+14

.sqlx/query-00e2443c853791978e20e590a54721e44bbf7df1285acc27b0b658841fb55c7e.json

··· 1 1 + { 2 2 + "db_name": "PostgreSQL", 3 3 + "query": "UPDATE users SET telegram_verified = TRUE WHERE id = $1", 4 4 + "describe": { 5 5 + "columns": [], 6 6 + "parameters": { 7 7 + "Left": [ 8 8 + "Uuid" 9 9 + ] 10 10 + }, 11 11 + "nullable": [] 12 12 + }, 13 13 + "hash": "00e2443c853791978e20e590a54721e44bbf7df1285acc27b0b658841fb55c7e" 14 14 + }

-14

.sqlx/query-0e837bf8eb303dbd2d0ffad0167da75c15fb1859c658fc5957ab28ef674108a8.json

··· 1 1 - { 2 2 - "db_name": "PostgreSQL", 3 3 - "query": "DELETE FROM channel_verifications WHERE user_id = $1 AND channel = 'telegram'", 4 4 - "describe": { 5 5 - "columns": [], 6 6 - "parameters": { 7 7 - "Left": [ 8 8 - "Uuid" 9 9 - ] 10 10 - }, 11 11 - "nullable": [] 12 12 - }, 13 13 - "hash": "0e837bf8eb303dbd2d0ffad0167da75c15fb1859c658fc5957ab28ef674108a8" 14 14 - }

+2 -1

.sqlx/query-17dfafc85b3434ed78041f48809580a02c92e579869f647cb08f65ac777854f5.json

··· 40 40 "two_factor_code", 41 41 "channel_verification", 42 42 "passkey_recovery", 43 43 - "legacy_login_alert" 43 43 + "legacy_login_alert", 44 44 + "migration_verification" 44 45 ] 45 46 } 46 47 }

+14

.sqlx/query-1baf4c087c31d0e2af8f607fb3476db6b34925a0c8902fdd9c9a5a607f19b3af.json

··· 1 1 + { 2 2 + "db_name": "PostgreSQL", 3 3 + "query": "UPDATE users SET signal_verified = TRUE WHERE id = $1", 4 4 + "describe": { 5 5 + "columns": [], 6 6 + "parameters": { 7 7 + "Left": [ 8 8 + "Uuid" 9 9 + ] 10 10 + }, 11 11 + "nullable": [] 12 12 + }, 13 13 + "hash": "1baf4c087c31d0e2af8f607fb3476db6b34925a0c8902fdd9c9a5a607f19b3af" 14 14 + }

+2 -1

.sqlx/query-20dd204aa552572ec9dc5b9950efdfa8a2e37aae3f171a2be73bee3057f86e08.json

··· 48 48 "two_factor_code", 49 49 "channel_verification", 50 50 "passkey_recovery", 51 51 - "legacy_login_alert" 51 51 + "legacy_login_alert", 52 52 + "migration_verification" 52 53 ] 53 54 } 54 55 }

-15

.sqlx/query-30aa8003262b82ee58f1819f1a74c195768dce6d4c8d297e8b7eab1d990f61c5.json

··· 1 1 - { 2 2 - "db_name": "PostgreSQL", 3 3 - "query": "UPDATE users SET email = $1, updated_at = NOW() WHERE id = $2", 4 4 - "describe": { 5 5 - "columns": [], 6 6 - "parameters": { 7 7 - "Left": [ 8 8 - "Text", 9 9 - "Uuid" 10 10 - ] 11 11 - }, 12 12 - "nullable": [] 13 13 - }, 14 14 - "hash": "30aa8003262b82ee58f1819f1a74c195768dce6d4c8d297e8b7eab1d990f61c5" 15 15 - }

+2 -1

.sqlx/query-3f9b3b06f54df7c1d20ea9ff94b914ad3bf77d47dd393a0aae1c030b8ce98bcc.json

··· 40 40 "two_factor_code", 41 41 "channel_verification", 42 42 "passkey_recovery", 43 43 - "legacy_login_alert" 43 43 + "legacy_login_alert", 44 44 + "migration_verification" 44 45 ] 45 46 } 46 47 }

-30

.sqlx/query-54ec6149f129881362891151da8200baef1f16427d87fb3afeb1e066c4084483.json

··· 1 1 - { 2 2 - "db_name": "PostgreSQL", 3 3 - "query": "INSERT INTO channel_verifications (user_id, channel, code, pending_identifier, expires_at) VALUES ($1, $2::comms_channel, $3, $4, $5)", 4 4 - "describe": { 5 5 - "columns": [], 6 6 - "parameters": { 7 7 - "Left": [ 8 8 - "Uuid", 9 9 - { 10 10 - "Custom": { 11 11 - "name": "comms_channel", 12 12 - "kind": { 13 13 - "Enum": [ 14 14 - "email", 15 15 - "discord", 16 16 - "telegram", 17 17 - "signal" 18 18 - ] 19 19 - } 20 20 - } 21 21 - }, 22 22 - "Text", 23 23 - "Text", 24 24 - "Timestamptz" 25 25 - ] 26 26 - }, 27 27 - "nullable": [] 28 28 - }, 29 29 - "hash": "54ec6149f129881362891151da8200baef1f16427d87fb3afeb1e066c4084483" 30 30 - }

-27

.sqlx/query-57229564a518b14dca6fecef677d4b58b5ab6892846e65a4f1549ae5f147c13e.json

··· 1 1 - { 2 2 - "db_name": "PostgreSQL", 3 3 - "query": "DELETE FROM channel_verifications WHERE user_id = $1 AND channel = $2::comms_channel", 4 4 - "describe": { 5 5 - "columns": [], 6 6 - "parameters": { 7 7 - "Left": [ 8 8 - "Uuid", 9 9 - { 10 10 - "Custom": { 11 11 - "name": "comms_channel", 12 12 - "kind": { 13 13 - "Enum": [ 14 14 - "email", 15 15 - "discord", 16 16 - "telegram", 17 17 - "signal" 18 18 - ] 19 19 - } 20 20 - } 21 21 - } 22 22 - ] 23 23 - }, 24 24 - "nullable": [] 25 25 - }, 26 26 - "hash": "57229564a518b14dca6fecef677d4b58b5ab6892846e65a4f1549ae5f147c13e" 27 27 - }

-41

.sqlx/query-5a3f588a937a44a4e14570a6c13bc6f4c5a2a50155f6e8bdd14beef66dca97c1.json

··· 1 1 - { 2 2 - "db_name": "PostgreSQL", 3 3 - "query": "SELECT code, expires_at FROM channel_verifications WHERE user_id = $1 AND channel = $2::comms_channel", 4 4 - "describe": { 5 5 - "columns": [ 6 6 - { 7 7 - "ordinal": 0, 8 8 - "name": "code", 9 9 - "type_info": "Text" 10 10 - }, 11 11 - { 12 12 - "ordinal": 1, 13 13 - "name": "expires_at", 14 14 - "type_info": "Timestamptz" 15 15 - } 16 16 - ], 17 17 - "parameters": { 18 18 - "Left": [ 19 19 - "Uuid", 20 20 - { 21 21 - "Custom": { 22 22 - "name": "comms_channel", 23 23 - "kind": { 24 24 - "Enum": [ 25 25 - "email", 26 26 - "discord", 27 27 - "telegram", 28 28 - "signal" 29 29 - ] 30 30 - } 31 31 - } 32 32 - } 33 33 - ] 34 34 - }, 35 35 - "nullable": [ 36 36 - false, 37 37 - false 38 38 - ] 39 39 - }, 40 40 - "hash": "5a3f588a937a44a4e14570a6c13bc6f4c5a2a50155f6e8bdd14beef66dca97c1" 41 41 - }

+34

.sqlx/query-5e1ed2edc81e4f2560b3f8f0a8f04e0fb78548402715fc88e2b34a8ccdb80082.json

··· 1 1 + { 2 2 + "db_name": "PostgreSQL", 3 3 + "query": "SELECT id, email, email_verified FROM users WHERE did = $1", 4 4 + "describe": { 5 5 + "columns": [ 6 6 + { 7 7 + "ordinal": 0, 8 8 + "name": "id", 9 9 + "type_info": "Uuid" 10 10 + }, 11 11 + { 12 12 + "ordinal": 1, 13 13 + "name": "email", 14 14 + "type_info": "Text" 15 15 + }, 16 16 + { 17 17 + "ordinal": 2, 18 18 + "name": "email_verified", 19 19 + "type_info": "Bool" 20 20 + } 21 21 + ], 22 22 + "parameters": { 23 23 + "Left": [ 24 24 + "Text" 25 25 + ] 26 26 + }, 27 27 + "nullable": [ 28 28 + false, 29 29 + true, 30 30 + false 31 31 + ] 32 32 + }, 33 33 + "hash": "5e1ed2edc81e4f2560b3f8f0a8f04e0fb78548402715fc88e2b34a8ccdb80082" 34 34 + }

+46

.sqlx/query-5ee0976fbff885ad19482b3b4d54ebca7a6cde24c411597c9df6e94b8be1f922.json

··· 1 1 + { 2 2 + "db_name": "PostgreSQL", 3 3 + "query": "SELECT id, did, email, email_verified, handle FROM users WHERE LOWER(email) = $1", 4 4 + "describe": { 5 5 + "columns": [ 6 6 + { 7 7 + "ordinal": 0, 8 8 + "name": "id", 9 9 + "type_info": "Uuid" 10 10 + }, 11 11 + { 12 12 + "ordinal": 1, 13 13 + "name": "did", 14 14 + "type_info": "Text" 15 15 + }, 16 16 + { 17 17 + "ordinal": 2, 18 18 + "name": "email", 19 19 + "type_info": "Text" 20 20 + }, 21 21 + { 22 22 + "ordinal": 3, 23 23 + "name": "email_verified", 24 24 + "type_info": "Bool" 25 25 + }, 26 26 + { 27 27 + "ordinal": 4, 28 28 + "name": "handle", 29 29 + "type_info": "Text" 30 30 + } 31 31 + ], 32 32 + "parameters": { 33 33 + "Left": [ 34 34 + "Text" 35 35 + ] 36 36 + }, 37 37 + "nullable": [ 38 38 + false, 39 39 + false, 40 40 + true, 41 41 + false, 42 42 + false 43 43 + ] 44 44 + }, 45 45 + "hash": "5ee0976fbff885ad19482b3b4d54ebca7a6cde24c411597c9df6e94b8be1f922" 46 46 + }

-14

.sqlx/query-9af373d1bee5d79419f131a44c6e346a95bd3cafe2454dbe08411abb11f42161.json

··· 1 1 - { 2 2 - "db_name": "PostgreSQL", 3 3 - "query": "DELETE FROM channel_verifications WHERE user_id = $1 AND channel = 'discord'", 4 4 - "describe": { 5 5 - "columns": [], 6 6 - "parameters": { 7 7 - "Left": [ 8 8 - "Uuid" 9 9 - ] 10 10 - }, 11 11 - "nullable": [] 12 12 - }, 13 13 - "hash": "9af373d1bee5d79419f131a44c6e346a95bd3cafe2454dbe08411abb11f42161" 14 14 - }

-34

.sqlx/query-a1464e8d15e8e46a3ebc21e591afb89b8f937469f8e33a43f2cd8e121526f3d3.json

··· 1 1 - { 2 2 - "db_name": "PostgreSQL", 3 3 - "query": "SELECT code, pending_identifier, expires_at FROM channel_verifications WHERE user_id = $1 AND channel = 'email'", 4 4 - "describe": { 5 5 - "columns": [ 6 6 - { 7 7 - "ordinal": 0, 8 8 - "name": "code", 9 9 - "type_info": "Text" 10 10 - }, 11 11 - { 12 12 - "ordinal": 1, 13 13 - "name": "pending_identifier", 14 14 - "type_info": "Text" 15 15 - }, 16 16 - { 17 17 - "ordinal": 2, 18 18 - "name": "expires_at", 19 19 - "type_info": "Timestamptz" 20 20 - } 21 21 - ], 22 22 - "parameters": { 23 23 - "Left": [ 24 24 - "Uuid" 25 25 - ] 26 26 - }, 27 27 - "nullable": [ 28 28 - false, 29 29 - true, 30 30 - false 31 31 - ] 32 32 - }, 33 33 - "hash": "a1464e8d15e8e46a3ebc21e591afb89b8f937469f8e33a43f2cd8e121526f3d3" 34 34 - }

+15

.sqlx/query-a51d2a4af488164421cf669302c896720a4745bfb913a18e4829a8edd73ea005.json

··· 1 1 + { 2 2 + "db_name": "PostgreSQL", 3 3 + "query": "UPDATE users SET email = $1, email_verified = TRUE, updated_at = NOW() WHERE id = $2", 4 4 + "describe": { 5 5 + "columns": [], 6 6 + "parameters": { 7 7 + "Left": [ 8 8 + "Text", 9 9 + "Uuid" 10 10 + ] 11 11 + }, 12 12 + "nullable": [] 13 13 + }, 14 14 + "hash": "a51d2a4af488164421cf669302c896720a4745bfb913a18e4829a8edd73ea005" 15 15 + }

-14

.sqlx/query-af3010ff76e52b7cb495091f2f36547360523b12f83e4eb178242edec052a0f2.json

··· 1 1 - { 2 2 - "db_name": "PostgreSQL", 3 3 - "query": "DELETE FROM channel_verifications WHERE user_id = $1 AND channel = 'email'", 4 4 - "describe": { 5 5 - "columns": [], 6 6 - "parameters": { 7 7 - "Left": [ 8 8 - "Uuid" 9 9 - ] 10 10 - }, 11 11 - "nullable": [] 12 12 - }, 13 13 - "hash": "af3010ff76e52b7cb495091f2f36547360523b12f83e4eb178242edec052a0f2" 14 14 - }

+14

.sqlx/query-b1a4e2dc9578c3aad054ebacf00a7e804dc0aa4f0a4a283683ad1ce6a77d4f6a.json

··· 1 1 + { 2 2 + "db_name": "PostgreSQL", 3 3 + "query": "UPDATE users SET email_verified = true WHERE id = $1", 4 4 + "describe": { 5 5 + "columns": [], 6 6 + "parameters": { 7 7 + "Left": [ 8 8 + "Uuid" 9 9 + ] 10 10 + }, 11 11 + "nullable": [] 12 12 + }, 13 13 + "hash": "b1a4e2dc9578c3aad054ebacf00a7e804dc0aa4f0a4a283683ad1ce6a77d4f6a" 14 14 + }

+58

.sqlx/query-c12a8bbd82bd9caf8ad92f21da7517275989b41befa82347883945f77e8630f6.json

··· 1 1 + { 2 2 + "db_name": "PostgreSQL", 3 3 + "query": "SELECT id, handle, email, email_verified, discord_verified, telegram_verified, signal_verified FROM users WHERE did = $1", 4 4 + "describe": { 5 5 + "columns": [ 6 6 + { 7 7 + "ordinal": 0, 8 8 + "name": "id", 9 9 + "type_info": "Uuid" 10 10 + }, 11 11 + { 12 12 + "ordinal": 1, 13 13 + "name": "handle", 14 14 + "type_info": "Text" 15 15 + }, 16 16 + { 17 17 + "ordinal": 2, 18 18 + "name": "email", 19 19 + "type_info": "Text" 20 20 + }, 21 21 + { 22 22 + "ordinal": 3, 23 23 + "name": "email_verified", 24 24 + "type_info": "Bool" 25 25 + }, 26 26 + { 27 27 + "ordinal": 4, 28 28 + "name": "discord_verified", 29 29 + "type_info": "Bool" 30 30 + }, 31 31 + { 32 32 + "ordinal": 5, 33 33 + "name": "telegram_verified", 34 34 + "type_info": "Bool" 35 35 + }, 36 36 + { 37 37 + "ordinal": 6, 38 38 + "name": "signal_verified", 39 39 + "type_info": "Bool" 40 40 + } 41 41 + ], 42 42 + "parameters": { 43 43 + "Left": [ 44 44 + "Text" 45 45 + ] 46 46 + }, 47 47 + "nullable": [ 48 48 + false, 49 49 + false, 50 50 + true, 51 51 + false, 52 52 + false, 53 53 + false, 54 54 + false 55 55 + ] 56 56 + }, 57 57 + "hash": "c12a8bbd82bd9caf8ad92f21da7517275989b41befa82347883945f77e8630f6" 58 58 + }

-30

.sqlx/query-c4db3853b2f3b6363ab0e2c10a1820dd37741e9c506d85fc2608a3a6e376c5e6.json

··· 1 1 - { 2 2 - "db_name": "PostgreSQL", 3 3 - "query": "\n INSERT INTO channel_verifications (user_id, channel, code, pending_identifier, expires_at)\n VALUES ($1, $2::comms_channel, $3, $4, $5)\n ON CONFLICT (user_id, channel) DO UPDATE\n SET code = $3, pending_identifier = $4, expires_at = $5, created_at = NOW()\n ", 4 4 - "describe": { 5 5 - "columns": [], 6 6 - "parameters": { 7 7 - "Left": [ 8 8 - "Uuid", 9 9 - { 10 10 - "Custom": { 11 11 - "name": "comms_channel", 12 12 - "kind": { 13 13 - "Enum": [ 14 14 - "email", 15 15 - "discord", 16 16 - "telegram", 17 17 - "signal" 18 18 - ] 19 19 - } 20 20 - } 21 21 - }, 22 22 - "Text", 23 23 - "Text", 24 24 - "Timestamptz" 25 25 - ] 26 26 - }, 27 27 - "nullable": [] 28 28 - }, 29 29 - "hash": "c4db3853b2f3b6363ab0e2c10a1820dd37741e9c506d85fc2608a3a6e376c5e6" 30 30 - }

+14

.sqlx/query-cb626a36deffd73e67de2dc4789bd875675779a173fb2cd41ba365c1acca96f9.json

··· 1 1 + { 2 2 + "db_name": "PostgreSQL", 3 3 + "query": "UPDATE users SET email_verified = TRUE WHERE id = $1", 4 4 + "describe": { 5 5 + "columns": [], 6 6 + "parameters": { 7 7 + "Left": [ 8 8 + "Uuid" 9 9 + ] 10 10 + }, 11 11 + "nullable": [] 12 12 + }, 13 13 + "hash": "cb626a36deffd73e67de2dc4789bd875675779a173fb2cd41ba365c1acca96f9" 14 14 + }

+14

.sqlx/query-d09a8b0ab3abd19a09b7588b99335ec3857ca22e0707ef8911251c4c69e74c87.json

··· 1 1 + { 2 2 + "db_name": "PostgreSQL", 3 3 + "query": "UPDATE users SET discord_verified = TRUE WHERE id = $1", 4 4 + "describe": { 5 5 + "columns": [], 6 6 + "parameters": { 7 7 + "Left": [ 8 8 + "Uuid" 9 9 + ] 10 10 + }, 11 11 + "nullable": [] 12 12 + }, 13 13 + "hash": "d09a8b0ab3abd19a09b7588b99335ec3857ca22e0707ef8911251c4c69e74c87" 14 14 + }

-14

.sqlx/query-ee95f960c0df276fd936ceaef8b75d341a4c84322e5de2b3630573dbef387839.json

··· 1 1 - { 2 2 - "db_name": "PostgreSQL", 3 3 - "query": "DELETE FROM channel_verifications WHERE user_id = $1 AND channel = 'signal'", 4 4 - "describe": { 5 5 - "columns": [], 6 6 - "parameters": { 7 7 - "Left": [ 8 8 - "Uuid" 9 9 - ] 10 10 - }, 11 11 - "nullable": [] 12 12 - }, 13 13 - "hash": "ee95f960c0df276fd936ceaef8b75d341a4c84322e5de2b3630573dbef387839" 14 14 - }

+21 -3

.sqlx/query-efc26a1202b1bbf72da1c06b59b47e560dfb5912db8e40ee92cf91846f306e1a.json .sqlx/query-9b895b9db78ec8a5f13c0b55ea0115e4653e01fd6f5c41f156c844381347cb8a.json

··· 1 1 { 2 2 "db_name": "PostgreSQL", 3 3 - "query": "SELECT\n u.id, u.did, u.handle, u.email,\n u.preferred_comms_channel as \"channel: crate::comms::CommsChannel\",\n k.key_bytes, k.encryption_version\n FROM users u\n JOIN user_keys k ON u.id = k.user_id\n WHERE u.did = $1", 3 3 + "query": "SELECT\n u.id, u.did, u.handle, u.email,\n u.preferred_comms_channel as \"channel: crate::comms::CommsChannel\",\n u.discord_id, u.telegram_username, u.signal_number,\n k.key_bytes, k.encryption_version\n FROM users u\n JOIN user_keys k ON u.id = k.user_id\n WHERE u.did = $1", 4 4 "describe": { 5 5 "columns": [ 6 6 { ··· 42 42 }, 43 43 { 44 44 "ordinal": 5, 45 45 + "name": "discord_id", 46 46 + "type_info": "Text" 47 47 + }, 48 48 + { 49 49 + "ordinal": 6, 50 50 + "name": "telegram_username", 51 51 + "type_info": "Text" 52 52 + }, 53 53 + { 54 54 + "ordinal": 7, 55 55 + "name": "signal_number", 56 56 + "type_info": "Text" 57 57 + }, 58 58 + { 59 59 + "ordinal": 8, 45 60 "name": "key_bytes", 46 61 "type_info": "Bytea" 47 62 }, 48 63 { 49 49 - "ordinal": 6, 64 64 + "ordinal": 9, 50 65 "name": "encryption_version", 51 66 "type_info": "Int4" 52 67 } ··· 62 77 false, 63 78 true, 64 79 false, 80 80 + true, 81 81 + true, 82 82 + true, 65 83 false, 66 84 true 67 85 ] 68 86 }, 69 69 - "hash": "efc26a1202b1bbf72da1c06b59b47e560dfb5912db8e40ee92cf91846f306e1a" 87 87 + "hash": "9b895b9db78ec8a5f13c0b55ea0115e4653e01fd6f5c41f156c844381347cb8a" 70 88 }

-47

.sqlx/query-f48c982a2bf52a2f2de6d70043108ac148363e2f98b301dbeeb1caac330528c5.json

··· 1 1 - { 2 2 - "db_name": "PostgreSQL", 3 3 - "query": "\n SELECT code, pending_identifier, expires_at FROM channel_verifications\n WHERE user_id = $1 AND channel = $2::comms_channel\n ", 4 4 - "describe": { 5 5 - "columns": [ 6 6 - { 7 7 - "ordinal": 0, 8 8 - "name": "code", 9 9 - "type_info": "Text" 10 10 - }, 11 11 - { 12 12 - "ordinal": 1, 13 13 - "name": "pending_identifier", 14 14 - "type_info": "Text" 15 15 - }, 16 16 - { 17 17 - "ordinal": 2, 18 18 - "name": "expires_at", 19 19 - "type_info": "Timestamptz" 20 20 - } 21 21 - ], 22 22 - "parameters": { 23 23 - "Left": [ 24 24 - "Uuid", 25 25 - { 26 26 - "Custom": { 27 27 - "name": "comms_channel", 28 28 - "kind": { 29 29 - "Enum": [ 30 30 - "email", 31 31 - "discord", 32 32 - "telegram", 33 33 - "signal" 34 34 - ] 35 35 - } 36 36 - } 37 37 - } 38 38 - ] 39 39 - }, 40 40 - "nullable": [ 41 41 - false, 42 42 - true, 43 43 - false 44 44 - ] 45 45 - }, 46 46 - "hash": "f48c982a2bf52a2f2de6d70043108ac148363e2f98b301dbeeb1caac330528c5" 47 47 - }

+2 -1

.sqlx/query-fde01bb40898f8a5d45a6e8f89c635c06b4179b5858a7b388404c4b03fc92ab4.json

··· 43 43 "two_factor_code", 44 44 "channel_verification", 45 45 "passkey_recovery", 46 46 - "legacy_login_alert" 46 46 + "legacy_login_alert", 47 47 + "migration_verification" 47 48 ] 48 49 } 49 50 }

+27

frontend/deno.lock

··· 8 8 "npm:@testing-library/user-event@^14.5.2": "14.6.1_@testing-library+dom@10.4.1", 9 9 "npm:jsdom@^25.0.1": "25.0.1", 10 10 "npm:multiformats@^13.3.1": "13.4.2", 11 11 + "npm:svelte-check@*": "4.3.5_svelte@5.45.10__acorn@8.15.0_typescript@5.9.3", 11 12 "npm:svelte-i18n@^4.0.1": "4.0.1_svelte@5.45.10__acorn@8.15.0", 12 13 "npm:svelte@5": "5.45.10_acorn@8.15.0", 13 14 "npm:vite@*": "6.4.1_picomatch@4.0.3", ··· 794 795 "check-error@2.1.1": { 795 796 "integrity": "sha512-OAlb+T7V4Op9OwdkjmguYRqncdlx5JiofwOAUkmTF+jNdHwzTaTs4sRAGpzLF3oOz5xAyDGrPgeIDFQmDOTiJw==" 796 797 }, 798 798 + "chokidar@4.0.3": { 799 799 + "integrity": "sha512-Qgzu8kfBvo+cA4962jnP1KkS6Dop5NS6g7R5LFYJr4b8Ub94PPQXUksCw9PvXoeXPRRddRNC5C1JQUR2SMGtnA==", 800 800 + "dependencies": [ 801 801 + "readdirp" 802 802 + ] 803 803 + }, 797 804 "cli-color@2.0.4": { 798 805 "integrity": "sha512-zlnpg0jNcibNrO7GG9IeHH7maWFeCz+Ja1wx/7tZNU5ASSSSZ+/qZciM0/LHCYxSdqv5h2sdbQ/PXYdOuetXvA==", 799 806 "dependencies": [ ··· 1339 1346 "react-is@17.0.2": { 1340 1347 "integrity": "sha512-w2GsyukL62IJnlaff/nRegPQR94C/XXamvMWmSHRJ4y7Ts/4ocGRmTHvOs8PSE6pB3dWOrD/nueuU5sduBsQ4w==" 1341 1348 }, 1349 1349 + "readdirp@4.1.2": { 1350 1350 + "integrity": "sha512-GDhwkLfywWL2s6vEjyhri+eXmfH6j1L7JE27WhqLeYzoh/A3DBaYGEj2H/HFZCn/kMfim73FXxEJTw06WtxQwg==" 1351 1351 + }, 1342 1352 "redent@3.0.0": { 1343 1353 "integrity": "sha512-6tDA8g98We0zd0GvVeMT9arEOnTw9qM03L9cJXaCjrip1OO764RDBLBfrB4cwzNGDj5OA5ioymC9GkizgWJDUg==", 1344 1354 "dependencies": [ ··· 1416 1426 "dependencies": [ 1417 1427 "min-indent" 1418 1428 ] 1429 1429 + }, 1430 1430 + "svelte-check@4.3.5_svelte@5.45.10__acorn@8.15.0_typescript@5.9.3": { 1431 1431 + "integrity": "sha512-e4VWZETyXaKGhpkxOXP+B/d0Fp/zKViZoJmneZWe/05Y2aqSKj3YN2nLfYPJBQ87WEiY4BQCQ9hWGu9mPT1a1Q==", 1432 1432 + "dependencies": [ 1433 1433 + "@jridgewell/trace-mapping", 1434 1434 + "chokidar", 1435 1435 + "fdir", 1436 1436 + "picocolors", 1437 1437 + "sade", 1438 1438 + "svelte", 1439 1439 + "typescript" 1440 1440 + ], 1441 1441 + "bin": true 1419 1442 }, 1420 1443 "svelte-i18n@4.0.1_svelte@5.45.10__acorn@8.15.0": { 1421 1444 "integrity": "sha512-jaykGlGT5PUaaq04JWbJREvivlCnALtT+m87Kbm0fxyYHynkQaxQMnIKHLm2WeIuBRoljzwgyvz0Z6/CMwfdmQ==", ··· 1517 1540 }, 1518 1541 "type@2.7.3": { 1519 1542 "integrity": "sha512-8j+1QmAbPvLZow5Qpi6NCaN8FB60p/6x8/vfNqOk/hC+HuvFZhL4+WfekuhQLiqFZXOgQdrs3B+XxEmCc6b3FQ==" 1543 1543 + }, 1544 1544 + "typescript@5.9.3": { 1545 1545 + "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==", 1546 1546 + "bin": true 1520 1547 }, 1521 1548 "vite-node@2.1.9": { 1522 1549 "integrity": "sha512-AM9aQ/IPrW/6ENLQg3AGY4K1N2TGZdR5e4gu/MmmR2xR3Ll1+dib+nook92g4TV3PXVyeyxdWwtaCAiUL0hMxA==",

+2 -1

frontend/src/components/ui/Input.svelte

··· 15 15 ...rest 16 16 }: Props = $props() 17 17 18 18 - let inputId = id || `input-${Math.random().toString(36).slice(2, 9)}` 18 18 + const fallbackId = `input-${Math.random().toString(36).slice(2, 9)}` 19 19 + let inputId = $derived(id || fallbackId) 19 20 </script> 20 21 21 22 <div class="field">

-4

frontend/src/components/ui/Section.svelte

··· 33 33 padding: var(--space-6); 34 34 } 35 35 36 36 - .section + .section { 37 37 - margin-top: var(--space-6); 38 38 - } 39 39 - 40 36 .section-danger { 41 37 background: var(--error-bg); 42 38 border: 1px solid var(--error-border);

+29 -2

frontend/src/lib/api.ts

··· 319 319 }) 320 320 }, 321 321 322 322 - async confirmChannelVerification(token: string, channel: string, code: string): Promise<{ success: boolean }> { 322 322 + async confirmChannelVerification(token: string, channel: string, identifier: string, code: string): Promise<{ success: boolean }> { 323 323 return xrpc('com.tranquil.account.confirmChannelVerification', { 324 324 method: 'POST', 325 325 token, 326 326 - body: { channel, code }, 326 326 + body: { channel, identifier, code }, 327 327 }) 328 328 }, 329 329 ··· 852 852 return xrpc('com.tranquil.account.recoverPasskeyAccount', { 853 853 method: 'POST', 854 854 body: { did, recoveryToken, newPassword }, 855 855 + }) 856 856 + }, 857 857 + 858 858 + async verifyMigrationEmail(token: string, email: string): Promise<{ success: boolean; did: string }> { 859 859 + return xrpc('com.atproto.server.verifyMigrationEmail', { 860 860 + method: 'POST', 861 861 + body: { token, email }, 862 862 + }) 863 863 + }, 864 864 + 865 865 + async resendMigrationVerification(email: string): Promise<{ sent: boolean }> { 866 866 + return xrpc('com.atproto.server.resendMigrationVerification', { 867 867 + method: 'POST', 868 868 + body: { email }, 869 869 + }) 870 870 + }, 871 871 + 872 872 + async verifyToken(token: string, identifier: string, accessToken?: string): Promise<{ 873 873 + success: boolean 874 874 + did: string 875 875 + purpose: string 876 876 + channel: string 877 877 + }> { 878 878 + return xrpc('com.tranquil.account.verifyToken', { 879 879 + method: 'POST', 880 880 + body: { token, identifier }, 881 881 + token: accessToken, 855 882 }) 856 883 }, 857 884 }

+16 -3

frontend/src/lib/registration/VerificationStep.svelte

··· 70 70 id="verification-code" 71 71 type="text" 72 72 bind:value={verificationCode} 73 73 - placeholder="Enter 6-digit code" 73 73 + placeholder="XXXX-XXXX-XXXX-XXXX" 74 74 disabled={flow.state.submitting} 75 75 required 76 76 - maxlength="6" 77 77 - inputmode="numeric" 78 76 autocomplete="one-time-code" 77 77 + class="code-input" 79 78 /> 79 79 + <span class="hint">Copy the entire code from your message, including dashes.</span> 80 80 </div> 81 81 82 82 <button type="submit" disabled={flow.state.submitting || !verificationCode.trim()}> ··· 99 99 .info-text { 100 100 color: var(--text-secondary); 101 101 margin: 0; 102 102 + } 103 103 + 104 104 + .code-input { 105 105 + font-family: var(--font-mono, monospace); 106 106 + font-size: var(--text-base); 107 107 + letter-spacing: 0.05em; 108 108 + } 109 109 + 110 110 + .hint { 111 111 + display: block; 112 112 + color: var(--text-secondary); 113 113 + font-size: var(--text-sm); 114 114 + margin-top: var(--space-1); 102 115 } 103 116 </style>

+130 -8

frontend/src/locales/en.json

··· 164 164 "changeEmailButton": "Change Email", 165 165 "requesting": "Requesting...", 166 166 "verificationCode": "Verification Code", 167 167 - "verificationCodePlaceholder": "Enter code from email", 167 167 + "verificationCodePlaceholder": "Enter verification code", 168 168 "confirmEmailChange": "Confirm Email Change", 169 169 "updating": "Updating...", 170 170 "changeHandle": "Change Handle", ··· 202 202 "deleteAccount": "Delete Account", 203 203 "deleteWarning": "This action is irreversible. All your data will be permanently deleted.", 204 204 "requestDeletion": "Request Account Deletion", 205 205 - "confirmationCode": "Confirmation Code (from email)", 205 205 + "confirmationCode": "Confirmation Code", 206 206 "confirmationCodePlaceholder": "Enter confirmation code", 207 207 "yourPassword": "Your Password", 208 208 "yourPasswordPlaceholder": "Enter your password", 209 209 "permanentlyDelete": "Permanently Delete Account", 210 210 "deleting": "Deleting...", 211 211 "messages": { 212 212 - "emailCodeSent": "Verification code sent to your current email", 212 212 + "emailCodeSent": "Verification code sent to your notification channel", 213 213 "emailUpdated": "Email updated successfully", 214 214 "handleUpdated": "Handle updated successfully", 215 215 "passwordChanged": "Password changed successfully", ··· 451 451 }, 452 452 "admin": { 453 453 "title": "Admin Panel", 454 454 + "loading": "Loading...", 455 455 + "serverConfig": "Server Configuration", 456 456 + "serverName": "Server Name", 457 457 + "serverNamePlaceholder": "My PDS", 458 458 + "serverNameHelp": "Displayed in the browser tab and other places", 459 459 + "serverLogo": "Server Logo", 460 460 + "logoPreview": "Logo preview", 461 461 + "removeLogo": "Remove", 462 462 + "logoHelp": "Used as favicon and shown in the navbar", 463 463 + "themeColors": "Theme Colors", 464 464 + "themeColorsHint": "Leave blank to use default colors.", 465 465 + "primaryLight": "Primary (Light Mode)", 466 466 + "primaryLightDefault": "#2c00ff (default)", 467 467 + "primaryDark": "Primary (Dark Mode)", 468 468 + "primaryDarkDefault": "#7b6bff (default)", 469 469 + "secondaryLight": "Secondary (Light Mode)", 470 470 + "secondaryLightDefault": "#ff2400 (default)", 471 471 + "secondaryDark": "Secondary (Dark Mode)", 472 472 + "secondaryDarkDefault": "#ff6b5b (default)", 473 473 + "configSaved": "Server configuration saved", 474 474 + "saving": "Saving...", 475 475 + "saveConfig": "Save Configuration", 454 476 "serverStats": "Server Statistics", 455 477 "users": "Users", 456 478 "repos": "Repositories", ··· 580 602 "verify": { 581 603 "title": "Verify Your Account", 582 604 "subtitle": "We've sent a verification code to your {channel}. Enter it below to complete registration.", 583 583 - "codePlaceholder": "Enter 6-digit code", 605 605 + "tokenSubtitle": "Enter the verification code and the identifier it was sent to.", 606 606 + "tokenTitle": "Verify", 607 607 + "codePlaceholder": "XXXX-XXXX-XXXX-XXXX...", 584 608 "codeLabel": "Verification Code", 609 609 + "codeHelp": "Copy the entire code from your message, including dashes", 585 610 "verifyButton": "Verify Account", 611 611 + "verify": "Verify", 586 612 "verifying": "Verifying...", 613 613 + "pleaseWait": "Please wait...", 587 614 "resendCode": "Resend Code", 588 615 "resending": "Resending...", 616 616 + "sending": "Sending...", 589 617 "codeResent": "Verification code resent!", 618 618 + "codeResentDetail": "Verification code sent! Check your inbox.", 590 619 "backToLogin": "Back to Login", 591 620 "verifyingAccount": "Verifying account: @{handle}", 592 621 "startOver": "Start over with a different account", 593 622 "noPending": "No pending verification found.", 594 623 "noPendingInfo": "If you recently created an account and need to verify it, you may need to create a new account. If you already verified your account, you can sign in.", 595 624 "createAccount": "Create Account", 596 596 - "signIn": "Sign In" 625 625 + "signIn": "Sign In", 626 626 + "verified": "Verified!", 627 627 + "channelVerified": "Your {channel} has been verified successfully.", 628 628 + "canNowSignIn": "You can now sign in to your account.", 629 629 + "continue": "Continue", 630 630 + "identifierLabel": "Email or Identifier", 631 631 + "identifierPlaceholder": "you@example.com", 632 632 + "identifierHelp": "The email address or identifier the code was sent to" 597 633 }, 598 634 "resetPassword": { 599 635 "title": "Reset Password", ··· 605 641 "sendCode": "Send Reset Code", 606 642 "sending": "Sending...", 607 643 "codeSent": "Password reset code sent! Check your preferred notification channel.", 608 608 - "enterCode": "Enter the code from your email and your new password.", 644 644 + "enterCode": "Enter the code you received and your new password.", 609 645 "code": "Reset Code", 610 646 "codePlaceholder": "Enter reset code", 611 647 "newPassword": "New Password", ··· 664 700 }, 665 701 "registerPasskey": { 666 702 "title": "Create Passkey Account", 667 667 - "subtitle": "Create a passwordless account using a passkey.", 703 703 + "subtitle": "Create an ultra-secure account using a passkey instead of a password.", 704 704 + "subtitleKeyChoice": "Choose how to set up your external did:web identity.", 705 705 + "subtitleInitialDidDoc": "Upload your DID document to continue.", 706 706 + "subtitleCreating": "Creating your account...", 707 707 + "subtitlePasskey": "Register your passkey to secure your account.", 708 708 + "subtitleAppPassword": "Save your app password for third-party apps.", 709 709 + "subtitleVerify": "Verify your {channel} to continue.", 710 710 + "subtitleUpdatedDidDoc": "Update your DID document with the PDS signing key.", 711 711 + "subtitleActivating": "Activating your account...", 712 712 + "subtitleComplete": "Your account has been created successfully!", 668 713 "handle": "Handle", 669 714 "handlePlaceholder": "yourname", 670 715 "handleHint": "Your full handle will be: @{handle}", 716 716 + "handleDotWarning": "Custom domain handles can be set up after account creation.", 671 717 "email": "Email Address", 672 718 "emailPlaceholder": "you@example.com", 673 719 "inviteCode": "Invite Code", 674 720 "inviteCodePlaceholder": "Enter your invite code", 675 721 "createButton": "Create Account", 676 722 "creating": "Creating...", 723 723 + "continue": "Continue", 724 724 + "back": "Back", 677 725 "alreadyHaveAccount": "Already have an account?", 678 726 "signIn": "Sign in", 679 727 "wantPassword": "Want to use a password?", 680 680 - "createPasswordAccount": "Create a password account" 728 728 + "createPasswordAccount": "Create a password account", 729 729 + "wantTraditional": "Want a traditional password?", 730 730 + "registerWithPassword": "Register with password", 731 731 + "contactMethod": "Contact Method", 732 732 + "contactMethodHint": "Choose how you'd like to verify your account and receive notifications.", 733 733 + "verificationMethod": "Verification Method", 734 734 + "identityType": "Identity Type", 735 735 + "identityTypeHint": "Choose how your decentralized identity will be managed.", 736 736 + "didPlcRecommended": "did:plc (Recommended)", 737 737 + "didPlcHint": "Portable identity managed by PLC Directory", 738 738 + "didWeb": "did:web", 739 739 + "didWebHint": "Identity hosted on this PDS (read warning below)", 740 740 + "didWebBYOD": "did:web (BYOD)", 741 741 + "didWebBYODHint": "Bring your own domain", 742 742 + "didWebWarningTitle": "Important: Understand the trade-offs", 743 743 + "didWebWarning1": "Permanent tie to this PDS:", 744 744 + "didWebWarning2": "No recovery mechanism:", 745 745 + "didWebWarning2Detail": "Unlike did:plc, did:web has no rotation keys.", 746 746 + "didWebWarning3": "We commit to you:", 747 747 + "didWebWarning3Detail": "If you migrate away, we will continue serving a minimal DID document.", 748 748 + "didWebWarning4": "Recommendation:", 749 749 + "didWebWarning4Detail": "Choose did:plc unless you have a specific reason to prefer did:web.", 750 750 + "externalDid": "Your did:web", 751 751 + "externalDidPlaceholder": "did:web:yourdomain.com", 752 752 + "externalDidHint": "You'll need to serve a DID document at", 753 753 + "whyPasskeyOnly": "Why passkey-only?", 754 754 + "whyPasskeyOnlyDesc": "Passkey accounts are more secure than password-based accounts because they:", 755 755 + "whyPasskeyBullet1": "Cannot be phished or stolen in data breaches", 756 756 + "whyPasskeyBullet2": "Use hardware-backed cryptographic keys", 757 757 + "whyPasskeyBullet3": "Require your biometric or device PIN to use", 758 758 + "passkeyNameLabel": "Passkey Name (optional)", 759 759 + "passkeyNamePlaceholder": "e.g., MacBook Touch ID", 760 760 + "passkeyNameHint": "A friendly name to identify this passkey", 761 761 + "passkeyPrompt": "Click the button below to create your passkey. You'll be prompted to use:", 762 762 + "passkeyPromptBullet1": "Touch ID or Face ID", 763 763 + "passkeyPromptBullet2": "Your device PIN or password", 764 764 + "passkeyPromptBullet3": "A security key (if you have one)", 765 765 + "createPasskey": "Create Passkey", 766 766 + "creatingPasskey": "Creating Passkey...", 767 767 + "redirecting": "Redirecting to dashboard...", 768 768 + "loading": "Loading...", 769 769 + "errors": { 770 770 + "handleRequired": "Handle is required", 771 771 + "handleNoDots": "Handle cannot contain dots. You can set up a custom domain handle after creating your account.", 772 772 + "inviteRequired": "Invite code is required", 773 773 + "externalDidRequired": "External did:web is required", 774 774 + "externalDidFormat": "External DID must start with did:web:", 775 775 + "emailRequired": "Email is required for email verification", 776 776 + "discordRequired": "Discord ID is required for Discord verification", 777 777 + "telegramRequired": "Telegram username is required for Telegram verification", 778 778 + "signalRequired": "Phone number is required for Signal verification", 779 779 + "passkeysNotSupported": "Passkeys are not supported in this browser. Please use a different browser or register with a password instead.", 780 780 + "passkeyCancelled": "Passkey creation was cancelled", 781 781 + "passkeyFailed": "Passkey registration failed" 782 782 + } 681 783 }, 682 784 "trustedDevices": { 683 785 "title": "Trusted Devices", ··· 710 812 "verify": "Verify", 711 813 "verifying": "Verifying...", 712 814 "cancel": "Cancel" 815 815 + }, 816 816 + "verifyChannel": { 817 817 + "title": "Verify Channel", 818 818 + "subtitle": "Enter the verification code sent to your notification channel.", 819 819 + "signInRequired": "Sign In Required", 820 820 + "signInRequiredDesc": "You must be signed in to verify a channel.", 821 821 + "signIn": "Sign In", 822 822 + "verifying": "Verifying...", 823 823 + "pleaseWait": "Please wait while we verify your channel.", 824 824 + "successTitle": "Verified!", 825 825 + "successDesc": "Your {channel} has been verified successfully.", 826 826 + "backToSettings": "Back to Settings", 827 827 + "channelLabel": "Channel", 828 828 + "selectChannel": "Select channel...", 829 829 + "identifierLabel": "Identifier", 830 830 + "identifierPlaceholder": "Email, Discord ID, etc.", 831 831 + "identifierHelp": "The email address, Discord ID, Telegram username, or Signal number being verified.", 832 832 + "codeLabel": "Verification Code", 833 833 + "codeHelp": "Copy the entire code from your message, including dashes.", 834 834 + "verifyButton": "Verify" 713 835 } 714 836 }

