Merge pull request 'Switch to datastar-pro and stop tracking downloaded libs' (#16) from feat/datastar-pro into main

Datastar-pro is fetched from a private Gitea repo (ryan/vendor-libs)
using VENDOR_TOKEN for CI/Docker builds, with a local fallback from
../optional/ for development. DaisyUI is pinned to v5.5.19 instead of
tracking latest. Downloaded files are now gitignored and fetched at
build time via 'task download', which is a dependency of both build
and live tasks.

.env.example

@@ -11,6 +11,10 @@
 # PORT=7331
 
 # Goose CLI migration config (only needed for running goose manually)
+# Gitea API token for downloading datastar-pro from private repo (CI/Docker only).
+# Not needed for local dev — falls back to copying from ../optional/.
+# VENDOR_TOKEN=
+
 GOOSE_DRIVER=sqlite3
 GOOSE_DBSTRING=data/games.db?_pragma=foreign_keys(1)&_pragma=journal_mode(WAL)
 GOOSE_MIGRATION_DIR=db/migrations

.gitea/workflows/deploy.yml

@@ -61,8 +61,13 @@ jobs:
           mkdir -p $DEPLOY_DIR/data
 
       - name: Rebuild and restart
+        env:
+          VENDOR_TOKEN: ${{ secrets.VENDOR_TOKEN }}
         run: |
           cd $DEPLOY_DIR
           VERSION=$(git describe --tags --always)
           COMMIT=$(git rev-parse --short HEAD)
-          VERSION=$VERSION COMMIT=$COMMIT docker compose up -d --build --remove-orphans
+          VERSION=$VERSION COMMIT=$COMMIT VENDOR_TOKEN=$VENDOR_TOKEN docker compose up -d --build --remove-orphans
+
+      - name: Prune unused images
+        run: docker image prune -f

.gitignore

@@ -27,6 +27,10 @@
 *_templ.go
 assets/css/output.css
 
+# Downloaded client-side libs (fetched by cmd/downloader)
+assets/js/datastar/*
+assets/css/daisyui/*
+
 # Deploy scripts and configs
 !deploy/*.sh
 !deploy/*.service

AGENTS.md

@@ -9,6 +9,7 @@ Instructions for AI coding agents working in this repository.
 task live              # Hot-reload dev server (templ + tailwind + air)
 task build             # Production build to bin/games
 task run               # Build and run server
+task download          # Download pinned client-side libs (datastar-pro, daisyui)
 
 # Quality
 task test              # Run all tests: go test ./...
@@ -16,106 +17,80 @@ task lint              # Run linter: golangci-lint run
 
 # Single test
 go test -run TestName ./path/to/package
+go test -v -run TestHandleLogin_Success ./features/auth
 
 # Code generation
-task build:templ       # Compile .templ files
+task build:templ       # Compile .templ files (go tool templ generate)
-task build:styles      # Build TailwindCSS
+task build:styles      # Build TailwindCSS (go tool gotailwind)
-go generate ./...      # Run sqlc for DB queries
 ```
 
+Tools (templ, air, gotailwind, goose, sqlc) are managed via Go 1.25's `tool` directive in go.mod — no separate installs needed.
+
 ## Workflow Rules
 
 - **Never merge PRs without explicit user approval.** Create the PR, push changes, then wait.
-- Always use PRs via `tea` CLI - never push directly to main.
+- Always use PRs via `tea` CLI — never push directly to main.
 - Write semantic commit messages focusing on "why" not "what".
 
 ## Project Structure
 
 ```
 games/
-├── connect4/, snake/       # Game logic packages (pure Go)
+├── connect4/, snake/       # Game logic packages (pure Go, no HTTP)
 ├── features/               # Feature modules (handlers, routes, templates)
-│   ├── auth/               # Login/register
+│   ├── auth/               # Login/register (standard HTTP, not SSE)
-│   ├── c4game/             # Connect 4 UI
+│   ├── c4game/             # Connect 4 UI + services
-│   ├── snakegame/          # Snake UI
+│   ├── snakegame/          # Snake UI + services
 │   ├── lobby/              # Game lobby
 │   └── common/             # Shared components, layouts
-├── chat/                   # Reusable chat room (NATS + persistence)
+├── chat/                   # Reusable chat room (NATS + optional DB persistence)
+├── auth/                   # Password hashing/validation (pure, no HTTP)
 ├── db/                     # SQLite, migrations, sqlc queries
-├── assets/                 # Static files (embedded)
+├── cmd/downloader/         # Build-time tool: fetches datastar-pro + daisyui
-└── config/, logging/, nats/, sessions/, router/  # Infrastructure
+├── assets/                 # Static files (embedded in prod, filesystem in dev)
+└── config/, logging/, nats/, sessions/, router/, player/, version/
 ```
 
 ## Code Style
 
 ### Imports
 
-Organize in three groups: stdlib, third-party, local. The linter enforces this.
+Three groups separated by blank lines: stdlib, third-party, local. Enforced by goimports with `local-prefixes: github.com/ryanhamamura/games`.
 
 ```go
 import (
-    "context"
     "fmt"
     "net/http"
 
     "github.com/go-chi/chi/v5"
-    "github.com/rs/zerolog/log"
 
     "github.com/ryanhamamura/games/connect4"
-    "github.com/ryanhamamura/games/db/repository"
 )
 ```
 
-### Naming Conventions
-
-| Type | Convention | Examples |
-|------|------------|----------|
-| Files | lowercase, underscores | `config_dev.go`, `handlers.go` |
-| HTTP handlers | `Handle` prefix | `HandleGamePage`, `HandleLogin` |
-| Constructors | `New` prefix | `NewStore`, `NewRoom` |
-| Getters | `Get` prefix | `GetPlayerID`, `GetGame` |
-| Setup functions | `Setup` prefix | `SetupRoutes`, `SetupLogger` |
-| Types | PascalCase | `Game`, `Player`, `Instance` |
-| Status enums | `Status` prefix | `StatusWaitingForPlayer`, `StatusInProgress` |
-| Session keys | `Key` prefix | `KeyPlayerID`, `KeyUserID` |
-
 ### Error Handling
 
-1. **Wrap errors with context:**
 ```go
+// Wrap errors with context
 return fmt.Errorf("loading game %s: %w", id, err)
-   ```
 
-2. **Return (result, error) tuples:**
+// Combine cleanup errors with errors.Join
-   ```go
+return nil, errors.Join(fmt.Errorf("pinging database: %w", err), DB.Close())
-   func loadGame(queries *repository.Queries, id string) (*Game, error)
-   ```
 
-3. **Best-effort operations** - use nolint comment:
+// Best-effort operations
-   ```go
 nc.Publish(subject, nil) //nolint:errcheck // best-effort notification
-   ```
 
-4. **HTTP errors:**
+// HTTP errors
-   ```go
 http.Error(w, "game not found", http.StatusNotFound)
 http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+
 ```
 
 ### Comments
 
 - Focus on **why**, not **how**. Avoid superfluous comments.
-- Package comments at top of primary file:
+- Package comments at top of primary file.
-  ```go
+- Function comments for exported functions.
-  // Package connect4 implements Connect 4 game logic, state management, and persistence.
-  package connect4
-  ```
-- Function comments for exported functions:
-  ```go
-  // DropPiece attempts to drop a piece in the given column.
-  // Returns (row placed, success).
-  func (g *Game) DropPiece(col, playerColor int) (int, bool)
-  ```
 
 ## Go Patterns
 
@@ -125,129 +100,119 @@ Handlers receive dependencies and return `http.HandlerFunc`:
 
