tenseleyflow/shithub / 134f212

+			r.Get("/settings/emails", h.settingsEmailsList)

+			r.Post("/settings/emails", h.settingsEmailsAdd)

+			r.Post("/settings/emails/{id}/resend", h.settingsEmailsResend)

+			r.Post("/settings/emails/{id}/primary", h.settingsEmailsSetPrimary)

+			r.Post("/settings/emails/{id}/remove", h.settingsEmailsRemove)

+func (c *captureSender) reset() {

+	c.mu.Lock()

+	defer c.mu.Unlock()

+	c.out = nil

+}

+

+	emailsTpl := `{{ define "page" }}<h1>Emails</h1>{{ with .Error }}<p class=error>{{.}}</p>{{ end }}{{ with .Success }}<p class=notice>{{.}}</p>{{ end }}<form action="/settings/emails" method=POST><input name=csrf_token value="{{.CSRFToken}}"></form>EMAILS={{ range .Emails }}{{.ID}}:{{.Email}}:p={{.IsPrimary}}:v={{.Verified}};{{ end }}{{ end }}`

+		"settings/emails.html":       {Data: []byte(emailsTpl)},

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package auth

+

+import (

+	"net/http"

+	"strconv"

+	"strings"

+	"time"

+

+	"github.com/go-chi/chi/v5"

+	"github.com/jackc/pgx/v5/pgtype"

+

+	"github.com/tenseleyFlow/shithub/internal/auth/email"

+	"github.com/tenseleyFlow/shithub/internal/auth/token"

+	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/web/middleware"

+)

+

+// maxEmailsPerUser caps how many addresses a user can register. Picked

+// to match GitHub's posted ceiling — high enough that nobody hits it

+// legitimately, low enough that an abuser can't use the table as scratch

+// space.

+const maxEmailsPerUser = 10

+

+// settingsEmailsList renders GET /settings/emails.

+func (h *Handlers) settingsEmailsList(w http.ResponseWriter, r *http.Request) {

+	h.renderEmailsList(w, r, "", "")

+}

+

+// settingsEmailsAdd handles POST /settings/emails.

+func (h *Handlers) settingsEmailsAdd(w http.ResponseWriter, r *http.Request) {

+	if err := r.ParseForm(); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusBadRequest, "form parse")

+		return

+	}

+	user := middleware.CurrentUserFromContext(r.Context())

+	addr := strings.ToLower(strings.TrimSpace(r.PostFormValue("email")))

+

+	if !looksLikeEmail(addr) {

+		h.renderEmailsList(w, r, "Please enter a valid email address.", "")

+		return

+	}

+

+	count, err := h.countUserEmails(r, user.ID)

+	if err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	if count >= maxEmailsPerUser {

+		h.renderEmailsList(w, r, "You've reached the per-account email cap. Remove one first.", "")

+		return

+	}

+

+	tokEnc, tokHash, err := token.New()

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "emails: token", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	tx, err := h.d.Pool.Begin(r.Context())

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "emails: begin", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	defer func() { _ = tx.Rollback(r.Context()) }()

+

+	em, err := h.q.CreateUserEmail(r.Context(), tx, usersdb.CreateUserEmailParams{

+		UserID:                user.ID,

+		Email:                 addr,

+		IsPrimary:             false,

+		Verified:              false,

+		VerificationTokenHash: tokHash,

+	})

+	if err != nil {

+		if isUniqueViolation(err) {

+			h.renderEmailsList(w, r, "That email is already registered (here or to another account).", "")

+			return

+		}

+		h.d.Logger.ErrorContext(r.Context(), "emails: insert", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	expires := pgtype.Timestamptz{Time: time.Now().Add(24 * time.Hour), Valid: true}

+	if _, err := h.q.CreateEmailVerification(r.Context(), tx, usersdb.CreateEmailVerificationParams{

+		UserEmailID: em.ID, TokenHash: tokHash, ExpiresAt: expires,

+	}); err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "emails: verification row", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	if err := tx.Commit(r.Context()); err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "emails: commit", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	h.sendVerifyMessage(r, addr, user.Username, tokEnc)

+	h.renderEmailsList(w, r, "", "Verification link sent to "+addr+".")

