Make the server act like an API

2016-11-17 02:06:00 +01:00 · 2016-11-17 02:06:00 +01:00 · 06837a8776
commit 06837a8776
parent 466c3f4295
23 changed files with 200 additions and 1028 deletions
--- a/config.yml.exemple
+++ b/config.yml.exemple
@ -1,11 +1,9 @@
 authorizer:
-  cookie_name: auth
+  secret: my_secret_app_key
  cookie_key: mysecretkey
  pepper: pepper
  cost: 10
 pgdsn: postgres://test:test@127.0.0.1:5432/dev?sslmode=disable
 trakttv_client_id: my_trakttv_client_id
 tmdb_api_key: my_tmdb_key
 listen_port: 3000
 templates_dir: build/templates
 public_dir: build/public
--- a/src/internal/auth/auth.go
+++ b/src/internal/auth/auth.go
@ -3,8 +3,10 @@ package auth
 import (
 	"fmt"
 	"net/http"
 	"strings"
 	jwt "github.com/dgrijalva/jwt-go"
 	"github.com/gorilla/sessions"
 	"golang.org/x/crypto/bcrypt"
 )
@ -13,8 +15,8 @@ var (
 	ErrInvalidPassword = fmt.Errorf("Invalid password")
 	// ErrInvalidSecret returned when cookie's secret is don't match
 	ErrInvalidSecret = fmt.Errorf("Invalid secret")
-	// ErrCorrupted returned when session have been corrupted
+	// ErrInvalidToken returned when the jwt token is invalid
-	ErrCorrupted = fmt.Errorf("Corrupted session")
+	ErrInvalidToken = fmt.Errorf("Invalid token")
 )
 // UserBackend interface for user backend
@ -27,6 +29,7 @@ type User interface {
 	GetName() string
 	GetHash() string
 	HasRole(string) bool
 	IsAdmin() bool
 }
 // Authorizer handle sesssion
@ -36,11 +39,10 @@ type Authorizer struct {
 // Params for Authorizer creation
 type Params struct {
-	Backend    UserBackend
+	Backend UserBackend
-	Cookiejar  *sessions.CookieStore
+	Pepper  string
-	CookieName string
+	Cost    int
-	Pepper     string
+	Secret  string
 	Cost       int
 }
 // New Authorizer pepper is like a salt but not stored in database,
@ -60,112 +62,56 @@ func (a *Authorizer) GenHash(password string) (string, error) {
 	return string(b), nil
 }
-// Login cheks password and updates cookie info
+// Login cheks password and creates a jwt token
-func (a *Authorizer) Login(rw http.ResponseWriter, req *http.Request, username, password string) error {
+func (a *Authorizer) Login(rw http.ResponseWriter, req *http.Request, username, password string) (User, error) {
 	cookie, err := a.Cookiejar.Get(req, a.CookieName)
 	if err != nil {
 		return err
 	}
 	u, err := a.Backend.Get(username)
 	if err != nil {
-		return err
+		return nil, err
 	}
 	// Compare the password
 	err = bcrypt.CompareHashAndPassword([]byte(u.GetHash()), []byte(password+a.Pepper))
 	if err != nil {
-		return ErrInvalidPassword
+		return nil, ErrInvalidPassword
-	}
+	}
-
+
-	cookie.Values["username"] = username
+	return u, nil
-
+}
-	// genereate secret
+
-	b, err := bcrypt.GenerateFromPassword([]byte(u.GetHash()), a.Cost)
+// CurrentUser returns the logged in username from session and verifies the token
-	if err != nil {
+func (a *Authorizer) CurrentUser(rw http.ResponseWriter, req *http.Request) (User, error) {
-		return err
+	h := req.Header.Get("Authorization")
-	}
+	// No user logged
-	cookie.Values["secret"] = string(b)
+	if h == "" {
-
+		return nil, nil
-	err = cookie.Save(req, rw)
+	}
-	if err != nil {
+
-		return err
+	// Get the token from the header
-	}
+	tokenStr := strings.Replace(h, "Bearer ", "", -1)
-	return nil
+
-}
+	// Keyfunc to decode the token
-
+	var keyfunc jwt.Keyfunc = func(token *jwt.Token) (interface{}, error) {
-// RegenSecret update secret in cookie with user info, usefull when updating password
+		return []byte(a.Secret), nil
-func (a *Authorizer) RegenSecret(user User, w http.ResponseWriter, r *http.Request) error {
+	}
-	cookie, err := a.Cookiejar.Get(r, a.CookieName)
+
-	if err != nil {
+	var tokenClaims struct {
-		return err
+		Username string `json:"username"`
-	}
+		jwt.StandardClaims
-	// genereate secret
+	}
-	b, err := bcrypt.GenerateFromPassword([]byte(user.GetHash()), a.Cost)
+	token, err := jwt.ParseWithClaims(tokenStr, &tokenClaims, keyfunc)
-	if err != nil {
+	if err != nil {
-		return err
+		return nil, err
-	}
+	}
-	cookie.Values["secret"] = string(b)
+
-
+	// Check the token validity
-	err = cookie.Save(r, w)
+	if !token.Valid {
-	if err != nil {
+		return nil, ErrInvalidToken
-		return err
+	}
-	}
+
-	return nil
+	// Get the user
-}
+	u, err := a.Backend.Get(tokenClaims.Username)
-
+	if err != nil {
-// Logout remove cookie info
+		return nil, err
 func (a *Authorizer) Logout(rw http.ResponseWriter, req *http.Request) error {
 	cookie, err := a.Cookiejar.Get(req, a.CookieName)
 	if err != nil {
 		return err
 	}
 	cookie.Values["username"] = nil
 	cookie.Values["secret"] = nil
 	cookie.Options.MaxAge = -1 // kill the cookie
 	err = cookie.Save(req, rw)
 	if err != nil {
 		return err
 	}
 	return nil
 }
 // CurrentUser returns the logged in username from session
 func (a *Authorizer) CurrentUser(rw http.ResponseWriter, req *http.Request) (User, error) {
 	cookie, err := a.Cookiejar.Get(req, a.CookieName)
 	if err != nil {
 		return nil, err
 	}
 	if cookie.IsNew {
 		return nil, nil
 	}
 	usernameTmp := cookie.Values["username"]
 	if usernameTmp == nil {