 ```go
 func HandleGamePage(store *connect4.Store, sm *scs.SessionManager) http.HandlerFunc {
-    return func(w http.ResponseWriter, r *http.Request) {
+    return func(w http.ResponseWriter, r *http.Request) { /* ... */ }
-        // use store, sm here
-    }
 }
 ```
 
-### Mutex for Concurrent Access
+### Cleanup Function Returns
+
+Infrastructure init functions return a cleanup func the caller defers:
 
 ```go
-type Store struct {
+cleanupDB, err := db.Init(cfg.DBPath)
-    games   map[string]*Instance
+defer cleanupDB()
-    gamesMu sync.RWMutex
-}
-
-func (s *Store) Get(id string) (*Instance, bool) {
-    s.gamesMu.RLock()
-    defer s.gamesMu.RUnlock()
-    inst, ok := s.games[id]
-    return inst, ok
-}
 ```
 
-### Build Tags for Environment
+### Store/Instance Pattern
 
-```go
+Game state uses a two-tier pattern: a thread-safe **Store** (map + RWMutex) holding **Instance** wrappers (individual game + own mutex + DB queries). Stores lazy-load from DB on cache miss.
-//go:build dev
 
-//go:build !dev
+### Build Tags
-```
 
-### Embedded Filesystems
+`//go:build dev` and `//go:build !dev` switch behavior for static asset serving (filesystem vs embedded hashfs) and config loading.
-
-```go
-//go:embed assets
-var assets embed.FS
-
-//go:embed migrations/*.sql
-var MigrationFS embed.FS
-```
-
-### Graceful Shutdown
-
-```go
-eg, egctx := errgroup.WithContext(ctx)
-eg.Go(func() error { return server.ListenAndServe() })
-eg.Go(func() error {
-    <-egctx.Done()
-    return server.Shutdown(context.Background())
-})
-return eg.Wait()
-```
 
 ## Templ + Datastar Patterns
 
-### SSE Connection with Disabled Cancellation
+### Architecture: Everything Is a Stream
 
-Datastar cancels SSE on user interaction by default. Disable for persistent connections:
+The core mental model: **the server owns all state and continuously projects it to the browser over SSE**. There is no client-side state management. The browser connects to an event stream, and the server pushes full HTML fragments whenever something changes. Datastar morphs these into the DOM — the client is a thin rendering surface.
+
+User actions (clicks, keypresses) trigger short POST/DELETE requests back to the server. The server mutates state, publishes a NATS signal, and every connected SSE stream picks up the change and re-renders. The client never needs to know what changed — it just receives the new truth and morphs to match.
+
+This means: **always send whole components down the wire.** Don't try to diff or send minimal patches. Render the full templ component, call `sse.PatchElementTempl()`, and let Datastar's morph handle the rest. The only exception is appending to a list (e.g. chat messages).
+
+**Signals follow command-query segregation.** Signals are *commands* — they carry the user's intent to the server (form input values, button clicks). The SSE stream is the *query* — it continuously projects the server's truth into the DOM. Keep signals thin: form input buffers (`chatMsg`, `nickname`), pure UI state the server never needs (`activeTab`), and request indicators. Don't use signals to hold application state — that arrives from the server via SSE.
+
+### SSE Event Loop
+
+Both game event handlers follow the same structure:
+1. Subscribe to NATS channels **before** creating SSE (avoids missed messages)
+2. Send initial full-state patch
+3. `select` loop over: context done, game updates (drain channel first), chat messages (append), 1-second heartbeat (full re-render)
 
 ```go
+// Handler side — long-lived SSE with Brotli compression
+sse := datastar.NewSSE(w, r, datastar.WithCompression(
+    datastar.WithBrotli(datastar.WithBrotliLevel(5)),
+))
+sse.PatchElementTempl(components.GameBoard(game))
+
+// Template side — disable Datastar's default SSE cancellation on interaction
 data-init={ fmt.Sprintf("@get('/games/%s/events',{requestCancellation:'disabled'})", g.ID) }
 ```
 
-### Prevent Script Duplication on SSE Patches
+### Client-Server Interactions
-
-Use `templ.NewOnceHandle()` for scripts in components that get patched:
 
 ```go
-var scriptHandle = templ.NewOnceHandle()
+// Trigger SSE actions from templates
+data-on:click={ datastar.PostSSE("/games/%s/drop?col=%d", g.ID, colIdx) }
+data-on:click={ datastar.DeleteSSE("/games/%s", g.ID) }
 
-templ MyComponent() {
+// Read client signals in handlers
-    <div id="my-component">...</div>
+var signals struct { ChatMsg string `json:"chatMsg"` }
-    @scriptHandle.Once() {
+datastar.ReadSignals(r, &signals)
-        @myScript()
+
-    }
+// Clear input after submission
-}
+sse.MarshalAndPatchSignals(map[string]any{"chatMsg": ""})
+
+// Redirect via SSE
+sse.Redirectf("/games/%s", newGame.ID())
 ```
 
-### Conditional Classes with templ.KV
+### Appending Elements (Chat Messages)
+
+The one exception to whole-component morphing is chat, where messages are appended individually:
 
 ```go
-class={
+sse.PatchElementTempl(
-    "status status-sm",
+    chatcomponents.ChatMessage(msg, cfg),
-    templ.KV("status-success", isConnected),
+    datastar.WithSelectorID("c4-chat-history"),
-    templ.KV("status-error", !isConnected),
+    datastar.WithModeAppend(),
-}
+)
 ```
 
-### Datastar SSE Responses
+### Datastar Template Attributes
 
-```go
+- `data-signals` — declare reactive state
-sse := datastar.NewSSE(w, r)
+- `data-bind` — two-way input binding
-sse.MergeFragmentTempl(components.GameBoard(game))
+- `data-show` — conditional visibility
+- `data-class` — reactive CSS classes
+- `data-morph-ignore` — prevent SSE from overwriting an element (e.g. chat input)
+
+## Testing
+
+```bash
+task test                                          # All tests
+go test -run TestHandleLogin_Success ./features/auth  # Single test
+go test -v ./features/auth                         # Verbose package
 ```
 