+91 -7

frontend/src/locales/fi.json

··· 164 164 "changeEmailButton": "Vaihda sähköposti", 165 165 "requesting": "Pyydetään...", 166 166 "verificationCode": "Vahvistuskoodi", 167 167 - "verificationCodePlaceholder": "Syötä koodi sähköpostista", 167 167 + "verificationCodePlaceholder": "Syötä vahvistuskoodi", 168 168 "confirmEmailChange": "Vahvista sähköpostin vaihto", 169 169 "updating": "Päivitetään...", 170 170 "changeHandle": "Vaihda käyttäjänimi", ··· 202 202 "deleteAccount": "Poista tili", 203 203 "deleteWarning": "Tämä toiminto on peruuttamaton. Kaikki tietosi poistetaan pysyvästi.", 204 204 "requestDeletion": "Pyydä tilin poistoa", 205 205 - "confirmationCode": "Vahvistuskoodi (sähköpostista)", 205 205 + "confirmationCode": "Vahvistuskoodi", 206 206 "confirmationCodePlaceholder": "Syötä vahvistuskoodi", 207 207 "yourPassword": "Salasanasi", 208 208 "yourPasswordPlaceholder": "Syötä salasanasi", 209 209 "permanentlyDelete": "Poista tili pysyvästi", 210 210 "deleting": "Poistetaan...", 211 211 "messages": { 212 212 - "emailCodeSent": "Vahvistuskoodi lähetetty nykyiseen sähköpostiisi", 212 212 + "emailCodeSent": "Vahvistuskoodi lähetetty ilmoituskanavallesi", 213 213 "emailUpdated": "Sähköposti päivitetty", 214 214 "handleUpdated": "Käyttäjänimi päivitetty", 215 215 "passwordChanged": "Salasana vaihdettu", ··· 451 451 }, 452 452 "admin": { 453 453 "title": "Ylläpitopaneeli", 454 454 + "loading": "Ladataan...", 455 455 + "serverConfig": "Palvelinasetukset", 456 456 + "serverName": "Palvelimen nimi", 457 457 + "serverNamePlaceholder": "Oma PDS", 458 458 + "serverNameHelp": "Näytetään selaimen välilehdessä ja muualla", 459 459 + "serverLogo": "Palvelimen logo", 460 460 + "logoPreview": "Logon esikatselu", 461 461 + "removeLogo": "Poista", 462 462 + "logoHelp": "Käytetään faviconina ja näytetään navigointipalkissa", 463 463 + "themeColors": "Teemavärit", 464 464 + "themeColorsHint": "Jätä tyhjäksi käyttääksesi oletusvärejä.", 465 465 + "primaryLight": "Ensisijainen (vaalea tila)", 466 466 + "primaryDark": "Ensisijainen (tumma tila)", 467 467 + "accentLight": "Korostus (vaalea tila)", 468 468 + "accentDark": "Korostus (tumma tila)", 469 469 + "faviconExample": "Favicon-esimerkki", 470 470 + "configSaved": "Palvelinasetukset tallennettu", 471 471 + "saving": "Tallennetaan...", 472 472 + "saveConfig": "Tallenna asetukset", 454 473 "serverStats": "Palvelintilastot", 455 474 "users": "Käyttäjät", 456 475 "repos": "Tietovarastot", ··· 580 599 "verify": { 581 600 "title": "Vahvista tilisi", 582 601 "subtitle": "Olemme lähettäneet vahvistuskoodin {channel}. Syötä se alla viimeistelläksesi rekisteröinnin.", 583 583 - "codePlaceholder": "Syötä 6-numeroinen koodi", 602 602 + "tokenTitle": "Vahvista", 603 603 + "tokenSubtitle": "Syötä vahvistuskoodi ja tunniste, johon se lähetettiin.", 604 604 + "codePlaceholder": "XXXX-XXXX-XXXX-XXXX...", 584 605 "codeLabel": "Vahvistuskoodi", 606 606 + "codeHelp": "Kopioi koko koodi viestistäsi, mukaan lukien väliviivat", 585 607 "verifyButton": "Vahvista tili", 608 608 + "verify": "Vahvista", 586 609 "verifying": "Vahvistetaan...", 610 610 + "pleaseWait": "Odota...", 611 611 + "sending": "Lähetetään...", 587 612 "resendCode": "Lähetä koodi uudelleen", 588 613 "resending": "Lähetetään uudelleen...", 589 614 "codeResent": "Vahvistuskoodi lähetetty uudelleen!", 615 615 + "codeResentDetail": "Vahvistuskoodi lähetetty! Tarkista saapuneet-kansiosi.", 616 616 + "verified": "Vahvistettu!", 617 617 + "channelVerified": "{channel} on vahvistettu onnistuneesti.", 618 618 + "canNowSignIn": "Voit nyt kirjautua tilillesi.", 619 619 + "continue": "Jatka", 620 620 + "identifierLabel": "Sähköposti tai tunniste", 621 621 + "identifierPlaceholder": "sinä@esimerkki.fi", 622 622 + "identifierHelp": "Sähköpostiosoite tai tunniste, johon koodi lähetettiin", 590 623 "backToLogin": "Takaisin kirjautumiseen", 591 624 "verifyingAccount": "Vahvistetaan tiliä: @{handle}", 592 625 "startOver": "Aloita alusta toisella tilillä", ··· 605 638 "sendCode": "Lähetä palautuskoodi", 606 639 "sending": "Lähetetään...", 607 640 "codeSent": "Palautuskoodi lähetetty! Tarkista ensisijainen ilmoituskanavasi.", 608 608 - "enterCode": "Syötä koodi sähköpostistasi ja uusi salasanasi.", 641 641 + "enterCode": "Syötä saamasi koodi ja uusi salasanasi.", 609 642 "code": "Palautuskoodi", 610 643 "codePlaceholder": "Syötä palautuskoodi", 611 644 "newPassword": "Uusi salasana", ··· 664 697 }, 665 698 "registerPasskey": { 666 699 "title": "Luo pääsyavaintili", 667 667 - "subtitle": "Luo salasanaton tili pääsyavaimella.", 700 700 + "subtitle": "Luo erittäin turvallinen tili käyttämällä pääsyavainta salasanan sijaan.", 701 701 + "subtitleKeyChoice": "Valitse, miten haluat määrittää ulkoisen did:web-identiteettisi.", 702 702 + "subtitleVerify": "Olemme lähettäneet vahvistuskoodin {channel}. Syötä koodi jatkaaksesi.", 703 703 + "subtitlePasskey": "Luo pääsyavain viimeistelläksesi tilin määrityksen.", 668 704 "handle": "Käyttäjänimi", 669 705 "handlePlaceholder": "nimesi", 670 706 "handleHint": "Täydellinen käyttäjänimesi on: @{handle}", 707 707 + "contactMethod": "Yhteysmenetelmä", 708 708 + "contactMethodHint": "Valitse, miten haluat vahvistaa tilisi ja vastaanottaa ilmoituksia.", 709 709 + "verificationMethod": "Vahvistusmenetelmä", 671 710 "email": "Sähköpostiosoite", 672 711 "emailPlaceholder": "sinä@esimerkki.fi", 712 712 + "discord": "Discord", 713 713 + "discordId": "Discord-käyttäjätunnus", 714 714 + "discordIdPlaceholder": "Discord-käyttäjätunnuksesi", 715 715 + "discordIdHint": "Numeerinen Discord-käyttäjätunnuksesi (ota Kehittäjätila käyttöön löytääksesi sen)", 716 716 + "telegram": "Telegram", 717 717 + "telegramUsername": "Telegram-käyttäjänimi", 718 718 + "telegramUsernamePlaceholder": "@käyttäjänimesi", 719 719 + "signal": "Signal", 720 720 + "signalNumber": "Signal-puhelinnumero", 721 721 + "signalNumberPlaceholder": "+358401234567", 722 722 + "signalNumberHint": "Sisällytä maakoodi (esim. +358 Suomelle)", 673 723 "inviteCode": "Kutsukoodi", 674 724 "inviteCodePlaceholder": "Syötä kutsukoodisi", 725 725 + "inviteCodeRequired": "vaaditaan", 726 726 + "didWebDescription": "Käytä DID-identiteettiä, jota isännöidään omalla verkkotunnuksellasi.", 727 727 + "didWebToggle": "Käytä ulkoista did:web", 728 728 + "externalDid": "Sinun did:web", 729 729 + "externalDidPlaceholder": "did:web:verkkotunnuksesi.fi", 730 730 + "dnsVerificationInstructions": "Vahvistaaksesi verkkotunnuksesi, lisää tämä TXT-tietue:", 731 731 + "copyDid": "Kopioi DID", 675 732 "createButton": "Luo tili", 676 733 "creating": "Luodaan...", 677 734 "alreadyHaveAccount": "Onko sinulla jo tili?", 678 735 "signIn": "Kirjaudu sisään", 679 736 "wantPassword": "Haluatko käyttää salasanaa?", 680 680 - "createPasswordAccount": "Luo salasanatili" 737 737 + "createPasswordAccount": "Luo salasanatili", 738 738 + "errors": { 739 739 + "handleRequired": "Käyttäjänimi vaaditaan", 740 740 + "handleNoDots": "Käyttäjänimi ei voi sisältää pisteitä. Voit määrittää oman verkkotunnuksen tilin luomisen jälkeen.", 741 741 + "passkeysNotSupported": "Pääsyavaimia ei tueta tässä selaimessa. Luo salasanapohjainen tili tai käytä selainta, joka tukee pääsyavaimia.", 742 742 + "passkeyCancelled": "Pääsyavaimen luominen peruutettu", 743 743 + "passkeyFailed": "Pääsyavaimen rekisteröinti epäonnistui" 744 744 + } 681 745 }, 682 746 "trustedDevices": { 683 747 "title": "Luotetut laitteet", ··· 710 774 "verify": "Vahvista", 711 775 "verifying": "Vahvistetaan...", 712 776 "cancel": "Peruuta" 777 777 + }, 778 778 + "verifyChannel": { 779 779 + "title": "Vahvista kanava", 780 780 + "subtitle": "Syötä ilmoituskanavallesi lähetetty vahvistuskoodi.", 781 781 + "signInRequired": "Kirjautuminen vaaditaan", 782 782 + "signInRequiredDesc": "Sinun on kirjauduttava sisään vahvistaaksesi kanavan.", 783 783 + "signIn": "Kirjaudu sisään", 784 784 + "verifying": "Vahvistetaan...", 785 785 + "pleaseWait": "Odota, vahvistamme kanavaasi.", 786 786 + "successTitle": "Vahvistettu!", 787 787 + "successDesc": "{channel} on vahvistettu onnistuneesti.", 788 788 + "backToSettings": "Takaisin asetuksiin", 789 789 + "channelLabel": "Kanava", 790 790 + "selectChannel": "Valitse kanava...", 791 791 + "identifierLabel": "Tunniste", 792 792 + "identifierPlaceholder": "Sähköposti, Discord ID jne.", 793 793 + "identifierHelp": "Vahvistettava sähköpostiosoite, Discord ID, Telegram-käyttäjänimi tai Signal-numero.", 794 794 + "codeLabel": "Vahvistuskoodi", 795 795 + "codeHelp": "Kopioi koko koodi viestistäsi, mukaan lukien väliviivat.", 796 796 + "verifyButton": "Vahvista" 713 797 } 714 798 }

+92 -8

frontend/src/locales/ja.json

··· 65 65 "didPlcHint": "PLC ディレクトリで管理されるポータブルアイデンティティ", 66 66 "didWeb": "did:web", 67 67 "didWebHint": "この PDS でホストされるアイデンティティ（下記の警告をお読みください）", 68 68 - "didWebBYOD": "did:web (BYOD)", 68 68 + "didWebBYOD": "did:web (自前ドメイン)", 69 69 "didWebBYODHint": "独自ドメインを持ち込む", 70 70 "didWebWarningTitle": "重要: トレードオフをご理解ください", 71 71 "didWebWarning1": "この PDS への永続的な紐付け:", ··· 164 164 "changeEmailButton": "メールを変更", 165 165 "requesting": "リクエスト中...", 166 166 "verificationCode": "確認コード", 167 167 - "verificationCodePlaceholder": "メールから受け取ったコードを入力", 167 167 + "verificationCodePlaceholder": "認証コードを入力", 168 168 "confirmEmailChange": "メール変更を確認", 169 169 "updating": "更新中...", 170 170 "changeHandle": "ハンドル変更", ··· 202 202 "deleteAccount": "アカウント削除", 203 203 "deleteWarning": "この操作は取り消せません。すべてのデータが完全に削除されます。", 204 204 "requestDeletion": "アカウント削除をリクエスト", 205 205 - "confirmationCode": "確認コード（メールから）", 205 205 + "confirmationCode": "確認コード", 206 206 "confirmationCodePlaceholder": "確認コードを入力", 207 207 "yourPassword": "パスワード", 208 208 "yourPasswordPlaceholder": "パスワードを入力", 209 209 "permanentlyDelete": "アカウントを完全に削除", 210 210 "deleting": "削除中...", 211 211 "messages": { 212 212 - "emailCodeSent": "現在のメールに確認コードを送信しました", 212 212 + "emailCodeSent": "通知チャンネルに確認コードを送信しました", 213 213 "emailUpdated": "メールを更新しました", 214 214 "handleUpdated": "ハンドルを更新しました", 215 215 "passwordChanged": "パスワードを変更しました", ··· 451 451 }, 452 452 "admin": { 453 453 "title": "管理パネル", 454 454 + "loading": "読み込み中...", 455 455 + "serverConfig": "サーバー設定", 456 456 + "serverName": "サーバー名", 457 457 + "serverNamePlaceholder": "マイ PDS", 458 458 + "serverNameHelp": "ブラウザのタブやその他の場所に表示されます", 459 459 + "serverLogo": "サーバーロゴ", 460 460 + "logoPreview": "ロゴプレビュー", 461 461 + "removeLogo": "削除", 462 462 + "logoHelp": "ファビコンとして使用され、ナビバーに表示されます", 463 463 + "themeColors": "テーマカラー", 464 464 + "themeColorsHint": "デフォルトカラーを使用する場合は空白のままにしてください。", 465 465 + "primaryLight": "プライマリ（ライトモード）", 466 466 + "primaryDark": "プライマリ（ダークモード）", 467 467 + "accentLight": "アクセント（ライトモード）", 468 468 + "accentDark": "アクセント（ダークモード）", 469 469 + "faviconExample": "ファビコン例", 470 470 + "configSaved": "サーバー設定を保存しました", 471 471 + "saving": "保存中...", 472 472 + "saveConfig": "設定を保存", 454 473 "serverStats": "サーバー統計", 455 474 "users": "ユーザー", 456 475 "repos": "リポジトリ", ··· 580 599 "verify": { 581 600 "title": "アカウント確認", 582 601 "subtitle": "{channel} に確認コードを送信しました。以下に入力して登録を完了してください。", 583 583 - "codePlaceholder": "6桁のコードを入力", 602 602 + "tokenTitle": "確認", 603 603 + "tokenSubtitle": "確認コードと送信先の識別子を入力してください。", 604 604 + "codePlaceholder": "XXXX-XXXX-XXXX-XXXX...", 584 605 "codeLabel": "確認コード", 606 606 + "codeHelp": "ダッシュを含む完全なコードをメッセージからコピーしてください", 585 607 "verifyButton": "アカウントを確認", 608 608 + "verify": "確認", 586 609 "verifying": "確認中...", 610 610 + "pleaseWait": "お待ちください...", 611 611 + "sending": "送信中...", 587 612 "resendCode": "コードを再送信", 588 613 "resending": "送信中...", 589 614 "codeResent": "確認コードを再送信しました！", 615 615 + "codeResentDetail": "確認コードを送信しました！受信トレイを確認してください。", 616 616 + "verified": "確認完了！", 617 617 + "channelVerified": "{channel} が正常に確認されました。", 618 618 + "canNowSignIn": "アカウントにサインインできるようになりました。", 619 619 + "continue": "続行", 620 620 + "identifierLabel": "メールまたは識別子", 621 621 + "identifierPlaceholder": "you@example.com", 622 622 + "identifierHelp": "コードが送信されたメールアドレスまたは識別子", 590 623 "backToLogin": "ログインに戻る", 591 624 "verifyingAccount": "確認中のアカウント: @{handle}", 592 625 "startOver": "別のアカウントでやり直す", ··· 605 638 "sendCode": "リセットコードを送信", 606 639 "sending": "送信中...", 607 640 "codeSent": "パスワードリセットコードを送信しました！優先通知チャンネルを確認してください。", 608 608 - "enterCode": "メールからのコードと新しいパスワードを入力してください。", 641 641 + "enterCode": "受け取ったコードと新しいパスワードを入力してください。", 609 642 "code": "リセットコード", 610 643 "codePlaceholder": "リセットコードを入力", 611 644 "newPassword": "新しいパスワード", ··· 664 697 }, 665 698 "registerPasskey": { 666 699 "title": "パスキーアカウントを作成", 667 667 - "subtitle": "パスキーを使用してパスワードレスアカウントを作成します。", 700 700 + "subtitle": "パスワードの代わりにパスキーを使用して超安全なアカウントを作成します。", 701 701 + "subtitleKeyChoice": "外部 did:web アイデンティティの設定方法を選択してください。", 702 702 + "subtitleVerify": "{channel} に確認コードを送信しました。コードを入力して続行してください。", 703 703 + "subtitlePasskey": "パスキーを作成してアカウント設定を完了します。", 668 704 "handle": "ハンドル", 669 705 "handlePlaceholder": "あなたの名前", 670 706 "handleHint": "完全なハンドル: @{handle}", 707 707 + "contactMethod": "連絡方法", 708 708 + "contactMethodHint": "アカウントの確認と通知の受信方法を選択してください。", 709 709 + "verificationMethod": "確認方法", 671 710 "email": "メールアドレス", 672 711 "emailPlaceholder": "you@example.com", 712 712 + "discord": "Discord", 713 713 + "discordId": "Discord ユーザー ID", 714 714 + "discordIdPlaceholder": "Discord ユーザー ID", 715 715 + "discordIdHint": "数値の Discord ユーザー ID（開発者モードを有効にして確認）", 716 716 + "telegram": "Telegram", 717 717 + "telegramUsername": "Telegram ユーザー名", 718 718 + "telegramUsernamePlaceholder": "@yourusername", 719 719 + "signal": "Signal", 720 720 + "signalNumber": "Signal 電話番号", 721 721 + "signalNumberPlaceholder": "+81XXXXXXXXXX", 722 722 + "signalNumberHint": "国番号を含めてください（例: 日本は +81）", 673 723 "inviteCode": "招待コード", 674 724 "inviteCodePlaceholder": "招待コードを入力", 725 725 + "inviteCodeRequired": "必須", 726 726 + "didWebDescription": "独自ドメインでホストされる DID アイデンティティを使用します。", 727 727 + "didWebToggle": "外部 did:web を使用", 728 728 + "externalDid": "あなたの did:web", 729 729 + "externalDidPlaceholder": "did:web:yourdomain.com", 730 730 + "dnsVerificationInstructions": "ドメインを確認するには、この TXT レコードを追加してください:", 731 731 + "copyDid": "DID をコピー", 675 732 "createButton": "アカウントを作成", 676 733 "creating": "作成中...", 677 734 "alreadyHaveAccount": "すでにアカウントをお持ちですか？", 678 735 "signIn": "サインイン", 679 736 "wantPassword": "パスワードを使用しますか？", 680 680 - "createPasswordAccount": "パスワードアカウントを作成" 737 737 + "createPasswordAccount": "パスワードアカウントを作成", 738 738 + "errors": { 739 739 + "handleRequired": "ハンドルは必須です", 740 740 + "handleNoDots": "ハンドルにドットは使用できません。アカウント作成後にカスタムドメインを設定できます。", 741 741 + "passkeysNotSupported": "このブラウザではパスキーがサポートされていません。パスワードベースのアカウントを作成するか、パスキーをサポートするブラウザを使用してください。", 742 742 + "passkeyCancelled": "パスキーの作成がキャンセルされました", 743 743 + "passkeyFailed": "パスキーの登録に失敗しました" 744 744 + } 681 745 }, 682 746 "trustedDevices": { 683 747 "title": "信頼済みデバイス", ··· 710 774 "verify": "確認", 711 775 "verifying": "確認中...", 712 776 "cancel": "キャンセル" 777 777 + }, 778 778 + "verifyChannel": { 779 779 + "title": "チャンネル認証", 780 780 + "subtitle": "通知チャンネルに送信された認証コードを入力してください。", 781 781 + "signInRequired": "ログインが必要です", 782 782 + "signInRequiredDesc": "チャンネルを認証するにはログインが必要です。", 783 783 + "signIn": "ログイン", 784 784 + "verifying": "認証中...", 785 785 + "pleaseWait": "チャンネルを認証しています。しばらくお待ちください。", 786 786 + "successTitle": "認証完了！", 787 787 + "successDesc": "{channel} が正常に認証されました。", 788 788 + "backToSettings": "設定に戻る", 789 789 + "channelLabel": "チャンネル", 790 790 + "selectChannel": "チャンネルを選択...", 791 791 + "identifierLabel": "識別子", 792 792 + "identifierPlaceholder": "メール、Discord ID など", 793 793 + "identifierHelp": "認証するメールアドレス、Discord ID、Telegram ユーザー名、または Signal 番号。", 794 794 + "codeLabel": "認証コード", 795 795 + "codeHelp": "メッセージからハイフンを含む完全なコードをコピーしてください。", 796 796 + "verifyButton": "認証" 713 797 } 714 798 }

+92 -8

frontend/src/locales/ko.json

··· 65 65 "didPlcHint": "PLC 디렉토리에서 관리하는 이동 가능한 ID", 66 66 "didWeb": "did:web", 67 67 "didWebHint": "이 PDS에서 호스팅되는 ID (아래 경고 참조)", 68 68 - "didWebBYOD": "did:web (BYOD)", 68 68 + "didWebBYOD": "did:web (자체 도메인)", 69 69 "didWebBYODHint": "자체 도메인 사용", 70 70 "didWebWarningTitle": "중요: 장단점을 이해하세요", 71 71 "didWebWarning1": "이 PDS에 영구 연결:", ··· 164 164 "changeEmailButton": "이메일 변경", 165 165 "requesting": "요청 중...", 166 166 "verificationCode": "인증 코드", 167 167 - "verificationCodePlaceholder": "이메일의 코드 입력", 167 167 + "verificationCodePlaceholder": "인증 코드 입력", 168 168 "confirmEmailChange": "이메일 변경 확인", 169 169 "updating": "업데이트 중...", 170 170 "changeHandle": "핸들 변경", ··· 202 202 "deleteAccount": "계정 삭제", 203 203 "deleteWarning": "이 작업은 되돌릴 수 없습니다. 모든 데이터가 영구적으로 삭제됩니다.", 204 204 "requestDeletion": "계정 삭제 요청", 205 205 - "confirmationCode": "확인 코드 (이메일에서)", 205 205 + "confirmationCode": "확인 코드", 206 206 "confirmationCodePlaceholder": "확인 코드 입력", 207 207 "yourPassword": "비밀번호", 208 208 "yourPasswordPlaceholder": "비밀번호 입력", 209 209 "permanentlyDelete": "계정 영구 삭제", 210 210 "deleting": "삭제 중...", 211 211 "messages": { 212 212 - "emailCodeSent": "현재 이메일로 인증 코드를 보냈습니다", 212 212 + "emailCodeSent": "알림 채널로 인증 코드를 보냈습니다", 213 213 "emailUpdated": "이메일이 업데이트되었습니다", 214 214 "handleUpdated": "핸들이 업데이트되었습니다", 215 215 "passwordChanged": "비밀번호가 변경되었습니다", ··· 451 451 }, 452 452 "admin": { 453 453 "title": "관리 패널", 454 454 + "loading": "로딩 중...", 455 455 + "serverConfig": "서버 설정", 456 456 + "serverName": "서버 이름", 457 457 + "serverNamePlaceholder": "내 PDS", 458 458 + "serverNameHelp": "브라우저 탭 및 다른 곳에 표시됩니다", 459 459 + "serverLogo": "서버 로고", 460 460 + "logoPreview": "로고 미리보기", 461 461 + "removeLogo": "삭제", 462 462 + "logoHelp": "파비콘으로 사용되며 네비게이션 바에 표시됩니다", 463 463 + "themeColors": "테마 색상", 464 464 + "themeColorsHint": "기본 색상을 사용하려면 비워 두세요.", 465 465 + "primaryLight": "기본 (라이트 모드)", 466 466 + "primaryDark": "기본 (다크 모드)", 467 467 + "accentLight": "강조 (라이트 모드)", 468 468 + "accentDark": "강조 (다크 모드)", 469 469 + "faviconExample": "파비콘 예시", 470 470 + "configSaved": "서버 설정이 저장되었습니다", 471 471 + "saving": "저장 중...", 472 472 + "saveConfig": "설정 저장", 454 473 "serverStats": "서버 통계", 455 474 "users": "사용자", 456 475 "repos": "저장소", ··· 580 599 "verify": { 581 600 "title": "계정 인증", 582 601 "subtitle": "{channel}(으)로 인증 코드를 보냈습니다. 아래에 입력하여 등록을 완료하세요.", 583 583 - "codePlaceholder": "6자리 코드 입력", 602 602 + "tokenTitle": "인증", 603 603 + "tokenSubtitle": "인증 코드와 전송된 식별자를 입력하세요.", 604 604 + "codePlaceholder": "XXXX-XXXX-XXXX-XXXX...", 584 605 "codeLabel": "인증 코드", 606 606 + "codeHelp": "메시지에서 하이픈을 포함한 전체 코드를 복사하세요", 585 607 "verifyButton": "계정 인증", 608 608 + "verify": "인증", 586 609 "verifying": "인증 중...", 610 610 + "pleaseWait": "잠시 기다려 주세요...", 611 611 + "sending": "전송 중...", 587 612 "resendCode": "코드 다시 보내기", 588 613 "resending": "전송 중...", 589 614 "codeResent": "인증 코드를 다시 보냈습니다!", 615 615 + "codeResentDetail": "인증 코드가 전송되었습니다! 받은 편지함을 확인하세요.", 616 616 + "verified": "인증 완료!", 617 617 + "channelVerified": "{channel}이(가) 성공적으로 인증되었습니다.", 618 618 + "canNowSignIn": "이제 계정에 로그인할 수 있습니다.", 619 619 + "continue": "계속", 620 620 + "identifierLabel": "이메일 또는 식별자", 621 621 + "identifierPlaceholder": "you@example.com", 622 622 + "identifierHelp": "코드가 전송된 이메일 주소 또는 식별자", 590 623 "backToLogin": "로그인으로 돌아가기", 591 624 "verifyingAccount": "인증 중인 계정: @{handle}", 592 625 "startOver": "다른 계정으로 다시 시작", ··· 605 638 "sendCode": "재설정 코드 보내기", 606 639 "sending": "전송 중...", 607 640 "codeSent": "비밀번호 재설정 코드를 보냈습니다! 선호하는 알림 채널을 확인하세요.", 608 608 - "enterCode": "이메일의 코드와 새 비밀번호를 입력하세요.", 641 641 + "enterCode": "받은 코드와 새 비밀번호를 입력하세요.", 609 642 "code": "재설정 코드", 610 643 "codePlaceholder": "재설정 코드 입력", 611 644 "newPassword": "새 비밀번호", ··· 664 697 }, 665 698 "registerPasskey": { 666 699 "title": "패스키 계정 만들기", 667 667 - "subtitle": "패스키를 사용하여 비밀번호 없는 계정을 만듭니다.", 700 700 + "subtitle": "비밀번호 대신 패스키를 사용하여 초안전 계정을 만듭니다.", 701 701 + "subtitleKeyChoice": "외부 did:web 아이덴티티 설정 방법을 선택하세요.", 702 702 + "subtitleVerify": "{channel}(으)로 인증 코드를 보냈습니다. 코드를 입력하여 계속하세요.", 703 703 + "subtitlePasskey": "패스키를 만들어 계정 설정을 완료하세요.", 668 704 "handle": "핸들", 669 705 "handlePlaceholder": "사용자 이름", 670 706 "handleHint": "전체 핸들: @{handle}", 707 707 + "contactMethod": "연락 방법", 708 708 + "contactMethodHint": "계정 인증 및 알림 수신 방법을 선택하세요.", 709 709 + "verificationMethod": "인증 방법", 671 710 "email": "이메일 주소", 672 711 "emailPlaceholder": "you@example.com", 712 712 + "discord": "Discord", 713 713 + "discordId": "Discord 사용자 ID", 714 714 + "discordIdPlaceholder": "Discord 사용자 ID", 715 715 + "discordIdHint": "숫자 Discord 사용자 ID (개발자 모드를 활성화하여 찾기)", 716 716 + "telegram": "Telegram", 717 717 + "telegramUsername": "Telegram 사용자 이름", 718 718 + "telegramUsernamePlaceholder": "@yourusername", 719 719 + "signal": "Signal", 720 720 + "signalNumber": "Signal 전화번호", 721 721 + "signalNumberPlaceholder": "+821012345678", 722 722 + "signalNumberHint": "국가 코드 포함 (예: 한국 +82)", 673 723 "inviteCode": "초대 코드", 674 724 "inviteCodePlaceholder": "초대 코드 입력", 725 725 + "inviteCodeRequired": "필수", 726 726 + "didWebDescription": "자체 도메인에서 호스팅되는 DID 아이덴티티를 사용합니다.", 727 727 + "didWebToggle": "외부 did:web 사용", 728 728 + "externalDid": "귀하의 did:web", 729 729 + "externalDidPlaceholder": "did:web:yourdomain.com", 730 730 + "dnsVerificationInstructions": "도메인을 인증하려면 이 TXT 레코드를 추가하세요:", 731 731 + "copyDid": "DID 복사", 675 732 "createButton": "계정 만들기", 676 733 "creating": "생성 중...", 677 734 "alreadyHaveAccount": "이미 계정이 있으신가요?", 678 735 "signIn": "로그인", 679 736 "wantPassword": "비밀번호를 사용하시겠습니까?", 680 680 - "createPasswordAccount": "비밀번호 계정 만들기" 737 737 + "createPasswordAccount": "비밀번호 계정 만들기", 738 738 + "errors": { 739 739 + "handleRequired": "핸들은 필수입니다", 740 740 + "handleNoDots": "핸들에 점을 포함할 수 없습니다. 계정 생성 후 사용자 정의 도메인을 설정할 수 있습니다.", 741 741 + "passkeysNotSupported": "이 브라우저에서 패스키가 지원되지 않습니다. 비밀번호 기반 계정을 만들거나 패스키를 지원하는 브라우저를 사용하세요.", 742 742 + "passkeyCancelled": "패스키 생성이 취소되었습니다", 743 743 + "passkeyFailed": "패스키 등록에 실패했습니다" 744 744 + } 681 745 }, 682 746 "trustedDevices": { 683 747 "title": "신뢰할 수 있는 기기", ··· 710 774 "verify": "확인", 711 775 "verifying": "확인 중...", 712 776 "cancel": "취소" 777 777 + }, 778 778 + "verifyChannel": { 779 779 + "title": "채널 인증", 780 780 + "subtitle": "알림 채널로 전송된 인증 코드를 입력하세요.", 781 781 + "signInRequired": "로그인 필요", 782 782 + "signInRequiredDesc": "채널을 인증하려면 로그인해야 합니다.", 783 783 + "signIn": "로그인", 784 784 + "verifying": "인증 중...", 785 785 + "pleaseWait": "채널을 인증하는 중입니다. 잠시 기다려 주세요.", 786 786 + "successTitle": "인증 완료!", 787 787 + "successDesc": "{channel}이(가) 성공적으로 인증되었습니다.", 788 788 + "backToSettings": "설정으로 돌아가기", 789 789 + "channelLabel": "채널", 790 790 + "selectChannel": "채널 선택...", 791 791 + "identifierLabel": "식별자", 792 792 + "identifierPlaceholder": "이메일, Discord ID 등", 793 793 + "identifierHelp": "인증할 이메일 주소, Discord ID, Telegram 사용자 이름 또는 Signal 번호.", 794 794 + "codeLabel": "인증 코드", 795 795 + "codeHelp": "메시지에서 하이픈을 포함한 전체 코드를 복사하세요.", 796 796 + "verifyButton": "인증" 713 797 } 714 798 }