 		return nil, nil
 	}
 	username, ok := usernameTmp.(string)
 	if !ok {
 		return nil, ErrCorrupted
 	}
 	u, err := a.Backend.Get(username)
 	if err != nil {
 		return nil, err
 	}
 	// Check secret
 	hash := u.GetHash()
 	secretTmp := cookie.Values["secret"]
 	if secretTmp == nil {
 		return nil, nil
 	}
 	secret, ok := secretTmp.(string)
 	if !ok {
 		return nil, ErrCorrupted
 	}
 	err = bcrypt.CompareHashAndPassword([]byte(secret), []byte(hash))
 	if err != nil {
 		return nil, ErrInvalidSecret
 	}
 	return u, nil
--- a/src/internal/auth/auth_test.go
+++ b/src/internal/auth/auth_test.go
@ -1,199 +0,0 @@
 package auth
 import (
 	"fmt"
 	"io/ioutil"
 	"net/http"
 	"net/http/cookiejar"
 	"net/http/httptest"
 	"testing"
 	"github.com/gorilla/mux"
 	"github.com/kr/pretty"
 )
 const (
 	pepper     = "polp"
 	ckey       = "plop"
 	cookieName = "auth"
 	cost       = 10
 	username = "plop"
 	password = "ploppwd"
 	hash     = "$2a$10$eVye8xbs6nj4TWnlTmifRuBsAU3F2hkxEcFz9WXdYjUuE6uKLVuzK"
 )
 type user struct {
 	username string
 	password string
 	hash     string
 }
 func (u *user) GetHash() string {
 	return u.hash
 }
 type Backend struct {
 	user *user
 }
 func (b *Backend) Get(username string) (User, error) {
 	if username == b.user.username {
 		return b.user, nil
 	}
 	return nil, fmt.Errorf("invalid username")
 }
 func getBackend() *Backend {
 	return &Backend{
 		user: &user{
 			username: username,
 			password: password,
 			hash:     hash,
 		},
 	}
 }
 func login(w http.ResponseWriter, r *http.Request) {
 	a := New(getBackend(), pepper, cookieName, ckey, cost)
 	err := a.Login(w, r, username, password)
 	if err != nil {
 		fmt.Fprintf(w, "%s", err)
 		w.WriteHeader(http.StatusInternalServerError)
 		return
 	}
 	w.WriteHeader(http.StatusOK)
 }
 func logout(w http.ResponseWriter, r *http.Request) {
 	a := New(getBackend(), pepper, cookieName, ckey, cost)
 	err := a.Logout(w, r)
 	if err != nil {
 		fmt.Fprintf(w, "%s", err)
 		w.WriteHeader(http.StatusInternalServerError)
 		return
 	}
 	w.WriteHeader(http.StatusOK)
 }
 func check(w http.ResponseWriter, r *http.Request) {
 	a := New(getBackend(), pepper, cookieName, key, cost)
 	u, err := a.CurrentUser(w, r)
 	if err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
 		fmt.Fprintf(w, "%s", err)
 		return
 	}
 	w.WriteHeader(http.StatusOK)
 	if u != nil {
 		usr, ok := u.(*user)
 		if !ok {
 			fmt.Fprintf(w, "Invalid user type")
 			return
 		}
 		fmt.Fprintf(w, "%s", usr.username)
 	}
 }
 func handlers() *mux.Router {
 	r := mux.NewRouter()
 	r.HandleFunc("/login", login).Methods("GET")
 	r.HandleFunc("/logout", logout).Methods("GET")
 	r.HandleFunc("/check", check).Methods("GET")
 	return r
 }
 func TestAuth(t *testing.T) {
 	ts := httptest.NewServer(handlers())
 	defer ts.Close()
 	cookieJar, _ := cookiejar.New(nil)
 	client := &http.Client{
 		Jar: cookieJar,
 	}
 	// Check no user logged in =
 	res, err := client.Get(ts.URL + "/check")
 	if err != nil {
 		t.Fatal(err)
 	}
 	body, err := ioutil.ReadAll(res.Body)
 	res.Body.Close()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if res.StatusCode != http.StatusOK {
 		t.Fatal(body)
 	}
 	if string(body) != "" {
 		t.Fatalf("No user logged in expected but found: %s", body)
 	}
 	// Login
 	res, err = client.Get(ts.URL + "/login")
 	if err != nil {
 		t.Fatal(err)
 	}
 	body, err = ioutil.ReadAll(res.Body)
 	res.Body.Close()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if res.StatusCode != http.StatusOK {
 		t.Fatal(string(body))
 	}
 	// Checks we are logged in
 	res, err = client.Get(ts.URL + "/check")
 	if err != nil {
 		t.Fatal(err)
 	}
 	body, err = ioutil.ReadAll(res.Body)
 	res.Body.Close()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if res.StatusCode != http.StatusOK {
 		pretty.Println(res.StatusCode)
 		t.Fatal(body)
 	}
 	if string(body) != username {
 		t.Fatalf("We expect be logged in as %s but we got: %s", username, body)
 	}
 	// Logout
 	res, err = client.Get(ts.URL + "/logout")
 	if err != nil {
 		t.Fatal(err)
 	}
 	body, err = ioutil.ReadAll(res.Body)
 	res.Body.Close()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if res.StatusCode != http.StatusOK {
 		t.Fatal(string(body))
 	}
 	// Check no username logged in anymore
 	res, err = client.Get(ts.URL + "/check")
 	if err != nil {
 		t.Fatal(err)
 	}
 	body, err = ioutil.ReadAll(res.Body)
 	res.Body.Close()
 	if err != nil {
 		t.Fatal(err)
 	}
 	if res.StatusCode != http.StatusOK {
 		t.Fatal(body)
 	}
 	if string(body) != "" {
 		t.Fatalf("No user logged in expected but found: %s", body)
 	}
 }
--- a/src/internal/auth/middleware.go
+++ b/src/internal/auth/middleware.go
@ -2,11 +2,8 @@ package auth
 import (
 	"context"
 	"fmt"
 	"net/http"
 	"gitlab.quimbo.fr/odwrtw/canape-sql/src/internal/data"
 	"github.com/Sirupsen/logrus"
 )
@ -27,13 +24,12 @@ func NewMiddleware(authorizer *Authorizer, log *logrus.Entry) *Middleware {
 func (m *Middleware) ServeHTTP(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
 	user, err := m.authorizer.CurrentUser(w, r)
 	if err != nil {
-		panic(err)
