diff --git a/config.example.toml b/config.example.toml index 7cfb7db..1ce0e4b 100644 --- a/config.example.toml +++ b/config.example.toml @@ -33,6 +33,22 @@ listen_addr = ":8080" site_title = "Pete" base_url = "https://news.parodia.dev" +# Optional OIDC sign-in (Authentik). When enabled, signed-in users get their +# preferences (hidden feeds, weather location, toggles) stored server-side keyed +# by their OIDC subject and synced across devices. Anonymous visitors keep using +# browser localStorage — the site stays public. If the provider is unreachable +# at startup, Pete logs a warning and serves anonymously rather than refusing to +# boot. Create an OAuth2/OIDC provider + application in Authentik, set the +# redirect URI to /auth/callback, then fill these in. +[web.auth] +enabled = false +issuer = "https://authentik.parodia.dev/application/o/pete/" +client_id = "${PETE_OIDC_CLIENT_ID}" +client_secret = "${PETE_OIDC_CLIENT_SECRET}" +redirect_url = "https://news.parodia.dev/auth/callback" +# HMAC key that signs the session cookie. Generate with: openssl rand -hex 32 +session_secret = "${PETE_SESSION_SECRET}" + # Every enabled source MUST set direct_route to a key from [matrix.channels] above. # There is no automatic classification — Pete posts each story to its configured channel. # Optional: language = "en" drops feed items whose per-item tag is diff --git a/go.mod b/go.mod index f308086..83caa26 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,9 @@ require ( require ( filippo.io/edwards25519 v1.2.0 // indirect github.com/andybalholm/cascadia v1.3.3 // indirect + github.com/coreos/go-oidc/v3 v3.19.0 // indirect github.com/dustin/go-humanize v1.0.1 // indirect + github.com/go-jose/go-jose/v4 v4.1.4 // indirect github.com/google/uuid v1.6.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/mattn/go-colorable v0.1.14 // indirect @@ -35,6 +37,7 @@ require ( golang.org/x/exp v0.0.0-20260508232706-74f9aab9d74a // indirect golang.org/x/image v0.41.0 // indirect golang.org/x/net v0.55.0 // indirect + golang.org/x/oauth2 v0.36.0 // indirect golang.org/x/sys v0.45.0 // indirect golang.org/x/text v0.37.0 // indirect modernc.org/libc v1.72.3 // indirect diff --git a/go.sum b/go.sum index 9209f41..5898a0a 100644 --- a/go.sum +++ b/go.sum @@ -8,11 +8,15 @@ github.com/PuerkitoBio/goquery v1.12.0 h1:pAcL4g3WRXekcB9AU/y1mbKez2dbY2AajVhtkO github.com/PuerkitoBio/goquery v1.12.0/go.mod h1:802ej+gV2y7bbIhOIoPY5sT183ZW0YFofScC4q/hIpQ= github.com/andybalholm/cascadia v1.3.3 h1:AG2YHrzJIm4BZ19iwJ/DAua6Btl3IwJX+VI4kktS1LM= github.com/andybalholm/cascadia v1.3.3/go.mod h1:xNd9bqTn98Ln4DwST8/nG+H0yuB8Hmgu1YHNnWw0GeA= +github.com/coreos/go-oidc/v3 v3.19.0 h1:F/xyOi3x1UnG1U27YVnM1N6bHiL1K2upi6U/0qr8r+I= +github.com/coreos/go-oidc/v3 v3.19.0/go.mod h1:DYCf24+ncYi+XkIH97GY1+dqoRlbaSI26KVTCI9SrY4= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= +github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA= +github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08= github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs= @@ -96,6 +100,8 @@ golang.org/x/net v0.25.0/go.mod h1:JkAGAh7GEvH74S6FOH42FLoXpXbE/aqXSrIQjXgsiwM= golang.org/x/net v0.33.0/go.mod h1:HXLR5J+9DxmrqMwG9qjGCxZ+zKXxBru04zlTvWlWuN4= golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8= golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww= +golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs= +golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= diff --git a/internal/config/config.go b/internal/config/config.go index 8a8f2a2..4550c19 100644 --- a/internal/config/config.go +++ b/internal/config/config.go @@ -22,10 +22,23 @@ type Config struct { // WebConfig controls the read-only HTTP interface (news.parodia.dev style). type WebConfig struct { - Enabled bool `toml:"enabled"` - ListenAddr string `toml:"listen_addr"` // e.g. ":8080" or "127.0.0.1:8080" - SiteTitle string `toml:"site_title"` // display name in the header - BaseURL string `toml:"base_url"` // public URL (used in metadata only) + Enabled bool `toml:"enabled"` + ListenAddr string `toml:"listen_addr"` // e.g. ":8080" or "127.0.0.1:8080" + SiteTitle string `toml:"site_title"` // display name in the header + BaseURL string `toml:"base_url"` // public URL (used in metadata only) + Auth AuthConfig `toml:"auth"` // optional OIDC sign-in (Authentik) +} + +// AuthConfig wires Pete's web UI to an OIDC provider (our Authentik instance). +// When enabled, signed-in users get their preferences stored server-side keyed +// by the OIDC subject; anonymous visitors keep using browser localStorage. +type AuthConfig struct { + Enabled bool `toml:"enabled"` + Issuer string `toml:"issuer"` // e.g. https://authentik.parodia.dev/application/o/pete/ + ClientID string `toml:"client_id"` + ClientSecret string `toml:"client_secret"` + RedirectURL string `toml:"redirect_url"` // e.g. https://news.parodia.dev/auth/callback + SessionSecret string `toml:"session_secret"` // HMAC key for signing the session cookie } type MatrixConfig struct { @@ -73,7 +86,7 @@ type SourceConfig struct { // Language, when set, drops feed items whose per-item language tag is // present and does not match (prefix). Useful for multilingual feeds // like Politico Europe that publish English + French side-by-side. - Language string `toml:"language"` + Language string `toml:"language"` } func Load(path string) (*Config, error) { @@ -124,6 +137,16 @@ func (c *Config) validate() error { return fmt.Errorf("storage.db_path is required") } + if c.Web.Auth.Enabled { + a := c.Web.Auth + if a.Issuer == "" || a.ClientID == "" || a.ClientSecret == "" || a.RedirectURL == "" { + return fmt.Errorf("web.auth requires issuer, client_id, client_secret, and redirect_url when enabled") + } + if len(a.SessionSecret) < 16 { + return fmt.Errorf("web.auth.session_secret must be at least 16 characters") + } + } + for i, s := range c.Sources { if s.Name == "" { return fmt.Errorf("sources[%d].name is required", i) diff --git a/internal/storage/prefs.go b/internal/storage/prefs.go new file mode 100644 index 0000000..c629a66 --- /dev/null +++ b/internal/storage/prefs.go @@ -0,0 +1,50 @@ +package storage + +import ( + "database/sql" + "errors" + "fmt" +) + +// UserPrefs is one signed-in user's stored state. Prefs is an opaque JSON blob +// owned by the web frontend (disabled feeds, weather location, toggles, …) — +// the backend just persists and returns it, keyed by the OIDC subject. +type UserPrefs struct { + Sub string + Prefs string + Username string + Email string + UpdatedAt int64 +} + +// GetUserPrefs returns the stored prefs blob for an OIDC subject. It returns +// ("", nil) when the user has no record yet (first sign-in). +func GetUserPrefs(sub string) (string, error) { + var prefs string + err := Get().QueryRow(`SELECT prefs FROM user_preferences WHERE user_sub = ?`, sub).Scan(&prefs) + if errors.Is(err, sql.ErrNoRows) { + return "", nil + } + if err != nil { + return "", fmt.Errorf("get user prefs: %w", err) + } + return prefs, nil +} + +// PutUserPrefs upserts a user's prefs blob along with identity hints (username, +// email) for later features. The prefs string is stored verbatim. +func PutUserPrefs(sub, prefs, username, email string) error { + _, err := Get().Exec(` + INSERT INTO user_preferences (user_sub, prefs, username, email, updated_at) + VALUES (?, ?, ?, ?, ?) + ON CONFLICT(user_sub) DO UPDATE SET + prefs = excluded.prefs, + username = excluded.username, + email = excluded.email, + updated_at = excluded.updated_at`, + sub, prefs, username, email, nowUnix()) + if err != nil { + return fmt.Errorf("put user prefs: %w", err) + } + return nil +} diff --git a/internal/storage/prefs_test.go b/internal/storage/prefs_test.go new file mode 100644 index 0000000..725bb47 --- /dev/null +++ b/internal/storage/prefs_test.go @@ -0,0 +1,44 @@ +package storage + +import ( + "path/filepath" + "testing" +) + +func TestUserPrefsRoundTrip(t *testing.T) { + if err := Init(filepath.Join(t.TempDir(), "prefs.db")); err != nil { + t.Fatalf("init db: %v", err) + } + t.Cleanup(func() { _ = Close() }) + + // Missing user → empty, no error. + got, err := GetUserPrefs("nobody") + if err != nil { + t.Fatalf("get missing: %v", err) + } + if got != "" { + t.Fatalf("expected empty for missing user, got %q", got) + } + + blob := `{"pete.weather.loc.v1":"{\"postal\":\"1000\"}"}` + if err := PutUserPrefs("ak-sub-1", blob, "misaki", "m@example.com"); err != nil { + t.Fatalf("put: %v", err) + } + got, err = GetUserPrefs("ak-sub-1") + if err != nil { + t.Fatalf("get: %v", err) + } + if got != blob { + t.Fatalf("blob mismatch:\n got %q\nwant %q", got, blob) + } + + // Upsert: second put for same sub replaces the blob. + blob2 := `{"pete-weather-off":"1"}` + if err := PutUserPrefs("ak-sub-1", blob2, "misaki", "m@example.com"); err != nil { + t.Fatalf("upsert: %v", err) + } + got, _ = GetUserPrefs("ak-sub-1") + if got != blob2 { + t.Fatalf("upsert mismatch: got %q want %q", got, blob2) + } +} diff --git a/internal/storage/schema.go b/internal/storage/schema.go index 8706793..6a58aa3 100644 --- a/internal/storage/schema.go +++ b/internal/storage/schema.go @@ -45,6 +45,14 @@ CREATE TABLE IF NOT EXISTS reactions ( reacted_at INTEGER NOT NULL ); +CREATE TABLE IF NOT EXISTS user_preferences ( + user_sub TEXT PRIMARY KEY, + prefs TEXT NOT NULL, + username TEXT, + email TEXT, + updated_at INTEGER NOT NULL +); + CREATE UNIQUE INDEX IF NOT EXISTS idx_post_log_guid_channel ON post_log(guid, channel); CREATE INDEX IF NOT EXISTS idx_post_log_event_id ON post_log(event_id); CREATE INDEX IF NOT EXISTS idx_post_log_channel_posted ON post_log(channel, posted_at); diff --git a/internal/web/auth.go b/internal/web/auth.go new file mode 100644 index 0000000..13918d0 --- /dev/null +++ b/internal/web/auth.go @@ -0,0 +1,270 @@ +package web + +import ( + "context" + "crypto/hmac" + "crypto/rand" + "crypto/sha256" + "crypto/subtle" + "encoding/base64" + "encoding/json" + "fmt" + "log/slog" + "net/http" + "strings" + "time" + + "github.com/coreos/go-oidc/v3/oidc" + "golang.org/x/oauth2" + + "pete/internal/config" +) + +const ( + sessionCookie = "pete_session" + oauthCookie = "pete_oauth" + sessionTTL = 30 * 24 * time.Hour // stay signed in for a month + oauthTTL = 10 * time.Minute // login round-trip window +) + +// Authenticator holds the OIDC plumbing for optional sign-in via Authentik. +type Authenticator struct { + oauth *oauth2.Config + verifier *oidc.IDTokenVerifier + secret []byte +} + +// SessionUser is the identity carried in the signed session cookie. +type SessionUser struct { + Sub string `json:"sub"` + Name string `json:"name,omitempty"` + Email string `json:"email,omitempty"` + Exp int64 `json:"exp"` +} + +// Display is the friendly name shown in the header (name, else email, else sub). +func (u *SessionUser) Display() string { + if u.Name != "" { + return u.Name + } + if u.Email != "" { + return u.Email + } + return u.Sub +} + +// Initial is the single uppercase glyph for the avatar bubble. +func (u *SessionUser) Initial() string { + d := strings.TrimSpace(u.Display()) + if d == "" { + return "?" + } + return strings.ToUpper(d[:1]) +} + +// oauthState is the short-lived CSRF/nonce envelope for the login round-trip. +type oauthState struct { + State string `json:"s"` + Nonce string `json:"n"` + Next string `json:"r"` + Exp int64 `json:"e"` +} + +// newAuthenticator performs OIDC discovery against the configured issuer. It is +// non-fatal at the call site: if discovery fails (provider down at boot), the +// site still serves anonymously. +func newAuthenticator(ctx context.Context, cfg config.AuthConfig) (*Authenticator, error) { + provider, err := oidc.NewProvider(ctx, strings.TrimRight(cfg.Issuer, "/")+"/") + if err != nil { + return nil, fmt.Errorf("oidc discovery: %w", err) + } + return &Authenticator{ + oauth: &oauth2.Config{ + ClientID: cfg.ClientID, + ClientSecret: cfg.ClientSecret, + RedirectURL: cfg.RedirectURL, + Endpoint: provider.Endpoint(), + Scopes: []string{oidc.ScopeOpenID, "profile", "email"}, + }, + verifier: provider.Verifier(&oidc.Config{ClientID: cfg.ClientID}), + secret: []byte(cfg.SessionSecret), + }, nil +} + +// ---- signed-cookie helpers ------------------------------------------------ + +// sign returns base64url(payload).base64url(hmac) — a compact stateless token. +func (a *Authenticator) sign(payload []byte) string { + mac := hmac.New(sha256.New, a.secret) + mac.Write(payload) + b64 := base64.RawURLEncoding + return b64.EncodeToString(payload) + "." + b64.EncodeToString(mac.Sum(nil)) +} + +// verify checks the HMAC and returns the raw payload bytes. +func (a *Authenticator) verify(token string) ([]byte, bool) { + parts := strings.SplitN(token, ".", 2) + if len(parts) != 2 { + return nil, false + } + b64 := base64.RawURLEncoding + payload, err := b64.DecodeString(parts[0]) + if err != nil { + return nil, false + } + want, err := b64.DecodeString(parts[1]) + if err != nil { + return nil, false + } + mac := hmac.New(sha256.New, a.secret) + mac.Write(payload) + if subtle.ConstantTimeCompare(want, mac.Sum(nil)) != 1 { + return nil, false + } + return payload, true +} + +func randToken() string { + b := make([]byte, 32) + _, _ = rand.Read(b) + return base64.RawURLEncoding.EncodeToString(b) +} + +// userFromRequest returns the signed-in user, or nil for anonymous visitors. +func (a *Authenticator) userFromRequest(r *http.Request) *SessionUser { + c, err := r.Cookie(sessionCookie) + if err != nil { + return nil + } + payload, ok := a.verify(c.Value) + if !ok { + return nil + } + var u SessionUser + if json.Unmarshal(payload, &u) != nil { + return nil + } + if u.Sub == "" || time.Now().Unix() > u.Exp { + return nil + } + return &u +} + +func (a *Authenticator) setCookie(w http.ResponseWriter, name, value string, ttl time.Duration) { + http.SetCookie(w, &http.Cookie{ + Name: name, + Value: value, + Path: "/", + Expires: time.Now().Add(ttl), + MaxAge: int(ttl.Seconds()), + HttpOnly: true, + Secure: true, + SameSite: http.SameSiteLaxMode, + }) +} + +func (a *Authenticator) clearCookie(w http.ResponseWriter, name string) { + http.SetCookie(w, &http.Cookie{ + Name: name, Value: "", Path: "/", MaxAge: -1, + HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode, + }) +} + +// ---- handlers ------------------------------------------------------------- + +// handleLogin starts the OIDC authorization-code flow. +func (a *Authenticator) handleLogin(w http.ResponseWriter, r *http.Request) { + st := oauthState{ + State: randToken(), + Nonce: randToken(), + Next: safeNext(r.URL.Query().Get("next")), + Exp: time.Now().Add(oauthTTL).Unix(), + } + payload, _ := json.Marshal(st) + a.setCookie(w, oauthCookie, a.sign(payload), oauthTTL) + http.Redirect(w, r, a.oauth.AuthCodeURL(st.State, oidc.Nonce(st.Nonce)), http.StatusFound) +} + +// handleCallback completes the flow: validates state, exchanges the code, +// verifies the ID token, and issues a session cookie. +func (a *Authenticator) handleCallback(w http.ResponseWriter, r *http.Request) { + c, err := r.Cookie(oauthCookie) + if err != nil { + http.Error(w, "login expired, please try again", http.StatusBadRequest) + return + } + a.clearCookie(w, oauthCookie) + payload, ok := a.verify(c.Value) + if !ok { + http.Error(w, "invalid login state", http.StatusBadRequest) + return + } + var st oauthState + if json.Unmarshal(payload, &st) != nil || time.Now().Unix() > st.Exp { + http.Error(w, "login expired, please try again", http.StatusBadRequest) + return + } + if subtle.ConstantTimeCompare([]byte(st.State), []byte(r.URL.Query().Get("state"))) != 1 { + http.Error(w, "state mismatch", http.StatusBadRequest) + return + } + + ctx, cancel := context.WithTimeout(r.Context(), 15*time.Second) + defer cancel() + + tok, err := a.oauth.Exchange(ctx, r.URL.Query().Get("code")) + if err != nil { + slog.Error("auth: code exchange failed", "err", err) + http.Error(w, "sign-in failed", http.StatusBadGateway) + return + } + rawID, ok := tok.Extra("id_token").(string) + if !ok { + http.Error(w, "no id_token in response", http.StatusBadGateway) + return + } + idToken, err := a.verifier.Verify(ctx, rawID) + if err != nil { + slog.Error("auth: id_token verify failed", "err", err) + http.Error(w, "sign-in failed", http.StatusBadGateway) + return + } + if idToken.Nonce != st.Nonce { + http.Error(w, "nonce mismatch", http.StatusBadRequest) + return + } + var claims struct { + Sub string `json:"sub"` + Name string `json:"name"` + PreferredUsername string `json:"preferred_username"` + Email string `json:"email"` + } + if err := idToken.Claims(&claims); err != nil { + http.Error(w, "sign-in failed", http.StatusBadGateway) + return + } + name := claims.Name + if name == "" { + name = claims.PreferredUsername + } + u := SessionUser{Sub: claims.Sub, Name: name, Email: claims.Email, Exp: time.Now().Add(sessionTTL).Unix()} + sess, _ := json.Marshal(u) + a.setCookie(w, sessionCookie, a.sign(sess), sessionTTL) + slog.Info("auth: user signed in", "sub", claims.Sub, "name", name) + http.Redirect(w, r, st.Next, http.StatusFound) +} + +// handleLogout clears the local session. It does not end the upstream Authentik +// SSO session (that stays the user's choice). +func (a *Authenticator) handleLogout(w http.ResponseWriter, r *http.Request) { + a.clearCookie(w, sessionCookie) + http.Redirect(w, r, "/", http.StatusFound) +} + +// safeNext keeps post-login redirects on-site (no open redirects). +func safeNext(next string) string { + if next == "" || !strings.HasPrefix(next, "/") || strings.HasPrefix(next, "//") { + return "/" + } + return next +} diff --git a/internal/web/auth_test.go b/internal/web/auth_test.go new file mode 100644 index 0000000..a183ec4 --- /dev/null +++ b/internal/web/auth_test.go @@ -0,0 +1,55 @@ +package web + +import "testing" + +func TestSignVerifyRoundTrip(t *testing.T) { + a := &Authenticator{secret: []byte("test-secret-key-at-least-16")} + payload := []byte(`{"sub":"abc","exp":123}`) + tok := a.sign(payload) + + got, ok := a.verify(tok) + if !ok { + t.Fatal("verify rejected a freshly signed token") + } + if string(got) != string(payload) { + t.Fatalf("payload mismatch: got %q want %q", got, payload) + } +} + +func TestVerifyRejectsTamperAndForeignKey(t *testing.T) { + a := &Authenticator{secret: []byte("test-secret-key-at-least-16")} + tok := a.sign([]byte(`{"sub":"abc"}`)) + + // Flip a byte in the payload segment. + bad := []byte(tok) + bad[0] ^= 0x01 + if _, ok := a.verify(string(bad)); ok { + t.Error("verify accepted a tampered token") + } + + // A different key must not validate the same token. + other := &Authenticator{secret: []byte("a-totally-different-key-16")} + if _, ok := other.verify(tok); ok { + t.Error("verify accepted a token signed with a different key") + } + + if _, ok := a.verify("not-a-valid-token"); ok { + t.Error("verify accepted a malformed token") + } +} + +func TestSafeNext(t *testing.T) { + cases := map[string]string{ + "": "/", + "/tech": "/tech", + "/tech?page=2": "/tech?page=2", + "//evil.com": "/", // protocol-relative open redirect + "https://evil.com": "/", // absolute URL + "javascript:alert": "/", // not a path + } + for in, want := range cases { + if got := safeNext(in); got != want { + t.Errorf("safeNext(%q) = %q, want %q", in, got, want) + } + } +} diff --git a/internal/web/handlers.go b/internal/web/handlers.go index 96a426b..cff5b5d 100644 --- a/internal/web/handlers.go +++ b/internal/web/handlers.go @@ -43,24 +43,28 @@ func toView(s storage.Story) StoryView { } type pageData struct { - SiteTitle string - Channels []Channel - Active string // slug of active channel, "" for landing - Weather Weather - Phase string // when set, forces day/dawn/dusk/night and disables the clock-driven phase JS - AllSources template.JS // JSON array of {name, channel} for the settings panel + SiteTitle string + Channels []Channel + Active string // slug of active channel, "" for landing + Weather Weather + Phase string // when set, forces day/dawn/dusk/night and disables the clock-driven phase JS + AllSources template.JS // JSON array of {name, channel} for the settings panel + AuthEnabled bool // sign-in is available + User *SessionUser // nil for anonymous visitors + UserPrefs template.JS // signed-in user's stored prefs blob (JSON), or "null" + Path string // current request path, for post-login return } type channelPage struct { pageData - Channel Channel - Stories []StoryView - Page int - HasPrev bool - HasNext bool - PrevURL string - NextURL string - Total int + Channel Channel + Stories []StoryView + Page int + HasPrev bool + HasNext bool + PrevURL string + NextURL string + Total int } type indexPage struct { @@ -78,20 +82,32 @@ type channelStat struct { Total int } -func (s *Server) base() pageData { +func (s *Server) base(r *http.Request) pageData { srcJSON, err := json.Marshal(s.sources) if err != nil { srcJSON = []byte("[]") } - return pageData{ - SiteTitle: s.cfg.SiteTitle, - Channels: channels, - Weather: currentWeather(time.Now()), - AllSources: template.JS(srcJSON), + d := pageData{ + SiteTitle: s.cfg.SiteTitle, + Channels: channels, + Weather: currentWeather(time.Now()), + AllSources: template.JS(srcJSON), + AuthEnabled: s.auth != nil, + UserPrefs: template.JS("null"), + Path: r.URL.Path, } + if s.auth != nil { + if u := s.auth.userFromRequest(r); u != nil { + d.User = u + if blob, err := storage.GetUserPrefs(u.Sub); err == nil && blob != "" { + d.UserPrefs = template.JS(blob) + } + } + } + return d } -func (s *Server) handleIndex(w http.ResponseWriter, _ *http.Request) { +func (s *Server) handleIndex(w http.ResponseWriter, r *http.Request) { const ( justPostedLimit = 6 latestLimit = 16 @@ -137,7 +153,7 @@ func (s *Server) handleIndex(w http.ResponseWriter, _ *http.Request) { } data := indexPage{ - pageData: s.base(), + pageData: s.base(r), JustPosted: justPosted, Stats: stats, Latest: latest, @@ -169,7 +185,7 @@ func (s *Server) handleChannel(w http.ResponseWriter, r *http.Request, ch Channe } total, _ := storage.CountClassifiedByChannel(ch.Slug) - base := s.base() + base := s.base(r) base.Active = ch.Slug data := channelPage{ pageData: base, @@ -230,7 +246,7 @@ func (s *Server) handleWeatherDemo(w http.ResponseWriter, r *http.Request) { intensity := pickOr(q.Get("intensity"), demoIntensities, "heavy") phase := pickOr(q.Get("phase"), demoPhases, "day") - base := s.base() + base := s.base(r) base.Weather = Weather{Season: seasonForVariant(variant), Variant: variant, Intensity: intensity} base.Phase = phase diff --git a/internal/web/prefs_api.go b/internal/web/prefs_api.go new file mode 100644 index 0000000..de45248 --- /dev/null +++ b/internal/web/prefs_api.go @@ -0,0 +1,74 @@ +package web + +import ( + "encoding/json" + "io" + "log/slog" + "net/http" + + "pete/internal/storage" +) + +// maxPrefsBytes caps the stored blob. Preferences are small (disabled feeds, +// a postal code, a couple toggles); this is generous headroom, not a target. +const maxPrefsBytes = 64 * 1024 + +// handlePrefs serves GET (load) and PUT (save) of the signed-in user's +// preferences blob. The blob is opaque JSON owned by the frontend. Both verbs +// require a session; anonymous callers get 401 and fall back to localStorage. +func (s *Server) handlePrefs(w http.ResponseWriter, r *http.Request) { + if s.auth == nil { + http.Error(w, "auth disabled", http.StatusNotFound) + return + } + u := s.auth.userFromRequest(r) + if u == nil { + w.Header().Set("Content-Type", "application/json; charset=utf-8") + http.Error(w, `{"error":"not signed in"}`, http.StatusUnauthorized) + return + } + + switch r.Method { + case http.MethodGet: + blob, err := storage.GetUserPrefs(u.Sub) + if err != nil { + slog.Error("prefs: load failed", "sub", u.Sub, "err", err) + http.Error(w, "internal error", http.StatusInternalServerError) + return + } + w.Header().Set("Content-Type", "application/json; charset=utf-8") + w.Header().Set("Cache-Control", "no-store") + if blob == "" { + _, _ = w.Write([]byte(`{"prefs":null}`)) + return + } + // blob is already valid JSON; embed it verbatim. + _, _ = w.Write([]byte(`{"prefs":`)) + _, _ = io.WriteString(w, blob) + _, _ = w.Write([]byte(`}`)) + + case http.MethodPut: + body, err := io.ReadAll(io.LimitReader(r.Body, maxPrefsBytes+1)) + if err != nil { + http.Error(w, "read error", http.StatusBadRequest) + return + } + if len(body) > maxPrefsBytes { + http.Error(w, "preferences too large", http.StatusRequestEntityTooLarge) + return + } + if !json.Valid(body) { + http.Error(w, "invalid JSON", http.StatusBadRequest) + return + } + if err := storage.PutUserPrefs(u.Sub, string(body), u.Name, u.Email); err != nil { + slog.Error("prefs: save failed", "sub", u.Sub, "err", err) + http.Error(w, "internal error", http.StatusInternalServerError) + return + } + w.WriteHeader(http.StatusNoContent) + + default: + http.Error(w, "method not allowed", http.StatusMethodNotAllowed) + } +} diff --git a/internal/web/server.go b/internal/web/server.go index 1cd805b..0ab7e3d 100644 --- a/internal/web/server.go +++ b/internal/web/server.go @@ -55,6 +55,7 @@ type Server struct { sources []SourceInfo srv *http.Server tpls map[string]*template.Template // keyed by page name (e.g. "index", "channel") + auth *Authenticator // nil when sign-in is disabled or unavailable } // New builds the server. Templates are parsed once at startup. Each page @@ -82,6 +83,22 @@ func New(cfg config.WebConfig, sources []config.SourceConfig) (*Server, error) { infos = append(infos, SourceInfo{Name: sc.Name, Channel: sc.DirectRoute}) } s := &Server{cfg: cfg, sources: infos, tpls: tpls} + + // Optional OIDC sign-in (Authentik). Discovery is a network call; if the + // provider is unreachable at boot we log and serve anonymously rather than + // refusing to start the whole site. + if cfg.Auth.Enabled { + dctx, cancel := context.WithTimeout(context.Background(), 15*time.Second) + auth, err := newAuthenticator(dctx, cfg.Auth) + cancel() + if err != nil { + slog.Error("web: OIDC auth init failed; sign-in disabled", "err", err) + } else { + s.auth = auth + slog.Info("web: OIDC sign-in enabled", "issuer", cfg.Auth.Issuer) + } + } + mux := http.NewServeMux() staticSub, err := fs.Sub(staticFS, "static") @@ -105,6 +122,14 @@ func New(cfg config.WebConfig, sources []config.SourceConfig) (*Server, error) { _, _ = w.Write([]byte("ok")) }) + if s.auth != nil { + mux.HandleFunc("GET /auth/login", s.auth.handleLogin) + mux.HandleFunc("GET /auth/callback", s.auth.handleCallback) + mux.HandleFunc("GET /auth/logout", s.auth.handleLogout) + mux.HandleFunc("GET /api/preferences", s.handlePrefs) + mux.HandleFunc("PUT /api/preferences", s.handlePrefs) + } + s.srv = &http.Server{ Addr: cfg.ListenAddr, Handler: mux, diff --git a/internal/web/static/css/output.css b/internal/web/static/css/output.css index 41f1c5b..98e26c8 100644 --- a/internal/web/static/css/output.css +++ b/internal/web/static/css/output.css @@ -1 +1 @@ -*,:after,:before{--tw-border-spacing-x:0;--tw-border-spacing-y:0;--tw-translate-x:0;--tw-translate-y:0;--tw-rotate:0;--tw-skew-x:0;--tw-skew-y:0;--tw-scale-x:1;--tw-scale-y:1;--tw-pan-x: ;--tw-pan-y: ;--tw-pinch-zoom: ;--tw-scroll-snap-strictness:proximity;--tw-gradient-from-position: ;--tw-gradient-via-position: ;--tw-gradient-to-position: ;--tw-ordinal: ;--tw-slashed-zero: ;--tw-numeric-figure: ;--tw-numeric-spacing: ;--tw-numeric-fraction: ;--tw-ring-inset: ;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-color:rgba(59,130,246,.5);--tw-ring-offset-shadow:0 0 #0000;--tw-ring-shadow:0 0 #0000;--tw-shadow:0 0 #0000;--tw-shadow-colored:0 0 #0000;--tw-blur: ;--tw-brightness: ;--tw-contrast: ;--tw-grayscale: ;--tw-hue-rotate: ;--tw-invert: ;--tw-saturate: ;--tw-sepia: ;--tw-drop-shadow: ;--tw-backdrop-blur: ;--tw-backdrop-brightness: ;--tw-backdrop-contrast: ;--tw-backdrop-grayscale: ;--tw-backdrop-hue-rotate: ;--tw-backdrop-invert: ;--tw-backdrop-opacity: ;--tw-backdrop-saturate: ;--tw-backdrop-sepia: ;--tw-contain-size: ;--tw-contain-layout: ;--tw-contain-paint: ;--tw-contain-style: }::backdrop{--tw-border-spacing-x:0;--tw-border-spacing-y:0;--tw-translate-x:0;--tw-translate-y:0;--tw-rotate:0;--tw-skew-x:0;--tw-skew-y:0;--tw-scale-x:1;--tw-scale-y:1;--tw-pan-x: ;--tw-pan-y: ;--tw-pinch-zoom: ;--tw-scroll-snap-strictness:proximity;--tw-gradient-from-position: ;--tw-gradient-via-position: ;--tw-gradient-to-position: ;--tw-ordinal: ;--tw-slashed-zero: ;--tw-numeric-figure: ;--tw-numeric-spacing: ;--tw-numeric-fraction: ;--tw-ring-inset: ;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-color:rgba(59,130,246,.5);--tw-ring-offset-shadow:0 0 #0000;--tw-ring-shadow:0 0 #0000;--tw-shadow:0 0 #0000;--tw-shadow-colored:0 0 #0000;--tw-blur: ;--tw-brightness: ;--tw-contrast: ;--tw-grayscale: ;--tw-hue-rotate: ;--tw-invert: ;--tw-saturate: ;--tw-sepia: ;--tw-drop-shadow: ;--tw-backdrop-blur: ;--tw-backdrop-brightness: ;--tw-backdrop-contrast: ;--tw-backdrop-grayscale: ;--tw-backdrop-hue-rotate: ;--tw-backdrop-invert: ;--tw-backdrop-opacity: ;--tw-backdrop-saturate: ;--tw-backdrop-sepia: ;--tw-contain-size: ;--tw-contain-layout: ;--tw-contain-paint: ;--tw-contain-style: }/*! tailwindcss v3.4.19 | MIT License | https://tailwindcss.com*/*,:after,:before{box-sizing:border-box;border:0 solid #e5e7eb}:after,:before{--tw-content:""}:host,html{line-height:1.5;-webkit-text-size-adjust:100%;-moz-tab-size:4;-o-tab-size:4;tab-size:4;font-family:ui-sans-serif,system-ui,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji;font-feature-settings:normal;font-variation-settings:normal;-webkit-tap-highlight-color:transparent}body{margin:0;line-height:inherit}hr{height:0;color:inherit;border-top-width:1px}abbr:where([title]){-webkit-text-decoration:underline dotted;text-decoration:underline dotted}h1,h2,h3,h4,h5,h6{font-size:inherit;font-weight:inherit}a{color:inherit;text-decoration:inherit}b,strong{font-weight:bolder}code,kbd,pre,samp{font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,Liberation Mono,Courier New,monospace;font-feature-settings:normal;font-variation-settings:normal;font-size:1em}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}table{text-indent:0;border-color:inherit;border-collapse:collapse}button,input,optgroup,select,textarea{font-family:inherit;font-feature-settings:inherit;font-variation-settings:inherit;font-size:100%;font-weight:inherit;line-height:inherit;letter-spacing:inherit;color:inherit;margin:0;padding:0}button,select{text-transform:none}button,input:where([type=button]),input:where([type=reset]),input:where([type=submit]){-webkit-appearance:button;background-color:transparent;background-image:none}:-moz-focusring{outline:auto}:-moz-ui-invalid{box-shadow:none}progress{vertical-align:baseline}::-webkit-inner-spin-button,::-webkit-outer-spin-button{height:auto}[type=search]{-webkit-appearance:textfield;outline-offset:-2px}::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}summary{display:list-item}blockquote,dd,dl,figure,h1,h2,h3,h4,h5,h6,hr,p,pre{margin:0}fieldset{margin:0}fieldset,legend{padding:0}menu,ol,ul{list-style:none;margin:0;padding:0}dialog{padding:0}textarea{resize:vertical}input::-moz-placeholder,textarea::-moz-placeholder{opacity:1;color:#9ca3af}input::placeholder,textarea::placeholder{opacity:1;color:#9ca3af}[role=button],button{cursor:pointer}:disabled{cursor:default}audio,canvas,embed,iframe,img,object,svg,video{display:block;vertical-align:middle}img,video{max-width:100%;height:auto}[hidden]:where(:not([hidden=until-found])){display:none}body{font-family:Nunito,system-ui,sans-serif}html{scroll-behavior:smooth}body,html{overflow-x:hidden}.container{width:100%}@media (min-width:640px){.container{max-width:640px}}@media (min-width:768px){.container{max-width:768px}}@media (min-width:1024px){.container{max-width:1024px}}@media (min-width:1280px){.container{max-width:1280px}}@media (min-width:1536px){.container{max-width:1536px}}.pete-channel-nav{scrollbar-width:none;-ms-overflow-style:none}.pete-channel-nav::-webkit-scrollbar{display:none}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);white-space:nowrap;border-width:0}.pointer-events-none{pointer-events:none}.visible{visibility:visible}.fixed{position:fixed}.absolute{position:absolute}.relative{position:relative}.inset-0{inset:0}.-right-6{right:-1.5rem}.-top-6{top:-1.5rem}.-z-10{z-index:-10}.-z-\[5\]{z-index:-5}.z-50{z-index:50}.mx-auto{margin-left:auto;margin-right:auto}.mb-1{margin-bottom:.25rem}.mb-10{margin-bottom:2.5rem}.mb-12{margin-bottom:3rem}.mb-4{margin-bottom:1rem}.mb-5{margin-bottom:1.25rem}.mb-8{margin-bottom:2rem}.mr-1{margin-right:.25rem}.mt-1{margin-top:.25rem}.mt-10{margin-top:2.5rem}.mt-2{margin-top:.5rem}.mt-3{margin-top:.75rem}.mt-4{margin-top:1rem}.mt-5{margin-top:1.25rem}.line-clamp-2{-webkit-line-clamp:2}.line-clamp-2,.line-clamp-3{overflow:hidden;display:-webkit-box;-webkit-box-orient:vertical}.line-clamp-3{-webkit-line-clamp:3}.block{display:block}.inline-block{display:inline-block}.flex{display:flex}.inline-flex{display:inline-flex}.table{display:table}.grid{display:grid}.hidden{display:none}.aspect-\[16\/10\]{aspect-ratio:16/10}.h-12{height:3rem}.h-20{height:5rem}.h-4{height:1rem}.h-5{height:1.25rem}.h-9{height:2.25rem}.h-full{height:100%}.max-h-\[55vh\]{max-height:55vh}.max-h-\[60vh\]{max-height:60vh}.min-h-screen{min-height:100vh}.w-12{width:3rem}.w-20{width:5rem}.w-4{width:1rem}.w-5{width:1.25rem}.w-9{width:2.25rem}.w-full{width:100%}.min-w-0{min-width:0}.max-w-2xl{max-width:42rem}.max-w-6xl{max-width:72rem}.max-w-full{max-width:100%}.max-w-md{max-width:28rem}.max-w-sm{max-width:24rem}.max-w-xl{max-width:36rem}.flex-1{flex:1 1 0%}.shrink-0{flex-shrink:0}.-translate-y-0{--tw-translate-y:-0px}.-translate-y-0,.transform{transform:translate(var(--tw-translate-x),var(--tw-translate-y)) rotate(var(--tw-rotate)) skewX(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y))}.cursor-pointer{cursor:pointer}.select-none{-webkit-user-select:none;-moz-user-select:none;user-select:none}.resize{resize:both}.grid-cols-1{grid-template-columns:repeat(1,minmax(0,1fr))}.grid-cols-2{grid-template-columns:repeat(2,minmax(0,1fr))}.grid-cols-5{grid-template-columns:repeat(5,minmax(0,1fr))}.flex-col{flex-direction:column}.flex-wrap{flex-wrap:wrap}.items-start{align-items:flex-start}.items-end{align-items:flex-end}.items-center{align-items:center}.items-baseline{align-items:baseline}.justify-center{justify-content:center}.justify-between{justify-content:space-between}.gap-1{gap:.25rem}.gap-1\.5{gap:.375rem}.gap-2{gap:.5rem}.gap-3{gap:.75rem}.gap-4{gap:1rem}.gap-5{gap:1.25rem}.space-y-1>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-top:calc(.25rem*(1 - var(--tw-space-y-reverse)));margin-bottom:calc(.25rem*var(--tw-space-y-reverse))}.space-y-2>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-top:calc(.5rem*(1 - var(--tw-space-y-reverse)));margin-bottom:calc(.5rem*var(--tw-space-y-reverse))}.space-y-3>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-top:calc(.75rem*(1 - var(--tw-space-y-reverse)));margin-bottom:calc(.75rem*var(--tw-space-y-reverse))}.space-y-8>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-top:calc(2rem*(1 - var(--tw-space-y-reverse)));margin-bottom:calc(2rem*var(--tw-space-y-reverse))}.overflow-hidden{overflow:hidden}.overflow-x-auto{overflow-x:auto}.overflow-y-auto{overflow-y:auto}.truncate{overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.rounded{border-radius:.25rem}.rounded-2xl{border-radius:1rem}.rounded-3xl{border-radius:1.5rem}.rounded-full{border-radius:9999px}.rounded-md{border-radius:.375rem}.border{border-width:1px}.border-2{border-width:2px}.border-b{border-bottom-width:1px}.border-t{border-top-width:1px}.border-dashed{border-style:dashed}.border-transparent{border-color:transparent}.bg-\[color\:var\(--accent\)\]{background-color:var(--accent)}.bg-\[color\:var\(--bg\)\]{background-color:var(--bg)}.bg-\[color\:var\(--bg-grad\)\]{background-color:var(--bg-grad)}.bg-\[color\:var\(--card\)\]{background-color:var(--card)}.bg-transparent{background-color:transparent}.object-cover{-o-object-fit:cover;object-fit:cover}.p-0\.5{padding:.125rem}.p-1{padding:.25rem}.p-10{padding:2.5rem}.p-2{padding:.5rem}.p-3{padding:.75rem}.p-4{padding:1rem}.p-5{padding:1.25rem}.p-6{padding:1.5rem}.p-8{padding:2rem}.px-1{padding-left:.25rem;padding-right:.25rem}.px-1\.5{padding-left:.375rem;padding-right:.375rem}.px-2{padding-left:.5rem;padding-right:.5rem}.px-2\.5{padding-left:.625rem;padding-right:.625rem}.px-3{padding-left:.75rem;padding-right:.75rem}.px-4{padding-left:1rem;padding-right:1rem}.px-5{padding-left:1.25rem;padding-right:1.25rem}.py-0{padding-top:0;padding-bottom:0}.py-0\.5{padding-top:.125rem;padding-bottom:.125rem}.py-1{padding-top:.25rem;padding-bottom:.25rem}.py-1\.5{padding-top:.375rem;padding-bottom:.375rem}.py-2{padding-top:.5rem;padding-bottom:.5rem}.py-3{padding-top:.75rem;padding-bottom:.75rem}.py-4{padding-top:1rem;padding-bottom:1rem}.pb-1{padding-bottom:.25rem}.pb-10{padding-bottom:2.5rem}.pb-24{padding-bottom:6rem}.pb-4{padding-bottom:1rem}.pt-1{padding-top:.25rem}.pt-3{padding-top:.75rem}.pt-8{padding-top:2rem}.pt-\[10vh\]{padding-top:10vh}.pt-\[12vh\]{padding-top:12vh}.text-center{text-align:center}.align-\[-4px\]{vertical-align:-4px}.font-mono{font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,Liberation