http: GET /setup landing page with expiry handling

internal/server/http/server.go

@@ -137,6 +137,8 @@ func (s *Server) routes(r chi.Router) {
 		r.Get("/login", s.handleUILoginGet)
 		r.Post("/login", s.handleUILoginPost)
 		r.Post("/logout", s.handleUILogoutPost)
+		r.Get("/setup", s.handleUISetupGet)
+		r.Post("/setup", s.handleUISetupPost)
 	}
 
 	// Viewer band — anyone authenticated can read.

internal/server/http/setup_handler.go

@@ -0,0 +1,77 @@
+// setup_handler.go — public landing page for the user-setup link
+// emitted by the admin's "+ Add user" / "Regenerate setup link" flow.
+//
+// Routes (wired in server.go):
+//
+//	GET  /setup   → handleUISetupGet
+//	POST /setup   → handleUISetupPost  (lands in Task D2)
+//
+// The token in the querystring (`?token=<raw>`) is the credential.
+// Auth middleware does not run on these routes.
+package http
+
+import (
+	"crypto/sha256"
+	"encoding/hex"
+	"log/slog"
+	stdhttp "net/http"
+	"time"
+
+	"gitea.dcglab.co.uk/steve/restic-manager/internal/server/ui"
+)
+
+type setupPage struct {
+	Username string
+	Token    string // round-tripped to the POST form
+	Error    string // displayed when password validation fails or token is invalid
+}
+
+// hashSetupToken is the canonical hashing for setup tokens. Must
+// match what the admin handler uses when SetSetupToken is called,
+// so the digest at rest matches what GET /setup hashes.
+func hashSetupToken(raw string) string {
+	h := sha256.Sum256([]byte(raw))
+	return hex.EncodeToString(h[:])
+}
+
+func (s *Server) handleUISetupGet(w stdhttp.ResponseWriter, r *stdhttp.Request) {
+	raw := r.URL.Query().Get("token")
+	if raw == "" {
+		s.renderSetupExpired(w, r)
+		return
+	}
+	tok, err := s.deps.Store.LookupSetupToken(r.Context(), hashSetupToken(raw))
+	if err != nil {
+		s.renderSetupExpired(w, r)
+		return
+	}
+	if tok.ExpiresAt.Before(time.Now().UTC()) {
+		s.renderSetupExpired(w, r)
+		return
+	}
+	u, err := s.deps.Store.GetUserByID(r.Context(), tok.UserID)
+	if err != nil {
+		s.renderSetupExpired(w, r)
+		return
+	}
+	view := s.baseView(r, nil)
+	view.Title = "Set your password · restic-manager"
+	view.Page = setupPage{Username: u.Username, Token: raw}
+	if err := s.deps.UI.Render(w, "setup", view); err != nil {
+		slog.Error("ui setup: render", "err", err)
+	}
+}
+
+func (s *Server) renderSetupExpired(w stdhttp.ResponseWriter, r *stdhttp.Request) {
+	w.WriteHeader(stdhttp.StatusGone)
+	view := s.baseView(r, nil)
+	view.Title = "Link expired · restic-manager"
+	view.Page = setupPage{Error: "expired"}
+	_ = s.deps.UI.Render(w, "setup", view)
+	_ = ui.User{} // keep ui import alive
+}
+
+// handleUISetupPost is a stub — full implementation lands in Task D2.
+func (s *Server) handleUISetupPost(w stdhttp.ResponseWriter, r *stdhttp.Request) {
+	stdhttp.Error(w, "not implemented", stdhttp.StatusNotImplemented)
+}