+98 -14

frontend/src/locales/sv.json

··· 80 80 "externalDidPlaceholder": "did:web:dindomän.se", 81 81 "externalDidHint": "Din domän måste tillhandahålla ett giltigt DID-dokument på /.well-known/did.json som pekar på denna PDS", 82 82 "contactMethod": "Kontaktmetod", 83 83 - "contactMethodHint": "Välj hur du vill verifiera ditt konto och ta emot notiser. Du behöver bara en.", 83 83 + "contactMethodHint": "Välj hur du vill verifiera ditt konto och ta emot meddelanden. Du behöver bara en.", 84 84 "verificationMethod": "Verifieringsmetod", 85 85 "email": "E-post", 86 86 "emailAddress": "E-postadress", ··· 164 164 "changeEmailButton": "Ändra e-post", 165 165 "requesting": "Begär...", 166 166 "verificationCode": "Verifieringskod", 167 167 - "verificationCodePlaceholder": "Ange kod från e-post", 167 167 + "verificationCodePlaceholder": "Ange verifieringskod", 168 168 "confirmEmailChange": "Bekräfta e-poständring", 169 169 "updating": "Uppdaterar...", 170 170 "changeHandle": "Ändra användarnamn", ··· 202 202 "deleteAccount": "Radera konto", 203 203 "deleteWarning": "Denna åtgärd är oåterkallelig. All din data kommer att raderas permanent.", 204 204 "requestDeletion": "Begär kontoradering", 205 205 - "confirmationCode": "Bekräftelsekod (från e-post)", 205 205 + "confirmationCode": "Bekräftelsekod", 206 206 "confirmationCodePlaceholder": "Ange bekräftelsekod", 207 207 "yourPassword": "Ditt lösenord", 208 208 "yourPasswordPlaceholder": "Ange ditt lösenord", 209 209 "permanentlyDelete": "Radera konto permanent", 210 210 "deleting": "Raderar...", 211 211 "messages": { 212 212 - "emailCodeSent": "Verifieringskod skickad till din nuvarande e-post", 212 212 + "emailCodeSent": "Verifieringskod skickad till din meddelandekanal", 213 213 "emailUpdated": "E-post uppdaterad", 214 214 "handleUpdated": "Användarnamn uppdaterat", 215 215 "passwordChanged": "Lösenord ändrat", ··· 350 350 "lastUsed": "Senast använd", 351 351 "passwordDescription": "Hantera ditt kontolösenord. Om du har nycklar konfigurerade kan du valfritt ta bort ditt lösenord för en helt lösenordsfri upplevelse.", 352 352 "disableTotpWarning": "Detta gör ditt konto mindre säkert.", 353 353 - "removePasswordWarning": "Detta gör ditt konto till endast nyckelkonto. Du kan endast logga in med dina registrerade nycklar. Om du förlorar tillgång till alla dina nycklar kan du återställa ditt konto via din notifieringskanal.", 353 353 + "removePasswordWarning": "Detta gör ditt konto till endast nyckelkonto. Du kan endast logga in med dina registrerade nycklar. Om du förlorar tillgång till alla dina nycklar kan du återställa ditt konto via din meddelandekanal.", 354 354 "beforeProceeding": "Innan du fortsätter:", 355 355 "beforeProceedingItem1": "Se till att du har minst en pålitlig nyckel registrerad", 356 356 "beforeProceedingItem2": "Överväg att registrera nycklar på flera enheter", 357 357 - "beforeProceedingItem3": "Se till att din återställningsnotifieringskanal är uppdaterad", 357 357 + "beforeProceedingItem3": "Se till att din meddelandekanal för återställning är uppdaterad", 358 358 "addPasskeyFirst": "Lägg till minst en nyckel innan du kan ta bort ditt lösenord.", 359 359 "passkeyOnlyHint": "Du loggar in med endast nycklar. Om du förlorar tillgång till dina nycklar kan du återställa ditt konto med länken \"Tappat bort nyckeln?\" på inloggningssidan.", 360 360 "trustedDevices": "Betrodda enheter", ··· 451 451 }, 452 452 "admin": { 453 453 "title": "Adminpanel", 454 454 + "loading": "Laddar...", 455 455 + "serverConfig": "Serverkonfiguration", 456 456 + "serverName": "Servernamn", 457 457 + "serverNamePlaceholder": "Min PDS", 458 458 + "serverNameHelp": "Visas i webbläsarfliken och på andra ställen", 459 459 + "serverLogo": "Serverlogotyp", 460 460 + "logoPreview": "Förhandsgranskning av logotyp", 461 461 + "removeLogo": "Ta bort", 462 462 + "logoHelp": "Används som favicon och visas i navigeringsfältet", 463 463 + "themeColors": "Temafärger", 464 464 + "themeColorsHint": "Lämna tomt för att använda standardfärger.", 465 465 + "primaryLight": "Primär (ljust läge)", 466 466 + "primaryDark": "Primär (mörkt läge)", 467 467 + "accentLight": "Accent (ljust läge)", 468 468 + "accentDark": "Accent (mörkt läge)", 469 469 + "faviconExample": "Favicon-exempel", 470 470 + "configSaved": "Serverkonfiguration sparad", 471 471 + "saving": "Sparar...", 472 472 + "saveConfig": "Spara konfiguration", 454 473 "serverStats": "Serverstatistik", 455 474 "users": "Användare", 456 475 "repos": "Dataförvar", ··· 514 533 "readProfile": "Läsa din profilinformation", 515 534 "readPosts": "Läsa dina inlägg och innehåll", 516 535 "writePosts": "Skapa och radera inlägg för din räkning", 517 517 - "readNotifications": "Läsa dina notiser", 536 536 + "readNotifications": "Läsa dina aviseringar", 518 537 "fullAccess": "Full tillgång till ditt konto", 519 538 "authorize": "Auktorisera", 520 539 "deny": "Neka", ··· 580 599 "verify": { 581 600 "title": "Verifiera ditt konto", 582 601 "subtitle": "Vi har skickat en verifieringskod till din {channel}. Ange den nedan för att slutföra registreringen.", 583 583 - "codePlaceholder": "Ange 6-siffrig kod", 602 602 + "tokenTitle": "Verifiera", 603 603 + "tokenSubtitle": "Ange verifieringskoden och identifieraren den skickades till.", 604 604 + "codePlaceholder": "XXXX-XXXX-XXXX-XXXX...", 584 605 "codeLabel": "Verifieringskod", 606 606 + "codeHelp": "Kopiera hela koden från ditt meddelande, inklusive bindestreck", 585 607 "verifyButton": "Verifiera konto", 608 608 + "verify": "Verifiera", 586 609 "verifying": "Verifierar...", 610 610 + "pleaseWait": "Vänta...", 611 611 + "sending": "Skickar...", 587 612 "resendCode": "Skicka kod igen", 588 613 "resending": "Skickar igen...", 589 614 "codeResent": "Verifieringskod skickad igen!", 615 615 + "codeResentDetail": "Verifieringskod skickad! Kontrollera din inkorg.", 616 616 + "verified": "Verifierad!", 617 617 + "channelVerified": "Din {channel} har verifierats.", 618 618 + "canNowSignIn": "Du kan nu logga in på ditt konto.", 619 619 + "continue": "Fortsätt", 620 620 + "identifierLabel": "E-post eller identifierare", 621 621 + "identifierPlaceholder": "du@exempel.se", 622 622 + "identifierHelp": "E-postadressen eller identifieraren koden skickades till", 590 623 "backToLogin": "Tillbaka till inloggning", 591 624 "verifyingAccount": "Verifierar konto: @{handle}", 592 625 "startOver": "Börja om med ett annat konto", ··· 604 637 "emailPlaceholder": "användarnamn eller du@exempel.se", 605 638 "sendCode": "Skicka återställningskod", 606 639 "sending": "Skickar...", 607 607 - "codeSent": "Återställningskod skickad! Kontrollera din föredragna notifieringskanal.", 608 608 - "enterCode": "Ange koden från din e-post och ditt nya lösenord.", 640 640 + "codeSent": "Återställningskod skickad! Kontrollera din föredragna meddelandekanal.", 641 641 + "enterCode": "Ange koden du fick och ditt nya lösenord.", 609 642 "code": "Återställningskod", 610 643 "codePlaceholder": "Ange återställningskod", 611 644 "newPassword": "Nytt lösenord", ··· 652 685 "title": "Återställ nyckelkonto", 653 686 "subtitle": "Förlorat tillgång till din nyckel? Ange ditt användarnamn eller e-post så skickar vi dig en återställningslänk.", 654 687 "successTitle": "Återställningslänk skickad", 655 655 - "successMessage": "Om ditt konto finns och är ett endast nyckelkonto får du en återställningslänk på din föredragna notifieringskanal.", 688 688 + "successMessage": "Om ditt konto finns och är ett endast nyckelkonto får du en återställningslänk på din föredragna meddelandekanal.", 656 689 "successInfo": "Länken upphör om 1 timme. Kontrollera din e-post, Discord, Telegram eller Signal beroende på dina kontoinställningar.", 657 690 "handleOrEmail": "Användarnamn eller e-post", 658 691 "emailPlaceholder": "användarnamn eller du@exempel.se", 659 692 "howItWorks": "Så fungerar det", 660 660 - "howItWorksDetail": "Vi skickar en säker länk till din registrerade notifieringskanal. Klicka på länken för att ställa in ett tillfälligt lösenord. Sedan kan du logga in och lägga till en ny nyckel.", 693 693 + "howItWorksDetail": "Vi skickar en säker länk till din registrerade meddelandekanal. Klicka på länken för att ställa in ett tillfälligt lösenord. Sedan kan du logga in och lägga till en ny nyckel.", 661 694 "sendRecoveryLink": "Skicka återställningslänk", 662 695 "sending": "Skickar...", 663 696 "backToLogin": "Tillbaka till inloggning" 664 697 }, 665 698 "registerPasskey": { 666 699 "title": "Skapa nyckelkonto", 667 667 - "subtitle": "Skapa ett lösenordsfritt konto med en nyckel.", 700 700 + "subtitle": "Skapa ett ultrasäkert konto med en nyckel istället för ett lösenord.", 701 701 + "subtitleKeyChoice": "Välj hur du vill konfigurera din externa did:web-identitet.", 702 702 + "subtitleVerify": "Vi har skickat en verifieringskod till din {channel}. Ange koden för att fortsätta.", 703 703 + "subtitlePasskey": "Skapa din nyckel för att slutföra kontokonfigurationen.", 668 704 "handle": "Användarnamn", 669 705 "handlePlaceholder": "dittnamn", 670 706 "handleHint": "Ditt fullständiga användarnamn blir: @{handle}", 707 707 + "contactMethod": "Kontaktmetod", 708 708 + "contactMethodHint": "Välj hur du vill verifiera ditt konto och ta emot meddelanden.", 709 709 + "verificationMethod": "Verifieringsmetod", 671 710 "email": "E-postadress", 672 711 "emailPlaceholder": "du@exempel.se", 712 712 + "discord": "Discord", 713 713 + "discordId": "Discord användar-ID", 714 714 + "discordIdPlaceholder": "Ditt Discord användar-ID", 715 715 + "discordIdHint": "Ditt numeriska Discord användar-ID (aktivera Utvecklarläge för att hitta det)", 716 716 + "telegram": "Telegram", 717 717 + "telegramUsername": "Telegram-användarnamn", 718 718 + "telegramUsernamePlaceholder": "@dittanvändarnamn", 719 719 + "signal": "Signal", 720 720 + "signalNumber": "Signal-telefonnummer", 721 721 + "signalNumberPlaceholder": "+46701234567", 722 722 + "signalNumberHint": "Inkludera landskod (t.ex. +46 för Sverige)", 673 723 "inviteCode": "Inbjudningskod", 674 724 "inviteCodePlaceholder": "Ange din inbjudningskod", 725 725 + "inviteCodeRequired": "krävs", 726 726 + "didWebDescription": "Använd en DID-identitet som är lagrad på din egen domän.", 727 727 + "didWebToggle": "Använd extern did:web", 728 728 + "externalDid": "Din did:web", 729 729 + "externalDidPlaceholder": "did:web:dindomän.se", 730 730 + "dnsVerificationInstructions": "För att verifiera din domän, lägg till denna TXT-post:", 731 731 + "copyDid": "Kopiera DID", 675 732 "createButton": "Skapa konto", 676 733 "creating": "Skapar...", 677 734 "alreadyHaveAccount": "Har du redan ett konto?", 678 735 "signIn": "Logga in", 679 736 "wantPassword": "Vill du använda ett lösenord?", 680 680 - "createPasswordAccount": "Skapa ett lösenordskonto" 737 737 + "createPasswordAccount": "Skapa ett lösenordskonto", 738 738 + "errors": { 739 739 + "handleRequired": "Användarnamn krävs", 740 740 + "handleNoDots": "Användarnamn kan inte innehålla punkter. Du kan konfigurera ett eget domännamn efter att kontot skapats.", 741 741 + "passkeysNotSupported": "Nycklar stöds inte i denna webbläsare. Skapa ett lösenordsbaserat konto eller använd en webbläsare som stöder nycklar.", 742 742 + "passkeyCancelled": "Nyckelskapande avbröts", 743 743 + "passkeyFailed": "Nyckelregistrering misslyckades" 744 744 + } 681 745 }, 682 746 "trustedDevices": { 683 747 "title": "Betrodda enheter", ··· 710 774 "verify": "Verifiera", 711 775 "verifying": "Verifierar...", 712 776 "cancel": "Avbryt" 777 777 + }, 778 778 + "verifyChannel": { 779 779 + "title": "Verifiera kanal", 780 780 + "subtitle": "Ange verifieringskoden som skickades till din meddelandekanal.", 781 781 + "signInRequired": "Inloggning krävs", 782 782 + "signInRequiredDesc": "Du måste vara inloggad för att verifiera en kanal.", 783 783 + "signIn": "Logga in", 784 784 + "verifying": "Verifierar...", 785 785 + "pleaseWait": "Vänta medan vi verifierar din kanal.", 786 786 + "successTitle": "Verifierad!", 787 787 + "successDesc": "Din {channel} har verifierats.", 788 788 + "backToSettings": "Tillbaka till inställningar", 789 789 + "channelLabel": "Kanal", 790 790 + "selectChannel": "Välj kanal...", 791 791 + "identifierLabel": "Identifierare", 792 792 + "identifierPlaceholder": "E-post, Discord ID, etc.", 793 793 + "identifierHelp": "E-postadressen, Discord ID, Telegram-användarnamn eller Signal-nummer som verifieras.", 794 794 + "codeLabel": "Verifieringskod", 795 795 + "codeHelp": "Kopiera hela koden från ditt meddelande, inklusive bindestreck.", 796 796 + "verifyButton": "Verifiera" 713 797 } 714 798 }

+130 -8

frontend/src/locales/zh.json

··· 164 164 "changeEmailButton": "更改邮箱", 165 165 "requesting": "请求中...", 166 166 "verificationCode": "验证码", 167 167 - "verificationCodePlaceholder": "输入邮件中的验证码", 167 167 + "verificationCodePlaceholder": "输入验证码", 168 168 "confirmEmailChange": "确认更改邮箱", 169 169 "updating": "更新中...", 170 170 "changeHandle": "更改用户名", ··· 202 202 "deleteAccount": "删除账户", 203 203 "deleteWarning": "此操作不可逆。您的所有数据将被永久删除。", 204 204 "requestDeletion": "请求删除账户", 205 205 - "confirmationCode": "确认码（来自邮件）", 205 205 + "confirmationCode": "确认码", 206 206 "confirmationCodePlaceholder": "输入确认码", 207 207 "yourPassword": "您的密码", 208 208 "yourPasswordPlaceholder": "输入您的密码", 209 209 "permanentlyDelete": "永久删除账户", 210 210 "deleting": "删除中...", 211 211 "messages": { 212 212 - "emailCodeSent": "验证码已发送到您当前的邮箱", 212 212 + "emailCodeSent": "验证码已发送到您的通知渠道", 213 213 "emailUpdated": "邮箱更新成功", 214 214 "handleUpdated": "用户名更新成功", 215 215 "passwordChanged": "密码更改成功", ··· 451 451 }, 452 452 "admin": { 453 453 "title": "管理后台", 454 454 + "loading": "加载中...", 455 455 + "serverConfig": "服务器配置", 456 456 + "serverName": "服务器名称", 457 457 + "serverNamePlaceholder": "我的 PDS", 458 458 + "serverNameHelp": "显示在浏览器标签和其他地方", 459 459 + "serverLogo": "服务器图标", 460 460 + "logoPreview": "图标预览", 461 461 + "removeLogo": "移除", 462 462 + "logoHelp": "用作网站图标和导航栏显示", 463 463 + "themeColors": "主题颜色", 464 464 + "themeColorsHint": "留空使用默认颜色。", 465 465 + "primaryLight": "主色（浅色模式）", 466 466 + "primaryLightDefault": "#2c00ff（默认）", 467 467 + "primaryDark": "主色（深色模式）", 468 468 + "primaryDarkDefault": "#7b6bff（默认）", 469 469 + "secondaryLight": "副色（浅色模式）", 470 470 + "secondaryLightDefault": "#ff2400（默认）", 471 471 + "secondaryDark": "副色（深色模式）", 472 472 + "secondaryDarkDefault": "#ff6b5b（默认）", 473 473 + "configSaved": "服务器配置已保存", 474 474 + "saving": "保存中...", 475 475 + "saveConfig": "保存配置", 454 476 "serverStats": "服务器统计", 455 477 "users": "用户", 456 478 "repos": "仓库", ··· 580 602 "verify": { 581 603 "title": "验证账户", 582 604 "subtitle": "我们已将验证码发送到您的{channel}。请在下方输入以完成注册。", 583 583 - "codePlaceholder": "输入6位验证码", 605 605 + "tokenSubtitle": "输入验证码和接收验证码的标识符。", 606 606 + "tokenTitle": "验证", 607 607 + "codePlaceholder": "XXXX-XXXX-XXXX-XXXX...", 584 608 "codeLabel": "验证码", 609 609 + "codeHelp": "复制消息中的完整验证码，包括横线", 585 610 "verifyButton": "验证账户", 611 611 + "verify": "验证", 586 612 "verifying": "验证中...", 613 613 + "pleaseWait": "请稍候...", 587 614 "resendCode": "重新发送验证码", 588 615 "resending": "发送中...", 616 616 + "sending": "发送中...", 589 617 "codeResent": "验证码已重新发送！", 618 618 + "codeResentDetail": "验证码已发送！请查收。", 590 619 "backToLogin": "返回登录", 591 620 "verifyingAccount": "正在验证账户：@{handle}", 592 621 "startOver": "使用其他账户重新开始", 593 622 "noPending": "未找到待验证的账户", 594 623 "noPendingInfo": "如果您最近创建了账户需要验证，可能需要重新创建账户。如果您已完成验证，可以直接登录。", 595 624 "createAccount": "创建账户", 596 596 - "signIn": "登录" 625 625 + "signIn": "登录", 626 626 + "verified": "验证成功！", 627 627 + "channelVerified": "您的{channel}已成功验证。", 628 628 + "canNowSignIn": "您现在可以登录账户。", 629 629 + "continue": "继续", 630 630 + "identifierLabel": "邮箱或标识符", 631 631 + "identifierPlaceholder": "you@example.com", 632 632 + "identifierHelp": "接收验证码的邮箱地址或标识符" 597 633 }, 598 634 "resetPassword": { 599 635 "title": "重置密码", ··· 605 641 "sendCode": "发送重置验证码", 606 642 "sending": "发送中...", 607 643 "codeSent": "重置验证码已发送！请检查您的首选通知渠道。", 608 608 - "enterCode": "输入邮件中的验证码和新密码。", 644 644 + "enterCode": "输入您收到的验证码和新密码。", 609 645 "code": "重置验证码", 610 646 "codePlaceholder": "输入重置验证码", 611 647 "newPassword": "新密码", ··· 664 700 }, 665 701 "registerPasskey": { 666 702 "title": "创建通行密钥账户", 667 667 - "subtitle": "使用通行密钥创建无密码账户。", 703 703 + "subtitle": "使用通行密钥创建超安全账户，无需密码。", 704 704 + "subtitleKeyChoice": "选择如何设置您的外部 did:web 身份。", 705 705 + "subtitleInitialDidDoc": "上传您的 DID 文档以继续。", 706 706 + "subtitleCreating": "正在创建您的账户...", 707 707 + "subtitlePasskey": "注册通行密钥以保护您的账户。", 708 708 + "subtitleAppPassword": "保存您的应用专用密码以使用第三方应用。", 709 709 + "subtitleVerify": "验证您的{channel}以继续。", 710 710 + "subtitleUpdatedDidDoc": "使用 PDS 签名密钥更新您的 DID 文档。", 711 711 + "subtitleActivating": "正在激活您的账户...", 712 712 + "subtitleComplete": "您的账户已成功创建！", 668 713 "handle": "用户名", 669 714 "handlePlaceholder": "您的用户名", 670 715 "handleHint": "您的完整用户名将是：@{handle}", 716 716 + "handleDotWarning": "可以在创建账户后设置自定义域名。", 671 717 "email": "邮箱地址", 672 718 "emailPlaceholder": "you@example.com", 673 719 "inviteCode": "邀请码", 674 720 "inviteCodePlaceholder": "输入您的邀请码", 675 721 "createButton": "创建账户", 676 722 "creating": "创建中...", 723 723 + "continue": "继续", 724 724 + "back": "返回", 677 725 "alreadyHaveAccount": "已有账户？", 678 726 "signIn": "立即登录", 679 727 "wantPassword": "想使用密码？", 680 680 - "createPasswordAccount": "创建密码账户" 728 728 + "createPasswordAccount": "创建密码账户", 729 729 + "wantTraditional": "想使用传统密码？", 730 730 + "registerWithPassword": "使用密码注册", 731 731 + "contactMethod": "联系方式", 732 732 + "contactMethodHint": "选择您希望如何验证账户和接收通知。", 733 733 + "verificationMethod": "验证方式", 734 734 + "identityType": "身份类型", 735 735 + "identityTypeHint": "选择如何管理您的去中心化身份。", 736 736 + "didPlcRecommended": "did:plc（推荐）", 737 737 + "didPlcHint": "由 PLC 目录管理的可迁移身份", 738 738 + "didWeb": "did:web", 739 739 + "didWebHint": "托管在此 PDS 上的身份（请阅读下方警告）", 740 740 + "didWebBYOD": "did:web（自带域名）", 741 741 + "didWebBYODHint": "使用您自己的域名", 742 742 + "didWebWarningTitle": "重要：了解利弊", 743 743 + "didWebWarning1": "永久绑定此 PDS：", 744 744 + "didWebWarning2": "无法恢复：", 745 745 + "didWebWarning2Detail": "与 did:plc 不同，did:web 没有密钥轮换机制。", 746 746 + "didWebWarning3": "我们的承诺：", 747 747 + "didWebWarning3Detail": "如果您迁移到其他 PDS，我们将继续提供最小 DID 文档。", 748 748 + "didWebWarning4": "建议：", 749 749 + "didWebWarning4Detail": "除非有特定原因，否则请选择 did:plc。", 750 750 + "externalDid": "您的 did:web", 751 751 + "externalDidPlaceholder": "did:web:yourdomain.com", 752 752 + "externalDidHint": "您需要在以下地址提供 DID 文档", 753 753 + "whyPasskeyOnly": "为什么选择仅通行密钥？", 754 754 + "whyPasskeyOnlyDesc": "通行密钥账户比密码账户更安全，因为它们：", 755 755 + "whyPasskeyBullet1": "无法被钓鱼或在数据泄露中被盗", 756 756 + "whyPasskeyBullet2": "使用硬件支持的加密密钥", 757 757 + "whyPasskeyBullet3": "需要您的生物识别或设备 PIN 才能使用", 758 758 + "passkeyNameLabel": "通行密钥名称（可选）", 759 759 + "passkeyNamePlaceholder": "如 MacBook Touch ID", 760 760 + "passkeyNameHint": "用于识别此通行密钥的友好名称", 761 761 + "passkeyPrompt": "点击下方按钮创建通行密钥。系统会提示您使用：", 762 762 + "passkeyPromptBullet1": "Touch ID 或 Face ID", 763 763 + "passkeyPromptBullet2": "设备 PIN 或密码", 764 764 + "passkeyPromptBullet3": "安全密钥（如果有的话）", 765 765 + "createPasskey": "创建通行密钥", 766 766 + "creatingPasskey": "正在创建通行密钥...", 767 767 + "redirecting": "正在跳转到控制台...", 768 768 + "loading": "加载中...", 769 769 + "errors": { 770 770 + "handleRequired": "请输入用户名", 771 771 + "handleNoDots": "用户名不能包含点号。您可以在创建账户后设置自定义域名。", 772 772 + "inviteRequired": "请输入邀请码", 773 773 + "externalDidRequired": "请输入您的 did:web", 774 774 + "externalDidFormat": "DID 必须以 did:web: 开头", 775 775 + "emailRequired": "使用邮箱验证需要填写邮箱地址", 776 776 + "discordRequired": "使用 Discord 验证需要填写 Discord ID", 777 777 + "telegramRequired": "使用 Telegram 验证需要填写用户名", 778 778 + "signalRequired": "使用 Signal 验证需要填写电话号码", 779 779 + "passkeysNotSupported": "此浏览器不支持通行密钥。请使用其他浏览器或使用密码注册。", 780 780 + "passkeyCancelled": "通行密钥创建已取消", 781 781 + "passkeyFailed": "通行密钥注册失败" 782 782 + } 681 783 }, 682 784 "trustedDevices": { 683 785 "title": "受信任设备", ··· 710 812 "verify": "验证", 711 813 "verifying": "验证中...", 712 814 "cancel": "取消" 815 815 + }, 816 816 + "verifyChannel": { 817 817 + "title": "验证通道", 818 818 + "subtitle": "输入发送到您通知通道的验证码。", 819 819 + "signInRequired": "需要登录", 820 820 + "signInRequiredDesc": "您必须登录才能验证通道。", 821 821 + "signIn": "登录", 822 822 + "verifying": "验证中...", 823 823 + "pleaseWait": "请稍候，正在验证您的通道。", 824 824 + "successTitle": "验证成功！", 825 825 + "successDesc": "您的 {channel} 已成功验证。", 826 826 + "backToSettings": "返回设置", 827 827 + "channelLabel": "通道", 828 828 + "selectChannel": "选择通道...", 829 829 + "identifierLabel": "标识符", 830 830 + "identifierPlaceholder": "邮箱、Discord ID 等", 831 831 + "identifierHelp": "正在验证的邮箱地址、Discord ID、Telegram 用户名或 Signal 号码。", 832 832 + "codeLabel": "验证码", 833 833 + "codeHelp": "复制消息中的完整验证码，包括横线。", 834 834 + "verifyButton": "验证" 713 835 } 714 836 }

+71 -71

frontend/src/routes/Admin.svelte

··· 302 302 {#if auth.session?.isAdmin} 303 303 <div class="page"> 304 304 <header> 305 305 - <a href="#/dashboard" class="back">&larr; Dashboard</a> 306 306 - <h1>Admin Panel</h1> 305 305 + <a href="#/dashboard" class="back">{$_('common.backToDashboard')}</a> 306 306 + <h1>{$_('admin.title')}</h1> 307 307 </header> 308 308 {#if loading} 309 309 - <p class="loading">Loading...</p> 309 309 + <p class="loading">{$_('admin.loading')}</p> 310 310 {:else} 311 311 {#if error} 312 312 <div class="message error">{error}</div> 313 313 {/if} 314 314 <section> 315 315 - <h2>Server Configuration</h2> 315 315 + <h2>{$_('admin.serverConfig')}</h2> 316 316 <form class="config-form" onsubmit={saveServerConfig}> 317 317 <div class="form-group"> 318 318 - <label for="serverName">Server Name</label> 318 318 + <label for="serverName">{$_('admin.serverName')}</label> 319 319 <input 320 320 type="text" 321 321 id="serverName" 322 322 bind:value={serverNameInput} 323 323 - placeholder="My PDS" 323 323 + placeholder={$_('admin.serverNamePlaceholder')} 324 324 maxlength="100" 325 325 disabled={serverConfigLoading} 326 326 /> 327 327 - <span class="help-text">Displayed in the browser tab and other places</span> 327 327 + <span class="help-text">{$_('admin.serverNameHelp')}</span> 328 328 </div> 329 329 330 330 <div class="form-group"> 331 331 - <label for="serverLogo">Server Logo</label> 331 331 + <label for="serverLogo">{$_('admin.serverLogo')}</label> 332 332 <div class="logo-upload"> 333 333 {#if logoPreview} 334 334 <div class="logo-preview"> 335 335 - <img src={logoPreview} alt="Logo preview" /> 336 336 - <button type="button" class="remove-logo" onclick={removeLogo} disabled={serverConfigLoading}>Remove</button> 335 335 + <img src={logoPreview} alt={$_('admin.logoPreview')} /> 336 336 + <button type="button" class="remove-logo" onclick={removeLogo} disabled={serverConfigLoading}>{$_('admin.removeLogo')}</button> 337 337 </div> 338 338 {:else} 339 339 <input ··· 345 345 /> 346 346 {/if} 347 347 </div> 348 348 - <span class="help-text">Used as favicon and shown in the navbar</span> 348 348 + <span class="help-text">{$_('admin.logoHelp')}</span> 349 349 </div> 350 350 351 351 - <h3 class="subsection-title">Theme Colors</h3> 352 352 - <p class="theme-hint">Leave blank to use default colors.</p> 351 351 + <h3 class="subsection-title">{$_('admin.themeColors')}</h3> 352 352 + <p class="theme-hint">{$_('admin.themeColorsHint')}</p> 353 353 354 354 <div class="color-grid"> 355 355 <div class="color-group"> 356 356 - <label for="primaryColor">Primary (Light Mode)</label> 356 356 + <label for="primaryColor">{$_('admin.primaryLight')}</label> 357 357 <div class="color-input-row"> 358 358 <input 359 359 type="color" ··· 364 364 type="text" 365 365 id="primaryColor" 366 366 bind:value={primaryColorInput} 367 367 - placeholder="#2c00ff (default)" 367 367 + placeholder={$_('admin.primaryLightDefault')} 368 368 disabled={serverConfigLoading} 369 369 /> 370 370 </div> 371 371 </div> 372 372 <div class="color-group"> 373 373 - <label for="primaryColorDark">Primary (Dark Mode)</label> 373 373 + <label for="primaryColorDark">{$_('admin.primaryDark')}</label> 374 374 <div class="color-input-row"> 375 375 <input 376 376 type="color" ··· 381 381 type="text" 382 382 id="primaryColorDark" 383 383 bind:value={primaryColorDarkInput} 384 384 - placeholder="#7b6bff (default)" 384 384 + placeholder={$_('admin.primaryDarkDefault')} 385 385 disabled={serverConfigLoading} 386 386 /> 387 387 </div> 388 388 </div> 389 389 <div class="color-group"> 390 390 - <label for="secondaryColor">Secondary (Light Mode)</label> 390 390 + <label for="secondaryColor">{$_('admin.secondaryLight')}</label> 391 391 <div class="color-input-row"> 392 392 <input 393 393 type="color" ··· 398 398 type="text" 399 399 id="secondaryColor" 400 400 bind:value={secondaryColorInput} 401 401 - placeholder="#ff2400 (default)" 401 401 + placeholder={$_('admin.secondaryLightDefault')} 402 402 disabled={serverConfigLoading} 403 403 /> 404 404 </div> 405 405 </div> 406 406 <div class="color-group"> 407 407 - <label for="secondaryColorDark">Secondary (Dark Mode)</label> 407 407 + <label for="secondaryColorDark">{$_('admin.secondaryDark')}</label> 408 408 <div class="color-input-row"> 409 409 <input 410 410 type="color" ··· 415 415 type="text" 416 416 id="secondaryColorDark" 417 417 bind:value={secondaryColorDarkInput} 418 418 - placeholder="#ff6b5b (default)" 418 418 + placeholder={$_('admin.secondaryDarkDefault')} 419 419 disabled={serverConfigLoading} 420 420 /> 421 421 </div> ··· 426 426 <div class="message error">{serverConfigError}</div> 427 427 {/if} 428 428 {#if serverConfigSuccess} 429 429 - <div class="message success">Server configuration saved</div> 429 429 + <div class="message success">{$_('admin.configSaved')}</div> 430 430 {/if} 431 431 <button type="submit" disabled={serverConfigLoading || !hasConfigChanges()}> 432 432 - {serverConfigLoading ? 'Saving...' : 'Save Configuration'} 432 432 + {serverConfigLoading ? $_('admin.saving') : $_('admin.saveConfig')} 433 433 </button> 434 434 </form> 435 435 </section> 436 436 {#if stats} 437 437 <section> 438 438 - <h2>Server Statistics</h2> 438 438 + <h2>{$_('admin.serverStats')}</h2> 439 439 <div class="stats-grid"> 440 440 <div class="stat-card"> 441 441 <div class="stat-value">{formatNumber(stats.userCount)}</div> 442 442 - <div class="stat-label">Users</div> 442 442 + <div class="stat-label">{$_('admin.users')}</div> 443 443 </div> 444 444 <div class="stat-card"> 445 445 <div class="stat-value">{formatNumber(stats.repoCount)}</div> 446 446 - <div class="stat-label">Repositories</div> 446 446 + <div class="stat-label">{$_('admin.repos')}</div> 447 447 </div> 448 448 <div class="stat-card"> 449 449 <div class="stat-value">{formatNumber(stats.recordCount)}</div> 450 450 - <div class="stat-label">Records</div> 450 450 + <div class="stat-label">{$_('admin.records')}</div> 451 451 </div> 452 452 <div class="stat-card"> 453 453 <div class="stat-value">{formatBytes(stats.blobStorageBytes)}</div> 454 454 - <div class="stat-label">Blob Storage</div> 454 454 + <div class="stat-label">{$_('admin.blobStorage')}</div> 455 455 </div> 456 456 </div> 457 457 - <button class="refresh-btn" onclick={loadStats}>Refresh Stats</button> 457 457 + <button class="refresh-btn" onclick={loadStats}>{$_('admin.refreshStats')}</button> 458 458 </section> 459 459 {/if} 460 460 <section> 461 461 - <h2>User Management</h2> 461 461 + <h2>{$_('admin.userManagement')}</h2> 462 462 <form class="search-form" onsubmit={handleSearch}> 463 463 <input 464 464 type="text" 465 465 bind:value={handleSearchQuery} 466 466 - placeholder="Search by handle (optional)" 466 466 + placeholder={$_('admin.searchPlaceholder')} 467 467 disabled={usersLoading} 468 468 /> 469 469 <button type="submit" disabled={usersLoading}> 470 470 - {usersLoading ? 'Loading...' : 'Search Users'} 470 470 + {usersLoading ? $_('admin.loading') : $_('admin.searchUsers')} 471 471 </button> 472 472 </form> 473 473 {#if usersError} ··· 476 476 {#if showUsers} 477 477 <div class="user-list"> 478 478 {#if users.length === 0} 479 479 - <p class="no-results">No users found</p> 479 479 + <p class="no-results">{$_('admin.noUsers')}</p> 480 480 {:else} 481 481 <table> 482 482 <thead> 483 483 <tr> 484 484 - <th>Handle</th> 485 485 - <th>Email</th> 486 486 - <th>Status</th> 487 487 - <th>Created</th> 484 484 + <th>{$_('admin.handle')}</th> 485 485 + <th>{$_('admin.email')}</th> 486 486 + <th>{$_('admin.status')}</th> 487 487 + <th>{$_('admin.created')}</th> 488 488 </tr> 489 489 </thead> 490 490 <tbody> ··· 494 494 <td class="email">{user.email || '-'}</td> 495 495 <td> 496 496 {#if user.deactivatedAt} 497 497 - <span class="badge deactivated">Deactivated</span> 497 497 + <span class="badge deactivated">{$_('admin.deactivated')}</span> 498 498 {:else if user.emailConfirmedAt} 499 499 - <span class="badge verified">Verified</span> 499 499 + <span class="badge verified">{$_('admin.verified')}</span> 500 500 {:else} 501 501 - <span class="badge unverified">Unverified</span> 501 501 + <span class="badge unverified">{$_('admin.unverified')}</span> 502 502 {/if} 503 503 </td> 504 504 <td class="date">{formatDate(user.indexedAt)}</td> ··· 508 508 </table> 509 509 {#if usersCursor} 510 510 <button class="load-more" onclick={() => loadUsers(false)} disabled={usersLoading}> 511 511 - {usersLoading ? 'Loading...' : 'Load More'} 511 511 + {usersLoading ? $_('admin.loading') : $_('admin.loadMore')} 512 512 </button> 513 513 {/if} 514 514 {/if} ··· 516 516 {/if} 517 517 </section> 518 518 <section> 519 519 - <h2>Invite Codes</h2> 519 519 + <h2>{$_('admin.inviteCodes')}</h2> 520 520 <div class="section-actions"> 521 521 <button onclick={() => loadInvites(true)} disabled={invitesLoading}> 522 522 - {invitesLoading ? 'Loading...' : showInvites ? 'Refresh' : 'Load Invite Codes'} 522 522 + {invitesLoading ? $_('admin.loading') : showInvites ? $_('admin.refresh') : $_('admin.loadInviteCodes')} 523 523 </button> 524 524 </div> 525 525 {#if invitesError} ··· 528 528 {#if showInvites} 529 529 <div class="invite-list"> 530 530 {#if invites.length === 0} 531 531 - <p class="no-results">No invite codes found</p> 531 531 + <p class="no-results">{$_('admin.noInvites')}</p> 532 532 {:else} 533 533 <table> 534 534 <thead> 535 535 <tr> 536 536 - <th>Code</th> 537 537 - <th>Available</th> 538 538 - <th>Uses</th> 539 539 - <th>Status</th> 540 540 - <th>Created</th> 541 541 - <th>Actions</th> 536 536 + <th>{$_('admin.code')}</th> 537 537 + <th>{$_('admin.available')}</th> 538 538 + <th>{$_('admin.uses')}</th> 539 539 + <th>{$_('admin.status')}</th> 540 540 + <th>{$_('admin.created')}</th> 541 541 + <th>{$_('admin.actions')}</th> 542 542 </tr> 543 543 </thead> 544 544 <tbody> ··· 549 549 <td>{invite.uses.length}</td> 550 550 <td> 551 551 {#if invite.disabled} 552 552 - <span class="badge deactivated">Disabled</span> 552 552 + <span class="badge deactivated">{$_('admin.disabled')}</span> 553 553 {:else if invite.available === 0} 554 554 - <span class="badge unverified">Exhausted</span> 554 554 + <span class="badge unverified">{$_('admin.exhausted')}</span> 555 555 {:else} 556 556 - <span class="badge verified">Active</span> 556 556 + <span class="badge verified">{$_('admin.active')}</span> 557 557 {/if} 558 558 </td> 559 559 <td class="date">{formatDate(invite.createdAt)}</td> 560 560 <td> 561 561 {#if !invite.disabled} 562 562 <button class="action-btn danger" onclick={() => disableInvite(invite.code)}> 563 563 - Disable 563 563 + {$_('admin.disable')} 564 564 </button> 565 565 {:else} 566 566 <span class="muted">-</span> ··· 572 572 </table> 573 573 {#if invitesCursor} 574 574 <button class="load-more" onclick={() => loadInvites(false)} disabled={invitesLoading}> 575 575 - {invitesLoading ? 'Loading...' : 'Load More'} 575 575 + {invitesLoading ? $_('admin.loading') : $_('admin.loadMore')} 576 576 </button> 577 577 {/if} 578 578 {/if} ··· 585 585 <div class="modal-overlay" onclick={closeUserDetail} onkeydown={(e) => e.key === 'Escape' && closeUserDetail()} role="presentation"> 586 586 <div class="modal" onclick={(e) => e.stopPropagation()} onkeydown={(e) => e.stopPropagation()} role="dialog" aria-modal="true" tabindex="-1"> 587 587 <div class="modal-header"> 588 588 - <h2>User Details</h2> 588 588 + <h2>{$_('admin.userDetails')}</h2> 589 589 <button class="close-btn" onclick={closeUserDetail}>&times;</button> 590 590 </div> 591 591 {#if userDetailLoading} 592 592 - <p class="loading">Loading...</p> 592 592 + <p class="loading">{$_('admin.loading')}</p> 593 593 {:else} 594 594 <div class="modal-body"> 595 595 <dl class="user-details"> 596 596 - <dt>Handle</dt> 596 596 + <dt>{$_('admin.handle')}</dt> 597 597 <dd>@{selectedUser.handle}</dd> 598 598 - <dt>DID</dt> 598 598 + <dt>{$_('admin.did')}</dt> 599 599 <dd class="mono">{selectedUser.did}</dd> 600 600 - <dt>Email</dt> 600 600 + <dt>{$_('admin.email')}</dt> 601 601 <dd>{selectedUser.email || '-'}</dd> 602 602 - <dt>Status</dt> 602 602 + <dt>{$_('admin.status')}</dt> 603 603 <dd> 604 604 {#if selectedUser.deactivatedAt} 605 605 - <span class="badge deactivated">Deactivated</span> 605 605 + <span class="badge deactivated">{$_('admin.deactivated')}</span> 606 606 {:else if selectedUser.emailConfirmedAt} 607 607 - <span class="badge verified">Verified</span> 607 607 + <span class="badge verified">{$_('admin.verified')}</span> 608 608 {:else} 609 609 - <span class="badge unverified">Unverified</span> 609 609 + <span class="badge unverified">{$_('admin.unverified')}</span> 610 610 {/if} 611 611 </dd> 612 612 - <dt>Created</dt> 612 612 + <dt>{$_('admin.created')}</dt> 613 613 <dd>{formatDateTime(selectedUser.indexedAt)}</dd> 614 614 - <dt>Invites</dt> 614 614 + <dt>{$_('admin.invites')}</dt> 615 615 <dd> 616 616 {#if selectedUser.invitesDisabled} 617 617 - <span class="badge deactivated">Disabled</span> 617 617 + <span class="badge deactivated">{$_('admin.disabled')}</span> 618 618 {:else} 619 619 - <span class="badge verified">Enabled</span> 619 619 + <span class="badge verified">{$_('admin.enabled')}</span> 620 620 {/if} 621 621 </dd> 622 622 </dl> ··· 626 626 onclick={toggleUserInvites} 627 627 disabled={userActionLoading} 628 628 > 629 629 - {selectedUser.invitesDisabled ? 'Enable Invites' : 'Disable Invites'} 629 629 + {selectedUser.invitesDisabled ? $_('admin.enableInvites') : $_('admin.disableInvites')} 630 630 </button> 631 631 <button 632 632 class="action-btn danger" 633 633 onclick={deleteUser} 634 634 disabled={userActionLoading} 635 635 > 636 636 - Delete Account 636 636 + {$_('admin.deleteAccount')} 637 637 </button> 638 638 </div> 639 639 </div> ··· 642 642 </div> 643 643 {/if} 644 644 {:else if auth.loading} 645 645 - <div class="loading">Loading...</div> 645 645 + <div class="loading">{$_('admin.loading')}</div> 646 646 {/if} 647 647 <style> 648 648 .page {

