fix: close all bincio-auth migration holes
Pages (register, reset-password, invites) now redirect to bincio.org like login already did. Admin user-state ops (reset-password-code, suspend, unsuspend, delete account) are proxied to bincio-auth via httpx so they write to the correct DB. Adds BINCIO_AUTH_API env var.
This commit is contained in:
Davide Scaini
@@ -1,158 +1,6 @@
|
||||
---
|
||||
import Base from '../../layouts/Base.astro';
|
||||
const authUrl = import.meta.env.PUBLIC_AUTH_URL ?? '';
|
||||
const target = authUrl ? authUrl + '/invites/' : '/';
|
||||
---
|
||||
<Base title="Invites — Bincio">
|
||||
<div class="max-w-lg mx-auto mt-12 px-4">
|
||||
<div class="flex items-center justify-between mb-4">
|
||||
<h1 class="text-2xl font-bold text-white">Your invites</h1>
|
||||
<button id="gen-btn"
|
||||
class="px-4 py-2 rounded-lg bg-[--accent] hover:opacity-90 text-white text-sm font-medium transition-opacity">
|
||||
Generate invite
|
||||
</button>
|
||||
</div>
|
||||
|
||||
<!-- Activity toggle: only shown for users who have activity_access -->
|
||||
<div id="activity-toggle-row" style="display:none" class="mb-6">
|
||||
<label class="flex items-center gap-2 cursor-pointer select-none group">
|
||||
<input id="grants-activity" type="checkbox"
|
||||
class="w-4 h-4 rounded accent-[--accent] cursor-pointer" />
|
||||
<span class="text-sm text-zinc-400 group-hover:text-zinc-300 transition-colors">
|
||||
Include activity access
|
||||
</span>
|
||||
<span class="text-xs text-zinc-600">(wiki + activity)</span>
|
||||
</label>
|
||||
</div>
|
||||
|
||||
<p id="invite-error" class="text-red-400 text-sm mb-4 hidden"></p>
|
||||
|
||||
<ul id="invite-list" class="space-y-3">
|
||||
<li class="text-zinc-500 text-sm">Loading…</li>
|
||||
</ul>
|
||||
</div>
|
||||
</Base>
|
||||
|
||||
<script>
|
||||
const listEl = document.getElementById('invite-list')!;
|
||||
const errEl = document.getElementById('invite-error')!;
|
||||
const toggleRow = document.getElementById('activity-toggle-row') as HTMLElement;
|
||||
const grantsActivityChk = document.getElementById('grants-activity') as HTMLInputElement;
|
||||
|
||||
type Invite = {
|
||||
code: string;
|
||||
used: boolean;
|
||||
used_by: string | null;
|
||||
created_at: number;
|
||||
grants_activity: boolean;
|
||||
};
|
||||
|
||||
function renderInvite(inv: Invite) {
|
||||
const li = document.createElement('li');
|
||||
li.className = 'flex items-center justify-between rounded-xl bg-zinc-900 border border-zinc-800 px-4 py-3';
|
||||
|
||||
const date = new Date(inv.created_at * 1000).toLocaleDateString('en-GB', { day: 'numeric', month: 'short', year: 'numeric' });
|
||||
const registerUrl = `${window.location.origin}/register/?code=${inv.code}`;
|
||||
const badge = inv.grants_activity
|
||||
? `<span class="text-xs px-2 py-0.5 rounded-full bg-zinc-800 text-zinc-400 border border-zinc-700">wiki + activity</span>`
|
||||
: `<span class="text-xs px-2 py-0.5 rounded-full bg-zinc-800 text-zinc-600 border border-zinc-700">wiki only</span>`;
|
||||
|
||||
li.innerHTML = `
|
||||
<div class="flex-1 min-w-0">
|
||||
<div class="flex items-center gap-2 flex-wrap">
|
||||
<span class="font-mono text-lg tracking-widest ${inv.used ? 'text-zinc-600 line-through' : 'text-white'}">${inv.code}</span>
|
||||
${badge}
|
||||
</div>
|
||||
<p class="text-xs text-zinc-500 mt-0.5">
|
||||
${inv.used ? `Used by @${inv.used_by}` : `Created ${date}`}
|
||||
</p>
|
||||
</div>
|
||||
${!inv.used ? `
|
||||
<button data-link="${registerUrl}"
|
||||
class="copy-btn ml-3 shrink-0 text-xs px-3 py-1.5 rounded-lg bg-zinc-800 hover:bg-zinc-700 text-zinc-300 transition-colors">
|
||||
Copy link
|
||||
</button>
|
||||
` : ''}
|
||||
`;
|
||||
return li;
|
||||
}
|
||||
|
||||
function fallbackCopy(text: string, done: () => void) {
|
||||
const ta = document.createElement('textarea');
|
||||
ta.value = text;
|
||||