+}

+

+// settingsEmailsResend handles POST /settings/emails/{id}/resend.

+func (h *Handlers) settingsEmailsResend(w http.ResponseWriter, r *http.Request) {

+	id, ok := h.parseEmailID(w, r)

+	if !ok {

+		return

+	}

+	user := middleware.CurrentUserFromContext(r.Context())

+	em, err := h.q.GetUserEmailByID(r.Context(), h.d.Pool, id)

+	if err != nil || em.UserID != user.ID {

+		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")

+		return

+	}

+	if em.Verified {

+		h.renderEmailsList(w, r, "That address is already verified.", "")

+		return

+	}

+

+	tokEnc, tokHash, err := token.New()

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "emails: resend token", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	tx, err := h.d.Pool.Begin(r.Context())

+	if err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	defer func() { _ = tx.Rollback(r.Context()) }()

+	if err := h.q.SetVerificationToken(r.Context(), tx, usersdb.SetVerificationTokenParams{

+		ID: em.ID, VerificationTokenHash: tokHash,

+	}); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	if _, err := h.q.CreateEmailVerification(r.Context(), tx, usersdb.CreateEmailVerificationParams{

+		UserEmailID: em.ID,

+		TokenHash:   tokHash,

+		ExpiresAt:   pgtype.Timestamptz{Time: time.Now().Add(24 * time.Hour), Valid: true},

+	}); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	if err := tx.Commit(r.Context()); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	h.sendVerifyMessage(r, string(em.Email), user.Username, tokEnc)

+	h.renderEmailsList(w, r, "", "Verification link resent to "+string(em.Email)+".")

+}

+

+// settingsEmailsSetPrimary handles POST /settings/emails/{id}/primary.

+func (h *Handlers) settingsEmailsSetPrimary(w http.ResponseWriter, r *http.Request) {

+	id, ok := h.parseEmailID(w, r)

+	if !ok {

+		return

+	}

+	user := middleware.CurrentUserFromContext(r.Context())

+	em, err := h.q.GetUserEmailByID(r.Context(), h.d.Pool, id)

+	if err != nil || em.UserID != user.ID {

+		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")

+		return

+	}

+	if !em.Verified {

+		h.renderEmailsList(w, r, "Verify the address before promoting it to primary.", "")

+		return

+	}

+	if em.IsPrimary {

+		h.renderEmailsList(w, r, "That address is already primary.", "")

+		return

+	}

+

+	tx, err := h.d.Pool.Begin(r.Context())

+	if err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	defer func() { _ = tx.Rollback(r.Context()) }()

+	if err := h.q.SetUserEmailPrimary(r.Context(), tx, usersdb.SetUserEmailPrimaryParams{

+		UserID: user.ID, ID: em.ID,

+	}); err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "emails: set primary", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	if err := h.q.LinkUserPrimaryEmail(r.Context(), tx, usersdb.LinkUserPrimaryEmailParams{

+		ID:             user.ID,

+		PrimaryEmailID: pgtype.Int8{Int64: em.ID, Valid: true},

+	}); err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "emails: link primary", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	if err := tx.Commit(r.Context()); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	h.renderEmailsList(w, r, "", "Primary email is now "+string(em.Email)+".")

+}

+

+// settingsEmailsRemove handles POST /settings/emails/{id}/remove.

+func (h *Handlers) settingsEmailsRemove(w http.ResponseWriter, r *http.Request) {

+	id, ok := h.parseEmailID(w, r)

+	if !ok {

+		return

+	}

+	user := middleware.CurrentUserFromContext(r.Context())

+	rows, err := h.q.DeleteUserEmail(r.Context(), h.d.Pool, usersdb.DeleteUserEmailParams{

+		ID: id, UserID: user.ID,

+	})

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "emails: delete", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	if rows == 0 {

+		h.renderEmailsList(w, r, "Couldn't remove that email — set a different primary first.", "")

+		return

+	}

+	h.renderEmailsList(w, r, "", "Email removed.")

