tenseleyflow/shithub / 42e74ce

+			r.Get("/settings/notifications", h.settingsNotificationsForm)

+			r.Post("/settings/notifications", h.settingsNotificationsSubmit)

+	notifTpl := `{{ define "page" }}<h1>Notifications</h1>{{ with .Success }}<p class=notice>{{.}}</p>{{ end }}<form action="/settings/notifications" method=POST><input name=csrf_token value="{{.CSRFToken}}">CHANNELS={{ range .Channels }}{{.Key}}:e={{.Enabled}}:r={{.Required}};{{ end }}</form>{{ end }}`

+		"_layout.html":                {Data: []byte(layout)},

+		"hello.html":                  {Data: []byte(`{{ define "page" }}home{{ end }}`)},

+		"auth/signup.html":            {Data: []byte(signup)},

+		"auth/login.html":             {Data: []byte(login)},

+		"auth/reset_request.html":     {Data: []byte(resetReq)},

+		"auth/reset_confirm.html":     {Data: []byte(resetConf)},

+		"auth/verify_resend.html":     {Data: []byte(verifyResend)},

+		"auth/2fa_challenge.html":     {Data: []byte(tfaChallenge)},

+		"settings/2fa_enable.html":    {Data: []byte(tfaEnable)},

+		"settings/2fa_disable.html":   {Data: []byte(tfaDisable)},

+		"settings/2fa_recovery.html":  {Data: []byte(tfaRecovery)},

+		"settings/keys.html":          {Data: []byte(keysTpl)},

+		"settings/tokens.html":        {Data: []byte(tokensTpl)},

+		"settings/profile.html":       {Data: []byte(profileTpl)},

+		"settings/account.html":       {Data: []byte(accountTpl)},

+		"settings/password.html":      {Data: []byte(pwTpl)},

+		"settings/appearance.html":    {Data: []byte(apprTpl)},

+		"settings/emails.html":        {Data: []byte(emailsTpl)},

+		"settings/notifications.html": {Data: []byte(notifTpl)},

+		"errors/404.html":             {Data: []byte(errorPage)},

+		"errors/403.html":             {Data: []byte(errorPage)},

+		"errors/429.html":             {Data: []byte(errorPage)},

+		"errors/500.html":             {Data: []byte(errorPage)},

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package auth

+

+import (

+	"encoding/json"

+	"net/http"

+

+	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/web/middleware"

+)

+

+// notifChannel is one toggleable preference. Adding a channel is a code

+// change (this list) plus a translation, never a DB migration; the

+// underlying user_notification_prefs table is generic key/value.

+type notifChannel struct {

+	Key         string

+	Title       string

+	Description string

+	Required    bool // when true, displayed but not toggleable

+}

+

+// notifChannels is the fixed set surfaced on /settings/notifications.

+// Order matters — it's the render order. Required channels (security

+// alerts) are listed first so they're prominent.

+var notifChannels = []notifChannel{

+	{

+		Key:         "security_alerts",

+		Title:       "Security alerts",

+		Description: "New sign-ins, password changes, 2FA enrollment, recovery codes used. These cannot be disabled.",

+		Required:    true,

+	},

+	{

+		Key:         "account_changes",

+		Title:       "Account changes",

+		Description: "Username changes, primary-email switches, account-deletion confirmations.",

+	},

+	{

+		Key:         "product_news",

+		Title:       "Product news",

+		Description: "Occasional updates about new shithub features. Off by default.",

+	},

+}

+

+// notifChannelDefault returns the default state for a channel that has

+// no DB row. Account-related channels are opt-out (default on); marketing

+// channels are opt-in (default off).

+func notifChannelDefault(key string) bool {

+	switch key {

+	case "security_alerts", "account_changes":

+		return true

+	default:

+		return false

+	}

+}

+

+// notifPrefValue is the JSON shape we persist in user_notification_prefs.value.

+type notifPrefValue struct {

+	Enabled bool `json:"enabled"`

+}

+

+// settingsNotificationsForm renders GET /settings/notifications.

+func (h *Handlers) settingsNotificationsForm(w http.ResponseWriter, r *http.Request) {

+	h.renderNotificationsForm(w, r, "")

+}

+

+// settingsNotificationsSubmit handles POST /settings/notifications.

+//

+// Diff strategy:

+//   - For each non-required channel, read the form checkbox.

