nemunaire/chldapasswd
1
0
Fork 0
Code Issues Pull requests Releases Activity

Compare commits

base: nemunaire:c98fe735ad48004f4e8d5c49dd75d37172d867bd
Branches Tags
nemunaire:master
...
compare: nemunaire:99def55e8081ca7933791d339f652f1b043ca0cc
Branches Tags
nemunaire:master

5 commits
c98fe735ad ... 99def55e80

Author SHA1 Message Date
Pierre-Olivier Mercier
99def55e80 feat: replace Bootstrap with custom CSS and add profile page
All checks were successful
continuous-integration/drone/push Build is passing
Details 
- Add self-hosted style.css replacing Bootstrap CDN dependency
- Add profile.html with tabbed view (account info, emails/aliases, API token)
- Refactor login handler to pass structured data to template instead of building HTML strings
- Add brand-name and brand-logo flags/env vars for UI customization
- Update CSP to allow brand logo domain and remove CDN references
- Update all templates to pass template vars to header/footer and use new CSS classes

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-08 11:49:51 +07:00
Pierre-Olivier Mercier
910dd7b47a Add log to know LDAP server in use 2026-03-08 11:48:34 +07:00
Pierre-Olivier Mercier
439dc2cd07 refactor: modernize Go idioms across codebase 
Replace map[string]interface{} with map[string]any, ioutil.ReadAll with
io.ReadAll, and simplify redundant fmt.Sprintf/w.Write calls.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-08 11:48:34 +07:00
Pierre-Olivier Mercier
8933055358 feat: add -dev flag for local HTTP testing 
In development mode (-dev):
- HSTS header is omitted (prevents browser caching HTTPS-only requirement)
- CSRF cookie Secure flag is cleared (allows cookies over plain HTTP)
- A warning is logged on startup

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-08 10:56:37 +07:00
Pierre-Olivier Mercier
28f55960de feat(security): add altcha proof-of-work CAPTCHA to all sensitive forms 
Integrate go-altcha to protect login, change password, lost password,
and reset password forms against automated submissions. Serves the
altcha widget JS from the embedded library, exposes a challenge
endpoint, validates responses server-side with replay prevention, and
updates the CSP to allow self-hosted scripts and WebAssembly.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-03-08 10:56:16 +07:00
20 changed files with 895 additions and 133 deletions
Download patch file Download diff file Expand all files Collapse all files

10
addy.go
View file

@ -12,6 +12,7 @@ import (
"log"
"net/http"
"os"
"slices"
"strings"
)
@ -134,14 +135,7 @@ func addyAliasAPI(w http.ResponseWriter, r *http.Request) {
http.Error(w, "Alias creation is not configured", http.StatusServiceUnavailable)
return
}
domainAllowed := false
for _, d := range allowedAliasDomains {
if body.Domain == d {
domainAllowed = true
break
}
}
if !domainAllowed {
if !slices.Contains(allowedAliasDomains, body.Domain) {
http.Error(w, "Domain not allowed", http.StatusBadRequest)
return
}

27
altcha.go Normal file
View file

@ -0,0 +1,27 @@
package main
import (
"net/http"
goaltcha "github.com/k42-software/go-altcha"
altchahttp "github.com/k42-software/go-altcha/http"
)
func serveAltchaJS(w http.ResponseWriter, r *http.Request) {
altchahttp.ServeJavascript(w, r)
}
func serveAltchaChallenge(w http.ResponseWriter, r *http.Request) {
challenge := goaltcha.NewChallenge()
w.Header().Set("Content-Type", "application/json")
w.Header().Set("Cache-Control", "private, no-cache, no-store, must-revalidate")
_, _ = w.Write([]byte(challenge.Encode()))
}
func validateAltcha(r *http.Request) bool {
encoded := r.PostFormValue("altcha")
if encoded == "" {
return false
}
return goaltcha.ValidateResponse(encoded, true)
}

14
change.go
View file

@ -33,7 +33,7 @@ func checkPasswdConstraint(password string) error {
func changePassword(w http.ResponseWriter, r *http.Request) {
if r.Method == "POST" && !changeLimiter.Allow(remoteIP(r)) {
csrfToken, _ := setCSRFToken(w)
displayTmplError(w, http.StatusTooManyRequests, "change.html", map[string]interface{}{"error": "Too many requests. Please try again later.", "csrf_token": csrfToken})
displayTmplError(w, http.StatusTooManyRequests, "change.html", map[string]any{"error": "Too many requests. Please try again later.", "csrf_token": csrfToken})
return
}
@ -43,19 +43,25 @@ func changePassword(w http.ResponseWriter, r *http.Request) {
http.Error(w, "Internal server error", http.StatusInternalServerError)
return
}
displayTmpl(w, "change.html", map[string]interface{}{"csrf_token": csrfToken})
displayTmpl(w, "change.html", map[string]any{"csrf_token": csrfToken})
return
}
if !validateCSRF(r) {
csrfToken, _ := setCSRFToken(w)
displayTmplError(w, http.StatusForbidden, "change.html", map[string]interface{}{"error": "Invalid or missing CSRF token. Please try again.", "csrf_token": csrfToken})
displayTmplError(w, http.StatusForbidden, "change.html", map[string]any{"error": "Invalid or missing CSRF token. Please try again.", "csrf_token": csrfToken})
return
}
if !validateAltcha(r) {
csrfToken, _ := setCSRFToken(w)
displayTmplError(w, http.StatusForbidden, "change.html", map[string]any{"error": "Invalid or missing altcha response. Please try again.", "csrf_token": csrfToken})
return
}
renderError := func(status int, msg string) {
csrfToken, _ := setCSRFToken(w)
displayTmplError(w, status, "change.html", map[string]interface{}{"error": msg, "csrf_token": csrfToken})
displayTmplError(w, status, "change.html", map[string]any{"error": msg, "csrf_token": csrfToken})
}
// Check the two new passwords are identical

1
csrf.go
View file

@ -25,6 +25,7 @@ func setCSRFToken(w http.ResponseWriter) (string, error) {
Path: "/",
HttpOnly: false, // must be readable via form hidden field comparison
SameSite: http.SameSiteStrictMode,
Secure: !devMode,
})
return token, nil
}

2
go.mod
View file

@ -14,6 +14,8 @@ require (
github.com/Azure/go-ntlmssp v0.0.0-20221128193559-754e69321358 // indirect
github.com/go-asn1-ber/asn1-ber v1.5.8-0.20250403174932-29230038a667 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/k42-software/go-altcha v0.1.1
github.com/pkg/errors v0.9.1 // indirect
golang.org/x/crypto v0.36.0 // indirect
gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
)