+}

+

+// renderEmailsList is the shared render path.

+func (h *Handlers) renderEmailsList(w http.ResponseWriter, r *http.Request, errMsg, successMsg string) {

+	user := middleware.CurrentUserFromContext(r.Context())

+	rows, err := h.q.ListUserEmailsForUser(r.Context(), h.d.Pool, user.ID)

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "emails: list", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	h.renderPage(w, r, "settings/emails", map[string]any{

+		"Title":          "Emails",

+		"CSRFToken":      middleware.CSRFTokenForRequest(r),

+		"SettingsActive": "emails",

+		"Emails":         rows,

+		"Error":          errMsg,

+		"Success":        successMsg,

+	})

+}

+

+// parseEmailID extracts and validates the {id} route param. On failure

+// writes a 404 and returns ok=false.

+func (h *Handlers) parseEmailID(w http.ResponseWriter, r *http.Request) (int64, bool) {

+	id, err := strconv.ParseInt(chi.URLParam(r, "id"), 10, 64)

+	if err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusNotFound, "")

+		return 0, false

+	}

+	return id, true

+}

+

+func (h *Handlers) countUserEmails(r *http.Request, userID int64) (int, error) {

+	rows, err := h.q.ListUserEmailsForUser(r.Context(), h.d.Pool, userID)

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "emails: count", "error", err)

+		return 0, err

+	}

+	return len(rows), nil

+}

+

+// sendVerifyMessage is best-effort: failures don't break the flow but

+// are logged so the operator can chase delivery issues.

+func (h *Handlers) sendVerifyMessage(r *http.Request, addr, username, tokEnc string) {

+	msg, err := email.VerifyMessage(h.d.Branding, addr, username, tokEnc)

+	if err != nil {

+		h.d.Logger.WarnContext(r.Context(), "emails: build verify msg", "error", err)

+		return

+	}

+	if err := h.d.Email.Send(r.Context(), msg); err != nil {

+		h.d.Logger.WarnContext(r.Context(), "emails: send verify msg", "error", err)

+	}

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package auth_test

+

+import (

+	"io"

+	"net/http"

+	"net/http/httptest"

+	"net/url"

+	"regexp"

+	"strings"

+	"testing"

+)

+

+// loginEmailsUser returns an authenticated client AND the captureSender

+// so tests can pull verification tokens out of newly-sent emails.

+func loginEmailsUser(t *testing.T, name string) (*client, *httptest.Server, *captureSender) {

+	t.Helper()

+	httpsrv, captor := newTestServer(t, false)

+	cli := newClient(t, httpsrv)

+	mustSignup(t, cli, name, name+"@example.com", "correct horse battery staple")

+	tok := extractTokenFromMessage(t, captor.all()[0], "/verify-email")

+	_ = cli.get(t, "/verify-email/"+tok).Body.Close()

+

+	csrf := cli.extractCSRF(t, "/login")

+	resp := cli.post(t, "/login", url.Values{

+		"csrf_token": {csrf},

+		"username":   {name},

+		"password":   {"correct horse battery staple"},

+	})

+	if resp.StatusCode != http.StatusSeeOther {

+		t.Fatalf("login: %d", resp.StatusCode)

+	}

+	_ = resp.Body.Close()

+	return cli, httpsrv, captor

+}

+

+// extractEmailIDFromList scans the test fixture's "EMAILS=…" payload for

+// the row whose address matches addr and returns its ID.

