center gap-2">
+			if isSignIn {
+				<a href="/auth/signup" class="link text-gray-500 text-sm">Don't have an account? Sign Up</a>
+				<button class="btn btn-primary self-end">
+					Sign In
+				</button>
+			} else {
+				<a href="/auth/signin" class="link text-gray-500 text-sm">Already have an account? Sign In</a>
+				<button class="btn btn-primary self-end">
+					Sign Up
+				</button>
+			}
+		</div>
+		@Error("")
+	</form>
+}
+
+templ Error(message string) {
+	<p class="text-error text-right" id="sign-in-or-up-error">
+		{ message }
+	</p>
+}
--- a/template/auth/user.templ
+++ b/template/auth/user.templ
@@ -0,0 +1,13 @@
+package auth
+
+templ UserComp(user string) {
+	<div id="user-info" class="flex gap-5 items-center">
+		if user != "" {
+			<a hx-get="/api/auth/signout" hx-target="#user-info" class="btn btn-sm">Sign Out</a>
+			<p>{ user }</p>
+		} else {
+			<a href="/auth/signup" class="btn btn-sm">Sign Up</a>
+			<a href="/auth/signin" class="btn btn-sm">Sign In</a>
+		}
+	</div>
+}
--- a/templates/index.templ
+++ b/templates/index.templ
@@ -1,4 +1,4 @@
-package templates
+package template

 templ Index() {
 	<div class="hero bg-base-200 h-full">
--- a/template/layout.templ
+++ b/template/layout.templ
@@ -0,0 +1,32 @@
+package template
+
+templ Layout(slot templ.Component, user templ.Component) {
+	<!DOCTYPE html>
+	<html lang="en">
+		<head>
+			<meta charset="utf-8"/>
+			<title>ME-FIT</title>
+			<link rel="icon" href="/static/favicon.svg"/>
+			<link rel="stylesheet" href="/static/css/tailwind.css"/>
+			<meta name="viewport" content="width=device-width, initial-scale=1"/>
+			<script defer src="https://umami.me-fit.eu/script.js" data-website-id="3c8efb09-44e4-4372-8a1e-c3bc675cd89a"></script>
+			<script src="/static/js/htmx.min.js" data-website-id="3c8efb09-44e4-4372-8a1e-c3bc675cd89a"></script>
+		</head>
+		<body>
+			<div class="h-screen flex flex-col">
+				<div class="flex justify-end items-center gap-2 py-1 px-2 md:gap-10 md:px-10 md:py-2 shadow">
+					<a href="/" class="flex-1 flex gap-2">
+						<img src="/static/favicon.svg" alt="ME-FIT logo"/>
+						<span>ME-FIT</span>
+					</a>
+					@user
+				</div>
+				<div class="flex-1">
+					if slot != nil {
+						@slot
+					}
+				</div>
+			</div>
+		</body>
+	</html>
+}
--- a/templates/not_found.templ
+++ b/templates/not_found.templ
@@ -1,4 +1,4 @@
-package templates
+package template

 templ NotFound() {
 	<main class="flex h-full justify-center items-center ">
--- a/template/workout/workout.templ
+++ b/template/workout/workout.templ
@@ -0,0 +1,89 @@
+package workout
+
+templ WorkoutComp(currentDate string) {
+	<main class="mx-2">
+		<form
+			class="max-w-xl mx-auto flex flex-col gap-4 justify-center mt-10"
+			hx-post="/api/workout"
+			hx-target="#workout-placeholder"
+			hx-swap="outerHTML"
+		>
+			<h2 class="text-4xl mb-8">Track your workout</h2>
+			<input
+				id="date"
+				type="date"
+				class="input input-bordered"
+				value={ currentDate }
+				name="date"
+			/>
+			<select class="select select-bordered w-full" name="type">
+				<option>Push Ups</option>
+				<option>Pull Ups</option>
+			</select>
+			<input
+				type="number"
+				class="input input-bordered"
+				placeholder="Sets"
+				name="sets"
+			/>
+			<input
+				type="number"
+				class="input input-bordered"
+				placeholder="Reps"
+				name="reps"
+			/>
+			<button class="btn btn-primary self-end">Save</button>
+		</form>
+		<div hx-get="/api/workout" hx-trigger="load"></div>
+	</main>
+}
+
+type Workout struct {
+	Id   string
+	Date string
+	Type string
+	Sets string
+	Reps string
+}
+
+templ WorkoutListComp(workouts []Workout) {
+	<div class="overflow-x-auto mx-auto max-w-screen-lg">
+		<h2 class="text-4xl mt-14 mb-8">Workout history</h2>
+		<table class="table table-auto max-w-full">
+			<thead>
+				<tr>
+					<th>Date</th>
+					<th>Type</th>
+					<th>Sets</th>
+					<th>Reps</th>
+					<th></th>
+				</tr>
+			</thead>
+			<tbody>
+				<tr class="hidden" id="workout-placeholder"></tr>
+				for _,w := range workouts {
+					@WorkoutItemComp(w, false)
+				}
+			</tbody>
+		</table>
+	</div>
+}
+
+templ WorkoutItemComp(w Workout, includePlaceholder bool) {
