Add optional Authentik (OIDC) sign-in with server-side preference sync

Signed-in users get their preferences (hidden feeds, weather location,
weather toggle) stored server-side keyed by their OIDC subject and synced
across devices. Anonymous visitors keep using browser localStorage, so the
site stays public. First sign-in migrates existing localStorage prefs up.

- config: [web.auth] section (issuer, client_id/secret, redirect, session_secret)
- storage: user_preferences table + Get/PutUserPrefs
- web/auth: OIDC code flow, HMAC-signed session cookie, CSRF state + nonce
- web/prefs_api: GET/PUT /api/preferences (auth-gated, 64KB cap)
- frontend: prefs.js sync layer seeds localStorage from server, pushes on write
- header: sign-in / account control

OIDC discovery is non-fatal at boot: if Authentik is down, Pete serves
anonymously rather than refusing to start.
This commit is contained in:
prosolis
2026-06-21 15:44:53 -07:00
parent 1a43616248
commit cbbedd9894
18 changed files with 722 additions and 32 deletions

View File

@@ -22,10 +22,23 @@ type Config struct {
// WebConfig controls the read-only HTTP interface (news.parodia.dev style).
type WebConfig struct {
Enabled bool `toml:"enabled"`
ListenAddr string `toml:"listen_addr"` // e.g. ":8080" or "127.0.0.1:8080"
SiteTitle string `toml:"site_title"` // display name in the header
BaseURL string `toml:"base_url"` // public URL (used in metadata only)
Enabled bool `toml:"enabled"`
ListenAddr string `toml:"listen_addr"` // e.g. ":8080" or "127.0.0.1:8080"
SiteTitle string `toml:"site_title"` // display name in the header
BaseURL string `toml:"base_url"` // public URL (used in metadata only)
Auth AuthConfig `toml:"auth"` // optional OIDC sign-in (Authentik)
}
// AuthConfig wires Pete's web UI to an OIDC provider (our Authentik instance).
// When enabled, signed-in users get their preferences stored server-side keyed
// by the OIDC subject; anonymous visitors keep using browser localStorage.
type AuthConfig struct {
Enabled bool `toml:"enabled"`
Issuer string `toml:"issuer"` // e.g. https://authentik.parodia.dev/application/o/pete/
ClientID string `toml:"client_id"`
ClientSecret string `toml:"client_secret"`
RedirectURL string `toml:"redirect_url"` // e.g. https://news.parodia.dev/auth/callback
SessionSecret string `toml:"session_secret"` // HMAC key for signing the session cookie
}
type MatrixConfig struct {
@@ -73,7 +86,7 @@ type SourceConfig struct {
// Language, when set, drops feed items whose per-item language tag is
// present and does not match (prefix). Useful for multilingual feeds
// like Politico Europe that publish English + French side-by-side.
Language string `toml:"language"`
Language string `toml:"language"`
}
func Load(path string) (*Config, error) {
@@ -124,6 +137,16 @@ func (c *Config) validate() error {
return fmt.Errorf("storage.db_path is required")
}
if c.Web.Auth.Enabled {
a := c.Web.Auth
if a.Issuer == "" || a.ClientID == "" || a.ClientSecret == "" || a.RedirectURL == "" {
return fmt.Errorf("web.auth requires issuer, client_id, client_secret, and redirect_url when enabled")
}
if len(a.SessionSecret) < 16 {
return fmt.Errorf("web.auth.session_secret must be at least 16 characters")
}
}
for i, s := range c.Sources {
if s.Name == "" {
return fmt.Errorf("sources[%d].name is required", i)

