auth: replace copy-paste JWT checks with real middleware

Add a shared parseTokenByIssuer helper and VolunteerAuthMiddleware,
consolidate all protected admin routes into a single subrouter wrapped
with AdminAuthMiddleware, and remove the duplicated cookie+token checks
that were scattered across handler and template functions.

Closes #73

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: sumnerevans

internal/admin.go

@@ -3,7 +3,6 @@ package internal
 import (
 	"context"
 	"encoding/csv"
-	"errors"
 	"fmt"
 	"net/http"
 	"time"
@@ -24,47 +23,7 @@ func (a *Application) createAdminLoginJWT(email string) *jwt.Token {
 	})
 }
 
-func (a *Application) isAdminByToken(tokenStr string) (bool, error) {
-	if tokenStr == "" {
-		return false, errors.New("no token")
-	}
-
-	token, err := jwt.ParseWithClaims(tokenStr, &jwt.RegisteredClaims{}, func(token *jwt.Token) (any, error) {
-		// Don't forget to validate the alg is what you expect:
-		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
-			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
-		}
-
-		return a.Config.ReadSecretKey(), nil
-	})
-	if err != nil {
-		return false, fmt.Errorf("failed to parse admin token: %w", err)
-	}
-
-	claims, ok := token.Claims.(*jwt.RegisteredClaims)
-	if !token.Valid || !ok {
-		return false, fmt.Errorf("failed to validate token: %w", err)
-	}
-
-	if claims.Issuer != string(IssuerAdminLogin) {
-		return false, fmt.Errorf("invalid student verify token: %w", err)
-	}
-
-	return true, nil
-}
-
 func (a *Application) GetAdminTeamsTemplate(r *http.Request) map[string]any {
-	tok, err := r.Cookie("admin_token")
-	if err != nil {
-		a.Log.Warn().Err(err).Msg("failed to get admin token")
-		return nil
-	}
-
-	if isAdmin, err := a.isAdminByToken(tok.Value); err != nil || !isAdmin {
-		a.Log.Warn().Err(err).Msg("user is not admin!")
-		return nil
-	}
-
 	teamsWithTeachers, err := a.DB.GetAdminTeamsWithTeacherName(r.Context())
 	if err != nil {
 		a.Log.Err(err).Msg("failed to get teams")
@@ -153,17 +112,6 @@ func (a *Application) GetAdminTeamsTemplate(r *http.Request) map[string]any {
 }
 
 func (a *Application) GetAdminDietaryRestrictionsTemplate(r *http.Request) map[string]any {
-	tok, err := r.Cookie("admin_token")
-	if err != nil {
-		a.Log.Warn().Err(err).Msg("failed to get admin token")
-		return nil
-	}
-
-	if isAdmin, err := a.isAdminByToken(tok.Value); err != nil || !isAdmin {
-		a.Log.Warn().Err(err).Msg("user is not admin!")
-		return nil
-	}
-
 	dietaryRestrictions, err := a.DB.GetAllDietaryRestrictions(r.Context())
 	if err != nil {
 		a.Log.Err(err).Msg("failed to get dietary restrictions")
@@ -179,7 +127,7 @@ func (a *Application) HandleAdminEmailLogin(w http.ResponseWriter, r *http.Reque
 	tok := r.URL.Query().Get("tok")
 	log := zerolog.Ctx(r.Context())
 	log.Info().Str("token", tok).Msg("got token")
-	isAdmin, err := a.isAdminByToken(tok)
+	isAdmin, err := a.parseTokenByIssuer(tok, IssuerAdminLogin)
 	if err != nil || !isAdmin {
 		log.Warn().Msg("failed to get admin")
 		w.WriteHeader(http.StatusBadRequest)

internal/application.go

@@ -3,6 +3,7 @@ package internal
 import (
 	"fmt"
 	"html/template"
+	"maps"
 	"net/http"
 	"regexp"
 	"strings"
@@ -66,9 +67,7 @@ func (a *Application) ServeTemplateExtra(logger *zerolog.Logger, templateName st
 		if data == nil {
 			data = map[string]any{}
 		}
-		for k, v := range extraData {
-			data[k] = v
-		}
+		maps.Copy(data, extraData)
 		user, err := a.GetLoggedInTeacher(r)
 		if err == nil {
 			data["Username"] = user.Name
@@ -217,36 +216,43 @@ func (a *Application) Start() {
 		router.HandleFunc("POST "+path, renderFn(fn))
 	}
 