+- Use `testutil.NewTestDB(t)` for tests needing a database
+- Use `testutil.NewTestSessionManager(db)` for session-aware tests
+- Use `config.LoadForTest()` to set safe defaults without .env
+- Tests use external test packages (`package auth_test`)
+
 ## Tech Stack
 
 | Layer | Technology |
 |-------|------------|
 | Templates | templ (type-safe HTML) |
-| Reactivity | Datastar (SSE-driven) |
+| Reactivity | Datastar Pro (SSE-driven) |
 | CSS | TailwindCSS v4 + daisyUI |
 | Router | chi/v5 |
-| Sessions | scs/v2 |
+| Sessions | scs/v2 (SQLite-backed) |
 | Database | SQLite (modernc.org/sqlite) |
-| Migrations | goose |
+| Migrations | goose (embedded SQL) |
 | SQL codegen | sqlc |
-| Pub/sub | Embedded NATS |
+| Pub/sub | Embedded NATS (nil-payload signals) |
-| Logging | zerolog |
+| Logging | zerolog + slog (bridged via slog-zerolog) |
-
-## Testing
-
-```bash
-# All tests
-task test
-
-# Single test
-go test -run TestDropPiece ./connect4
-
-# With verbose output
-go test -v -run TestDropPiece ./connect4
-
-# Test a package
-go test ./connect4/...
-```
-
-Use `testutil.SetupTestDB()` for tests requiring database access.

Dockerfile

@@ -10,6 +10,11 @@ COPY go.mod go.sum ./
 RUN go mod download
 
 COPY . .
+
+RUN --mount=type=secret,id=vendor_token \
+    VENDOR_TOKEN=$(cat /run/secrets/vendor_token) \
+    go run cmd/downloader/main.go
+
 RUN go tool templ generate
 RUN go tool gotailwind -i assets/css/input.css -o assets/css/output.css --minify
 RUN --mount=type=cache,target=/root/.cache/go-build \

Taskfile.yml

@@ -2,9 +2,12 @@ version: "3"
 
 tasks:
   download:
-    desc: Download latest client-side libs
+    desc: Download pinned client-side libs
     cmds:
       - go run cmd/downloader/main.go
+    status:
+      - test -f assets/js/datastar/datastar.js
+      - test -f assets/css/daisyui/daisyui.js
 
   build:templ:
     desc: Compile .templ files to Go
@@ -31,6 +34,7 @@ tasks:
     cmds:
       - go build -o bin/games .
     deps:
+      - download
       - build:templ
       - build:styles
 
@@ -58,6 +62,7 @@ tasks:
   live:
     desc: Dev mode with hot-reload
     deps:
+      - download
       - live:templ
       - live:styles
       - live:server

assets/css/input.css

@@ -1,8 +1,8 @@
 @import 'tailwindcss';
 
-@source not "./daisyui{,*}.mjs";
+@source not "./daisyui/daisyui{,*}.js";
-@plugin "./daisyui.mjs";
+@plugin "./daisyui/daisyui.js";
-@plugin "./daisyui-theme.mjs" {
+@plugin "./daisyui/daisyui-theme.js" {
   name: "stealth";
   default: true;
   color-scheme: light;

assets/js/README.md

@@ -0,0 +1 @@
+Downloaded by cmd/downloader at build time.

cmd/downloader/main.go

@@ -1,30 +1,20 @@
 package main
 
 import (
+	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
 	"log/slog"
 	"net/http"
+	"net/url"
 	"os"
 	"path/filepath"
 	"sync"
-)
 
-// Asset directories, relative to project root.
+	"github.com/ryanhamamura/games/assets"
-const (
-	jsDir  = "assets/js"
-	cssDir = "assets/css"
 )
 
-// files maps download URLs to local destination paths.
-var files = map[string]string{
-	"https://raw.githubusercontent.com/starfederation/datastar/main/bundles/datastar.js":     jsDir + "/datastar.js",
-	"https://raw.githubusercontent.com/starfederation/datastar/main/bundles/datastar.js.map": jsDir + "/datastar.js.map",
-	"https://github.com/saadeghi/daisyui/releases/latest/download/daisyui.mjs":               cssDir + "/daisyui.mjs",
-	"https://github.com/saadeghi/daisyui/releases/latest/download/daisyui-theme.mjs":         cssDir + "/daisyui-theme.mjs",
-}
-
 func main() {
 	if err := run(); err != nil {
 		slog.Error("failure", "error", err)
@@ -32,16 +22,243 @@ func main() {
 	}
 }
 
+// Pinned dependency versions — update these to upgrade.
+const (
+	datastarVersion = "v1.0.0-RC.8" // Pro build — fetched from private Gitea repo
+	daisyuiVersion  = "v5.5.19"
+)
+
+// dependencies tracks pinned versions alongside their GitHub coordinates
+// so the version check can look up the latest release for each.
+var dependencies = []dependency{
+	{name: "datastar", owner: "starfederation", repo: "datastar", pinnedVersion: datastarVersion},
+	{name: "daisyui", owner: "saadeghi", repo: "daisyui", pinnedVersion: daisyuiVersion},
+}
+
+type dependency struct {
+	name          string
+	owner         string
+	repo          string
+	pinnedVersion string
+}
+
+// datastar-pro sources, in order of preference.
+const (
+	giteaRawURL       = "https://gitea.adriatica.io/ryan/vendor-libs/raw/branch/main/datastar/datastar.js"
+	localFallbackPath = "../optional/web/resources/static/datastar/datastar.js"
+)
+
 func run() error {
-	dirs := []string{jsDir, cssDir}
+	jsDir := assets.DirectoryPath + "/js/datastar"
+	cssDir := assets.DirectoryPath + "/css/daisyui"
 
-	for _, dir := range dirs {
+	daisyuiBase := "https://github.com/saadeghi/daisyui/releases/download/" + daisyuiVersion + "/"
-		if err := os.MkdirAll(dir, 0755); err != nil {
+
-			return fmt.Errorf("create directory %s: %w", dir, err)
+	downloads := map[string]string{
-		}
+		daisyuiBase + "daisyui.js":       cssDir + "/daisyui.js",
+		daisyuiBase + "daisyui-theme.js": cssDir + "/daisyui-theme.js",
 	}
 
