Kyle Isom
446b3df52d
- Fix webauthn.js CSRF token: read HMAC header value from body hx-headers attribute instead of cookie nonce - Update profile labels to mention security keys/FIDO2 alongside passkeys Security: CSRF double-submit was broken for fetch()-based WebAuthn requests — JS was sending the cookie nonce as the header value instead of the HMAC. Fixed by reading the server-rendered header token from the DOM. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
33 lines
1.3 KiB
HTML
33 lines
1.3 KiB
HTML
{{define "profile"}}{{template "base" .}}{{end}}
|
|
{{define "title"}}Profile — MCIAS{{end}}
|
|
{{define "content"}}
|
|
<div class="page-header">
|
|
<h1>Profile</h1>
|
|
</div>
|
|
<div class="card">
|
|
<h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Two-Factor Authentication (TOTP)</h2>
|
|
{{template "totp_section" .}}
|
|
</div>
|
|
{{if .WebAuthnEnabled}}
|
|
<div class="card">
|
|
<h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Passkeys & Security Keys</h2>
|
|
<p class="text-muted text-small" style="margin-bottom:.75rem">
|
|
Register a passkey (Touch ID, Windows Hello) or a hardware security key (YubiKey, FIDO2) for passwordless sign-in or two-factor authentication.
|
|
</p>
|
|
{{template "webauthn_credentials" .}}
|
|
<h3 style="font-size:.9rem;font-weight:600;margin:1rem 0 .5rem">Add a Passkey or Security Key</h3>
|
|
{{template "webauthn_enroll" .}}
|
|
</div>
|
|
<script src="/static/webauthn.js"></script>
|
|
{{end}}
|
|
<div class="card">
|
|
<h2 style="font-size:1rem;font-weight:600;margin-bottom:1rem">Change Password</h2>
|
|
<p class="text-muted text-small" style="margin-bottom:.75rem">
|
|
Enter your current password and choose a new one. Other active sessions will be revoked.
|
|
</p>
|
|
<div id="password-change-section">
|
|
{{template "password_change_form" .}}
|
|
</div>
|
|
</div>
|
|
{{end}}
|