ta.style.cssText = 'position:fixed;opacity:0;top:0;left:0';
|
||||
document.body.appendChild(ta);
|
||||
ta.focus();
|
||||
ta.select();
|
||||
try { document.execCommand('copy'); done(); } catch (_) {}
|
||||
document.body.removeChild(ta);
|
||||
}
|
||||
|
||||
async function loadInvites() {
|
||||
try {
|
||||
const r = await fetch('/api/invites', { credentials: 'include' });
|
||||
if (r.status === 401) {
|
||||
window.location.href = `/login/?next=${encodeURIComponent(window.location.pathname)}`;
|
||||
return;
|
||||
}
|
||||
if (!r.ok) throw new Error(`HTTP ${r.status}`);
|
||||
const invites: Invite[] = await r.json();
|
||||
listEl.innerHTML = '';
|
||||
if (invites.length === 0) {
|
||||
listEl.innerHTML = '<li class="text-zinc-500 text-sm">No invites yet.</li>';
|
||||
return;
|
||||
}
|
||||
for (const inv of invites) listEl.appendChild(renderInvite(inv));
|
||||
|
||||
listEl.querySelectorAll('.copy-btn').forEach(btn => {
|
||||
btn.addEventListener('click', () => {
|
||||
const text = (btn as HTMLElement).dataset.link ?? '';
|
||||
const done = () => {
|
||||
btn.textContent = 'Copied!';
|
||||
setTimeout(() => { btn.textContent = 'Copy link'; }, 2000);
|
||||
};
|
||||
if (navigator.clipboard) {
|
||||
navigator.clipboard.writeText(text).then(done).catch(() => fallbackCopy(text, done));
|
||||
} else {
|
||||
fallbackCopy(text, done);
|
||||
}
|
||||
});
|
||||
});
|
||||
} catch (e: any) {
|
||||
errEl.textContent = e.message;
|
||||
errEl.classList.remove('hidden');
|
||||
}
|
||||
}
|
||||
|
||||
// Show activity toggle only for users who have activity access
|
||||
fetch('/api/me', { credentials: 'include' })
|
||||
.then(async r => {
|
||||
if (!r.ok) return;
|
||||
const user = await r.json();
|
||||
if (user.activity_access) toggleRow.style.display = '';
|
||||
})
|
||||
.catch(() => {});
|
||||
|
||||
document.getElementById('gen-btn')?.addEventListener('click', async () => {
|
||||
errEl.classList.add('hidden');
|
||||
const grantsActivity = grantsActivityChk?.checked ?? false;
|
||||
try {
|
||||
const r = await fetch('/api/invites', {
|
||||
method: 'POST',
|
||||
credentials: 'include',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify({ grants_activity: grantsActivity }),
|
||||
});
|
||||
if (!r.ok) {
|
||||
const d = await r.json().catch(() => ({}));
|
||||
errEl.textContent = d.detail ?? 'Could not generate invite';
|
||||
errEl.classList.remove('hidden');
|
||||
return;
|
||||
}
|
||||
await loadInvites();
|
||||
} catch (e: any) {
|
||||
errEl.textContent = e.message;
|
||||
errEl.classList.remove('hidden');
|
||||
}
|
||||
});
|
||||
|
||||
loadInvites();
|
||||
</script>
|
||||
<meta http-equiv="refresh" content={`0;url=${target}`} />
|
||||
<script define:vars={{ target }}>window.location.replace(target);</script>
|
||||
|
||||
@@ -1,87 +1,6 @@
|
||||
---
|
||||
import Base from '../../layouts/Base.astro';
|
||||
const authUrl = import.meta.env.PUBLIC_AUTH_URL ?? '';
|
||||
const target = authUrl ? authUrl + '/register/' : '/';
|
||||
---
|
||||
<Base title="Create account — BincioActivity" public={true}>
|
||||
<div class="max-w-sm mx-auto mt-16 px-4">
|
||||
<h1 class="text-2xl font-bold text-white mb-6 text-center">Create account</h1>
|
||||
|
||||
<form id="register-form" class="space-y-4">
|
||||
<div>
|
||||
<label class="block text-sm text-zinc-400 mb-1" for="code">Invite code</label>
|
||||
<input id="code" name="code" type="text" autocomplete="off"
|
||||
class="w-full px-3 py-2 rounded-lg bg-zinc-900 border border-zinc-700 text-white font-mono uppercase tracking-widest placeholder-zinc-500 focus:outline-none focus:border-[--accent]"
|
||||
placeholder="XXXXXXXX" maxlength="8" required />
|
||||
</div>
|
||||
<div>
|
||||
<label class="block text-sm text-zinc-400 mb-1" for="handle">Handle</label>
|
||||
<input id="handle" name="handle" type="text" autocomplete="username"
|
||||