+//

+// Fixture format:  ID:address:p=<bool>:v=<bool>;…

+var emailRowRE = regexp.MustCompile(`(\d+):([^:]+):p=(true|false):v=(true|false);`)

+

+func extractEmailID(t *testing.T, body, addr string) int64 {

+	t.Helper()

+	for _, m := range emailRowRE.FindAllStringSubmatch(body, -1) {

+		if m[2] == addr {

+			var id int64

+			for _, c := range m[1] {

+				id = id*10 + int64(c-'0')

+			}

+			return id

+		}

+	}

+	t.Fatalf("no email row for %q in body: %s", addr, body)

+	return 0

+}

+

+func TestEmails_ListShowsPrimary(t *testing.T) {

+	t.Parallel()

+	cli, _, _ := loginEmailsUser(t, "ema")

+	resp := cli.get(t, "/settings/emails")

+	defer func() { _ = resp.Body.Close() }()

+	body, _ := io.ReadAll(resp.Body)

+	if !strings.Contains(string(body), "ema@example.com:p=true:v=true") {

+		t.Fatalf("expected primary verified row, got: %s", body)

+	}

+}

+

+func TestEmails_AddSendsVerify(t *testing.T) {

+	t.Parallel()

+	cli, _, captor := loginEmailsUser(t, "emb")

+	captor.reset()

+

+	csrf := cli.extractCSRF(t, "/settings/emails")

+	resp := cli.post(t, "/settings/emails", url.Values{

+		"csrf_token": {csrf},

+		"email":      {"emb-second@example.com"},

+	})

+	defer func() { _ = resp.Body.Close() }()

+	body, _ := io.ReadAll(resp.Body)

+	if !strings.Contains(string(body), "Verification link sent") {

+		t.Fatalf("expected success, got: %s", body)

+	}

+	if !strings.Contains(string(body), "emb-second@example.com:p=false:v=false") {

+		t.Fatalf("new email row missing or wrong shape: %s", body)

+	}

+	if len(captor.all()) == 0 {

+		t.Fatalf("expected captor to have a verify email")

+	}

+}

+

+func TestEmails_AddRejectsBad(t *testing.T) {

+	t.Parallel()

+	cli, _, _ := loginEmailsUser(t, "emc")

+	csrf := cli.extractCSRF(t, "/settings/emails")

+	resp := cli.post(t, "/settings/emails", url.Values{

+		"csrf_token": {csrf},

+		"email":      {"not-an-email"},

+	})

+	defer func() { _ = resp.Body.Close() }()

+	body, _ := io.ReadAll(resp.Body)

+	if !strings.Contains(string(body), "valid email") {

+		t.Fatalf("expected validation, got: %s", body)

+	}

+}

+

+func TestEmails_SetPrimaryRequiresVerified(t *testing.T) {

+	t.Parallel()

+	cli, _, _ := loginEmailsUser(t, "emd")

+	csrf := cli.extractCSRF(t, "/settings/emails")

+	resp := cli.post(t, "/settings/emails", url.Values{

+		"csrf_token": {csrf},

+		"email":      {"emd-second@example.com"},

+	})

+	body, _ := io.ReadAll(resp.Body)

+	_ = resp.Body.Close()

+

+	id := extractEmailID(t, string(body), "emd-second@example.com")

+	csrf = cli.extractCSRF(t, "/settings/emails")

+	resp = cli.post(t, "/settings/emails/"+itoa(id)+"/primary", url.Values{

+		"csrf_token": {csrf},

+	})

+	defer func() { _ = resp.Body.Close() }()

+	body, _ = io.ReadAll(resp.Body)

+	if !strings.Contains(string(body), "Verify the address") {

+		t.Fatalf("expected verify-required error, got: %s", body)

+	}

+}

+

+func TestEmails_RoundtripVerifySetPrimaryRemove(t *testing.T) {

+	t.Parallel()

+	cli, _, captor := loginEmailsUser(t, "eme")

+	captor.reset()

+

+	// 1. Add a second address.

