feature/security-recovery-support #16

Merged

patillacode merged 23 commits from feature/security-recovery-support into main 2026-04-28 16:23:04 +02:00

Conversation 0 Commits 23 Files changed 36 +1307 -264

patillacode commented 2026-04-28 14:07:00 +02:00

Owner

Copy link

Adding recovery codes, forgot-password, legal pages, landing polish

Summary

• Recovery codes: users can generate one-time recovery codes at signup and regenerate them from the security
  settings tab; codes are hashed at rest, rate-limited, and CSRF-protected
• Forgot-password flow: self-service password reset via recovery code (no email required); invalidates all
  existing sessions on success
• Legal pages: Privacy Policy (/privacy) and Terms of Service (/terms) with bot-proof email obfuscation;
  linked from footer and signup consent line
• Admin cleanup: removed password reset from the admin panel (users now own their own recovery path); removed
  the associated hidden form and route
• Landing page redesign: free-forever pricing block, feature sections styled as cards, auth-aware hero CTAs,
  Ko-fi support button, footer with Privacy/Terms links
• Auth page polish: login, signup, forgot-password, and signup-closed pages get the logo + wordmark header,
  consistent accent-colored links, and i18n coverage
• i18n: full Spanish/English coverage for all new strings (recovery, auth, legal, landing pricing)
• CSS cleanup: extracted inline styles to static files, fixed .btn-danger sizing regression, added
  .card-brand, .login__subtitle, .legal-* component classes

Adding recovery codes, forgot-password, legal pages, landing polish **Summary** - **Recovery codes**: users can generate one-time recovery codes at signup and regenerate them from the security settings tab; codes are hashed at rest, rate-limited, and CSRF-protected - **Forgot-password flow**: self-service password reset via recovery code (no email required); invalidates all existing sessions on success - **Legal pages**: Privacy Policy (/privacy) and Terms of Service (/terms) with bot-proof email obfuscation; linked from footer and signup consent line - **Admin cleanup**: removed password reset from the admin panel (users now own their own recovery path); removed the associated hidden form and route - **Landing page redesign**: free-forever pricing block, feature sections styled as cards, auth-aware hero CTAs, Ko-fi support button, footer with Privacy/Terms links - **Auth page polish**: login, signup, forgot-password, and signup-closed pages get the logo + wordmark header, consistent accent-colored links, and i18n coverage - **i18n**: full Spanish/English coverage for all new strings (recovery, auth, legal, landing pricing) - **CSS cleanup**: extracted inline styles to static files, fixed `.btn-danger` sizing regression, added `.card-brand`, `.login__subtitle`, `.legal-*` component classes

patillacode added 12 commits 2026-04-28 14:07:01 +02:00

remove admin password reset route and template fe03fbb8f3

feat: add RecoveryCode model and recovery utilities 6e395f4a42

add RecoveryCode model and recovery utilities dfffcf94dd

feat: add forgot-password and recovery code routes ... 1cf1d2b173

- GET/POST /forgot-password: reset password via recovery code (rate-limited, login-CSRF protected)
- GET/POST /signup: self-registration, generates 12 recovery codes on success
- GET /account/recovery-codes: shows codes once via signed flash cookie, then clears them
- POST /account/recovery-codes/regenerate: regenerates codes after password verification
- GET /account: adds recovery_remaining count to security tab context
- app/recovery_flash.py: signed cookie helper for one-time code display
- Stub templates for signup, forgot_password, recovery_codes
- 17 new route tests, all 177 passing

add recovery code routes, forgot-password flow, account recovery pages 952c226415

feat: build proper templates for recovery code feature ... 50bdf47d1e

Complete recovery_codes.html (one-time display + revisit views), security.html (password + recovery section), forgot_password.html, signup.html (with confirm-password validation), and add forgot-password link to login.html.

fix recovery codes template: unnest page_scripts block, fix accessible button, remove dead JS var bee25dd4dc

add Ko-fi donation links and free-forever pricing block 548ecdfd57

move show_donation_prompts to feature-flags group in settings 28e59f93e1

add Ko-fi support badge to README b5cd5f13b6

add privacy policy and terms of use pages 564b610a1b

polish: verify CSRF/rate-limiting on recovery routes, add i18n strings 737d57e4e3

patillacode added 1 commit 2026-04-28 14:19:01 +02:00

merge origin/main into feature/security-recovery-support afaaf91dcf

patillacode added 1 commit 2026-04-28 14:47:29 +02:00

wip d8abe284df

patillacode added 1 commit 2026-04-28 15:06:00 +02:00

wip 2cd97a9569

patillacode added 1 commit 2026-04-28 15:10:44 +02:00

wip e9853e5a22

patillacode added 1 commit 2026-04-28 15:12:23 +02:00

wip 6dd561051d

patillacode added 1 commit 2026-04-28 15:14:48 +02:00

wip 8702542233

patillacode added 2 commits 2026-04-28 15:27:21 +02:00

wip 0504367ad9

wip 0a5af91cb6

patillacode added 1 commit 2026-04-28 15:44:27 +02:00

wip fcc5c4c32a

patillacode added 1 commit 2026-04-28 16:04:56 +02:00

wip afe5f9ab63

patillacode added 1 commit 2026-04-28 16:13:30 +02:00

wip e2c56289d7

patillacode merged commit a57f275727 into main 2026-04-28 16:23:04 +02:00

patillacode deleted branch feature/security-recovery-support 2026-04-28 16:23:04 +02:00

patillacode referenced this pull request from a commit 2026-04-28 16:23:05 +02:00

feature/security-recovery-support (#16)

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

patillacode/piruetas!16

No description provided.