-	return download(files)
+	directories := []string{jsDir, cssDir}
+
+	if err := removeDirectories(directories); err != nil {
+		return err
+	}
+
+	if err := createDirectories(directories); err != nil {
+		return err
+	}
+
+	if err := acquireDatastar(jsDir + "/datastar.js"); err != nil {
+		return err
+	}
+
+	if err := download(downloads); err != nil {
+		return err
+	}
+
+	checkForUpdates()
+
+	return nil
+}
+
+// acquireDatastar fetches datastar-pro from the private Gitea repo when
+// GITEA_TOKEN is set, otherwise copies from the local optional project.
+func acquireDatastar(dest string) error {
+	if token := os.Getenv("VENDOR_TOKEN"); token != "" {
+		slog.Info("downloading datastar-pro from private repo...")
+		return downloadWithAuth(giteaRawURL, dest, token)
+	}
+
+	slog.Info("copying datastar-pro from local fallback...", "src", localFallbackPath)
+	return copyFile(localFallbackPath, dest)
+}
+
+func copyFile(src, dest string) error {
+	in, err := os.Open(src) //nolint:gosec // paths are hardcoded constants
+	if err != nil {
+		return fmt.Errorf("open %s: %w", src, err)
+	}
+	defer in.Close() //nolint:errcheck
+
+	out, err := os.Create(dest) //nolint:gosec // paths are hardcoded constants
+	if err != nil {
+		return fmt.Errorf("create %s: %w", dest, err)
+	}
+
+	if _, err := io.Copy(out, in); err != nil {
+		out.Close() //nolint:errcheck
+		return fmt.Errorf("copy to %s: %w", dest, err)
+	}
+
+	if err := out.Close(); err != nil {
+		return fmt.Errorf("close %s: %w", dest, err)
+	}
+
+	return nil
+}
+
+func downloadWithAuth(rawURL, dest, token string) error {
+	req, err := http.NewRequest(http.MethodGet, rawURL, nil)
+	if err != nil {
+		return fmt.Errorf("create request for %s: %w", rawURL, err)
+	}
+	req.Header.Set("Authorization", "token "+token)
+
+	resp, err := http.DefaultClient.Do(req) //nolint:gosec // URL is built from compile-time constants
+	if err != nil {
+		return fmt.Errorf("GET %s: %w", rawURL, err)
+	}
+	defer resp.Body.Close() //nolint:errcheck
+
+	if resp.StatusCode != http.StatusOK {
+		return fmt.Errorf("GET %s: status %s", rawURL, resp.Status)
+	}
+
+	out, err := os.Create(dest) //nolint:gosec // paths are hardcoded constants
+	if err != nil {
+		return fmt.Errorf("create %s: %w", dest, err)
+	}
+
+	if _, err := io.Copy(out, resp.Body); err != nil {
+		out.Close() //nolint:errcheck
+		return fmt.Errorf("write %s: %w", dest, err)
+	}
+
+	if err := out.Close(); err != nil {
+		return fmt.Errorf("close %s: %w", dest, err)
+	}
+
+	return nil
+}
+
+// checkForUpdates queries the GitHub releases API for each dependency
+// and logs a notice if a newer version is available. Failures are
+// logged but never cause the download to fail.
+func checkForUpdates() {
+	var wg sync.WaitGroup
+
+	for _, dep := range dependencies {
+		wg.Go(func() {
+			latest, err := latestGitHubRelease(dep.owner, dep.repo)
+			if err != nil {
+				slog.Warn("could not check for updates", "dependency", dep.name, "error", err)
+				return
+			}
+
+			if latest != dep.pinnedVersion {
+				slog.Warn("newer version available",
+					"dependency", dep.name,
+					"pinned", dep.pinnedVersion,
+					"latest", latest,
+				)
+			}
+		})
+	}
+
+	wg.Wait()
+}
+
+// githubRelease is the minimal subset of the GitHub releases API response we need.
+type githubRelease struct {
+	TagName string `json:"tag_name"`
+}
+
+func latestGitHubRelease(owner, repo string) (string, error) {
+	u := &url.URL{
+		Scheme: "https",
+		Host:   "api.github.com",
+		Path:   fmt.Sprintf("/repos/%s/%s/releases/latest", owner, repo),
+	}
+
+	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
+	if err != nil {
+		return "", fmt.Errorf("creating request: %w", err)
+	}
+	req.Header.Set("Accept", "application/vnd.github+json")
+
+	resp, err := http.DefaultClient.Do(req) //nolint:gosec
+	if err != nil {
+		return "", fmt.Errorf("fetching release: %w", err)
+	}
+	defer resp.Body.Close() //nolint:errcheck
+
+	if resp.StatusCode != http.StatusOK {
+		return "", fmt.Errorf("unexpected status %s", resp.Status)
+	}
+
+	var release githubRelease
+	if err := json.NewDecoder(resp.Body).Decode(&release); err != nil {
+		return "", fmt.Errorf("decoding response: %w", err)
+	}
+
+	return release.TagName, nil
+}
+
+func removeDirectories(dirs []string) error {
+	var wg sync.WaitGroup
+	errCh := make(chan error, len(dirs))
+
+	for _, path := range dirs {
+		wg.Go(func() {
+			if err := os.RemoveAll(path); err != nil {
+				errCh <- fmt.Errorf("remove directory %s: %w", path, err)
+			}
+		})
+	}
+
+	wg.Wait()
+	close(errCh)
+
+	var errs []error
+	for err := range errCh {
+		errs = append(errs, err)
+	}
+
+	return errors.Join(errs...)
+}
+
+func createDirectories(dirs []string) error {
+	var wg sync.WaitGroup
+	errCh := make(chan error, len(dirs))
+
+	for _, path := range dirs {
+		wg.Go(func() {
+			if err := os.MkdirAll(path, 0755); err != nil {
+				errCh <- fmt.Errorf("create directory %s: %w", path, err)
+			}
+		})
+	}
+
+	wg.Wait()
+	close(errCh)
+
+	var errs []error
+	for err := range errCh {
+		errs = append(errs, err)
+	}
+
+	return errors.Join(errs...)
 }
 
 func download(files map[string]string) error {
@@ -71,15 +288,15 @@ func download(files map[string]string) error {
 	return errors.Join(errs...)
 }
 
-func downloadFile(url, dest string) error {
+func downloadFile(rawURL, dest string) error {
-	resp, err := http.Get(url) //nolint:gosec,noctx // static URLs, simple tool
+	resp, err := http.Get(rawURL) //nolint:gosec,noctx // static URLs, simple tool
 	if err != nil {
-		return fmt.Errorf("GET %s: %w", url, err)
+		return fmt.Errorf("GET %s: %w", rawURL, err)
 	}
 	defer resp.Body.Close() //nolint:errcheck
 
 	if resp.StatusCode != http.StatusOK {
-		return fmt.Errorf("GET %s: status %s", url, resp.Status)
+		return fmt.Errorf("GET %s: status %s", rawURL, resp.Status)
 	}
 
 	out, err := os.Create(dest) //nolint:gosec // paths are hardcoded constants

docker-compose.yml

@@ -5,6 +5,8 @@ services:
       args:
         VERSION: ${VERSION:-dev}
         COMMIT: ${COMMIT:-unknown}
+      secrets:
+        - vendor_token
     container_name: games
     restart: unless-stopped
     ports:
@@ -16,3 +18,7 @@ services:
       - PORT=8080
     volumes:
       - ./data:/data
+
+secrets:
+  vendor_token:
+    environment: VENDOR_TOKEN

features/auth/handlers.go

@@ -3,10 +3,10 @@ package auth
 import (
 	"database/sql"
 	"net/http"
+	"net/url"
 