+		http.Error(w, err.Error(), http.StatusUnauthorized)
 		return
 	}
 	if user != nil {
-		name := user.GetName()
+		m.log.Debugf("setting user %s in the context", user.GetName())
 		m.log.Debugf("setting user %s in the context", name)
 		data.SetData(r, "user", user)
 	} else {
 		m.log.Debugf("got a nil user in the context")
 	}
@ -46,19 +42,17 @@ func (m *Middleware) ServeHTTP(w http.ResponseWriter, r *http.Request, next http
 // MiddlewareRole handles the role checking for the current user
 type MiddlewareRole struct {
-	authorizer      *Authorizer
+	authorizer *Authorizer
-	log             *logrus.Entry
+	log        *logrus.Entry
-	role            string
+	role       string
 	loginPageGetter func() string
 }
 // NewMiddlewareRole returns a new MiddlewareRole
-func NewMiddlewareRole(authorizer *Authorizer, log *logrus.Entry, loginPageGetter func() string, role string) *MiddlewareRole {
+func NewMiddlewareRole(authorizer *Authorizer, log *logrus.Entry, role string) *MiddlewareRole {
 	return &MiddlewareRole{
-		authorizer:      authorizer,
+		authorizer: authorizer,
-		log:             log.WithField("middleware", "role"),
+		log:        log.WithField("middleware", "role"),
-		role:            role,
+		role:       role,
 		loginPageGetter: loginPageGetter,
 	}
 }
@ -72,16 +66,8 @@ func (m *MiddlewareRole) ServeHTTP(w http.ResponseWriter, r *http.Request, next
 			m.log.Debug("user doesn't have the role")
 		}
-		cookie, err := m.authorizer.Cookiejar.Get(r, "rlogin")
+		// return unauthorized
-		if err != nil {
+		http.Error(w, "Invalid user role", http.StatusUnauthorized)
 			panic(err)
 		}
 		cookie.Values["redirect"] = r.URL.Path
 		err = cookie.Save(r, w)
 		if err != nil {
 			panic(err)
 		}
 		http.Redirect(w, r, m.loginPageGetter(), http.StatusTemporaryRedirect)
 		return
 	}
@ -90,30 +76,6 @@ func (m *MiddlewareRole) ServeHTTP(w http.ResponseWriter, r *http.Request, next
 	next(w, r)
 }
 // GetPostLoginRedirect returns the location of the page requested before the
 // users was redirected to the login page
 func GetPostLoginRedirect(a *Authorizer, w http.ResponseWriter, r *http.Request) (string, error) {
 	cookie, err := a.Cookiejar.Get(r, "rlogin")
 	if err != nil {
 		return "", err
 	}
 	val := cookie.Values["redirect"]
 	if val == nil {
 		return "", nil
 	}
 	path, ok := val.(string)
 	if !ok {
 		return "", fmt.Errorf("invalid redirect type")
 	}
 	cookie.Values["rlogin"] = ""
 	err = cookie.Save(r, w)
 	if err != nil {
 		return "", err
 	}
 	return path, nil
 }
 // GetCurrentUser gets the current user from the request context
 func GetCurrentUser(r *http.Request, log *logrus.Entry) User {
 	log.Debug("getting user from context")
--- a/src/internal/config/canape.go
+++ b/src/internal/config/canape.go
@ -15,7 +15,6 @@ type Config struct {
 	PGDSN           string           `yaml:"pgdsn"`
 	Port            string           `yaml:"listen_port"`
 	TraktTVClientID string           `yaml:"trakttv_client_id"`
 	TemplatesDir    string           `yaml:"templates_dir"`
 	PublicDir       string           `yaml:"public_dir"`
 	// TODO improve the detailers configurations
@ -24,10 +23,9 @@ type Config struct {
 }
 type AuthorizerConfig struct {
-	CookieName string `yaml:"cookie_name"`
+	Pepper string `yaml:"pepper"`
-	Key        string `yaml:"cookie_key"`
+	Cost   int    `yaml:"cost"`
-	Pepper     string `yaml:"pepper"`
+	Secret string `yaml:"secret"`
 	Cost       int    `yaml:"cost"`
 }
 func Load(path string) (*Config, error) {
--- a/src/internal/config/polochon.go
+++ b/src/internal/config/polochon.go
@ -2,6 +2,6 @@ package config
 // UserPolochon is polochon access parameter for a user
 type UserPolochon struct {
-	URL   string
+	URL   string `json:"url"`
-	Token string
+	Token string `json:"token"`
 }
--- a/src/internal/data/data.go
+++ b/src/internal/data/data.go
@ -1,42 +0,0 @@
 package data
 import (
 	"fmt"
 	"net/http"
 	"context"
 )
 type key int
 // dKey is key for access to response data in context
 const dKey key = 0
 // GetAllData  return response's data
 func GetAllData(r *http.Request) map[string]interface{} {
 	data := GetData(r, "data")
 	if data == nil {
 		data = make(map[string]interface{})
 	}
 	mapData, ok := data.(map[string]interface{})
 	if !ok {
 		fmt.Printf("something wrong with data")
 	}
 	// log.Printf("got all data %+v", mapData)
 	return mapData
 }
 // SetData sets some response's data for access in template
 func SetData(r *http.Request, key string, val interface{}) {
 	allData := GetAllData(r)
 	allData[key] = val
 	ctx := context.WithValue(r.Context(), "data", allData)
 	*r = *r.WithContext(ctx)
 	allData = GetAllData(r)
 }
 // GetData gets some response's data for access in template
 func GetData(r *http.Request, key string) interface{} {
 	return r.Context().Value(key)
 }
--- a/src/internal/movies/handlers.go
+++ b/src/internal/movies/handlers.go
@ -15,13 +15,14 @@ import (
 	"gitlab.quimbo.fr/odwrtw/canape-sql/src/internal/auth"
 	"gitlab.quimbo.fr/odwrtw/canape-sql/src/internal/config"
 	"gitlab.quimbo.fr/odwrtw/canape-sql/src/internal/data"
