From 2dd8f3c3beeb5698c447f6050c84a79c7095929c Mon Sep 17 00:00:00 2001
From: Steve Cliff <steve@devcloud.guru>
Date: Tue, 5 May 2026 10:03:41 +0100
Subject: [PATCH] ui: /settings/account self-service password change

Adds GET/POST handlers for /settings/account in the viewer band
(any authenticated user), account.html template with current-password
field suppressed when must_change_password is set, and audits the
change via AppendAudit.
---
 internal/server/http/server.go     |  2 +
 internal/server/http/ui_account.go | 88 ++++++++++++++++++++++++++++++
 web/templates/pages/account.html   | 46 ++++++++++++++++
 3 files changed, 136 insertions(+)
 create mode 100644 web/templates/pages/account.html

diff --git a/internal/server/http/server.go b/internal/server/http/server.go
index 23329c8..68e7438 100644
--- a/internal/server/http/server.go
+++ b/internal/server/http/server.go
@@ -182,6 +182,8 @@ func (s *Server) routes(r chi.Router) {
 			r.Get("/alerts", s.handleUIAlerts)
 			r.Get("/audit", s.handleUIAudit)
 			r.Get("/audit.csv", s.handleUIAuditCSV)
+			r.Get("/settings/account", s.handleUIAccountGet)
+			r.Post("/settings/account", s.handleUIAccountPost)
 		}
 	})
 
diff --git a/internal/server/http/ui_account.go b/internal/server/http/ui_account.go
index d23483e..31bd025 100644
--- a/internal/server/http/ui_account.go
+++ b/internal/server/http/ui_account.go
@@ -64,3 +64,91 @@ func (s *Server) handleAPIAccountPassword(w stdhttp.ResponseWriter, r *stdhttp.R
 	})
 	w.WriteHeader(stdhttp.StatusOK)
 }
+
+type accountPage struct {
+	Username   string
+	Role       string
+	MustChange bool
+	Error      string
+	Saved      bool
+}
+
+func (s *Server) handleUIAccountGet(w stdhttp.ResponseWriter, r *stdhttp.Request) {
+	u := s.requireUIUser(w, r)
+	if u == nil {
+		return
+	}
+	full, err := s.deps.Store.GetUserByID(r.Context(), u.ID)
+	if err != nil {
+		stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
+		return
+	}
+	view := s.baseView(r, u)
+	view.Title = "Account · restic-manager"
+	view.Active = "settings"
+	view.Page = accountPage{
+		Username: full.Username, Role: string(full.Role),
+		MustChange: full.MustChangePassword,
+	}
+	_ = s.deps.UI.Render(w, "account", view)
+}
+
+func (s *Server) handleUIAccountPost(w stdhttp.ResponseWriter, r *stdhttp.Request) {
+	u := s.requireUIUser(w, r)
+	if u == nil {
+		return
+	}
+	if err := r.ParseForm(); err != nil {
+		stdhttp.Error(w, "bad request", stdhttp.StatusBadRequest)
+		return
+	}
+	cur := r.PostForm.Get("current_password")
+	pw := r.PostForm.Get("new_password")
+	pw2 := r.PostForm.Get("confirm_password")
+
+	full, err := s.deps.Store.GetUserByID(r.Context(), u.ID)
+	if err != nil {
+		stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
+		return
+	}
+
+	render := func(errMsg string, saved bool) {
+		view := s.baseView(r, u)
+		view.Title = "Account · restic-manager"
+		view.Active = "settings"
+		view.Page = accountPage{
+			Username: full.Username, Role: string(full.Role),
+			MustChange: full.MustChangePassword,
+			Error:      errMsg, Saved: saved,
+		}
+		_ = s.deps.UI.Render(w, "account", view)
+	}
+
+	if pw == "" || pw != pw2 || len(pw) < 12 {
+		render("Passwords must match and be at least 12 characters.", false)
+		return
+	}
+	if !full.MustChangePassword {
+		if err := auth.VerifyPassword(full.PasswordHash, cur); err != nil {
+			render("Current password is incorrect.", false)
+			return
+		}
+	}
+	hash, err := auth.HashPassword(pw)
+	if err != nil {
+		render("Internal error.", false)
+		return
+	}
+	if err := s.deps.Store.SetPasswordHash(r.Context(), u.ID, hash); err != nil {
+		render("Internal error.", false)
+		return
+	}
+	_ = s.deps.Store.AppendAudit(r.Context(), store.AuditEntry{
+		ID: ulid.Make().String(), UserID: &u.ID, Actor: "user",
+		Action:     "user.password_changed",
+		TargetKind: ptr("user"), TargetID: &u.ID,
+		TS: time.Now().UTC(),
+	})
+	full.MustChangePassword = false
+	render("", true)
+}
diff --git a/web/templates/pages/account.html b/web/templates/pages/account.html
new file mode 100644
index 0000000..5164fc2
--- /dev/null
+++ b/web/templates/pages/account.html
@@ -0,0 +1,46 @@
+{{define "title"}}Account · restic-manager{{end}}
+
+{{define "content"}}
+{{$page := .Page}}
+<div class="max-w-[520px] mx-auto px-8 pb-14">
+  <div class="crumbs pt-6">
+    <a href="/">Dashboard</a><span class="sep">/</span>
+    <span class="text-ink-mid">account</span>
+  </div>
+
+  <h1 class="text-[22px] font-medium tracking-[-0.005em] mt-3.5">Account</h1>
+  <div class="text-[12.5px] text-ink-mute mt-2 leading-[1.6]">
+    Signed in as <span class="mono text-ink-mid">{{$page.Username}}</span>
+    ({{$page.Role}}). Change your password below.
+  </div>
+
+  {{if $page.Saved}}
+    <div class="mt-6 panel rounded-[7px] p-4"
+         style="border-color: color-mix(in oklch, var(--ok), transparent 60%);">
+      <div class="text-ok text-[13px]">Password updated.</div>
+    </div>
+  {{end}}
+
+  <form method="post" action="/settings/account" class="mt-6 panel rounded-[7px] p-6 space-y-4">
+    {{if not $page.MustChange}}
+      <div>
+        <label class="field-label" for="current">Current password</label>
+        <input id="current" name="current_password" type="password" class="field"
+               required autocomplete="current-password" />
+      </div>
+    {{end}}
+    <div>
+      <label class="field-label" for="new">New password</label>
+      <input id="new" name="new_password" type="password" class="field"
+             required minlength="12" autocomplete="new-password" />
+    </div>
+    <div>
+      <label class="field-label" for="confirm">Confirm new password</label>
+      <input id="confirm" name="confirm_password" type="password" class="field"
+             required minlength="12" autocomplete="new-password" />
+    </div>
+    {{if $page.Error}}<div class="text-bad text-[12.5px]">{{$page.Error}}</div>{{end}}
+    <button type="submit" class="btn btn-primary btn-block btn-lg">Update password</button>
+  </form>
+</div>
+{{end}}