-	// Admin pages
-	router.HandleFunc("GET /admin", a.ServeTemplate(a.Log, "adminhome.html", noArgs))
+	// Admin pages (unprotected — these exact patterns beat the /admin/ prefix below)
 	router.HandleFunc("GET /admin/login", a.ServeTemplate(a.Log, "adminlogin.html", noArgs))
-	router.HandleFunc("GET /admin/dietaryrestrictions", a.ServeTemplate(a.Log, "admindietaryrestrictions.html", a.GetAdminDietaryRestrictionsTemplate))
-	router.HandleFunc("GET /admin/teams", a.ServeTemplate(a.Log, "adminteams.html", a.GetAdminTeamsTemplate))
 	router.HandleFunc("GET /admin/emaillogin", a.HandleAdminEmailLogin)
 	router.HandleFunc("POST /admin/emaillogin", a.HandleAdminLogin)
 
-	adminAPIRouter := http.NewServeMux()
-	adminAPIRouter.HandleFunc("GET /resendstudentemail", a.HandleResendStudentEmail)
-	adminAPIRouter.HandleFunc("GET /resendparentemail", a.HandleResendParentEmail)
-	adminAPIRouter.HandleFunc("GET /confirmationlink/student", a.HandleGetStudentEmailConfirmationLink)
-	adminAPIRouter.HandleFunc("GET /confirmationlink/parent", a.HandleGetParentEmailConfirmationLink)
-	adminAPIRouter.HandleFunc("GET /sendemailconfirmationreminders", a.HandleSendEmailConfirmationReminders)
-	adminAPIRouter.HandleFunc("GET /sendparentreminders", a.HandleSendParentReminders)
-	adminAPIRouter.HandleFunc("GET /sendqrcodes", a.HandleSendQRCodes)
-	adminAPIRouter.HandleFunc("GET /kattis/teams", a.HandleKattisTeamsExport)
-	adminAPIRouter.HandleFunc("GET /kattis/participants", a.HandleKattisParticipantsExport)
-	adminAPIRouter.HandleFunc("GET /zoom/breakout", a.HandleZoomBreakoutExport)
-	adminAPIRouter.HandleFunc("GET /manualcheckin", a.HandleManualCheckin)
-	adminAPIRouter.HandleFunc("GET /team-list", a.HandleTeamList)
-	router.Handle("/admin/api/", http.StripPrefix("/admin/api", a.AdminAuthMiddleware(adminAPIRouter)))
-
-	// Volunteer pages
+	// Admin pages (protected) — subrouter consolidates all protected admin routes
+	adminRouter := http.NewServeMux()
+	adminRouter.HandleFunc("GET /{$}", a.ServeTemplate(a.Log, "adminhome.html", noArgs))
+	adminRouter.HandleFunc("GET /dietaryrestrictions", a.ServeTemplate(a.Log, "admindietaryrestrictions.html", a.GetAdminDietaryRestrictionsTemplate))
+	adminRouter.HandleFunc("GET /teams", a.ServeTemplate(a.Log, "adminteams.html", a.GetAdminTeamsTemplate))
+	adminRouter.HandleFunc("GET /api/resendstudentemail", a.HandleResendStudentEmail)
+	adminRouter.HandleFunc("GET /api/resendparentemail", a.HandleResendParentEmail)
+	adminRouter.HandleFunc("GET /api/confirmationlink/student", a.HandleGetStudentEmailConfirmationLink)
+	adminRouter.HandleFunc("GET /api/confirmationlink/parent", a.HandleGetParentEmailConfirmationLink)
+	adminRouter.HandleFunc("GET /api/sendemailconfirmationreminders", a.HandleSendEmailConfirmationReminders)
+	adminRouter.HandleFunc("GET /api/sendparentreminders", a.HandleSendParentReminders)
+	adminRouter.HandleFunc("GET /api/sendqrcodes", a.HandleSendQRCodes)
+	adminRouter.HandleFunc("GET /api/kattis/teams", a.HandleKattisTeamsExport)
+	adminRouter.HandleFunc("GET /api/kattis/participants", a.HandleKattisParticipantsExport)
+	adminRouter.HandleFunc("GET /api/zoom/breakout", a.HandleZoomBreakoutExport)
+	adminRouter.HandleFunc("GET /api/manualcheckin", a.HandleManualCheckin)
+	adminRouter.HandleFunc("GET /api/team-list", a.HandleTeamList)
+	router.Handle("/admin/", http.StripPrefix("/admin", a.AdminAuthMiddleware(adminRouter)))
+	router.Handle("GET /admin", a.AdminAuthMiddleware(
+		http.HandlerFunc(a.ServeTemplate(a.Log, "adminhome.html", noArgs))))
+
+	// Volunteer pages (unprotected)
 	router.HandleFunc("GET /volunteer", a.ServeTemplate(a.Log, "volunteerhome.html", noArgs))
 	router.HandleFunc("GET /volunteer/login", a.ServeTemplate(a.Log, "volunteerlogin.html", noArgs))
 	router.HandleFunc("GET /volunteer/emaillogin", a.HandleVolunteerEmailLogin)
 	router.HandleFunc("POST /volunteer/emaillogin", a.HandleVolunteerLogin)
-	router.HandleFunc("GET /volunteer/scan", a.ServeTemplate(a.Log, "volunteerscan.html", a.GetVolunteerScanTemplate))
-	router.HandleFunc("GET /volunteer/checkin", a.HandleVolunteerCheckIn)
+
+	// Volunteer pages (protected)
+	router.Handle("GET /volunteer/scan", a.VolunteerAuthMiddleware(
+		http.HandlerFunc(a.ServeTemplate(a.Log, "volunteerscan.html", a.GetVolunteerScanTemplate))))
+	router.Handle("GET /volunteer/checkin", a.VolunteerAuthMiddleware(
+		http.HandlerFunc(a.HandleVolunteerCheckIn)))
 