4
go.sum
View file

@ -41,6 +41,10 @@ github.com/jcmturner/gokrb5/v8 v8.4.4 h1:x1Sv4HaTpepFkXbt2IkL29DXRf8sOfZXo8eRKh6
github.com/jcmturner/gokrb5/v8 v8.4.4/go.mod h1:1btQEpgT6k+unzCwX1KdWMEwPPkkgBtP+F6aCACiMrs=
github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZY=
github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc=
github.com/k42-software/go-altcha v0.1.1 h1:vfA+0+0gr7jK4vp21Q7xvEpIjDsx8PqzxS0obgIToQs=
github.com/k42-software/go-altcha v0.1.1/go.mod h1:2aX+0PkUSI0YPDVfjapZeuGELWt8ugEXkg8gr6QejMU=
github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

146
login.go
View file

@ -2,8 +2,6 @@ package main
import (
"fmt"
"html"
"html/template"
"log"
"net/http"
"net/url"
@ -12,6 +10,69 @@ import (
"github.com/go-ldap/ldap/v3"
)
type profileField struct {
Name string
Label string
Value string
}
type profileAlias struct {
Value string
URLSafe string
ElemID string
Token string
}
var ldapLabels = map[string]string{
"cn": "Full name",
"uid": "Username",
"givenName": "First name",
"sn": "Last name",
"displayName": "Display name",
"telephoneNumber": "Phone",
"mobile": "Mobile",
"employeeNumber": "Employee ID",
"o": "Organization",
"ou": "Department",
"title": "Title",
"description": "Description",
"labeledURI": "Website",
}
// ldapSkip lists attributes that should never be shown to the user.
var ldapSkip = map[string]bool{
"userPassword": true,
"krbPrincipalKey": true,
"objectClass": true,
"entryUUID": true,
"entryDN": true,
"structuralObjectClass": true,
"hasSubordinates": true,
"krbExtraData": true,
}
// isGeneratedAlias returns true for auto-generated alias local parts:
// exactly 10 characters and containing at least one digit or uppercase letter,
// which distinguishes them from plain words like "postmaster" or "abonnement".
func isGeneratedAlias(local string) bool {
if len(local) != 10 {
return false
}
for _, c := range local {
if c >= '0' && c <= '9' || c >= 'A' && c <= 'Z' {
return true
}
}
return false
}
func ldapLabel(name string) string {
if l, ok := ldapLabels[name]; ok {
return l
}
return name
}
func login(login string, password string) ([]*ldap.EntryAttribute, error) {
conn, err := myLDAP.Connect()
if err != nil || conn == nil {
@ -44,42 +105,71 @@ func login(login string, password string) ([]*ldap.EntryAttribute, error) {
func tryLogin(w http.ResponseWriter, r *http.Request) {
if r.Method != "POST" {
displayTmpl(w, "login.html", map[string]interface{}{})
displayTmpl(w, "login.html", map[string]any{})
return
}
if !authLimiter.Allow(remoteIP(r)) {
displayTmplError(w, http.StatusTooManyRequests, "login.html", map[string]interface{}{"error": "Too many login attempts. Please try again later."})
displayTmplError(w, http.StatusTooManyRequests, "login.html", map[string]any{"error": "Too many login attempts. Please try again later."})
return
}
if entries, err := login(r.PostFormValue("login"), r.PostFormValue("password")); err != nil {
log.Println(err)
displayTmplError(w, http.StatusInternalServerError, "login.html", map[string]interface{}{"error": err.Error()})
} else {
apiToken := AddyAPIToken(r.PostFormValue("login"))
if !validateAltcha(r) {
displayTmplError(w, http.StatusForbidden, "login.html", map[string]any{"error": "Invalid or missing altcha response. Please try again."})
return
}
cnt := "<ul>"
for _, e := range entries {
for i, v := range e.Values {
safeName := html.EscapeString(e.Name)
safeVal := html.EscapeString(v)
elemID := fmt.Sprintf("mailAlias-%d", i)
if e.Name == "userPassword" || e.Name == "krbPrincipalKey" {
cnt += "<li><strong>" + safeName + ":</strong> <em>[...]</em></li>"
} else if e.Name == "mailAlias" && len(strings.SplitN(v, "@", 2)[0]) == 10 {
safeURL := url.PathEscape(v)
safeToken := html.EscapeString(apiToken)
safeElemID := html.EscapeString(elemID)
cnt += `<li id="` + safeElemID + `"><strong>` + safeName + `:</strong> ` + safeVal +
`<button type="button" class="mx-1 btn btn-sm btn-danger" data-alias="` + safeURL + `" data-token="` + safeToken + `" data-elem="` + safeElemID + `" onclick="(function(b){fetch('/api/v1/aliases/'+b.dataset.alias,{'method':'delete','headers':{'Authorization':'Bearer '+b.dataset.token}}).then(function(r){if(r.ok)document.getElementById(b.dataset.elem).remove();})})(this)">Supprimer</button></li>`
} else {
cnt += "<li><strong>" + safeName + ":</strong> " + safeVal + "</li>"
}
loginName := r.PostFormValue("login")
entries, err := login(loginName, r.PostFormValue("password"))
if err != nil {
log.Println(err)
displayTmplError(w, http.StatusInternalServerError, "login.html", map[string]any{"error": err.Error()})
return
}
apiToken := AddyAPIToken(loginName)
var fields []profileField
var emails []string
var aliases []profileAlias
aliasIdx := 0
for _, e := range entries {
if ldapSkip[e.Name] {
continue
}
for _, v := range e.Values {
switch {
case e.Name == "mail":
emails = append(emails, v)
case e.Name == "mailAlias" && isGeneratedAlias(strings.SplitN(v, "@", 2)[0]):
elemID := fmt.Sprintf("alias-%d", aliasIdx)
aliasIdx++
aliases = append(aliases, profileAlias{
Value: v,
URLSafe: url.PathEscape(v),
ElemID: elemID,
Token: apiToken,
})
case e.Name == "mailAlias":
emails = append(emails, v)
default:
fields = append(fields, profileField{
Name: e.Name,
Label: ldapLabel(e.Name),
Value: v,
})
}
}
displayTmpl(w, "message.html", map[string]interface{}{"details": template.HTML(`Login ok<br><br>Here are the information we have about you:` + cnt + "</ul><p>To use our Addy.io compatible API, use the following token: <code>" + html.EscapeString(apiToken) + "</code></p>")})
}
displayTmpl(w, "profile.html", map[string]any{
"login": loginName,
"fields": fields,
"emails": emails,
"aliases": aliases,
"api_token": apiToken,
"card_wide": true,
})
}
func httpBasicAuth(w http.ResponseWriter, r *http.Request) {
@ -102,7 +192,7 @@ func httpBasicAuth(w http.ResponseWriter, r *http.Request) {
for _, e := range entries {
for _, v := range e.Values {
if e.Name != "userPassword" {
w.Write([]byte(fmt.Sprintf("%s: %s", e.Name, v)))
fmt.Fprintf(w, "%s: %s", e.Name, v)
}
}
}