50
internal/storage/prefs.go Normal file
View File

@@ -0,0 +1,50 @@
package storage
import (
"database/sql"
"errors"
"fmt"
)
// UserPrefs is one signed-in user's stored state. Prefs is an opaque JSON blob
// owned by the web frontend (disabled feeds, weather location, toggles, …) —
// the backend just persists and returns it, keyed by the OIDC subject.
type UserPrefs struct {
Sub string
Prefs string
Username string
Email string
UpdatedAt int64
}
// GetUserPrefs returns the stored prefs blob for an OIDC subject. It returns
// ("", nil) when the user has no record yet (first sign-in).
func GetUserPrefs(sub string) (string, error) {
var prefs string
err := Get().QueryRow(`SELECT prefs FROM user_preferences WHERE user_sub = ?`, sub).Scan(&prefs)
if errors.Is(err, sql.ErrNoRows) {
return "", nil
}
if err != nil {
return "", fmt.Errorf("get user prefs: %w", err)
}
return prefs, nil
}
// PutUserPrefs upserts a user's prefs blob along with identity hints (username,
// email) for later features. The prefs string is stored verbatim.
func PutUserPrefs(sub, prefs, username, email string) error {
_, err := Get().Exec(`
INSERT INTO user_preferences (user_sub, prefs, username, email, updated_at)
VALUES (?, ?, ?, ?, ?)
ON CONFLICT(user_sub) DO UPDATE SET
prefs = excluded.prefs,
username = excluded.username,
email = excluded.email,
updated_at = excluded.updated_at`,
sub, prefs, username, email, nowUnix())
if err != nil {
return fmt.Errorf("put user prefs: %w", err)
}
return nil
}

View File

@@ -0,0 +1,44 @@
package storage
import (
"path/filepath"
"testing"
)
func TestUserPrefsRoundTrip(t *testing.T) {
if err := Init(filepath.Join(t.TempDir(), "prefs.db")); err != nil {
t.Fatalf("init db: %v", err)
}
t.Cleanup(func() { _ = Close() })
// Missing user → empty, no error.
got, err := GetUserPrefs("nobody")
if err != nil {
t.Fatalf("get missing: %v", err)
}
if got != "" {
t.Fatalf("expected empty for missing user, got %q", got)
}
blob := `{"pete.weather.loc.v1":"{\"postal\":\"1000\"}"}`
if err := PutUserPrefs("ak-sub-1", blob, "misaki", "m@example.com"); err != nil {
t.Fatalf("put: %v", err)
}
got, err = GetUserPrefs("ak-sub-1")
if err != nil {
t.Fatalf("get: %v", err)
}
if got != blob {
t.Fatalf("blob mismatch:\n got %q\nwant %q", got, blob)
}
// Upsert: second put for same sub replaces the blob.
blob2 := `{"pete-weather-off":"1"}`
if err := PutUserPrefs("ak-sub-1", blob2, "misaki", "m@example.com"); err != nil {
t.Fatalf("upsert: %v", err)
}
got, _ = GetUserPrefs("ak-sub-1")
if got != blob2 {
t.Fatalf("upsert mismatch: got %q want %q", got, blob2)
}
}

View File

@@ -45,6 +45,14 @@ CREATE TABLE IF NOT EXISTS reactions (
reacted_at INTEGER NOT NULL
);
CREATE TABLE IF NOT EXISTS user_preferences (
user_sub TEXT PRIMARY KEY,
prefs TEXT NOT NULL,
username TEXT,
email TEXT,
updated_at INTEGER NOT NULL
);
CREATE UNIQUE INDEX IF NOT EXISTS idx_post_log_guid_channel ON post_log(guid, channel);
CREATE INDEX IF NOT EXISTS idx_post_log_event_id ON post_log(event_id);
CREATE INDEX IF NOT EXISTS idx_post_log_channel_posted ON post_log(channel, posted_at);