class="w-full px-3 py-2 rounded-lg bg-zinc-900 border border-zinc-700 text-white placeholder-zinc-500 focus:outline-none focus:border-[--accent]"
|
||||
placeholder="lowercase, letters and numbers" required />
|
||||
</div>
|
||||
<div>
|
||||
<label class="block text-sm text-zinc-400 mb-1" for="display_name">Display name <span class="text-zinc-600">(optional)</span></label>
|
||||
<input id="display_name" name="display_name" type="text"
|
||||
class="w-full px-3 py-2 rounded-lg bg-zinc-900 border border-zinc-700 text-white placeholder-zinc-500 focus:outline-none focus:border-[--accent]"
|
||||
placeholder="Your Name" />
|
||||
</div>
|
||||
<div>
|
||||
<label class="block text-sm text-zinc-400 mb-1" for="password">Password</label>
|
||||
<input id="password" name="password" type="password" autocomplete="new-password"
|
||||
class="w-full px-3 py-2 rounded-lg bg-zinc-900 border border-zinc-700 text-white focus:outline-none focus:border-[--accent]"
|
||||
minlength="8" required />
|
||||
<p class="text-zinc-600 text-xs mt-1">At least 8 characters</p>
|
||||
</div>
|
||||
<p id="reg-error" class="text-red-400 text-sm hidden"></p>
|
||||
<button type="submit"
|
||||
class="w-full py-2 rounded-lg bg-[--accent] hover:opacity-90 text-white font-medium transition-opacity">
|
||||
Create account
|
||||
</button>
|
||||
</form>
|
||||
|
||||
<p class="text-center text-zinc-500 text-sm mt-6">
|
||||
Already have an account? <a href="/login/" class="text-[--accent] hover:underline">Sign in</a>
|
||||
</p>
|
||||
</div>
|
||||
</Base>
|
||||
|
||||
<script>
|
||||
// Pre-fill invite code from query param
|
||||
const code = new URLSearchParams(window.location.search).get('code');
|
||||
if (code) {
|
||||
const input = document.getElementById('code') as HTMLInputElement;
|
||||
if (input) input.value = code.toUpperCase();
|
||||
}
|
||||
|
||||
document.getElementById('register-form')?.addEventListener('submit', async (e) => {
|
||||
e.preventDefault();
|
||||
const form = e.target as HTMLFormElement;
|
||||
const errEl = document.getElementById('reg-error')!;
|
||||
errEl.classList.add('hidden');
|
||||
|
||||
const body = {
|
||||
code: (form.querySelector('#code') as HTMLInputElement).value.trim().toUpperCase(),
|
||||
handle: (form.querySelector('#handle') as HTMLInputElement).value.trim().toLowerCase(),
|
||||
display_name: (form.querySelector('#display_name') as HTMLInputElement).value.trim(),
|
||||
password: (form.querySelector('#password') as HTMLInputElement).value,
|
||||
};
|
||||
|
||||
try {
|
||||
const r = await fetch('/api/register', {
|
||||
method: 'POST',
|
||||
credentials: 'include',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify(body),
|
||||
});
|
||||
if (!r.ok) {
|
||||
const d = await r.json().catch(() => ({}));
|
||||
errEl.textContent = d.detail ?? 'Registration failed';
|
||||
errEl.classList.remove('hidden');
|
||||
return;
|
||||
}
|
||||
window.location.href = '/';
|
||||
} catch {
|
||||
errEl.textContent = 'Could not reach server';
|
||||
errEl.classList.remove('hidden');
|
||||
}
|
||||
});
|
||||
</script>
|
||||
<meta http-equiv="refresh" content={`0;url=${target}`} />
|
||||
<script define:vars={{ target }}>window.location.replace(target);</script>
|
||||
|
||||
@@ -1,87 +1,6 @@
|
||||
---
|
||||
import Base from '../../layouts/Base.astro';
|
||||
const authUrl = import.meta.env.PUBLIC_AUTH_URL ?? '';
|
||||
const target = authUrl ? authUrl + '/reset-password/' : '/';
|
||||
---
|
||||
<Base title="Reset password — BincioActivity" public={true}>
|
||||
<div class="max-w-sm mx-auto mt-16 px-4">
|
||||
<h1 class="text-2xl font-bold text-white mb-2 text-center">Reset password</h1>
|
||||
<p class="text-zinc-500 text-sm text-center mb-2">Enter the reset code you received from the admin.</p>
|
||||
<p class="text-zinc-600 text-xs text-center mb-6">Don't have a code? Contact the instance admin — they can generate one for you from the admin panel. Codes expire after 24 hours.</p>
|
||||
|