+10 -1

frontend/src/routes/Comms.svelte

··· 93 93 if (!auth.session || !verificationCode) return 94 94 verificationError = null 95 95 verificationSuccess = null 96 96 + 97 97 + let identifier = '' 98 98 + switch (channel) { 99 99 + case 'discord': identifier = discordId; break 100 100 + case 'telegram': identifier = telegramUsername; break 101 101 + case 'signal': identifier = signalNumber; break 102 102 + } 103 103 + if (!identifier) return 104 104 + 96 105 try { 97 97 - await api.confirmChannelVerification(auth.session.accessJwt, channel, verificationCode) 106 106 + await api.confirmChannelVerification(auth.session.accessJwt, channel, identifier, verificationCode) 98 107 await refreshSession() 99 108 verificationSuccess = $_('comms.verifiedSuccess', { values: { channel } }) 100 109 verificationCode = ''

+10 -4

frontend/src/routes/Register.svelte

··· 33 33 } 34 34 }) 35 35 36 36 + let creatingStarted = false 37 37 + $effect(() => { 38 38 + if (flow?.state.step === 'creating' && !creatingStarted) { 39 39 + creatingStarted = true 40 40 + flow.createPasswordAccount() 41 41 + } 42 42 + }) 43 43 + 36 44 async function loadServerInfo() { 37 45 try { 38 46 serverInfo = await api.describeServer() ··· 140 148 case 'verify': return `Verify your ${channelLabel(flow.info.verificationChannel)} to continue.` 141 149 case 'updated-did-doc': return 'Update your DID document with the PDS signing key.' 142 150 case 'activating': return 'Activating your account...' 143 143 - case 'complete': return 'Your account has been created successfully!' 151 151 + case 'redirect-to-dashboard': return 'Your account has been created successfully!' 144 152 default: return '' 145 153 } 146 154 } ··· 383 391 /> 384 392 385 393 {:else if flow.state.step === 'creating'} 386 386 - {#await flow.createPasswordAccount()} 387 387 - <p class="loading">{$_('register.creating')}</p> 388 388 - {/await} 394 394 + <p class="loading">{$_('register.creating')}</p> 389 395 390 396 {:else if flow.state.step === 'verify'} 391 397 <VerificationStep {flow} />

+96 -90

frontend/src/routes/RegisterPasskey.svelte

··· 34 34 } 35 35 }) 36 36 37 37 + let creatingStarted = false 38 38 + $effect(() => { 39 39 + if (flow?.state.step === 'creating' && !creatingStarted) { 40 40 + creatingStarted = true 41 41 + flow.createPasskeyAccount() 42 42 + } 43 43 + }) 44 44 + 37 45 async function loadServerInfo() { 38 46 try { 39 47 serverInfo = await api.describeServer() ··· 49 57 function validateInfoStep(): string | null { 50 58 if (!flow) return 'Flow not initialized' 51 59 const info = flow.info 52 52 - if (!info.handle.trim()) return 'Handle is required' 53 53 - if (info.handle.includes('.')) return 'Handle cannot contain dots. You can set up a custom domain handle after creating your account.' 60 60 + if (!info.handle.trim()) return $_('registerPasskey.errors.handleRequired') 61 61 + if (info.handle.includes('.')) return $_('registerPasskey.errors.handleNoDots') 54 62 if (serverInfo?.inviteCodeRequired && !info.inviteCode?.trim()) { 55 55 - return 'Invite code is required' 63 63 + return $_('registerPasskey.errors.inviteRequired') 56 64 } 57 65 if (info.didType === 'web-external') { 58 58 - if (!info.externalDid?.trim()) return 'External did:web is required' 59 59 - if (!info.externalDid.trim().startsWith('did:web:')) return 'External DID must start with did:web:' 66 66 + if (!info.externalDid?.trim()) return $_('registerPasskey.errors.externalDidRequired') 67 67 + if (!info.externalDid.trim().startsWith('did:web:')) return $_('registerPasskey.errors.externalDidFormat') 60 68 } 61 69 switch (info.verificationChannel) { 62 70 case 'email': 63 63 - if (!info.email.trim()) return 'Email is required for email verification' 71 71 + if (!info.email.trim()) return $_('registerPasskey.errors.emailRequired') 64 72 break 65 73 case 'discord': 66 66 - if (!info.discordId?.trim()) return 'Discord ID is required for Discord verification' 74 74 + if (!info.discordId?.trim()) return $_('registerPasskey.errors.discordRequired') 67 75 break 68 76 case 'telegram': 69 69 - if (!info.telegramUsername?.trim()) return 'Telegram username is required for Telegram verification' 77 77 + if (!info.telegramUsername?.trim()) return $_('registerPasskey.errors.telegramRequired') 70 78 break 71 79 case 'signal': 72 72 - if (!info.signalNumber?.trim()) return 'Phone number is required for Signal verification' 80 80 + if (!info.signalNumber?.trim()) return $_('registerPasskey.errors.signalRequired') 73 81 break 74 82 } 75 83 return null ··· 121 129 } 122 130 123 131 if (!window.PublicKeyCredential) { 124 124 - flow.setError('Passkeys are not supported in this browser. Please use a different browser or register with a password instead.') 132 132 + flow.setError($_('registerPasskey.errors.passkeysNotSupported')) 125 133 return 126 134 } 127 135 ··· 153 161 }) 154 162 155 163 if (!credential) { 156 156 - flow.setError('Passkey creation was cancelled') 164 164 + flow.setError($_('registerPasskey.errors.passkeyCancelled')) 157 165 flow.setSubmitting(false) 158 166 return 159 167 } ··· 180 188 flow.setPasskeyComplete(result.appPassword, result.appPasswordName) 181 189 } catch (err) { 182 190 if (err instanceof DOMException && err.name === 'NotAllowedError') { 183 183 - flow.setError('Passkey creation was cancelled') 191 191 + flow.setError($_('registerPasskey.errors.passkeyCancelled')) 184 192 } else if (err instanceof ApiError) { 185 185 - flow.setError(err.message || 'Passkey registration failed') 193 193 + flow.setError(err.message || $_('registerPasskey.errors.passkeyFailed')) 186 194 } else if (err instanceof Error) { 187 187 - flow.setError(err.message || 'Passkey registration failed') 195 195 + flow.setError(err.message || $_('registerPasskey.errors.passkeyFailed')) 188 196 } else { 189 189 - flow.setError('Passkey registration failed') 197 197 + flow.setError($_('registerPasskey.errors.passkeyFailed')) 190 198 } 191 199 } finally { 192 200 flow.setSubmitting(false) ··· 207 215 208 216 function channelLabel(ch: string): string { 209 217 switch (ch) { 210 210 - case 'email': return 'Email' 211 211 - case 'discord': return 'Discord' 212 212 - case 'telegram': return 'Telegram' 213 213 - case 'signal': return 'Signal' 218 218 + case 'email': return $_('register.email') 219 219 + case 'discord': return $_('register.discord') 220 220 + case 'telegram': return $_('register.telegram') 221 221 + case 'signal': return $_('register.signal') 214 222 default: return ch 215 223 } 216 224 } ··· 230 238 function getSubtitle(): string { 231 239 if (!flow) return '' 232 240 switch (flow.state.step) { 233 233 - case 'info': return 'Create an ultra-secure account using a passkey instead of a password.' 234 234 - case 'key-choice': return 'Choose how to set up your external did:web identity.' 235 235 - case 'initial-did-doc': return 'Upload your DID document to continue.' 236 236 - case 'creating': return 'Creating your account...' 237 237 - case 'passkey': return 'Register your passkey to secure your account.' 238 238 - case 'app-password': return 'Save your app password for third-party apps.' 239 239 - case 'verify': return `Verify your ${channelLabel(flow.info.verificationChannel)} to continue.` 240 240 - case 'updated-did-doc': return 'Update your DID document with the PDS signing key.' 241 241 - case 'activating': return 'Activating your account...' 242 242 - case 'complete': return 'Your account has been created successfully!' 241 241 + case 'info': return $_('registerPasskey.subtitle') 242 242 + case 'key-choice': return $_('registerPasskey.subtitleKeyChoice') 243 243 + case 'initial-did-doc': return $_('registerPasskey.subtitleInitialDidDoc') 244 244 + case 'creating': return $_('registerPasskey.subtitleCreating') 245 245 + case 'passkey': return $_('registerPasskey.subtitlePasskey') 246 246 + case 'app-password': return $_('registerPasskey.subtitleAppPassword') 247 247 + case 'verify': return $_('registerPasskey.subtitleVerify', { values: { channel: channelLabel(flow.info.verificationChannel) } }) 248 248 + case 'updated-did-doc': return $_('registerPasskey.subtitleUpdatedDidDoc') 249 249 + case 'activating': return $_('registerPasskey.subtitleActivating') 250 250 + case 'redirect-to-dashboard': return $_('registerPasskey.subtitleComplete') 243 251 default: return '' 244 252 } 245 253 } ··· 259 267 </div> 260 268 {/if} 261 269 262 262 - <h1>Create Passkey Account</h1> 270 270 + <h1>{$_('registerPasskey.title')}</h1> 263 271 <p class="subtitle">{getSubtitle()}</p> 264 272 265 273 {#if flow?.state.error} ··· 267 275 {/if} 268 276 269 277 {#if loadingServerInfo || !flow} 270 270 - <p class="loading">Loading...</p> 278 278 + <p class="loading">{$_('registerPasskey.loading')}</p> 271 279 272 280 {:else if flow.state.step === 'info'} 273 281 <form onsubmit={handleInfoSubmit}> 274 282 <div class="field"> 275 275 - <label for="handle">Handle</label> 283 283 + <label for="handle">{$_('registerPasskey.handle')}</label> 276 284 <input 277 285 id="handle" 278 286 type="text" 279 287 bind:value={flow.info.handle} 280 280 - placeholder="yourname" 288 288 + placeholder={$_('registerPasskey.handlePlaceholder')} 281 289 disabled={flow.state.submitting} 282 290 required 283 291 /> 284 292 {#if flow.info.handle.includes('.')} 285 285 - <p class="hint warning">Custom domain handles can be set up after account creation.</p> 293 293 + <p class="hint warning">{$_('registerPasskey.handleDotWarning')}</p> 286 294 {:else if fullHandle()} 287 287 - <p class="hint">Your full handle will be: @{fullHandle()}</p> 295 295 + <p class="hint">{$_('registerPasskey.handleHint', { values: { handle: fullHandle() } })}</p> 288 296 {/if} 289 297 </div> 290 298 291 299 <fieldset class="section-fieldset"> 292 292 - <legend>Contact Method</legend> 293 293 - <p class="section-hint">Choose how you'd like to verify your account and receive notifications.</p> 300 300 + <legend>{$_('registerPasskey.contactMethod')}</legend> 301 301 + <p class="section-hint">{$_('registerPasskey.contactMethodHint')}</p> 294 302 <div class="field"> 295 295 - <label for="verification-channel">Verification Method</label> 303 303 + <label for="verification-channel">{$_('registerPasskey.verificationMethod')}</label> 296 304 <select id="verification-channel" bind:value={flow.info.verificationChannel} disabled={flow.state.submitting}> 297 297 - <option value="email">Email</option> 305 305 + <option value="email">{$_('register.email')}</option> 298 306 <option value="discord" disabled={!isChannelAvailable('discord')}> 299 299 - Discord{isChannelAvailable('discord') ? '' : ` (${$_('register.notConfigured')})`} 307 307 + {$_('register.discord')}{isChannelAvailable('discord') ? '' : ` (${$_('register.notConfigured')})`} 300 308 </option> 301 309 <option value="telegram" disabled={!isChannelAvailable('telegram')}> 302 302 - Telegram{isChannelAvailable('telegram') ? '' : ` (${$_('register.notConfigured')})`} 310 310 + {$_('register.telegram')}{isChannelAvailable('telegram') ? '' : ` (${$_('register.notConfigured')})`} 303 311 </option> 304 312 <option value="signal" disabled={!isChannelAvailable('signal')}> 305 305 - Signal{isChannelAvailable('signal') ? '' : ` (${$_('register.notConfigured')})`} 313 313 + {$_('register.signal')}{isChannelAvailable('signal') ? '' : ` (${$_('register.notConfigured')})`} 306 314 </option> 307 315 </select> 308 316 </div> 309 317 {#if flow.info.verificationChannel === 'email'} 310 318 <div class="field"> 311 311 - <label for="email">Email Address</label> 312 312 - <input id="email" type="email" bind:value={flow.info.email} placeholder="you@example.com" disabled={flow.state.submitting} required /> 319 319 + <label for="email">{$_('registerPasskey.email')}</label> 320 320 + <input id="email" type="email" bind:value={flow.info.email} placeholder={$_('registerPasskey.emailPlaceholder')} disabled={flow.state.submitting} required /> 313 321 </div> 314 322 {:else if flow.info.verificationChannel === 'discord'} 315 323 <div class="field"> 316 316 - <label for="discord-id">Discord User ID</label> 317 317 - <input id="discord-id" type="text" bind:value={flow.info.discordId} placeholder="Your Discord user ID" disabled={flow.state.submitting} required /> 318 318 - <p class="hint">Your numeric Discord user ID (enable Developer Mode to find it)</p> 324 324 + <label for="discord-id">{$_('register.discordId')}</label> 325 325 + <input id="discord-id" type="text" bind:value={flow.info.discordId} placeholder={$_('register.discordIdPlaceholder')} disabled={flow.state.submitting} required /> 326 326 + <p class="hint">{$_('register.discordIdHint')}</p> 319 327 </div> 320 328 {:else if flow.info.verificationChannel === 'telegram'} 321 329 <div class="field"> 322 322 - <label for="telegram-username">Telegram Username</label> 323 323 - <input id="telegram-username" type="text" bind:value={flow.info.telegramUsername} placeholder="@yourusername" disabled={flow.state.submitting} required /> 330 330 + <label for="telegram-username">{$_('register.telegramUsername')}</label> 331 331 + <input id="telegram-username" type="text" bind:value={flow.info.telegramUsername} placeholder={$_('register.telegramUsernamePlaceholder')} disabled={flow.state.submitting} required /> 324 332 </div> 325 333 {:else if flow.info.verificationChannel === 'signal'} 326 334 <div class="field"> 327 327 - <label for="signal-number">Signal Phone Number</label> 328 328 - <input id="signal-number" type="tel" bind:value={flow.info.signalNumber} placeholder="+1234567890" disabled={flow.state.submitting} required /> 329 329 - <p class="hint">Include country code (e.g., +1 for US)</p> 335 335 + <label for="signal-number">{$_('register.signalNumber')}</label> 336 336 + <input id="signal-number" type="tel" bind:value={flow.info.signalNumber} placeholder={$_('register.signalNumberPlaceholder')} disabled={flow.state.submitting} required /> 337 337 + <p class="hint">{$_('register.signalNumberHint')}</p> 330 338 </div> 331 339 {/if} 332 340 </fieldset> 333 341 334 342 <fieldset class="section-fieldset"> 335 335 - <legend>Identity Type</legend> 336 336 - <p class="section-hint">Choose how your decentralized identity will be managed.</p> 343 343 + <legend>{$_('registerPasskey.identityType')}</legend> 344 344 + <p class="section-hint">{$_('registerPasskey.identityTypeHint')}</p> 337 345 <div class="radio-group"> 338 346 <label class="radio-label"> 339 347 <input type="radio" name="didType" value="plc" bind:group={flow.info.didType} disabled={flow.state.submitting} /> 340 348 <span class="radio-content"> 341 341 - <strong>did:plc</strong> (Recommended) 342 342 - <span class="radio-hint">Portable identity managed by PLC Directory</span> 349 349 + <strong>{$_('registerPasskey.didPlcRecommended')}</strong> 350 350 + <span class="radio-hint">{$_('registerPasskey.didPlcHint')}</span> 343 351 </span> 344 352 </label> 345 353 <label class="radio-label"> 346 354 <input type="radio" name="didType" value="web" bind:group={flow.info.didType} disabled={flow.state.submitting} /> 347 355 <span class="radio-content"> 348 348 - <strong>did:web</strong> 349 349 - <span class="radio-hint">Identity hosted on this PDS (read warning below)</span> 356 356 + <strong>{$_('registerPasskey.didWeb')}</strong> 357 357 + <span class="radio-hint">{$_('registerPasskey.didWebHint')}</span> 350 358 </span> 351 359 </label> 352 360 <label class="radio-label"> 353 361 <input type="radio" name="didType" value="web-external" bind:group={flow.info.didType} disabled={flow.state.submitting} /> 354 362 <span class="radio-content"> 355 355 - <strong>did:web (BYOD)</strong> 356 356 - <span class="radio-hint">Bring your own domain</span> 363 363 + <strong>{$_('registerPasskey.didWebBYOD')}</strong> 364 364 + <span class="radio-hint">{$_('registerPasskey.didWebBYODHint')}</span> 357 365 </span> 358 366 </label> 359 367 </div> 360 368 {#if flow.info.didType === 'web'} 361 369 <div class="warning-box"> 362 362 - <strong>Important: Understand the trade-offs</strong> 370 370 + <strong>{$_('registerPasskey.didWebWarningTitle')}</strong> 363 371 <ul> 364 364 - <li><strong>Permanent tie to this PDS:</strong> Your identity will be <code>did:web:yourhandle.{serverInfo?.availableUserDomains?.[0] || 'this-pds.com'}</code>.</li> 365 365 - <li><strong>No recovery mechanism:</strong> Unlike did:plc, did:web has no rotation keys.</li> 366 366 - <li><strong>We commit to you:</strong> If you migrate away, we will continue serving a minimal DID document.</li> 367 367 - <li><strong>Recommendation:</strong> Choose did:plc unless you have a specific reason to prefer did:web.</li> 372 372 + <li><strong>{$_('registerPasskey.didWebWarning1')}</strong> Your identity will be <code>did:web:yourhandle.{serverInfo?.availableUserDomains?.[0] || 'this-pds.com'}</code>.</li> 373 373 + <li><strong>{$_('registerPasskey.didWebWarning2')}</strong> {$_('registerPasskey.didWebWarning2Detail')}</li> 374 374 + <li><strong>{$_('registerPasskey.didWebWarning3')}</strong> {$_('registerPasskey.didWebWarning3Detail')}</li> 375 375 + <li><strong>{$_('registerPasskey.didWebWarning4')}</strong> {$_('registerPasskey.didWebWarning4Detail')}</li> 368 376 </ul> 369 377 </div> 370 378 {/if} 371 379 {#if flow.info.didType === 'web-external'} 372 380 <div class="field"> 373 373 - <label for="external-did">Your did:web</label> 374 374 - <input id="external-did" type="text" bind:value={flow.info.externalDid} placeholder="did:web:yourdomain.com" disabled={flow.state.submitting} required /> 375 375 - <p class="hint">You'll need to serve a DID document at <code>https://{flow.info.externalDid ? extractDomain(flow.info.externalDid) : 'yourdomain.com'}/.well-known/did.json</code></p> 381 381 + <label for="external-did">{$_('registerPasskey.externalDid')}</label> 382 382 + <input id="external-did" type="text" bind:value={flow.info.externalDid} placeholder={$_('registerPasskey.externalDidPlaceholder')} disabled={flow.state.submitting} required /> 383 383 + <p class="hint">{$_('registerPasskey.externalDidHint')} <code>https://{flow.info.externalDid ? extractDomain(flow.info.externalDid) : 'yourdomain.com'}/.well-known/did.json</code></p> 376 384 </div> 377 385 {/if} 378 386 </fieldset> 379 387 380 388 {#if serverInfo?.inviteCodeRequired} 381 389 <div class="field"> 382 382 - <label for="invite-code">Invite Code <span class="required">*</span></label> 383 383 - <input id="invite-code" type="text" bind:value={flow.info.inviteCode} placeholder="Enter your invite code" disabled={flow.state.submitting} required /> 390 390 + <label for="invite-code">{$_('registerPasskey.inviteCode')} <span class="required">*</span></label> 391 391 + <input id="invite-code" type="text" bind:value={flow.info.inviteCode} placeholder={$_('registerPasskey.inviteCodePlaceholder')} disabled={flow.state.submitting} required /> 384 392 </div> 385 393 {/if} 386 394 387 395 <div class="info-box"> 388 388 - <strong>Why passkey-only?</strong> 389 389 - <p>Passkey accounts are more secure than password-based accounts because they:</p> 396 396 + <strong>{$_('registerPasskey.whyPasskeyOnly')}</strong> 397 397 + <p>{$_('registerPasskey.whyPasskeyOnlyDesc')}</p> 390 398 <ul> 391 391 - <li>Cannot be phished or stolen in data breaches</li> 392 392 - <li>Use hardware-backed cryptographic keys</li> 393 393 - <li>Require your biometric or device PIN to use</li> 399 399 + <li>{$_('registerPasskey.whyPasskeyBullet1')}</li> 400 400 + <li>{$_('registerPasskey.whyPasskeyBullet2')}</li> 401 401 + <li>{$_('registerPasskey.whyPasskeyBullet3')}</li> 394 402 </ul> 395 403 </div> 396 404 397 405 <button type="submit" disabled={flow.state.submitting}> 398 398 - {flow.state.submitting ? 'Creating account...' : 'Continue'} 406 406 + {flow.state.submitting ? $_('registerPasskey.creating') : $_('registerPasskey.continue')} 399 407 </button> 400 408 </form> 401 409 402 410 <p class="link-text"> 403 403 - Want a traditional password? <a href="#/register">Register with password</a> 411 411 + {$_('registerPasskey.wantTraditional')} <a href="#/register">{$_('registerPasskey.registerWithPassword')}</a> 404 412 </p> 405 413 406 414 {:else if flow.state.step === 'key-choice'} ··· 415 423 /> 416 424 417 425 {:else if flow.state.step === 'creating'} 418 418 - {#await flow.createPasskeyAccount()} 419 419 - <p class="loading">Creating your account...</p> 420 420 - {/await} 426 426 + <p class="loading">{$_('registerPasskey.subtitleCreating')}</p> 421 427 422 428 {:else if flow.state.step === 'passkey'} 423 429 <div class="step-content"> 424 430 <div class="field"> 425 425 - <label for="passkey-name">Passkey Name (optional)</label> 426 426 - <input id="passkey-name" type="text" bind:value={passkeyName} placeholder="e.g., MacBook Touch ID" disabled={flow.state.submitting} /> 427 427 - <p class="hint">A friendly name to identify this passkey</p> 431 431 + <label for="passkey-name">{$_('registerPasskey.passkeyNameLabel')}</label> 432 432 + <input id="passkey-name" type="text" bind:value={passkeyName} placeholder={$_('registerPasskey.passkeyNamePlaceholder')} disabled={flow.state.submitting} /> 433 433 + <p class="hint">{$_('registerPasskey.passkeyNameHint')}</p> 428 434 </div> 429 435 430 436 <div class="info-box"> 431 431 - <p>Click the button below to create your passkey. You'll be prompted to use:</p> 437 437 + <p>{$_('registerPasskey.passkeyPrompt')}</p> 432 438 <ul> 433 433 - <li>Touch ID or Face ID</li> 434 434 - <li>Your device PIN or password</li> 435 435 - <li>A security key (if you have one)</li> 439 439 + <li>{$_('registerPasskey.passkeyPromptBullet1')}</li> 440 440 + <li>{$_('registerPasskey.passkeyPromptBullet2')}</li> 441 441 + <li>{$_('registerPasskey.passkeyPromptBullet3')}</li> 436 442 </ul> 437 443 </div> 438 444 439 445 <button onclick={handlePasskeyRegistration} disabled={flow.state.submitting} class="passkey-btn"> 440 440 - {flow.state.submitting ? 'Creating Passkey...' : 'Create Passkey'} 446 446 + {flow.state.submitting ? $_('registerPasskey.creatingPasskey') : $_('registerPasskey.createPasskey')} 441 447 </button> 442 448 443 449 <button type="button" class="secondary" onclick={() => flow?.goBack()} disabled={flow.state.submitting}> 444 444 - Back 450 450 + {$_('registerPasskey.back')} 445 451 </button> 446 452 </div> 447 453 ··· 459 465 /> 460 466 461 467 {:else if flow.state.step === 'redirect-to-dashboard'} 462 462 - <p class="loading">Redirecting to dashboard...</p> 468 468 + <p class="loading">{$_('registerPasskey.redirecting')}</p> 463 469 {/if} 464 470 </div> 465 471

+1 -1

frontend/src/routes/Settings.svelte

··· 55 55 const result = await api.requestEmailUpdate(auth.session.accessJwt, newEmail) 56 56 emailTokenRequired = result.tokenRequired 57 57 if (emailTokenRequired) { 58 58 - showMessage('success', $_('settings.messages.verificationCodeSent')) 58 58 + showMessage('success', $_('settings.messages.emailCodeSent')) 59 59 } else { 60 60 await api.updateEmail(auth.session.accessJwt, newEmail) 61 61 await refreshSession()

+231 -28

frontend/src/routes/Verify.svelte

··· 1 1 <script lang="ts"> 2 2 + import { onMount } from 'svelte' 2 3 import { confirmSignup, resendVerification, getAuthState } from '../lib/auth.svelte' 4 4 + import { api, ApiError } from '../lib/api' 3 5 import { navigate } from '../lib/router.svelte' 4 6 import { _ } from '../lib/i18n' 5 7 ··· 11 13 channel: string 12 14 } 13 15 16 16 + type VerificationMode = 'signup' | 'token' 17 17 + 18 18 + let mode = $state<VerificationMode>('signup') 14 19 let pendingVerification = $state<PendingVerification | null>(null) 15 20 let verificationCode = $state('') 21 21 + let identifier = $state('') 16 22 let submitting = $state(false) 17 23 let resendingCode = $state(false) 18 24 let error = $state<string | null>(null) 19 25 let resendMessage = $state<string | null>(null) 26 26 + let success = $state(false) 27 27 + let autoSubmitting = $state(false) 28 28 + let successPurpose = $state<string | null>(null) 29 29 + let successChannel = $state<string | null>(null) 20 30 21 31 const auth = getAuthState() 22 32 23 23 - $effect(() => { 24 24 - if (auth.session) { 25 25 - clearPendingVerification() 26 26 - navigate('/dashboard') 33 33 + 34 34 + function parseQueryParams() { 35 35 + const hash = window.location.hash 36 36 + const queryIndex = hash.indexOf('?') 37 37 + if (queryIndex === -1) return {} 38 38 + 39 39 + const queryString = hash.slice(queryIndex + 1) 40 40 + const params: Record<string, string> = {} 41 41 + for (const pair of queryString.split('&')) { 42 42 + const [key, value] = pair.split('=') 43 43 + if (key && value) { 44 44 + params[decodeURIComponent(key)] = decodeURIComponent(value) 45 45 + } 46 46 + } 47 47 + return params 48 48 + } 49 49 + 50 50 + onMount(async () => { 51 51 + const params = parseQueryParams() 52 52 + 53 53 + if (params.token) { 54 54 + mode = 'token' 55 55 + verificationCode = params.token 56 56 + if (params.identifier) { 57 57 + identifier = params.identifier 58 58 + } 59 59 + if (verificationCode && identifier) { 60 60 + autoSubmitting = true 61 61 + await handleTokenVerification() 62 62 + autoSubmitting = false 63 63 + } 64 64 + } else { 65 65 + mode = 'signup' 66 66 + const stored = localStorage.getItem(STORAGE_KEY) 67 67 + if (stored) { 68 68 + try { 69 69 + pendingVerification = JSON.parse(stored) 70 70 + } catch { 71 71 + pendingVerification = null 72 72 + } 73 73 + } 27 74 } 28 75 }) 29 76 30 77 $effect(() => { 31 31 - const stored = localStorage.getItem(STORAGE_KEY) 32 32 - if (stored) { 33 33 - try { 34 34 - pendingVerification = JSON.parse(stored) 35 35 - } catch { 36 36 - pendingVerification = null 37 37 - } 78 78 + if (mode === 'signup' && auth.session) { 79 79 + clearPendingVerification() 80 80 + navigate('/dashboard') 38 81 } 39 82 }) 40 83 ··· 43 86 pendingVerification = null 44 87 } 45 88 46 46 - async function handleVerification(e: Event) { 89 89 + async function handleSignupVerification(e: Event) { 47 90 e.preventDefault() 48 91 if (!pendingVerification || !verificationCode.trim()) return 49 92 ··· 61 104 } 62 105 } 63 106 64 64 - async function handleResendCode() { 65 65 - if (!pendingVerification || resendingCode) return 107 107 + async function handleTokenVerification() { 108 108 + if (!verificationCode.trim() || !identifier.trim()) return 66 109 67 67 - resendingCode = true 68 68 - resendMessage = null 110 110 + submitting = true 69 111 error = null 70 112 71 113 try { 72 72 - await resendVerification(pendingVerification.did) 73 73 - resendMessage = 'Verification code resent!' 114 114 + const result = await api.verifyToken( 115 115 + verificationCode.trim(), 116 116 + identifier.trim(), 117 117 + auth.session?.accessJwt 118 118 + ) 119 119 + success = true 120 120 + successPurpose = result.purpose 121 121 + successChannel = result.channel 74 122 } catch (e: any) { 75 75 - error = e.message || 'Failed to resend code' 123 123 + if (e instanceof ApiError) { 124 124 + if (e.error === 'AuthenticationRequired') { 125 125 + error = 'You must be signed in to complete this verification. Please sign in and try again.' 126 126 + } else { 127 127 + error = e.message 128 128 + } 129 129 + } else { 130 130 + error = 'Verification failed' 131 131 + } 76 132 } finally { 77 77 - resendingCode = false 133 133 + submitting = false 134 134 + } 135 135 + } 136 136 + 137 137 + async function handleResendCode() { 138 138 + if (mode === 'signup') { 139 139 + if (!pendingVerification || resendingCode) return 140 140 + 141 141 + resendingCode = true 142 142 + resendMessage = null 143 143 + error = null 144 144 + 145 145 + try { 146 146 + await resendVerification(pendingVerification.did) 147 147 + resendMessage = $_('verify.codeResent') 148 148 + } catch (e: any) { 149 149 + error = e.message || 'Failed to resend code' 150 150 + } finally { 151 151 + resendingCode = false 152 152 + } 153 153 + } else { 154 154 + if (!identifier.trim() || resendingCode) return 155 155 + 156 156 + resendingCode = true 157 157 + resendMessage = null 158 158 + error = null 159 159 + 160 160 + try { 161 161 + await api.resendMigrationVerification(identifier.trim()) 162 162 + resendMessage = $_('verify.codeResentDetail') 163 163 + } catch (e: any) { 164 164 + error = e.message || 'Failed to resend verification' 165 165 + } finally { 166 166 + resendingCode = false 167 167 + } 78 168 } 79 169 } 80 170 ··· 87 177 default: return ch 88 178 } 89 179 } 180 180 + 181 181 + function goToNextStep() { 182 182 + if (successPurpose === 'migration') { 183 183 + navigate('/login') 184 184 + } else if (successChannel === 'email') { 185 185 + navigate('/settings') 186 186 + } else { 187 187 + navigate('/comms') 188 188 + } 189 189 + } 90 190 </script> 91 191 92 192 <div class="verify-page"> 93 93 - {#if error} 94 94 - <div class="message error">{error}</div> 95 95 - {/if} 193 193 + {#if autoSubmitting} 194 194 + <div class="loading-container"> 195 195 + <h1>{$_('verify.verifying')}</h1> 196 196 + <p class="subtitle">{$_('verify.pleaseWait')}</p> 197 197 + </div> 198 198 + {:else if success} 199 199 + <div class="success-container"> 200 200 + <h1>{$_('verify.verified')}</h1> 201 201 + {#if successPurpose === 'migration' || successPurpose === 'signup'} 202 202 + <p class="subtitle">{$_('verify.channelVerified', { values: { channel: channelLabel(successChannel || '') } })}</p> 203 203 + <p class="info-text">{$_('verify.canNowSignIn')}</p> 204 204 + <div class="actions"> 205 205 + <a href="#/login" class="btn">{$_('verify.signIn')}</a> 206 206 + </div> 207 207 + {:else} 208 208 + <p class="subtitle"> 209 209 + {$_('verify.channelVerified', { values: { channel: channelLabel(successChannel || '') } })} 210 210 + </p> 211 211 + <div class="actions"> 212 212 + <button class="btn" onclick={goToNextStep}>{$_('verify.continue')}</button> 213 213 + </div> 214 214 + {/if} 215 215 + </div> 216 216 + {:else if mode === 'token'} 217 217 + <h1>{$_('verify.tokenTitle')}</h1> 218 218 + <p class="subtitle">{$_('verify.tokenSubtitle')}</p> 219 219 + 220 220 + {#if error} 221 221 + <div class="message error">{error}</div> 222 222 + {/if} 223 223 + 224 224 + {#if resendMessage} 225 225 + <div class="message success">{resendMessage}</div> 226 226 + {/if} 227 227 + 228 228 + <form onsubmit={(e) => { e.preventDefault(); handleTokenVerification(); }}> 229 229 + <div class="field"> 230 230 + <label for="identifier">{$_('verify.identifierLabel')}</label> 231 231 + <input 232 232 + id="identifier" 233 233 + type="text" 234 234 + bind:value={identifier} 235 235 + placeholder={$_('verify.identifierPlaceholder')} 236 236 + disabled={submitting} 237 237 + required 238 238 + autocomplete="email" 239 239 + /> 240 240 + <p class="field-help">{$_('verify.identifierHelp')}</p> 241 241 + </div> 242 242 + 243 243 + <div class="field"> 244 244 + <label for="verification-code">{$_('verify.codeLabel')}</label> 245 245 + <input 246 246 + id="verification-code" 247 247 + type="text" 248 248 + bind:value={verificationCode} 249 249 + placeholder={$_('verify.codePlaceholder')} 250 250 + disabled={submitting} 251 251 + required 252 252 + autocomplete="off" 253 253 + class="token-input" 254 254 + /> 255 255 + <p class="field-help">{$_('verify.codeHelp')}</p> 256 256 + </div> 96 257 97 97 - {#if pendingVerification} 258 258 + <button type="submit" disabled={submitting || !verificationCode.trim() || !identifier.trim()}> 259 259 + {submitting ? $_('verify.verifying') : $_('verify.verify')} 260 260 + </button> 261 261 + 262 262 + <button type="button" class="secondary" onclick={handleResendCode} disabled={resendingCode || !identifier.trim()}> 263 263 + {resendingCode ? $_('verify.sending') : $_('verify.resendCode')} 264 264 + </button> 265 265 + </form> 266 266 + 267 267 + <p class="link-text"> 268 268 + <a href="#/login">{$_('verify.backToLogin')}</a> 269 269 + </p> 270 270 + {:else if pendingVerification} 98 271 <h1>{$_('verify.title')}</h1> 99 272 <p class="subtitle"> 100 273 {$_('verify.subtitle', { values: { channel: channelLabel(pendingVerification.channel) } })} 101 274 </p> 102 275 <p class="handle-info">{$_('verify.verifyingAccount', { values: { handle: pendingVerification.handle } })}</p> 103 276 277 277 + {#if error} 278 278 + <div class="message error">{error}</div> 279 279 + {/if} 280 280 + 104 281 {#if resendMessage} 105 282 <div class="message success">{resendMessage}</div> 106 283 {/if} 107 284 108 108 - <form onsubmit={(e) => { e.preventDefault(); handleVerification(e); }}> 285 285 + <form onsubmit={(e) => { e.preventDefault(); handleSignupVerification(e); }}> 109 286 <div class="field"> 110 287 <label for="verification-code">{$_('verify.codeLabel')}</label> 111 288 <input ··· 115 292 placeholder={$_('verify.codePlaceholder')} 116 293 disabled={submitting} 117 294 required 118 118 - maxlength="6" 119 119 - inputmode="numeric" 120 120 - autocomplete="one-time-code" 295 295 + autocomplete="off" 296 296 + class="token-input" 121 297 /> 298 298 + <p class="field-help">{$_('verify.codeHelp')}</p> 122 299 </div> 123 300 124 301 <button type="submit" disabled={submitting || !verificationCode.trim()}> ··· 178 355 gap: var(--space-4); 179 356 } 180 357 358 358 + .field-help { 359 359 + font-size: var(--text-xs); 360 360 + color: var(--text-secondary); 361 361 + margin: var(--space-1) 0 0 0; 362 362 + } 363 363 + 364 364 + .token-input { 365 365 + font-family: var(--font-mono); 366 366 + letter-spacing: 0.05em; 367 367 + } 368 368 + 181 369 .link-text { 182 370 text-align: center; 183 371 margin-top: var(--space-6); ··· 222 410 .btn.secondary:hover { 223 411 background: var(--accent); 224 412 color: var(--text-inverse); 413 413 + } 414 414 + 415 415 + .success-container, 416 416 + .loading-container { 417 417 + text-align: center; 418 418 + } 419 419 + 420 420 + .success-container .actions { 421 421 + justify-content: center; 422 422 + margin-top: var(--space-6); 423 423 + } 424 424 + 425 425 + .success-container .btn { 426 426 + flex: none; 427 427 + padding: var(--space-4) var(--space-8); 225 428 } 226 429 </style>