 	"gitlab.quimbo.fr/odwrtw/canape-sql/src/internal/users"
 	"gitlab.quimbo.fr/odwrtw/canape-sql/src/internal/web"
 )
 // ErrPolochonUnavailable is an error returned if the polochon server is not available
 var ErrPolochonUnavailable = fmt.Errorf("Invalid polochon address")
 // SortByTitle helps sort the movies
 type SortByTitle []*Movie
 func (a SortByTitle) Len() int           { return len(a) }
@ -115,18 +116,10 @@ func FromPolochon(env *web.Env, w http.ResponseWriter, r *http.Request) error {
 	if !ok {
 		return fmt.Errorf("invalid user type")
 	}
 	data.SetData(r, "user", user)
 	movies, err := getPolochonMovies(user)
 	if err != nil {
-		// Catch network error for accessing specified polochon address
+		return env.RenderError(w, err)
 		if err == ErrPolochonUnavailable {
 			data.SetData(r, "error", "Invalid address")
 			return env.Rends(w, r, "movies/library")
 		}
 		return err
 	}
 	var polochonConfig config.UserPolochon
@ -168,10 +161,10 @@ func FromPolochon(env *web.Env, w http.ResponseWriter, r *http.Request) error {
 	sort.Sort(smovies)
-	data.SetData(r, "movies", movies[params.Start:params.Start+params.Limit])
+	return env.RenderJSON(w, movies)
 	return env.Rends(w, r, "movies/library")
 }
 // ExplorePopular returns the popular movies
 func ExplorePopular(env *web.Env, w http.ResponseWriter, r *http.Request) error {
 	log := env.Log.WithField("function", "movies.ExplorePopular")
@ -206,7 +199,6 @@ func ExplorePopular(env *web.Env, w http.ResponseWriter, r *http.Request) error
 		movies = append(movies, movie)
 		ids = append(ids, m.IDs.ImDB)
 	}
 	data.SetData(r, "movies", movies)
-	return env.Rends(w, r, "movies/library")
+	return env.RenderJSON(w, movies)
 }
--- a/src/internal/users/handlers.go
+++ b/src/internal/users/handlers.go
@ -1,58 +1,43 @@
 package users
 import (
 	"encoding/json"
 	"fmt"
 	"net/http"
 	"time"
-	"github.com/gorilla/Schema"
+	jwt "github.com/dgrijalva/jwt-go"
 	"github.com/kr/pretty"
 	"gitlab.quimbo.fr/odwrtw/canape-sql/src/internal/auth"
 	"gitlab.quimbo.fr/odwrtw/canape-sql/src/internal/config"
 	"gitlab.quimbo.fr/odwrtw/canape-sql/src/internal/data"
 	"gitlab.quimbo.fr/odwrtw/canape-sql/src/internal/web"
 )
 func LoginGETHandler(e *web.Env, w http.ResponseWriter, r *http.Request) error {
 	return e.Rends(w, r, "users/login")
 }
 func SignupGETHandler(e *web.Env, w http.ResponseWriter, r *http.Request) error {
 	return e.Rends(w, r, "users/signup")
 }
 func SignupPOSTHandler(e *web.Env, w http.ResponseWriter, r *http.Request) error {
-	type newForm struct {
+	var data struct {
-		Username       string
+		Username        string `json:"username"`
-		Password       string
+		Password        string `json:"password"`
-		PasswordVerify string
+		PasswordConfirm string `json:"password_confirm"`
 	}
 	if err := json.NewDecoder(r.Body).Decode(&data); err != nil {
 		return err
 	}
 	e.Log.Debugf("creating new user ...")
-	err := r.ParseForm()
+	if data.Password == "" && data.PasswordConfirm != "" {
-	if err != nil {
+		return e.RenderError(w, fmt.Errorf("Empty password"))
 		return err
 	}
-	form := new(newForm)
+	if data.Password != data.PasswordConfirm {
-	decoder := schema.NewDecoder()
+		return e.RenderError(w, fmt.Errorf("Passwords missmatch"))
 	err = decoder.Decode(form, r.PostForm)
 	if err != nil {
 		return err
 	}
-	user := User{
+	user := User{Name: data.Username}
-		Name: form.Username,
+
-	}
+	var err error
-	if form.Password != "" || form.PasswordVerify != "" {
+	user.Hash, err = e.Auth.GenHash(data.Password)
-		if form.Password != form.PasswordVerify {
+	if err != nil {
-			data.SetData(r, "Errors", "Password mismatch")
+		return err
 			return e.Rends(w, r, "users/signup")
 		}
 		user.Hash, err = e.Auth.GenHash(form.Password)
 		if err != nil {
 			return err
 		}
 	}
 	err = user.NewConfig()
@ -60,75 +45,58 @@ func SignupPOSTHandler(e *web.Env, w http.ResponseWriter, r *http.Request) error
 		return err
 	}
-	err = user.Add(e.Database)
+	if err = user.Add(e.Database); err != nil {
 	if err != nil {
 		pretty.Println(err)
 		return err
 	}
-	e.Log.Debugf("new user %s created ...", form.Username)
+	e.Log.Debugf("new user %s created ...", data.Username)
-	err = e.Auth.Login(w, r, form.Username, form.Password)
+	return e.RenderOK(w, "User created")
 	if err != nil {
 		if err == auth.ErrInvalidPassword || err == ErrUnknownUser {
 			data.SetData(r, "Errors", "Error invalid user or password")
 			return e.Rends(w, r, "users/signup")
 		}
 		return err
 	}
 	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 	return nil
 }
 // LoginPOSTHandler handles the login proccess
 func LoginPOSTHandler(e *web.Env, w http.ResponseWriter, r *http.Request) error {
-	type loginForm struct {
+	var data struct {
-		Username string
+		Username string `json:"username"`
-		Password string
+		Password string `json:"password"`
 	}
-	err := r.ParseForm()
+	if err := json.NewDecoder(r.Body).Decode(&data); err != nil {
 	if err != nil {
 		return err
 	}
-	form := new(loginForm)
+	user, err := e.Auth.Login(w, r, data.Username, data.Password)
 	decoder := schema.NewDecoder()