17
lost.go
View file

@ -88,7 +88,7 @@ func lostPasswordToken(conn *LDAPConn, login string) (string, string, error) {
func lostPassword(w http.ResponseWriter, r *http.Request) {
if r.Method == "POST" && !lostLimiter.Allow(remoteIP(r)) {
displayTmplError(w, http.StatusTooManyRequests, "lost.html", map[string]interface{}{"error": "Too many requests. Please try again later."})
displayTmplError(w, http.StatusTooManyRequests, "lost.html", map[string]any{"error": "Too many requests. Please try again later."})
return
}
@ -98,12 +98,17 @@ func lostPassword(w http.ResponseWriter, r *http.Request) {
http.Error(w, "Internal server error", http.StatusInternalServerError)
return
}
displayTmpl(w, "lost.html", map[string]interface{}{"csrf_token": csrfToken})
displayTmpl(w, "lost.html", map[string]any{"csrf_token": csrfToken})
return
}
if !validateCSRF(r) {
displayTmplError(w, http.StatusForbidden, "lost.html", map[string]interface{}{"error": "Invalid or missing CSRF token. Please try again."})
displayTmplError(w, http.StatusForbidden, "lost.html", map[string]any{"error": "Invalid or missing CSRF token. Please try again."})
return
}
if !validateAltcha(r) {
displayTmplError(w, http.StatusForbidden, "lost.html", map[string]any{"error": "Invalid or missing altcha response. Please try again."})
return
}
@ -111,7 +116,7 @@ func lostPassword(w http.ResponseWriter, r *http.Request) {
conn, err := myLDAP.Connect()
if err != nil || conn == nil {
log.Println(err)
displayTmplError(w, http.StatusInternalServerError, "lost.html", map[string]interface{}{"error": "Unable to process your request. Please try again later."})
displayTmplError(w, http.StatusInternalServerError, "lost.html", map[string]any{"error": "Unable to process your request. Please try again later."})
return
}
@ -162,7 +167,7 @@ func lostPassword(w http.ResponseWriter, r *http.Request) {
s, err = d.Dial()
if err != nil {
log.Println("Unable to connect to email server: " + err.Error())
displayTmplError(w, http.StatusInternalServerError, "lost.html", map[string]interface{}{"error": "Unable to send password recovery email. Please try again later."})
displayTmplError(w, http.StatusInternalServerError, "lost.html", map[string]any{"error": "Unable to send password recovery email. Please try again later."})
return
}
} else {
@ -197,7 +202,7 @@ func lostPassword(w http.ResponseWriter, r *http.Request) {
if err := gomail.Send(s, m); err != nil {
log.Println("Unable to send email: " + err.Error())
displayTmplError(w, http.StatusInternalServerError, "lost.html", map[string]interface{}{"error": "Unable to send password recovery email. Please try again later."})
displayTmplError(w, http.StatusInternalServerError, "lost.html", map[string]any{"error": "Unable to send password recovery email. Please try again later."})
return
}

30
main.go
View file

@ -5,7 +5,7 @@ import (
"encoding/json"
"flag"
"fmt"
"io/ioutil"
"io"
"log"
"net/http"
"net/url"
@ -18,6 +18,9 @@ import (
)
var myPublicURL = "https://ldap.nemunai.re"
var devMode bool
var brandName = "chldapasswd"
var brandLogo = ""
// dockerRegistrySecret is required for X-Special-Auth anonymous access.
// If empty, the feature is disabled.
@ -80,9 +83,24 @@ func main() {
var baseURL = flag.String("baseurl", "/", "URL prepended to each URL")
var configfile = flag.String("config", "", "path to the configuration file")
var publicURL = flag.String("public-url", myPublicURL, "Public base URL used in password reset emails")
var dev = flag.Bool("dev", false, "Development mode: disables HSTS and cookie Secure flag for local HTTP testing")
var bname = flag.String("brand-name", "chldapasswd", "Brand name displayed in the UI")
var blogo = flag.String("brand-logo", "", "URL of brand logo displayed in the UI (added to CSP img-src)")
flag.Parse()
myPublicURL = *publicURL
devMode = *dev
brandName = *bname
brandLogo = *blogo
if val, ok := os.LookupEnv("BRAND_NAME"); ok {
brandName = val
}
if val, ok := os.LookupEnv("BRAND_LOGO"); ok {
brandLogo = val
}
if devMode {
log.Println("WARNING: running in development mode — security features relaxed, do not use in production")
}
// Sanitize options
log.Println("Checking paths...")
@ -98,7 +116,7 @@ func main() {
if configfile != nil && *configfile != "" {
if fd, err := os.Open(*configfile); err != nil {
log.Fatal(err)
} else if cnt, err := ioutil.ReadAll(fd); err != nil {
} else if cnt, err := io.ReadAll(fd); err != nil {
log.Fatal(err)
} else if err := json.Unmarshal(cnt, &myLDAP); err != nil {
log.Fatal(err)
@ -131,7 +149,7 @@ func main() {
if val, ok := os.LookupEnv("LDAP_SERVICE_PASSWORD_FILE"); ok {
if fd, err := os.Open(val); err != nil {
log.Fatal(err)
} else if cnt, err := ioutil.ReadAll(fd); err != nil {
} else if cnt, err := io.ReadAll(fd); err != nil {
log.Fatal(err)
} else {
myLDAP.ServicePassword = string(cnt)
@ -213,6 +231,9 @@ func main() {
signal.Notify(interrupt, os.Interrupt, syscall.SIGTERM)
// Register handlers
http.HandleFunc(fmt.Sprintf("GET %s/altcha.min.js", *baseURL), serveAltchaJS)
http.HandleFunc(fmt.Sprintf("GET %s/style.css", *baseURL), serveStyleCSS)
http.HandleFunc(fmt.Sprintf("GET %s/altcha-challenge", *baseURL), serveAltchaChallenge)
http.HandleFunc(fmt.Sprintf("%s/{$}", *baseURL), changePassword)
http.HandleFunc(fmt.Sprintf("POST %s/api/v1/aliases", *baseURL), addyAliasAPI)
http.HandleFunc(fmt.Sprintf("DELETE %s/api/v1/aliases/{alias}", *baseURL), addyAliasAPIDelete)
@ -231,7 +252,8 @@ func main() {
go func() {
log.Fatal(srv.ListenAndServe())
}()
log.Println(fmt.Sprintf("Ready, listening on %s", *bind))
log.Printf("Using LDAP server at %s:%d (baseDN: %s)", myLDAP.Host, myLDAP.Port, myLDAP.BaseDN)
log.Printf("Ready, listening on %s", *bind)
// Wait shutdown signal
<-interrupt