270
internal/web/auth.go Normal file
View File

@@ -0,0 +1,270 @@
package web
import (
"context"
"crypto/hmac"
"crypto/rand"
"crypto/sha256"
"crypto/subtle"
"encoding/base64"
"encoding/json"
"fmt"
"log/slog"
"net/http"
"strings"
"time"
"github.com/coreos/go-oidc/v3/oidc"
"golang.org/x/oauth2"
"pete/internal/config"
)
const (
sessionCookie = "pete_session"
oauthCookie = "pete_oauth"
sessionTTL = 30 * 24 * time.Hour // stay signed in for a month
oauthTTL = 10 * time.Minute // login round-trip window
)
// Authenticator holds the OIDC plumbing for optional sign-in via Authentik.
type Authenticator struct {
oauth *oauth2.Config
verifier *oidc.IDTokenVerifier
secret []byte
}
// SessionUser is the identity carried in the signed session cookie.
type SessionUser struct {
Sub string `json:"sub"`
Name string `json:"name,omitempty"`
Email string `json:"email,omitempty"`
Exp int64 `json:"exp"`
}
// Display is the friendly name shown in the header (name, else email, else sub).
func (u *SessionUser) Display() string {
if u.Name != "" {
return u.Name
}
if u.Email != "" {
return u.Email
}
return u.Sub
}
// Initial is the single uppercase glyph for the avatar bubble.
func (u *SessionUser) Initial() string {
d := strings.TrimSpace(u.Display())
if d == "" {
return "?"
}
return strings.ToUpper(d[:1])
}
// oauthState is the short-lived CSRF/nonce envelope for the login round-trip.
type oauthState struct {
State string `json:"s"`
Nonce string `json:"n"`
Next string `json:"r"`
Exp int64 `json:"e"`
}
// newAuthenticator performs OIDC discovery against the configured issuer. It is
// non-fatal at the call site: if discovery fails (provider down at boot), the
// site still serves anonymously.
func newAuthenticator(ctx context.Context, cfg config.AuthConfig) (*Authenticator, error) {
provider, err := oidc.NewProvider(ctx, strings.TrimRight(cfg.Issuer, "/")+"/")
if err != nil {
return nil, fmt.Errorf("oidc discovery: %w", err)
}
return &Authenticator{
oauth: &oauth2.Config{
ClientID: cfg.ClientID,
ClientSecret: cfg.ClientSecret,
RedirectURL: cfg.RedirectURL,
Endpoint: provider.Endpoint(),
Scopes: []string{oidc.ScopeOpenID, "profile", "email"},
},
verifier: provider.Verifier(&oidc.Config{ClientID: cfg.ClientID}),
secret: []byte(cfg.SessionSecret),
}, nil
}
// ---- signed-cookie helpers ------------------------------------------------
// sign returns base64url(payload).base64url(hmac) — a compact stateless token.
func (a *Authenticator) sign(payload []byte) string {
mac := hmac.New(sha256.New, a.secret)
mac.Write(payload)
b64 := base64.RawURLEncoding
return b64.EncodeToString(payload) + "." + b64.EncodeToString(mac.Sum(nil))
}
// verify checks the HMAC and returns the raw payload bytes.
func (a *Authenticator) verify(token string) ([]byte, bool) {
parts := strings.SplitN(token, ".", 2)
if len(parts) != 2 {
return nil, false
}
b64 := base64.RawURLEncoding
payload, err := b64.DecodeString(parts[0])
if err != nil {
return nil, false
}
want, err := b64.DecodeString(parts[1])
if err != nil {
return nil, false
}
mac := hmac.New(sha256.New, a.secret)
mac.Write(payload)
if subtle.ConstantTimeCompare(want, mac.Sum(nil)) != 1 {
return nil, false
}
return payload, true
}
func randToken() string {
b := make([]byte, 32)
_, _ = rand.Read(b)
return base64.RawURLEncoding.EncodeToString(b)
}
// userFromRequest returns the signed-in user, or nil for anonymous visitors.
func (a *Authenticator) userFromRequest(r *http.Request) *SessionUser {
c, err := r.Cookie(sessionCookie)
if err != nil {
return nil
}
payload, ok := a.verify(c.Value)
if !ok {
return nil
}
var u SessionUser
if json.Unmarshal(payload, &u) != nil {
return nil
}
if u.Sub == "" || time.Now().Unix() > u.Exp {
