fix: limit request body size on auth form handlers (gosec G120)

Datastar's NewSSE() flushes HTTP headers before SCS's session middleware
can attach the Set-Cookie header, so the session cookie never reaches the
browser after login/register/logout.

Convert login, register, and logout to standard HTML forms with HTTP
redirects, which lets SCS write cookies normally. Also fix return_url
capture on the login page (was never being stored in the session).

Add handler tests covering login, register, and logout flows.

features/auth/handlers.go

@@ -3,10 +3,10 @@ package auth
 import (
 	"database/sql"
 	"net/http"
+	"net/url"
 
 	"github.com/alexedwards/scs/v2"
 	"github.com/google/uuid"
-	"github.com/starfederation/datastar-go/datastar"
 
 	"github.com/ryanhamamura/games/auth"
 	"github.com/ryanhamamura/games/db/repository"
@@ -14,20 +14,15 @@ import (
 	appsessions "github.com/ryanhamamura/games/sessions"
 )
 
-type LoginSignals struct {
+func HandleLoginPage(sessions *scs.SessionManager) http.HandlerFunc {
-	Username string `json:"username"`
-	Password string `json:"password"` //nolint:gosec // form input, not stored
-}
-
-type RegisterSignals struct {
-	Username string `json:"username"`
-	Password string `json:"password"` //nolint:gosec // form input, not stored
-	Confirm  string `json:"confirm"`
-}
-
-func HandleLoginPage() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		if err := pages.LoginPage().Render(r.Context(), w); err != nil {
+		// Capture return_url so we can redirect back after login
+		if returnURL := r.URL.Query().Get("return_url"); returnURL != "" {
+			sessions.Put(r.Context(), "return_url", returnURL)
+		}
+
+		errorMsg := r.URL.Query().Get("error")
+		if err := pages.LoginPage(errorMsg).Render(r.Context(), w); err != nil {
 			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 		}
 	}
@@ -35,7 +30,8 @@ func HandleLoginPage() http.HandlerFunc {
 
 func HandleRegisterPage() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		if err := pages.RegisterPage().Render(r.Context(), w); err != nil {
+		errorMsg := r.URL.Query().Get("error")
+		if err := pages.RegisterPage(errorMsg).Render(r.Context(), w); err != nil {
 			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 		}
 	}
@@ -43,25 +39,21 @@ func HandleRegisterPage() http.HandlerFunc {
 
 func HandleLogin(queries *repository.Queries, sessions *scs.SessionManager) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		var signals LoginSignals
+		r.Body = http.MaxBytesReader(w, r.Body, 1024)
-		if err := datastar.ReadSignals(r, &signals); err != nil {
+		username := r.FormValue("username")
-			http.Error(w, err.Error(), http.StatusBadRequest)
+		password := r.FormValue("password")
-			return
-		}
 
-		sse := datastar.NewSSE(w, r)
+		user, err := queries.GetUserByUsername(r.Context(), username)
-
-		user, err := queries.GetUserByUsername(r.Context(), signals.Username)
 		if err == sql.ErrNoRows {
-			sse.MarshalAndPatchSignals(map[string]any{"error": "Invalid username or password"}) //nolint:errcheck
+			http.Redirect(w, r, "/login?error="+url.QueryEscape("Invalid username or password"), http.StatusSeeOther)
 			return
 		}
 		if err != nil {
-			sse.MarshalAndPatchSignals(map[string]any{"error": "An error occurred"}) //nolint:errcheck
+			http.Redirect(w, r, "/login?error="+url.QueryEscape("An error occurred"), http.StatusSeeOther)
 			return
 		}
-		if !auth.CheckPassword(signals.Password, user.PasswordHash) {
+		if !auth.CheckPassword(password, user.PasswordHash) {
-			sse.MarshalAndPatchSignals(map[string]any{"error": "Invalid username or password"}) //nolint:errcheck
+			http.Redirect(w, r, "/login?error="+url.QueryEscape("Invalid username or password"), http.StatusSeeOther)
 			return
 		}
 
@@ -76,46 +68,43 @@ func HandleLogin(queries *repository.Queries, sessions *scs.SessionManager) http
 			redirectURL = returnURL
 		}
 