7
reset.go
View file

@ -16,7 +16,7 @@ func resetPassword(w http.ResponseWriter, r *http.Request) {
return
}
base := map[string]interface{}{
base := map[string]any{
"login": r.URL.Query().Get("l"),
"token": r.URL.Query().Get("t"),
}
@ -44,6 +44,11 @@ func resetPassword(w http.ResponseWriter, r *http.Request) {
return
}
if !validateAltcha(r) {
renderError(http.StatusForbidden, "Invalid or missing altcha response. Please try again.")
return
}
// Check the two new passwords are identical
if r.PostFormValue("newpassword") != r.PostFormValue("new2password") {
renderError(http.StatusNotAcceptable, "New passwords are not identical. Please retry.")

42
static.go
View file

@ -5,6 +5,8 @@ import (
"html/template"
"log"
"net/http"
"net/url"
"strings"
)
func securityHeaders(next http.Handler) http.Handler {
@ -12,8 +14,19 @@ func securityHeaders(next http.Handler) http.Handler {
w.Header().Set("X-Frame-Options", "DENY")
w.Header().Set("X-Content-Type-Options", "nosniff")
w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'unsafe-inline' https://stackpath.bootstrapcdn.com; style-src https://stackpath.bootstrapcdn.com; img-src 'self'; font-src https://stackpath.bootstrapcdn.com")
w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
imgSrc := "'self' data:"
if strings.HasPrefix(brandLogo, "http://") || strings.HasPrefix(brandLogo, "https://") {
if u, err := url.Parse(brandLogo); err == nil {
imgSrc += " " + u.Scheme + "://" + u.Host
}
}
csp := "default-src 'self'; script-src 'self' 'wasm-unsafe-eval' 'unsafe-inline'; style-src 'self' 'sha256-W6z8OR2iqpPyNGe72eRXH58H75H3UVJDuwHoKA6pX98='; img-src " + imgSrc + "; worker-src blob:"
w.Header().Set("Content-Security-Policy", csp)
if !devMode {
w.Header().Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
}
next.ServeHTTP(w, r)
})
}
@ -21,7 +34,26 @@ func securityHeaders(next http.Handler) http.Handler {
//go:embed all:static
var assets embed.FS
func displayTmpl(w http.ResponseWriter, page string, vars map[string]interface{}) {
func serveStyleCSS(w http.ResponseWriter, r *http.Request) {
data, err := assets.ReadFile("static/style.css")
if err != nil {
http.NotFound(w, r)
return
}
w.Header().Set("Content-Type", "text/css; charset=utf-8")
w.Header().Set("Cache-Control", "public, max-age=3600")
w.Write(data)
}
func displayTmpl(w http.ResponseWriter, page string, vars map[string]any) {
if vars == nil {
vars = map[string]any{}
}
vars["brand_name"] = brandName
if brandLogo != "" {
vars["brand_logo"] = brandLogo
}
data, err := assets.ReadFile("static/" + page)
if err != nil {
log.Fatalf("Unable to find %q: %s", page, err.Error())
@ -43,7 +75,7 @@ func displayTmpl(w http.ResponseWriter, page string, vars map[string]interface{}
tpl.ExecuteTemplate(w, "page", vars)
}
func displayTmplError(w http.ResponseWriter, statusCode int, page string, vars map[string]interface{}) {
func displayTmplError(w http.ResponseWriter, statusCode int, page string, vars map[string]any) {
w.WriteHeader(statusCode)
displayTmpl(w, page, vars)
}
@ -56,5 +88,5 @@ func displayMsg(w http.ResponseWriter, msg string, statusCode int) {
label = "message"
}
displayTmpl(w, "message.html", map[string]interface{}{label: msg})
displayTmpl(w, "message.html", map[string]any{label: msg})
}