 	err = decoder.Decode(form, r.PostForm)
 	if err != nil {
 		return err
 	}
 	err = e.Auth.Login(w, r, form.Username, form.Password)
 	if err != nil {
 		if err == auth.ErrInvalidPassword || err == ErrUnknownUser {
-			data.SetData(r, "Errors", "Error invalid user or password")
+			return e.RenderError(w, fmt.Errorf("Error invalid user or password"))
 			return e.Rends(w, r, "users/login")
 		}
 		return err
 	}
-	e.Log.Debug("logged")
+	e.Log.Debugf("logged %s", user.GetName())
-	path, err := auth.GetPostLoginRedirect(e.Auth, w, r)
+	// Create a jwt token
 	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
 		// Not before
 		"nbf": time.Now().Unix(),
 		// Issued at
 		"iat": time.Now().Unix(),
 		// Private claims
 		"username": user.GetName(),
 		"isAdmin":  user.IsAdmin(),
 	})
 	// Sign the token
 	ss, err := token.SignedString([]byte(e.Auth.Secret))
 	if err != nil {
 		return err
 	}
-	e.Log.Debugf("redirecting to %s", path)
+	var out = struct {
-	if path != "" {
+		Token string `json:"token"`
-		http.Redirect(w, r, path, http.StatusTemporaryRedirect)
+	}{
-		return nil
+		Token: ss,
 	}
 	e.Log.Debugf("got no path, redirecting to /")
 	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 	return nil
 }
-// LogoutHandler just logout
+	return e.RenderJSON(w, out)
 func LogoutHandler(e *web.Env, w http.ResponseWriter, r *http.Request) error {
 	e.Auth.Logout(w, r)
 	http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 	return nil
 }
 // DetailsHandler show user details
@ -145,8 +113,7 @@ func DetailsHandler(e *web.Env, w http.ResponseWriter, r *http.Request) error {
 		return err
 	}
-	data.SetData(r, "polochon", polochonConfig)
+	return e.RenderJSON(w, polochonConfig)
 	return e.Rends(w, r, "users/details")
 }
 // EditHandler allow editing user info and configuration
@ -156,70 +123,44 @@ func EditHandler(e *web.Env, w http.ResponseWriter, r *http.Request) error {
 	if !ok {
 		return fmt.Errorf("invalid user type")
 	}
-	var polochonConfig config.UserPolochon
+
-	err := user.GetConfig("polochon", &polochonConfig)
+	var data struct {
-	if err != nil {
+		PolochonURL     string `json:"polochon_url"`
 		PolochonToken   string `json:"polochon_token"`
 		Password        string `json:"password"`
 		PasswordConfirm string `json:"password_confirm"`
 	}
 	if err := json.NewDecoder(r.Body).Decode(&data); err != nil {
 		return err
 	}
-	if r.Method == "GET" {
+	if data.Password == "" && data.PasswordConfirm != "" {
-		data.SetData(r, "polochon", polochonConfig)
+		if data.Password != data.PasswordConfirm {
-		return e.Rends(w, r, "users/edit")
+			return e.RenderError(w, fmt.Errorf("Passwords empty or missmatch"))
 	}
 	type editForm struct {
 		PolochonURL    string
 		PolochonToken  string
 		Password       string
 		PasswordVerify string
 	}
 	err = r.ParseForm()
 	if err != nil {
 		return err
 	}
 	form := new(editForm)
 	decoder := schema.NewDecoder()
 	err = decoder.Decode(form, r.PostForm)
 	if err != nil {
 		return err
 	}
 	polochonConfig.URL = form.PolochonURL
 	polochonConfig.Token = form.PolochonToken
 	err = user.SetConfig("polochon", polochonConfig)
 	if err != nil {
 		return err
 	}
 	if form.Password != "" || form.PasswordVerify != "" {
 		if form.Password != form.PasswordVerify {
 			// TODO: manage form error
 		}
-		user.Hash, err = e.Auth.GenHash(form.Password)
+
 		// Update the user config
 		var err error
 		user.Hash, err = e.Auth.GenHash(data.Password)
 		if err != nil {
 			return err
 		}
 		if err := user.Update(e.Database); err != nil {
 			return err
 		}
 	}
-	err = user.Update(e.Database)
+	// Update the polochon config
-	if err != nil {
+	var polochonConfig config.UserPolochon
-		pretty.Println(err)
+	if err := user.GetConfig("polochon", &polochonConfig); err != nil {
 		return err
 	}
 	polochonConfig.URL = data.PolochonURL
 	polochonConfig.Token = data.PolochonToken
 	if err := user.SetConfig("polochon", polochonConfig); err != nil {
 		return err
 	}
-	err = e.Auth.RegenSecret(user, w, r)
+	return e.RenderOK(w, "user updated")
 	if err != nil {
 		return err
 	}
 	url, err := e.GetURL("users.details")
 	if err != nil {
 		return err
 	}
 	http.Redirect(w, r, url, http.StatusTemporaryRedirect)
 	return nil
 }
--- a/src/internal/users/users.go
+++ b/src/internal/users/users.go
@ -204,3 +204,7 @@ func (u *User) HasRole(role string) bool {
 	}
 	return true
 }
 func (u *User) IsAdmin() bool {
 	return u.HasRole(AdminRole)
 }
--- a/src/internal/web/env.go
+++ b/src/internal/web/env.go
@ -1,8 +1,6 @@
 package web
 import (
 	"fmt"
 	"gitlab.quimbo.fr/odwrtw/canape-sql/src/internal/auth"
 	"gitlab.quimbo.fr/odwrtw/canape-sql/src/internal/config"
@ -34,28 +32,14 @@ type EnvParams struct {
 // NewEnv returns a new *Env
 func NewEnv(p EnvParams) *Env {
-	e := &Env{
+	return &Env{
 		Database: p.Database,
 		Log:      p.Log,
 		Router:   mux.NewRouter(),
 		Auth:     p.Auth,
 		Config:   p.Config,
 		Render:   render.New(),
 	}
 	tmplFuncs = append(tmplFuncs, map[string]interface{}{
 		"URL": func(name string, pairs ...string) (string, error) {
 			return e.GetURL(name, pairs...)