-		sse.Redirect(redirectURL) //nolint:errcheck
+		http.Redirect(w, r, redirectURL, http.StatusSeeOther)
 	}
 }
 
 func HandleRegister(queries *repository.Queries, sessions *scs.SessionManager) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		var signals RegisterSignals
+		r.Body = http.MaxBytesReader(w, r.Body, 1024)
-		if err := datastar.ReadSignals(r, &signals); err != nil {
+		username := r.FormValue("username")
-			http.Error(w, err.Error(), http.StatusBadRequest)
+		password := r.FormValue("password")
+		confirm := r.FormValue("confirm")
+
+		if err := auth.ValidateUsername(username); err != nil {
+			http.Redirect(w, r, "/register?error="+url.QueryEscape(err.Error()), http.StatusSeeOther)
+			return
+		}
+		if err := auth.ValidatePassword(password); err != nil {
+			http.Redirect(w, r, "/register?error="+url.QueryEscape(err.Error()), http.StatusSeeOther)
+			return
+		}
+		if password != confirm {
+			http.Redirect(w, r, "/register?error="+url.QueryEscape("Passwords do not match"), http.StatusSeeOther)
 			return
 		}
 
-		sse := datastar.NewSSE(w, r)
+		hash, err := auth.HashPassword(password)
-
-		if err := auth.ValidateUsername(signals.Username); err != nil {
-			sse.MarshalAndPatchSignals(map[string]any{"error": err.Error()}) //nolint:errcheck
-			return
-		}
-		if err := auth.ValidatePassword(signals.Password); err != nil {
-			sse.MarshalAndPatchSignals(map[string]any{"error": err.Error()}) //nolint:errcheck
-			return
-		}
-		if signals.Password != signals.Confirm {
-			sse.MarshalAndPatchSignals(map[string]any{"error": "Passwords do not match"}) //nolint:errcheck
-			return
-		}
-
-		hash, err := auth.HashPassword(signals.Password)
 		if err != nil {
-			sse.MarshalAndPatchSignals(map[string]any{"error": "An error occurred"}) //nolint:errcheck
+			http.Redirect(w, r, "/register?error="+url.QueryEscape("An error occurred"), http.StatusSeeOther)
 			return
 		}
 
 		user, err := queries.CreateUser(r.Context(), repository.CreateUserParams{
 			ID:           uuid.New().String(),
-			Username:     signals.Username,
+			Username:     username,
 			PasswordHash: hash,
 		})
 		if err != nil {
-			sse.MarshalAndPatchSignals(map[string]any{"error": "Username already taken"}) //nolint:errcheck
+			http.Redirect(w, r, "/register?error="+url.QueryEscape("Username already taken"), http.StatusSeeOther)
 			return
 		}
 
@@ -130,6 +119,6 @@ func HandleRegister(queries *repository.Queries, sessions *scs.SessionManager) h
 			redirectURL = returnURL
 		}
 
-		sse.Redirect(redirectURL) //nolint:errcheck
+		http.Redirect(w, r, redirectURL, http.StatusSeeOther)
 	}
 }