68
static/change.html
View file

@ -1,46 +1,46 @@
{{template "header"}}
<h1 class="display-4">Change your password <small class="text-muted">Fill the following fields!</small></h1>
{{template "header" .}}
<h1 class="page-title">Change your password</h1>
<p class="page-subtitle">Fill the following fields!</p>
<form method="post" action="change">
{{if .error}}<div class="alert alert-danger" role="alert">{{.error}}</div>{{end}}
{{if .error}}<div class="alert alert-error" role="alert">{{.error}}</div>{{end}}
<input type="hidden" name="csrf_token" value="{{ .csrf_token }}">
<div class="form-group">
<div class="form-field">
<input name="login" required="" class="form-control" id="input_0" type="text" placeholder="Login" autofocus>
</div>
<div class="form-group input-group">
<div class="form-field input-group">
<input name="password" required="" class="form-control" id="input_1" type="password" placeholder="Current password">
<div class="input-group-append">
<button class="btn btn-outline-secondary" type="button" onclick="document.getElementById('input_1').type = document.getElementById('input_1').type=='password'?'text':'password'">
<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-eye" viewBox="0 0 16 16">
<path d="M16 8s-3-5.5-8-5.5S0 8 0 8s3 5.5 8 5.5S16 8 16 8zM1.173 8a13.133 13.133 0 0 1 1.66-2.043C4.12 4.668 5.88 3.5 8 3.5c2.12 0 3.879 1.168 5.168 2.457A13.133 13.133 0 0 1 14.828 8c-.058.087-.122.183-.195.288-.335.48-.83 1.12-1.465 1.755C11.879 11.332 10.119 12.5 8 12.5c-2.12 0-3.879-1.168-5.168-2.457A13.134 13.134 0 0 1 1.172 8z"/>
<path d="M8 5.5a2.5 2.5 0 1 0 0 5 2.5 2.5 0 0 0 0-5zM4.5 8a3.5 3.5 0 1 1 7 0 3.5 3.5 0 0 1-7 0z"/>
</svg>
</button>
</div>
<button class="btn-toggle-password" type="button" onclick="var i=document.getElementById('input_1');i.type=i.type=='password'?'text':'password'">
<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16">
<path d="M16 8s-3-5.5-8-5.5S0 8 0 8s3 5.5 8 5.5S16 8 16 8zM1.173 8a13.133 13.133 0 0 1 1.66-2.043C4.12 4.668 5.88 3.5 8 3.5c2.12 0 3.879 1.168 5.168 2.457A13.133 13.133 0 0 1 14.828 8c-.058.087-.122.183-.195.288-.335.48-.83 1.12-1.465 1.755C11.879 11.332 10.119 12.5 8 12.5c-2.12 0-3.879-1.168-5.168-2.457A13.134 13.134 0 0 1 1.172 8z"/>
<path d="M8 5.5a2.5 2.5 0 1 0 0 5 2.5 2.5 0 0 0 0-5zM4.5 8a3.5 3.5 0 1 1 7 0 3.5 3.5 0 0 1-7 0z"/>
</svg>
</button>
</div>
<div class="form-group input-group">
<div class="form-field input-group">
<input name="newpassword" required="" class="form-control" id="input_2" type="password" placeholder="New password">
<div class="input-group-append">
<button class="btn btn-outline-secondary" type="button" onclick="document.getElementById('input_2').type = document.getElementById('input_2').type=='password'?'text':'password'">
<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-eye" viewBox="0 0 16 16">
<path d="M16 8s-3-5.5-8-5.5S0 8 0 8s3 5.5 8 5.5S16 8 16 8zM1.173 8a13.133 13.133 0 0 1 1.66-2.043C4.12 4.668 5.88 3.5 8 3.5c2.12 0 3.879 1.168 5.168 2.457A13.133 13.133 0 0 1 14.828 8c-.058.087-.122.183-.195.288-.335.48-.83 1.12-1.465 1.755C11.879 11.332 10.119 12.5 8 12.5c-2.12 0-3.879-1.168-5.168-2.457A13.134 13.134 0 0 1 1.172 8z"/>
<path d="M8 5.5a2.5 2.5 0 1 0 0 5 2.5 2.5 0 0 0 0-5zM4.5 8a3.5 3.5 0 1 1 7 0 3.5 3.5 0 0 1-7 0z"/>
</svg>
</button>
</div>
<button class="btn-toggle-password" type="button" onclick="var i=document.getElementById('input_2');i.type=i.type=='password'?'text':'password'">
<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16">
<path d="M16 8s-3-5.5-8-5.5S0 8 0 8s3 5.5 8 5.5S16 8 16 8zM1.173 8a13.133 13.133 0 0 1 1.66-2.043C4.12 4.668 5.88 3.5 8 3.5c2.12 0 3.879 1.168 5.168 2.457A13.133 13.133 0 0 1 14.828 8c-.058.087-.122.183-.195.288-.335.48-.83 1.12-1.465 1.755C11.879 11.332 10.119 12.5 8 12.5c-2.12 0-3.879-1.168-5.168-2.457A13.134 13.134 0 0 1 1.172 8z"/>
<path d="M8 5.5a2.5 2.5 0 1 0 0 5 2.5 2.5 0 0 0 0-5zM4.5 8a3.5 3.5 0 1 1 7 0 3.5 3.5 0 0 1-7 0z"/>
</svg>
</button>
</div>
<div class="form-group input-group">
<div class="form-field input-group">
<input name="new2password" required="" class="form-control" id="input_3" type="password" placeholder="Retype new password">
<div class="input-group-append">
<button class="btn btn-outline-secondary" type="button" onclick="document.getElementById('input_3').type = document.getElementById('input_3').type=='password'?'text':'password'">
<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" class="bi bi-eye" viewBox="0 0 16 16">
<path d="M16 8s-3-5.5-8-5.5S0 8 0 8s3 5.5 8 5.5S16 8 16 8zM1.173 8a13.133 13.133 0 0 1 1.66-2.043C4.12 4.668 5.88 3.5 8 3.5c2.12 0 3.879 1.168 5.168 2.457A13.133 13.133 0 0 1 14.828 8c-.058.087-.122.183-.195.288-.335.48-.83 1.12-1.465 1.755C11.879 11.332 10.119 12.5 8 12.5c-2.12 0-3.879-1.168-5.168-2.457A13.134 13.134 0 0 1 1.172 8z"/>
<path d="M8 5.5a2.5 2.5 0 1 0 0 5 2.5 2.5 0 0 0 0-5zM4.5 8a3.5 3.5 0 1 1 7 0 3.5 3.5 0 0 1-7 0z"/>
</svg>
</button>
</div>
<button class="btn-toggle-password" type="button" onclick="var i=document.getElementById('input_3');i.type=i.type=='password'?'text':'password'">
<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16" fill="currentColor" viewBox="0 0 16 16">
<path d="M16 8s-3-5.5-8-5.5S0 8 0 8s3 5.5 8 5.5S16 8 16 8zM1.173 8a13.133 13.133 0 0 1 1.66-2.043C4.12 4.668 5.88 3.5 8 3.5c2.12 0 3.879 1.168 5.168 2.457A13.133 13.133 0 0 1 14.828 8c-.058.087-.122.183-.195.288-.335.48-.83 1.12-1.465 1.755C11.879 11.332 10.119 12.5 8 12.5c-2.12 0-3.879-1.168-5.168-2.457A13.134 13.134 0 0 1 1.172 8z"/>
<path d="M8 5.5a2.5 2.5 0 1 0 0 5 2.5 2.5 0 0 0 0-5zM4.5 8a3.5 3.5 0 1 1 7 0 3.5 3.5 0 0 1-7 0z"/>
</svg>
</button>
</div>
<div class="form-field">
<altcha-widget challengeurl="altcha-challenge"></altcha-widget>
</div>
<div class="btn-group">
<button class="btn btn-primary" type="submit">Change my password</button>
<a href="/lost" class="btn btn-secondary">Forgot your password?</a>
</div>
<button class="btn btn-primary" type="submit">Change my password</button>
<a href="/lost" class="btn btn-outline-secondary">Forgot your password?</a>
</form>
{{template "footer"}}
{{template "footer" .}}