+//   - If desired matches default → DeleteUserNotificationPref (so the

+//     row only exists when the user has actively diverged).

+//   - Otherwise → UpsertUserNotificationPref with {"enabled":<desired>}.

+//

+// This keeps the table small and makes "reset to defaults" a no-op

+// rather than a code change.

+func (h *Handlers) settingsNotificationsSubmit(w http.ResponseWriter, r *http.Request) {

+	if err := r.ParseForm(); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusBadRequest, "form parse")

+		return

+	}

+	user := middleware.CurrentUserFromContext(r.Context())

+

+	for _, ch := range notifChannels {

+		if ch.Required {

+			continue

+		}

+		desired := r.PostFormValue(ch.Key) == "on"

+		if desired == notifChannelDefault(ch.Key) {

+			if err := h.q.DeleteUserNotificationPref(r.Context(), h.d.Pool, usersdb.DeleteUserNotificationPrefParams{

+				UserID: user.ID, Key: ch.Key,

+			}); err != nil {

+				h.d.Logger.ErrorContext(r.Context(), "notif: delete", "error", err, "key", ch.Key)

+				h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+				return

+			}

+			continue

+		}

+		val, err := json.Marshal(notifPrefValue{Enabled: desired})

+		if err != nil {

+			h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+			return

+		}

+		if err := h.q.UpsertUserNotificationPref(r.Context(), h.d.Pool, usersdb.UpsertUserNotificationPrefParams{

+			UserID: user.ID, Key: ch.Key, Value: val,

+		}); err != nil {

+			h.d.Logger.ErrorContext(r.Context(), "notif: upsert", "error", err, "key", ch.Key)

+			h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+			return

+		}

+	}

+

+	h.renderNotificationsForm(w, r, "Preferences saved.")

+}

+

+// renderNotificationsForm pulls the current persisted state, layers it

+// on top of defaults, and renders the toggles.

+func (h *Handlers) renderNotificationsForm(w http.ResponseWriter, r *http.Request, successMsg string) {

+	user := middleware.CurrentUserFromContext(r.Context())

+	rows, err := h.q.ListUserNotificationPrefs(r.Context(), h.d.Pool, user.ID)

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "notif: list", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	persisted := make(map[string]bool, len(rows))

+	for _, p := range rows {

+		var v notifPrefValue

+		if err := json.Unmarshal(p.Value, &v); err != nil {

+			continue

+		}

+		persisted[p.Key] = v.Enabled

+	}

+

+	type viewChan struct {

+		notifChannel

+		Enabled bool

+	}

+	view := make([]viewChan, 0, len(notifChannels))

+	for _, ch := range notifChannels {

+		enabled := notifChannelDefault(ch.Key)

+		if v, ok := persisted[ch.Key]; ok {

+			enabled = v

+		}

+		if ch.Required {

+			enabled = true

+		}

+		view = append(view, viewChan{notifChannel: ch, Enabled: enabled})

+	}

+

+	h.renderPage(w, r, "settings/notifications", map[string]any{

+		"Title":          "Notifications",

+		"CSRFToken":      middleware.CSRFTokenForRequest(r),

+		"SettingsActive": "notifications",

+		"Channels":       view,

+		"Success":        successMsg,

+	})

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package auth_test

+

+import (

+	"io"

+	"net/http"

+	"net/url"

+	"strings"

+	"testing"

+)

+

+func loginNotifUser(t *testing.T, name string) *client {

+	t.Helper()

+	httpsrv, captor := newTestServer(t, false)

+	cli := newClient(t, httpsrv)

+	mustSignup(t, cli, name, name+"@example.com", "correct horse battery staple")

+	tok := extractTokenFromMessage(t, captor.all()[0], "/verify-email")

+	_ = cli.get(t, "/verify-email/"+tok).Body.Close()

+

+	csrf := cli.extractCSRF(t, "/login")

+	resp := cli.post(t, "/login", url.Values{

+		"csrf_token": {csrf},

+		"username":   {name},

+		"password":   {"correct horse battery staple"},

+	})

+	if resp.StatusCode != http.StatusSeeOther {

+		t.Fatalf("login: %d", resp.StatusCode)

+	}

+	_ = resp.Body.Close()

+	return cli

+}

+

+func TestNotifications_DefaultsRender(t *testing.T) {

+	t.Parallel()

+	cli := loginNotifUser(t, "nfa")

+	resp := cli.get(t, "/settings/notifications")

+	defer func() { _ = resp.Body.Close() }()

+	body, _ := io.ReadAll(resp.Body)

+	// Required is always on. account_changes default-on. product_news default-off.

