welcome (#72)

* welcome

* Update screenshots

* fix demo user

* Update screenshots

---------

Co-authored-by: dylan-botler[bot] <dylan-botler[bot]@users.noreply.github.com>

Author: dbut2

docs/screenshots/.content-hash

@@ -1 +1 @@
-31fad4a29cc5f862542a4f998913c7cb5ebf78d281fd1d57fb8878760c7a74bb
+856dfd1ef54fae7d3742610df73623bb72be071168a9a19f921bf90817a6f450

docs/screenshots/home.png

@@ -5,6 +5,7 @@ import (
 	"database/sql"
 	"log"
 	"os"
+	"strings"
 
 	firebase "firebase.google.com/go/v4"
 	"firebase.google.com/go/v4/messaging"
@@ -73,12 +74,31 @@ func setup(r *gin.Engine) (*api.API, gin.HandlerFunc) {
 		if err != nil {
 			log.Fatalf("failed to seed demo data: %v", err)
 		}
+		if err := queries.SetUserToken(context.Background(), userID, sql.NullString{String: "demo:token", Valid: true}); err != nil {
+			log.Fatalf("failed to set demo user token: %v", err)
+		}
 		return api.New(queries, fx, classifier, push), middleware.DemoAuth(userID)
 	}
 
 	webhook.New(queries, classifier, push).Register(r.Group("/webhook"))
 
-	return api.New(queries, fx, classifier, push), middleware.Middleware(queries, os.Getenv("BASE_URL"))
+	teamDomain := os.Getenv("CF_ACCESS_TEAM_DOMAIN")
+	audRaw := os.Getenv("CF_ACCESS_AUD")
+	if teamDomain == "" || audRaw == "" {
+		log.Fatalf("CF_ACCESS_TEAM_DOMAIN and CF_ACCESS_AUD must be set")
+	}
+	var audiences []string
+	for _, a := range strings.Split(audRaw, ",") {
+		if a = strings.TrimSpace(a); a != "" {
+			audiences = append(audiences, a)
+		}
+	}
+	verifier, err := middleware.NewCloudflareAccessVerifier(teamDomain, audiences)
+	if err != nil {
+		log.Fatalf("failed to init cf access verifier: %v", err)
+	}
+
+	return api.New(queries, fx, classifier, push), middleware.Middleware(queries, os.Getenv("BASE_URL"), verifier)
 }
 
 func newFCMClient() *messaging.Client {

go/cmd/float/main.go

@@ -14,17 +14,23 @@ import (
 	"dbut.dev/float/go/service"
 )
 
-func Middleware(queries database.Querier, baseURL string) gin.HandlerFunc {
+func Middleware(queries database.Querier, baseURL string, verifier *CloudflareAccessVerifier) gin.HandlerFunc {
 	webhookSvc := service.NewWebhookService(queries, nil, nil)
 
 	var emailToUserID sync.Map
 	var generalBucketEnsured sync.Map
 	var webhookConfirmed sync.Map
 
 	return func(c *gin.Context) {
-		email := c.GetHeader("Cf-Access-Authenticated-User-Email")
+		token := c.GetHeader("Cf-Access-Jwt-Assertion")
+		if token == "" {
+			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
+			return
+		}
 
-		if email == "" {
+		email, err := verifier.Verify(token)
+		if err != nil {
+			log.Printf("cf access: jwt verification failed: %v", err)
 			c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{"error": "unauthorized"})
 			return
 		}

go/middleware/middleware.go

@@ -18,6 +18,7 @@ type User struct {
 	UserID    uuid.UUID `json:"user_id"`
 	Email     string    `json:"email"`
 	CreatedAt time.Time `json:"created_at"`
+	HasToken  bool      `json:"has_token"`
 }
 
 type UserService struct {
@@ -37,7 +38,12 @@ func (s *UserService) GetUser(ctx context.Context, userID uuid.UUID) (User, erro
 	if err != nil {
 		return User{}, err
 	}
-	return User{UserID: u.UserID, Email: u.Email, CreatedAt: u.CreatedAt}, nil
+	return User{
+		UserID:    u.UserID,
+		Email:     u.Email,
+		CreatedAt: u.CreatedAt,
+		HasToken:  u.UpToken.Valid && u.UpToken.String != "",
+	}, nil
 }
 
 func (s *UserService) UpdateToken(ctx context.Context, userID uuid.UUID, token string) error {

go/service/user.go

@@ -18,9 +18,11 @@ func Now() time.Time {
 }
 
 func Today() time.Time {
-	return Now().Truncate(24 * time.Hour)
+	n := Now()
+	return time.Date(n.Year(), n.Month(), n.Day(), 0, 0, 0, 0, Location)
 }
 
 func ToDate(t time.Time) time.Time {
-	return t.In(Location).Truncate(24 * time.Hour)
+	l := t.In(Location)
+	return time.Date(l.Year(), l.Month(), l.Day(), 0, 0, 0, 0, Location)
 }

go/utils/time.go

@@ -4,11 +4,13 @@ import Dashboard from './pages/Dashboard'
 import BucketDetail from './pages/BucketDetail'
 import Settings from './pages/Settings'
 import Rules from './pages/Rules'
+import Onboarding from './pages/Onboarding'
 
 export default function App() {
   return (
     <BrowserRouter>
       <Routes>
+        <Route path="onboarding" element={<Onboarding />} />
         <Route element={<Layout />}>
           <Route index element={<Dashboard />} />
           <Route path="buckets/:id" element={<BucketDetail />} />

web/src/App.tsx

@@ -2,6 +2,7 @@ export interface User {
   user_id: string
   email: string
   created_at: string
+  has_token: boolean
 }
 
 export interface Cover {

web/src/lib/api.ts

@@ -145,6 +145,14 @@ export default function Dashboard() {
     queryFn: api.getTransactBalance,
   })
 
+  const { data: me } = useQuery({ queryKey: ['user'], queryFn: api.getUser })
+
+  useEffect(() => {
+    if (me && !me.has_token) {
+      navigate('/onboarding', { replace: true })
+    }
+  }, [me, navigate])
+
   useEffect(() => {
     setOrderedBuckets(buckets)
   }, [buckets])