The LDAP struct was mixing LDAP connection settings with unrelated mail
settings. Extract mail fields into a dedicated SMTPConfig struct with
its own global (mySMTP), keeping concerns cleanly separated.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
LDAP connections were never closed, leaking TCP connections on every
request. Also refactors change.go from chained else-if to early returns
for cleaner defer placement.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
- Verify reset token before showing the form (GET), redirecting with
an error immediately if the token is invalid or expired
- Add peekResetToken to check token validity non-destructively
- Fix POST form action to include query params so the URL check doesn't
silently redirect to /lost before processing errors
- Update page title and subtitle to reflect the reset step
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Replace map[string]interface{} with map[string]any, ioutil.ReadAll with
io.ReadAll, and simplify redundant fmt.Sprintf/w.Write calls.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Integrate go-altcha to protect login, change password, lost password,
and reset password forms against automated submissions. Serves the
altcha widget JS from the embedded library, exposes a challenge
endpoint, validates responses server-side with replay prevention, and
updates the CSP to allow self-hosted scripts and WebAssembly.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Implement sliding window rate limiter to prevent brute-force attacks:
- /auth and /login: 20 requests/minute per IP
- /change: 10 POST requests/minute per IP
- /lost: 5 POST requests/minute per IP (prevents email spam and user enumeration)
- /reset: 10 POST requests/minute per IP
- /api/v1/aliases: 30 requests/minute per IP
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Replace SHA512-based deterministic token with 32-byte crypto/rand token
- Store tokens server-side with 1-hour expiry and single-use semantics
- Remove genToken (previously broken due to time.Add immutability bug)
- Add CSRF double-submit cookie protection to change/lost/reset forms
- Remove token from form action URL (use hidden fields only, POST body)
- Add MailFrom field and SMTP_FROM env var for configurable sender address
- Add SMTP_PASSWORD_FILE env var for secure SMTP password loading
- Add PUBLIC_URL env var and --public-url flag for configurable reset link domain
- Use generic error messages in handlers to avoid information disclosure
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