Mono,Courier New,monospace}.text-2xl{font-size:1.5rem;line-height:2rem}.text-3xl{font-size:1.875rem;line-height:2.25rem}.text-4xl{font-size:2.25rem;line-height:2.5rem}.text-5xl{font-size:3rem;line-height:1}.text-\[10px\]{font-size:10px}.text-\[11px\]{font-size:11px}.text-\[12rem\]{font-size:12rem}.text-base{font-size:1rem;line-height:1.5rem}.text-lg{font-size:1.125rem;line-height:1.75rem}.text-sm{font-size:.875rem;line-height:1.25rem}.text-xl{font-size:1.25rem;line-height:1.75rem}.text-xs{font-size:.75rem;line-height:1rem}.font-bold{font-weight:700}.font-semibold{font-weight:600}.uppercase{text-transform:uppercase}.tabular-nums{--tw-numeric-spacing:tabular-nums;font-variant-numeric:var(--tw-ordinal) var(--tw-slashed-zero) var(--tw-numeric-figure) var(--tw-numeric-spacing) var(--tw-numeric-fraction)}.leading-none{line-height:1}.leading-snug{line-height:1.375}.leading-tight{line-height:1.25}.tracking-\[0\.2em\]{letter-spacing:.2em}.tracking-tight{letter-spacing:-.025em}.tracking-wider{letter-spacing:.05em}.text-\[color\:var\(--ink\)\]{color:var(--ink)}.text-red-500{--tw-text-opacity:1;color:rgb(239 68 68/var(--tw-text-opacity,1))}.text-white{--tw-text-opacity:1;color:rgb(255 255 255/var(--tw-text-opacity,1))}.text-white\/85{color:hsla(0,0%,100%,.85)}.underline{text-decoration-line:underline}.decoration-4{text-decoration-thickness:4px}.underline-offset-2{text-underline-offset:2px}.underline-offset-4{text-underline-offset:4px}.accent-\[color\:var\(--accent\)\]{accent-color:var(--accent)}.opacity-20{opacity:.2}.opacity-75{opacity:.75}.opacity-80{opacity:.8}.shadow{--tw-shadow:0 1px 3px 0 rgba(0,0,0,.1),0 1px 2px -1px rgba(0,0,0,.1);--tw-shadow-colored:0 1px 3px 0 var(--tw-shadow-color),0 1px 2px -1px var(--tw-shadow-color)}.shadow,.shadow-sm{box-shadow:var(--tw-ring-offset-shadow,0 0 #0000),var(--tw-ring-shadow,0 0 #0000),var(--tw-shadow)}.shadow-sm{--tw-shadow:0 1px 2px 0 rgba(0,0,0,.05);--tw-shadow-colored:0 1px 2px 0 var(--tw-shadow-color)}.outline-none{outline:2px solid transparent;outline-offset:2px}.outline{outline-style:solid}.blur{--tw-blur:blur(8px)}.blur,.grayscale{filter:var(--tw-blur) var(--tw-brightness) var(--tw-contrast) var(--tw-grayscale) var(--tw-hue-rotate) var(--tw-invert) var(--tw-saturate) var(--tw-sepia) var(--tw-drop-shadow)}.grayscale{--tw-grayscale:grayscale(100%)}.filter{filter:var(--tw-blur) var(--tw-brightness) var(--tw-contrast) var(--tw-grayscale) var(--tw-hue-rotate) var(--tw-invert) var(--tw-saturate) var(--tw-sepia) var(--tw-drop-shadow)}.backdrop-blur-sm{--tw-backdrop-blur:blur(4px);-webkit-backdrop-filter:var(--tw-backdrop-blur) var(--tw-backdrop-brightness) var(--tw-backdrop-contrast) var(--tw-backdrop-grayscale) var(--tw-backdrop-hue-rotate) var(--tw-backdrop-invert) var(--tw-backdrop-opacity) var(--tw-backdrop-saturate) var(--tw-backdrop-sepia);backdrop-filter:var(--tw-backdrop-blur) var(--tw-backdrop-brightness) var(--tw-backdrop-contrast) var(--tw-backdrop-grayscale) var(--tw-backdrop-hue-rotate) var(--tw-backdrop-invert) var(--tw-backdrop-opacity) var(--tw-backdrop-saturate) var(--tw-backdrop-sepia)}.transition{transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,-webkit-backdrop-filter;transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,backdrop-filter;transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,backdrop-filter,-webkit-backdrop-filter;transition-timing-function:cubic-bezier(.4,0,.2,1);transition-duration:.15s}.transition-colors{transition-property:color,background-color,border-color,text-decoration-color,fill,stroke;transition-timing-function:cubic-bezier(.4,0,.2,1);transition-duration:.15s}.transition-transform{transition-property:transform;transition-timing-function:cubic-bezier(.4,0,.2,1);transition-duration:.15s}.duration-1000{transition-duration:1s}.duration-500{transition-duration:.5s}.ease-in-out{transition-timing-function:cubic-bezier(.4,0,.2,1)}.font-display{font-family:Fredoka,Nunito,system-ui,sans-serif;letter-spacing:-.01em}.shadow-pete{box-shadow:0 4px 0 rgba(60,40,20,.1),0 8px 24px rgba(60,40,20,.08)}.shadow-pete-lg{box-shadow:0 6px 0 rgba(60,40,20,.12),0 16px 32px rgba(60,40,20,.12)}.bg-theme-gaming{background-color:#4caf7d}.bg-theme-tech{background-color:#5aa9e6}.bg-theme-politics{background-color:#e07a5f}.bg-theme-eu{background-color:#039}.bg-theme-music{background-color:#b079d6}.bg-theme-anime{background-color:#ec5e8a}.bg-theme-foss{background-color:#d97706}.bg-theme-kids{background-color:#14b8a6}.bg-theme-finance{background-color:#10b981}.bg-theme-lego{background-color:#d01012}.text-theme-gaming{color:#2d8a5a}.text-theme-tech{color:#2f7fb8}.text-theme-politics{color:#b8523a}.text-theme-eu{color:#039}.text-theme-music{color:#8a4fb8}.text-theme-anime{color:#c33a6a}.text-theme-foss{color:#b8530a}.text-theme-kids{color:#0f766e}.text-theme-finance{color:#059669}.text-theme-lego{color:#b00d0e}.decoration-theme-gaming{text-decoration-color:#4caf7d}.decoration-theme-tech{text-decoration-color:#5aa9e6}.decoration-theme-politics{text-decoration-color:#e07a5f}.decoration-theme-eu{text-decoration-color:#039}.decoration-theme-music{text-decoration-color:#b079d6}.decoration-theme-anime{text-decoration-color:#ec5e8a}.decoration-theme-foss{text-decoration-color:#d97706}.decoration-theme-kids{text-decoration-color:#14b8a6}.decoration-theme-finance{text-decoration-color:#10b981}.decoration-theme-lego{text-decoration-color:#d01012}.border-theme-gaming{border-color:#4caf7d}.border-theme-tech{border-color:#5aa9e6}.border-theme-politics{border-color:#e07a5f}.border-theme-eu{border-color:#039}.border-theme-music{border-color:#b079d6}.border-theme-anime{border-color:#ec5e8a}.border-theme-foss{border-color:#d97706}.border-theme-kids{border-color:#14b8a6}.border-theme-finance{border-color:#10b981}.border-theme-lego{border-color:#d01012}.glow-theme-gaming{box-shadow:0 0 0 2px rgba(76,175,125,.35),0 0 24px 4px rgba(76,175,125,.45)}.glow-theme-gaming,.glow-theme-tech{animation:pete-glow-pulse 2.4s ease-in-out infinite}.glow-theme-tech{box-shadow:0 0 0 2px rgba(90,169,230,.35),0 0 24px 4px rgba(90,169,230,.45)}.glow-theme-politics{box-shadow:0 0 0 2px rgba(224,122,95,.35),0 0 24px 4px rgba(224,122,95,.45)}.glow-theme-eu,.glow-theme-politics{animation:pete-glow-pulse 2.4s ease-in-out infinite}.glow-theme-eu{box-shadow:0 0 0 2px rgba(0,51,153,.35),0 0 24px 4px rgba(0,51,153,.45)}.glow-theme-music{box-shadow:0 0 0 2px rgba(176,121,214,.35),0 0 24px 4px rgba(176,121,214,.45)}.glow-theme-anime,.glow-theme-music{animation:pete-glow-pulse 2.4s ease-in-out infinite}.glow-theme-anime{box-shadow:0 0 0 2px rgba(236,94,138,.35),0 0 24px 4px rgba(236,94,138,.45)}.glow-theme-foss{box-shadow:0 0 0 2px rgba(217,119,6,.35),0 0 24px 4px rgba(217,119,6,.45)}.glow-theme-foss,.glow-theme-kids{animation:pete-glow-pulse 2.4s ease-in-out infinite}.glow-theme-kids{box-shadow:0 0 0 2px rgba(20,184,166,.35),0 0 24px 4px rgba(20,184,166,.45)}.glow-theme-finance{box-shadow:0 0 0 2px rgba(16,185,129,.35),0 0 24px 4px rgba(16,185,129,.45)}.glow-theme-finance,.glow-theme-lego{animation:pete-glow-pulse 2.4s ease-in-out infinite}.glow-theme-lego{box-shadow:0 0 0 2px rgba(208,16,18,.35),0 0 24px 4px rgba(208,16,18,.45)}@keyframes pete-glow-pulse{0%,to{filter:brightness(1)}50%{filter:brightness(1.08)}}.line-clamp-3{display:-webkit-box;-webkit-line-clamp:3;-webkit-box-orient:vertical;overflow:hidden}.paywall-stamp{position:absolute;inset:0;pointer-events:none;display:flex;align-items:center;justify-content:center;z-index:5;background:rgba(255,250,240,.18)}.paywall-stamp:before{content:"PAYWALLED";font-family:var(--font-display,ui-sans-serif),system-ui,sans-serif;font-weight:900;font-size:clamp(1rem,3.2vw,1.75rem);letter-spacing:.12em;color:rgba(180,30,30,.85);border:.28rem double rgba(180,30,30,.85);padding:.3rem .9rem;transform:rotate(-15deg);text-shadow:0 1px 0 hsla(0,0%,100%,.4);box-shadow:inset 0 0 0 2px hsla(0,0%,100%,.15);background:rgba(255,240,230,.55);border-radius:.25rem;filter:contrast(1.05)}:root,html[data-phase=day]{--bg:#fff7e4;--bg-grad:#ffeec2;--card:#fff;--ink:#3a2e1f;--accent:#f2a541}html[data-phase=dawn]{--bg:#ffe7d6;--bg-grad:#ffc9c9;--card:#fff4ea;--ink:#4a2e2a;--accent:#ff8a65}html[data-phase=dusk]{--bg:#ffd6a8;--bg-grad:#f7a07e;--card:#fff1de;--ink:#3d2417;--accent:#e6553a}html[data-phase=night]{--bg:#1a1f3a;--bg-grad:#2a3358;--card:#2d365a;--ink:#f1ecd8;--accent:#f9d976}.empty\:hidden:empty{display:none}.hover\:-translate-y-0\.5:hover{--tw-translate-y:-0.125rem}.hover\:-translate-y-0\.5:hover,.hover\:-translate-y-1:hover{transform:translate(var(--tw-translate-x),var(--tw-translate-y)) rotate(var(--tw-rotate)) skewX(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y))}.hover\:-translate-y-1:hover{--tw-translate-y:-0.25rem}.hover\:text-\[color\:var\(--ink\)\]:hover{color:var(--ink)}.hover\:brightness-105:hover{--tw-brightness:brightness(1.05);filter:var(--tw-blur) var(--tw-brightness) var(--tw-contrast) var(--tw-grayscale) var(--tw-hue-rotate) var(--tw-invert) var(--tw-saturate) var(--tw-sepia) var(--tw-drop-shadow)}.hover\:shadow-pete-lg:hover{box-shadow:0 