1
static/footer.html
View file

@ -1,5 +1,4 @@
{{define "footer"}}
</div>
</div>
</body>
</html>

26
static/header.html
View file

@ -1,17 +1,17 @@
{{define "header"}}
<!doctype html>
<html lang="en">
<head>
<!-- Required meta tags -->
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<!-- Bootstrap CSS -->
<link rel="stylesheet" href="https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/css/bootstrap.min.css" integrity="sha384-MCw98/SFnGE8fJT3GXwEOngsV7Zt27NXFoaoApmYm81iuXoPkFOJwJ8ERdknLPMO" crossorigin="anonymous">
<title>nemunai.re password change</title>
</head>
<body>
<div class="container">
<div class="jumbotron">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>{{if .brand_name}}{{.brand_name}} - {{end}}Password management</title>
<link rel="stylesheet" href="style.css">
<script src="altcha.min.js" type="module" async defer></script>
</head>
<body>
<div class="card{{if .card_wide}} card-wide{{end}}">
<div class="brand">
{{if .brand_logo}}<img src="{{.brand_logo}}" alt="" class="brand-logo">{{end}}
<span class="brand-name">{{if .brand_name}}{{.brand_name}}{{else}}Password management{{end}}</span>
</div>
{{end}}

24
static/login.html
View file

@ -1,15 +1,21 @@
{{template "header"}}
<h1 class="display-4">Sign in <small class="text-muted">Don't have an account? <a href="/register">Create one!</a></small></h1>
{{template "header" .}}
<h1 class="page-title">Sign in</h1>
<p class="page-subtitle">Don't have an account? <a href="/register">Create one!</a></p>
<form method="post" action="login">
{{if .error}}<div class="alert alert-danger" role="alert">{{.error}}</div>{{end}}
<div class="form-group">
{{if .error}}<div class="alert alert-error" role="alert">{{.error}}</div>{{end}}
<div class="form-field">
<input name="login" required="" class="form-control" id="input_0" type="text" placeholder="Login" autofocus>
</div>
<div class="form-group">
<div class="form-field">
<input name="password" required="" class="form-control" id="input_1" type="password" placeholder="Current password">
</div>
<button class="btn btn-primary" type="submit">Sign in</button>
<a href="/lost" class="btn btn-outline-secondary">Forgot your password?</a>
</form>
{{template "footer"}}
<div class="form-field">
<altcha-widget challengeurl="altcha-challenge"></altcha-widget>
</div>
<div class="btn-group">
<button class="btn btn-primary" type="submit">Sign in</button>
<a href="/lost" class="btn btn-secondary">Forgot your password?</a>
</div>
</form>
{{template "footer" .}}

20
static/lost.html
View file

@ -1,13 +1,19 @@
{{template "header"}}
<h1 class="display-4">Forgot your password? <small class="text-muted">We'll send you a link by e-mail to reset it!</small></h1>
{{template "header" .}}
<h1 class="page-title">Forgot your password?</h1>
<p class="page-subtitle">We'll send you a link by e-mail to reset it!</p>
<form method="post" action="lost">
{{if .error}}<div class="alert alert-danger" role="alert">{{.error}}</div>{{end}}
{{if .error}}<div class="alert alert-error" role="alert">{{.error}}</div>{{end}}
<input type="hidden" name="csrf_token" value="{{ .csrf_token }}">
<div class="form-group">
<div class="form-field">
<input name="login" required="" class="form-control" id="input_0" type="text" placeholder="Login" autofocus>
</div>
<button class="btn btn-primary" type="submit">Reset my password</button>
<a href="/change" class="btn btn-outline-success">Just want to change your password?</a>
<div class="form-field">
<altcha-widget challengeurl="altcha-challenge"></altcha-widget>
</div>
<div class="btn-group">
<button class="btn btn-primary" type="submit">Reset my password</button>
<a href="/change" class="btn btn-secondary">Just want to change your password?</a>
</div>
</form>
{{template "footer"}}
{{template "footer" .}}

12
static/message.html
View file

@ -1,5 +1,7 @@
{{template "header"}}
{{if .message}}<div class="alert alert-success">{{.message}}</div>{{end}}
{{if .error}}<div class="alert alert-danger">{{.error}}</div>{{end}}
{{if .details}}<p>{{.details}}</p>{{end}}
{{template "footer"}}
{{template "header" .}}
<div class="message-page">
{{if .message}}<div class="alert alert-success">{{.message}}</div>{{end}}
{{if .error}}<div class="alert alert-error">{{.error}}</div>{{end}}
{{if .details}}<p class="details-text">{{.details}}</p>{{end}}
</div>
{{template "footer" .}}

76
static/profile.html Normal file
View file

@ -0,0 +1,76 @@
{{template "header" .}}
<h1 class="page-title">Welcome, {{.login}}</h1>
<nav class="tabs">
<button class="tab-btn active" onclick="showTab(this,'account')">Account</button>
{{if or .emails .aliases}}<button class="tab-btn" onclick="showTab(this,'email')">Email &amp; Aliases</button>{{end}}
<button class="tab-btn" onclick="showTab(this,'api')">API</button>
</nav>
<div id="tab-account" class="tab-panel">
{{if .fields}}
<table class="info-table">
{{range .fields}}
<tr>
<th>{{.Label}}</th>
<td>{{.Value}}</td>
</tr>
{{end}}
</table>
{{else}}
<p class="section-empty">No account information available.</p>
{{end}}
</div>
{{if or .emails .aliases}}
<div id="tab-email" class="tab-panel hidden">
{{if .emails}}
<h3 class="section-title">Email addresses</h3>
<ul class="email-list">
{{range .emails}}
<li>{{.}}</li>
{{end}}
</ul>
{{end}}
{{if .aliases}}
<h3 class="section-title">Disposable aliases</h3>
<ul class="alias-list">
{{range .aliases}}
<li id="{{.ElemID}}" class="alias-item">
<span class="alias-value">{{.Value}}</span>
<button class="btn btn-danger btn-sm"
data-alias="{{.URLSafe}}"
data-token="{{.Token}}"
data-elem="{{.ElemID}}"
onclick="deleteAlias(this)">Delete</button>
</li>
{{end}}
</ul>
{{end}}
</div>
{{end}}
<div id="tab-api" class="tab-panel hidden">
<p class="section-desc">Use this token to authenticate with the Addy.io-compatible alias API:</p>
<div class="api-token-box">{{.api_token}}</div>
<p class="section-desc">Endpoint: <code>POST /api/v1/aliases</code><code>DELETE /api/v1/aliases/{alias}</code></p>
<p class="section-desc">Set the <code>Authorization: Bearer &lt;token&gt;</code> header on each request.</p>
</div>
<script>
function showTab(btn, name) {
document.querySelectorAll('.tab-panel').forEach(function(p) { p.classList.add('hidden'); });
document.querySelectorAll('.tab-btn').forEach(function(b) { b.classList.remove('active'); });
document.getElementById('tab-' + name).classList.remove('hidden');
btn.classList.add('active');
}
function deleteAlias(btn) {
fetch('/api/v1/aliases/' + btn.dataset.alias, {
method: 'DELETE',
headers: {'Authorization': 'Bearer ' + btn.dataset.token}
}).then(function(r) {
if (r.ok) document.getElementById(btn.dataset.elem).remove();
});
}
</script>
{{template "footer" .}}

