tenseleyflow/shithub / 6baf2b6

+			r.Get("/settings/profile", h.settingsProfileForm)

+			r.Post("/settings/profile", h.settingsProfileSubmit)

+	profileTpl := `{{ define "page" }}<h1>Public profile</h1>{{ with .Error }}<p class=error>{{.}}</p>{{ end }}{{ with .Success }}<p class=notice>{{.}}</p>{{ end }}<form><input name=csrf_token value="{{.CSRFToken}}">DISPLAY={{.Form.DisplayName}};BIO={{.Form.Bio}};LOCATION={{.Form.Location}};WEBSITE={{.Form.Website}};COMPANY={{.Form.Company}};PRONOUNS={{.Form.Pronouns}};</form>{{ end }}`

+		"settings/profile.html":      {Data: []byte(profileTpl)},

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package auth

+

+import (

+	"net/http"

+	"net/url"

+	"strings"

+	"unicode/utf8"

+

+	usersdb "github.com/tenseleyFlow/shithub/internal/users/sqlc"

+	"github.com/tenseleyFlow/shithub/internal/web/middleware"

+)

+

+// Field length caps. These mirror the CHECK constraints added in

+// migration 0014; the handler validates before the DB does so we surface

+// a friendly error instead of a 500 from a constraint violation.

+const (

+	maxDisplayName = 100

+	maxBio         = 500

+	maxLocation    = 80

+	maxWebsite     = 200

+	maxCompany     = 80

+	maxPronouns    = 40

+)

+

+// profileForm is the editor's form state. We round-trip on validation

+// errors so the user doesn't lose their input.

+type profileForm struct {

+	DisplayName string

+	Bio         string

+	Location    string

+	Website     string

+	Company     string

+	Pronouns    string

+}

+

+// settingsProfileForm renders GET /settings/profile prefilled from the DB.

+func (h *Handlers) settingsProfileForm(w http.ResponseWriter, r *http.Request) {

+	user := middleware.CurrentUserFromContext(r.Context())

+	row, err := h.q.GetUserByID(r.Context(), h.d.Pool, user.ID)

+	if err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "settings/profile: load", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+	h.renderProfileForm(w, r, profileForm{

+		DisplayName: row.DisplayName,

+		Bio:         row.Bio,

+		Location:    row.Location,

+		Website:     row.Website,

+		Company:     row.Company,

+		Pronouns:    row.Pronouns,

+	}, "", "")

+}

+

+// settingsProfileSubmit handles POST /settings/profile.

+func (h *Handlers) settingsProfileSubmit(w http.ResponseWriter, r *http.Request) {

+	if err := r.ParseForm(); err != nil {

+		h.d.Render.HTTPError(w, r, http.StatusBadRequest, "form parse")

+		return

+	}

+	user := middleware.CurrentUserFromContext(r.Context())

+	form := profileForm{

+		DisplayName: strings.TrimSpace(r.PostFormValue("display_name")),

+		Bio:         strings.TrimRight(r.PostFormValue("bio"), " \t\r\n"),

+		Location:    strings.TrimSpace(r.PostFormValue("location")),

+		Website:     strings.TrimSpace(r.PostFormValue("website")),

+		Company:     strings.TrimSpace(r.PostFormValue("company")),

+		Pronouns:    strings.TrimSpace(r.PostFormValue("pronouns")),

+	}

+	if msg := validateProfile(&form); msg != "" {

+		h.renderProfileForm(w, r, form, msg, "")

+		return

+	}

+

+	if err := h.q.UpdateUserProfile(r.Context(), h.d.Pool, usersdb.UpdateUserProfileParams{

+		ID:          user.ID,

+		DisplayName: form.DisplayName,

+		Bio:         form.Bio,

+		Location:    form.Location,

+		Website:     form.Website,

+		Company:     form.Company,

+		Pronouns:    form.Pronouns,

+	}); err != nil {

+		h.d.Logger.ErrorContext(r.Context(), "settings/profile: update", "error", err)

+		h.d.Render.HTTPError(w, r, http.StatusInternalServerError, "")

+		return

+	}

+

+	h.renderProfileForm(w, r, form, "", "Profile updated.")

+}

+

+// renderProfileForm is the shared render path. errMsg / successMsg are

+// mutually exclusive in practice but we let the template show whichever is set.

+func (h *Handlers) renderProfileForm(w http.ResponseWriter, r *http.Request, form profileForm, errMsg, successMsg string) {

+	user := middleware.CurrentUserFromContext(r.Context())

+	h.renderPage(w, r, "settings/profile", map[string]any{

+		"Title":          "Public profile",

+		"CSRFToken":      middleware.CSRFTokenForRequest(r),

+		"SettingsActive": "profile",

+		"Username":       user.Username,

+		"Form":           form,

+		"Error":          errMsg,

+		"Success":        successMsg,

+	})

+}

+

+// validateProfile enforces length caps and (if present) URL shape on

+// the website. It returns a friendly message or "" on success.