 	var handler http.Handler = router
 	handler = hlog.RequestIDHandler("request_id", "RequestID")(handler)

internal/middleware.go

@@ -1,17 +1,66 @@
 package internal
 
-import "net/http"
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/golang-jwt/jwt/v4"
+)
+
+func (a *Application) parseTokenByIssuer(tokenStr string, issuer Issuer) (bool, error) {
+	if tokenStr == "" {
+		return false, fmt.Errorf("no token")
+	}
+
+	token, err := jwt.ParseWithClaims(tokenStr, &jwt.RegisteredClaims{}, func(token *jwt.Token) (any, error) {
+		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
+			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
+		}
+		return a.Config.ReadSecretKey(), nil
+	})
+	if err != nil {
+		return false, fmt.Errorf("failed to parse token: %w", err)
+	}
+
+	claims, ok := token.Claims.(*jwt.RegisteredClaims)
+	if !token.Valid || !ok {
+		return false, fmt.Errorf("invalid token")
+	}
+
+	if claims.Issuer != string(issuer) {
+		return false, fmt.Errorf("wrong issuer: got %s, want %s", claims.Issuer, issuer)
+	}
+
+	return true, nil
+}
 
 func (a *Application) AdminAuthMiddleware(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		tok, err := r.Cookie("admin_token")
 		if err != nil {
-			http.Redirect(w, r, "/", http.StatusSeeOther)
+			http.Redirect(w, r, "/admin/login", http.StatusSeeOther)
+			return
+		}
+
+		if isAdmin, err := a.parseTokenByIssuer(tok.Value, IssuerAdminLogin); err != nil || !isAdmin {
+			http.Redirect(w, r, "/admin/login", http.StatusSeeOther)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}
+
+func (a *Application) VolunteerAuthMiddleware(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		tok, err := r.Cookie("volunteer_token")
+		if err != nil {
+			http.Redirect(w, r, "/volunteer/login", http.StatusSeeOther)
 			return
 		}
 