 	"github.com/alexedwards/scs/v2"
 	"github.com/google/uuid"
-	"github.com/starfederation/datastar-go/datastar"
 
 	"github.com/ryanhamamura/games/auth"
 	"github.com/ryanhamamura/games/db/repository"
@@ -14,20 +14,15 @@ import (
 	appsessions "github.com/ryanhamamura/games/sessions"
 )
 
-type LoginSignals struct {
+func HandleLoginPage(sessions *scs.SessionManager) http.HandlerFunc {
-	Username string `json:"username"`
-	Password string `json:"password"` //nolint:gosec // form input, not stored
-}
-
-type RegisterSignals struct {
-	Username string `json:"username"`
-	Password string `json:"password"` //nolint:gosec // form input, not stored
-	Confirm  string `json:"confirm"`
-}
-
-func HandleLoginPage() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		if err := pages.LoginPage().Render(r.Context(), w); err != nil {
+		// Capture return_url so we can redirect back after login
+		if returnURL := r.URL.Query().Get("return_url"); returnURL != "" {
+			sessions.Put(r.Context(), "return_url", returnURL)
+		}
+
+		errorMsg := r.URL.Query().Get("error")
+		if err := pages.LoginPage(errorMsg).Render(r.Context(), w); err != nil {
 			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 		}
 	}
@@ -35,7 +30,8 @@ func HandleLoginPage() http.HandlerFunc {
 
 func HandleRegisterPage() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		if err := pages.RegisterPage().Render(r.Context(), w); err != nil {
+		errorMsg := r.URL.Query().Get("error")
+		if err := pages.RegisterPage(errorMsg).Render(r.Context(), w); err != nil {
 			http.Error(w, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
 		}
 	}
@@ -43,25 +39,21 @@ func HandleRegisterPage() http.HandlerFunc {
 
 func HandleLogin(queries *repository.Queries, sessions *scs.SessionManager) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		var signals LoginSignals
+		r.Body = http.MaxBytesReader(w, r.Body, 1024)
-		if err := datastar.ReadSignals(r, &signals); err != nil {
+		username := r.FormValue("username")
-			http.Error(w, err.Error(), http.StatusBadRequest)
+		password := r.FormValue("password")
-			return
-		}
 
-		sse := datastar.NewSSE(w, r)
+		user, err := queries.GetUserByUsername(r.Context(), username)
-
-		user, err := queries.GetUserByUsername(r.Context(), signals.Username)
 		if err == sql.ErrNoRows {
-			sse.MarshalAndPatchSignals(map[string]any{"error": "Invalid username or password"}) //nolint:errcheck
+			http.Redirect(w, r, "/login?error="+url.QueryEscape("Invalid username or password"), http.StatusSeeOther)
 			return
 		}
 		if err != nil {
-			sse.MarshalAndPatchSignals(map[string]any{"error": "An error occurred"}) //nolint:errcheck
+			http.Redirect(w, r, "/login?error="+url.QueryEscape("An error occurred"), http.StatusSeeOther)
 			return
 		}
-		if !auth.CheckPassword(signals.Password, user.PasswordHash) {
+		if !auth.CheckPassword(password, user.PasswordHash) {
-			sse.MarshalAndPatchSignals(map[string]any{"error": "Invalid username or password"}) //nolint:errcheck
+			http.Redirect(w, r, "/login?error="+url.QueryEscape("Invalid username or password"), http.StatusSeeOther)
 			return
 		}
 
@@ -76,46 +68,43 @@ func HandleLogin(queries *repository.Queries, sessions *scs.SessionManager) http
 			redirectURL = returnURL
 		}
 
-		sse.Redirect(redirectURL) //nolint:errcheck
+		http.Redirect(w, r, redirectURL, http.StatusSeeOther)
 	}
 }
 
 func HandleRegister(queries *repository.Queries, sessions *scs.SessionManager) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		var signals RegisterSignals
+		r.Body = http.MaxBytesReader(w, r.Body, 1024)
-		if err := datastar.ReadSignals(r, &signals); err != nil {
+		username := r.FormValue("username")
-			http.Error(w, err.Error(), http.StatusBadRequest)
+		password := r.FormValue("password")
+		confirm := r.FormValue("confirm")
+
+		if err := auth.ValidateUsername(username); err != nil {
+			http.Redirect(w, r, "/register?error="+url.QueryEscape(err.Error()), http.StatusSeeOther)
+			return
+		}
+		if err := auth.ValidatePassword(password); err != nil {
+			http.Redirect(w, r, "/register?error="+url.QueryEscape(err.Error()), http.StatusSeeOther)
+			return
+		}
+		if password != confirm {
+			http.Redirect(w, r, "/register?error="+url.QueryEscape("Passwords do not match"), http.StatusSeeOther)
 			return
 		}
 
-		sse := datastar.NewSSE(w, r)
+		hash, err := auth.HashPassword(password)
-
-		if err := auth.ValidateUsername(signals.Username); err != nil {
-			sse.MarshalAndPatchSignals(map[string]any{"error": err.Error()}) //nolint:errcheck
-			return
-		}
-		if err := auth.ValidatePassword(signals.Password); err != nil {
-			sse.MarshalAndPatchSignals(map[string]any{"error": err.Error()}) //nolint:errcheck
-			return
-		}
-		if signals.Password != signals.Confirm {
-			sse.MarshalAndPatchSignals(map[string]any{"error": "Passwords do not match"}) //nolint:errcheck
-			return
-		}
-
-		hash, err := auth.HashPassword(signals.Password)
 		if err != nil {
-			sse.MarshalAndPatchSignals(map[string]any{"error": "An error occurred"}) //nolint:errcheck
+			http.Redirect(w, r, "/register?error="+url.QueryEscape("An error occurred"), http.StatusSeeOther)
 			return
 		}
 
 		user, err := queries.CreateUser(r.Context(), repository.CreateUserParams{
 			ID:           uuid.New().String(),
-			Username:     signals.Username,
+			Username:     username,
 			PasswordHash: hash,
 		})
 		if err != nil {
-			sse.MarshalAndPatchSignals(map[string]any{"error": "Username already taken"}) //nolint:errcheck
+			http.Redirect(w, r, "/register?error="+url.QueryEscape("Username already taken"), http.StatusSeeOther)
 			return
 		}
 
@@ -130,6 +119,6 @@ func HandleRegister(queries *repository.Queries, sessions *scs.SessionManager) h
 			redirectURL = returnURL
 		}
 
