Phase 4 — P4-03/04: RBAC + user management #14
@@ -182,6 +182,8 @@ func (s *Server) routes(r chi.Router) {
|
||||
r.Get("/alerts", s.handleUIAlerts)
|
||||
r.Get("/audit", s.handleUIAudit)
|
||||
r.Get("/audit.csv", s.handleUIAuditCSV)
|
||||
r.Get("/settings/account", s.handleUIAccountGet)
|
||||
r.Post("/settings/account", s.handleUIAccountPost)
|
||||
}
|
||||
})
|
||||
|
||||
|
||||
@@ -64,3 +64,91 @@ func (s *Server) handleAPIAccountPassword(w stdhttp.ResponseWriter, r *stdhttp.R
|
||||
})
|
||||
w.WriteHeader(stdhttp.StatusOK)
|
||||
}
|
||||
|
||||
type accountPage struct {
|
||||
Username string
|
||||
Role string
|
||||
MustChange bool
|
||||
Error string
|
||||
Saved bool
|
||||
}
|
||||
|
||||
func (s *Server) handleUIAccountGet(w stdhttp.ResponseWriter, r *stdhttp.Request) {
|
||||
u := s.requireUIUser(w, r)
|
||||
if u == nil {
|
||||
return
|
||||
}
|
||||
full, err := s.deps.Store.GetUserByID(r.Context(), u.ID)
|
||||
if err != nil {
|
||||
stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
view := s.baseView(r, u)
|
||||
view.Title = "Account · restic-manager"
|
||||
view.Active = "settings"
|
||||
view.Page = accountPage{
|
||||
Username: full.Username, Role: string(full.Role),
|
||||
MustChange: full.MustChangePassword,
|
||||
}
|
||||
_ = s.deps.UI.Render(w, "account", view)
|
||||
}
|
||||
|
||||
func (s *Server) handleUIAccountPost(w stdhttp.ResponseWriter, r *stdhttp.Request) {
|
||||
u := s.requireUIUser(w, r)
|
||||
if u == nil {
|
||||
return
|
||||
}
|
||||
if err := r.ParseForm(); err != nil {
|
||||
stdhttp.Error(w, "bad request", stdhttp.StatusBadRequest)
|
||||
return
|
||||
}
|
||||
cur := r.PostForm.Get("current_password")
|
||||
pw := r.PostForm.Get("new_password")
|
||||
pw2 := r.PostForm.Get("confirm_password")
|
||||
|
||||
full, err := s.deps.Store.GetUserByID(r.Context(), u.ID)
|
||||
if err != nil {
|
||||
stdhttp.Error(w, "internal", stdhttp.StatusInternalServerError)
|
||||
return
|
||||
}
|
||||
|
||||
render := func(errMsg string, saved bool) {
|
||||
view := s.baseView(r, u)
|
||||
view.Title = "Account · restic-manager"
|
||||
view.Active = "settings"
|
||||
view.Page = accountPage{
|
||||
Username: full.Username, Role: string(full.Role),
|
||||
MustChange: full.MustChangePassword,
|
||||
Error: errMsg, Saved: saved,
|
||||
}
|
||||
_ = s.deps.UI.Render(w, "account", view)
|
||||
}
|
||||
|
||||
if pw == "" || pw != pw2 || len(pw) < 12 {
|
||||
render("Passwords must match and be at least 12 characters.", false)
|
||||
return
|
||||
}
|
||||
if !full.MustChangePassword {
|
||||
if err := auth.VerifyPassword(full.PasswordHash, cur); err != nil {
|
||||
render("Current password is incorrect.", false)
|
||||
return
|
||||
}
|
||||
}
|
||||
hash, err := auth.HashPassword(pw)
|
||||
if err != nil {
|
||||
render("Internal error.", false)
|
||||
return
|
||||
}
|
||||
if err := s.deps.Store.SetPasswordHash(r.Context(), u.ID, hash); err != nil {
|
||||
render("Internal error.", false)
|
||||
return
|
||||
}
|
||||
_ = s.deps.Store.AppendAudit(r.Context(), store.AuditEntry{
|
||||
ID: ulid.Make().String(), UserID: &u.ID, Actor: "user",
|
||||
Action: "user.password_changed",
|
||||
TargetKind: ptr("user"), TargetID: &u.ID,
|
||||
TS: time.Now().UTC(),
|
||||
})
|
||||
full.MustChangePassword = false
|
||||
render("", true)
|
||||
}
|
||||
|
||||
@@ -0,0 +1,46 @@
|
||||
{{define "title"}}Account · restic-manager{{end}}
|
||||
|
||||
{{define "content"}}
|
||||
{{$page := .Page}}
|
||||
<div class="max-w-[520px] mx-auto px-8 pb-14">
|
||||
<div class="crumbs pt-6">
|
||||
<a href="/">Dashboard</a><span class="sep">/</span>
|
||||
<span class="text-ink-mid">account</span>
|
||||
</div>
|
||||
|
||||
<h1 class="text-[22px] font-medium tracking-[-0.005em] mt-3.5">Account</h1>
|
||||
<div class="text-[12.5px] text-ink-mute mt-2 leading-[1.6]">
|
||||
Signed in as <span class="mono text-ink-mid">{{$page.Username}}</span>
|
||||
({{$page.Role}}). Change your password below.
|
||||
</div>
|
||||
|
||||
{{if $page.Saved}}
|
||||
<div class="mt-6 panel rounded-[7px] p-4"
|
||||
style="border-color: color-mix(in oklch, var(--ok), transparent 60%);">
|
||||
<div class="text-ok text-[13px]">Password updated.</div>
|
||||
</div>
|
||||
{{end}}
|
||||
|
||||
<form method="post" action="/settings/account" class="mt-6 panel rounded-[7px] p-6 space-y-4">
|
||||
{{if not $page.MustChange}}
|
||||
<div>
|
||||
<label class="field-label" for="current">Current password</label>
|
||||
<input id="current" name="current_password" type="password" class="field"
|
||||
required autocomplete="current-password" />
|
||||
</div>
|
||||
{{end}}
|
||||
<div>
|
||||
<label class="field-label" for="new">New password</label>
|
||||
<input id="new" name="new_password" type="password" class="field"
|
||||
required minlength="12" autocomplete="new-password" />
|
||||
</div>
|
||||
<div>
|
||||
<label class="field-label" for="confirm">Confirm new password</label>
|
||||
<input id="confirm" name="confirm_password" type="password" class="field"
|
||||
required minlength="12" autocomplete="new-password" />
|
||||
</div>
|
||||
{{if $page.Error}}<div class="text-bad text-[12.5px]">{{$page.Error}}</div>{{end}}
|
||||
<button type="submit" class="btn btn-primary btn-block btn-lg">Update password</button>
|
||||
</form>
|
||||
</div>
|
||||
{{end}}
|
||||
Reference in New Issue
Block a user