 		},
 	})
 	e.Render = render.New(render.Options{
 		Directory: p.Config.TemplatesDir,
 		Layout:    "layout",
 		Funcs:     tmplFuncs,
 		DisableHTTPErrorRendering: true,
 		RequirePartials:           true,
 	})
 	return e
 }
 type Route struct {
@ -76,7 +60,7 @@ func (r *Route) Methods(methods ...string) *Route {
 func (r *Route) WithRole(role string) *Route {
 	handler := r.mRoute.GetHandler()
 	newHandler := negroni.New(
-		auth.NewMiddlewareRole(r.env.Auth, r.env.Log, r.env.GetLoginRouteGetter(), role),
+		auth.NewMiddlewareRole(r.env.Auth, r.env.Log, role),
 		negroni.Wrap(handler))
 	r.mRoute.Handler(newHandler)
 	return r
@ -90,39 +74,3 @@ func (e *Env) Handle(route string, H HandlerFunc) *Route {
 		mRoute: mRoute,
 	}
 }
 // GetURL returns URL string from URL name and params
 // Usefull for redirection and templates
 func (e *Env) GetURL(name string, pairs ...string) (string, error) {
 	route := e.Router.Get(name)
 	if route == nil {
 		return "", fmt.Errorf("No route find for the given name: %s", name)
 	}
 	URL, err := route.URL(pairs...)
 	if err != nil {
 		return "", err
 	}
 	return URL.String(), nil
 }
 // SetLoginRoute sets the route name of login page for further use
 // with GetLoginRouteGetter
 func (e *Env) SetLoginRoute(name string) error {
 	route, err := e.GetURL(name)
 	if err != nil {
 		return err
 	}
 	e.loginRoute = route
 	return nil
 }
 // GetLoginRouteGetter allow some code parts like middleware access
 // to login route name
 func (e *Env) GetLoginRouteGetter() func() string {
 	return func() string {
 		if e.loginRoute == "" {
 			panic("Env: login route not set")
 		}
 		return e.loginRoute
 	}
 }
--- a/src/internal/web/render.go
+++ b/src/internal/web/render.go
@ -1,48 +1,36 @@
 package web
-import (
+import "net/http"
 	"html/template"
 	"net/http"
-	"gitlab.quimbo.fr/odwrtw/canape-sql/src/internal/data"
+// RenderError renders an error
-
+func (e *Env) RenderError(w http.ResponseWriter, err error) error {
-	"github.com/gorilla/mux"
+	return e.render(w, "error", err.Error())
 )
 // TmplFuncs handles global template functions
 var tmplFuncs = []template.FuncMap{
 	map[string]interface{}{
 		"safeURL": func(s string) template.URL {
 			return template.URL(s)
 		},
 	},
 }
-// AddTmplFunc adds a template function
+// RenderOK renders a message
-func AddTmplFunc(name string, f interface{}) error {
+func (e *Env) RenderOK(w http.ResponseWriter, message string) error {
-	tmplFuncs = append(tmplFuncs, map[string]interface{}{
+	return e.render(w, "ok", message)
 		name: f,
 	})
 	return nil
 }
-// TemplateData represents object passed to template renderer
+func (e *Env) render(w http.ResponseWriter, status, message string) error {
-type TemplateData struct {
+	var out = struct {
-	Route string
+		Status  string `json:"status"`
-	Data  map[string]interface{}
+		Message string `json:"message"`
-}
+	}{
-
+		Status:  status,
-// Rends a view
+		Message: message,
 func (e *Env) Rends(w http.ResponseWriter, r *http.Request, template string) error {
 	if r.Header.Get("Accept") == "application/json" {
 		return e.Render.JSON(w, http.StatusOK, TemplateData{
 			Route: mux.CurrentRoute(r).GetName(),
 			Data:  data.GetAllData(r),
 		})
 	}
-
+	return e.Render.JSON(w, http.StatusOK, out)
-	return e.Render.HTML(w, http.StatusOK, template, TemplateData{
+}
-		Route: mux.CurrentRoute(r).GetName(),
+
-		Data:  data.GetAllData(r),
+// RenderJSON renders the data in JSON format
-	})
+func (e *Env) RenderJSON(w http.ResponseWriter, data interface{}) error {
 	var out = struct {
 		Status string      `json:"status"`
 		Data   interface{} `json:"data"`
 	}{
 		Status: "ok",
 		Data:   data,
 	}
 	return e.Render.JSON(w, http.StatusOK, out)
 }
--- a/src/internal/web/templates.go
+++ b/src/internal/web/templates.go
@ -1,48 +0,0 @@
 package web
 import (
 	"html/template"
 	"net/http"
 	"gitlab.quimbo.fr/odwrtw/canape-sql/src/internal/data"
 	"github.com/gorilla/mux"
 )
 // TmplFuncs handles global template functions
 var tmplFuncs = []template.FuncMap{
 	map[string]interface{}{
 		"safeURL": func(s string) template.URL {
 			return template.URL(s)
 		},
 	},
 }
 // AddTmplFunc adds a template function
 func AddTmplFunc(name string, f interface{}) error {
 	tmplFuncs = append(tmplFuncs, map[string]interface{}{
 		name: f,
 	})
 	return nil
 }
 // TemplateData represents object passed to template renderer
 type TemplateData struct {
 	Route string
 	Data  map[string]interface{}
 }
 // Rends a view
 func (e *Env) Rends(w http.ResponseWriter, r *http.Request, template string) error {
 	if r.Header.Get("Accept") == "application/json" {
 		return e.Render.JSON(w, http.StatusOK, TemplateData{
 			Route: mux.CurrentRoute(r).GetName(),
 			Data:  data.GetAllData(r),
 		})
 	}
 	return e.Render.HTML(w, http.StatusOK, template, TemplateData{
 		Route: mux.CurrentRoute(r).GetName(),
 		Data:  data.GetAllData(r),
 	})
 }
--- a/src/main.go
+++ b/src/main.go
@ -11,7 +11,6 @@ import (
 	"gitlab.quimbo.fr/odwrtw/canape-sql/src/internal/web"
 	"github.com/Sirupsen/logrus"
 	"github.com/gorilla/sessions"
 	"github.com/jmoiron/sqlx"
 	_ "github.com/lib/pq"
 	"github.com/urfave/negroni"
@ -52,11 +51,10 @@ func main() {
 	uBackend := &UserBackend{Database: db}
 	authParams := auth.Params{
-		Backend:    uBackend,
+		Backend: uBackend,
-		Pepper:     cf.Authorizer.Pepper,
+		Pepper:  cf.Authorizer.Pepper,
-		CookieName: cf.Authorizer.CookieName,
+		Cost:    cf.Authorizer.Cost,
-		Cookiejar:  sessions.NewCookieStore([]byte(cf.Authorizer.Key)),
+		Secret:  cf.Authorizer.Secret,
 		Cost:       cf.Authorizer.Cost,
 	}
 	authorizer := auth.New(authParams)
@ -69,22 +67,13 @@ func main() {
 	authMiddleware := auth.NewMiddleware(env.Auth, log)
-	env.Handle("/", movies.ExplorePopular).Name("movies.home")
+	env.Handle("/users/login", users.LoginPOSTHandler).Methods("POST")
-	env.Handle("/users/login", users.LoginGETHandler).Name("users.login").Methods("GET")
+	env.Handle("/users/signup", users.SignupPOSTHandler).Methods("POST")
-	env.Handle("/users/login", users.LoginPOSTHandler).Name("users.login").Methods("POST")