-		sse.Redirect(redirectURL) //nolint:errcheck
+		http.Redirect(w, r, redirectURL, http.StatusSeeOther)
 	}
 }

features/auth/handlers_test.go

@@ -0,0 +1,351 @@
+package auth_test
+
+import (
+	"context"
+	"database/sql"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+	"testing"
+
+	"github.com/alexedwards/scs/v2"
+	"github.com/google/uuid"
+
+	"github.com/ryanhamamura/games/auth"
+	"github.com/ryanhamamura/games/db/repository"
+	featauth "github.com/ryanhamamura/games/features/auth"
+	"github.com/ryanhamamura/games/features/lobby"
+	appsessions "github.com/ryanhamamura/games/sessions"
+	"github.com/ryanhamamura/games/testutil"
+)
+
+// sessionCookieName is the default SCS cookie name used in tests.
+const sessionCookieName = "session"
+
+type testSetup struct {
+	db      *sql.DB
+	queries *repository.Queries
+	sm      *scs.SessionManager
+}
+
+func (s *testSetup) ctx() context.Context {
+	return context.Background()
+}
+
+func newTestSetup(t *testing.T) *testSetup {
+	t.Helper()
+	db, queries := testutil.NewTestDB(t)
+	sm := testutil.NewTestSessionManager(t, db)
+	return &testSetup{db: db, queries: queries, sm: sm}
+}
+
+// createTestUser inserts a user into the test database and returns the user ID.
+func createTestUser(t *testing.T, setup *testSetup, username, password string) string {
+	t.Helper()
+	hash, err := auth.HashPassword(password)
+	if err != nil {
+		t.Fatalf("hashing password: %v", err)
+	}
+	id := uuid.New().String()
+	_, err = setup.queries.CreateUser(setup.ctx(), repository.CreateUserParams{
+		ID:           id,
+		Username:     username,
+		PasswordHash: hash,
+	})
+	if err != nil {
+		t.Fatalf("creating test user: %v", err)
+	}
+	return id
+}
+
+// postForm sends a POST request with form-encoded body through the session middleware,
+// forwarding any cookies from a previous response.
+func postForm(handler http.Handler, path string, values url.Values, cookies []*http.Cookie) *httptest.ResponseRecorder {
+	body := strings.NewReader(values.Encode())
+	req := httptest.NewRequest(http.MethodPost, path, body)
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+	return rec
+}
+
+// getPage sends a GET request through the session middleware, forwarding cookies.
+func getPage(handler http.Handler, path string, cookies []*http.Cookie) *httptest.ResponseRecorder {
+	req := httptest.NewRequest(http.MethodGet, path, nil)
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+	return rec
+}
+
+// extractSessionValue makes a GET request with the given cookies to a test endpoint
+// that reads a session value, verifying the session was persisted correctly.
+func extractSessionValue(t *testing.T, setup *testSetup, cookies []*http.Cookie, key string) string {
+	t.Helper()
+	var value string
+	handler := setup.sm.LoadAndSave(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		value = setup.sm.GetString(r.Context(), key)
+	}))
+	req := httptest.NewRequest(http.MethodGet, "/check-session", nil)
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}
+	rec := httptest.NewRecorder()
+	handler.ServeHTTP(rec, req)
+	if rec.Code != http.StatusOK {
+		t.Fatalf("session check returned %d", rec.Code)
+	}
+	return value
+}
+
+func TestHandleLogin_Success(t *testing.T) {
+	setup := newTestSetup(t)
+	createTestUser(t, setup, "alice", "password123")
+
+	handler := setup.sm.LoadAndSave(featauth.HandleLogin(setup.queries, setup.sm))
+	rec := postForm(handler, "/auth/login", url.Values{
+		"username": {"alice"},
+		"password": {"password123"},
+	}, nil)
+
+	if rec.Code != http.StatusSeeOther {
+		t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
+	}
+	if loc := rec.Header().Get("Location"); loc != "/" {
+		t.Errorf("expected redirect to /, got %q", loc)
+	}
+
+	// Verify the response sets a session cookie
+	cookies := rec.Result().Cookies()
+	if !hasCookie(cookies, sessionCookieName) {
+		t.Fatal("response did not set a session cookie")
+	}
+
+	// Verify session contains user data by reading it back
+	userID := extractSessionValue(t, setup, cookies, appsessions.KeyUserID)
+	if userID == "" {
+		t.Error("session does not contain user_id after login")
+	}
+	nickname := extractSessionValue(t, setup, cookies, appsessions.KeyNickname)
+	if nickname != "alice" {
+		t.Errorf("expected nickname %q, got %q", "alice", nickname)
+	}
+}
+
+func TestHandleLogin_InvalidPassword(t *testing.T) {
+	setup := newTestSetup(t)
+	createTestUser(t, setup, "alice", "password123")
+
+	handler := setup.sm.LoadAndSave(featauth.HandleLogin(setup.queries, setup.sm))
+	rec := postForm(handler, "/auth/login", url.Values{
+		"username": {"alice"},
+		"password": {"wrongpassword"},
+	}, nil)
+
+	if rec.Code != http.StatusSeeOther {
+		t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
+	}
+	loc := rec.Header().Get("Location")
+	if !strings.HasPrefix(loc, "/login?error=") {
+		t.Errorf("expected redirect to /login?error=..., got %q", loc)
+	}
+}
+
+func TestHandleLogin_UnknownUser(t *testing.T) {
+	setup := newTestSetup(t)
+
+	handler := setup.sm.LoadAndSave(featauth.HandleLogin(setup.queries, setup.sm))
+	rec := postForm(handler, "/auth/login", url.Values{
+		"username": {"nonexistent"},
+		"password": {"password123"},
+	}, nil)
+
+	if rec.Code != http.StatusSeeOther {
+		t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
+	}
+	loc := rec.Header().Get("Location")
+	if !strings.HasPrefix(loc, "/login?error=") {
+		t.Errorf("expected redirect to /login?error=..., got %q", loc)
+	}
+}
+
+func TestHandleLogin_ReturnURL(t *testing.T) {
+	setup := newTestSetup(t)
+	createTestUser(t, setup, "alice", "password123")
+