22
static/reset.html
View file

@ -1,20 +1,26 @@
{{template "header"}}
<h1 class="display-4">Forgot your password? <small class="text-muted">Define a new one!</small></h1>
{{template "header" .}}
<h1 class="page-title">Forgot your password?</h1>
<p class="page-subtitle">Define a new one!</p>
<form method="post" action="reset">
{{if .error}}<div class="alert alert-danger" role="alert">{{.error}}</div>{{end}}
{{if .error}}<div class="alert alert-error" role="alert">{{.error}}</div>{{end}}
<input type="hidden" name="csrf_token" value="{{ .csrf_token }}">
<div class="form-group">
<div class="form-field">
<input required="" class="form-control" id="input_0" type="text" placeholder="Email" value="{{ .login }}" disabled="">
</div>
<input type="hidden" name="login" value="{{ .login }}">
<input type="hidden" name="token" value="{{ .token }}">
<div class="form-group">
<div class="form-field">
<input autofocus name="newpassword" required="" class="form-control" id="input_2" type="password" placeholder="New password">
</div>
<div class="form-group">
<div class="form-field">
<input name="new2password" required="" class="form-control" id="input_3" type="password" placeholder="Retype new password">
</div>
<button class="btn btn-primary" type="submit">Reset my password</button>
<div class="form-field">
<altcha-widget challengeurl="altcha-challenge"></altcha-widget>
</div>
<div class="btn-group">
<button class="btn btn-primary" type="submit">Reset my password</button>
</div>
</form>
{{template "footer"}}
{{template "footer" .}}