+	if !strings.Contains(string(body), "security_alerts:e=true:r=true") {

+		t.Errorf("security_alerts row wrong: %s", body)

+	}

+	if !strings.Contains(string(body), "account_changes:e=true:r=false") {

+		t.Errorf("account_changes default mismatch: %s", body)

+	}

+	if !strings.Contains(string(body), "product_news:e=false:r=false") {

+		t.Errorf("product_news default mismatch: %s", body)

+	}

+}

+

+func TestNotifications_OptOutThenOptIn(t *testing.T) {

+	t.Parallel()

+	cli := loginNotifUser(t, "nfb")

+

+	// Opt out of account_changes (no checkbox sent for it).

+	csrf := cli.extractCSRF(t, "/settings/notifications")

+	resp := cli.post(t, "/settings/notifications", url.Values{

+		"csrf_token": {csrf},

+		// account_changes intentionally omitted

+		"product_news": {"on"},

+	})

+	body, _ := io.ReadAll(resp.Body)

+	_ = resp.Body.Close()

+	if !strings.Contains(string(body), "Preferences saved") {

+		t.Fatalf("expected save success, got: %s", body)

+	}

+	if !strings.Contains(string(body), "account_changes:e=false:r=false") {

+		t.Errorf("account_changes should be off after opt-out: %s", body)

+	}

+	if !strings.Contains(string(body), "product_news:e=true:r=false") {

+		t.Errorf("product_news should be on after opt-in: %s", body)

+	}

+

+	// Now flip back to defaults — DB rows for both should be deleted

+	// since the desired state matches the default again.

+	csrf = cli.extractCSRF(t, "/settings/notifications")

+	resp = cli.post(t, "/settings/notifications", url.Values{

+		"csrf_token":      {csrf},

+		"account_changes": {"on"}, // back to default-on

+		// product_news omitted → back to default-off

+	})

+	defer func() { _ = resp.Body.Close() }()

+	body, _ = io.ReadAll(resp.Body)

+	if !strings.Contains(string(body), "account_changes:e=true:r=false") {

+		t.Errorf("expected account_changes back on: %s", body)

+	}

+	if !strings.Contains(string(body), "product_news:e=false:r=false") {

+		t.Errorf("expected product_news back off: %s", body)

+	}

+}

+

+/* ----- notifications (S10) ----- */

+.shithub-notif-form { display: grid; gap: 0.75rem; max-width: 36rem; }

+.shithub-notif-row {

+  display: grid;

+  grid-template-columns: max-content 1fr;

+  gap: 0.75rem;

+  padding: 0.75rem 1rem;

+  border: 1px solid var(--border-default);

+  border-radius: 6px;

+  background: var(--canvas-subtle);

+  align-items: start;

+}

+.shithub-notif-row.required { background: rgba(56, 139, 253, 0.06); }

+.shithub-notif-row strong { display: block; font-size: 0.95rem; }

+.shithub-notif-row small { display: block; color: var(--fg-muted); font-size: 0.85rem; }

+{{ define "page" -}}

+<div class="shithub-settings-page">

+  {{ template "settings-nav" . }}

+  <div class="shithub-settings-content">

+    <h1>Notifications</h1>

+

+    {{ with .Success }}<p class="shithub-flash shithub-flash-notice" role="status">{{ . }}</p>{{ end }}

+

+    <section class="shithub-settings-section">

+      <h2>Email preferences</h2>

+      <p>Choose which kinds of email shithub may send to your primary address.</p>

+

+      <form method="POST" action="/settings/notifications" novalidate class="shithub-notif-form">

+        <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">

+

+        {{ range .Channels }}

+        <label class="shithub-notif-row{{ if .Required }} required{{ end }}">

+          <input type="checkbox" name="{{ .Key }}" value="on"

+                 {{ if .Enabled }}checked{{ end }}

+                 {{ if .Required }}disabled{{ end }}>

+          <span>

+            <strong>{{ .Title }}</strong>

+            <small>{{ .Description }}</small>

+          </span>

+        </label>

+        {{ end }}

+

+        <button type="submit" class="shithub-button shithub-button-primary">Save preferences</button>

+      </form>

+    </section>

+  </div>

+</div>

+{{- end }}