feat: add env-based configuration and token-in-cookie auth

Implement 12-factor configuration via environment variables and
token-in-cookie authentication for Gitea API access.

- internal/config/config.go: reads GITEA_URL, GITEA_TOKEN, LISTEN_ADDR,
  SESSION_SECRET from environment with validation
- internal/auth/cookie.go: HMAC-signed HTTP-only cookie for storing
  Gitea API tokens (Secure, SameSite=Strict)
- internal/middleware/auth.go: extracts token from cookie, injects into
  request context, redirects unauthenticated users to /settings
- internal/middleware/logging.go: structured JSON request logging
- internal/handlers/settings.go: settings page for entering/removing
  Gitea API token with mobile-first dark UI
- cmd/server/main.go: integrated config, auth middleware, and settings

Includes unit tests for config loading, cookie signing/verification,
and auth middleware bypass/redirect logic.

Closes leeworks-agents/gitea-mobile#2

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

internal/middleware/auth.go

@@ -0,0 +1,54 @@
+package middleware
+
+import (
+	"context"
+	"log/slog"
+	"net/http"
+
+	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/auth"
+)
+
+// contextKey is a private type for context keys in this package.
+type contextKey string
+
+const (
+	// TokenContextKey is the context key for the Gitea API token.
+	TokenContextKey contextKey = "gitea_token"
+)
+
+// TokenFromContext extracts the Gitea API token from the request context.
+func TokenFromContext(ctx context.Context) string {
+	token, _ := ctx.Value(TokenContextKey).(string)
+	return token
+}
+
+// Auth returns middleware that checks for a valid token cookie.
+// Unauthenticated requests are redirected to the settings page.
+// The /health, /settings, and /static/ paths are exempt from auth.
+func Auth(sessionSecret string) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			// Skip auth for exempt paths.
+			path := r.URL.Path
+			if path == "/health" || path == "/settings" || hasPrefix(path, "/static/") {
+				next.ServeHTTP(w, r)
+				return
+			}
+
+			token, err := auth.GetToken(r, sessionSecret)
+			if err != nil || token == "" {
+				slog.Debug("unauthenticated request, redirecting to settings", "path", path, "error", err)
+				http.Redirect(w, r, "/settings", http.StatusSeeOther)
+				return
+			}
+
+			// Inject token into request context.
+			ctx := context.WithValue(r.Context(), TokenContextKey, token)
+			next.ServeHTTP(w, r.WithContext(ctx))
+		})
+	}
+}
+
+func hasPrefix(s, prefix string) bool {
+	return len(s) >= len(prefix) && s[:len(prefix)] == prefix
+}

internal/middleware/auth_test.go

@@ -0,0 +1,85 @@
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"gitea.leeworks.dev/0xwheatyz/gitea-mobile/internal/auth"
+)
+
+const testSecret = "test-secret-that-is-at-least-32-chars-long"
+
+func TestAuth_HealthBypass(t *testing.T) {
+	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/health", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
+	}
+}
+
+func TestAuth_SettingsBypass(t *testing.T) {
+	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/settings", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusOK {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
+	}
+}
+
+func TestAuth_RedirectWithoutToken(t *testing.T) {
+	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if w.Code != http.StatusSeeOther {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusSeeOther)
+	}
+	if loc := w.Header().Get("Location"); loc != "/settings" {
+		t.Errorf("Location = %q, want %q", loc, "/settings")
+	}
+}
+
+func TestAuth_PassWithToken(t *testing.T) {
+	called := false
+	handler := Auth(testSecret)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		called = true
+		token := TokenFromContext(r.Context())
+		if token != "my-token" {
+			t.Errorf("token = %q, want %q", token, "my-token")
+		}
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	// Set a token cookie.
+	cookieW := httptest.NewRecorder()
+	auth.SetTokenCookie(cookieW, "my-token", testSecret, false)
+	cookie := cookieW.Result().Cookies()[0]
+
+	req := httptest.NewRequest(http.MethodGet, "/", nil)
+	req.AddCookie(cookie)
+	w := httptest.NewRecorder()
+	handler.ServeHTTP(w, req)
+
+	if !called {
+		t.Error("next handler was not called")
+	}
+	if w.Code != http.StatusOK {
+		t.Errorf("status = %d, want %d", w.Code, http.StatusOK)
+	}
+}

internal/middleware/logging.go

@@ -0,0 +1,38 @@
+package middleware
+
+import (
+	"log/slog"
+	"net/http"
+	"time"
+)
+
+// responseWriter wraps http.ResponseWriter to capture the status code.
+type responseWriter struct {
+	http.ResponseWriter
+	statusCode int
+}
+
+func (rw *responseWriter) WriteHeader(code int) {
+	rw.statusCode = code
+	rw.ResponseWriter.WriteHeader(code)
+}
+
+// Logging returns middleware that logs each HTTP request with structured logging.
+func Logging() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			start := time.Now()
+			rw := &responseWriter{ResponseWriter: w, statusCode: http.StatusOK}
+
+			next.ServeHTTP(rw, r)
+
+			slog.Info("http request",
+				"method", r.Method,
+				"path", r.URL.Path,
+				"status", rw.statusCode,
+				"duration", time.Since(start).String(),
+				"remote", r.RemoteAddr,
+			)
+		})
+	}
+}