+1

migrations/20251232_add_migration_verification_comms_type.sql

··· 1 1 + ALTER TYPE comms_type ADD VALUE IF NOT EXISTS 'migration_verification';

+1

migrations/20251233_remove_channel_verifications.sql

··· 1 1 + DROP TABLE IF EXISTS channel_verifications;

+34 -28

src/api/admin/config.rs

··· 1 1 use crate::api::error::ApiError; 2 2 use crate::auth::BearerAuthAdmin; 3 3 use crate::state::AppState; 4 4 - use axum::{extract::State, Json}; 4 4 + use axum::{Json, extract::State}; 5 5 use serde::{Deserialize, Serialize}; 6 6 use tracing::error; 7 7 ··· 80 80 async fn upsert_config(db: &sqlx::PgPool, key: &str, value: &str) -> Result<(), sqlx::Error> { 81 81 sqlx::query( 82 82 "INSERT INTO server_config (key, value, updated_at) VALUES ($1, $2, NOW()) 83 83 - ON CONFLICT (key) DO UPDATE SET value = $2, updated_at = NOW()" 83 83 + ON CONFLICT (key) DO UPDATE SET value = $2, updated_at = NOW()", 84 84 ) 85 85 .bind(key) 86 86 .bind(value) ··· 105 105 if let Some(server_name) = req.server_name { 106 106 let trimmed = server_name.trim(); 107 107 if trimmed.is_empty() || trimmed.len() > 100 { 108 108 - return Err(ApiError::InvalidRequest("Server name must be 1-100 characters".into())); 108 108 + return Err(ApiError::InvalidRequest( 109 109 + "Server name must be 1-100 characters".into(), 110 110 + )); 109 111 } 110 112 upsert_config(&state.db, "server_name", trimmed).await?; 111 113 } ··· 116 118 } else if is_valid_hex_color(color) { 117 119 upsert_config(&state.db, "primary_color", color).await?; 118 120 } else { 119 119 - return Err(ApiError::InvalidRequest("Invalid primary color format (expected #RRGGBB)".into())); 121 121 + return Err(ApiError::InvalidRequest( 122 122 + "Invalid primary color format (expected #RRGGBB)".into(), 123 123 + )); 120 124 } 121 125 } 122 126 ··· 126 130 } else if is_valid_hex_color(color) { 127 131 upsert_config(&state.db, "primary_color_dark", color).await?; 128 132 } else { 129 129 - return Err(ApiError::InvalidRequest("Invalid primary dark color format (expected #RRGGBB)".into())); 133 133 + return Err(ApiError::InvalidRequest( 134 134 + "Invalid primary dark color format (expected #RRGGBB)".into(), 135 135 + )); 130 136 } 131 137 } 132 138 ··· 136 142 } else if is_valid_hex_color(color) { 137 143 upsert_config(&state.db, "secondary_color", color).await?; 138 144 } else { 139 139 - return Err(ApiError::InvalidRequest("Invalid secondary color format (expected #RRGGBB)".into())); 145 145 + return Err(ApiError::InvalidRequest( 146 146 + "Invalid secondary color format (expected #RRGGBB)".into(), 147 147 + )); 140 148 } 141 149 } 142 150 ··· 146 154 } else if is_valid_hex_color(color) { 147 155 upsert_config(&state.db, "secondary_color_dark", color).await?; 148 156 } else { 149 149 - return Err(ApiError::InvalidRequest("Invalid secondary dark color format (expected #RRGGBB)".into())); 157 157 + return Err(ApiError::InvalidRequest( 158 158 + "Invalid secondary dark color format (expected #RRGGBB)".into(), 159 159 + )); 150 160 } 151 161 } 152 162 153 163 if let Some(ref logo_cid) = req.logo_cid { 154 154 - let old_logo_cid: Option<String> = sqlx::query_scalar( 155 155 - "SELECT value FROM server_config WHERE key = 'logo_cid'" 156 156 - ) 157 157 - .fetch_optional(&state.db) 158 158 - .await?; 164 164 + let old_logo_cid: Option<String> = 165 165 + sqlx::query_scalar("SELECT value FROM server_config WHERE key = 'logo_cid'") 166 166 + .fetch_optional(&state.db) 167 167 + .await?; 159 168 160 169 let should_delete_old = match (&old_logo_cid, logo_cid.is_empty()) { 161 170 (Some(old), true) => Some(old.clone()), ··· 163 172 _ => None, 164 173 }; 165 174 166 166 - if let Some(old_cid) = should_delete_old { 167 167 - if let Ok(Some(blob)) = sqlx::query!( 168 168 - "SELECT storage_key FROM blobs WHERE cid = $1", 169 169 - old_cid 170 170 - ) 171 171 - .fetch_optional(&state.db) 172 172 - .await 175 175 + if let Some(old_cid) = should_delete_old 176 176 + && let Ok(Some(blob)) = 177 177 + sqlx::query!("SELECT storage_key FROM blobs WHERE cid = $1", old_cid) 178 178 + .fetch_optional(&state.db) 179 179 + .await 180 180 + { 181 181 + if let Err(e) = state.blob_store.delete(&blob.storage_key).await { 182 182 + error!("Failed to delete old logo blob from storage: {:?}", e); 183 183 + } 184 184 + if let Err(e) = sqlx::query!("DELETE FROM blobs WHERE cid = $1", old_cid) 185 185 + .execute(&state.db) 186 186 + .await 173 187 { 174 174 - if let Err(e) = state.blob_store.delete(&blob.storage_key).await { 175 175 - error!("Failed to delete old logo blob from storage: {:?}", e); 176 176 - } 177 177 - if let Err(e) = sqlx::query!("DELETE FROM blobs WHERE cid = $1", old_cid) 178 178 - .execute(&state.db) 179 179 - .await 180 180 - { 181 181 - error!("Failed to delete old logo blob record: {:?}", e); 182 182 - } 188 188 + error!("Failed to delete old logo blob record: {:?}", e); 183 189 } 184 190 } 185 191

+3 -1

src/api/error.rs

··· 94 94 fn error_name(&self) -> Cow<'static, str> { 95 95 match self { 96 96 Self::InternalError | Self::DatabaseError => Cow::Borrowed("InternalError"), 97 97 - Self::UpstreamFailure | Self::UpstreamUnavailable(_) => Cow::Borrowed("UpstreamFailure"), 97 97 + Self::UpstreamFailure | Self::UpstreamUnavailable(_) => { 98 98 + Cow::Borrowed("UpstreamFailure") 99 99 + } 98 100 Self::UpstreamTimeout => Cow::Borrowed("UpstreamTimeout"), 99 101 Self::UpstreamError { error, .. } => { 100 102 if let Some(e) = error {

+75 -71

src/api/identity/account.rs

··· 132 132 .map(|d| d.starts_with("did:plc:")) 133 133 .unwrap_or(false); 134 134 135 135 - if is_migration || is_did_web_byod { 136 136 - if let (Some(provided_did), Some(auth_did)) = (input.did.as_ref(), migration_auth.as_ref()) 137 137 - { 138 138 - if provided_did != auth_did { 139 139 - return ( 135 135 + if (is_migration || is_did_web_byod) 136 136 + && let (Some(provided_did), Some(auth_did)) = (input.did.as_ref(), migration_auth.as_ref()) 137 137 + { 138 138 + if provided_did != auth_did { 139 139 + return ( 140 140 StatusCode::FORBIDDEN, 141 141 Json(json!({ 142 142 "error": "AuthorizationError", ··· 144 144 })), 145 145 ) 146 146 .into_response(); 147 147 - } 148 148 - if is_did_web_byod { 149 149 - info!(did = %provided_did, "Processing did:web BYOD account creation"); 150 150 - } else { 151 151 - info!(did = %provided_did, "Processing account migration"); 152 152 - } 147 147 + } 148 148 + if is_did_web_byod { 149 149 + info!(did = %provided_did, "Processing did:web BYOD account creation"); 150 150 + } else { 151 151 + info!(did = %provided_did, "Processing account migration"); 153 152 } 154 153 } 155 154 ··· 348 347 ) 349 348 .into_response(); 350 349 } 351 351 - if !is_did_web_byod { 352 352 - if let Err(e) = 350 350 + if !is_did_web_byod 351 351 + && let Err(e) = 353 352 verify_did_web(d, &hostname, &input.handle, input.signing_key.as_deref()).await 354 354 - { 355 355 - return ( 356 356 - StatusCode::BAD_REQUEST, 357 357 - Json(json!({"error": "InvalidDid", "message": e})), 358 358 - ) 359 359 - .into_response(); 360 360 - } 353 353 + { 354 354 + return ( 355 355 + StatusCode::BAD_REQUEST, 356 356 + Json(json!({"error": "InvalidDid", "message": e})), 357 357 + ) 358 358 + .into_response(); 361 359 } 362 360 info!(did = %d, "Creating external did:web account"); 363 361 d.clone() ··· 368 366 info!(did = %d, "Migration with existing did:plc"); 369 367 d.clone() 370 368 } else if d.starts_with("did:web:") { 371 371 - if !is_did_web_byod { 372 372 - if let Err(e) = 373 373 - verify_did_web(d, &hostname, &input.handle, input.signing_key.as_deref()) 374 374 - .await 375 375 - { 376 376 - return ( 377 377 - StatusCode::BAD_REQUEST, 378 378 - Json(json!({"error": "InvalidDid", "message": e})), 379 379 - ) 380 380 - .into_response(); 381 381 - } 369 369 + if !is_did_web_byod 370 370 + && let Err(e) = verify_did_web( 371 371 + d, 372 372 + &hostname, 373 373 + &input.handle, 374 374 + input.signing_key.as_deref(), 375 375 + ) 376 376 + .await 377 377 + { 378 378 + return ( 379 379 + StatusCode::BAD_REQUEST, 380 380 + Json(json!({"error": "InvalidDid", "message": e})), 381 381 + ) 382 382 + .into_response(); 382 383 } 383 384 d.clone() 384 385 } else if !d.trim().is_empty() { ··· 710 711 .into_response(); 711 712 } 712 713 }; 713 713 - let verification_code = format!("{:06}", rand::random::<u32>() % 1_000_000); 714 714 - let code_expires_at = chrono::Utc::now() + chrono::Duration::minutes(30); 715 714 let is_first_user = sqlx::query_scalar!("SELECT COUNT(*) as count FROM users") 716 715 .fetch_one(&mut *tx) 717 716 .await ··· 758 757 ) 759 758 .bind(is_first_user) 760 759 .bind(deactivated_at) 761 761 - .bind(is_migration) 760 760 + .bind(false) 762 761 .fetch_one(&mut *tx) 763 762 .await; 764 763 let user_id = match user_insert { ··· 806 805 } 807 806 }; 808 807 809 809 - if !is_migration 810 810 - && let Some(ref recipient) = verification_recipient 811 811 - && let Err(e) = sqlx::query!( 812 812 - "INSERT INTO channel_verifications (user_id, channel, code, pending_identifier, expires_at) VALUES ($1, $2::comms_channel, $3, $4, $5)", 813 813 - user_id, 814 814 - verification_channel as _, 815 815 - verification_code, 816 816 - recipient, 817 817 - code_expires_at 818 818 - ) 819 819 - .execute(&mut *tx) 820 820 - .await { 821 821 - error!("Error inserting verification code: {:?}", e); 822 822 - return ( 823 823 - StatusCode::INTERNAL_SERVER_ERROR, 824 824 - Json(json!({"error": "InternalError"})), 825 825 - ) 826 826 - .into_response(); 827 827 - } 828 808 let encrypted_key_bytes = match crate::config::encrypt_key(&secret_key_bytes) { 829 809 Ok(enc) => enc, 830 810 Err(e) => { ··· 881 861 } 882 862 }; 883 863 let rev = Tid::now(LimitedU32::MIN); 884 884 - let (commit_bytes, _sig) = match create_signed_commit(&did, mst_root, &rev.to_string(), None, &signing_key) { 885 885 - Ok(result) => result, 886 886 - Err(e) => { 887 887 - error!("Error creating genesis commit: {:?}", e); 888 888 - return ( 889 889 - StatusCode::INTERNAL_SERVER_ERROR, 890 890 - Json(json!({"error": "InternalError"})), 891 891 - ) 892 892 - .into_response(); 893 893 - } 894 894 - }; 864 864 + let (commit_bytes, _sig) = 865 865 + match create_signed_commit(&did, mst_root, rev.as_ref(), None, &signing_key) { 866 866 + Ok(result) => result, 867 867 + Err(e) => { 868 868 + error!("Error creating genesis commit: {:?}", e); 869 869 + return ( 870 870 + StatusCode::INTERNAL_SERVER_ERROR, 871 871 + Json(json!({"error": "InternalError"})), 872 872 + ) 873 873 + .into_response(); 874 874 + } 875 875 + }; 895 876 let commit_cid = match state.block_store.put(&commit_bytes).await { 896 877 Ok(c) => c, 897 878 Err(e) => { ··· 973 954 warn!("Failed to create default profile for {}: {}", did, e); 974 955 } 975 956 } 957 957 + let hostname = std::env::var("PDS_HOSTNAME").unwrap_or_else(|_| "localhost".to_string()); 976 958 if !is_migration { 977 977 - if let Some(ref recipient) = verification_recipient 978 978 - && let Err(e) = crate::comms::enqueue_signup_verification( 959 959 + if let Some(ref recipient) = verification_recipient { 960 960 + let verification_token = crate::auth::verification_token::generate_signup_token( 961 961 + &did, 962 962 + verification_channel, 963 963 + recipient, 964 964 + ); 965 965 + let formatted_token = 966 966 + crate::auth::verification_token::format_token_for_display(&verification_token); 967 967 + if let Err(e) = crate::comms::enqueue_signup_verification( 979 968 &state.db, 980 969 user_id, 981 970 verification_channel, 982 971 recipient, 983 983 - &verification_code, 972 972 + &formatted_token, 984 973 None, 985 974 ) 986 975 .await 976 976 + { 977 977 + warn!( 978 978 + "Failed to enqueue signup verification notification: {:?}", 979 979 + e 980 980 + ); 981 981 + } 982 982 + } 983 983 + } else if let Some(ref user_email) = email { 984 984 + let token = crate::auth::verification_token::generate_migration_token(&did, user_email); 985 985 + let formatted_token = crate::auth::verification_token::format_token_for_display(&token); 986 986 + if let Err(e) = crate::comms::enqueue_migration_verification( 987 987 + &state.db, 988 988 + user_id, 989 989 + user_email, 990 990 + &formatted_token, 991 991 + &hostname, 992 992 + ) 993 993 + .await 987 994 { 988 988 - warn!( 989 989 - "Failed to enqueue signup verification notification: {:?}", 990 990 - e 991 991 - ); 995 995 + warn!("Failed to enqueue migration verification email: {:?}", e); 992 996 } 993 997 } 994 998

+33 -59

src/api/notification_prefs.rs

··· 6 6 http::{HeaderMap, StatusCode}, 7 7 response::{IntoResponse, Response}, 8 8 }; 9 9 - use chrono::{Duration, Utc}; 10 10 - use rand::Rng; 11 9 use serde::{Deserialize, Serialize}; 12 10 use serde_json::json; 13 11 use sqlx::Row; 14 12 use tracing::info; 15 15 - 16 16 - fn generate_verification_code() -> String { 17 17 - rand::thread_rng() 18 18 - .sample_iter(&rand::distributions::Uniform::new(0, 10)) 19 19 - .take(6) 20 20 - .map(|x| x.to_string()) 21 21 - .collect() 22 22 - } 23 13 24 14 #[derive(Serialize)] 25 15 #[serde(rename_all = "camelCase")] ··· 228 218 pub async fn request_channel_verification( 229 219 db: &sqlx::PgPool, 230 220 user_id: uuid::Uuid, 221 221 + did: &str, 231 222 channel: &str, 232 223 identifier: &str, 233 224 handle: Option<&str>, 234 225 ) -> Result<String, String> { 235 235 - let code = generate_verification_code(); 236 236 - let expires_at = Utc::now() + Duration::minutes(10); 237 237 - 238 238 - sqlx::query!( 239 239 - r#" 240 240 - INSERT INTO channel_verifications (user_id, channel, code, pending_identifier, expires_at) 241 241 - VALUES ($1, $2::comms_channel, $3, $4, $5) 242 242 - ON CONFLICT (user_id, channel) DO UPDATE 243 243 - SET code = $3, pending_identifier = $4, expires_at = $5, created_at = NOW() 244 244 - "#, 245 245 - user_id, 246 246 - channel as _, 247 247 - code, 248 248 - identifier, 249 249 - expires_at 250 250 - ) 251 251 - .execute(db) 252 252 - .await 253 253 - .map_err(|e| format!("Database error: {}", e))?; 226 226 + let token = 227 227 + crate::auth::verification_token::generate_channel_update_token(did, channel, identifier); 228 228 + let formatted_token = crate::auth::verification_token::format_token_for_display(&token); 254 229 255 230 if channel == "email" { 256 231 let hostname = std::env::var("PDS_HOSTNAME").unwrap_or_else(|_| "localhost".to_string()); 257 232 let handle_str = handle.unwrap_or("user"); 258 258 - crate::comms::enqueue_email_update(db, user_id, identifier, handle_str, &code, &hostname) 259 259 - .await 260 260 - .map_err(|e| format!("Failed to enqueue email notification: {}", e))?; 233 233 + crate::comms::enqueue_email_update( 234 234 + db, 235 235 + user_id, 236 236 + identifier, 237 237 + handle_str, 238 238 + &formatted_token, 239 239 + &hostname, 240 240 + ) 241 241 + .await 242 242 + .map_err(|e| format!("Failed to enqueue email notification: {}", e))?; 261 243 } else { 262 244 sqlx::query!( 263 245 r#" ··· 267 249 user_id, 268 250 channel as _, 269 251 identifier, 270 270 - format!("Your verification code is: {}", code), 271 271 - json!({"code": code}) 252 252 + format!("Your verification code is: {}", formatted_token), 253 253 + json!({"code": formatted_token}) 272 254 ) 273 255 .execute(db) 274 256 .await 275 257 .map_err(|e| format!("Failed to enqueue notification: {}", e))?; 276 258 } 277 259 278 278 - Ok(code) 260 260 + Ok(token) 279 261 } 280 262 281 263 pub async fn update_notification_prefs( ··· 397 379 if let Err(e) = request_channel_verification( 398 380 &state.db, 399 381 user_id, 382 382 + &user.did, 400 383 "email", 401 384 &email_clean, 402 385 Some(&handle), ··· 429 412 ) 430 413 .into_response(); 431 414 } 432 432 - let _ = sqlx::query!( 433 433 - "DELETE FROM channel_verifications WHERE user_id = $1 AND channel = 'discord'", 434 434 - user_id 435 435 - ) 436 436 - .execute(&state.db) 437 437 - .await; 438 415 info!(did = %user.did, "Cleared Discord ID"); 439 416 } else { 440 440 - if let Err(e) = 441 441 - request_channel_verification(&state.db, user_id, "discord", discord_id, None).await 417 417 + if let Err(e) = request_channel_verification( 418 418 + &state.db, user_id, &user.did, "discord", discord_id, None, 419 419 + ) 420 420 + .await 442 421 { 443 422 return ( 444 423 StatusCode::INTERNAL_SERVER_ERROR, ··· 467 446 ) 468 447 .into_response(); 469 448 } 470 470 - let _ = sqlx::query!( 471 471 - "DELETE FROM channel_verifications WHERE user_id = $1 AND channel = 'telegram'", 472 472 - user_id 473 473 - ) 474 474 - .execute(&state.db) 475 475 - .await; 476 449 info!(did = %user.did, "Cleared Telegram username"); 477 450 } else { 478 478 - if let Err(e) = 479 479 - request_channel_verification(&state.db, user_id, "telegram", telegram_clean, None) 480 480 - .await 451 451 + if let Err(e) = request_channel_verification( 452 452 + &state.db, 453 453 + user_id, 454 454 + &user.did, 455 455 + "telegram", 456 456 + telegram_clean, 457 457 + None, 458 458 + ) 459 459 + .await 481 460 { 482 461 return ( 483 462 StatusCode::INTERNAL_SERVER_ERROR, ··· 505 484 ) 506 485 .into_response(); 507 486 } 508 508 - let _ = sqlx::query!( 509 509 - "DELETE FROM channel_verifications WHERE user_id = $1 AND channel = 'signal'", 510 510 - user_id 511 511 - ) 512 512 - .execute(&state.db) 513 513 - .await; 514 487 info!(did = %user.did, "Cleared Signal number"); 515 488 } else { 516 489 if let Err(e) = 517 517 - request_channel_verification(&state.db, user_id, "signal", signal, None).await 490 490 + request_channel_verification(&state.db, user_id, &user.did, "signal", signal, None) 491 491 + .await 518 492 { 519 493 return ( 520 494 StatusCode::INTERNAL_SERVER_ERROR,

+1 -1

src/api/repo/record/utils.rs

··· 3 3 use cid::Cid; 4 4 use jacquard::types::{integer::LimitedU32, string::Tid}; 5 5 use jacquard_repo::storage::BlockStore; 6 6 - use k256::ecdsa::{signature::Signer, Signature, SigningKey}; 6 6 + use k256::ecdsa::{Signature, SigningKey, signature::Signer}; 7 7 use serde::Serialize; 8 8 use serde_json::json; 9 9 use uuid::Uuid;

+64 -108

src/api/server/email.rs

··· 6 6 http::StatusCode, 7 7 response::{IntoResponse, Response}, 8 8 }; 9 9 - use chrono::Utc; 10 9 use serde::Deserialize; 11 10 use serde_json::json; 12 11 use tracing::{error, info, warn}; ··· 66 65 return e; 67 66 } 68 67 69 69 - let did = auth_user.did; 68 68 + let did = auth_user.did.clone(); 70 69 let user = match sqlx::query!("SELECT id, handle, email FROM users WHERE did = $1", did) 71 70 .fetch_optional(&state.db) 72 71 .await ··· 117 116 if let Err(e) = crate::api::notification_prefs::request_channel_verification( 118 117 &state.db, 119 118 user_id, 119 119 + &did, 120 120 "email", 121 121 &email, 122 122 Some(&handle), ··· 206 206 } 207 207 }; 208 208 209 209 - let verification = match sqlx::query!( 210 210 - "SELECT code, pending_identifier, expires_at FROM channel_verifications WHERE user_id = $1 AND channel = 'email'", 211 211 - user_id 212 212 - ) 213 213 - .fetch_optional(&state.db) 214 214 - .await 215 215 - { 216 216 - Ok(Some(row)) => row, 217 217 - _ => { 209 209 + let email = input.email.trim().to_lowercase(); 210 210 + let confirmation_code = 211 211 + crate::auth::verification_token::normalize_token_input(input.token.trim()); 212 212 + 213 213 + let verified = crate::auth::verification_token::verify_channel_update_token( 214 214 + &confirmation_code, 215 215 + "email", 216 216 + &email, 217 217 + ); 218 218 + 219 219 + match verified { 220 220 + Ok(token_data) => { 221 221 + if token_data.did != did { 222 222 + return ( 223 223 + StatusCode::BAD_REQUEST, 224 224 + Json( 225 225 + json!({"error": "InvalidToken", "message": "Token does not match account"}), 226 226 + ), 227 227 + ) 228 228 + .into_response(); 229 229 + } 230 230 + } 231 231 + Err(crate::auth::verification_token::VerifyError::Expired) => { 218 232 return ( 219 233 StatusCode::BAD_REQUEST, 220 220 - Json(json!({"error": "InvalidRequest", "message": "No pending email update found"})), 234 234 + Json(json!({"error": "ExpiredToken", "message": "Token has expired"})), 221 235 ) 222 236 .into_response(); 223 237 } 224 224 - }; 225 225 - 226 226 - let pending_email = verification.pending_identifier.unwrap_or_default(); 227 227 - let email = input.email.trim().to_lowercase(); 228 228 - let confirmation_code = input.token.trim(); 229 229 - 230 230 - if pending_email != email { 231 231 - return ( 232 232 - StatusCode::BAD_REQUEST, 233 233 - Json(json!({"error": "InvalidRequest", "message": "Email does not match pending update"})), 234 234 - ) 235 235 - .into_response(); 236 236 - } 237 237 - 238 238 - if verification.code != confirmation_code { 239 239 - return ( 240 240 - StatusCode::BAD_REQUEST, 241 241 - Json(json!({"error": "InvalidToken", "message": "Invalid token"})), 242 242 - ) 243 243 - .into_response(); 238 238 + Err(_) => { 239 239 + return ( 240 240 + StatusCode::BAD_REQUEST, 241 241 + Json(json!({"error": "InvalidToken", "message": "Invalid token"})), 242 242 + ) 243 243 + .into_response(); 244 244 + } 244 245 } 245 246 246 246 - if Utc::now() > verification.expires_at { 247 247 - return ( 248 248 - StatusCode::BAD_REQUEST, 249 249 - Json(json!({"error": "ExpiredToken", "message": "Token has expired"})), 250 250 - ) 251 251 - .into_response(); 252 252 - } 253 253 - 254 254 - let mut tx = match state.db.begin().await { 255 255 - Ok(tx) => tx, 256 256 - Err(_) => return ApiError::InternalError.into_response(), 257 257 - }; 258 258 - 259 247 let update = sqlx::query!( 260 260 - "UPDATE users SET email = $1, updated_at = NOW() WHERE id = $2", 261 261 - pending_email, 248 248 + "UPDATE users SET email = $1, email_verified = TRUE, updated_at = NOW() WHERE id = $2", 249 249 + email, 262 250 user_id 263 251 ) 264 264 - .execute(&mut *tx) 252 252 + .execute(&state.db) 265 253 .await; 266 254 267 255 if let Err(e) = update { ··· 283 271 .into_response(); 284 272 } 285 273 286 286 - if let Err(e) = sqlx::query!( 287 287 - "DELETE FROM channel_verifications WHERE user_id = $1 AND channel = 'email'", 288 288 - user_id 289 289 - ) 290 290 - .execute(&mut *tx) 291 291 - .await 292 292 - { 293 293 - error!("Failed to delete verification record: {:?}", e); 294 294 - return ApiError::InternalError.into_response(); 295 295 - } 296 296 - 297 297 - if tx.commit().await.is_err() { 298 298 - return ApiError::InternalError.into_response(); 299 299 - } 300 300 - 301 274 info!("Email updated for user {}", user_id); 302 275 (StatusCode::OK, Json(json!({}))).into_response() 303 276 } ··· 377 350 return (StatusCode::OK, Json(json!({}))).into_response(); 378 351 } 379 352 380 380 - let verification = sqlx::query!( 381 381 - "SELECT code, pending_identifier, expires_at FROM channel_verifications WHERE user_id = $1 AND channel = 'email'", 382 382 - user_id 383 383 - ) 384 384 - .fetch_optional(&state.db) 385 385 - .await 386 386 - .unwrap_or(None); 353 353 + let confirmation_token = match &input.token { 354 354 + Some(t) => crate::auth::verification_token::normalize_token_input(t.trim()), 355 355 + None => { 356 356 + return ( 357 357 + StatusCode::BAD_REQUEST, 358 358 + Json(json!({"error": "TokenRequired", "message": "Token required. Call requestEmailUpdate first."})), 359 359 + ) 360 360 + .into_response(); 361 361 + } 362 362 + }; 363 363 + 364 364 + let verified = crate::auth::verification_token::verify_channel_update_token( 365 365 + &confirmation_token, 366 366 + "email", 367 367 + &new_email, 368 368 + ); 387 369 388 388 - if let Some(ver) = verification { 389 389 - let confirmation_token = match &input.token { 390 390 - Some(t) => t.trim(), 391 391 - None => { 370 370 + match verified { 371 371 + Ok(token_data) => { 372 372 + if token_data.did != did { 392 373 return ( 393 374 StatusCode::BAD_REQUEST, 394 394 - Json(json!({"error": "TokenRequired", "message": "Token required. Call requestEmailUpdate first."})), 375 375 + Json( 376 376 + json!({"error": "InvalidToken", "message": "Token does not match account"}), 377 377 + ), 395 378 ) 396 379 .into_response(); 397 380 } 398 398 - }; 399 399 - 400 400 - let pending_email = ver.pending_identifier.unwrap_or_default(); 401 401 - if pending_email.to_lowercase() != new_email { 381 381 + } 382 382 + Err(crate::auth::verification_token::VerifyError::Expired) => { 402 383 return ( 403 384 StatusCode::BAD_REQUEST, 404 404 - Json(json!({"error": "InvalidRequest", "message": "Email does not match pending update"})), 385 385 + Json(json!({"error": "ExpiredToken", "message": "Token has expired"})), 405 386 ) 406 387 .into_response(); 407 388 } 408 408 - 409 409 - if ver.code != confirmation_token { 389 389 + Err(_) => { 410 390 return ( 411 391 StatusCode::BAD_REQUEST, 412 392 Json(json!({"error": "InvalidToken", "message": "Invalid token"})), 413 393 ) 414 394 .into_response(); 415 395 } 416 416 - 417 417 - if Utc::now() > ver.expires_at { 418 418 - return ( 419 419 - StatusCode::BAD_REQUEST, 420 420 - Json(json!({"error": "ExpiredToken", "message": "Token has expired"})), 421 421 - ) 422 422 - .into_response(); 423 423 - } 424 396 } 425 397 426 398 let exists = sqlx::query!( ··· 438 410 ) 439 411 .into_response(); 440 412 } 441 441 - 442 442 - let mut tx = match state.db.begin().await { 443 443 - Ok(tx) => tx, 444 444 - Err(_) => return ApiError::InternalError.into_response(), 445 445 - }; 446 413 447 414 let update = sqlx::query!( 448 448 - "UPDATE users SET email = $1, updated_at = NOW() WHERE id = $2", 415 415 + "UPDATE users SET email = $1, email_verified = TRUE, updated_at = NOW() WHERE id = $2", 449 416 new_email, 450 417 user_id 451 418 ) 452 452 - .execute(&mut *tx) 419 419 + .execute(&state.db) 453 420 .await; 454 421 455 422 if let Err(e) = update { ··· 469 436 Json(json!({"error": "InternalError"})), 470 437 ) 471 438 .into_response(); 472 472 - } 473 473 - 474 474 - let _ = sqlx::query!( 475 475 - "DELETE FROM channel_verifications WHERE user_id = $1 AND channel = 'email'", 476 476 - user_id 477 477 - ) 478 478 - .execute(&mut *tx) 479 479 - .await; 480 480 - 481 481 - if tx.commit().await.is_err() { 482 482 - return ApiError::InternalError.into_response(); 483 439 } 484 440 485 441 match sqlx::query!(

+11 -12

src/api/server/logo.rs

··· 9 9 use tracing::error; 10 10 11 11 pub async fn get_logo(State(state): State<AppState>) -> Response { 12 12 - let logo_cid: Option<String> = match sqlx::query_scalar( 13 13 - "SELECT value FROM server_config WHERE key = 'logo_cid'" 14 14 - ) 15 15 - .fetch_optional(&state.db) 16 16 - .await 17 17 - { 18 18 - Ok(cid) => cid, 19 19 - Err(e) => { 20 20 - error!("DB error fetching logo_cid: {:?}", e); 21 21 - return StatusCode::INTERNAL_SERVER_ERROR.into_response(); 22 22 - } 23 23 - }; 12 12 + let logo_cid: Option<String> = 13 13 + match sqlx::query_scalar("SELECT value FROM server_config WHERE key = 'logo_cid'") 14 14 + .fetch_optional(&state.db) 15 15 + .await 16 16 + { 17 17 + Ok(cid) => cid, 18 18 + Err(e) => { 19 19 + error!("DB error fetching logo_cid: {:?}", e); 20 20 + return StatusCode::INTERNAL_SERVER_ERROR.into_response(); 21 21 + } 22 22 + }; 24 23 25 24 let cid = match logo_cid { 26 25 Some(c) if !c.is_empty() => c,

+7 -3

src/api/server/mod.rs

··· 13 13 pub mod signing_key; 14 14 pub mod totp; 15 15 pub mod trusted_devices; 16 16 + pub mod verify_email; 17 17 + pub mod verify_token; 16 18 17 19 pub use account_status::{ 18 20 activate_account, check_account_status, deactivate_account, delete_account, ··· 35 37 change_password, get_password_status, remove_password, request_password_reset, reset_password, 36 38 }; 37 39 pub use reauth::{ 38 38 - check_legacy_session_mfa, check_reauth_required, get_reauth_status, legacy_mfa_required_response, 39 39 - reauth_passkey_finish, reauth_passkey_start, reauth_password, reauth_required_response, 40 40 - reauth_totp, update_mfa_verified, 40 40 + check_legacy_session_mfa, check_reauth_required, get_reauth_status, 41 41 + legacy_mfa_required_response, reauth_passkey_finish, reauth_passkey_start, reauth_password, 42 42 + reauth_required_response, reauth_totp, update_mfa_verified, 41 43 }; 42 44 pub use service_auth::get_service_auth; 43 45 pub use session::{ ··· 54 56 extend_device_trust, is_device_trusted, list_trusted_devices, revoke_trusted_device, 55 57 trust_device, update_trusted_device, 56 58 }; 59 59 + pub use verify_email::{resend_migration_verification, verify_migration_email}; 60 60 + pub use verify_token::{VerifyTokenInput, VerifyTokenOutput, verify_token, verify_token_internal};