+	env.Handle("/users/details", users.DetailsHandler).WithRole(users.UserRole)
-	env.Handle("/users/signup", users.SignupGETHandler).Name("users.signup").Methods("GET")
+	env.Handle("/users/edit", users.EditHandler).WithRole(users.UserRole)
 	env.Handle("/users/signup", users.SignupPOSTHandler).Name("users.signup").Methods("POST")
 	env.Handle("/users/logout", users.LogoutHandler).Name("users.logout")
 	env.Handle("/users/details", users.DetailsHandler).Name("users.details").WithRole(users.UserRole)
 	env.Handle("/users/edit", users.EditHandler).Name("users.edit").WithRole(users.UserRole)
-	env.Handle("/movies/polochon", movies.FromPolochon).Name("movies.polochon").WithRole(users.UserRole)
+	env.Handle("/movies/polochon", movies.FromPolochon).WithRole(users.UserRole)
-	env.Handle("/movies/explore/popular", movies.ExplorePopular).Name("movies.explore.popular").WithRole(users.UserRole)
+	env.Handle("/movies/explore/popular", movies.ExplorePopular).WithRole(users.UserRole)
 	err = env.SetLoginRoute("users.login")
 	if err != nil {
 		log.Panic(err)
 	}
 	n := negroni.Classic()
 	n.Use(authMiddleware)
--- a/src/templates/errors.tmpl
+++ b/src/templates/errors.tmpl
@ -1,9 +0,0 @@
 {{ if $.Data.Errors }}
 <div class="row">
    <div class="col-md-6 col-md-offset-3 col-xs-12">
        <div class="alert alert-warning">
              <p>{{ $.Data.Errors }}</p>
        </div>
    </div>
 </div>
 {{ end }}
--- a/src/templates/layout.tmpl
+++ b/src/templates/layout.tmpl
@ -1,23 +0,0 @@
 <!DOCTYPE html>
 <html lang="en">
  <head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <title>Canape</title>
    <link href="/css/app.css" rel="stylesheet">
  </head>
  <body>
    {{ template "errors" $ }}
    {{ template "success" $ }}
    {{ template "navbar" $ }}
    <div class="container-fluid">
      <div class="container">
        {{ yield }}
      </div>
    </div>
    <script src="/js/app.js"></script>
  </body>
 </html>
--- a/src/templates/movies/library.tmpl
+++ b/src/templates/movies/library.tmpl
@ -1,61 +0,0 @@
 {{ if $.Data.error }}
    {{ if eq $.Data.error "Invalid address"}}
        <div class="alert alert-danger" role="alert">
            The polochon API adress specified in your configuration is invalid or unreachable,
            <a href="{{ URL "users.edit"}}">change it</a>
        </div>
    {{ end }}
 {{ else }}
 <div class="row" id="movie-library">
    <div class="col-xs-5 col-md-8">
        <div class="row">
            {{ range $.Data.movies }}
                <div class="col-xs-12 col-md-3">
                    <a href="#" class="thumbnail" data-imdbid="{{.ImdbID}}">
                        <img src="/img/movies/{{.ImdbID}}.jpg" onerror="this.onerror=null;this.src='/img/noimage.png';">
                    </a>
                </div>
            {{ end }}
        </div>
    </div>
    <div class="col-xs-7 col-md-4">
        {{ range $.Data.movies}}
            <div id="{{.ImdbID}}-detail" class="hidden movie-detail affix">
                <h1 class="hidden-xs">{{ .Title }}</h1>
                <h3 class="visible-xs">{{ .Title }}</h3>
                <h4 class="hidden-xs">{{ .Year }}</h4>
                <p>
                    <i class="fa fa-clock-o"></i>
                    {{ .Runtime }} min
                </p>
                <p>
                    <i class="fa fa-star-o"></i>
                    {{ .Rating }} <small>({{ .Votes }} counts)</small>
                </p>
                <p class="movie-plot">{{ .Plot }}</p>
                <div class="movie-details-buttons">
                    {{ if .PolochonURL }}
                        <a type="button" class="btn btn-success btn-sm" href="{{ .PolochonURL }}">
                            <i class="fa fa-download"></i> Download
                        </a>
                    {{ end }}
                    <a id="imdb-link" type="button" class="btn btn-sm btn-warning" href="http://www.imdb.com/title/{{ .ImdbID }}">
                        <i class="fa fa-external-link"></i> IMDB
                    </a>
                </div>
            </div>
        {{ end}}
    </div>
 </div>
 {{ end }}
--- a/src/templates/navbar.tmpl
+++ b/src/templates/navbar.tmpl
@ -1,71 +0,0 @@
 <nav class="navbar navbar-inverse navbar-fixed-top">
  <div class="container">
    <div class="container-fluid">
      <!-- Brand and toggle get grouped for better mobile display -->
      <div class="navbar-header">
        <button type="button" class="navbar-toggle collapsed" data-toggle="collapse" data-target="#bs-example-navbar-collapse-1" aria-expanded="false">
          <span class="sr-only">Toggle navigation</span>
          <span class="icon-bar"></span>
          <span class="icon-bar"></span>
          <span class="icon-bar"></span>
        </button>
        <a class="navbar-brand" href="#">Canape</a>
      </div>
      <!-- Collect the nav links, forms, and other content for toggling -->
      <div class="collapse navbar-collapse" id="bs-example-navbar-collapse-1">
        <ul class="nav navbar-nav">
          <li><a href="{{ URL "movies.explore.popular"}}">Movies</a></li>
          <li><a href="#">TV Shows</a></li>
        {{ if $.Data.user }}
          <li class="dropdown">
            <a href="#" class="dropdown-toggle" data-toggle="dropdown">
              <i class="fa fa-list"></i>
              My Library
              <span class="caret"></span>
            </a>
            <ul class="dropdown-menu" role="menu">
              <li  {{ if eq $.Route "movies.polochon" }}class="active"{{ end }}>
                <a href="{{ URL "movies.polochon" }}?limit=10">Movies{{ if eq $.Route "movies.polochon" }}<span class="sr-only">Movies</span>{{ end }}</a>
              </li>
              <li>
                <a href="#">
                  TVShows
                </a>
              </li>
            </ul>
          </li>
        {{ end }}
        </ul>
        <ul class="nav navbar-nav navbar-right">
        {{ if $.Data.user }}
          <li class="dropdown">
            <a href="#" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">{{$.Data.user.Name}} <span class="caret"></span></a>