return nil
}
return &u
}
func (a *Authenticator) setCookie(w http.ResponseWriter, name, value string, ttl time.Duration) {
http.SetCookie(w, &http.Cookie{
Name: name,
Value: value,
Path: "/",
Expires: time.Now().Add(ttl),
MaxAge: int(ttl.Seconds()),
HttpOnly: true,
Secure: true,
SameSite: http.SameSiteLaxMode,
})
}
func (a *Authenticator) clearCookie(w http.ResponseWriter, name string) {
http.SetCookie(w, &http.Cookie{
Name: name, Value: "", Path: "/", MaxAge: -1,
HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
})
}
// ---- handlers -------------------------------------------------------------
// handleLogin starts the OIDC authorization-code flow.
func (a *Authenticator) handleLogin(w http.ResponseWriter, r *http.Request) {
st := oauthState{
State: randToken(),
Nonce: randToken(),
Next: safeNext(r.URL.Query().Get("next")),
Exp: time.Now().Add(oauthTTL).Unix(),
}
payload, _ := json.Marshal(st)
a.setCookie(w, oauthCookie, a.sign(payload), oauthTTL)
http.Redirect(w, r, a.oauth.AuthCodeURL(st.State, oidc.Nonce(st.Nonce)), http.StatusFound)
}
// handleCallback completes the flow: validates state, exchanges the code,
// verifies the ID token, and issues a session cookie.
func (a *Authenticator) handleCallback(w http.ResponseWriter, r *http.Request) {
c, err := r.Cookie(oauthCookie)
if err != nil {
http.Error(w, "login expired, please try again", http.StatusBadRequest)
return
}
a.clearCookie(w, oauthCookie)
payload, ok := a.verify(c.Value)
if !ok {
http.Error(w, "invalid login state", http.StatusBadRequest)
return
}
var st oauthState
if json.Unmarshal(payload, &st) != nil || time.Now().Unix() > st.Exp {
http.Error(w, "login expired, please try again", http.StatusBadRequest)
return
}
if subtle.ConstantTimeCompare([]byte(st.State), []byte(r.URL.Query().Get("state"))) != 1 {
http.Error(w, "state mismatch", http.StatusBadRequest)
return
}
ctx, cancel := context.WithTimeout(r.Context(), 15*time.Second)
defer cancel()
tok, err := a.oauth.Exchange(ctx, r.URL.Query().Get("code"))
if err != nil {
slog.Error("auth: code exchange failed", "err", err)
http.Error(w, "sign-in failed", http.StatusBadGateway)
return
}
rawID, ok := tok.Extra("id_token").(string)
if !ok {
http.Error(w, "no id_token in response", http.StatusBadGateway)
return
}
idToken, err := a.verifier.Verify(ctx, rawID)
if err != nil {
slog.Error("auth: id_token verify failed", "err", err)
http.Error(w, "sign-in failed", http.StatusBadGateway)
return
}
if idToken.Nonce != st.Nonce {
http.Error(w, "nonce mismatch", http.StatusBadRequest)
return
}
var claims struct {
Sub string `json:"sub"`
Name string `json:"name"`
PreferredUsername string `json:"preferred_username"`
Email string `json:"email"`
}
if err := idToken.Claims(&claims); err != nil {
http.Error(w, "sign-in failed", http.StatusBadGateway)
return
}
name := claims.Name
if name == "" {
name = claims.PreferredUsername
}
u := SessionUser{Sub: claims.Sub, Name: name, Email: claims.Email, Exp: time.Now().Add(sessionTTL).Unix()}
sess, _ := json.Marshal(u)
a.setCookie(w, sessionCookie, a.sign(sess), sessionTTL)
slog.Info("auth: user signed in", "sub", claims.Sub, "name", name)
http.Redirect(w, r, st.Next, http.StatusFound)
}
// handleLogout clears the local session. It does not end the upstream Authentik
// SSO session (that stays the user's choice).
func (a *Authenticator) handleLogout(w http.ResponseWriter, r *http.Request) {
a.clearCookie(w, sessionCookie)
http.Redirect(w, r, "/", http.StatusFound)
}
// safeNext keeps post-login redirects on-site (no open redirects).
func safeNext(next string) string {
if next == "" || !strings.HasPrefix(next, "/") || strings.HasPrefix(next, "//") {
return "/"
}
return next
}