||||
<form id="reset-form" class="space-y-4">
|
||||
<div>
|
||||
<label class="block text-sm text-zinc-400 mb-1" for="code">Reset code</label>
|
||||
<input id="code" name="code" type="text" autocomplete="off"
|
||||
class="w-full px-3 py-2 rounded-lg bg-zinc-900 border border-zinc-700 text-white font-mono uppercase tracking-widest placeholder-zinc-500 focus:outline-none focus:border-[--accent]"
|
||||
placeholder="XXXXXXXX" maxlength="8" required />
|
||||
</div>
|
||||
<div>
|
||||
<label class="block text-sm text-zinc-400 mb-1" for="handle">Handle</label>
|
||||
<input id="handle" name="handle" type="text" autocomplete="username"
|
||||
class="w-full px-3 py-2 rounded-lg bg-zinc-900 border border-zinc-700 text-white placeholder-zinc-500 focus:outline-none focus:border-[--accent]"
|
||||
placeholder="your handle" required />
|
||||
</div>
|
||||
<div>
|
||||
<label class="block text-sm text-zinc-400 mb-1" for="password">New password</label>
|
||||
<input id="password" name="password" type="password" autocomplete="new-password"
|
||||
class="w-full px-3 py-2 rounded-lg bg-zinc-900 border border-zinc-700 text-white focus:outline-none focus:border-[--accent]"
|
||||
minlength="8" required />
|
||||
<p class="text-zinc-600 text-xs mt-1">At least 8 characters</p>
|
||||
</div>
|
||||
<p id="reset-error" class="text-red-400 text-sm hidden"></p>
|
||||
<p id="reset-ok" class="text-green-400 text-sm hidden">Password updated. <a href="/login/" class="underline">Sign in</a></p>
|
||||
<button type="submit"
|
||||
class="w-full py-2 rounded-lg bg-[--accent] hover:opacity-90 text-white font-medium transition-opacity">
|
||||
Set new password
|
||||
</button>
|
||||
</form>
|
||||
|
||||
<p class="text-center text-zinc-500 text-sm mt-6">
|
||||
<a href="/login/" class="text-[--accent] hover:underline">Back to sign in</a>
|
||||
</p>
|
||||
</div>
|
||||
</Base>
|
||||
|
||||
<script>
|
||||
// Pre-fill code and handle from query params if provided
|
||||
const params = new URLSearchParams(window.location.search);
|
||||
const codeParam = params.get('code');
|
||||
const handleParam = params.get('handle');
|
||||
if (codeParam) (document.getElementById('code') as HTMLInputElement).value = codeParam.toUpperCase();
|
||||
if (handleParam) (document.getElementById('handle') as HTMLInputElement).value = handleParam;
|
||||
|
||||
document.getElementById('reset-form')?.addEventListener('submit', async (e) => {
|
||||
e.preventDefault();
|
||||
const form = e.target as HTMLFormElement;
|
||||
const errEl = document.getElementById('reset-error')!;
|
||||
const okEl = document.getElementById('reset-ok')!;
|
||||
errEl.classList.add('hidden');
|
||||
okEl.classList.add('hidden');
|
||||
|
||||
const body = {
|
||||
code: (form.querySelector('#code') as HTMLInputElement).value.trim().toUpperCase(),
|
||||
handle: (form.querySelector('#handle') as HTMLInputElement).value.trim().toLowerCase(),
|
||||
password: (form.querySelector('#password') as HTMLInputElement).value,
|
||||
};
|
||||
|
||||
try {
|
||||
const r = await fetch('/api/auth/reset-password', {
|
||||
method: 'POST',
|
||||
headers: { 'Content-Type': 'application/json' },
|
||||
body: JSON.stringify(body),
|
||||
});
|
||||
if (!r.ok) {
|
||||
const d = await r.json().catch(() => ({}));
|
||||
errEl.textContent = d.detail ?? 'Reset failed';
|
||||
errEl.classList.remove('hidden');
|
||||
return;
|
||||
}
|
||||
okEl.classList.remove('hidden');
|
||||
(e.target as HTMLFormElement).querySelectorAll('input, button').forEach(
|
||||
el => (el as HTMLInputElement).disabled = true
|
||||
);
|
||||
} catch {
|
||||
errEl.textContent = 'Could not reach server';
|
||||
errEl.classList.remove('hidden');
|
||||
}
|
||||
});
|
||||
</script>
|
||||
<meta http-equiv="refresh" content={`0;url=${target}`} />
|
||||
<script define:vars={{ target }}>window.location.replace(target);</script>
|
||||
|
||||
Reference in New Issue
Block a user