internal/server/http/setup_test.go

@@ -0,0 +1,90 @@
+package http
+
+import (
+	"context"
+	"crypto/sha256"
+	"encoding/hex"
+	"io"
+	stdhttp "net/http"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/oklog/ulid/v2"
+
+	"gitea.dcglab.co.uk/steve/restic-manager/internal/store"
+)
+
+func sha256Hex(s string) string {
+	h := sha256.Sum256([]byte(s))
+	return hex.EncodeToString(h[:])
+}
+
+func TestSetupGetValidToken(t *testing.T) {
+	t.Parallel()
+	// /setup renders HTML, so we need a real UI renderer.
+	srv, ts, _ := rawTestServerWithUI(t)
+	urlBase := ts.URL
+	now := time.Now().UTC()
+
+	uid := ulid.Make().String()
+	if err := srv.deps.Store.CreateUser(t.Context(), store.User{
+		ID: uid, Username: "newbie", PasswordHash: "",
+		Role: store.RoleOperator, CreatedAt: now,
+		MustChangePassword: true,
+	}); err != nil {
+		t.Fatalf("create: %v", err)
+	}
+
+	raw := "raw-token-1234567890"
+	hash := sha256Hex(raw)
+	if err := srv.deps.Store.SetSetupToken(context.Background(), store.SetupToken{
+		UserID: uid, TokenHash: hash,
+		ExpiresAt: now.Add(time.Hour), CreatedAt: now,
+	}); err != nil {
+		t.Fatalf("set token: %v", err)
+	}
+
+	res, err := stdhttp.Get(urlBase + "/setup?token=" + raw)
+	if err != nil {
+		t.Fatalf("GET: %v", err)
+	}
+	defer res.Body.Close()
+	if res.StatusCode != stdhttp.StatusOK {
+		t.Errorf("status: got %d want 200", res.StatusCode)
+	}
+	body, _ := io.ReadAll(res.Body)
+	if !strings.Contains(string(body), "newbie") {
+		t.Errorf("expected username in body: %s", body)
+	}
+}
+
+func TestSetupGetExpiredToken(t *testing.T) {
+	t.Parallel()
+	// /setup renders HTML, so we need a real UI renderer.
+	srv, ts, _ := rawTestServerWithUI(t)
+	urlBase := ts.URL
+	now := time.Now().UTC()
+
+	uid := ulid.Make().String()
+	_ = srv.deps.Store.CreateUser(t.Context(), store.User{
+		ID: uid, Username: "stale",
+		PasswordHash: "", Role: store.RoleViewer, CreatedAt: now,
+		MustChangePassword: true,
+	})
+
+	raw := "expired-token"
+	_ = srv.deps.Store.SetSetupToken(context.Background(), store.SetupToken{
+		UserID: uid, TokenHash: sha256Hex(raw),
+		ExpiresAt: now.Add(-time.Minute), CreatedAt: now.Add(-2 * time.Hour),
+	})
+
+	res, err := stdhttp.Get(urlBase + "/setup?token=" + raw)
+	if err != nil {
+		t.Fatalf("GET: %v", err)
+	}
+	defer res.Body.Close()
+	if res.StatusCode != stdhttp.StatusGone {
+		t.Errorf("status: got %d want 410", res.StatusCode)
+	}
+}

internal/server/ui/ui.go

@@ -152,7 +152,7 @@ func (r *Renderer) RenderPartial(w io.Writer, name string, data ViewData) error
 // chrome-less; everything else uses the standard navigation chrome.
 func layoutFor(page string) string {
 	switch page {
-	case "login", "bootstrap":
+	case "login", "bootstrap", "setup":
 		return "chromeless"
 	default:
 		return "base"

web/templates/pages/setup.html

@@ -0,0 +1,44 @@
+{{define "title"}}{{.Title}}{{end}}
+
+{{define "content"}}
+{{$page := .Page}}
+<div class="max-w-[520px] mx-auto px-8 pt-20 pb-14">
+  {{if eq $page.Error "expired"}}
+    <h1 class="text-[22px] font-medium tracking-[-0.005em]">Link expired</h1>
+    <p class="text-pretty text-[13px] text-ink-mute mt-3 leading-[1.6]">
+      This setup link has expired or is invalid. Setup links are valid
+      for one hour from the moment your administrator generates them.
+    </p>
+    <p class="text-[12.5px] text-ink-mute mt-3 leading-[1.6]">
+      Contact your administrator and ask them to regenerate the link.
+    </p>
+  {{else}}
+    <h1 class="text-[22px] font-medium tracking-[-0.005em]">
+      Welcome, <span class="mono">{{$page.Username}}</span>
+    </h1>
+    <p class="text-pretty text-[13px] text-ink-mute mt-3 leading-[1.6]">
+      Pick a password to finish setting up your account. The link expires
+      one hour after your administrator generated it, so don't dawdle.
+    </p>
+    <form method="post" action="/setup" class="mt-7 space-y-4">
+      <input type="hidden" name="token" value="{{$page.Token}}" />
+      <div>
+        <label class="field-label" for="pw">New password</label>
+        <input id="pw" name="password" type="password" class="field"
+               required minlength="12" autocomplete="new-password" />
+      </div>
+      <div>
+        <label class="field-label" for="pw2">Confirm password</label>
+        <input id="pw2" name="password_confirm" type="password" class="field"
+               required minlength="12" autocomplete="new-password" />
+      </div>
+      <button type="submit" class="btn btn-primary btn-block btn-lg">
+        Set password and sign in
+      </button>
+    </form>
+    {{if and $page.Error (ne $page.Error "expired")}}
+      <p class="text-bad text-[12.5px] mt-4">{{$page.Error}}</p>
+    {{end}}
+  {{end}}
+</div>
+{{end}}