+36 -51

src/api/server/passkey_account.rs

··· 117 117 .await 118 118 { 119 119 Ok(claims) => { 120 120 - debug!("Service token verified for BYOD did:web: iss={}", claims.iss); 120 120 + debug!( 121 121 + "Service token verified for BYOD did:web: iss={}", 122 122 + claims.iss 123 123 + ); 121 124 Some(claims.iss) 122 125 } 123 126 Err(e) => { ··· 342 345 .into_response(); 343 346 } 344 347 if is_byod_did_web { 345 345 - if let Some(ref auth_did) = byod_auth { 346 346 - if d != auth_did { 347 347 - return ( 348 348 + if let Some(ref auth_did) = byod_auth 349 349 + && d != auth_did 350 350 + { 351 351 + return ( 348 352 StatusCode::FORBIDDEN, 349 353 Json(json!({ 350 354 "error": "AuthorizationError", ··· 352 356 })), 353 357 ) 354 358 .into_response(); 355 355 - } 356 359 } 357 360 info!(did = %d, "Creating external did:web passkey account (BYOD key)"); 358 361 } else { ··· 415 418 }; 416 419 417 420 info!(did = %did, handle = %handle, "Created DID for passkey-only account"); 418 418 - 419 419 - let verification_code = format!( 420 420 - "{:06}", 421 421 - rand::Rng::gen_range(&mut rand::thread_rng(), 0..1_000_000u32) 422 422 - ); 423 423 - let verification_code_expires_at = Utc::now() + Duration::minutes(30); 424 421 425 422 let setup_token = generate_setup_token(); 426 423 let setup_token_hash = match hash(&setup_token, DEFAULT_COST) { ··· 591 588 } 592 589 }; 593 590 let rev = Tid::now(LimitedU32::MIN); 594 594 - let (commit_bytes, _sig) = match create_signed_commit(&did, mst_root, &rev.to_string(), None, &secret_key) { 595 595 - Ok(result) => result, 596 596 - Err(e) => { 597 597 - error!("Error creating genesis commit: {:?}", e); 598 598 - return ( 599 599 - StatusCode::INTERNAL_SERVER_ERROR, 600 600 - Json(json!({"error": "InternalError"})), 601 601 - ) 602 602 - .into_response(); 603 603 - } 604 604 - }; 591 591 + let (commit_bytes, _sig) = 592 592 + match create_signed_commit(&did, mst_root, rev.as_ref(), None, &secret_key) { 593 593 + Ok(result) => result, 594 594 + Err(e) => { 595 595 + error!("Error creating genesis commit: {:?}", e); 596 596 + return ( 597 597 + StatusCode::INTERNAL_SERVER_ERROR, 598 598 + Json(json!({"error": "InternalError"})), 599 599 + ) 600 600 + .into_response(); 601 601 + } 602 602 + }; 605 603 let commit_cid: cid::Cid = match state.block_store.put(&commit_bytes).await { 606 604 Ok(c) => c, 607 605 Err(e) => { ··· 647 645 .await; 648 646 } 649 647 650 650 - if let Err(e) = sqlx::query!( 651 651 - "INSERT INTO channel_verifications (user_id, channel, code, pending_identifier, expires_at) VALUES ($1, $2::comms_channel, $3, $4, $5)", 652 652 - user_id, 653 653 - verification_channel as _, 654 654 - verification_code, 655 655 - verification_recipient, 656 656 - verification_code_expires_at 657 657 - ) 658 658 - .execute(&mut *tx) 659 659 - .await 660 660 - { 661 661 - error!("Error inserting channel verification: {:?}", e); 662 662 - return ( 663 663 - StatusCode::INTERNAL_SERVER_ERROR, 664 664 - Json(json!({"error": "InternalError"})), 665 665 - ) 666 666 - .into_response(); 667 667 - } 668 668 - 669 648 if let Err(e) = tx.commit().await { 670 649 error!("Error committing transaction: {:?}", e); 671 650 return ( ··· 703 682 } 704 683 } 705 684 685 685 + let verification_token = crate::auth::verification_token::generate_signup_token( 686 686 + &did, 687 687 + verification_channel, 688 688 + &verification_recipient, 689 689 + ); 690 690 + let formatted_token = 691 691 + crate::auth::verification_token::format_token_for_display(&verification_token); 706 692 if let Err(e) = crate::comms::enqueue_signup_verification( 707 693 &state.db, 708 694 user_id, 709 695 verification_channel, 710 696 &verification_recipient, 711 711 - &verification_code, 697 697 + &formatted_token, 712 698 None, 713 699 ) 714 700 .await ··· 847 833 } 848 834 }; 849 835 850 850 - let credential: webauthn_rs::prelude::RegisterPublicKeyCredential = match serde_json::from_value( 851 851 - input.passkey_credential, 852 852 - ) { 853 853 - Ok(c) => c, 854 854 - Err(e) => { 855 855 - warn!("Failed to parse credential: {:?}", e); 856 856 - return ( 836 836 + let credential: webauthn_rs::prelude::RegisterPublicKeyCredential = 837 837 + match serde_json::from_value(input.passkey_credential) { 838 838 + Ok(c) => c, 839 839 + Err(e) => { 840 840 + warn!("Failed to parse credential: {:?}", e); 841 841 + return ( 857 842 StatusCode::BAD_REQUEST, 858 843 Json( 859 844 json!({"error": "InvalidCredential", "message": "Failed to parse credential"}), 860 845 ), 861 846 ) 862 847 .into_response(); 863 863 - } 864 864 - }; 848 848 + } 849 849 + }; 865 850 866 851 let security_key = match webauthn.finish_registration(&credential, &reg_state) { 867 852 Ok(sk) => sk,

+7 -1

src/api/server/password.rs

··· 471 471 .await; 472 472 } 473 473 474 474 - if crate::api::server::reauth::check_reauth_required_cached(&state.db, &state.cache, &auth.0.did).await { 474 474 + if crate::api::server::reauth::check_reauth_required_cached( 475 475 + &state.db, 476 476 + &state.cache, 477 477 + &auth.0.did, 478 478 + ) 479 479 + .await 480 480 + { 475 481 return crate::api::server::reauth::reauth_required_response(&state.db, &auth.0.did).await; 476 482 } 477 483

+10 -9

src/api/server/reauth.rs

··· 376 376 { 377 377 Ok(false) => { 378 378 warn!(did = %auth.0.did, "Passkey counter anomaly detected - possible cloned key"); 379 379 - let _ = crate::auth::webauthn::delete_authentication_state(&state.db, &auth.0.did).await; 379 379 + let _ = 380 380 + crate::auth::webauthn::delete_authentication_state(&state.db, &auth.0.did).await; 380 381 return ( 381 382 StatusCode::UNAUTHORIZED, 382 383 Json(json!({ ··· 494 495 did: &str, 495 496 ) -> bool { 496 497 let cache_key = format!("reauth:{}", did); 497 497 - if let Some(timestamp_str) = cache.get(&cache_key).await { 498 498 - if let Ok(timestamp) = timestamp_str.parse::<i64>() { 499 499 - let reauth_time = chrono::DateTime::from_timestamp(timestamp, 0); 500 500 - if let Some(t) = reauth_time { 501 501 - let elapsed = Utc::now().signed_duration_since(t); 502 502 - if elapsed.num_seconds() <= REAUTH_WINDOW_SECONDS { 503 503 - return false; 504 504 - } 498 498 + if let Some(timestamp_str) = cache.get(&cache_key).await 499 499 + && let Ok(timestamp) = timestamp_str.parse::<i64>() 500 500 + { 501 501 + let reauth_time = chrono::DateTime::from_timestamp(timestamp, 0); 502 502 + if let Some(t) = reauth_time { 503 503 + let elapsed = Utc::now().signed_duration_since(t); 504 504 + if elapsed.num_seconds() <= REAUTH_WINDOW_SECONDS { 505 505 + return false; 505 506 } 506 507 } 507 508 }

+20 -16

src/api/server/service_auth.rs

··· 66 66 } 67 67 }; 68 68 69 69 - let (token, is_dpop) = if auth_header.len() >= 7 && auth_header[..7].eq_ignore_ascii_case("bearer ") { 69 69 + let (token, is_dpop) = if auth_header.len() >= 7 70 70 + && auth_header[..7].eq_ignore_ascii_case("bearer ") 71 71 + { 70 72 (auth_header[7..].trim().to_string(), false) 71 73 } else if auth_header.len() >= 5 && auth_header[..5].eq_ignore_ascii_case("dpop ") { 72 74 (auth_header[5..].trim().to_string(), true) ··· 81 83 &token, 82 84 dpop_proof, 83 85 "GET", 84 84 - &format!("/xrpc/com.atproto.server.getServiceAuth?aud={}&lxm={}", 85 85 - params.aud, 86 86 - params.lxm.as_deref().unwrap_or("")), 87 87 - ).await { 86 86 + &format!( 87 87 + "/xrpc/com.atproto.server.getServiceAuth?aud={}&lxm={}", 88 88 + params.aud, 89 89 + params.lxm.as_deref().unwrap_or("") 90 90 + ), 91 91 + ) 92 92 + .await 93 93 + { 88 94 Ok(result) => crate::auth::AuthenticatedUser { 89 95 did: result.did, 90 96 is_oauth: true, ··· 100 106 "error": "use_dpop_nonce", 101 107 "message": "DPoP nonce required" 102 108 })), 103 103 - ).into_response(); 109 109 + ) 110 110 + .into_response(); 104 111 } 105 112 Err(e) => { 106 113 warn!(error = ?e, "getServiceAuth DPoP auth validation failed"); ··· 110 117 "error": "AuthenticationFailed", 111 118 "message": format!("{:?}", e) 112 119 })), 113 113 - ).into_response(); 120 120 + ) 121 121 + .into_response(); 114 122 } 115 123 } 116 124 } else { ··· 136 144 "SELECT k.key_bytes, k.encryption_version 137 145 FROM users u 138 146 JOIN user_keys k ON u.id = k.user_id 139 139 - WHERE u.did = $1" 147 147 + WHERE u.did = $1", 140 148 ) 141 149 .bind(&auth_user.did) 142 150 .fetch_optional(&state.db) ··· 155 163 } 156 164 } 157 165 Ok(None) => { 158 158 - return ApiError::AuthenticationFailedMsg( 159 159 - "User has no signing key".into(), 160 160 - ) 161 161 - .into_response(); 166 166 + return ApiError::AuthenticationFailedMsg("User has no signing key".into()) 167 167 + .into_response(); 162 168 } 163 169 Err(e) => { 164 170 error!(error = ?e, "DB error fetching user key"); 165 165 - return ApiError::AuthenticationFailedMsg( 166 166 - "Failed to get signing key".into(), 167 167 - ) 168 168 - .into_response(); 171 171 + return ApiError::AuthenticationFailedMsg("Failed to get signing key".into()) 172 172 + .into_response(); 169 173 } 170 174 } 171 175 }

+51 -73

src/api/server/session.rs

··· 8 8 response::{IntoResponse, Response}, 9 9 }; 10 10 use bcrypt::verify; 11 11 - use chrono::Utc; 12 11 use serde::{Deserialize, Serialize}; 13 12 use serde_json::json; 14 13 use tracing::{error, info, warn}; ··· 167 166 let has_totp = row.totp_enabled.unwrap_or(false); 168 167 let is_legacy_login = has_totp; 169 168 if has_totp && !row.allow_legacy_login { 170 170 - warn!( 171 171 - "Legacy login blocked for TOTP-enabled account: {}", 172 172 - row.did 173 173 - ); 169 169 + warn!("Legacy login blocked for TOTP-enabled account: {}", row.did); 174 170 return ( 175 171 StatusCode::FORBIDDEN, 176 172 Json(json!({ ··· 556 552 r#"SELECT 557 553 u.id, u.did, u.handle, u.email, 558 554 u.preferred_comms_channel as "channel: crate::comms::CommsChannel", 555 555 + u.discord_id, u.telegram_username, u.signal_number, 559 556 k.key_bytes, k.encryption_version 560 557 FROM users u 561 558 JOIN user_keys k ON u.id = k.user_id ··· 577 574 } 578 575 }; 579 576 580 580 - let channel_str = match row.channel { 581 581 - crate::comms::CommsChannel::Email => "email", 582 582 - crate::comms::CommsChannel::Discord => "discord", 583 583 - crate::comms::CommsChannel::Telegram => "telegram", 584 584 - crate::comms::CommsChannel::Signal => "signal", 585 585 - }; 586 586 - let verification = match sqlx::query!( 587 587 - "SELECT code, expires_at FROM channel_verifications WHERE user_id = $1 AND channel = $2::comms_channel", 588 588 - row.id, 589 589 - channel_str as _ 590 590 - ) 591 591 - .fetch_optional(&state.db) 592 592 - .await 593 593 - { 594 594 - Ok(Some(v)) => v, 595 595 - Ok(None) => { 596 596 - warn!("No verification code found for user: {}", input.did); 597 597 - return ApiError::InvalidRequest("No pending verification".into()).into_response(); 577 577 + let (channel_str, identifier) = match row.channel { 578 578 + crate::comms::CommsChannel::Email => ("email", row.email.clone().unwrap_or_default()), 579 579 + crate::comms::CommsChannel::Discord => { 580 580 + ("discord", row.discord_id.clone().unwrap_or_default()) 598 581 } 599 599 - Err(e) => { 600 600 - error!("Database error fetching verification: {:?}", e); 601 601 - return ApiError::InternalError.into_response(); 582 582 + crate::comms::CommsChannel::Telegram => ( 583 583 + "telegram", 584 584 + row.telegram_username.clone().unwrap_or_default(), 585 585 + ), 586 586 + crate::comms::CommsChannel::Signal => { 587 587 + ("signal", row.signal_number.clone().unwrap_or_default()) 602 588 } 603 589 }; 604 590 605 605 - if verification.code != input.verification_code { 606 606 - warn!("Invalid verification code for user: {}", input.did); 607 607 - return ApiError::InvalidRequest("Invalid verification code".into()).into_response(); 608 608 - } 609 609 - if verification.expires_at < Utc::now() { 610 610 - warn!("Verification code expired for user: {}", input.did); 611 611 - return ApiError::ExpiredTokenMsg("Verification code has expired".into()).into_response(); 591 591 + let normalized_token = 592 592 + crate::auth::verification_token::normalize_token_input(&input.verification_code); 593 593 + match crate::auth::verification_token::verify_signup_token( 594 594 + &normalized_token, 595 595 + channel_str, 596 596 + &identifier, 597 597 + ) { 598 598 + Ok(token_data) => { 599 599 + if token_data.did != input.did { 600 600 + warn!( 601 601 + "Token DID mismatch for confirm_signup: expected {}, got {}", 602 602 + input.did, token_data.did 603 603 + ); 604 604 + return ApiError::InvalidRequest("Invalid verification code".into()) 605 605 + .into_response(); 606 606 + } 607 607 + } 608 608 + Err(crate::auth::verification_token::VerifyError::Expired) => { 609 609 + warn!("Verification code expired for user: {}", input.did); 610 610 + return ApiError::ExpiredTokenMsg("Verification code has expired".into()) 611 611 + .into_response(); 612 612 + } 613 613 + Err(e) => { 614 614 + warn!("Invalid verification code for user {}: {:?}", input.did, e); 615 615 + return ApiError::InvalidRequest("Invalid verification code".into()).into_response(); 616 616 + } 612 617 } 613 618 614 619 let key_bytes = match crate::config::decrypt_key(&row.key_bytes, row.encryption_version) { ··· 632 637 { 633 638 error!("Failed to update verification status: {:?}", e); 634 639 return ApiError::InternalError.into_response(); 635 635 - } 636 636 - 637 637 - if let Err(e) = sqlx::query!( 638 638 - "DELETE FROM channel_verifications WHERE user_id = $1 AND channel = $2::comms_channel", 639 639 - row.id, 640 640 - channel_str as _ 641 641 - ) 642 642 - .execute(&state.db) 643 643 - .await 644 644 - { 645 645 - error!("Failed to delete verification record: {:?}", e); 646 640 } 647 641 648 642 let access_meta = match crate::auth::create_access_token_with_metadata(&row.did, &key_bytes) { ··· 737 731 if is_verified { 738 732 return ApiError::InvalidRequest("Account is already verified".into()).into_response(); 739 733 } 740 740 - let verification_code = format!("{:06}", rand::random::<u32>() % 1_000_000); 741 741 - let code_expires_at = Utc::now() + chrono::Duration::minutes(30); 742 734 743 735 let (channel_str, recipient) = match row.channel { 744 736 crate::comms::CommsChannel::Email => ("email", row.email.clone().unwrap_or_default()), ··· 754 746 } 755 747 }; 756 748 757 757 - if let Err(e) = sqlx::query!( 758 758 - r#" 759 759 - INSERT INTO channel_verifications (user_id, channel, code, pending_identifier, expires_at) 760 760 - VALUES ($1, $2::comms_channel, $3, $4, $5) 761 761 - ON CONFLICT (user_id, channel) DO UPDATE 762 762 - SET code = $3, pending_identifier = $4, expires_at = $5, created_at = NOW() 763 763 - "#, 764 764 - row.id, 765 765 - channel_str as _, 766 766 - verification_code, 767 767 - recipient, 768 768 - code_expires_at 769 769 - ) 770 770 - .execute(&state.db) 771 771 - .await 772 772 - { 773 773 - error!("Failed to update verification code: {:?}", e); 774 774 - return ApiError::InternalError.into_response(); 775 775 - } 749 749 + let verification_token = 750 750 + crate::auth::verification_token::generate_signup_token(&input.did, channel_str, &recipient); 751 751 + let formatted_token = 752 752 + crate::auth::verification_token::format_token_for_display(&verification_token); 753 753 + 776 754 if let Err(e) = crate::comms::enqueue_signup_verification( 777 755 &state.db, 778 756 row.id, 779 757 channel_str, 780 758 &recipient, 781 781 - &verification_code, 759 759 + &formatted_token, 782 760 None, 783 761 ) 784 762 .await ··· 886 864 Ok(rows) => { 887 865 for (id, token_id, created_at, expires_at, client_id) in rows { 888 866 let client_name = extract_client_name(&client_id); 889 889 - let is_current_oauth = auth.0.is_oauth 890 890 - && current_jti.as_ref() == Some(&token_id); 867 867 + let is_current_oauth = auth.0.is_oauth && current_jti.as_ref() == Some(&token_id); 891 868 sessions.push(SessionInfo { 892 869 id: format!("oauth:{}", id), 893 870 session_type: "oauth".to_string(), ··· 1071 1048 .into_response(); 1072 1049 } 1073 1050 } else { 1074 1074 - if let Err(e) = sqlx::query("DELETE FROM session_tokens WHERE did = $1 AND access_jti != $2") 1075 1075 - .bind(&auth.0.did) 1076 1076 - .bind(jti) 1077 1077 - .execute(&state.db) 1078 1078 - .await 1051 1051 + if let Err(e) = 1052 1052 + sqlx::query("DELETE FROM session_tokens WHERE did = $1 AND access_jti != $2") 1053 1053 + .bind(&auth.0.did) 1054 1054 + .bind(jti) 1055 1055 + .execute(&state.db) 1056 1056 + .await 1079 1057 { 1080 1058 error!("DB error revoking JWT sessions: {:?}", e); 1081 1059 return (

+101

src/api/server/verify_email.rs

··· 1 1 + use axum::{Json, extract::State, http::StatusCode}; 2 2 + use serde::{Deserialize, Serialize}; 3 3 + use serde_json::json; 4 4 + use tracing::{info, warn}; 5 5 + 6 6 + use crate::state::AppState; 7 7 + 8 8 + #[derive(Deserialize)] 9 9 + #[serde(rename_all = "camelCase")] 10 10 + pub struct VerifyMigrationEmailInput { 11 11 + pub token: String, 12 12 + pub email: String, 13 13 + } 14 14 + 15 15 + #[derive(Serialize)] 16 16 + #[serde(rename_all = "camelCase")] 17 17 + pub struct VerifyMigrationEmailOutput { 18 18 + pub success: bool, 19 19 + pub did: String, 20 20 + } 21 21 + 22 22 + pub async fn verify_migration_email( 23 23 + State(state): State<AppState>, 24 24 + Json(input): Json<VerifyMigrationEmailInput>, 25 25 + ) -> Result<Json<VerifyMigrationEmailOutput>, (StatusCode, Json<serde_json::Value>)> { 26 26 + let token_input = super::verify_token::VerifyTokenInput { 27 27 + token: input.token, 28 28 + identifier: input.email, 29 29 + }; 30 30 + 31 31 + let result = super::verify_token::verify_token_internal(&state, None, token_input).await?; 32 32 + 33 33 + Ok(Json(VerifyMigrationEmailOutput { 34 34 + success: result.success, 35 35 + did: result.did.clone(), 36 36 + })) 37 37 + } 38 38 + 39 39 + #[derive(Deserialize)] 40 40 + #[serde(rename_all = "camelCase")] 41 41 + pub struct ResendMigrationVerificationInput { 42 42 + pub email: String, 43 43 + } 44 44 + 45 45 + #[derive(Serialize)] 46 46 + #[serde(rename_all = "camelCase")] 47 47 + pub struct ResendMigrationVerificationOutput { 48 48 + pub sent: bool, 49 49 + } 50 50 + 51 51 + pub async fn resend_migration_verification( 52 52 + State(state): State<AppState>, 53 53 + Json(input): Json<ResendMigrationVerificationInput>, 54 54 + ) -> Result<Json<ResendMigrationVerificationOutput>, (StatusCode, Json<serde_json::Value>)> { 55 55 + let email = input.email.trim().to_lowercase(); 56 56 + 57 57 + let user = sqlx::query!( 58 58 + "SELECT id, did, email, email_verified, handle FROM users WHERE LOWER(email) = $1", 59 59 + email 60 60 + ) 61 61 + .fetch_optional(&state.db) 62 62 + .await 63 63 + .map_err(|e| { 64 64 + warn!(error = %e, "Database error during resend verification"); 65 65 + ( 66 66 + StatusCode::INTERNAL_SERVER_ERROR, 67 67 + Json(json!({ "error": "InternalError", "message": "Database error" })), 68 68 + ) 69 69 + })?; 70 70 + 71 71 + let user = match user { 72 72 + Some(u) => u, 73 73 + None => { 74 74 + return Ok(Json(ResendMigrationVerificationOutput { sent: true })); 75 75 + } 76 76 + }; 77 77 + 78 78 + if user.email_verified { 79 79 + return Ok(Json(ResendMigrationVerificationOutput { sent: true })); 80 80 + } 81 81 + 82 82 + let hostname = std::env::var("PDS_HOSTNAME").unwrap_or_else(|_| "localhost".to_string()); 83 83 + let token = crate::auth::verification_token::generate_migration_token(&user.did, &email); 84 84 + let formatted_token = crate::auth::verification_token::format_token_for_display(&token); 85 85 + 86 86 + if let Err(e) = crate::comms::enqueue_migration_verification( 87 87 + &state.db, 88 88 + user.id, 89 89 + &email, 90 90 + &formatted_token, 91 91 + &hostname, 92 92 + ) 93 93 + .await 94 94 + { 95 95 + warn!(error = %e, "Failed to enqueue migration verification email"); 96 96 + } 97 97 + 98 98 + info!(did = %user.did, "Resent migration verification email"); 99 99 + 100 100 + Ok(Json(ResendMigrationVerificationOutput { sent: true })) 101 101 + }

+391

src/api/server/verify_token.rs

··· 1 1 + use axum::{ 2 2 + Json, 3 3 + extract::State, 4 4 + http::{HeaderMap, StatusCode}, 5 5 + }; 6 6 + use serde::{Deserialize, Serialize}; 7 7 + use serde_json::json; 8 8 + use tracing::{error, info, warn}; 9 9 + 10 10 + use crate::auth::verification_token::{ 11 11 + VerificationPurpose, VerifyError, normalize_token_input, verify_token_signature, 12 12 + }; 13 13 + use crate::state::AppState; 14 14 + 15 15 + #[derive(Deserialize, Clone)] 16 16 + #[serde(rename_all = "camelCase")] 17 17 + pub struct VerifyTokenInput { 18 18 + pub token: String, 19 19 + pub identifier: String, 20 20 + } 21 21 + 22 22 + #[derive(Serialize, Clone)] 23 23 + #[serde(rename_all = "camelCase")] 24 24 + pub struct VerifyTokenOutput { 25 25 + pub success: bool, 26 26 + pub did: String, 27 27 + pub purpose: String, 28 28 + pub channel: String, 29 29 + } 30 30 + 31 31 + pub async fn verify_token( 32 32 + State(state): State<AppState>, 33 33 + headers: HeaderMap, 34 34 + Json(input): Json<VerifyTokenInput>, 35 35 + ) -> Result<Json<VerifyTokenOutput>, (StatusCode, Json<serde_json::Value>)> { 36 36 + verify_token_internal(&state, Some(&headers), input).await 37 37 + } 38 38 + 39 39 + pub async fn verify_token_internal( 40 40 + state: &AppState, 41 41 + headers: Option<&HeaderMap>, 42 42 + input: VerifyTokenInput, 43 43 + ) -> Result<Json<VerifyTokenOutput>, (StatusCode, Json<serde_json::Value>)> { 44 44 + let normalized_token = normalize_token_input(&input.token); 45 45 + let identifier = input.identifier.trim().to_lowercase(); 46 46 + 47 47 + let token_data = match verify_token_signature(&normalized_token) { 48 48 + Ok(data) => data, 49 49 + Err(e) => { 50 50 + let (status, error, message) = match e { 51 51 + VerifyError::InvalidFormat => ( 52 52 + StatusCode::BAD_REQUEST, 53 53 + "InvalidToken", 54 54 + "The verification token is invalid or malformed", 55 55 + ), 56 56 + VerifyError::UnsupportedVersion => ( 57 57 + StatusCode::BAD_REQUEST, 58 58 + "InvalidToken", 59 59 + "This verification token version is not supported", 60 60 + ), 61 61 + VerifyError::Expired => ( 62 62 + StatusCode::BAD_REQUEST, 63 63 + "ExpiredToken", 64 64 + "The verification token has expired. Please request a new one.", 65 65 + ), 66 66 + VerifyError::InvalidSignature => ( 67 67 + StatusCode::BAD_REQUEST, 68 68 + "InvalidToken", 69 69 + "The verification token signature is invalid", 70 70 + ), 71 71 + _ => ( 72 72 + StatusCode::BAD_REQUEST, 73 73 + "InvalidToken", 74 74 + "The verification token is not valid", 75 75 + ), 76 76 + }; 77 77 + warn!(error = ?e, "Token verification failed"); 78 78 + return Err((status, Json(json!({ "error": error, "message": message })))); 79 79 + } 80 80 + }; 81 81 + 82 82 + let expected_hash = crate::auth::verification_token::hash_identifier(&identifier); 83 83 + if token_data.identifier_hash != expected_hash { 84 84 + return Err(( 85 85 + StatusCode::BAD_REQUEST, 86 86 + Json( 87 87 + json!({ "error": "IdentifierMismatch", "message": "The identifier does not match the verification token" }), 88 88 + ), 89 89 + )); 90 90 + } 91 91 + 92 92 + match token_data.purpose { 93 93 + VerificationPurpose::Migration => { 94 94 + handle_migration_verification(state, &token_data.did, &token_data.channel, &identifier) 95 95 + .await 96 96 + } 97 97 + VerificationPurpose::ChannelUpdate => { 98 98 + let auth_did = extract_and_validate_auth(state, headers).await?; 99 99 + if auth_did != token_data.did { 100 100 + return Err(( 101 101 + StatusCode::BAD_REQUEST, 102 102 + Json( 103 103 + json!({ "error": "InvalidToken", "message": "Token does not match authenticated account" }), 104 104 + ), 105 105 + )); 106 106 + } 107 107 + handle_channel_update(state, &token_data.did, &token_data.channel, &identifier).await 108 108 + } 109 109 + VerificationPurpose::Signup => { 110 110 + handle_signup_verification(state, &token_data.did, &token_data.channel, &identifier) 111 111 + .await 112 112 + } 113 113 + } 114 114 + } 115 115 + 116 116 + async fn extract_and_validate_auth( 117 117 + state: &AppState, 118 118 + headers: Option<&HeaderMap>, 119 119 + ) -> Result<String, (StatusCode, Json<serde_json::Value>)> { 120 120 + let headers = headers.ok_or_else(|| { 121 121 + ( 122 122 + StatusCode::UNAUTHORIZED, 123 123 + Json(json!({ "error": "AuthenticationRequired", "message": "Authentication required for this verification" })), 124 124 + ) 125 125 + })?; 126 126 + 127 127 + let token = crate::auth::extract_bearer_token_from_header( 128 128 + headers.get("Authorization").and_then(|h| h.to_str().ok()), 129 129 + ) 130 130 + .ok_or_else(|| { 131 131 + ( 132 132 + StatusCode::UNAUTHORIZED, 133 133 + Json(json!({ "error": "AuthenticationRequired", "message": "Authentication required for this verification" })), 134 134 + ) 135 135 + })?; 136 136 + 137 137 + let user = crate::auth::validate_bearer_token(&state.db, &token) 138 138 + .await 139 139 + .map_err(|_| { 140 140 + ( 141 141 + StatusCode::UNAUTHORIZED, 142 142 + Json(json!({ "error": "AuthenticationFailed", "message": "Invalid authentication token" })), 143 143 + ) 144 144 + })?; 145 145 + 146 146 + Ok(user.did) 147 147 + } 148 148 + 149 149 + async fn handle_migration_verification( 150 150 + state: &AppState, 151 151 + did: &str, 152 152 + channel: &str, 153 153 + identifier: &str, 154 154 + ) -> Result<Json<VerifyTokenOutput>, (StatusCode, Json<serde_json::Value>)> { 155 155 + if channel != "email" { 156 156 + return Err(( 157 157 + StatusCode::BAD_REQUEST, 158 158 + Json( 159 159 + json!({ "error": "InvalidChannel", "message": "Migration verification is only supported for email" }), 160 160 + ), 161 161 + )); 162 162 + } 163 163 + 164 164 + let user = sqlx::query!( 165 165 + "SELECT id, email, email_verified FROM users WHERE did = $1", 166 166 + did 167 167 + ) 168 168 + .fetch_optional(&state.db) 169 169 + .await 170 170 + .map_err(|e| { 171 171 + warn!(error = %e, "Database error during migration verification"); 172 172 + ( 173 173 + StatusCode::INTERNAL_SERVER_ERROR, 174 174 + Json(json!({ "error": "InternalError", "message": "Database error" })), 175 175 + ) 176 176 + })?; 177 177 + 178 178 + let user = user.ok_or_else(|| { 179 179 + ( 180 180 + StatusCode::NOT_FOUND, 181 181 + Json(json!({ "error": "AccountNotFound", "message": "No account found for this verification token" })), 182 182 + ) 183 183 + })?; 184 184 + 185 185 + if user.email.as_ref().map(|e| e.to_lowercase()) != Some(identifier.to_string()) { 186 186 + return Err(( 187 187 + StatusCode::BAD_REQUEST, 188 188 + Json( 189 189 + json!({ "error": "IdentifierMismatch", "message": "The email address does not match the account" }), 190 190 + ), 191 191 + )); 192 192 + } 193 193 + 194 194 + if !user.email_verified { 195 195 + sqlx::query!( 196 196 + "UPDATE users SET email_verified = true WHERE id = $1", 197 197 + user.id 198 198 + ) 199 199 + .execute(&state.db) 200 200 + .await 201 201 + .map_err(|e| { 202 202 + warn!(error = %e, "Failed to update email_verified status"); 203 203 + ( 204 204 + StatusCode::INTERNAL_SERVER_ERROR, 205 205 + Json(json!({ "error": "InternalError", "message": "Failed to verify email" })), 206 206 + ) 207 207 + })?; 208 208 + } 209 209 + 210 210 + info!(did = %did, "Migration email verified successfully"); 211 211 + 212 212 + Ok(Json(VerifyTokenOutput { 213 213 + success: true, 214 214 + did: did.to_string(), 215 215 + purpose: "migration".to_string(), 216 216 + channel: channel.to_string(), 217 217 + })) 218 218 + } 219 219 + 220 220 + async fn handle_channel_update( 221 221 + state: &AppState, 222 222 + did: &str, 223 223 + channel: &str, 224 224 + identifier: &str, 225 225 + ) -> Result<Json<VerifyTokenOutput>, (StatusCode, Json<serde_json::Value>)> { 226 226 + let user_id = sqlx::query_scalar!("SELECT id FROM users WHERE did = $1", did) 227 227 + .fetch_one(&state.db) 228 228 + .await 229 229 + .map_err(|_| { 230 230 + ( 231 231 + StatusCode::INTERNAL_SERVER_ERROR, 232 232 + Json(json!({ "error": "InternalError", "message": "User not found" })), 233 233 + ) 234 234 + })?; 235 235 + 236 236 + let update_result = match channel { 237 237 + "email" => sqlx::query!( 238 238 + "UPDATE users SET email = $1, email_verified = TRUE, updated_at = NOW() WHERE id = $2", 239 239 + identifier, 240 240 + user_id 241 241 + ).execute(&state.db).await, 242 242 + "discord" => sqlx::query!( 243 243 + "UPDATE users SET discord_id = $1, discord_verified = TRUE, updated_at = NOW() WHERE id = $2", 244 244 + identifier, 245 245 + user_id 246 246 + ).execute(&state.db).await, 247 247 + "telegram" => sqlx::query!( 248 248 + "UPDATE users SET telegram_username = $1, telegram_verified = TRUE, updated_at = NOW() WHERE id = $2", 249 249 + identifier, 250 250 + user_id 251 251 + ).execute(&state.db).await, 252 252 + "signal" => sqlx::query!( 253 253 + "UPDATE users SET signal_number = $1, signal_verified = TRUE, updated_at = NOW() WHERE id = $2", 254 254 + identifier, 255 255 + user_id 256 256 + ).execute(&state.db).await, 257 257 + _ => { 258 258 + return Err(( 259 259 + StatusCode::BAD_REQUEST, 260 260 + Json(json!({ "error": "InvalidChannel", "message": "Invalid channel" })), 261 261 + )); 262 262 + } 263 263 + }; 264 264 + 265 265 + if let Err(e) = update_result { 266 266 + error!("Failed to update user channel: {:?}", e); 267 267 + if channel == "email" 268 268 + && e.as_database_error() 269 269 + .map(|db| db.is_unique_violation()) 270 270 + .unwrap_or(false) 271 271 + { 272 272 + return Err(( 273 273 + StatusCode::BAD_REQUEST, 274 274 + Json(json!({ "error": "EmailTaken", "message": "Email already in use" })), 275 275 + )); 276 276 + } 277 277 + return Err(( 278 278 + StatusCode::INTERNAL_SERVER_ERROR, 279 279 + Json(json!({ "error": "InternalError", "message": "Failed to update channel" })), 280 280 + )); 281 281 + } 282 282 + 283 283 + info!(did = %did, channel = %channel, "Channel verified successfully"); 284 284 + 285 285 + Ok(Json(VerifyTokenOutput { 286 286 + success: true, 287 287 + did: did.to_string(), 288 288 + purpose: "channel_update".to_string(), 289 289 + channel: channel.to_string(), 290 290 + })) 291 291 + } 292 292 + 293 293 + async fn handle_signup_verification( 294 294 + state: &AppState, 295 295 + did: &str, 296 296 + channel: &str, 297 297 + _identifier: &str, 298 298 + ) -> Result<Json<VerifyTokenOutput>, (StatusCode, Json<serde_json::Value>)> { 299 299 + let user = sqlx::query!( 300 300 + "SELECT id, handle, email, email_verified, discord_verified, telegram_verified, signal_verified FROM users WHERE did = $1", 301 301 + did 302 302 + ) 303 303 + .fetch_optional(&state.db) 304 304 + .await 305 305 + .map_err(|e| { 306 306 + warn!(error = %e, "Database error during signup verification"); 307 307 + ( 308 308 + StatusCode::INTERNAL_SERVER_ERROR, 309 309 + Json(json!({ "error": "InternalError", "message": "Database error" })), 310 310 + ) 311 311 + })?; 312 312 + 313 313 + let user = user.ok_or_else(|| { 314 314 + ( 315 315 + StatusCode::NOT_FOUND, 316 316 + Json(json!({ "error": "AccountNotFound", "message": "No account found for this verification token" })), 317 317 + ) 318 318 + })?; 319 319 + 320 320 + let is_verified = user.email_verified 321 321 + || user.discord_verified 322 322 + || user.telegram_verified 323 323 + || user.signal_verified; 324 324 + if is_verified { 325 325 + info!(did = %did, "Account already verified"); 326 326 + return Ok(Json(VerifyTokenOutput { 327 327 + success: true, 328 328 + did: did.to_string(), 329 329 + purpose: "signup".to_string(), 330 330 + channel: channel.to_string(), 331 331 + })); 332 332 + } 333 333 + 334 334 + let update_result = match channel { 335 335 + "email" => { 336 336 + sqlx::query!( 337 337 + "UPDATE users SET email_verified = TRUE WHERE id = $1", 338 338 + user.id 339 339 + ) 340 340 + .execute(&state.db) 341 341 + .await 342 342 + } 343 343 + "discord" => { 344 344 + sqlx::query!( 345 345 + "UPDATE users SET discord_verified = TRUE WHERE id = $1", 346 346 + user.id 347 347 + ) 348 348 + .execute(&state.db) 349 349 + .await 350 350 + } 351 351 + "telegram" => { 352 352 + sqlx::query!( 353 353 + "UPDATE users SET telegram_verified = TRUE WHERE id = $1", 354 354 + user.id 355 355 + ) 356 356 + .execute(&state.db) 357 357 + .await 358 358 + } 359 359 + "signal" => { 360 360 + sqlx::query!( 361 361 + "UPDATE users SET signal_verified = TRUE WHERE id = $1", 362 362 + user.id 363 363 + ) 364 364 + .execute(&state.db) 365 365 + .await 366 366 + } 367 367 + _ => { 368 368 + return Err(( 369 369 + StatusCode::BAD_REQUEST, 370 370 + Json(json!({ "error": "InvalidChannel", "message": "Invalid channel" })), 371 371 + )); 372 372 + } 373 373 + }; 374 374 + 375 375 + update_result.map_err(|e| { 376 376 + warn!(error = %e, "Failed to update channel verified status"); 377 377 + ( 378 378 + StatusCode::INTERNAL_SERVER_ERROR, 379 379 + Json(json!({ "error": "InternalError", "message": "Failed to verify channel" })), 380 380 + ) 381 381 + })?; 382 382 + 383 383 + info!(did = %did, channel = %channel, "Signup verified successfully"); 384 384 + 385 385 + Ok(Json(VerifyTokenOutput { 386 386 + success: true, 387 387 + did: did.to_string(), 388 388 + purpose: "signup".to_string(), 389 389 + channel: channel.to_string(), 390 390 + })) 391 391 + }

+8 -8

src/api/validation.rs

··· 64 64 return Err(HandleValidationError::TooLong); 65 65 } 66 66 67 67 - if let Some(first_char) = handle.chars().next() { 68 68 - if first_char == '-' || first_char == '_' { 69 69 - return Err(HandleValidationError::StartsWithInvalidChar); 70 70 - } 67 67 + if let Some(first_char) = handle.chars().next() 68 68 + && (first_char == '-' || first_char == '_') 69 69 + { 70 70 + return Err(HandleValidationError::StartsWithInvalidChar); 71 71 } 72 72 73 73 - if let Some(last_char) = handle.chars().last() { 74 74 - if last_char == '-' || last_char == '_' { 75 75 - return Err(HandleValidationError::EndsWithInvalidChar); 76 76 - } 73 73 + if let Some(last_char) = handle.chars().last() 74 74 + && (last_char == '-' || last_char == '_') 75 75 + { 76 76 + return Err(HandleValidationError::EndsWithInvalidChar); 77 77 } 78 78 79 79 for c in handle.chars() {

