Page Flow

Page Data & Middleware Flow

General Notes

  • Internal web pages are protected at the route-group level.
  • The /saas, /mapp, and /end-user route groups all use ValidateCookieMiddleware(cookie.SC) in cmd/web/main.go.
    • The cookie acts as the app’s session token.
    • The cookie is created after a successful login flow.
  • Its payload carries the following fields, defined in cookie/cookie.go:
    • email
    • saas_uuid
    • saas_id
    • set_time

Login

  • In the magic-link flow, /public/login validates the sign-in code, builds the cookie payload, encodes it, sets the cookie, and redirects to /saas/business-hub in routes/public.go.
  • In the Google OAuth flow, the app creates a redirect token, routes the request to /login/dashboard, and SetLoginCookieMiddleware sets the cookie before the dashboard handler runs in middleware/auth.go.
  • /public/signin has a special-case behavior.
  • That page also uses the validator in routes/public.go.
  • If the user already has a valid cookie, middleware redirects them away from sign-in and into /saas/business-hub in middleware/auth.go.
  • If the user has no valid cookie, the sign-in page is allowed to render.

Internal Page Processing

  • For every request to an internal page, ValidateCookieMiddleware runs first in middleware/auth.go.
  • It reads the cookie from the request.
  • If the cookie is missing, it redirects the user to /public/signin.
  • If the cookie exists, it decodes the signed cookie payload.
  • It checks whether the cookie is expired based on set_time and the configured expiration interval.
  • It checks whether the associated account is still active in the database.
  • If any of those checks fail, the request is blocked: depending on which check failed, the user is redirected to sign in again or shown an unauthorized or account-not-found response.
  • If the cookie is valid, the middleware enriches the request context.
  • It stores email, saas_uuid, and saas_id in the Gin context in middleware/auth.go.
  • Internal page handlers then read those context values instead of re-parsing the cookie themselves.
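The two halves of this flow, the login-time encode and the per-request validate, as an added standard-library example that is not the project's own code: the page does not show how cookie.SC encodes the payload, so an HMAC-SHA256 tag over a base64url JSON body is assumed here, the field types are assumed, and the database "account still active" check is left to the caller.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

// Payload mirrors the cookie fields the page lists for cookie/cookie.go; the types are assumed.
type Payload struct {
	Email    string `json:"email"`
	SaasUUID string `json:"saas_uuid"`
	SaasID   int64  `json:"saas_id"`
	SetTime  int64  `json:"set_time"` // unix seconds at issue time
}

var ErrBadCookie, ErrExpired = errors.New("invalid or tampered cookie"), errors.New("cookie expired")

// tag computes HMAC-SHA256 over the encoded body with the server-side secret (assumed format).
func tag(key []byte, msg string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(msg))
	return m.Sum(nil)
}

// Encode is the login step: serialise the payload and append a tag the browser cannot forge.
func Encode(p Payload, key []byte) string {
	body, _ := json.Marshal(p) // a struct of strings and ints always marshals
	enc := base64.RawURLEncoding.EncodeToString(body)
	return enc + "." + base64.RawURLEncoding.EncodeToString(tag(key, enc))
}

// Validate is the middleware step: verify the tag in constant time before any field is trusted, then apply set_time + maxAge.
func Validate(v string, key []byte, maxAge time.Duration, now time.Time) (Payload, error) {
	var p Payload
	enc, sig, ok := strings.Cut(v, ".")
	want, _ := base64.RawURLEncoding.DecodeString(sig)
	body, err := base64.RawURLEncoding.DecodeString(enc)
	if !ok || err != nil || !hmac.Equal(want, tag(key, enc)) || json.Unmarshal(body, &p) != nil {
		return p, ErrBadCookie
	}
	if now.After(time.Unix(p.SetTime, 0).Add(maxAge)) {
		return p, ErrExpired
	}
	return p, nil
}
```

A handler would then place the returned Email, SaasUUID and SaasID into the request context, as the page describes, and a logout simply makes the browser stop presenting a cookie that would still pass these checks until its interval elapses.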

Overall Page Flow

This means the internal page flow is:

  • User logs in successfully.
  • Server writes a signed auth cookie.
  • Browser sends that cookie on later requests to protected routes.
  • Middleware validates the cookie on each request.
  • Middleware injects identity values into request context.
  • Internal page handler uses those values to load and render the page.

Logout

  • Logout clears the cookie.
  • /saas/logout sets the cookie to an empty value with a negative max age in routes/saas_user.go.
  • After logout, future internal-page requests fail middleware validation and send the user back to sign-in.

Other Implementation Notes