55
internal/web/auth_test.go Normal file
View File

@@ -0,0 +1,55 @@
package web
import "testing"
func TestSignVerifyRoundTrip(t *testing.T) {
a := &Authenticator{secret: []byte("test-secret-key-at-least-16")}
payload := []byte(`{"sub":"abc","exp":123}`)
tok := a.sign(payload)
got, ok := a.verify(tok)
if !ok {
t.Fatal("verify rejected a freshly signed token")
}
if string(got) != string(payload) {
t.Fatalf("payload mismatch: got %q want %q", got, payload)
}
}
func TestVerifyRejectsTamperAndForeignKey(t *testing.T) {
a := &Authenticator{secret: []byte("test-secret-key-at-least-16")}
tok := a.sign([]byte(`{"sub":"abc"}`))
// Flip a byte in the payload segment.
bad := []byte(tok)
bad[0] ^= 0x01
if _, ok := a.verify(string(bad)); ok {
t.Error("verify accepted a tampered token")
}
// A different key must not validate the same token.
other := &Authenticator{secret: []byte("a-totally-different-key-16")}
if _, ok := other.verify(tok); ok {
t.Error("verify accepted a token signed with a different key")
}
if _, ok := a.verify("not-a-valid-token"); ok {
t.Error("verify accepted a malformed token")
}
}
func TestSafeNext(t *testing.T) {
cases := map[string]string{
"": "/",
"/tech": "/tech",
"/tech?page=2": "/tech?page=2",
"//evil.com": "/", // protocol-relative open redirect
"https://evil.com": "/", // absolute URL
"javascript:alert": "/", // not a path
}
for in, want := range cases {
if got := safeNext(in); got != want {
t.Errorf("safeNext(%q) = %q, want %q", in, got, want)
}
}
}

View File

@@ -43,24 +43,28 @@ func toView(s storage.Story) StoryView {
}
type pageData struct {
SiteTitle string
Channels []Channel
Active string // slug of active channel, "" for landing
Weather Weather
Phase string // when set, forces day/dawn/dusk/night and disables the clock-driven phase JS
AllSources template.JS // JSON array of {name, channel} for the settings panel
SiteTitle string
Channels []Channel
Active string // slug of active channel, "" for landing
Weather Weather
Phase string // when set, forces day/dawn/dusk/night and disables the clock-driven phase JS
AllSources template.JS // JSON array of {name, channel} for the settings panel
AuthEnabled bool // sign-in is available
User *SessionUser // nil for anonymous visitors
UserPrefs template.JS // signed-in user's stored prefs blob (JSON), or "null"
Path string // current request path, for post-login return
}
type channelPage struct {
pageData
Channel Channel
Stories []StoryView
Page int
HasPrev bool
HasNext bool
PrevURL string
NextURL string
Total int
Channel Channel
Stories []StoryView
Page int
HasPrev bool
HasNext bool
PrevURL string
NextURL string
Total int
}
type indexPage struct {
@@ -78,20 +82,32 @@ type channelStat struct {
Total int
}
func (s *Server) base() pageData {
func (s *Server) base(r *http.Request) pageData {
srcJSON, err := json.Marshal(s.sources)
if err != nil {
srcJSON = []byte("[]")
}
return pageData{
SiteTitle: s.cfg.SiteTitle,
Channels: channels,
Weather: currentWeather(time.Now()),
AllSources: template.JS(srcJSON),
d := pageData{
SiteTitle: s.cfg.SiteTitle,
Channels: channels,
Weather: currentWeather(time.Now()),
AllSources: template.JS(srcJSON),
AuthEnabled: s.auth != nil,
UserPrefs: template.JS("null"),
Path: r.URL.Path,
}
if s.auth != nil {
if u := s.auth.userFromRequest(r); u != nil {
d.User = u
if blob, err := storage.GetUserPrefs(u.Sub); err == nil && blob != "" {
d.UserPrefs = template.JS(blob)
}
}
}
return d
}
func (s *Server) handleIndex(w http.ResponseWriter, _ *http.Request) {
func (s *Server) handleIndex(w http.ResponseWriter, r *http.Request) {
const (
justPostedLimit = 6
latestLimit = 16
@@ -137,7 +153,7 @@ func (s *Server) handleIndex(w http.ResponseWriter, _ *http.Request) {
}
data := indexPage{
pageData: s.base(),
pageData: s.base(r),
JustPosted: justPosted,
Stats: stats,
Latest: latest,
@@ -169,7 +185,7 @@ func (s *Server) handleChannel(w http.ResponseWriter, r *http.Request, ch Channe
}
total, _ := storage.CountClassifiedByChannel(ch.Slug)
base := s.base()
base := s.base(r)
base.Active = ch.Slug
data := channelPage{
pageData: base,
@@ -230,7 +246,7 @@ func (s *Server) handleWeatherDemo(w http.ResponseWriter, r *http.Request) {
intensity := pickOr(q.Get("intensity"), demoIntensities, "heavy")
phase := pickOr(q.Get("phase"), demoPhases, "day")
base := s.base()
base := s.base(r)
base.Weather = Weather{Season: seasonForVariant(variant), Variant: variant, Intensity: intensity}
base.Phase = phase