+8 -176

src/api/verification.rs

··· 1 1 - use crate::auth::validate_bearer_token; 2 1 use crate::state::AppState; 3 2 use axum::{ 4 3 Json, 5 4 extract::State, 6 6 - http::{HeaderMap, StatusCode}, 5 5 + http::HeaderMap, 7 6 response::{IntoResponse, Response}, 8 7 }; 9 9 - use chrono::Utc; 10 8 use serde::Deserialize; 11 9 use serde_json::json; 12 12 - use tracing::{error, info}; 13 10 14 11 #[derive(Deserialize)] 15 12 #[serde(rename_all = "camelCase")] 16 13 pub struct ConfirmChannelVerificationInput { 17 14 pub channel: String, 15 15 + pub identifier: String, 18 16 pub code: String, 19 17 } 20 18 ··· 23 21 headers: HeaderMap, 24 22 Json(input): Json<ConfirmChannelVerificationInput>, 25 23 ) -> Response { 26 26 - let token = match crate::auth::extract_bearer_token_from_header( 27 27 - headers.get("Authorization").and_then(|h| h.to_str().ok()), 28 28 - ) { 29 29 - Some(t) => t, 30 30 - None => return ( 31 31 - StatusCode::UNAUTHORIZED, 32 32 - Json(json!({"error": "AuthenticationRequired", "message": "Authentication required"})), 33 33 - ) 34 34 - .into_response(), 35 35 - }; 36 36 - let user = match validate_bearer_token(&state.db, &token).await { 37 37 - Ok(u) => u, 38 38 - Err(_) => { 39 39 - return ( 40 40 - StatusCode::UNAUTHORIZED, 41 41 - Json(json!({"error": "AuthenticationFailed", "message": "Invalid token"})), 42 42 - ) 43 43 - .into_response(); 44 44 - } 45 45 - }; 46 46 - 47 47 - let user_id = match sqlx::query_scalar!("SELECT id FROM users WHERE did = $1", user.did) 48 48 - .fetch_one(&state.db) 49 49 - .await 50 50 - { 51 51 - Ok(id) => id, 52 52 - Err(_) => { 53 53 - return ( 54 54 - StatusCode::INTERNAL_SERVER_ERROR, 55 55 - Json(json!({"error": "InternalError", "message": "User not found"})), 56 56 - ) 57 57 - .into_response(); 58 58 - } 59 59 - }; 60 60 - 61 61 - let channel_str = input.channel.as_str(); 62 62 - if !["email", "discord", "telegram", "signal"].contains(&channel_str) { 63 63 - return ( 64 64 - StatusCode::BAD_REQUEST, 65 65 - Json(json!({"error": "InvalidRequest", "message": "Invalid channel"})), 66 66 - ) 67 67 - .into_response(); 68 68 - } 69 69 - 70 70 - let record = match sqlx::query!( 71 71 - r#" 72 72 - SELECT code, pending_identifier, expires_at FROM channel_verifications 73 73 - WHERE user_id = $1 AND channel = $2::comms_channel 74 74 - "#, 75 75 - user_id, 76 76 - channel_str as _ 77 77 - ) 78 78 - .fetch_optional(&state.db) 79 79 - .await { 80 80 - Ok(Some(r)) => r, 81 81 - Ok(None) => return ( 82 82 - StatusCode::BAD_REQUEST, 83 83 - Json(json!({"error": "InvalidRequest", "message": "No pending verification found. Update notification preferences first."})), 84 84 - ) 85 85 - .into_response(), 86 86 - Err(e) => return ( 87 87 - StatusCode::INTERNAL_SERVER_ERROR, 88 88 - Json(json!({"error": "InternalError", "message": format!("Database error: {}", e)})), 89 89 - ) 90 90 - .into_response(), 91 91 - }; 92 92 - 93 93 - let pending_identifier = 94 94 - match record.pending_identifier { 95 95 - Some(p) => p, 96 96 - None => return ( 97 97 - StatusCode::BAD_REQUEST, 98 98 - Json(json!({"error": "InvalidRequest", "message": "No pending identifier found"})), 99 99 - ) 100 100 - .into_response(), 101 101 - }; 102 102 - 103 103 - if record.expires_at < Utc::now() { 104 104 - return ( 105 105 - StatusCode::BAD_REQUEST, 106 106 - Json(json!({"error": "ExpiredToken", "message": "Verification code expired"})), 107 107 - ) 108 108 - .into_response(); 109 109 - } 110 110 - 111 111 - if record.code != input.code { 112 112 - return ( 113 113 - StatusCode::BAD_REQUEST, 114 114 - Json(json!({"error": "InvalidCode", "message": "Invalid verification code"})), 115 115 - ) 116 116 - .into_response(); 117 117 - } 118 118 - 119 119 - let mut tx = match state.db.begin().await { 120 120 - Ok(tx) => tx, 121 121 - Err(_) => { 122 122 - return ( 123 123 - StatusCode::INTERNAL_SERVER_ERROR, 124 124 - Json(json!({"error": "InternalError"})), 125 125 - ) 126 126 - .into_response(); 127 127 - } 128 128 - }; 129 129 - 130 130 - let update_result = match channel_str { 131 131 - "email" => sqlx::query!( 132 132 - "UPDATE users SET email = $1, updated_at = NOW() WHERE id = $2", 133 133 - pending_identifier, 134 134 - user_id 135 135 - ).execute(&mut *tx).await, 136 136 - "discord" => sqlx::query!( 137 137 - "UPDATE users SET discord_id = $1, discord_verified = TRUE, updated_at = NOW() WHERE id = $2", 138 138 - pending_identifier, 139 139 - user_id 140 140 - ).execute(&mut *tx).await, 141 141 - "telegram" => sqlx::query!( 142 142 - "UPDATE users SET telegram_username = $1, telegram_verified = TRUE, updated_at = NOW() WHERE id = $2", 143 143 - pending_identifier, 144 144 - user_id 145 145 - ).execute(&mut *tx).await, 146 146 - "signal" => sqlx::query!( 147 147 - "UPDATE users SET signal_number = $1, signal_verified = TRUE, updated_at = NOW() WHERE id = $2", 148 148 - pending_identifier, 149 149 - user_id 150 150 - ).execute(&mut *tx).await, 151 151 - _ => unreachable!(), 24 24 + let token_input = crate::api::server::VerifyTokenInput { 25 25 + token: input.code, 26 26 + identifier: input.identifier, 152 27 }; 153 28 154 154 - if let Err(e) = update_result { 155 155 - error!("Failed to update user channel: {:?}", e); 156 156 - if channel_str == "email" 157 157 - && e.as_database_error() 158 158 - .map(|db| db.is_unique_violation()) 159 159 - .unwrap_or(false) 160 160 - { 161 161 - return ( 162 162 - StatusCode::BAD_REQUEST, 163 163 - Json(json!({"error": "EmailTaken", "message": "Email already in use"})), 164 164 - ) 165 165 - .into_response(); 166 166 - } 167 167 - return ( 168 168 - StatusCode::INTERNAL_SERVER_ERROR, 169 169 - Json(json!({"error": "InternalError", "message": "Failed to update channel"})), 170 170 - ) 171 171 - .into_response(); 172 172 - } 173 173 - 174 174 - if let Err(e) = sqlx::query!( 175 175 - "DELETE FROM channel_verifications WHERE user_id = $1 AND channel = $2::comms_channel", 176 176 - user_id, 177 177 - channel_str as _ 178 178 - ) 179 179 - .execute(&mut *tx) 180 180 - .await 181 181 - { 182 182 - error!("Failed to delete verification record: {:?}", e); 183 183 - return ( 184 184 - StatusCode::INTERNAL_SERVER_ERROR, 185 185 - Json(json!({"error": "InternalError"})), 186 186 - ) 187 187 - .into_response(); 29 29 + match crate::api::server::verify_token_internal(&state, Some(&headers), token_input).await { 30 30 + Ok(output) => Json(json!({"success": output.success})).into_response(), 31 31 + Err((status, err_json)) => (status, err_json).into_response(), 188 32 } 189 189 - 190 190 - if tx.commit().await.is_err() { 191 191 - return ( 192 192 - StatusCode::INTERNAL_SERVER_ERROR, 193 193 - Json(json!({"error": "InternalError"})), 194 194 - ) 195 195 - .into_response(); 196 196 - } 197 197 - 198 198 - info!(did = %user.did, channel = %channel_str, "Channel verified successfully"); 199 199 - 200 200 - Json(json!({"success": true})).into_response() 201 33 }

+1

src/auth/mod.rs

··· 12 12 pub mod service; 13 13 pub mod token; 14 14 pub mod totp; 15 15 + pub mod verification_token; 15 16 pub mod verify; 16 17 pub mod webauthn; 17 18

+423

src/auth/verification_token.rs

··· 1 1 + use base64::{Engine as _, engine::general_purpose::URL_SAFE_NO_PAD}; 2 2 + use hmac::Mac; 3 3 + use sha2::{Digest, Sha256}; 4 4 + 5 5 + type HmacSha256 = hmac::Hmac<Sha256>; 6 6 + 7 7 + const TOKEN_VERSION: u8 = 1; 8 8 + const DEFAULT_SIGNUP_EXPIRY_MINUTES: u64 = 30; 9 9 + const DEFAULT_MIGRATION_EXPIRY_HOURS: u64 = 48; 10 10 + const DEFAULT_CHANNEL_UPDATE_EXPIRY_MINUTES: u64 = 10; 11 11 + 12 12 + #[derive(Debug, Clone, Copy, PartialEq, Eq)] 13 13 + pub enum VerificationPurpose { 14 14 + Signup, 15 15 + Migration, 16 16 + ChannelUpdate, 17 17 + } 18 18 + 19 19 + impl VerificationPurpose { 20 20 + fn as_str(&self) -> &'static str { 21 21 + match self { 22 22 + Self::Signup => "signup", 23 23 + Self::Migration => "migration", 24 24 + Self::ChannelUpdate => "channel_update", 25 25 + } 26 26 + } 27 27 + 28 28 + fn from_str(s: &str) -> Option<Self> { 29 29 + match s { 30 30 + "signup" => Some(Self::Signup), 31 31 + "migration" => Some(Self::Migration), 32 32 + "channel_update" => Some(Self::ChannelUpdate), 33 33 + _ => None, 34 34 + } 35 35 + } 36 36 + 37 37 + fn default_expiry_seconds(&self) -> u64 { 38 38 + match self { 39 39 + Self::Signup => DEFAULT_SIGNUP_EXPIRY_MINUTES * 60, 40 40 + Self::Migration => DEFAULT_MIGRATION_EXPIRY_HOURS * 3600, 41 41 + Self::ChannelUpdate => DEFAULT_CHANNEL_UPDATE_EXPIRY_MINUTES * 60, 42 42 + } 43 43 + } 44 44 + } 45 45 + 46 46 + #[derive(Debug)] 47 47 + pub struct VerificationToken { 48 48 + pub did: String, 49 49 + pub purpose: VerificationPurpose, 50 50 + pub channel: String, 51 51 + pub identifier_hash: String, 52 52 + pub expires_at: u64, 53 53 + } 54 54 + 55 55 + fn derive_verification_key() -> [u8; 32] { 56 56 + use hkdf::Hkdf; 57 57 + let master_key = std::env::var("MASTER_KEY").unwrap_or_else(|_| { 58 58 + if cfg!(test) || std::env::var("TRANQUIL_PDS_ALLOW_INSECURE_SECRETS").is_ok() { 59 59 + "test-master-key-not-for-production".to_string() 60 60 + } else { 61 61 + panic!("MASTER_KEY must be set"); 62 62 + } 63 63 + }); 64 64 + let hk = Hkdf::<Sha256>::new(None, master_key.as_bytes()); 65 65 + let mut key = [0u8; 32]; 66 66 + hk.expand(b"tranquil-pds-verification-token-v1", &mut key) 67 67 + .expect("HKDF expansion failed"); 68 68 + key 69 69 + } 70 70 + 71 71 + pub fn hash_identifier(identifier: &str) -> String { 72 72 + let mut hasher = Sha256::new(); 73 73 + hasher.update(identifier.to_lowercase().as_bytes()); 74 74 + let result = hasher.finalize(); 75 75 + URL_SAFE_NO_PAD.encode(&result[..16]) 76 76 + } 77 77 + 78 78 + pub fn generate_signup_token(did: &str, channel: &str, identifier: &str) -> String { 79 79 + generate_token(did, VerificationPurpose::Signup, channel, identifier) 80 80 + } 81 81 + 82 82 + pub fn generate_migration_token(did: &str, email: &str) -> String { 83 83 + generate_token(did, VerificationPurpose::Migration, "email", email) 84 84 + } 85 85 + 86 86 + pub fn generate_channel_update_token(did: &str, channel: &str, identifier: &str) -> String { 87 87 + generate_token(did, VerificationPurpose::ChannelUpdate, channel, identifier) 88 88 + } 89 89 + 90 90 + pub fn generate_token( 91 91 + did: &str, 92 92 + purpose: VerificationPurpose, 93 93 + channel: &str, 94 94 + identifier: &str, 95 95 + ) -> String { 96 96 + generate_token_with_expiry( 97 97 + did, 98 98 + purpose, 99 99 + channel, 100 100 + identifier, 101 101 + purpose.default_expiry_seconds(), 102 102 + ) 103 103 + } 104 104 + 105 105 + pub fn generate_token_with_expiry( 106 106 + did: &str, 107 107 + purpose: VerificationPurpose, 108 108 + channel: &str, 109 109 + identifier: &str, 110 110 + expiry_seconds: u64, 111 111 + ) -> String { 112 112 + let key = derive_verification_key(); 113 113 + let identifier_hash = hash_identifier(identifier); 114 114 + let expires_at = std::time::SystemTime::now() 115 115 + .duration_since(std::time::UNIX_EPOCH) 116 116 + .unwrap_or_default() 117 117 + .as_secs() 118 118 + + expiry_seconds; 119 119 + 120 120 + let payload = format!( 121 121 + "{}|{}|{}|{}|{}", 122 122 + did, 123 123 + purpose.as_str(), 124 124 + channel, 125 125 + identifier_hash, 126 126 + expires_at 127 127 + ); 128 128 + 129 129 + let mut mac = <HmacSha256 as Mac>::new_from_slice(&key).expect("HMAC key size is valid"); 130 130 + mac.update(payload.as_bytes()); 131 131 + let signature = URL_SAFE_NO_PAD.encode(mac.finalize().into_bytes()); 132 132 + 133 133 + let token_data = format!( 134 134 + "{}|{}|{}|{}|{}|{}|{}", 135 135 + TOKEN_VERSION, 136 136 + did, 137 137 + purpose.as_str(), 138 138 + channel, 139 139 + identifier_hash, 140 140 + expires_at, 141 141 + signature 142 142 + ); 143 143 + URL_SAFE_NO_PAD.encode(token_data.as_bytes()) 144 144 + } 145 145 + 146 146 + #[derive(Debug)] 147 147 + pub enum VerifyError { 148 148 + InvalidFormat, 149 149 + UnsupportedVersion, 150 150 + Expired, 151 151 + InvalidSignature, 152 152 + IdentifierMismatch, 153 153 + PurposeMismatch, 154 154 + ChannelMismatch, 155 155 + } 156 156 + 157 157 + impl std::fmt::Display for VerifyError { 158 158 + fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result { 159 159 + match self { 160 160 + Self::InvalidFormat => write!(f, "Invalid token format"), 161 161 + Self::UnsupportedVersion => write!(f, "Unsupported token version"), 162 162 + Self::Expired => write!(f, "Token has expired"), 163 163 + Self::InvalidSignature => write!(f, "Invalid token signature"), 164 164 + Self::IdentifierMismatch => write!(f, "Identifier does not match token"), 165 165 + Self::PurposeMismatch => write!(f, "Token purpose does not match"), 166 166 + Self::ChannelMismatch => write!(f, "Token channel does not match"), 167 167 + } 168 168 + } 169 169 + } 170 170 + 171 171 + pub fn verify_signup_token( 172 172 + token: &str, 173 173 + expected_channel: &str, 174 174 + expected_identifier: &str, 175 175 + ) -> Result<VerificationToken, VerifyError> { 176 176 + let parsed = verify_token_signature(token)?; 177 177 + if parsed.purpose != VerificationPurpose::Signup { 178 178 + return Err(VerifyError::PurposeMismatch); 179 179 + } 180 180 + if parsed.channel != expected_channel { 181 181 + return Err(VerifyError::ChannelMismatch); 182 182 + } 183 183 + let expected_hash = hash_identifier(expected_identifier); 184 184 + if parsed.identifier_hash != expected_hash { 185 185 + return Err(VerifyError::IdentifierMismatch); 186 186 + } 187 187 + Ok(parsed) 188 188 + } 189 189 + 190 190 + pub fn verify_migration_token( 191 191 + token: &str, 192 192 + expected_email: &str, 193 193 + ) -> Result<VerificationToken, VerifyError> { 194 194 + let parsed = verify_token_signature(token)?; 195 195 + if parsed.purpose != VerificationPurpose::Migration { 196 196 + return Err(VerifyError::PurposeMismatch); 197 197 + } 198 198 + if parsed.channel != "email" { 199 199 + return Err(VerifyError::ChannelMismatch); 200 200 + } 201 201 + let expected_hash = hash_identifier(expected_email); 202 202 + if parsed.identifier_hash != expected_hash { 203 203 + return Err(VerifyError::IdentifierMismatch); 204 204 + } 205 205 + Ok(parsed) 206 206 + } 207 207 + 208 208 + pub fn verify_channel_update_token( 209 209 + token: &str, 210 210 + expected_channel: &str, 211 211 + expected_identifier: &str, 212 212 + ) -> Result<VerificationToken, VerifyError> { 213 213 + let parsed = verify_token_signature(token)?; 214 214 + if parsed.purpose != VerificationPurpose::ChannelUpdate { 215 215 + return Err(VerifyError::PurposeMismatch); 216 216 + } 217 217 + if parsed.channel != expected_channel { 218 218 + return Err(VerifyError::ChannelMismatch); 219 219 + } 220 220 + let expected_hash = hash_identifier(expected_identifier); 221 221 + if parsed.identifier_hash != expected_hash { 222 222 + return Err(VerifyError::IdentifierMismatch); 223 223 + } 224 224 + Ok(parsed) 225 225 + } 226 226 + 227 227 + pub fn verify_token_for_did( 228 228 + token: &str, 229 229 + expected_did: &str, 230 230 + ) -> Result<VerificationToken, VerifyError> { 231 231 + let parsed = verify_token_signature(token)?; 232 232 + if parsed.did != expected_did { 233 233 + return Err(VerifyError::IdentifierMismatch); 234 234 + } 235 235 + Ok(parsed) 236 236 + } 237 237 + 238 238 + pub fn verify_token_signature(token: &str) -> Result<VerificationToken, VerifyError> { 239 239 + let token_bytes = URL_SAFE_NO_PAD 240 240 + .decode(token.trim()) 241 241 + .map_err(|_| VerifyError::InvalidFormat)?; 242 242 + let token_str = String::from_utf8(token_bytes).map_err(|_| VerifyError::InvalidFormat)?; 243 243 + 244 244 + let parts: Vec<&str> = token_str.split('|').collect(); 245 245 + if parts.len() != 7 { 246 246 + return Err(VerifyError::InvalidFormat); 247 247 + } 248 248 + 249 249 + let version: u8 = parts[0].parse().map_err(|_| VerifyError::InvalidFormat)?; 250 250 + if version != TOKEN_VERSION { 251 251 + return Err(VerifyError::UnsupportedVersion); 252 252 + } 253 253 + 254 254 + let did = parts[1]; 255 255 + let purpose_str = parts[2]; 256 256 + let channel = parts[3]; 257 257 + let identifier_hash = parts[4]; 258 258 + let expires_at: u64 = parts[5].parse().map_err(|_| VerifyError::InvalidFormat)?; 259 259 + let provided_signature = parts[6]; 260 260 + 261 261 + let purpose = VerificationPurpose::from_str(purpose_str).ok_or(VerifyError::InvalidFormat)?; 262 262 + 263 263 + let now = std::time::SystemTime::now() 264 264 + .duration_since(std::time::UNIX_EPOCH) 265 265 + .unwrap_or_default() 266 266 + .as_secs(); 267 267 + if now > expires_at { 268 268 + return Err(VerifyError::Expired); 269 269 + } 270 270 + 271 271 + let key = derive_verification_key(); 272 272 + let payload = format!( 273 273 + "{}|{}|{}|{}|{}", 274 274 + did, purpose_str, channel, identifier_hash, expires_at 275 275 + ); 276 276 + let mut mac = <HmacSha256 as Mac>::new_from_slice(&key).expect("HMAC key size is valid"); 277 277 + mac.update(payload.as_bytes()); 278 278 + let expected_signature = URL_SAFE_NO_PAD.encode(mac.finalize().into_bytes()); 279 279 + 280 280 + use subtle::ConstantTimeEq; 281 281 + let sig_matches: bool = provided_signature 282 282 + .as_bytes() 283 283 + .ct_eq(expected_signature.as_bytes()) 284 284 + .into(); 285 285 + if !sig_matches { 286 286 + return Err(VerifyError::InvalidSignature); 287 287 + } 288 288 + 289 289 + Ok(VerificationToken { 290 290 + did: did.to_string(), 291 291 + purpose, 292 292 + channel: channel.to_string(), 293 293 + identifier_hash: identifier_hash.to_string(), 294 294 + expires_at, 295 295 + }) 296 296 + } 297 297 + 298 298 + pub fn format_token_for_display(token: &str) -> String { 299 299 + let clean = token.replace(['-', ' '], ""); 300 300 + let mut result = String::new(); 301 301 + for (i, c) in clean.chars().enumerate() { 302 302 + if i > 0 && i % 4 == 0 { 303 303 + result.push('-'); 304 304 + } 305 305 + result.push(c); 306 306 + } 307 307 + result 308 308 + } 309 309 + 310 310 + pub fn normalize_token_input(input: &str) -> String { 311 311 + input 312 312 + .chars() 313 313 + .filter(|c| c.is_ascii_alphanumeric() || *c == '_' || *c == '=') 314 314 + .collect() 315 315 + } 316 316 + 317 317 + #[cfg(test)] 318 318 + mod tests { 319 319 + use super::*; 320 320 + 321 321 + #[test] 322 322 + fn test_signup_token() { 323 323 + let did = "did:plc:test123"; 324 324 + let channel = "email"; 325 325 + let identifier = "test@example.com"; 326 326 + let token = generate_signup_token(did, channel, identifier); 327 327 + let result = verify_signup_token(&token, channel, identifier); 328 328 + assert!(result.is_ok(), "Expected Ok, got {:?}", result); 329 329 + let parsed = result.unwrap(); 330 330 + assert_eq!(parsed.did, did); 331 331 + assert_eq!(parsed.purpose, VerificationPurpose::Signup); 332 332 + assert_eq!(parsed.channel, channel); 333 333 + } 334 334 + 335 335 + #[test] 336 336 + fn test_migration_token() { 337 337 + let did = "did:plc:test123"; 338 338 + let email = "test@example.com"; 339 339 + let token = generate_migration_token(did, email); 340 340 + let result = verify_migration_token(&token, email); 341 341 + assert!(result.is_ok(), "Expected Ok, got {:?}", result); 342 342 + let parsed = result.unwrap(); 343 343 + assert_eq!(parsed.did, did); 344 344 + assert_eq!(parsed.purpose, VerificationPurpose::Migration); 345 345 + } 346 346 + 347 347 + #[test] 348 348 + fn test_token_case_insensitive() { 349 349 + let did = "did:plc:test123"; 350 350 + let token = generate_signup_token(did, "email", "Test@Example.COM"); 351 351 + let result = verify_signup_token(&token, "email", "test@example.com"); 352 352 + assert!(result.is_ok()); 353 353 + } 354 354 + 355 355 + #[test] 356 356 + fn test_token_wrong_identifier() { 357 357 + let did = "did:plc:test123"; 358 358 + let token = generate_signup_token(did, "email", "test@example.com"); 359 359 + let result = verify_signup_token(&token, "email", "other@example.com"); 360 360 + assert!(matches!(result, Err(VerifyError::IdentifierMismatch))); 361 361 + } 362 362 + 363 363 + #[test] 364 364 + fn test_token_wrong_channel() { 365 365 + let did = "did:plc:test123"; 366 366 + let token = generate_signup_token(did, "email", "test@example.com"); 367 367 + let result = verify_signup_token(&token, "discord", "test@example.com"); 368 368 + assert!(matches!(result, Err(VerifyError::ChannelMismatch))); 369 369 + } 370 370 + 371 371 + #[test] 372 372 + fn test_expired_token() { 373 373 + let did = "did:plc:test123"; 374 374 + let token = generate_token_with_expiry( 375 375 + did, 376 376 + VerificationPurpose::Signup, 377 377 + "email", 378 378 + "test@example.com", 379 379 + 0, 380 380 + ); 381 381 + std::thread::sleep(std::time::Duration::from_millis(1100)); 382 382 + let result = verify_signup_token(&token, "email", "test@example.com"); 383 383 + assert!(matches!(result, Err(VerifyError::Expired))); 384 384 + } 385 385 + 386 386 + #[test] 387 387 + fn test_invalid_token() { 388 388 + let result = verify_signup_token("invalid-token", "email", "test@example.com"); 389 389 + assert!(matches!(result, Err(VerifyError::InvalidFormat))); 390 390 + } 391 391 + 392 392 + #[test] 393 393 + fn test_purpose_mismatch() { 394 394 + let did = "did:plc:test123"; 395 395 + let email = "test@example.com"; 396 396 + let signup_token = generate_signup_token(did, "email", email); 397 397 + let result = verify_migration_token(&signup_token, email); 398 398 + assert!(matches!(result, Err(VerifyError::PurposeMismatch))); 399 399 + } 400 400 + 401 401 + #[test] 402 402 + fn test_discord_channel() { 403 403 + let did = "did:plc:test123"; 404 404 + let discord_id = "123456789012345678"; 405 405 + let token = generate_signup_token(did, "discord", discord_id); 406 406 + let result = verify_signup_token(&token, "discord", discord_id); 407 407 + assert!(result.is_ok()); 408 408 + } 409 409 + 410 410 + #[test] 411 411 + fn test_format_token_for_display() { 412 412 + let token = "ABCDEFGHIJKLMNOP"; 413 413 + let formatted = format_token_for_display(token); 414 414 + assert_eq!(formatted, "ABCD-EFGH-IJKL-MNOP"); 415 415 + } 416 416 + 417 417 + #[test] 418 418 + fn test_normalize_token_input() { 419 419 + let input = "ABCD-EFGH IJKL-MNOP"; 420 420 + let normalized = normalize_token_input(input); 421 421 + assert_eq!(normalized, "ABCDEFGHIJKLMNOP"); 422 422 + } 423 423 + }