+	csrf := cli.extractCSRF(t, "/settings/emails")

+	resp := cli.post(t, "/settings/emails", url.Values{

+		"csrf_token": {csrf},

+		"email":      {"eme-second@example.com"},

+	})

+	body, _ := io.ReadAll(resp.Body)

+	_ = resp.Body.Close()

+	id := extractEmailID(t, string(body), "eme-second@example.com")

+

+	// 2. Verify via the link in the captured email.

+	if len(captor.all()) == 0 {

+		t.Fatalf("expected verify email; none captured")

+	}

+	tok := extractTokenFromMessage(t, captor.all()[0], "/verify-email")

+	_ = cli.get(t, "/verify-email/"+tok).Body.Close()

+

+	// 3. Promote it to primary.

+	csrf = cli.extractCSRF(t, "/settings/emails")

+	resp = cli.post(t, "/settings/emails/"+itoa(id)+"/primary", url.Values{

+		"csrf_token": {csrf},

+	})

+	body, _ = io.ReadAll(resp.Body)

+	_ = resp.Body.Close()

+	if !strings.Contains(string(body), "Primary email is now eme-second@example.com") {

+		t.Fatalf("expected primary-set success, got: %s", body)

+	}

+	if !strings.Contains(string(body), "eme-second@example.com:p=true:v=true") {

+		t.Fatalf("expected new row to be primary+verified: %s", body)

+	}

+

+	// 4. Now the original address can be removed (no longer primary).

+	origID := extractEmailID(t, string(body), "eme@example.com")

+	csrf = cli.extractCSRF(t, "/settings/emails")

+	resp = cli.post(t, "/settings/emails/"+itoa(origID)+"/remove", url.Values{

+		"csrf_token": {csrf},

+	})

+	defer func() { _ = resp.Body.Close() }()

+	body, _ = io.ReadAll(resp.Body)

+	if !strings.Contains(string(body), "Email removed") {

+		t.Fatalf("expected remove success, got: %s", body)

+	}

+	if strings.Contains(string(body), "eme@example.com:") {

+		t.Fatalf("removed email still listed: %s", body)

+	}

+}

+

+func TestEmails_CannotRemovePrimary(t *testing.T) {

+	t.Parallel()

+	cli, _, _ := loginEmailsUser(t, "emf")

+

+	// Find the (only) primary row's id.

+	resp := cli.get(t, "/settings/emails")

+	body, _ := io.ReadAll(resp.Body)

+	_ = resp.Body.Close()

+	id := extractEmailID(t, string(body), "emf@example.com")

+

+	csrf := cli.extractCSRF(t, "/settings/emails")

+	resp = cli.post(t, "/settings/emails/"+itoa(id)+"/remove", url.Values{

+		"csrf_token": {csrf},

+	})

+	defer func() { _ = resp.Body.Close() }()

+	body, _ = io.ReadAll(resp.Body)

+	if !strings.Contains(string(body), "set a different primary first") {

+		t.Fatalf("expected primary-protected error, got: %s", body)

+	}

+}

+

+// itoa avoids strconv to keep imports tight.

+func itoa(n int64) string {

+	if n == 0 {

+		return "0"

+	}

+	var buf [20]byte

+	i := len(buf)

+	for n > 0 {

+		i--

+		buf[i] = byte('0' + n%10)

+		n /= 10

+	}

+	return string(buf[i:])

+}

+

+/* ----- emails (S10) ----- */

+.shithub-email-list {

+  list-style: none;

+  padding: 0;

+  margin: 1rem 0 0;

+  display: grid;

+  gap: 0.5rem;

+}

+.shithub-email-row {

+  display: flex;

+  justify-content: space-between;

+  align-items: center;

+  gap: 1rem;

+  padding: 0.75rem 1rem;

+  border: 1px solid var(--border-default);

+  border-radius: 6px;

+  background: var(--canvas-subtle);

+}

+.shithub-email-meta { display: flex; align-items: center; gap: 0.5rem; flex-wrap: wrap; }