+	// First, visit the login page with a return_url to store it in the session
+	loginPageHandler := setup.sm.LoadAndSave(featauth.HandleLoginPage(setup.sm))
+	pageRec := getPage(loginPageHandler, "/login?return_url=/games/abc", nil)
+	cookies := pageRec.Result().Cookies()
+
+	// Now log in with those cookies so the handler can read return_url from session
+	loginHandler := setup.sm.LoadAndSave(featauth.HandleLogin(setup.queries, setup.sm))
+	rec := postForm(loginHandler, "/auth/login", url.Values{
+		"username": {"alice"},
+		"password": {"password123"},
+	}, cookies)
+
+	if rec.Code != http.StatusSeeOther {
+		t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
+	}
+	if loc := rec.Header().Get("Location"); loc != "/games/abc" {
+		t.Errorf("expected redirect to /games/abc, got %q", loc)
+	}
+}
+
+func TestHandleRegister_Success(t *testing.T) {
+	setup := newTestSetup(t)
+
+	handler := setup.sm.LoadAndSave(featauth.HandleRegister(setup.queries, setup.sm))
+	rec := postForm(handler, "/auth/register", url.Values{
+		"username": {"newuser"},
+		"password": {"password123"},
+		"confirm":  {"password123"},
+	}, nil)
+
+	if rec.Code != http.StatusSeeOther {
+		t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
+	}
+	if loc := rec.Header().Get("Location"); loc != "/" {
+		t.Errorf("expected redirect to /, got %q", loc)
+	}
+
+	cookies := rec.Result().Cookies()
+	if !hasCookie(cookies, sessionCookieName) {
+		t.Fatal("response did not set a session cookie")
+	}
+
+	userID := extractSessionValue(t, setup, cookies, appsessions.KeyUserID)
+	if userID == "" {
+		t.Error("session does not contain user_id after registration")
+	}
+}
+
+func TestHandleRegister_PasswordMismatch(t *testing.T) {
+	setup := newTestSetup(t)
+
+	handler := setup.sm.LoadAndSave(featauth.HandleRegister(setup.queries, setup.sm))
+	rec := postForm(handler, "/auth/register", url.Values{
+		"username": {"newuser"},
+		"password": {"password123"},
+		"confirm":  {"differentpassword"},
+	}, nil)
+
+	if rec.Code != http.StatusSeeOther {
+		t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
+	}
+	loc := rec.Header().Get("Location")
+	if !strings.Contains(loc, "Passwords+do+not+match") {
+		t.Errorf("expected error about password mismatch, got %q", loc)
+	}
+}
+
+func TestHandleRegister_InvalidUsername(t *testing.T) {
+	setup := newTestSetup(t)
+
+	handler := setup.sm.LoadAndSave(featauth.HandleRegister(setup.queries, setup.sm))
+	rec := postForm(handler, "/auth/register", url.Values{
+		"username": {"ab"}, // too short
+		"password": {"password123"},
+		"confirm":  {"password123"},
+	}, nil)
+
+	if rec.Code != http.StatusSeeOther {
+		t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
+	}
+	loc := rec.Header().Get("Location")
+	if !strings.HasPrefix(loc, "/register?error=") {
+		t.Errorf("expected redirect to /register?error=..., got %q", loc)
+	}
+}
+
+func TestHandleRegister_ShortPassword(t *testing.T) {
+	setup := newTestSetup(t)
+
+	handler := setup.sm.LoadAndSave(featauth.HandleRegister(setup.queries, setup.sm))
+	rec := postForm(handler, "/auth/register", url.Values{
+		"username": {"validuser"},
+		"password": {"short"},
+		"confirm":  {"short"},
+	}, nil)
+
+	if rec.Code != http.StatusSeeOther {
+		t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
+	}
+	loc := rec.Header().Get("Location")
+	if !strings.HasPrefix(loc, "/register?error=") {
+		t.Errorf("expected redirect to /register?error=..., got %q", loc)
+	}
+}
+
+func TestHandleRegister_DuplicateUsername(t *testing.T) {
+	setup := newTestSetup(t)
+	createTestUser(t, setup, "taken", "password123")
+
+	handler := setup.sm.LoadAndSave(featauth.HandleRegister(setup.queries, setup.sm))
+	rec := postForm(handler, "/auth/register", url.Values{
+		"username": {"taken"},
+		"password": {"password123"},
+		"confirm":  {"password123"},
+	}, nil)
+
+	if rec.Code != http.StatusSeeOther {
+		t.Errorf("expected status %d, got %d", http.StatusSeeOther, rec.Code)
+	}
+	loc := rec.Header().Get("Location")
+	if !strings.Contains(loc, "Username+already+taken") {
+		t.Errorf("expected error about duplicate username, got %q", loc)
+	}
+}
+
+func TestHandleLogout(t *testing.T) {
+	setup := newTestSetup(t)
+	createTestUser(t, setup, "alice", "password123")
+
+	// Log in first to establish a session
+	loginHandler := setup.sm.LoadAndSave(featauth.HandleLogin(setup.queries, setup.sm))
+	loginRec := postForm(loginHandler, "/auth/login", url.Values{
+		"username": {"alice"},
+		"password": {"password123"},
+	}, nil)
+	cookies := loginRec.Result().Cookies()
+
+	// Verify we're logged in
+	userID := extractSessionValue(t, setup, cookies, appsessions.KeyUserID)
+	if userID == "" {
+		t.Fatal("expected to be logged in before testing logout")
+	}
+
+	// Now log out
+	logoutHandler := setup.sm.LoadAndSave(lobby.HandleLogout(setup.sm))
+	logoutRec := postForm(logoutHandler, "/logout", nil, cookies)
+
+	if logoutRec.Code != http.StatusSeeOther {
+		t.Errorf("expected status %d, got %d", http.StatusSeeOther, logoutRec.Code)
+	}
+	if loc := logoutRec.Header().Get("Location"); loc != "/" {
+		t.Errorf("expected redirect to /, got %q", loc)
+	}
+
+	// Verify session is cleared — use the cookies from the logout response
+	logoutCookies := logoutRec.Result().Cookies()
+	userID = extractSessionValue(t, setup, logoutCookies, appsessions.KeyUserID)
+	if userID != "" {
+		t.Errorf("expected empty user_id after logout, got %q", userID)
+	}
+}
+
+func hasCookie(cookies []*http.Cookie, name string) bool {
+	for _, c := range cookies {
+		if c.Name == name {
+			return true
+		}
+	}
+	return false
+}