+func validateProfile(f *profileForm) string {

+	if utf8.RuneCountInString(f.DisplayName) > maxDisplayName {

+		return "Display name is too long."

+	}

+	if utf8.RuneCountInString(f.Bio) > maxBio {

+		return "Bio is too long (max 500 characters)."

+	}

+	if utf8.RuneCountInString(f.Location) > maxLocation {

+		return "Location is too long."

+	}

+	if utf8.RuneCountInString(f.Website) > maxWebsite {

+		return "Website URL is too long."

+	}

+	if utf8.RuneCountInString(f.Company) > maxCompany {

+		return "Company is too long."

+	}

+	if utf8.RuneCountInString(f.Pronouns) > maxPronouns {

+		return "Pronouns is too long."

+	}

+	if f.Website != "" {

+		// Auto-prefix bare hosts so users can paste "example.com".

+		if !strings.Contains(f.Website, "://") {

+			f.Website = "https://" + f.Website

+		}

+		u, err := url.Parse(f.Website)

+		if err != nil || (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {

+			return "Website must be an http(s) URL."

+		}

+	}

+	if strings.ContainsAny(f.DisplayName, "\r\n") ||

+		strings.ContainsAny(f.Location, "\r\n") ||

+		strings.ContainsAny(f.Company, "\r\n") ||

+		strings.ContainsAny(f.Pronouns, "\r\n") {

+		return "Single-line fields cannot contain newlines."

+	}

+	return ""

+}

+// SPDX-License-Identifier: AGPL-3.0-or-later

+

+package auth_test

+

+import (

+	"io"

+	"net/http"

+	"net/url"

+	"strings"

+	"testing"

+)

+

+func loginProfileUser(t *testing.T) *client {

+	t.Helper()

+	httpsrv, captor := newTestServer(t, false)

+	cli := newClient(t, httpsrv)

+

+	mustSignup(t, cli, "alicep", "alicep@example.com", "correct horse battery staple")

+	tok := extractTokenFromMessage(t, captor.all()[0], "/verify-email")

+	_ = cli.get(t, "/verify-email/"+tok).Body.Close()

+

+	csrf := cli.extractCSRF(t, "/login")

+	resp := cli.post(t, "/login", url.Values{

+		"csrf_token": {csrf},

+		"username":   {"alicep"},

+		"password":   {"correct horse battery staple"},

+	})

+	if resp.StatusCode != http.StatusSeeOther {

+		t.Fatalf("login: %d", resp.StatusCode)

+	}

+	_ = resp.Body.Close()

+	return cli

+}

+

+func TestProfileEditor_Roundtrip(t *testing.T) {

+	t.Parallel()

+	cli := loginProfileUser(t)

+

+	// GET shows the form.

+	resp := cli.get(t, "/settings/profile")

+	if resp.StatusCode != 200 {

+		t.Fatalf("get: %d", resp.StatusCode)

+	}

+	body, _ := io.ReadAll(resp.Body)

+	_ = resp.Body.Close()

+	if !strings.Contains(string(body), "Public profile") {

+		t.Fatalf("missing heading: %s", body)

+	}

+

+	csrf := cli.extractCSRF(t, "/settings/profile")

+	resp = cli.post(t, "/settings/profile", url.Values{

+		"csrf_token":   {csrf},

+		"display_name": {"Alice P."},

+		"bio":          {"Building things."},

+		"location":     {"Berlin"},

+		"website":      {"example.com"}, // bare host -> auto https://

+		"company":      {"Acme"},

+		"pronouns":     {"she/her"},

+	})

+	if resp.StatusCode != 200 {

+		body, _ := io.ReadAll(resp.Body)

+		t.Fatalf("post: %d %s", resp.StatusCode, body)

+	}

+	body, _ = io.ReadAll(resp.Body)

+	_ = resp.Body.Close()

+	for _, want := range []string{"Profile updated.", "Alice P.", "Building things.", "Berlin", "https://example.com", "Acme", "she/her"} {

+		if !strings.Contains(string(body), want) {

+			t.Errorf("missing %q in body", want)

+		}

+	}

+}

+

+func TestProfileEditor_RejectsBadURL(t *testing.T) {

+	t.Parallel()

+	cli := loginProfileUser(t)

+	csrf := cli.extractCSRF(t, "/settings/profile")

+	resp := cli.post(t, "/settings/profile", url.Values{

+		"csrf_token": {csrf},

+		"website":    {"javascript:alert(1)"},

+	})

+	body, _ := io.ReadAll(resp.Body)

+	_ = resp.Body.Close()

+	if !strings.Contains(string(body), "http(s)") {

+		t.Fatalf("expected URL error, got: %s", body)

+	}

+}

+

+func TestProfileEditor_RequiresAuth(t *testing.T) {

+	t.Parallel()

+	httpsrv, _ := newTestServer(t, false)

+	cli := newClient(t, httpsrv)

+	resp := cli.get(t, "/settings/profile")

+	defer func() { _ = resp.Body.Close() }()

+	// RequireUser sends an unauthenticated visitor to /login (303 See Other).

