kyle/mcias
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
37afc68287c912519c85d4a880631864792127f4
mcias/web/templates/account_detail.html
Kyle Isom 37afc68287 Add TOTP enrollment to web UI 
- Profile page TOTP section with enrollment flow:
  password re-auth → QR code + manual entry → 6-digit confirm
- Server-side QR code generation (go-qrcode, data: URI PNG)
- Admin "Remove TOTP" button on account detail page
- Enrollment nonces: sync.Map with 5-minute TTL, single-use
- Template fragments: totp_section.html, totp_enroll_qr.html
- Handler: handlers_totp.go (enroll start, confirm, admin remove)

Security: Password re-auth before secret generation (SEC-01).
Lockout checked before Argon2. CSRF on all endpoints. Single-use
enrollment nonces with expiry. TOTP counter replay prevention
(CRIT-01). Self-removal not permitted (admin only).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-16 17:39:45 -07:00

81 lines
3.3 KiB
HTML
Raw Blame History

{{define "account_detail"}}{{template "base" .}}{{end}}
{{define "title"}}{{.Account.Username}} — MCIAS{{end}}
{{define "content"}}
<div class="page-header d-flex align-center justify-between">
<div>
<h1>{{.Account.Username}}</h1>
<p class="text-muted text-small">{{.Account.UUID}}</p>
</div>
<a class="btn btn-secondary" href="/accounts">← Accounts</a>
</div>
<div class="card">
<h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Account Info</h2>
<dl style="display:grid;grid-template-columns:140px 1fr;gap:.5rem .75rem;font-size:.9rem">
<dt class="text-muted">Type</dt><dd>{{.Account.AccountType}}</dd>
<dt class="text-muted">Status</dt>
<dd id="status-cell">{{template "account_status" .}}</dd>
<dt class="text-muted">TOTP</dt>
<dd id="totp-admin-status">
{{if .Account.TOTPRequired}}
Enabled
<button class="btn btn-sm btn-danger" style="margin-left:.5rem"
hx-delete="/accounts/{{.Account.UUID}}/totp"
hx-target="#totp-admin-status"
hx-swap="innerHTML"
hx-confirm="Remove TOTP for this account?"
hx-headers='{"X-CSRF-Token": "{{.CSRFToken}}"}'>Remove</button>
{{else}}Disabled{{end}}
</dd>
{{if .WebAuthnEnabled}}<dt class="text-muted">Passkeys</dt><dd>{{len .WebAuthnCreds}} registered</dd>{{end}}
<dt class="text-muted">Created</dt><dd class="text-small">{{formatTime .Account.CreatedAt}}</dd>
<dt class="text-muted">Updated</dt><dd class="text-small">{{formatTime .Account.UpdatedAt}}</dd>
</dl>
</div>
<div class="card">
<h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Roles</h2>
<div id="roles-editor">{{template "roles_editor" .}}</div>
</div>
<div class="card">
<div class="d-flex align-center justify-between" style="margin-bottom:1rem">
<h2 style="font-size:1rem;font-weight:600">Tokens</h2>
{{if and (eq (string .Account.AccountType) "system") .CanIssueToken}}
<button class="btn btn-sm btn-secondary"
hx-post="/accounts/{{.Account.UUID}}/token"
hx-target="#token-list" hx-swap="outerHTML">Issue Token</button>
{{end}}
</div>
{{template "token_list" .}}
</div>
{{if eq (string .Account.AccountType) "system"}}
<div class="card">
<h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Postgres Credentials</h2>
{{template "pgcreds_form" .}}
</div>
<div class="card">
<h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Token Issue Access</h2>
<div id="token-delegates-section">{{template "token_delegates" .}}</div>
</div>
{{end}}
{{if .WebAuthnEnabled}}
<div class="card">
<h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Passkeys</h2>
{{template "webauthn_credentials" .}}
</div>
{{end}}
<div class="card">
<h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Tags</h2>
<div id="tags-editor">{{template "tags_editor" .}}</div>
</div>
{{if eq (string .Account.AccountType) "human"}}
<div class="card">
<h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Reset Password</h2>
<p class="text-muted text-small" style="margin-bottom:.75rem">
Set a new password for this account. All active sessions will be revoked.
</p>
<div id="password-reset-section">
{{template "password_reset_form" .}}
</div>
</div>
{{end}}
{{end}}
Reference in New Issue View Git Blame Copy Permalink