+	if includePlaceholder {
+		<tr class="hidden" id="workout-placeholder"></tr>
+	}
+	<tr>
+		<th>{ w.Date }</th>
+		<th>{ w.Type }</th>
+		<th>{ w.Sets }</th>
+		<th>{ w.Reps }</th>
+		<th>
+			<div class="tooltip" data-tip="Delete Entry">
+				<button hx-delete={ "api/workout/" + w.Id } hx-target="closest tr">
+					Delete
+				</button>
+			</div>
+		</th>
+	</tr>
+}
--- a/templates/app.templ
+++ b/templates/app.templ
@@ -1,65 +0,0 @@
-package templates
-
-templ App() {
-	<main class="mx-2">
-		<form
-			class="max-w-xl mx-auto flex flex-col gap-4 justify-center mt-10"
-		>
-			<h2 class="text-4xl mb-8">Track your workout</h2>
-			<input
-				id="date"
-				type="date"
-				class="input input-bordered"
-				value=""
-				name="date"
-			/>
-			<select class="select select-bordered w-full" name="type">
-				<option>Push Ups</option>
-				<option>Pull Ups</option>
-			</select>
-			<input
-				type="number"
-				class="input input-bordered"
-				placeholder="Sets"
-				name="sets"
-			/>
-			<input
-				type="number"
-				class="input input-bordered"
-				placeholder="Reps"
-				name="reps"
-			/>
-			<button class="btn btn-primary self-end">Save</button>
-		</form>
-		<!-- 	<div class="overflow-x-auto mx-auto max-w-screen-lg"> -->
-		<!-- 		<h2 class="text-4xl mt-14 mb-8">Workout history</h2> -->
-		<!-- 		<table class="table table-auto max-w-full"> -->
-		<!-- 			<thead> -->
-		<!-- 				<tr> -->
-		<!-- 					<th>Date</th> -->
-		<!-- 					<th>Type</th> -->
-		<!-- 					<th>Sets</th> -->
-		<!-- 					<th>Reps</th> -->
-		<!-- 					<th></th> -->
-		<!-- 				</tr> -->
-		<!-- 			</thead> -->
-		<!--  -->
-		<!-- 			<tbody> -->
-		<!-- 					<tr> -->
-		<!-- 						<th>{workout.date}</th> -->
-		<!-- 						<th>{workout.type}</th> -->
-		<!-- 						<th>{workout.sets}</th> -->
-		<!-- 						<th>{workout.reps}</th> -->
-		<!-- 						<th> -->
-		<!-- 							<div class="tooltip" data-tip="Delete Entry"> -->
-		<!-- 								<button on:click={() => deleteWorkout(workout.id)}> -->
-		<!-- 									<MdiDelete class="text-gray-400 text-lg"></MdiDelete> -->
-		<!-- 								</button> -->
-		<!-- 							</div> -->
-		<!-- 						</th> -->
-		<!-- 					</tr> -->
-		<!-- 			</tbody> -->
-		<!-- 	</table> -->
-		<!-- </div> -->
-	</main>
-}
--- a/templates/header.templ
+++ b/templates/header.templ
@@ -1,12 +0,0 @@
-package templates
-
-templ header() {
-	<div class="flex justify-end items-center gap-2 py-1 px-2 md:gap-10 md:px-10 md:py-2 shadow">
-		<a href="/" class="flex-1 flex gap-2">
-			<img src="/static/favicon.svg" alt="ME-FIT logo"/>
-			<span>ME-FIT</span>
-		</a>
-		<a href="/signup" class="btn btn-sm">Sign Up</a>
-		<a href="/signin" class="btn btn-sm">Sign In</a>
-	</div>
-}
--- a/templates/layout.templ
+++ b/templates/layout.templ
@@ -1,25 +0,0 @@
-package templates
-
-templ Layout(comp templ.Component) {
-	<!DOCTYPE html>
-	<html lang="en">
-		<head>
-			<meta charset="utf-8"/>
-			<title>ME-FIT</title>
-			<link rel="icon" href="static/favicon.svg"/>
-			<link rel="stylesheet" href="static/css/tailwind.css"/>
-			<meta name="viewport" content="width=device-width, initial-scale=1"/>
-			<script defer src="https://umami.me-fit.eu/script.js" data-website-id="3c8efb09-44e4-4372-8a1e-c3bc675cd89a"></script>
-		</head>
-		<body>
-			<div class="h-screen flex flex-col">
-				@header()
-				<div class="flex-1">
-					if comp != nil {
-						@comp
-					}
-				</div>
-			</div>
-		</body>
-	</html>
-}
--- a/utils/auth.go
+++ b/utils/auth.go
@@ -1,30 +0,0 @@
-package utils
-
-// import (
-// 	"context"
-// 	"log"
-// )
-
-// func VerifyToken(token string) (*auth.Token, error) {
-// 	if app == nil {
-// 		setup()
-// 	}
-//
-// 	client, err := app.Auth(context.Background())
-// 	if err != nil {
-// 		log.Fatalf("error getting Auth client: %v\n", err)
-// 	}
-// 	return client.VerifyIDToken(context.Background(), token)
-// }
-//
-// func setup() {
-// 	opt := option.WithCredentialsFile("./secrets/firebase.json")
-//
-// 	firebaseApp, err := firebase.NewApp(context.Background(), nil, opt)
-//
-// 	if err != nil {
-// 		log.Fatalf("error initializing app: %v", err)
-// 	}
-//
-// 	app = firebaseApp
-// }