features/auth/handlers_test.go

@@ -0,0 +1,351 @@
+package auth_test
+
+import (
+	"context"
+	"database/sql"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+	"testing"
+
+	"github.com/alexedwards/scs/v2"
+	"github.com/google/uuid"
+
+	"github.com/ryanhamamura/games/auth"
+	"github.com/ryanhamamura/games/db/repository"
+	featauth "github.com/ryanhamamura/games/features/auth"
+	"github.com/ryanhamamura/games/features/lobby"
+	appsessions "github.com/ryanhamamura/games/sessions"
+	"github.com/ryanhamamura/games/testutil"
+)
+
+// sessionCookieName is the default SCS cookie name used in tests.
+const sessionCookieName = "session"
+
+type testSetup struct {
+	db      *sql.DB
+	queries *repository.Queries
+	sm      *scs.SessionManager
+}
+
+func (s *testSetup) ctx() context.Context {
+	return context.Background()
+}
+
+func newTestSetup(t *testing.T) *testSetup {
+	t.Helper()
+	db, queries := testutil.NewTestDB(t)
+	sm := testutil.NewTestSessionManager(t, db)
+	return &testSetup{db: db, queries: queries, sm: sm}
+}
+
+// createTestUser inserts a user into the test database and returns the user ID.
+func createTestUser(t *testing.T, setup *testSetup, username, password string) string {
+	t.Helper()
+	hash, err := auth.HashPassword(password)
+	if err != nil {
+		t.Fatalf("hashing password: %v", err)
+	}
+	id := uuid.New().String()
+	_, err = setup.queries.CreateUser(setup.ctx(), repository.CreateUserParams{
+		ID:           id,
+		Username:     username,
+		PasswordHash: hash,
+	})
+	if err != nil {
+		t.Fatalf("creating test user: %v", err)
+	}
+	return id
+}
+
+// postForm sends a POST request with form-encoded body through the session middleware,
+// forwarding any cookies from a previous response.
+func postForm(handler http.Handler, path string, values url.Values, cookies []*http.Cookie) *httptest.ResponseRecorder {
+	body := strings.NewReader(values.Encode())
+	req := httptest.NewRequest(http.MethodPost, path, body)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+	return rec
+}
+
+// getPage sends a GET request through the session middleware, forwarding cookies.
+func getPage(handler http.Handler, path string, cookies []*http.Cookie) *httptest.ResponseRecorder {
+	req := httptest.NewRequest(http.MethodGet, path, nil)
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+	return rec
+}
+
+// extractSessionValue makes a GET request with the given cookies to a test endpoint
+// that reads a session value, verifying the session was persisted correctly.
+func extractSessionValue(t *testing.T, setup *testSetup, cookies []*http.Cookie, key string) string {
+	t.Helper()
+	var value string
+	handler := setup.sm.LoadAndSave(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		value = setup.sm.GetString(r.Context(), key)
+	}))
+	req := httptest.NewRequest(http.MethodGet, "/check-session", nil)
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+	if rec.Code != http.StatusOK {
+		t.Fatalf("session check returned %d", rec.Code)
+	}
+	return value
+}
+
+func TestHandleLogin_Success(t *testing.T) {
+	setup := newTestSetup(t)
+	createTestUser(t, setup, "alice", "password123")
+
+	handler := setup.sm.LoadAndSave(featauth.HandleLogin(setup.queries, setup.sm))
+	rec := postForm(handler, "/auth/login", url.Values{
+		"username": {"alice"},
+		"password": {"password123"},
+	}, nil)
+
+	if rec.Code != http.StatusSeeOther {
+		t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
+	}
+	if loc := rec.Header().Get("Location"); loc != "/" {
+		t.Errorf("expected redirect to /, got %q", loc)
+	}
+
+	// Verify the response sets a session cookie
+	cookies := rec.Result().Cookies()
+	if !hasCookie(cookies, sessionCookieName) {
+		t.Fatal("response did not set a session cookie")
+	}
+
+	// Verify session contains user data by reading it back
+	userID := extractSessionValue(t, setup, cookies, appsessions.KeyUserID)
+	if userID == "" {
+		t.Error("session does not contain user_id after login")
+	}
+	nickname := extractSessionValue(t, setup, cookies, appsessions.KeyNickname)
+	if nickname != "alice" {
+		t.Errorf("expected nickname %q, got %q", "alice", nickname)
+	}
+}
+
+func TestHandleLogin_InvalidPassword(t *testing.T) {
+	setup := newTestSetup(t)
+	createTestUser(t, setup, "alice", "password123")
+
+	handler := setup.sm.LoadAndSave(featauth.HandleLogin(setup.queries, setup.sm))
+	rec := postForm(handler, "/auth/login", url.Values{
+		"username": {"alice"},
+		"password": {"wrongpassword"},
+	}, nil)
+
+	if rec.Code != http.StatusSeeOther {
+		t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
+	}
+	loc := rec.Header().Get("Location")
+	if !strings.HasPrefix(loc, "/login?error=") {
+		t.Errorf("expected redirect to /login?error=..., got %q", loc)
+	}
+}
+
+func TestHandleLogin_UnknownUser(t *testing.T) {
+	setup := newTestSetup(t)
+
+	handler := setup.sm.LoadAndSave(featauth.HandleLogin(setup.queries, setup.sm))
+	rec := postForm(handler, "/auth/login", url.Values{
+		"username": {"nonexistent"},
+		"password": {"password123"},
+	}, nil)
+
+	if rec.Code != http.StatusSeeOther {
+		t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
+	}
+	loc := rec.Header().Get("Location")
+	if !strings.HasPrefix(loc, "/login?error=") {
+		t.Errorf("expected redirect to /login?error=..., got %q", loc)
+	}
+}
+
+func TestHandleLogin_ReturnURL(t *testing.T) {
+	setup := newTestSetup(t)
+	createTestUser(t, setup, "alice", "password123")
+
+	// First, visit the login page with a return_url to store it in the session