74
internal/web/prefs_api.go Normal file
View File

@@ -0,0 +1,74 @@
package web
import (
"encoding/json"
"io"
"log/slog"
"net/http"
"pete/internal/storage"
)
// maxPrefsBytes caps the stored blob. Preferences are small (disabled feeds,
// a postal code, a couple toggles); this is generous headroom, not a target.
const maxPrefsBytes = 64 * 1024
// handlePrefs serves GET (load) and PUT (save) of the signed-in user's
// preferences blob. The blob is opaque JSON owned by the frontend. Both verbs
// require a session; anonymous callers get 401 and fall back to localStorage.
func (s *Server) handlePrefs(w http.ResponseWriter, r *http.Request) {
if s.auth == nil {
http.Error(w, "auth disabled", http.StatusNotFound)
return
}
u := s.auth.userFromRequest(r)
if u == nil {
w.Header().Set("Content-Type", "application/json; charset=utf-8")
http.Error(w, `{"error":"not signed in"}`, http.StatusUnauthorized)
return
}
switch r.Method {
case http.MethodGet:
blob, err := storage.GetUserPrefs(u.Sub)
if err != nil {
slog.Error("prefs: load failed", "sub", u.Sub, "err", err)
http.Error(w, "internal error", http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "application/json; charset=utf-8")
w.Header().Set("Cache-Control", "no-store")
if blob == "" {
_, _ = w.Write([]byte(`{"prefs":null}`))
return
}
// blob is already valid JSON; embed it verbatim.
_, _ = w.Write([]byte(`{"prefs":`))
_, _ = io.WriteString(w, blob)
_, _ = w.Write([]byte(`}`))
case http.MethodPut:
body, err := io.ReadAll(io.LimitReader(r.Body, maxPrefsBytes+1))
if err != nil {
http.Error(w, "read error", http.StatusBadRequest)
return
}
if len(body) > maxPrefsBytes {
http.Error(w, "preferences too large", http.StatusRequestEntityTooLarge)
return
}
if !json.Valid(body) {
http.Error(w, "invalid JSON", http.StatusBadRequest)
return
}
if err := storage.PutUserPrefs(u.Sub, string(body), u.Name, u.Email); err != nil {
slog.Error("prefs: save failed", "sub", u.Sub, "err", err)
http.Error(w, "internal error", http.StatusInternalServerError)
return
}
w.WriteHeader(http.StatusNoContent)
default:
http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
}
}

View File

@@ -55,6 +55,7 @@ type Server struct {
sources []SourceInfo
srv *http.Server
tpls map[string]*template.Template // keyed by page name (e.g. "index", "channel")
auth *Authenticator // nil when sign-in is disabled or unavailable
}
// New builds the server. Templates are parsed once at startup. Each page
@@ -82,6 +83,22 @@ func New(cfg config.WebConfig, sources []config.SourceConfig) (*Server, error) {
infos = append(infos, SourceInfo{Name: sc.Name, Channel: sc.DirectRoute})
}
s := &Server{cfg: cfg, sources: infos, tpls: tpls}
// Optional OIDC sign-in (Authentik). Discovery is a network call; if the
// provider is unreachable at boot we log and serve anonymously rather than
// refusing to start the whole site.
if cfg.Auth.Enabled {
dctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
auth, err := newAuthenticator(dctx, cfg.Auth)
cancel()
if err != nil {
slog.Error("web: OIDC auth init failed; sign-in disabled", "err", err)
} else {
s.auth = auth
slog.Info("web: OIDC sign-in enabled", "issuer", cfg.Auth.Issuer)
}
}
mux := http.NewServeMux()
staticSub, err := fs.Sub(staticFS, "static")
@@ -105,6 +122,14 @@ func New(cfg config.WebConfig, sources []config.SourceConfig) (*Server, error) {
_, _ = w.Write([]byte("ok"))
})
if s.auth != nil {
mux.HandleFunc("GET /auth/login", s.auth.handleLogin)
mux.HandleFunc("GET /auth/callback", s.auth.handleCallback)
mux.HandleFunc("GET /auth/logout", s.auth.handleLogout)
mux.HandleFunc("GET /api/preferences", s.handlePrefs)
mux.HandleFunc("PUT /api/preferences", s.handlePrefs)
}
s.srv = &http.Server{
Addr: cfg.ListenAddr,
Handler: mux,