+	if resp.StatusCode != http.StatusSeeOther && resp.StatusCode != http.StatusFound {

+		t.Fatalf("expected redirect, got %d", resp.StatusCode)

+	}

+}

+

+func TestProfileEditor_TooLongBio(t *testing.T) {

+	t.Parallel()

+	cli := loginProfileUser(t)

+	csrf := cli.extractCSRF(t, "/settings/profile")

+	resp := cli.post(t, "/settings/profile", url.Values{

+		"csrf_token": {csrf},

+		"bio":        {strings.Repeat("a", 501)},

+	})

+	body, _ := io.ReadAll(resp.Body)

+	_ = resp.Body.Close()

+	if !strings.Contains(string(body), "Bio is too long") {

+		t.Fatalf("expected bio length error, got: %s", body)

+	}

+}

+

+.shithub-settings-section label small {

+  font-weight: 400;

+  color: var(--fg-muted);

+  font-size: 0.8rem;

+}

+

+.shithub-profile-edit {

+  display: grid;

+  grid-template-columns: minmax(0, 1fr) 220px;

+  gap: 2rem;

+  align-items: start;

+}

+.shithub-profile-edit-form { margin: 0; padding: 0; border: none; }

+.shithub-profile-edit-aside h2 { margin: 0 0 0.75rem; font-size: 0.9rem; font-weight: 600; }

+.shithub-profile-edit-avatar {

+  width: 200px;

+  height: 200px;

+  border-radius: 50%;

+  border: 1px solid var(--border-default);

+  background: var(--canvas-subtle);

+  display: block;

+}

+.shithub-empty-note {

+  margin: 0.5rem 0 0;

+  font-size: 0.8rem;

+  color: var(--fg-muted);

+}

+

+@media (max-width: 720px) {

+  .shithub-settings-page {

+    grid-template-columns: 1fr;

+  }

+  .shithub-profile-edit {

+    grid-template-columns: 1fr;

+  }

+}

+{{ define "page" -}}

+<div class="shithub-settings-page">

+  {{ template "settings-nav" . }}

+  <div class="shithub-settings-content">

+    <h1>Public profile</h1>

+

+    {{ with .Error }}<p class="shithub-flash shithub-flash-error" role="alert">{{ . }}</p>{{ end }}

+    {{ with .Success }}<p class="shithub-flash shithub-flash-notice" role="status">{{ . }}</p>{{ end }}

+

+    <div class="shithub-profile-edit">

+      <section class="shithub-settings-section shithub-profile-edit-form">

+        <form method="POST" action="/settings/profile" novalidate>

+          <input type="hidden" name="csrf_token" value="{{ .CSRFToken }}">

+          <label>

+            <span>Name</span>

+            <input type="text" name="display_name" maxlength="100" value="{{ .Form.DisplayName }}">

+            <small>Your name may appear around shithub where you contribute or are mentioned. You can remove it at any time.</small>

+          </label>

+          <label>

+            <span>Bio</span>

+            <textarea name="bio" rows="3" maxlength="500">{{ .Form.Bio }}</textarea>

+            <small>You can @mention other users and organizations to link to them.</small>

+          </label>

+          <label>

+            <span>Pronouns</span>

+            <input type="text" name="pronouns" maxlength="40" value="{{ .Form.Pronouns }}" placeholder="e.g. she/her, they/them">

+          </label>

+          <label>

+            <span>URL</span>

+            <input type="text" name="website" maxlength="200" value="{{ .Form.Website }}" placeholder="https://example.com">

+          </label>

+          <label>

+            <span>Company</span>

+            <input type="text" name="company" maxlength="80" value="{{ .Form.Company }}">

+            <small>You can @mention your company's shithub organization to link it.</small>

+          </label>

+          <label>

+            <span>Location</span>

+            <input type="text" name="location" maxlength="80" value="{{ .Form.Location }}">

+          </label>

+          <button type="submit" class="shithub-button shithub-button-primary">Update profile</button>

+        </form>

+      </section>

+

+      <aside class="shithub-profile-edit-aside">

+        <h2>Profile picture</h2>

+        <img src="/avatars/{{ .Username }}" alt="" class="shithub-profile-edit-avatar">

+        <p class="shithub-empty-note">Avatar upload coming soon.</p>

+      </aside>

+    </div>

+  </div>

+</div>

+{{- end }}