+	loginPageHandler := setup.sm.LoadAndSave(featauth.HandleLoginPage(setup.sm))
+	pageRec := getPage(loginPageHandler, "/login?return_url=/games/abc", nil)
+	cookies := pageRec.Result().Cookies()
+
+	// Now log in with those cookies so the handler can read return_url from session
+	loginHandler := setup.sm.LoadAndSave(featauth.HandleLogin(setup.queries, setup.sm))
+	rec := postForm(loginHandler, "/auth/login", url.Values{
+		"username": {"alice"},
+		"password": {"password123"},
+	}, cookies)
+
+	if rec.Code != http.StatusSeeOther {
+		t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
+	}
+	if loc := rec.Header().Get("Location"); loc != "/games/abc" {
+		t.Errorf("expected redirect to /games/abc, got %q", loc)
+	}
+}
+
+func TestHandleRegister_Success(t *testing.T) {
+	setup := newTestSetup(t)
+
+	handler := setup.sm.LoadAndSave(featauth.HandleRegister(setup.queries, setup.sm))
+	rec := postForm(handler, "/auth/register", url.Values{
+		"username": {"newuser"},
+		"password": {"password123"},
+		"confirm":  {"password123"},
+	}, nil)
+
+	if rec.Code != http.StatusSeeOther {
+		t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
+	}
+	if loc := rec.Header().Get("Location"); loc != "/" {
+		t.Errorf("expected redirect to /, got %q", loc)
+	}
+
+	cookies := rec.Result().Cookies()
+	if !hasCookie(cookies, sessionCookieName) {
+		t.Fatal("response did not set a session cookie")
+	}
+
+	userID := extractSessionValue(t, setup, cookies, appsessions.KeyUserID)
+	if userID == "" {
+		t.Error("session does not contain user_id after registration")
+	}
+}
+
+func TestHandleRegister_PasswordMismatch(t *testing.T) {
+	setup := newTestSetup(t)
+
+	handler := setup.sm.LoadAndSave(featauth.HandleRegister(setup.queries, setup.sm))
+	rec := postForm(handler, "/auth/register", url.Values{
+		"username": {"newuser"},
+		"password": {"password123"},
+		"confirm":  {"differentpassword"},
+	}, nil)
+
+	if rec.Code != http.StatusSeeOther {
+		t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
+	}
+	loc := rec.Header().Get("Location")
+	if !strings.Contains(loc, "Passwords+do+not+match") {
+		t.Errorf("expected error about password mismatch, got %q", loc)
+	}
+}
+
+func TestHandleRegister_InvalidUsername(t *testing.T) {
+	setup := newTestSetup(t)
+
+	handler := setup.sm.LoadAndSave(featauth.HandleRegister(setup.queries, setup.sm))
+	rec := postForm(handler, "/auth/register", url.Values{
+		"username": {"ab"}, // too short
+		"password": {"password123"},
+		"confirm":  {"password123"},
+	}, nil)
+
+	if rec.Code != http.StatusSeeOther {
+		t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
+	}
+	loc := rec.Header().Get("Location")
+	if !strings.HasPrefix(loc, "/register?error=") {
+		t.Errorf("expected redirect to /register?error=..., got %q", loc)
+	}
+}
+
+func TestHandleRegister_ShortPassword(t *testing.T) {
+	setup := newTestSetup(t)
+
+	handler := setup.sm.LoadAndSave(featauth.HandleRegister(setup.queries, setup.sm))
+	rec := postForm(handler, "/auth/register", url.Values{
+		"username": {"validuser"},
+		"password": {"short"},
+		"confirm":  {"short"},
+	}, nil)
+
+	if rec.Code != http.StatusSeeOther {
+		t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
+	}
+	loc := rec.Header().Get("Location")
+	if !strings.HasPrefix(loc, "/register?error=") {
+		t.Errorf("expected redirect to /register?error=..., got %q", loc)
+	}
+}
+
+func TestHandleRegister_DuplicateUsername(t *testing.T) {
+	setup := newTestSetup(t)
+	createTestUser(t, setup, "taken", "password123")
+
+	handler := setup.sm.LoadAndSave(featauth.HandleRegister(setup.queries, setup.sm))
+	rec := postForm(handler, "/auth/register", url.Values{
+		"username": {"taken"},
+		"password": {"password123"},
+		"confirm":  {"password123"},
+	}, nil)
+
+	if rec.Code != http.StatusSeeOther {
+		t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
+	}
+	loc := rec.Header().Get("Location")
+	if !strings.Contains(loc, "Username+already+taken") {
+		t.Errorf("expected error about duplicate username, got %q", loc)
+	}
+}
+
+func TestHandleLogout(t *testing.T) {
+	setup := newTestSetup(t)
+	createTestUser(t, setup, "alice", "password123")
+
+	// Log in first to establish a session
+	loginHandler := setup.sm.LoadAndSave(featauth.HandleLogin(setup.queries, setup.sm))
+	loginRec := postForm(loginHandler, "/auth/login", url.Values{
+		"username": {"alice"},
+		"password": {"password123"},
+	}, nil)
+	cookies := loginRec.Result().Cookies()
+
+	// Verify we're logged in
+	userID := extractSessionValue(t, setup, cookies, appsessions.KeyUserID)
+	if userID == "" {
+		t.Fatal("expected to be logged in before testing logout")
+	}
+
+	// Now log out
+	logoutHandler := setup.sm.LoadAndSave(lobby.HandleLogout(setup.sm))
+	logoutRec := postForm(logoutHandler, "/logout", nil, cookies)
+
+	if logoutRec.Code != http.StatusSeeOther {
+		t.Errorf("expected status %d, got %d", http.StatusSeeOther, logoutRec.Code)
+	}
+	if loc := logoutRec.Header().Get("Location"); loc != "/" {
+		t.Errorf("expected redirect to /, got %q", loc)
+	}
+
+	// Verify session is cleared — use the cookies from the logout response
+	logoutCookies := logoutRec.Result().Cookies()
+	userID = extractSessionValue(t, setup, logoutCookies, appsessions.KeyUserID)
+	if userID != "" {
+		t.Errorf("expected empty user_id after logout, got %q", userID)
+	}
+}
+
+func hasCookie(cookies []*http.Cookie, name string) bool {
+	for _, c := range cookies {
+		if c.Name == name {
+			return true
+		}
+	}
+	return false
+}