+.shithub-email-addr { background: transparent; padding: 0; font-weight: 500; }

+.shithub-email-actions { display: flex; gap: 0.5rem; flex-wrap: wrap; }

+.shithub-email-actions form { display: inline; }

+.shithub-pill {

+  font-size: 0.7rem;

+  padding: 0.1rem 0.5rem;

+  border-radius: 999px;

+  border: 1px solid var(--border-default);

+  text-transform: uppercase;

+  letter-spacing: 0.04em;

+  font-weight: 600;

+}

+.shithub-pill-primary { background: rgba(56, 139, 253, 0.15); border-color: rgba(56, 139, 253, 0.4); }

+.shithub-pill-verified { background: rgba(63, 185, 80, 0.15); border-color: rgba(63, 185, 80, 0.4); }

+.shithub-pill-unverified { background: rgba(187, 128, 9, 0.15); border-color: rgba(187, 128, 9, 0.4); }

+{{ define "page" -}}

+<div class="shithub-settings-page">

+  {{ template "settings-nav" . }}

+  <div class="shithub-settings-content">

+    <h1>Emails</h1>

+

+    {{ with .Error }}<p class="shithub-flash shithub-flash-error" role="alert">{{ . }}</p>{{ end }}

+    {{ with .Success }}<p class="shithub-flash shithub-flash-notice" role="status">{{ . }}</p>{{ end }}

+

+    <section class="shithub-settings-section">

+      <h2>Your email addresses</h2>

+      <p>Your <strong>primary</strong> email is where account-related and security notifications go. You must verify each address before it can become primary.</p>

+

+      {{ if .Emails }}

+      <ul class="shithub-email-list">

+        {{ range .Emails }}

+        <li class="shithub-email-row">

+          <div class="shithub-email-meta">

+            <code class="shithub-email-addr">{{ .Email }}</code>

+            {{ if .IsPrimary }}<span class="shithub-pill shithub-pill-primary">primary</span>{{ end }}

+            {{ if .Verified }}<span class="shithub-pill shithub-pill-verified">verified</span>

+            {{ else }}<span class="shithub-pill shithub-pill-unverified">unverified</span>{{ end }}

+          </div>

+          <div class="shithub-email-actions">

+            {{ if and (not .Verified) (not .IsPrimary) }}

+            <form method="POST" action="/settings/emails/{{ .ID }}/resend" novalidate>

+              <input type="hidden" name="csrf_token" value="{{ $.CSRFToken }}">

+              <button type="submit" class="shithub-button">Resend verification</button>

+            </form>

+            {{ end }}

+            {{ if and .Verified (not .IsPrimary) }}

+            <form method="POST" action="/settings/emails/{{ .ID }}/primary" novalidate>

+              <input type="hidden" name="csrf_token" value="{{ $.CSRFToken }}">

+              <button type="submit" class="shithub-button">Make primary</button>

+            </form>

+            {{ end }}

+            {{ if not .IsPrimary }}

+            <form method="POST" action="/settings/emails/{{ .ID }}/remove" novalidate>

+              <input type="hidden" name="csrf_token" value="{{ $.CSRFToken }}">

+              <button type="submit" class="shithub-button shithub-button-danger">Remove</button>

+            </form>

+            {{ end }}

+          </div>

+        </li>

+        {{ end }}

+      </ul>

+      {{ end }}

+    </section>

+

+    <section class="shithub-settings-section">

+      <h2>Add an email address</h2>

+      <form method="POST" action="/settings/emails" novalidate>

+        <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">

+        <label>

+          <span>Email address</span>

+          <input type="email" name="email" required autocomplete="email">

+          <small>We'll send a verification link to this address. It won't appear publicly until you also opt in (post-MVP).</small>

+        </label>

+        <button type="submit" class="shithub-button shithub-button-primary">Add</button>

+      </form>

+    </section>

+  </div>

+</div>

+{{- end }}