-		if isAdmin, err := a.isAdminByToken(tok.Value); err != nil || !isAdmin {
-			http.Redirect(w, r, "/", http.StatusSeeOther)
+		if isVolunteer, err := a.parseTokenByIssuer(tok.Value, IssuerVolunteerLogin); err != nil || !isVolunteer {
+			http.Redirect(w, r, "/volunteer/login", http.StatusSeeOther)
 			return
 		}
 

internal/volunteer.go

@@ -22,39 +22,10 @@ func (a *Application) createVolunteerLoginJWT(email string) *jwt.Token {
 	})
 }
 
-func (a *Application) isVolunteerByToken(tokenStr string) (bool, error) {
-	if tokenStr == "" {
-		return false, errors.New("no token")
-	}
-
-	token, err := jwt.ParseWithClaims(tokenStr, &jwt.RegisteredClaims{}, func(token *jwt.Token) (any, error) {
-		// Don't forget to validate the alg is what you expect:
-		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
-			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
-		}
-
-		return a.Config.ReadSecretKey(), nil
-	})
-	if err != nil {
-		return false, fmt.Errorf("failed to parse admin token: %w", err)
-	}
-
-	claims, ok := token.Claims.(*jwt.RegisteredClaims)
-	if !token.Valid || !ok {
-		return false, fmt.Errorf("failed to validate token: %w", err)
-	}
-
-	if claims.Issuer != string(IssuerVolunteerLogin) {
-		return false, fmt.Errorf("invalid student verify token: %w", err)
-	}
-
-	return true, nil
-}
-
 func (a *Application) HandleVolunteerEmailLogin(w http.ResponseWriter, r *http.Request) {
 	tok := r.URL.Query().Get("tok")
 	zerolog.Ctx(r.Context()).Info().Str("token", tok).Msg("got token")
-	isVolunteer, err := a.isVolunteerByToken(tok)
+	isVolunteer, err := a.parseTokenByIssuer(tok, IssuerVolunteerLogin)
 	if err != nil || !isVolunteer {
 		a.Log.Warn().Msg("failed to get volunteer")
 		w.WriteHeader(http.StatusBadRequest)
@@ -121,23 +92,13 @@ func (a *Application) HandleVolunteerLogin(w http.ResponseWriter, r *http.Reques
 
 func (a *Application) GetVolunteerScanTemplate(r *http.Request) map[string]any {
 	ctx := r.Context()
-	tok, err := r.Cookie("volunteer_token")
-	if err != nil {
-		a.Log.Warn().Err(err).Msg("failed to get volunteer token")
-		return nil
-	}
-
-	if isVolunteer, err := a.isVolunteerByToken(tok.Value); err != nil || !isVolunteer {
-		a.Log.Warn().Err(err).Msg("user is not volunteer!")
-		return nil
-	}
 
 	res := map[string]any{
 		"LoggedInAsVolunteer": true,
 	}
 
 	if adminTok, err := r.Cookie("admin_token"); err == nil {
-		if isAdmin, err := a.isAdminByToken(adminTok.Value); err == nil && isAdmin {
+		if isAdmin, err := a.parseTokenByIssuer(adminTok.Value, IssuerAdminLogin); err == nil && isAdmin {
 			res["LoggedInAsAdmin"] = true
 		}
 	}
@@ -174,18 +135,6 @@ func (a *Application) GetVolunteerScanTemplate(r *http.Request) map[string]any {
 
 func (a *Application) HandleVolunteerCheckIn(w http.ResponseWriter, r *http.Request) {
 	ctx := r.Context()
-	tok, err := r.Cookie("volunteer_token")
-	if err != nil {
-		a.Log.Warn().Err(err).Msg("failed to get volunteer token")
-		w.WriteHeader(http.StatusBadRequest)
-		return
-	}
-
-	if isVolunteer, err := a.isVolunteerByToken(tok.Value); err != nil || !isVolunteer {
-		a.Log.Warn().Err(err).Msg("user is not volunteer!")
-		w.WriteHeader(http.StatusBadRequest)
-		return
-	}
 
 	studentSignInToken := r.URL.Query().Get("tok")
 	student, err := a.getStudentByQRToken(ctx, studentSignInToken)