features/auth/pages/login.templ

@@ -1,45 +1,39 @@
 package pages
 
-import (
+import "github.com/ryanhamamura/games/features/common/layouts"
-	"github.com/ryanhamamura/games/features/common/layouts"
-	"github.com/starfederation/datastar-go/datastar"
-)
 
-templ LoginPage() {
+templ LoginPage(errorMsg string) {
 	@layouts.Base("Login") {
-		<main class="max-w-sm mx-auto mt-8 text-center" data-signals="{username: '', password: '', error: ''}">
+		<main class="max-w-sm mx-auto mt-8 text-center">
 			<h1 class="text-3xl font-bold">Login</h1>
 			<p class="mb-4">Sign in to your account</p>
-			<div data-show="$error != ''" class="alert alert-error mb-4" data-text="$error"></div>
+			if errorMsg != "" {
-			<div>
+				<div class="alert alert-error mb-4">{ errorMsg }</div>
+			}
+			<form method="POST" action="/auth/login">
 				<fieldset class="fieldset">
 					<label class="label" for="username">Username</label>
 					<input
 						class="input input-bordered w-full"
 						id="username"
+						name="username"
 						type="text"
 						placeholder="Enter your username"
-					data-bind="username"
+						autofocus
-					data-on:keydown={ "evt.key === 'Enter' && " + datastar.PostSSE("/auth/login") }
+					/>
-					autofocus
-				/>
 					<label class="label" for="password">Password</label>
 					<input
 						class="input input-bordered w-full"
 						id="password"
+						name="password"
 						type="password"
 						placeholder="Enter your password"
-						data-bind="password"
-						data-on:keydown={ "evt.key === 'Enter' && " + datastar.PostSSE("/auth/login") }
 					/>
 				</fieldset>
-				<button
+				<button type="submit" class="btn btn-primary w-full">
-					class="btn btn-primary w-full"
-					data-on:click={ datastar.PostSSE("/auth/login") }
-				>
 					Login
 				</button>
-			</div>
+			</form>
 			<p>
 				Don't have an account? <a class="link" href="/register">Register</a>
 			</p>

features/auth/pages/register.templ

@@ -1,54 +1,47 @@
 package pages
 
-import (
+import "github.com/ryanhamamura/games/features/common/layouts"
-	"github.com/ryanhamamura/games/features/common/layouts"
-	"github.com/starfederation/datastar-go/datastar"
-)
 