File diff suppressed because one or more lines are too long

View File

@@ -0,0 +1,70 @@
// Preference sync. Anonymous visitors keep using localStorage exactly as
// before — this file is a no-op for them. When a user is signed in (Authentik
// via OIDC), the server is the source of truth: their stored blob is injected
// as window.PETE_PREFS and seeded into localStorage *synchronously* here, before
// the feature scripts (settings.js, weather*.js) read it. Those scripts then
// call PetePrefs.push() after every write to mirror the change back up.
//
// This script must run before the others — it's loaded first in layout.html,
// and all the feature scripts are `defer`, so document order is guaranteed.
(function () {
// The localStorage keys we sync. The weather *cache* is deliberately excluded:
// it's transient and per-device.
var SYNCED = ["pete.disabledSources.v1", "pete.weather.loc.v1", "pete-weather-off"];
var user = window.PETE_USER || null;
var serverPrefs = window.PETE_PREFS || null;
function seed(prefs) {
SYNCED.forEach(function (k) {
if (!Object.prototype.hasOwnProperty.call(prefs, k)) return;
var v = prefs[k];
try {
if (v === null || v === undefined) localStorage.removeItem(k);
else localStorage.setItem(k, String(v));
} catch (e) {}
});
}
function snapshot() {
var out = {};
SYNCED.forEach(function (k) {
try { var v = localStorage.getItem(k); if (v !== null) out[k] = v; } catch (e) {}
});
return out;
}
var timer = null;
function push() {
if (!user) return; // anonymous: localStorage only
if (timer) clearTimeout(timer);
timer = setTimeout(function () {
timer = null;
try {
fetch("/api/preferences", {
method: "PUT",
headers: { "Content-Type": "application/json" },
body: JSON.stringify(snapshot()),
credentials: "same-origin",
keepalive: true
}).catch(function () {});
} catch (e) {}
}, 600);
}
window.PetePrefs = { push: push, loggedIn: !!user, syncedKeys: SYNCED };
if (user) {
if (serverPrefs && typeof serverPrefs === "object") {
seed(serverPrefs); // cross-device: server wins on load
} else {
push(); // first sign-in: migrate this browser's prefs to the account
}
// Swap "saved in this browser" copy for the synced story.
document.addEventListener("DOMContentLoaded", function () {
document.querySelectorAll("[data-storage-note]").forEach(function (el) {
el.textContent = "Synced to your account ✓";
});
});
}
})();

View File

@@ -13,6 +13,7 @@
}
function save(set) {
try { localStorage.setItem(KEY, JSON.stringify(set)); } catch (e) {}
if (window.PetePrefs) window.PetePrefs.push();
}
var disabled = load();

View File

@@ -24,6 +24,7 @@
function setLoc(loc) {
if (loc) writeJSON(LOC_KEY, loc);
else { try { localStorage.removeItem(LOC_KEY); } catch (e) {} }
if (window.PetePrefs) window.PetePrefs.push();
}
// ---- WMO weather code → canvas variant + label + emoji -------------------

View File

@@ -28,6 +28,7 @@
if (v) localStorage.setItem(STORAGE_KEY, "1");
else localStorage.removeItem(STORAGE_KEY);
} catch (e) {}
if (window.PetePrefs) window.PetePrefs.push();
}
function syncBtn(enabled) {
if (!toggleBtn) return;