6px 0 rgba(60,40,20,.12),0 16px 32px rgba(60,40,20,.12)}.focus\:border-\[color\:var\(--accent\)\]:focus{border-color:var(--accent)}.disabled\:opacity-50:disabled{opacity:.5}.group:hover .group-hover\:-rotate-6{--tw-rotate:-6deg}.group:hover .group-hover\:-rotate-6,.group:hover .group-hover\:scale-105{transform:translate(var(--tw-translate-x),var(--tw-translate-y)) rotate(var(--tw-rotate)) skewX(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y))}.group:hover .group-hover\:scale-105{--tw-scale-x:1.05;--tw-scale-y:1.05}.group:hover .group-hover\:underline{text-decoration-line:underline}@media (min-width:640px){.sm\:block{display:block}.sm\:inline{display:inline}.sm\:flex{display:flex}.sm\:inline-flex{display:inline-flex}.sm\:grid-cols-2{grid-template-columns:repeat(2,minmax(0,1fr))}.sm\:gap-2{gap:.5rem}.sm\:gap-4{gap:1rem}.sm\:p-10{padding:2.5rem}.sm\:pt-12{padding-top:3rem}.sm\:text-2xl{font-size:1.5rem;line-height:2rem}.sm\:text-5xl{font-size:3rem;line-height:1}.sm\:text-6xl{font-size:3.75rem;line-height:1}.sm\:text-lg{font-size:1.125rem;line-height:1.75rem}}@media (min-width:1024px){.lg\:grid-cols-3{grid-template-columns:repeat(3,minmax(0,1fr))}.lg\:grid-cols-4{grid-template-columns:repeat(4,minmax(0,1fr))}} \ No newline at end of file +*,:after,:before{--tw-border-spacing-x:0;--tw-border-spacing-y:0;--tw-translate-x:0;--tw-translate-y:0;--tw-rotate:0;--tw-skew-x:0;--tw-skew-y:0;--tw-scale-x:1;--tw-scale-y:1;--tw-pan-x: ;--tw-pan-y: ;--tw-pinch-zoom: ;--tw-scroll-snap-strictness:proximity;--tw-gradient-from-position: ;--tw-gradient-via-position: ;--tw-gradient-to-position: ;--tw-ordinal: ;--tw-slashed-zero: ;--tw-numeric-figure: ;--tw-numeric-spacing: ;--tw-numeric-fraction: ;--tw-ring-inset: ;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-color:rgba(59,130,246,.5);--tw-ring-offset-shadow:0 0 #0000;--tw-ring-shadow:0 0 #0000;--tw-shadow:0 0 #0000;--tw-shadow-colored:0 0 #0000;--tw-blur: ;--tw-brightness: ;--tw-contrast: ;--tw-grayscale: ;--tw-hue-rotate: ;--tw-invert: ;--tw-saturate: ;--tw-sepia: ;--tw-drop-shadow: ;--tw-backdrop-blur: ;--tw-backdrop-brightness: ;--tw-backdrop-contrast: ;--tw-backdrop-grayscale: ;--tw-backdrop-hue-rotate: ;--tw-backdrop-invert: ;--tw-backdrop-opacity: ;--tw-backdrop-saturate: ;--tw-backdrop-sepia: ;--tw-contain-size: ;--tw-contain-layout: ;--tw-contain-paint: ;--tw-contain-style: }::backdrop{--tw-border-spacing-x:0;--tw-border-spacing-y:0;--tw-translate-x:0;--tw-translate-y:0;--tw-rotate:0;--tw-skew-x:0;--tw-skew-y:0;--tw-scale-x:1;--tw-scale-y:1;--tw-pan-x: ;--tw-pan-y: ;--tw-pinch-zoom: ;--tw-scroll-snap-strictness:proximity;--tw-gradient-from-position: ;--tw-gradient-via-position: ;--tw-gradient-to-position: ;--tw-ordinal: ;--tw-slashed-zero: ;--tw-numeric-figure: ;--tw-numeric-spacing: ;--tw-numeric-fraction: ;--tw-ring-inset: ;--tw-ring-offset-width:0px;--tw-ring-offset-color:#fff;--tw-ring-color:rgba(59,130,246,.5);--tw-ring-offset-shadow:0 0 #0000;--tw-ring-shadow:0 0 #0000;--tw-shadow:0 0 #0000;--tw-shadow-colored:0 0 #0000;--tw-blur: ;--tw-brightness: ;--tw-contrast: ;--tw-grayscale: ;--tw-hue-rotate: ;--tw-invert: ;--tw-saturate: ;--tw-sepia: ;--tw-drop-shadow: ;--tw-backdrop-blur: ;--tw-backdrop-brightness: ;--tw-backdrop-contrast: ;--tw-backdrop-grayscale: ;--tw-backdrop-hue-rotate: ;--tw-backdrop-invert: ;--tw-backdrop-opacity: ;--tw-backdrop-saturate: ;--tw-backdrop-sepia: ;--tw-contain-size: ;--tw-contain-layout: ;--tw-contain-paint: ;--tw-contain-style: }/*! tailwindcss v3.4.19 | MIT License | https://tailwindcss.com*/*,:after,:before{box-sizing:border-box;border:0 solid #e5e7eb}:after,:before{--tw-content:""}:host,html{line-height:1.5;-webkit-text-size-adjust:100%;-moz-tab-size:4;-o-tab-size:4;tab-size:4;font-family:ui-sans-serif,system-ui,sans-serif,Apple Color Emoji,Segoe UI Emoji,Segoe UI Symbol,Noto Color Emoji;font-feature-settings:normal;font-variation-settings:normal;-webkit-tap-highlight-color:transparent}body{margin:0;line-height:inherit}hr{height:0;color:inherit;border-top-width:1px}abbr:where([title]){-webkit-text-decoration:underline dotted;text-decoration:underline dotted}h1,h2,h3,h4,h5,h6{font-size:inherit;font-weight:inherit}a{color:inherit;text-decoration:inherit}b,strong{font-weight:bolder}code,kbd,pre,samp{font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,Liberation Mono,Courier New,monospace;font-feature-settings:normal;font-variation-settings:normal;font-size:1em}small{font-size:80%}sub,sup{font-size:75%;line-height:0;position:relative;vertical-align:baseline}sub{bottom:-.25em}sup{top:-.5em}table{text-indent:0;border-color:inherit;border-collapse:collapse}button,input,optgroup,select,textarea{font-family:inherit;font-feature-settings:inherit;font-variation-settings:inherit;font-size:100%;font-weight:inherit;line-height:inherit;letter-spacing:inherit;color:inherit;margin:0;padding:0}button,select{text-transform:none}button,input:where([type=button]),input:where([type=reset]),input:where([type=submit]){-webkit-appearance:button;background-color:transparent;background-image:none}:-moz-focusring{outline:auto}:-moz-ui-invalid{box-shadow:none}progress{vertical-align:baseline}::-webkit-inner-spin-button,::-webkit-outer-spin-button{height:auto}[type=search]{-webkit-appearance:textfield;outline-offset:-2px}::-webkit-search-decoration{-webkit-appearance:none}::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}summary{display:list-item}blockquote,dd,dl,figure,h1,h2,h3,h4,h5,h6,hr,p,pre{margin:0}fieldset{margin:0}fieldset,legend{padding:0}menu,ol,ul{list-style:none;margin:0;padding:0}dialog{padding:0}textarea{resize:vertical}input::-moz-placeholder,textarea::-moz-placeholder{opacity:1;color:#9ca3af}input::placeholder,textarea::placeholder{opacity:1;color:#9ca3af}[role=button],button{cursor:pointer}:disabled{cursor:default}audio,canvas,embed,iframe,img,object,svg,video{display:block;vertical-align:middle}img,video{max-width:100%;height:auto}[hidden]:where(:not([hidden=until-found])){display:none}body{font-family:Nunito,system-ui,sans-serif}html{scroll-behavior:smooth}body,html{overflow-x:hidden}.container{width:100%}@media (min-width:640px){.container{max-width:640px}}@media (min-width:768px){.container{max-width:768px}}@media (min-width:1024px){.container{max-width:1024px}}@media (min-width:1280px){.container{max-width:1280px}}@media (min-width:1536px){.container{max-width:1536px}}.pete-channel-nav{scrollbar-width:none;-ms-overflow-style:none}.pete-channel-nav::-webkit-scrollbar{display:none}.sr-only{position:absolute;width:1px;height:1px;padding:0;margin:-1px;overflow:hidden;clip:rect(0,0,0,0);white-space:nowrap;border-width:0}.pointer-events-none{pointer-events:none}.visible{visibility:visible}.fixed{position:fixed}.absolute{position:absolute}.relative{position:relative}.inset-0{inset:0}.-right-6{right:-1.5rem}.-top-6{top:-1.5rem}.-z-10{z-index:-10}.-z-\[5\]{z-index:-5}.z-50{z-index:50}.mx-auto{margin-left:auto;margin-right:auto}.mb-1{margin-bottom:.25rem}.mb-10{margin-bottom:2.5rem}.mb-12{margin-bottom:3rem}.mb-4{margin-bottom:1rem}.mb-5{margin-bottom:1.25rem}.mb-8{margin-bottom:2rem}.mr-1{margin-right:.25rem}.mt-1{margin-top:.25rem}.mt-10{margin-top:2.5rem}.mt-2{margin-top:.5rem}.mt-3{margin-top:.75rem}.mt-4{margin-top:1rem}.mt-5{margin-top:1.25rem}.line-clamp-2{-webkit-line-clamp:2}.line-clamp-2,.line-clamp-3{overflow:hidden;display:-webkit-box;-webkit-box-orient:vertical}.line-clamp-3{-webkit-line-clamp:3}.block{display:block}.inline-block{display:inline-block}.flex{display:flex}.inline-flex{display:inline-flex}.table{display:table}.grid{display:grid}.hidden{display:none}.aspect-\[16\/10\]{aspect-ratio:16/10}.h-12{height:3rem}.h-20{height:5rem}.h-4{height:1rem}.h-5{height:1.25rem}.h-6{height:1.5rem}.h-9{height:2.25rem}.h-full{height:100%}.max-h-\[55vh\]{max-height:55vh}.max-h-\[60vh\]{max-height:60vh}.min-h-screen{min-height:100vh}.w-12{width:3rem}.w-20{width:5rem}.w-4{width:1rem}.w-5{width:1.25rem}.w-6{width:1.5rem}.w-9{width:2.25rem}.w-full{width:100%}.min-w-0{min-width:0}.max-w-2xl{max-width:42rem}.max-w-6xl{max-width:72rem}.max-w-\[7rem\]{max-width:7rem}.max-w-full{max-width:100%}.max-w-md{max-width:28rem}.max-w-sm{max-width:24rem}.max-w-xl{max-width:36rem}.flex-1{flex:1 1 0%}.shrink-0{flex-shrink:0}.-translate-y-0{--tw-translate-y:-0px}.