features/auth/pages/login.templ

@@ -1,45 +1,39 @@
 package pages
 
-import (
+import "github.com/ryanhamamura/games/features/common/layouts"
-	"github.com/ryanhamamura/games/features/common/layouts"
-	"github.com/starfederation/datastar-go/datastar"
-)
 
-templ LoginPage() {
+templ LoginPage(errorMsg string) {
 	@layouts.Base("Login") {
-		<main class="max-w-sm mx-auto mt-8 text-center" data-signals="{username: '', password: '', error: ''}">
+		<main class="max-w-sm mx-auto mt-8 text-center">
 			<h1 class="text-3xl font-bold">Login</h1>
 			<p class="mb-4">Sign in to your account</p>
-			<div data-show="$error != ''" class="alert alert-error mb-4" data-text="$error"></div>
+			if errorMsg != "" {
-			<div>
+				<div class="alert alert-error mb-4">{ errorMsg }</div>
+			}
+			<form method="POST" action="/auth/login">
 				<fieldset class="fieldset">
 					<label class="label" for="username">Username</label>
 					<input
 						class="input input-bordered w-full"
 						id="username"
+						name="username"
 						type="text"
 						placeholder="Enter your username"
-					data-bind="username"
-					data-on:keydown={ "evt.key === 'Enter' && " + datastar.PostSSE("/auth/login") }
 						autofocus
 					/>
 					<label class="label" for="password">Password</label>
 					<input
 						class="input input-bordered w-full"
 						id="password"
+						name="password"
 						type="password"
 						placeholder="Enter your password"
-						data-bind="password"
-						data-on:keydown={ "evt.key === 'Enter' && " + datastar.PostSSE("/auth/login") }
 					/>
 				</fieldset>
-				<button
+				<button type="submit" class="btn btn-primary w-full">
-					class="btn btn-primary w-full"
-					data-on:click={ datastar.PostSSE("/auth/login") }
-				>
 					Login
 				</button>
-			</div>
+			</form>
 			<p>
 				Don't have an account? <a class="link" href="/register">Register</a>
 			</p>

features/auth/pages/register.templ

@@ -1,54 +1,47 @@
 package pages
 
-import (
+import "github.com/ryanhamamura/games/features/common/layouts"
-	"github.com/ryanhamamura/games/features/common/layouts"
-	"github.com/starfederation/datastar-go/datastar"
-)
 
-templ RegisterPage() {
+templ RegisterPage(errorMsg string) {
 	@layouts.Base("Register") {
-		<main class="max-w-sm mx-auto mt-8 text-center" data-signals="{username: '', password: '', confirm: '', error: ''}">
+		<main class="max-w-sm mx-auto mt-8 text-center">
 			<h1 class="text-3xl font-bold">Register</h1>
 			<p class="mb-4">Create a new account</p>
-			<div data-show="$error != ''" class="alert alert-error mb-4" data-text="$error"></div>
+			if errorMsg != "" {
-			<div>
+				<div class="alert alert-error mb-4">{ errorMsg }</div>
+			}
+			<form method="POST" action="/auth/register">
 				<fieldset class="fieldset">
 					<label class="label" for="username">Username</label>
 					<input
 						class="input input-bordered w-full"
 						id="username"
+						name="username"
 						type="text"
 						placeholder="Choose a username"
-					data-bind="username"
-					data-on:keydown={ "evt.key === 'Enter' && " + datastar.PostSSE("/auth/register") }
 						autofocus
 					/>
 					<label class="label" for="password">Password</label>
 					<input
 						class="input input-bordered w-full"
 						id="password"
+						name="password"
 						type="password"
 						placeholder="Choose a password (min 8 chars)"
-					data-bind="password"
-					data-on:keydown={ "evt.key === 'Enter' && " + datastar.PostSSE("/auth/register") }
 					/>
 					<label class="label" for="confirm">Confirm Password</label>
 					<input
 						class="input input-bordered w-full"
 						id="confirm"
+						name="confirm"
 						type="password"
 						placeholder="Confirm your password"
-						data-bind="confirm"
-						data-on:keydown={ "evt.key === 'Enter' && " + datastar.PostSSE("/auth/register") }
 					/>
 				</fieldset>
-				<button
+				<button type="submit" class="btn btn-primary w-full">
-					class="btn btn-primary w-full"
-					data-on:click={ datastar.PostSSE("/auth/register") }
-				>
 					Register
 				</button>
-			</div>
+			</form>
 			<p>
 				Already have an account? <a class="link" href="/login">Login</a>
 			</p>

features/auth/routes.go

@@ -9,7 +9,7 @@ import (
 )
 
 func SetupRoutes(router chi.Router, queries *repository.Queries, sessions *scs.SessionManager) {
-	router.Get("/login", HandleLoginPage())
+	router.Get("/login", HandleLoginPage(sessions))
 	router.Get("/register", HandleRegisterPage())
 	router.Post("/auth/login", HandleLogin(queries, sessions))
 	router.Post("/auth/register", HandleRegister(queries, sessions))

features/c4game/pages/game.templ

@@ -24,7 +24,7 @@ templ GamePage(g *connect4.Game, myColor int, messages []chat.Message, chatCfg c
 }
 
 templ GameContent(g *connect4.Game, myColor int, messages []chat.Message, chatCfg chatcomponents.Config) {
-	<div id="game-content">
+	<div id="game-content" class="flex flex-col items-center gap-4">
 		@sharedcomponents.LiveClock()
 		@sharedcomponents.BackToLobby()
 		@sharedcomponents.StealthTitle("text-3xl font-bold")

features/common/layouts/base.templ

@@ -12,7 +12,7 @@ templ Base(title string) {
 		<head>
 			<title>{ title }</title>
 			<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1, user-scalable=0"/>
-			<script defer type="module" src={ assets.StaticPath("js/datastar.js") }></script>
+			<script defer type="module" src={ assets.StaticPath("js/datastar/datastar.js") }></script>
 			<link href={ assets.StaticPath("css/output.css") } rel="stylesheet" type="text/css"/>
 		</head>
 		<body class="flex flex-col h-screen">

features/lobby/handlers.go

@@ -171,7 +171,6 @@ func HandleLogout(sessions *scs.SessionManager) http.HandlerFunc {
 			return
 		}
 
-		sse := datastar.NewSSE(w, r)
+		http.Redirect(w, r, "/", http.StatusSeeOther)
-		sse.ExecuteScript("window.location.href='/'") //nolint:errcheck
 	}
 }

features/lobby/pages/lobby.templ

@@ -20,13 +20,11 @@ templ LobbyPage(data LobbyData) {
 			if data.IsLoggedIn {
 				<div class="flex justify-center items-center gap-4 mb-4 p-2 bg-base-200 rounded-lg">
 					<span>Logged in as <strong>{ data.Username }</strong></span>
-					<button
+					<form method="POST" action="/logout" class="inline">
-						type="button"
+						<button type="submit" class="btn btn-ghost btn-sm">
-						class="btn btn-ghost btn-sm"
-						data-on:click={ datastar.PostSSE("/logout") }
-					>
 							Logout
 						</button>
+					</form>
 				</div>
 			} else {
 				<div class="alert text-sm mb-4">

features/snakegame/pages/game.templ

@@ -43,7 +43,7 @@ templ GamePage(sg *snake.SnakeGame, mySlot int, messages []chat.Message, chatCfg
 }
 
 templ GameContent(sg *snake.SnakeGame, mySlot int, messages []chat.Message, chatCfg chatcomponents.Config, gameID string) {
-	<div id="game-content">
+	<div id="game-content" class="flex flex-col items-center gap-4">
 		@components.LiveClock()
 		@components.BackToLobby()
 		<h1 class="text-3xl font-bold">~~~~</h1>