View File

@@ -65,6 +65,28 @@
class="inline-flex shrink-0 items-center gap-1.5 rounded-full bg-[color:var(--card)] px-3 py-2 text-sm font-semibold shadow-pete border-2 border-[color:var(--ink)]/10 hover:bg-[color:var(--ink)]/5 transition">
<span data-weather-chip class="tabular-nums">📍 Weather</span>
</button>
{{if .AuthEnabled}}
{{if .User}}
<a href="/auth/logout" data-account
title="Signed in as {{.User.Display}}{{if .User.Email}} · {{.User.Email}}{{end}} — sign out"
class="inline-flex shrink-0 items-center gap-2 rounded-full bg-[color:var(--card)] px-2.5 py-1.5 text-sm font-semibold shadow-pete border-2 border-[color:var(--ink)]/10 hover:bg-[color:var(--ink)]/5 transition">
<span class="grid h-6 w-6 place-items-center rounded-full bg-[color:var(--accent)] text-white text-xs font-bold">{{.User.Initial}}</span>
<span class="hidden sm:inline max-w-[7rem] truncate">{{.User.Display}}</span>
</a>
{{else}}
<a href="/auth/login?next={{.Path}}" data-signin
title="Sign in to sync your preferences"
class="inline-flex shrink-0 items-center gap-1.5 rounded-full bg-[color:var(--card)] px-3 py-2 text-sm font-semibold shadow-pete border-2 border-[color:var(--ink)]/10 hover:bg-[color:var(--ink)]/5 transition">
<svg aria-hidden="true" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2"
stroke-linecap="round" stroke-linejoin="round" class="h-4 w-4 text-[color:var(--ink)]/60">
<path d="M15 3h4a2 2 0 0 1 2 2v14a2 2 0 0 1-2 2h-4"></path>
<polyline points="10 17 15 12 10 7"></polyline>
<line x1="15" y1="12" x2="3" y2="12"></line>
</svg>
<span class="hidden sm:inline">Sign in</span>
</a>
{{end}}
{{end}}
<div class="flex items-center gap-2 min-w-0 max-w-full">
<button type="button" data-search-trigger title="Search (⌘K)"
class="flex shrink-0 items-center gap-2 rounded-full bg-[color:var(--card)] px-3 py-2 text-sm shadow-pete border-2 border-[color:var(--ink)]/10 hover:bg-[color:var(--ink)]/5 transition">
@@ -112,7 +134,7 @@
<h2 class="font-display text-lg font-bold">Feed settings</h2>
<button type="button" data-settings-close class="rounded-full px-2 py-1 text-sm text-[color:var(--ink)]/60 hover:bg-[color:var(--ink)]/5">esc</button>
</div>
<p class="px-5 pt-3 text-xs text-[color:var(--ink)]/60">Uncheck a feed to hide its stories. Saved in this browser.</p>
<p class="px-5 pt-3 text-xs text-[color:var(--ink)]/60">Uncheck a feed to hide its stories. <span data-storage-note>Saved in this browser.</span></p>
<div data-settings-list class="max-h-[55vh] overflow-y-auto p-3 space-y-1"></div>
<div class="px-5 py-3 border-t border-[color:var(--ink)]/10 flex items-center justify-between text-xs">
<button type="button" data-settings-reset class="text-[color:var(--ink)]/60 hover:text-[color:var(--ink)] font-semibold">Enable all</button>
@@ -148,7 +170,12 @@
})();
</script>
<script>window.PETE_SOURCES = {{.AllSources}};</script>
<script>
window.PETE_SOURCES = {{.AllSources}};
window.PETE_USER = {{if .User}}{ name: {{.User.Display}}, email: {{.User.Email}} }{{else}}null{{end}};
window.PETE_PREFS = {{.UserPrefs}};
</script>
<script src="/static/js/prefs.js" defer></script>
<script src="/static/js/weather.js" defer></script>
<script src="/static/js/weather-forecast.js" defer></script>
<script src="/static/js/search.js" defer></script>