-translate-y-0,.transform{transform:translate(var(--tw-translate-x),var(--tw-translate-y)) rotate(var(--tw-rotate)) skewX(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y))}.cursor-pointer{cursor:pointer}.select-none{-webkit-user-select:none;-moz-user-select:none;user-select:none}.resize{resize:both}.grid-cols-1{grid-template-columns:repeat(1,minmax(0,1fr))}.grid-cols-2{grid-template-columns:repeat(2,minmax(0,1fr))}.grid-cols-5{grid-template-columns:repeat(5,minmax(0,1fr))}.flex-col{flex-direction:column}.flex-wrap{flex-wrap:wrap}.place-items-center{place-items:center}.items-start{align-items:flex-start}.items-end{align-items:flex-end}.items-center{align-items:center}.items-baseline{align-items:baseline}.justify-center{justify-content:center}.justify-between{justify-content:space-between}.gap-1{gap:.25rem}.gap-1\.5{gap:.375rem}.gap-2{gap:.5rem}.gap-3{gap:.75rem}.gap-4{gap:1rem}.gap-5{gap:1.25rem}.space-y-1>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-top:calc(.25rem*(1 - var(--tw-space-y-reverse)));margin-bottom:calc(.25rem*var(--tw-space-y-reverse))}.space-y-2>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-top:calc(.5rem*(1 - var(--tw-space-y-reverse)));margin-bottom:calc(.5rem*var(--tw-space-y-reverse))}.space-y-3>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-top:calc(.75rem*(1 - var(--tw-space-y-reverse)));margin-bottom:calc(.75rem*var(--tw-space-y-reverse))}.space-y-8>:not([hidden])~:not([hidden]){--tw-space-y-reverse:0;margin-top:calc(2rem*(1 - var(--tw-space-y-reverse)));margin-bottom:calc(2rem*var(--tw-space-y-reverse))}.overflow-hidden{overflow:hidden}.overflow-x-auto{overflow-x:auto}.overflow-y-auto{overflow-y:auto}.truncate{overflow:hidden;text-overflow:ellipsis;white-space:nowrap}.rounded{border-radius:.25rem}.rounded-2xl{border-radius:1rem}.rounded-3xl{border-radius:1.5rem}.rounded-full{border-radius:9999px}.rounded-md{border-radius:.375rem}.border{border-width:1px}.border-2{border-width:2px}.border-b{border-bottom-width:1px}.border-t{border-top-width:1px}.border-dashed{border-style:dashed}.border-transparent{border-color:transparent}.bg-\[color\:var\(--accent\)\]{background-color:var(--accent)}.bg-\[color\:var\(--bg\)\]{background-color:var(--bg)}.bg-\[color\:var\(--bg-grad\)\]{background-color:var(--bg-grad)}.bg-\[color\:var\(--card\)\]{background-color:var(--card)}.bg-transparent{background-color:transparent}.object-cover{-o-object-fit:cover;object-fit:cover}.p-0{padding:0}.p-0\.5{padding:.125rem}.p-1{padding:.25rem}.p-10{padding:2.5rem}.p-2{padding:.5rem}.p-3{padding:.75rem}.p-4{padding:1rem}.p-5{padding:1.25rem}.p-6{padding:1.5rem}.p-8{padding:2rem}.px-1{padding-left:.25rem;padding-right:.25rem}.px-1\.5{padding-left:.375rem;padding-right:.375rem}.px-2{padding-left:.5rem;padding-right:.5rem}.px-2\.5{padding-left:.625rem;padding-right:.625rem}.px-3{padding-left:.75rem;padding-right:.75rem}.px-4{padding-left:1rem;padding-right:1rem}.px-5{padding-left:1.25rem;padding-right:1.25rem}.py-0{padding-top:0;padding-bottom:0}.py-0\.5{padding-top:.125rem;padding-bottom:.125rem}.py-1{padding-top:.25rem;padding-bottom:.25rem}.py-1\.5{padding-top:.375rem;padding-bottom:.375rem}.py-2{padding-top:.5rem;padding-bottom:.5rem}.py-3{padding-top:.75rem;padding-bottom:.75rem}.py-4{padding-top:1rem;padding-bottom:1rem}.pb-1{padding-bottom:.25rem}.pb-10{padding-bottom:2.5rem}.pb-24{padding-bottom:6rem}.pb-4{padding-bottom:1rem}.pt-1{padding-top:.25rem}.pt-3{padding-top:.75rem}.pt-8{padding-top:2rem}.pt-\[10vh\]{padding-top:10vh}.pt-\[12vh\]{padding-top:12vh}.text-center{text-align:center}.align-\[-4px\]{vertical-align:-4px}.font-mono{font-family:ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,Liberation Mono,Courier New,monospace}.text-2xl{font-size:1.5rem;line-height:2rem}.text-3xl{font-size:1.875rem;line-height:2.25rem}.text-4xl{font-size:2.25rem;line-height:2.5rem}.text-5xl{font-size:3rem;line-height:1}.text-\[10px\]{font-size:10px}.text-\[11px\]{font-size:11px}.text-\[12rem\]{font-size:12rem}.text-base{font-size:1rem;line-height:1.5rem}.text-lg{font-size:1.125rem;line-height:1.75rem}.text-sm{font-size:.875rem;line-height:1.25rem}.text-xl{font-size:1.25rem;line-height:1.75rem}.text-xs{font-size:.75rem;line-height:1rem}.font-bold{font-weight:700}.font-semibold{font-weight:600}.uppercase{text-transform:uppercase}.tabular-nums{--tw-numeric-spacing:tabular-nums;font-variant-numeric:var(--tw-ordinal) var(--tw-slashed-zero) var(--tw-numeric-figure) var(--tw-numeric-spacing) var(--tw-numeric-fraction)}.leading-none{line-height:1}.leading-snug{line-height:1.375}.leading-tight{line-height:1.25}.tracking-\[0\.2em\]{letter-spacing:.2em}.tracking-tight{letter-spacing:-.025em}.tracking-wider{letter-spacing:.05em}.text-\[color\:var\(--ink\)\]{color:var(--ink)}.text-red-500{--tw-text-opacity:1;color:rgb(239 68 68/var(--tw-text-opacity,1))}.text-white{--tw-text-opacity:1;color:rgb(255 255 255/var(--tw-text-opacity,1))}.text-white\/85{color:hsla(0,0%,100%,.85)}.underline{text-decoration-line:underline}.decoration-4{text-decoration-thickness:4px}.underline-offset-2{text-underline-offset:2px}.underline-offset-4{text-underline-offset:4px}.accent-\[color\:var\(--accent\)\]{accent-color:var(--accent)}.opacity-20{opacity:.2}.opacity-75{opacity:.75}.opacity-80{opacity:.8}.shadow{--tw-shadow:0 1px 3px 0 rgba(0,0,0,.1),0 1px 2px -1px rgba(0,0,0,.1);--tw-shadow-colored:0 1px 3px 0 var(--tw-shadow-color),0 1px 2px -1px var(--tw-shadow-color)}.shadow,.shadow-sm{box-shadow:var(--tw-ring-offset-shadow,0 0 #0000),var(--tw-ring-shadow,0 0 #0000),var(--tw-shadow)}.shadow-sm{--tw-shadow:0 1px 2px 0 rgba(0,0,0,.05);--tw-shadow-colored:0 1px 2px 0 var(--tw-shadow-color)}.outline-none{outline:2px solid transparent;outline-offset:2px}.outline{outline-style:solid}.blur{--tw-blur:blur(8px)}.blur,.grayscale{filter:var(--tw-blur) var(--tw-brightness) var(--tw-contrast) var(--tw-grayscale) var(--tw-hue-rotate) var(--tw-invert) var(--tw-saturate) var(--tw-sepia) var(--tw-drop-shadow)}.grayscale{--tw-grayscale:grayscale(100%)}.filter{filter:var(--tw-blur) var(--tw-brightness) var(--tw-contrast) var(--tw-grayscale) var(--tw-hue-rotate) var(--tw-invert) var(--tw-saturate) var(--tw-sepia) var(--tw-drop-shadow)}.backdrop-blur-sm{--tw-backdrop-blur:blur(4px);-webkit-backdrop-filter:var(--tw-backdrop-blur) var(--tw-backdrop-brightness) var(--tw-backdrop-contrast) var(--tw-backdrop-grayscale) var(--tw-backdrop-hue-rotate) var(--tw-backdrop-invert) var(--tw-backdrop-opacity) var(--tw-backdrop-saturate) var(--tw-backdrop-sepia);backdrop-filter:var(--tw-backdrop-blur) var(--tw-backdrop-brightness) var(--tw-backdrop-contrast) var(--tw-backdrop-grayscale) var(--tw-backdrop-hue-rotate) var(--tw-backdrop-invert) var(--tw-backdrop-opacity) var(--tw-backdrop-saturate) var(--tw-backdrop-sepia)}.transition{transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,-webkit-backdrop-filter;transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,backdrop-filter;transition-property:color,background-color,border-color,text-decoration-color,fill,stroke,opacity,box-shadow,transform,filter,backdrop-filter,-webkit-backdrop-filter;transition-timing-function:cubic-bezier(.4,0,.2,1);transition-duration:.15s}.transition-colors{transition-property:color,background-color,border-color,text-decoration-color,fill,stroke;transition-timing-function:cubic-bezier(.4,0,.2,1);transition-duration:.15s}.transition-transform{transition-property:transform;transition-timing-function:cubic-bezier(.4,0,.2,1);transition-duration:.15s}.duration-1000{transition-duration:1s}.duration-500{transition-duration:.5s}.ease-in-out{transition-timing-function:cubic-bezier(.4,0,.2,1)}.font-display{font-family:Fredoka,Nunito,system-ui,sans-serif;letter-spacing:-.01em}.shadow-pete{box-shadow:0 4px 0 rgba(60,40,20,.1),0 8px 24px rgba(60,40,20,.08)}.shadow-pete-lg{box-shadow:0 6px 0 rgba(60,40,20,.12),0 16px 32px rgba(60,40,20,.12)}.bg-theme-gaming{background-color:#4caf7d}.bg-theme-tech{background-color:#5aa9e6}.bg-theme-politics{background-color:#e07a5f}.bg-theme-eu{background-color:#039}.bg-theme-music{background-color:#b079d6}.bg-theme-anime{background-color:#ec5e8a}.bg-theme-foss{background-color:#d97706}.bg-theme-kids{background-color:#14b8a6}.bg-theme-finance{background-color:#10b981}.bg-theme-lego{background-color:#d01012}.text-theme-gaming{color:#2d8a5a}.text-theme-tech{color:#2f7fb8}.text-theme-politics{color:#b8523a}.text-theme-eu{color:#039}.text-theme-music{color:#8a4fb8}.text-theme-anime{color:#c33a6a}.text-theme-foss{color:#b8530a}.text-theme-kids{color:#0f766e}.text-theme-finance{color:#059669}.text-theme-lego{color:#b00d0e}.decoration-theme-gaming{text-decoration-color:#4caf7d}.decoration-theme-tech{text-decoration-color:#5aa9e6}.decoration-theme-politics{text-decoration-color:#e07a5f}.decoration-theme-eu{text-decoration-color:#039}.decoration-theme-music{text-decoration-color:#b079d6}.decoration-theme-anime{text-decoration-color:#ec5e8a}.decoration-theme-foss{text-decoration-color:#d97706}.decoration-theme-kids{text-decoration-color:#14b8a6}.decoration-theme-finance{text-decoration-color:#10b981}.decoration-theme-lego{text-decoration-color:#d01012}.border-theme-gaming{border-color:#4caf7d}.border-theme-tech{border-color:#5aa9e6}.border-theme-politics{border-color:#e07a5f}.border-theme-eu{border-color:#039}.border-theme-music{border-color:#b079d6}.border-theme-anime{border-color:#ec5e8a}.border-theme-foss{border-color:#d97706}.border-theme-kids{border-color:#14b8a6}.border-theme-finance{border-color:#10b981}.border-theme-lego{border-color:#d01012}.glow-theme-gaming{box-shadow:0 