            <ul class="dropdown-menu">
              <li>
                <a href="{{ URL "users.details"}}">My account</a>
              </li>
              <li>
                <a href="{{ URL "users.edit"}}">Edit</a>
              </li>
              <li role="separator" class="divider"></li>
              <li>
                <a href="{{ URL "users.logout"}}">Logout</a>
              </li>
            </ul>
          </li>
        {{ else }}
          <li>
            <a href="{{ URL "users.login"}}">Sign in</a>
          </li>
          <li>
            <a href="{{ URL "users.signup"}}">Sign up</a>
          </li>
        {{ end }}
        </ul>
      </div><!-- /.navbar-collapse -->
    </div><!-- /.container-fluid -->
  </div><!-- /.container -->
 </nav>
--- a/src/templates/success.tmpl
+++ b/src/templates/success.tmpl
@ -1,9 +0,0 @@
 {{ if $.Data.Success }}
 <div class="row">
    <div class="col-xs-12">
        <div class="alert alert-success">
            {{ $.Data.Success }}
        </div>
    </div>
 </div>
 {{ end }}
--- a/src/templates/users/details.tmpl
+++ b/src/templates/users/details.tmpl
@ -1,26 +0,0 @@
 <div class="container">
    <div id="user-details" class="content-fluid">
        <div class="col-md-6 col-md-offset-3 col-xs-12">
            <h2>{{ $.Data.user.Name }}'s informations</h2>
            <hr>
            <div class="panel panel-info">
                <div class="panel-heading">
                    Polochon URL
                </div>
                <div class="panel-body">{{ $.Data.polochon.URL }}</div>
            </div>
            <div class="panel panel-info">
                <div class="panel-heading">
                    Polochon token
                </div>
                <div class="panel-body">{{ $.Data.polochon.Token }}</div>
            </div>
            <div>
                <a class="btn btn-default pull-left" href="{{ URL "users.edit" }}">Edit</a>
            </div>
        </div>
    </div>
 </div>
--- a/src/templates/users/edit.tmpl
+++ b/src/templates/users/edit.tmpl
@ -1,40 +0,0 @@
 <div class="container">
  <div class="content-fluid">
    <div class="col-md-6 col-md-offset-3 col-xs-12">
      <h2>Edit user</h2>
      <hr>
      <form accept-charset="UTF-8" action="{{ URL "users.edit" }}" method="POST" class="form-horizontal" id="user">
        <div class="form-group">
          <label class="control-label" for="PolochonURL">Polochon URL</label>
          <input autofocus="autofocus" class="form-control" name="PolochonURL" type="text" value="{{ $.Data.polochon.URL }}">
        </div>
        <div class="form-group">
          <label class="control-label" for="PolochonToken">Polochon token</label>
          <input autofocus="autofocus" class="form-control" name="PolochonToken" type="text" value="{{ $.Data.polochon.Token }}" >
        </div>
        <hr>
        <div class="form-group">
          <label class="control-label" for="Password">Password</label>
          <input autocomplete="off" class="form-control" name="Password" type="password" value="">
        </div>
        <div class="form-group">
          <label class="control-label" for="PasswordVerify">Confirm Password</label>
          <input autocomplete="off" class="form-control" name="PasswordVerify" type="password" value="">
        </div>
        <div>
          <input class="btn btn-primary pull-right" type="submit" value="Update">
          <a class="btn btn-default pull-left" href="{{ URL "users.details" }}">Cancel</a>
        </div>
      </form>
    </div>
  </div>
 </div>
--- a/src/templates/users/login.tmpl
+++ b/src/templates/users/login.tmpl
@ -1,27 +0,0 @@
 <div class="container">
  <div class="content-fluid">
    <div class="col-md-6 col-md-offset-3 col-xs-12">
      <h2>Log in</h2>
      <hr>
      <form accept-charset="UTF-8" action="/users/login" method="POST" class="form-horizontal">
        <div>
          <label for="user_email">Username</label>
          <br>
          <input autofocus="autofocus" class="form-control" id="username" name="Username" type="username" value="">
          <p></p>
        </div>
        <div>
          <label for="user_password">Password</label>
          <br>
          <input autocomplete="off" class="form-control" id="password" name="Password" type="password">
          <p></p>
        </div>
        <div>
          <input class="btn btn-primary pull-right" type="submit" value="Log in">
          <br>
        </div>
        <a class="btn btn-default btn-sm pull-left" href="/movies/%3cnil%3e">Cancel</a>
      </form>
    </div>
  </div>
 </div>
--- a/src/templates/users/signup.tmpl
+++ b/src/templates/users/signup.tmpl
@ -1,39 +0,0 @@
 <div class="container">
  <div class="content-fluid">
    <div class="col-md-6 col-md-offset-3 col-xs-12">
      <h2>Sign up</h2>
      <hr>
      <form accept-charset="UTF-8" action="{{ URL "users.signup" }}" method="POST" class="form-horizontal" id="new_user">
        <div>
          <p class="">
          <label for="user_email">Username</label>
          <br>
          <input autofocus="autofocus" class="form-control" id="username" name="Username" type="username" value="">
          <span class="error"></span>
          </p>
        </div>
        <div>
          <p class="">
          <label for="user_password">Password</label>
          <br>
          <input autocomplete="off" class="form-control" id="password" name="Password" type="password" value="">
          <span class="error"></span>
          </p>
        </div>
        <div>
          <p class="">
          <label for="user_password">Confirm Password</label>
          <br>
          <input autocomplete="off" class="form-control" id="passwordVerify" name="PasswordVerify" type="password" value="">
          <span class="error"></span>
          </p>
        </div>
        <div>
          <input class="btn btn-primary pull-right" type="submit" value="Sign up">
          <br>
        </div>
        <a class="btn btn-default btn-sm pull-left" href="/movies/%3cnil%3e">Cancel</a>
      </form>
    </div>
  </div>
 </div>