479
static/style.css Normal file
View file

@ -0,0 +1,479 @@
/* ============================================================
CSS custom properties
============================================================ */
:root {
--bg: #f4f6f9;
--card-bg: #ffffff;
--card-shadow: 0 4px 24px rgba(0,0,0,.10);
--text: #1a1d23;
--text-muted: #6b7280;
--border: #d1d5db;
--input-bg: #ffffff;
--input-focus-border: #4f46e5;
--input-focus-shadow: 0 0 0 3px rgba(79,70,229,.15);
--btn-primary-bg: #4f46e5;
--btn-primary-hover: #4338ca;
--btn-secondary-bg: #f3f4f6;
--btn-secondary-hover: #e5e7eb;
--btn-secondary-text: #374151;
--alert-error-bg: #fef2f2;
--alert-error-border: #fca5a5;
--alert-error-text: #991b1b;
--alert-success-bg: #f0fdf4;
--alert-success-border: #86efac;
--alert-success-text: #166534;
--brand-border: #e5e7eb;
}
@media (prefers-color-scheme: dark) {
:root {
--bg: #0f1117;
--card-bg: #1e2130;
--card-shadow: 0 4px 24px rgba(0,0,0,.40);
--text: #e5e7eb;
--text-muted: #9ca3af;
--border: #374151;
--input-bg: #111827;
--input-focus-border: #6366f1;
--input-focus-shadow: 0 0 0 3px rgba(99,102,241,.20);
--btn-primary-bg: #6366f1;
--btn-primary-hover: #4f46e5;
--btn-secondary-bg: #374151;
--btn-secondary-hover: #4b5563;
--btn-secondary-text: #d1d5db;
--alert-error-bg: #3b1515;
--alert-error-border: #7f1d1d;
--alert-error-text: #fca5a5;
--alert-success-bg: #052e16;
--alert-success-border: #14532d;
--alert-success-text: #86efac;
--brand-border: #374151;
}
}
/* ============================================================
Base
============================================================ */
*, *::before, *::after {
box-sizing: border-box;
margin: 0;
padding: 0;
}
body {
font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Roboto, Helvetica, Arial, sans-serif;
font-size: 16px;
line-height: 1.6;
background: var(--bg);
color: var(--text);
min-height: 100vh;
display: flex;
align-items: center;
justify-content: center;
padding: 1rem;
}
/* ============================================================
Card
============================================================ */
.card {
background: var(--card-bg);
border-radius: 12px;
box-shadow: var(--card-shadow);
padding: 2rem 2.5rem;
width: 100%;
max-width: 440px;
}
/* ============================================================
Brand
============================================================ */
.brand {
display: flex;
align-items: center;
gap: 0.625rem;
padding-bottom: 1.25rem;
margin-bottom: 1.5rem;
border-bottom: 1px solid var(--brand-border);
}
.brand-logo {
height: 2rem;
width: auto;
object-fit: contain;
}
.brand-name {
font-size: 1.125rem;
font-weight: 700;
letter-spacing: -0.01em;
color: var(--text);
}
/* ============================================================
Page title / subtitle
============================================================ */
.page-title {
font-size: 1.375rem;
font-weight: 700;
letter-spacing: -0.02em;
margin-bottom: 0.25rem;
}
.page-subtitle {
font-size: 0.9rem;
color: var(--text-muted);
margin-bottom: 1.5rem;
}
.page-subtitle a {
color: var(--btn-primary-bg);
text-decoration: none;
}
.page-subtitle a:hover {
text-decoration: underline;
}
/* ============================================================
Alerts
============================================================ */
.alert {
border-radius: 8px;
padding: 0.75rem 1rem;
font-size: 0.9rem;
margin-bottom: 1rem;
border: 1px solid transparent;
}
.alert-error {
background: var(--alert-error-bg);
border-color: var(--alert-error-border);
color: var(--alert-error-text);
}
.alert-success {
background: var(--alert-success-bg);
border-color: var(--alert-success-border);
color: var(--alert-success-text);
}
/* ============================================================
Forms
============================================================ */
.form-field {
margin-bottom: 1rem;
}
.form-control {
display: block;
width: 100%;
padding: 0.625rem 0.875rem;
font-size: 0.9375rem;
font-family: inherit;
background: var(--input-bg);
color: var(--text);
border: 1px solid var(--border);
border-radius: 8px;
transition: border-color .15s, box-shadow .15s;
outline: none;
-webkit-appearance: none;
}
.form-control:focus {
border-color: var(--input-focus-border);
box-shadow: var(--input-focus-shadow);
}
.form-control::placeholder {
color: var(--text-muted);
}
.form-control:disabled {
opacity: 0.6;
cursor: not-allowed;
}
/* Input group with toggle button */
.input-group {
position: relative;
}
.input-group .form-control {
padding-right: 3rem;
}
.btn-toggle-password {
position: absolute;
right: 0;
top: 0;
height: 100%;
width: 2.75rem;
display: flex;
align-items: center;
justify-content: center;
background: transparent;
border: none;
cursor: pointer;
color: var(--text-muted);
border-radius: 0 8px 8px 0;
transition: color .15s;
padding: 0;
}
.btn-toggle-password:hover {
color: var(--text);
}
/* ============================================================
Buttons
============================================================ */
.btn {
display: inline-flex;
align-items: center;
justify-content: center;
padding: 0.625rem 1.25rem;
font-size: 0.9375rem;
font-family: inherit;
font-weight: 500;
border-radius: 8px;
border: 1px solid transparent;
cursor: pointer;
text-decoration: none;
transition: background .15s, color .15s, border-color .15s, box-shadow .15s;
white-space: nowrap;
}
.btn-primary {
background: var(--btn-primary-bg);
color: #ffffff;
border-color: var(--btn-primary-bg);
}
.btn-primary:hover {
background: var(--btn-primary-hover);
border-color: var(--btn-primary-hover);
}
.btn-secondary {
background: var(--btn-secondary-bg);
color: var(--btn-secondary-text);
border-color: var(--border);
}
.btn-secondary:hover {
background: var(--btn-secondary-hover);
}
.btn-group {
display: flex;
flex-wrap: wrap;
gap: 0.75rem;
margin-top: 1.5rem;
}
/* ============================================================
Message page
============================================================ */
.message-page {
padding: 0.5rem 0;
}
.details-text {
color: var(--text-muted);
font-size: 0.9rem;
margin-top: 0.75rem;
}
/* ============================================================
altcha widget
============================================================ */
.form-field altcha-widget {
display: block;
}
/* ============================================================
Card wide (profile page)
============================================================ */
.card-wide {
max-width: 680px;
}
/* ============================================================
Tabs
============================================================ */
.tabs {
display: flex;
gap: 0.25rem;
border-bottom: 2px solid var(--border);
margin-bottom: 1.5rem;
}
.tab-btn {
padding: 0.5rem 1rem;
font-size: 0.9rem;
font-family: inherit;
font-weight: 500;
background: transparent;
border: none;
border-bottom: 2px solid transparent;
margin-bottom: -2px;
cursor: pointer;
color: var(--text-muted);
border-radius: 4px 4px 0 0;
transition: color .15s, border-color .15s;
}
.tab-btn:hover {
color: var(--text);
}
.tab-btn.active {
color: var(--btn-primary-bg);
border-bottom-color: var(--btn-primary-bg);
}
.tab-panel.hidden {
display: none;
}
/* ============================================================
Profile: Account tab
============================================================ */
.info-table {
width: 100%;
border-collapse: collapse;
font-size: 0.9rem;
}
.info-table th,
.info-table td {
padding: 0.5rem 0.625rem;
text-align: left;
border-bottom: 1px solid var(--border);
vertical-align: top;
}
.info-table th {
width: 38%;
color: var(--text-muted);
font-weight: 500;
white-space: nowrap;
}
.info-table tr:last-child th,
.info-table tr:last-child td {
border-bottom: none;
}
.section-empty {
color: var(--text-muted);
font-size: 0.9rem;
}
/* ============================================================
Profile: Email & Aliases tab
============================================================ */
.section-title {
font-size: 0.8125rem;
font-weight: 600;
text-transform: uppercase;
letter-spacing: 0.05em;
color: var(--text-muted);
margin-bottom: 0.625rem;
}
.section-title + .section-title,
.email-list + .section-title,
.alias-list + .section-title {
margin-top: 1.25rem;
}
.email-list {
list-style: none;
margin-bottom: 0.5rem;
}
.email-list li {
padding: 0.4rem 0;
border-bottom: 1px solid var(--border);
font-size: 0.9rem;
}
.email-list li:last-child {
border-bottom: none;
}
.alias-list {
list-style: none;
}
.alias-item {
display: flex;
align-items: center;
justify-content: space-between;
gap: 0.75rem;
padding: 0.4rem 0;
border-bottom: 1px solid var(--border);
}
.alias-item:last-child {
border-bottom: none;
}
.alias-value {
font-size: 0.875rem;
word-break: break-all;
}
/* ============================================================
Profile: API tab
============================================================ */
.api-token-box {
font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace;
font-size: 0.8125rem;
background: var(--input-bg);
border: 1px solid var(--border);
border-radius: 8px;
padding: 0.75rem 1rem;
word-break: break-all;
margin: 0.75rem 0;
user-select: all;
}
.section-desc {
font-size: 0.875rem;
color: var(--text-muted);
margin-bottom: 0.5rem;
}
.section-desc code {
font-family: ui-monospace, SFMono-Regular, Menlo, Monaco, Consolas, monospace;
font-size: 0.8125rem;
background: var(--btn-secondary-bg);
padding: 0.1em 0.35em;
border-radius: 4px;
color: var(--text);
}
/* ============================================================
Button variants
============================================================ */
.btn-danger {
background: #dc2626;
color: #ffffff;
border-color: #dc2626;
}
.btn-danger:hover {
background: #b91c1c;
border-color: #b91c1c;
}
.btn-sm {
padding: 0.3rem 0.75rem;
font-size: 0.8125rem;
border-radius: 6px;
white-space: nowrap;
flex-shrink: 0;
}