0 0 2px rgba(76,175,125,.35),0 0 24px 4px rgba(76,175,125,.45)}.glow-theme-gaming,.glow-theme-tech{animation:pete-glow-pulse 2.4s ease-in-out infinite}.glow-theme-tech{box-shadow:0 0 0 2px rgba(90,169,230,.35),0 0 24px 4px rgba(90,169,230,.45)}.glow-theme-politics{box-shadow:0 0 0 2px rgba(224,122,95,.35),0 0 24px 4px rgba(224,122,95,.45)}.glow-theme-eu,.glow-theme-politics{animation:pete-glow-pulse 2.4s ease-in-out infinite}.glow-theme-eu{box-shadow:0 0 0 2px rgba(0,51,153,.35),0 0 24px 4px rgba(0,51,153,.45)}.glow-theme-music{box-shadow:0 0 0 2px rgba(176,121,214,.35),0 0 24px 4px rgba(176,121,214,.45)}.glow-theme-anime,.glow-theme-music{animation:pete-glow-pulse 2.4s ease-in-out infinite}.glow-theme-anime{box-shadow:0 0 0 2px rgba(236,94,138,.35),0 0 24px 4px rgba(236,94,138,.45)}.glow-theme-foss{box-shadow:0 0 0 2px rgba(217,119,6,.35),0 0 24px 4px rgba(217,119,6,.45)}.glow-theme-foss,.glow-theme-kids{animation:pete-glow-pulse 2.4s ease-in-out infinite}.glow-theme-kids{box-shadow:0 0 0 2px rgba(20,184,166,.35),0 0 24px 4px rgba(20,184,166,.45)}.glow-theme-finance{box-shadow:0 0 0 2px rgba(16,185,129,.35),0 0 24px 4px rgba(16,185,129,.45)}.glow-theme-finance,.glow-theme-lego{animation:pete-glow-pulse 2.4s ease-in-out infinite}.glow-theme-lego{box-shadow:0 0 0 2px rgba(208,16,18,.35),0 0 24px 4px rgba(208,16,18,.45)}@keyframes pete-glow-pulse{0%,to{filter:brightness(1)}50%{filter:brightness(1.08)}}.line-clamp-3{display:-webkit-box;-webkit-line-clamp:3;-webkit-box-orient:vertical;overflow:hidden}.paywall-stamp{position:absolute;inset:0;pointer-events:none;display:flex;align-items:center;justify-content:center;z-index:5;background:rgba(255,250,240,.18)}.paywall-stamp:before{content:"PAYWALLED";font-family:var(--font-display,ui-sans-serif),system-ui,sans-serif;font-weight:900;font-size:clamp(1rem,3.2vw,1.75rem);letter-spacing:.12em;color:rgba(180,30,30,.85);border:.28rem double rgba(180,30,30,.85);padding:.3rem .9rem;transform:rotate(-15deg);text-shadow:0 1px 0 hsla(0,0%,100%,.4);box-shadow:inset 0 0 0 2px hsla(0,0%,100%,.15);background:rgba(255,240,230,.55);border-radius:.25rem;filter:contrast(1.05)}:root,html[data-phase=day]{--bg:#fff7e4;--bg-grad:#ffeec2;--card:#fff;--ink:#3a2e1f;--accent:#f2a541}html[data-phase=dawn]{--bg:#ffe7d6;--bg-grad:#ffc9c9;--card:#fff4ea;--ink:#4a2e2a;--accent:#ff8a65}html[data-phase=dusk]{--bg:#ffd6a8;--bg-grad:#f7a07e;--card:#fff1de;--ink:#3d2417;--accent:#e6553a}html[data-phase=night]{--bg:#1a1f3a;--bg-grad:#2a3358;--card:#2d365a;--ink:#f1ecd8;--accent:#f9d976}.empty\:hidden:empty{display:none}.hover\:-translate-y-0\.5:hover{--tw-translate-y:-0.125rem}.hover\:-translate-y-0\.5:hover,.hover\:-translate-y-1:hover{transform:translate(var(--tw-translate-x),var(--tw-translate-y)) rotate(var(--tw-rotate)) skewX(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y))}.hover\:-translate-y-1:hover{--tw-translate-y:-0.25rem}.hover\:text-\[color\:var\(--ink\)\]:hover{color:var(--ink)}.hover\:brightness-105:hover{--tw-brightness:brightness(1.05);filter:var(--tw-blur) var(--tw-brightness) var(--tw-contrast) var(--tw-grayscale) var(--tw-hue-rotate) var(--tw-invert) var(--tw-saturate) var(--tw-sepia) var(--tw-drop-shadow)}.hover\:shadow-pete-lg:hover{box-shadow:0 6px 0 rgba(60,40,20,.12),0 16px 32px rgba(60,40,20,.12)}.focus\:border-\[color\:var\(--accent\)\]:focus{border-color:var(--accent)}.disabled\:opacity-50:disabled{opacity:.5}.group:hover .group-hover\:-rotate-6{--tw-rotate:-6deg}.group:hover .group-hover\:-rotate-6,.group:hover .group-hover\:scale-105{transform:translate(var(--tw-translate-x),var(--tw-translate-y)) rotate(var(--tw-rotate)) skewX(var(--tw-skew-x)) skewY(var(--tw-skew-y)) scaleX(var(--tw-scale-x)) scaleY(var(--tw-scale-y))}.group:hover .group-hover\:scale-105{--tw-scale-x:1.05;--tw-scale-y:1.05}.group:hover .group-hover\:underline{text-decoration-line:underline}@media (min-width:640px){.sm\:block{display:block}.sm\:inline{display:inline}.sm\:flex{display:flex}.sm\:inline-flex{display:inline-flex}.sm\:grid-cols-2{grid-template-columns:repeat(2,minmax(0,1fr))}.sm\:gap-2{gap:.5rem}.sm\:gap-4{gap:1rem}.sm\:p-10{padding:2.5rem}.sm\:pt-12{padding-top:3rem}.sm\:text-2xl{font-size:1.5rem;line-height:2rem}.sm\:text-5xl{font-size:3rem;line-height:1}.sm\:text-6xl{font-size:3.75rem;line-height:1}.sm\:text-lg{font-size:1.125rem;line-height:1.75rem}}@media (min-width:1024px){.lg\:grid-cols-3{grid-template-columns:repeat(3,minmax(0,1fr))}.lg\:grid-cols-4{grid-template-columns:repeat(4,minmax(0,1fr))}} \ No newline at end of file diff --git a/internal/web/static/js/prefs.js b/internal/web/static/js/prefs.js new file mode 100644 index 0000000..e4e1d9c --- /dev/null +++ b/internal/web/static/js/prefs.js @@ -0,0 +1,70 @@ +// Preference sync. Anonymous visitors keep using localStorage exactly as +// before — this file is a no-op for them. When a user is signed in (Authentik +// via OIDC), the server is the source of truth: their stored blob is injected +// as window.PETE_PREFS and seeded into localStorage *synchronously* here, before +// the feature scripts (settings.js, weather*.js) read it. Those scripts then +// call PetePrefs.push() after every write to mirror the change back up. +// +// This script must run before the others — it's loaded first in layout.html, +// and all the feature scripts are `defer`, so document order is guaranteed. +(function () { + // The localStorage keys we sync. The weather *cache* is deliberately excluded: + // it's transient and per-device. + var SYNCED = ["pete.disabledSources.v1", "pete.weather.loc.v1", "pete-weather-off"]; + + var user = window.PETE_USER || null; + var serverPrefs = window.PETE_PREFS || null; + + function seed(prefs) { + SYNCED.forEach(function (k) { + if (!Object.prototype.hasOwnProperty.call(prefs, k)) return; + var v = prefs[k]; + try { + if (v === null || v === undefined) localStorage.removeItem(k); + else localStorage.setItem(k, String(v)); + } catch (e) {} + }); + } + + function snapshot() { + var out = {}; + SYNCED.forEach(function (k) { + try { var v = localStorage.getItem(k); if (v !== null) out[k] = v; } catch (e) {} + }); + return out; + } + + var timer = null; + function push() { + if (!user) return; // anonymous: localStorage only + if (timer) clearTimeout(timer); + timer = setTimeout(function () { + timer = null; + try { + fetch("/api/preferences", { + method: "PUT", + headers: { "Content-Type": "application/json" }, + body: JSON.stringify(snapshot()), + credentials: "same-origin", + keepalive: true + }).catch(function () {}); + } catch (e) {} + }, 600); + } + + window.PetePrefs = { push: push, loggedIn: !!user, syncedKeys: SYNCED }; + + if (user) { + if (serverPrefs && typeof serverPrefs === "object") { + seed(serverPrefs); // cross-device: server wins on load + } else { + push(); // first sign-in: migrate this browser's prefs to the account + } + // Swap "saved in this browser" copy for the synced story. + document.addEventListener("DOMContentLoaded", function () { + document.querySelectorAll("[data-storage-note]").forEach(function (el) { + el.textContent = "Synced to your account ✓"; + }); + }); + } +})(); diff --git a/internal/web/static/js/settings.js b/internal/web/static/js/settings.js index 5ccaf6a..41467ec 100644 --- a/internal/web/static/js/settings.js +++ b/internal/web/static/js/settings.js @@ -13,6 +13,7 @@ } function save(set) { try { localStorage.setItem(KEY, JSON.stringify(set)); } catch (e) {} + if (window.PetePrefs) window.PetePrefs.push(); } var disabled = load(); diff --git a/internal/web/static/js/weather-forecast.js b/internal/web/static/js/weather-forecast.js index 88969fb..59ffbd3 100644 --- a/internal/web/static/js/weather-forecast.js +++ b/internal/web/static/js/weather-forecast.js @@ -24,6 +24,7 @@ function setLoc(loc) { if (loc) writeJSON(LOC_KEY, loc); else { try { localStorage.removeItem(LOC_KEY); } catch (e) {} } + if (window.PetePrefs) window.PetePrefs.push(); } // ---- WMO weather code → canvas variant + label + emoji ------------------- diff --git a/internal/web/static/js/weather.js b/internal/web/static/js/weather.js index db012d9..b3d5fa8 100644 --- a/internal/web/static/js/weather.js +++ b/internal/web/static/js/weather.js @@ -28,6 +28,7 @@ if (v) localStorage.setItem(STORAGE_KEY, "1"); else localStorage.removeItem(STORAGE_KEY); } catch (e) {} + if (window.PetePrefs) window.PetePrefs.push(); } function syncBtn(enabled) { if (!toggleBtn) return; diff --git a/internal/web/templates/layout.html b/internal/web/templates/layout.html index 2b9fa4c..22242f0 100644 --- a/internal/web/templates/layout.html +++ b/internal/web/templates/layout.html @@ -65,6 +65,28 @@ class="inline-flex shrink-0 items-center gap-1.5 rounded-full bg-[color:var(--card)] px-3 py-2 text-sm font-semibold shadow-pete border-2 border-[color:var(--ink)]/10 hover:bg-[color:var(--ink)]/5 transition"> 📍 Weather + {{if .AuthEnabled}} + {{if .User}} + + {{.User.Initial}} + + + {{else}} + + + + + {{end}} + {{end}}
-

Uncheck a feed to hide its stories. Saved in this browser.

+

Uncheck a feed to hide its stories. Saved in this browser.

@@ -148,7 +170,12 @@ })(); - + +