-templ RegisterPage() {
+templ RegisterPage(errorMsg string) {
 	@layouts.Base("Register") {
-		<main class="max-w-sm mx-auto mt-8 text-center" data-signals="{username: '', password: '', confirm: '', error: ''}">
+		<main class="max-w-sm mx-auto mt-8 text-center">
 			<h1 class="text-3xl font-bold">Register</h1>
 			<p class="mb-4">Create a new account</p>
-			<div data-show="$error != ''" class="alert alert-error mb-4" data-text="$error"></div>
+			if errorMsg != "" {
-			<div>
+				<div class="alert alert-error mb-4">{ errorMsg }</div>
+			}
+			<form method="POST" action="/auth/register">
 				<fieldset class="fieldset">
 					<label class="label" for="username">Username</label>
 					<input
 						class="input input-bordered w-full"
 						id="username"
+						name="username"
 						type="text"
 						placeholder="Choose a username"
-					data-bind="username"
+						autofocus
-					data-on:keydown={ "evt.key === 'Enter' && " + datastar.PostSSE("/auth/register") }
+					/>
-					autofocus
-				/>
 					<label class="label" for="password">Password</label>
 					<input
 						class="input input-bordered w-full"
 						id="password"
+						name="password"
 						type="password"
 						placeholder="Choose a password (min 8 chars)"
-					data-bind="password"
+					/>
-					data-on:keydown={ "evt.key === 'Enter' && " + datastar.PostSSE("/auth/register") }
-				/>
 					<label class="label" for="confirm">Confirm Password</label>
 					<input
 						class="input input-bordered w-full"
 						id="confirm"
+						name="confirm"
 						type="password"
 						placeholder="Confirm your password"
-						data-bind="confirm"
-						data-on:keydown={ "evt.key === 'Enter' && " + datastar.PostSSE("/auth/register") }
 					/>
 				</fieldset>
-				<button
+				<button type="submit" class="btn btn-primary w-full">
-					class="btn btn-primary w-full"
-					data-on:click={ datastar.PostSSE("/auth/register") }
-				>
 					Register
 				</button>
-			</div>
+			</form>
 			<p>
 				Already have an account? <a class="link" href="/login">Login</a>
 			</p>

features/auth/routes.go

@@ -9,7 +9,7 @@ import (
 )
 
 func SetupRoutes(router chi.Router, queries *repository.Queries, sessions *scs.SessionManager) {
-	router.Get("/login", HandleLoginPage())
+	router.Get("/login", HandleLoginPage(sessions))
 	router.Get("/register", HandleRegisterPage())
 	router.Post("/auth/login", HandleLogin(queries, sessions))
 	router.Post("/auth/register", HandleRegister(queries, sessions))

features/lobby/handlers.go

@@ -171,7 +171,6 @@ func HandleLogout(sessions *scs.SessionManager) http.HandlerFunc {
 			return
 		}
 
-		sse := datastar.NewSSE(w, r)
+		http.Redirect(w, r, "/", http.StatusSeeOther)
-		sse.ExecuteScript("window.location.href='/'") //nolint:errcheck
 	}
 }

features/lobby/pages/lobby.templ

@@ -20,13 +20,11 @@ templ LobbyPage(data LobbyData) {
 			if data.IsLoggedIn {
 				<div class="flex justify-center items-center gap-4 mb-4 p-2 bg-base-200 rounded-lg">
 					<span>Logged in as <strong>{ data.Username }</strong></span>
-					<button
+					<form method="POST" action="/logout" class="inline">
-						type="button"
+						<button type="submit" class="btn btn-ghost btn-sm">
-						class="btn btn-ghost btn-sm"
+							Logout
-						data-on:click={ datastar.PostSSE("/logout") }
+						</button>
-					>
+					</form>
-						Logout
-					</button>
 				</div>
 			} else {
 				<div class="alert text-sm mb-4">