+28 -28

src/comms/locale.rs

··· 12 12 pub struct NotificationStrings { 13 13 pub welcome_subject: &'static str, 14 14 pub welcome_body: &'static str, 15 15 - pub email_verification_subject: &'static str, 16 16 - pub email_verification_body: &'static str, 17 15 pub password_reset_subject: &'static str, 18 16 pub password_reset_body: &'static str, 19 17 pub email_update_subject: &'static str, ··· 30 28 pub signup_verification_body: &'static str, 31 29 pub legacy_login_subject: &'static str, 32 30 pub legacy_login_body: &'static str, 31 31 + pub migration_verification_subject: &'static str, 32 32 + pub migration_verification_body: &'static str, 33 33 } 34 34 35 35 pub fn get_strings(locale: &str) -> &'static NotificationStrings { ··· 46 46 static STRINGS_EN: NotificationStrings = NotificationStrings { 47 47 welcome_subject: "Welcome to {hostname}", 48 48 welcome_body: "Welcome to {hostname}!\n\nYour handle is: @{handle}\n\nThank you for joining us.", 49 49 - email_verification_subject: "Verify your email - {hostname}", 50 50 - email_verification_body: "Hello @{handle},\n\nYour email verification code is: {code}\n\nThis code will expire in 10 minutes.\n\nIf you did not request this, please ignore this email.", 51 49 password_reset_subject: "Password Reset - {hostname}", 52 50 password_reset_body: "Hello @{handle},\n\nYour password reset code is: {code}\n\nThis code will expire in 10 minutes.\n\nIf you did not request this, please ignore this message.", 53 51 email_update_subject: "Confirm your new email - {hostname}", 54 54 - email_update_body: "Hello @{handle},\n\nYour email update confirmation code is: {code}\n\nThis code will expire in 10 minutes.\n\nIf you did not request this, please ignore this email.", 52 52 + email_update_body: "Hello @{handle},\n\nYour verification code is:\n{code}\n\nCopy the code above and enter it at:\n{verify_page}\n\nThis code will expire in 10 minutes.\n\nIf you did not request this, please ignore this email.\n\n(Or if you like to live dangerously: {verify_link})", 55 53 account_deletion_subject: "Account Deletion Request - {hostname}", 56 54 account_deletion_body: "Hello @{handle},\n\nYour account deletion confirmation code is: {code}\n\nThis code will expire in 10 minutes.\n\nIf you did not request this, please secure your account immediately.", 57 55 plc_operation_subject: "{hostname} - PLC Operation Token", ··· 61 59 passkey_recovery_subject: "Account Recovery - {hostname}", 62 60 passkey_recovery_body: "Hello @{handle},\n\nYou requested to recover your passkey-only account.\n\nClick the link below to set a temporary password and regain access:\n{url}\n\nThis link will expire in 1 hour.\n\nIf you did not request this, please ignore this message. Your account remains secure.", 63 61 signup_verification_subject: "Verify your account - {hostname}", 64 64 - signup_verification_body: "Welcome! Your account verification code is: {code}\n\nThis code will expire in 30 minutes.\n\nEnter this code to complete your registration on {hostname}.", 62 62 + signup_verification_body: "Welcome! Your verification code is:\n{code}\n\nCopy the code above and enter it at:\n{verify_page}\n\nThis code will expire in 30 minutes.\n\nIf you did not create an account on {hostname}, please ignore this message.\n\n(Or if you like to live dangerously: {verify_link})", 65 63 legacy_login_subject: "Security Alert: Legacy Login Detected - {hostname}", 66 64 legacy_login_body: "Hello @{handle},\n\nA login to your account was detected using a legacy app (like Bluesky) that doesn't support TOTP verification.\n\nDetails:\n- Time: {timestamp}\n- IP Address: {ip}\n\nYour TOTP protection was bypassed for this login. The session has limited permissions for sensitive operations.\n\nIf this wasn't you, please:\n1. Change your password immediately\n2. Review your active sessions\n3. Consider disabling legacy app logins in your security settings\n\nStay safe,\n{hostname}", 65 65 + migration_verification_subject: "Verify your email - {hostname}", 66 66 + migration_verification_body: "Welcome to {hostname}!\n\nYour account has been migrated successfully. To complete the setup, please verify your email address.\n\nYour verification code is:\n{code}\n\nCopy the code above and enter it at:\n{verify_page}\n\nThis code will expire in 48 hours.\n\nIf you did not migrate your account, please ignore this email.\n\n(Or if you like to live dangerously: {verify_link})", 67 67 }; 68 68 69 69 static STRINGS_ZH: NotificationStrings = NotificationStrings { 70 70 welcome_subject: "欢迎加入 {hostname}", 71 71 welcome_body: "欢迎加入 {hostname}！\n\n您的用户名是：@{handle}\n\n感谢您的加入。", 72 72 - email_verification_subject: "验证您的邮箱 - {hostname}", 73 73 - email_verification_body: "您好 @{handle}，\n\n您的邮箱验证码是：{code}\n\n此验证码将在10分钟后过期。\n\n如果这不是您的操作，请忽略此邮件。", 74 72 password_reset_subject: "密码重置 - {hostname}", 75 73 password_reset_body: "您好 @{handle}，\n\n您的密码重置验证码是：{code}\n\n此验证码将在10分钟后过期。\n\n如果这不是您的操作，请忽略此消息。", 76 74 email_update_subject: "确认您的新邮箱 - {hostname}", 77 77 - email_update_body: "您好 @{handle}，\n\n您的邮箱更新确认码是：{code}\n\n此验证码将在10分钟后过期。\n\n如果这不是您的操作，请忽略此邮件。", 75 75 + email_update_body: "您好 @{handle}，\n\n您的验证码是：\n{code}\n\n复制上述验证码并在此输入：\n{verify_page}\n\n此验证码将在10分钟后过期。\n\n如果这不是您的操作，请忽略此邮件。\n\n（或者直接点击链接：{verify_link}）", 78 76 account_deletion_subject: "账户删除请求 - {hostname}", 79 77 account_deletion_body: "您好 @{handle}，\n\n您的账户删除确认码是：{code}\n\n此验证码将在10分钟后过期。\n\n如果这不是您的操作，请立即保护您的账户。", 80 78 plc_operation_subject: "{hostname} - PLC 操作令牌", ··· 84 82 passkey_recovery_subject: "账户恢复 - {hostname}", 85 83 passkey_recovery_body: "您好 @{handle}，\n\n您请求恢复仅通行密钥账户的访问权限。\n\n点击以下链接设置临时密码并恢复访问：\n{url}\n\n此链接将在1小时后过期。\n\n如果这不是您的操作，请忽略此消息。您的账户仍然安全。", 86 84 signup_verification_subject: "验证您的账户 - {hostname}", 87 87 - signup_verification_body: "欢迎！您的账户验证码是：{code}\n\n此验证码将在30分钟后过期。\n\n请输入此验证码完成在 {hostname} 上的注册。", 85 85 + signup_verification_body: "欢迎！您的验证码是：\n{code}\n\n复制上述验证码并在此输入：\n{verify_page}\n\n此验证码将在30分钟后过期。\n\n如果您没有在 {hostname} 上创建账户，请忽略此消息。\n\n（或者直接点击链接：{verify_link}）", 88 86 legacy_login_subject: "安全提醒：检测到传统应用登录 - {hostname}", 89 87 legacy_login_body: "您好 @{handle}，\n\n检测到使用不支持 TOTP 验证的传统应用（如 Bluesky）登录您的账户。\n\n详细信息：\n- 时间：{timestamp}\n- IP 地址：{ip}\n\n此次登录绕过了 TOTP 保护。该会话对敏感操作的权限有限。\n\n如果这不是您的操作，请：\n1. 立即更改密码\n2. 检查您的活跃会话\n3. 考虑在安全设置中禁用传统应用登录\n\n请注意安全，\n{hostname}", 88 88 + migration_verification_subject: "验证您的邮箱 - {hostname}", 89 89 + migration_verification_body: "欢迎来到 {hostname}！\n\n您的账户已成功迁移。要完成设置，请验证您的邮箱地址。\n\n您的验证码是：\n{code}\n\n复制上述验证码并在此输入：\n{verify_page}\n\n此验证码将在 48 小时后过期。\n\n如果您没有迁移账户，请忽略此邮件。\n\n（或者直接点击链接：{verify_link}）", 90 90 }; 91 91 92 92 static STRINGS_JA: NotificationStrings = NotificationStrings { 93 93 welcome_subject: "{hostname} へようこそ", 94 94 welcome_body: "{hostname} へようこそ！\n\nお客様のハンドル：@{handle}\n\nご登録ありがとうございます。", 95 95 - email_verification_subject: "メール認証 - {hostname}", 96 96 - email_verification_body: "@{handle} 様\n\nメール認証コードは：{code}\n\nこのコードは10分後に期限切れとなります。\n\nこの操作に心当たりがない場合は、このメールを無視してください。", 97 95 password_reset_subject: "パスワードリセット - {hostname}", 98 96 password_reset_body: "@{handle} 様\n\nパスワードリセットコードは：{code}\n\nこのコードは10分後に期限切れとなります。\n\nこの操作に心当たりがない場合は、このメッセージを無視してください。", 99 97 email_update_subject: "新しいメールアドレスの確認 - {hostname}", 100 100 - email_update_body: "@{handle} 様\n\nメールアドレス更新の確認コードは：{code}\n\nこのコードは10分後に期限切れとなります。\n\nこの操作に心当たりがない場合は、このメールを無視してください。", 98 98 + email_update_body: "@{handle} 様\n\n確認コードは：\n{code}\n\n上記のコードをコピーして、こちらで入力してください：\n{verify_page}\n\nこのコードは10分後に期限切れとなります。\n\nこの操作に心当たりがない場合は、このメールを無視してください。\n\n（自己責任でワンクリック認証：{verify_link}）", 101 99 account_deletion_subject: "アカウント削除リクエスト - {hostname}", 102 100 account_deletion_body: "@{handle} 様\n\nアカウント削除の確認コードは：{code}\n\nこのコードは10分後に期限切れとなります。\n\nこの操作に心当たりがない場合は、直ちにアカウントを保護してください。", 103 101 plc_operation_subject: "{hostname} - PLC 操作トークン", ··· 107 105 passkey_recovery_subject: "アカウント復旧 - {hostname}", 108 106 passkey_recovery_body: "@{handle} 様\n\nパスキー専用アカウントの復旧をリクエストされました。\n\n以下のリンクをクリックして一時パスワードを設定し、アクセスを回復してください：\n{url}\n\nこのリンクは1時間後に期限切れとなります。\n\nこの操作に心当たりがない場合は、このメッセージを無視してください。アカウントは安全なままです。", 109 107 signup_verification_subject: "アカウント認証 - {hostname}", 110 110 - signup_verification_body: "ようこそ！アカウント認証コードは：{code}\n\nこのコードは30分後に期限切れとなります。\n\n{hostname} への登録を完了するには、このコードを入力してください。", 108 108 + signup_verification_body: "ようこそ！認証コードは：\n{code}\n\n上記のコードをコピーして、こちらで入力してください：\n{verify_page}\n\nこのコードは30分後に期限切れとなります。\n\n{hostname} でアカウントを作成していない場合は、このメールを無視してください。\n\n（自己責任でワンクリック認証：{verify_link}）", 111 109 legacy_login_subject: "セキュリティ警告：レガシーログインを検出 - {hostname}", 112 110 legacy_login_body: "@{handle} 様\n\nTOTP 認証に対応していないレガシーアプリ（Bluesky など）からのログインが検出されました。\n\n詳細：\n- 時刻：{timestamp}\n- IP アドレス：{ip}\n\nこのログインでは TOTP 保護がバイパスされました。このセッションは機密操作に対する権限が制限されています。\n\n心当たりがない場合は：\n1. 直ちにパスワードを変更してください\n2. アクティブなセッションを確認してください\n3. セキュリティ設定でレガシーアプリのログインを無効にすることを検討してください\n\nご注意ください。\n{hostname}", 111 111 + migration_verification_subject: "メールアドレスの認証 - {hostname}", 112 112 + migration_verification_body: "{hostname} へようこそ！\n\nアカウントの移行が完了しました。設定を完了するには、メールアドレスを認証してください。\n\n認証コードは：\n{code}\n\n上記のコードをコピーして、こちらで入力してください：\n{verify_page}\n\nこのコードは48時間後に期限切れとなります。\n\nアカウントを移行していない場合は、このメールを無視してください。\n\n（自己責任でワンクリック認証：{verify_link}）", 113 113 }; 114 114 115 115 static STRINGS_KO: NotificationStrings = NotificationStrings { 116 116 welcome_subject: "{hostname}에 오신 것을 환영합니다", 117 117 welcome_body: "{hostname}에 오신 것을 환영합니다!\n\n회원님의 핸들은: @{handle}\n\n가입해 주셔서 감사합니다.", 118 118 - email_verification_subject: "이메일 인증 - {hostname}", 119 119 - email_verification_body: "안녕하세요 @{handle}님,\n\n이메일 인증 코드는: {code}\n\n이 코드는 10분 후에 만료됩니다.\n\n요청하지 않으셨다면 이 이메일을 무시하세요.", 120 118 password_reset_subject: "비밀번호 재설정 - {hostname}", 121 119 password_reset_body: "안녕하세요 @{handle}님,\n\n비밀번호 재설정 코드는: {code}\n\n이 코드는 10분 후에 만료됩니다.\n\n요청하지 않으셨다면 이 메시지를 무시하세요.", 122 122 - email_update_subject: "새 이메일 확인 - {hostname}", 123 123 - email_update_body: "안녕하세요 @{handle}님,\n\n이메일 업데이트 확인 코드는: {code}\n\n이 코드는 10분 후에 만료됩니다.\n\n요청하지 않으셨다면 이 이메일을 무시하세요.", 120 120 + email_update_subject: "새 이메일 주소 확인 - {hostname}", 121 121 + email_update_body: "안녕하세요 @{handle}님,\n\n인증 코드는:\n{code}\n\n위 코드를 복사하여 여기에 입력하세요:\n{verify_page}\n\n이 코드는 10분 후에 만료됩니다.\n\n요청하지 않으셨다면 이 이메일을 무시하세요.\n\n(위험을 감수하고 원클릭 인증: {verify_link})", 124 122 account_deletion_subject: "계정 삭제 요청 - {hostname}", 125 123 account_deletion_body: "안녕하세요 @{handle}님,\n\n계정 삭제 확인 코드는: {code}\n\n이 코드는 10분 후에 만료됩니다.\n\n요청하지 않으셨다면 즉시 계정을 보호하세요.", 126 124 plc_operation_subject: "{hostname} - PLC 작업 토큰", ··· 130 128 passkey_recovery_subject: "계정 복구 - {hostname}", 131 129 passkey_recovery_body: "안녕하세요 @{handle}님,\n\n패스키 전용 계정 복구를 요청하셨습니다.\n\n아래 링크를 클릭하여 임시 비밀번호를 설정하고 액세스를 복구하세요:\n{url}\n\n이 링크는 1시간 후에 만료됩니다.\n\n요청하지 않으셨다면 이 메시지를 무시하세요. 계정은 안전하게 유지됩니다.", 132 130 signup_verification_subject: "계정 인증 - {hostname}", 133 133 - signup_verification_body: "환영합니다! 계정 인증 코드는: {code}\n\n이 코드는 30분 후에 만료됩니다.\n\n{hostname}에서 등록을 완료하려면 이 코드를 입력하세요.", 131 131 + signup_verification_body: "환영합니다! 인증 코드는:\n{code}\n\n위 코드를 복사하여 여기에 입력하세요:\n{verify_page}\n\n이 코드는 30분 후에 만료됩니다.\n\n{hostname}에서 계정을 만들지 않았다면 이 이메일을 무시하세요.\n\n(위험을 감수하고 원클릭 인증: {verify_link})", 134 132 legacy_login_subject: "보안 알림: 레거시 로그인 감지 - {hostname}", 135 133 legacy_login_body: "안녕하세요 @{handle}님,\n\nTOTP 인증을 지원하지 않는 레거시 앱(예: Bluesky)을 사용한 로그인이 감지되었습니다.\n\n세부 정보:\n- 시간: {timestamp}\n- IP 주소: {ip}\n\n이 로그인에서 TOTP 보호가 우회되었습니다. 이 세션은 민감한 작업에 대한 권한이 제한됩니다.\n\n본인이 아닌 경우:\n1. 즉시 비밀번호를 변경하세요\n2. 활성 세션을 검토하세요\n3. 보안 설정에서 레거시 앱 로그인 비활성화를 고려하세요\n\n{hostname} 드림", 134 134 + migration_verification_subject: "이메일 인증 - {hostname}", 135 135 + migration_verification_body: "{hostname}에 오신 것을 환영합니다!\n\n계정 마이그레이션이 완료되었습니다. 설정을 완료하려면 이메일 주소를 인증하세요.\n\n인증 코드는:\n{code}\n\n위 코드를 복사하여 여기에 입력하세요:\n{verify_page}\n\n이 코드는 48시간 후에 만료됩니다.\n\n계정을 마이그레이션하지 않았다면 이 이메일을 무시하세요.\n\n(위험을 감수하고 원클릭 인증: {verify_link})", 136 136 }; 137 137 138 138 static STRINGS_SV: NotificationStrings = NotificationStrings { 139 139 welcome_subject: "Välkommen till {hostname}", 140 140 welcome_body: "Välkommen till {hostname}!\n\nDitt användarnamn är: @{handle}\n\nTack för att du gick med.", 141 141 - email_verification_subject: "Verifiera din e-post - {hostname}", 142 142 - email_verification_body: "Hej @{handle},\n\nDin e-postverifieringskod är: {code}\n\nDenna kod upphör om 10 minuter.\n\nOm du inte begärde detta kan du ignorera detta meddelande.", 143 141 password_reset_subject: "Lösenordsåterställning - {hostname}", 144 142 password_reset_body: "Hej @{handle},\n\nDin kod för lösenordsåterställning är: {code}\n\nDenna kod upphör om 10 minuter.\n\nOm du inte begärde detta kan du ignorera detta meddelande.", 145 143 email_update_subject: "Bekräfta din nya e-post - {hostname}", 146 146 - email_update_body: "Hej @{handle},\n\nDin bekräftelsekod för e-postuppdatering är: {code}\n\nDenna kod upphör om 10 minuter.\n\nOm du inte begärde detta kan du ignorera detta meddelande.", 144 144 + email_update_body: "Hej @{handle},\n\nDin verifieringskod är:\n{code}\n\nKopiera koden ovan och ange den på:\n{verify_page}\n\nDenna kod upphör om 10 minuter.\n\nOm du inte begärde detta kan du ignorera detta meddelande.\n\n(Eller om du gillar att leva farligt: {verify_link})", 147 145 account_deletion_subject: "Begäran om kontoradering - {hostname}", 148 146 account_deletion_body: "Hej @{handle},\n\nDin bekräftelsekod för kontoradering är: {code}\n\nDenna kod upphör om 10 minuter.\n\nOm du inte begärde detta, skydda ditt konto omedelbart.", 149 147 plc_operation_subject: "{hostname} - PLC-operationstoken", ··· 153 151 passkey_recovery_subject: "Kontoåterställning - {hostname}", 154 152 passkey_recovery_body: "Hej @{handle},\n\nDu begärde att återställa ditt endast nyckelkonto.\n\nKlicka på länken nedan för att ställa in ett tillfälligt lösenord och återfå åtkomst:\n{url}\n\nDenna länk upphör om 1 timme.\n\nOm du inte begärde detta kan du ignorera detta meddelande. Ditt konto förblir säkert.", 155 153 signup_verification_subject: "Verifiera ditt konto - {hostname}", 156 156 - signup_verification_body: "Välkommen! Din kontoverifieringskod är: {code}\n\nDenna kod upphör om 30 minuter.\n\nAnge denna kod för att slutföra din registrering på {hostname}.", 154 154 + signup_verification_body: "Välkommen! Din verifieringskod är:\n{code}\n\nKopiera koden ovan och ange den på:\n{verify_page}\n\nDenna kod upphör om 30 minuter.\n\nOm du inte skapade ett konto på {hostname}, ignorera detta meddelande.\n\n(Eller om du gillar att leva farligt: {verify_link})", 157 155 legacy_login_subject: "Säkerhetsvarning: Äldre inloggning upptäckt - {hostname}", 158 156 legacy_login_body: "Hej @{handle},\n\nEn inloggning till ditt konto upptäcktes med en äldre app (som Bluesky) som inte stöder TOTP-verifiering.\n\nDetaljer:\n- Tid: {timestamp}\n- IP-adress: {ip}\n\nDitt TOTP-skydd kringgicks för denna inloggning. Sessionen har begränsade behörigheter för känsliga operationer.\n\nOm detta inte var du:\n1. Ändra ditt lösenord omedelbart\n2. Granska dina aktiva sessioner\n3. Överväg att inaktivera äldre appinloggningar i dina säkerhetsinställningar\n\nVar försiktig,\n{hostname}", 157 157 + migration_verification_subject: "Verifiera din e-post - {hostname}", 158 158 + migration_verification_body: "Välkommen till {hostname}!\n\nDitt konto har migrerats framgångsrikt. För att slutföra installationen, verifiera din e-postadress.\n\nDin verifieringskod är:\n{code}\n\nKopiera koden ovan och ange den på:\n{verify_page}\n\nDenna kod upphör om 48 timmar.\n\nOm du inte migrerade ditt konto kan du ignorera detta meddelande.\n\n(Eller om du gillar att leva farligt: {verify_link})", 159 159 }; 160 160 161 161 static STRINGS_FI: NotificationStrings = NotificationStrings { 162 162 welcome_subject: "Tervetuloa palveluun {hostname}", 163 163 welcome_body: "Tervetuloa palveluun {hostname}!\n\nKäyttäjänimesi on: @{handle}\n\nKiitos liittymisestä.", 164 164 - email_verification_subject: "Vahvista sähköpostisi - {hostname}", 165 165 - email_verification_body: "Hei @{handle},\n\nSähköpostin vahvistuskoodisi on: {code}\n\nTämä koodi vanhenee 10 minuutissa.\n\nJos et pyytänyt tätä, voit jättää tämän viestin huomiotta.", 166 164 password_reset_subject: "Salasanan palautus - {hostname}", 167 165 password_reset_body: "Hei @{handle},\n\nSalasanan palautuskoodisi on: {code}\n\nTämä koodi vanhenee 10 minuutissa.\n\nJos et pyytänyt tätä, voit jättää tämän viestin huomiotta.", 168 168 - email_update_subject: "Vahvista uusi sähköpostiosoitteesi - {hostname}", 169 169 - email_update_body: "Hei @{handle},\n\nSähköpostin päivityksen vahvistuskoodisi on: {code}\n\nTämä koodi vanhenee 10 minuutissa.\n\nJos et pyytänyt tätä, voit jättää tämän viestin huomiotta.", 166 166 + email_update_subject: "Vahvista uusi sähköpostisi - {hostname}", 167 167 + email_update_body: "Hei @{handle},\n\nVahvistuskoodisi on:\n{code}\n\nKopioi koodi yllä ja syötä se osoitteessa:\n{verify_page}\n\nTämä koodi vanhenee 10 minuutissa.\n\nJos et pyytänyt tätä, voit jättää tämän viestin huomiotta.\n\n(Tai jos pidät vaarallisesta elämästä: {verify_link})", 170 168 account_deletion_subject: "Tilin poistopyyntö - {hostname}", 171 169 account_deletion_body: "Hei @{handle},\n\nTilin poiston vahvistuskoodisi on: {code}\n\nTämä koodi vanhenee 10 minuutissa.\n\nJos et pyytänyt tätä, suojaa tilisi välittömästi.", 172 170 plc_operation_subject: "{hostname} - PLC-toimintotunniste", ··· 176 174 passkey_recovery_subject: "Tilin palautus - {hostname}", 177 175 passkey_recovery_body: "Hei @{handle},\n\nPyysit palauttamaan vain pääsyavaintilisi.\n\nKlikkaa alla olevaa linkkiä asettaaksesi väliaikaisen salasanan ja saadaksesi pääsyn takaisin:\n{url}\n\nTämä linkki vanhenee tunnissa.\n\nJos et pyytänyt tätä, voit jättää tämän viestin huomiotta. Tilisi pysyy turvassa.", 178 176 signup_verification_subject: "Vahvista tilisi - {hostname}", 179 179 - signup_verification_body: "Tervetuloa! Tilin vahvistuskoodisi on: {code}\n\nTämä koodi vanhenee 30 minuutissa.\n\nSyötä tämä koodi viimeistelläksesi rekisteröintisi palveluun {hostname}.", 177 177 + signup_verification_body: "Tervetuloa! Vahvistuskoodisi on:\n{code}\n\nKopioi koodi yllä ja syötä se osoitteessa:\n{verify_page}\n\nTämä koodi vanhenee 30 minuutissa.\n\nJos et luonut tiliä palveluun {hostname}, jätä tämä viesti huomiotta.\n\n(Tai jos pidät vaarallisesta elämästä: {verify_link})", 180 178 legacy_login_subject: "Turvallisuushälytys: Vanha kirjautuminen havaittu - {hostname}", 181 179 legacy_login_body: "Hei @{handle},\n\nTilillesi havaittiin kirjautuminen vanhalla sovelluksella (kuten Bluesky), joka ei tue TOTP-vahvistusta.\n\nTiedot:\n- Aika: {timestamp}\n- IP-osoite: {ip}\n\nTOTP-suojauksesi ohitettiin tässä kirjautumisessa. Istunnolla on rajoitetut oikeudet arkaluontoisiin toimintoihin.\n\nJos tämä et ollut sinä:\n1. Vaihda salasanasi välittömästi\n2. Tarkista aktiiviset istuntosi\n3. Harkitse vanhojen sovellusten kirjautumisen poistamista käytöstä turvallisuusasetuksissa\n\nOle varovainen,\n{hostname}", 180 180 + migration_verification_subject: "Vahvista sähköpostisi - {hostname}", 181 181 + migration_verification_body: "Tervetuloa palveluun {hostname}!\n\nTilisi on siirretty onnistuneesti. Viimeistele asennus vahvistamalla sähköpostiosoitteesi.\n\nVahvistuskoodisi on:\n{code}\n\nKopioi koodi yllä ja syötä se osoitteessa:\n{verify_page}\n\nTämä koodi vanhenee 48 tunnissa.\n\nJos et siirtänyt tiliäsi, voit jättää tämän viestin huomiotta.\n\n(Tai jos pidät vaarallisesta elämästä: {verify_link})", 182 182 }; 183 183 184 184 pub fn format_message(template: &str, vars: &[(&str, &str)]) -> String {

+1 -1

src/comms/mod.rs

··· 10 10 11 11 pub use service::{ 12 12 CommsService, channel_display_name, enqueue_2fa_code, enqueue_account_deletion, enqueue_comms, 13 13 - enqueue_email_update, enqueue_email_verification, enqueue_passkey_recovery, 13 13 + enqueue_email_update, enqueue_migration_verification, enqueue_passkey_recovery, 14 14 enqueue_password_reset, enqueue_plc_operation, enqueue_signup_verification, enqueue_welcome, 15 15 queue_legacy_login_notification, 16 16 };

+81 -34

src/comms/service.rs

··· 313 313 .await 314 314 } 315 315 316 316 - pub async fn enqueue_email_verification( 317 317 - db: &PgPool, 318 318 - user_id: Uuid, 319 319 - email: &str, 320 320 - handle: &str, 321 321 - code: &str, 322 322 - hostname: &str, 323 323 - ) -> Result<Uuid, sqlx::Error> { 324 324 - let prefs = get_user_comms_prefs(db, user_id).await?; 325 325 - let strings = get_strings(&prefs.locale); 326 326 - let body = format_message( 327 327 - strings.email_verification_body, 328 328 - &[("handle", handle), ("code", code)], 329 329 - ); 330 330 - let subject = format_message(strings.email_verification_subject, &[("hostname", hostname)]); 331 331 - enqueue_comms( 332 332 - db, 333 333 - NewComms::email( 334 334 - user_id, 335 335 - super::types::CommsType::EmailVerification, 336 336 - email.to_string(), 337 337 - subject, 338 338 - body, 339 339 - ), 340 340 - ) 341 341 - .await 342 342 - } 343 343 - 344 316 pub async fn enqueue_password_reset( 345 317 db: &PgPool, 346 318 user_id: Uuid, ··· 378 350 ) -> Result<Uuid, sqlx::Error> { 379 351 let prefs = get_user_comms_prefs(db, user_id).await?; 380 352 let strings = get_strings(&prefs.locale); 353 353 + let encoded_email = urlencoding::encode(new_email); 354 354 + let encoded_token = urlencoding::encode(code); 355 355 + let verify_page = format!("https://{}/#/verify", hostname); 356 356 + let verify_link = format!( 357 357 + "https://{}/#/verify?token={}&identifier={}", 358 358 + hostname, encoded_token, encoded_email 359 359 + ); 381 360 let body = format_message( 382 361 strings.email_update_body, 383 383 - &[("handle", handle), ("code", code)], 362 362 + &[ 363 363 + ("handle", handle), 364 364 + ("code", code), 365 365 + ("verify_page", &verify_page), 366 366 + ("verify_link", &verify_link), 367 367 + ], 384 368 ); 385 369 let subject = format_message(strings.email_update_subject, &[("hostname", hostname)]); 386 370 enqueue_comms( ··· 530 514 _ => CommsChannel::Email, 531 515 }; 532 516 let strings = get_strings(locale.unwrap_or("en")); 517 517 + let (verify_page, verify_link) = if comms_channel == CommsChannel::Email { 518 518 + let encoded_email = urlencoding::encode(recipient); 519 519 + let encoded_token = urlencoding::encode(code); 520 520 + ( 521 521 + format!("https://{}/#/verify", hostname), 522 522 + format!( 523 523 + "https://{}/#/verify?token={}&identifier={}", 524 524 + hostname, encoded_token, encoded_email 525 525 + ), 526 526 + ) 527 527 + } else { 528 528 + (String::new(), String::new()) 529 529 + }; 533 530 let body = format_message( 534 531 strings.signup_verification_body, 535 535 - &[("code", code), ("hostname", &hostname)], 532 532 + &[ 533 533 + ("code", code), 534 534 + ("hostname", &hostname), 535 535 + ("verify_page", &verify_page), 536 536 + ("verify_link", &verify_link), 537 537 + ], 536 538 ); 537 539 let subject = match comms_channel { 538 538 - CommsChannel::Email => { 539 539 - Some(format_message(strings.signup_verification_subject, &[("hostname", &hostname)])) 540 540 - } 540 540 + CommsChannel::Email => Some(format_message( 541 541 + strings.signup_verification_subject, 542 542 + &[("hostname", &hostname)], 543 543 + )), 541 544 _ => None, 542 545 }; 543 546 enqueue_comms( ··· 554 557 .await 555 558 } 556 559 560 560 + pub async fn enqueue_migration_verification( 561 561 + db: &PgPool, 562 562 + user_id: Uuid, 563 563 + email: &str, 564 564 + token: &str, 565 565 + hostname: &str, 566 566 + ) -> Result<Uuid, sqlx::Error> { 567 567 + let prefs = get_user_comms_prefs(db, user_id).await?; 568 568 + let strings = get_strings(&prefs.locale); 569 569 + let encoded_email = urlencoding::encode(email); 570 570 + let encoded_token = urlencoding::encode(token); 571 571 + let verify_page = format!("https://{}/#/verify", hostname); 572 572 + let verify_link = format!( 573 573 + "https://{}/#/verify?token={}&identifier={}", 574 574 + hostname, encoded_token, encoded_email 575 575 + ); 576 576 + let body = format_message( 577 577 + strings.migration_verification_body, 578 578 + &[ 579 579 + ("code", token), 580 580 + ("hostname", hostname), 581 581 + ("verify_page", &verify_page), 582 582 + ("verify_link", &verify_link), 583 583 + ], 584 584 + ); 585 585 + let subject = format_message( 586 586 + strings.migration_verification_subject, 587 587 + &[("hostname", hostname)], 588 588 + ); 589 589 + enqueue_comms( 590 590 + db, 591 591 + NewComms::email( 592 592 + user_id, 593 593 + super::types::CommsType::MigrationVerification, 594 594 + email.to_string(), 595 595 + subject, 596 596 + body, 597 597 + ), 598 598 + ) 599 599 + .await 600 600 + } 601 601 + 557 602 pub async fn queue_legacy_login_notification( 558 603 db: &PgPool, 559 604 user_id: Uuid, ··· 563 608 ) -> Result<Uuid, sqlx::Error> { 564 609 let prefs = get_user_comms_prefs(db, user_id).await?; 565 610 let strings = get_strings(&prefs.locale); 566 566 - let timestamp = chrono::Utc::now().format("%Y-%m-%d %H:%M:%S UTC").to_string(); 611 611 + let timestamp = chrono::Utc::now() 612 612 + .format("%Y-%m-%d %H:%M:%S UTC") 613 613 + .to_string(); 567 614 let body = format_message( 568 615 strings.legacy_login_body, 569 616 &[

+1

src/comms/types.rs

··· 34 34 TwoFactorCode, 35 35 PasskeyRecovery, 36 36 LegacyLoginAlert, 37 37 + MigrationVerification, 37 38 } 38 39 39 40 #[derive(Debug, Clone, FromRow)]

+5 -2

src/config.rs

··· 114 114 .expect("HKDF expansion failed"); 115 115 116 116 let mut device_cookie_key = [0u8; 32]; 117 117 - hk.expand(b"tranquil-pds-device-cookie-signing", &mut device_cookie_key) 118 118 - .expect("HKDF expansion failed"); 117 117 + hk.expand( 118 118 + b"tranquil-pds-device-cookie-signing", 119 119 + &mut device_cookie_key, 120 120 + ) 121 121 + .expect("HKDF expansion failed"); 119 122 120 123 AuthConfig { 121 124 jwt_secret,

+12

src/lib.rs

··· 296 296 post(api::server::reserve_signing_key), 297 297 ) 298 298 .route( 299 299 + "/xrpc/com.atproto.server.verifyMigrationEmail", 300 300 + post(api::server::verify_migration_email), 301 301 + ) 302 302 + .route( 303 303 + "/xrpc/com.atproto.server.resendMigrationVerification", 304 304 + post(api::server::resend_migration_verification), 305 305 + ) 306 306 + .route( 299 307 "/xrpc/com.atproto.identity.updateHandle", 300 308 post(api::identity::update_handle), 301 309 ) ··· 549 557 .route( 550 558 "/xrpc/com.tranquil.account.confirmChannelVerification", 551 559 post(api::verification::confirm_channel_verification), 560 560 + ) 561 561 + .route( 562 562 + "/xrpc/com.tranquil.account.verifyToken", 563 563 + post(api::server::verify_token), 552 564 ) 553 565 .route("/xrpc/{*method}", any(api::proxy::proxy_handler)) 554 566 .layer(middleware::from_fn(metrics::metrics_middleware))

+2 -1

src/oauth/endpoints/metadata.rs

··· 172 172 "refresh_token".to_string(), 173 173 ], 174 174 response_types: vec!["code".to_string()], 175 175 - scope: "atproto repo:*?action=create repo:*?action=update repo:*?action=delete blob:*/*".to_string(), 175 175 + scope: "atproto repo:*?action=create repo:*?action=update repo:*?action=delete blob:*/*" 176 176 + .to_string(), 176 177 token_endpoint_auth_method: "none".to_string(), 177 178 application_type: "web".to_string(), 178 179 dpop_bound_access_tokens: true,

+4 -3

src/rate_limit.rs

··· 74 74 email_update: Arc::new(RateLimiter::keyed(Quota::per_hour( 75 75 NonZeroU32::new(5).unwrap(), 76 76 ))), 77 77 - totp_verify: Arc::new(RateLimiter::keyed(Quota::with_period(std::time::Duration::from_secs(60)) 78 78 - .unwrap() 79 79 - .allow_burst(NonZeroU32::new(5).unwrap()), 77 77 + totp_verify: Arc::new(RateLimiter::keyed( 78 78 + Quota::with_period(std::time::Duration::from_secs(60)) 79 79 + .unwrap() 80 80 + .allow_burst(NonZeroU32::new(5).unwrap()), 80 81 )), 81 82 } 82 83 }

+51 -13

src/validation/mod.rs

··· 458 458 459 459 fn is_common_password(password: &str) -> bool { 460 460 const COMMON_PASSWORDS: &[&str] = &[ 461 461 - "password", "Password1", "Password123", "Passw0rd", "Passw0rd!", 462 462 - "12345678", "123456789", "1234567890", 463 463 - "qwerty123", "Qwerty123", "qwertyui", "Qwertyui", 464 464 - "letmein1", "Letmein1", "welcome1", "Welcome1", 465 465 - "admin123", "Admin123", "password1", "Password1!", 466 466 - "iloveyou", "Iloveyou1", "monkey123", "Monkey123", 467 467 - "dragon12", "Dragon123", "master12", "Master123", 468 468 - "login123", "Login123", "abc12345", "Abc12345", 469 469 - "football", "Football1", "baseball", "Baseball1", 470 470 - "trustno1", "Trustno1", "sunshine", "Sunshine1", 471 471 - "princess", "Princess1", "computer", "Computer1", 472 472 - "whatever", "Whatever1", "nintendo", "Nintendo1", 473 473 - "bluesky1", "Bluesky1", "Bluesky123", 461 461 + "password", 462 462 + "Password1", 463 463 + "Password123", 464 464 + "Passw0rd", 465 465 + "Passw0rd!", 466 466 + "12345678", 467 467 + "123456789", 468 468 + "1234567890", 469 469 + "qwerty123", 470 470 + "Qwerty123", 471 471 + "qwertyui", 472 472 + "Qwertyui", 473 473 + "letmein1", 474 474 + "Letmein1", 475 475 + "welcome1", 476 476 + "Welcome1", 477 477 + "admin123", 478 478 + "Admin123", 479 479 + "password1", 480 480 + "Password1!", 481 481 + "iloveyou", 482 482 + "Iloveyou1", 483 483 + "monkey123", 484 484 + "Monkey123", 485 485 + "dragon12", 486 486 + "Dragon123", 487 487 + "master12", 488 488 + "Master123", 489 489 + "login123", 490 490 + "Login123", 491 491 + "abc12345", 492 492 + "Abc12345", 493 493 + "football", 494 494 + "Football1", 495 495 + "baseball", 496 496 + "Baseball1", 497 497 + "trustno1", 498 498 + "Trustno1", 499 499 + "sunshine", 500 500 + "Sunshine1", 501 501 + "princess", 502 502 + "Princess1", 503 503 + "computer", 504 504 + "Computer1", 505 505 + "whatever", 506 506 + "Whatever1", 507 507 + "nintendo", 508 508 + "Nintendo1", 509 509 + "bluesky1", 510 510 + "Bluesky1", 511 511 + "Bluesky123", 474 512 ]; 475 513 476 514 let lower = password.to_lowercase();

+44 -8

tests/account_notifications.rs

··· 92 92 .await 93 93 .expect("User not found"); 94 94 95 95 - let code: String = sqlx::query_scalar!( 96 96 - "SELECT code FROM channel_verifications WHERE user_id = $1 AND channel = 'discord'", 95 95 + let row = sqlx::query!( 96 96 + "SELECT body, metadata FROM comms_queue WHERE user_id = $1 AND comms_type = 'channel_verification' ORDER BY created_at DESC LIMIT 1", 97 97 user_id 98 98 ) 99 99 .fetch_one(&pool) 100 100 .await 101 101 .expect("Verification code not found"); 102 102 103 103 + let code = row 104 104 + .metadata 105 105 + .as_ref() 106 106 + .and_then(|m| m.get("code")) 107 107 + .and_then(|c| c.as_str()) 108 108 + .expect("No code in metadata"); 109 109 + 103 110 let input = json!({ 104 111 "channel": "discord", 112 112 + "identifier": "123456789", 105 113 "code": code 106 114 }); 107 115 let resp = client ··· 153 161 154 162 let input = json!({ 155 163 "channel": "telegram", 156 156 - "code": "000000" 164 164 + "identifier": "testuser", 165 165 + "code": "XXXX-XXXX-XXXX-XXXX" 157 166 }); 158 167 let resp = client 159 168 .post(format!( ··· 165 174 .send() 166 175 .await 167 176 .unwrap(); 168 168 - assert_eq!(resp.status(), 400); 177 177 + assert!( 178 178 + resp.status() == 400 || resp.status() == 422, 179 179 + "Expected 400 or 422, got {}", 180 180 + resp.status() 181 181 + ); 169 182 } 170 183 171 184 #[tokio::test] ··· 176 189 177 190 let input = json!({ 178 191 "channel": "signal", 179 179 - "code": "123456" 192 192 + "identifier": "123456", 193 193 + "code": "XXXX-XXXX-XXXX-XXXX" 180 194 }); 181 195 let resp = client 182 196 .post(format!( ··· 188 202 .send() 189 203 .await 190 204 .unwrap(); 191 191 - assert_eq!(resp.status(), 400); 205 205 + assert!( 206 206 + resp.status() == 400 || resp.status() == 422, 207 207 + "Expected 400 or 422, got {}", 208 208 + resp.status() 209 209 + ); 192 210 } 193 211 194 212 #[tokio::test] ··· 226 244 .await 227 245 .expect("User not found"); 228 246 229 229 - let code: String = sqlx::query_scalar!( 230 230 - "SELECT code FROM channel_verifications WHERE user_id = $1 AND channel = 'email'", 247 247 + let body_text: String = sqlx::query_scalar!( 248 248 + "SELECT body FROM comms_queue WHERE user_id = $1 AND comms_type = 'email_update' ORDER BY created_at DESC LIMIT 1", 231 249 user_id 232 250 ) 233 251 .fetch_one(&pool) 234 252 .await 235 253 .expect("Verification code not found"); 236 254 255 255 + let code = body_text 256 256 + .lines() 257 257 + .skip_while(|line| !line.contains("verification code")) 258 258 + .nth(1) 259 259 + .map(|line| line.trim().to_string()) 260 260 + .filter(|line| !line.is_empty() && line.contains('-')) 261 261 + .unwrap_or_else(|| { 262 262 + body_text 263 263 + .lines() 264 264 + .find(|line| { 265 265 + let trimmed = line.trim(); 266 266 + trimmed.starts_with("MX") && trimmed.contains('-') 267 267 + }) 268 268 + .map(|s| s.trim().to_string()) 269 269 + .unwrap_or_default() 270 270 + }); 271 271 + 237 272 let input = json!({ 238 273 "channel": "email", 274 274 + "identifier": unique_email, 239 275 "code": code 240 276 }); 241 277 let resp = client

+48 -5

tests/common/mod.rs

··· 297 297 .connect(&conn_str) 298 298 .await 299 299 .expect("Failed to connect to test database"); 300 300 - let verification_code: String = sqlx::query_scalar!( 301 301 - "SELECT code FROM channel_verifications WHERE user_id = (SELECT id FROM users WHERE did = $1) AND channel = 'email'", 300 300 + let body_text: String = sqlx::query_scalar!( 301 301 + "SELECT body FROM comms_queue WHERE user_id = (SELECT id FROM users WHERE did = $1) AND comms_type = 'email_verification' ORDER BY created_at DESC LIMIT 1", 302 302 did 303 303 ) 304 304 .fetch_one(&pool) 305 305 .await 306 306 .expect("Failed to get verification code"); 307 307 + 308 308 + let verification_code = body_text 309 309 + .lines() 310 310 + .find(|line| line.contains("verification code:") || line.contains("code is:")) 311 311 + .and_then(|line| { 312 312 + if line.contains("verification code:") { 313 313 + line.split("verification code:") 314 314 + .nth(1) 315 315 + .map(|s| s.trim().to_string()) 316 316 + } else { 317 317 + line.split("code is:").nth(1).map(|s| s.trim().to_string()) 318 318 + } 319 319 + }) 320 320 + .unwrap_or_else(|| { 321 321 + body_text 322 322 + .lines() 323 323 + .find(|line| line.trim().starts_with("MX") && line.contains('-')) 324 324 + .map(|s| s.trim().to_string()) 325 325 + .unwrap_or_default() 326 326 + }); 307 327 308 328 let confirm_payload = json!({ 309 329 "did": did, ··· 453 473 if let Some(access_jwt) = body["accessJwt"].as_str() { 454 474 return (access_jwt.to_string(), did); 455 475 } 456 456 - let verification_code: String = sqlx::query_scalar!( 457 457 - "SELECT code FROM channel_verifications WHERE user_id = (SELECT id FROM users WHERE did = $1) AND channel = 'email'", 476 476 + let body_text: String = sqlx::query_scalar!( 477 477 + "SELECT body FROM comms_queue WHERE user_id = (SELECT id FROM users WHERE did = $1) AND comms_type = 'email_verification' ORDER BY created_at DESC LIMIT 1", 458 478 &did 459 479 ) 460 480 .fetch_one(&pool) 461 481 .await 462 462 - .expect("Failed to get verification code"); 482 482 + .expect("Failed to get verification from comms_queue"); 483 483 + let verification_code = body_text 484 484 + .lines() 485 485 + .find(|line| line.contains("verification code:") || line.contains("code is:")) 486 486 + .and_then(|line| { 487 487 + if line.contains("verification code:") { 488 488 + line.split("verification code:") 489 489 + .nth(1) 490 490 + .map(|s| s.trim().to_string()) 491 491 + } else if line.contains("code is:") { 492 492 + line.split("code is:").nth(1).map(|s| s.trim().to_string()) 493 493 + } else { 494 494 + None 495 495 + } 496 496 + }) 497 497 + .unwrap_or_else(|| { 498 498 + body_text 499 499 + .split_whitespace() 500 500 + .find(|word| { 501 501 + word.contains('-') && word.chars().filter(|c| *c == '-').count() >= 3 502 502 + }) 503 503 + .unwrap_or(&body_text) 504 504 + .to_string() 505 505 + }); 463 506 464 507 let confirm_payload = json!({ 465 508 "did": did,

+18 -14

tests/did_web.rs

··· 1 1 mod common; 2 2 - use base64::engine::general_purpose::URL_SAFE_NO_PAD; 3 2 use base64::Engine; 3 3 + use base64::engine::general_purpose::URL_SAFE_NO_PAD; 4 4 use common::*; 5 5 use k256::ecdsa::{SigningKey, signature::Signer}; 6 6 use reqwest::StatusCode; ··· 387 387 let mock_uri = mock_server.uri(); 388 388 let mock_addr = mock_uri.trim_start_matches("http://"); 389 389 let unique_id = uuid::Uuid::new_v4().to_string().replace("-", ""); 390 390 - let did = format!("did:web:{}:byod:{}", mock_addr.replace(":", "%3A"), unique_id); 390 390 + let did = format!( 391 391 + "did:web:{}:byod:{}", 392 392 + mock_addr.replace(":", "%3A"), 393 393 + unique_id 394 394 + ); 391 395 let handle = format!("byod_{}", uuid::Uuid::new_v4()); 392 396 let pds_endpoint = base_url().await.replace("http://", "https://"); 393 393 - let pds_did = format!( 394 394 - "did:web:{}", 395 395 - pds_endpoint.trim_start_matches("https://") 396 396 - ); 397 397 + let pds_did = format!("did:web:{}", pds_endpoint.trim_start_matches("https://")); 397 398 398 399 let temp_key = SigningKey::random(&mut rand::thread_rng()); 399 400 let public_key_multibase = signing_key_to_multibase(&temp_key); ··· 443 444 let body: Value = res.json().await.expect("Response was not JSON"); 444 445 let returned_did = body["did"].as_str().expect("No DID in response"); 445 446 assert_eq!(returned_did, did, "Returned DID should match requested DID"); 446 446 - let access_jwt = body["accessJwt"] 447 447 - .as_str() 448 448 - .expect("No accessJwt in response"); 447 447 + assert_eq!( 448 448 + body["verificationRequired"], true, 449 449 + "BYOD accounts should require verification" 450 450 + ); 451 451 + 452 452 + let access_jwt = common::verify_new_account(&client, returned_did).await; 449 453 450 454 let res = client 451 455 .get(format!( 452 456 "{}/xrpc/com.atproto.server.checkAccountStatus", 453 457 base_url().await 454 458 )) 455 455 - .bearer_auth(access_jwt) 459 459 + .bearer_auth(&access_jwt) 456 460 .send() 457 461 .await 458 462 .expect("Failed to check account status"); ··· 468 472 "{}/xrpc/com.atproto.identity.getRecommendedDidCredentials", 469 473 base_url().await 470 474 )) 471 471 - .bearer_auth(access_jwt) 475 475 + .bearer_auth(&access_jwt) 472 476 .send() 473 477 .await 474 478 .expect("Failed to get recommended credentials"); ··· 491 495 "{}/xrpc/com.atproto.server.activateAccount", 492 496 base_url().await 493 497 )) 494 494 - .bearer_auth(access_jwt) 498 498 + .bearer_auth(&access_jwt) 495 499 .send() 496 500 .await 497 501 .expect("Failed to activate account"); ··· 506 510 "{}/xrpc/com.atproto.server.checkAccountStatus", 507 511 base_url().await 508 512 )) 509 509 - .bearer_auth(access_jwt) 513 513 + .bearer_auth(&access_jwt) 510 514 .send() 511 515 .await 512 516 .expect("Failed to check account status"); ··· 522 526 "{}/xrpc/com.atproto.repo.createRecord", 523 527 base_url().await 524 528 )) 525 525 - .bearer_auth(access_jwt) 529 529 + .bearer_auth(&access_jwt) 526 530 .json(&json!({ 527 531 "repo": did, 528 532 "collection": "app.bsky.feed.post",

+40 -57

tests/email_update.rs

··· 12 12 .expect("Failed to connect to test database") 13 13 } 14 14 15 15 + async fn get_email_update_token(pool: &PgPool, did: &str) -> String { 16 16 + let body_text: String = sqlx::query_scalar!( 17 17 + "SELECT body FROM comms_queue WHERE user_id = (SELECT id FROM users WHERE did = $1) AND comms_type = 'email_update' ORDER BY created_at DESC LIMIT 1", 18 18 + did 19 19 + ) 20 20 + .fetch_one(pool) 21 21 + .await 22 22 + .expect("Verification not found"); 23 23 + 24 24 + body_text 25 25 + .lines() 26 26 + .skip_while(|line| !line.contains("verification code")) 27 27 + .nth(1) 28 28 + .map(|line| line.trim().to_string()) 29 29 + .filter(|line| !line.is_empty() && line.contains('-')) 30 30 + .unwrap_or_else(|| { 31 31 + body_text 32 32 + .lines() 33 33 + .find(|line| line.trim().starts_with("MX") && line.contains('-')) 34 34 + .map(|s| s.trim().to_string()) 35 35 + .unwrap_or_default() 36 36 + }) 37 37 + } 38 38 + 15 39 async fn create_verified_account( 16 40 client: &reqwest::Client, 17 41 base_url: &str, ··· 61 85 let body: Value = res.json().await.expect("Invalid JSON"); 62 86 assert_eq!(body["tokenRequired"], true); 63 87 64 64 - let verification = sqlx::query!( 65 65 - "SELECT pending_identifier, code FROM channel_verifications WHERE user_id = (SELECT id FROM users WHERE did = $1) AND channel = 'email'", 66 66 - did 67 67 - ) 68 68 - .fetch_one(&pool) 69 69 - .await 70 70 - .expect("Verification not found"); 71 71 - 72 72 - assert_eq!( 73 73 - verification.pending_identifier.as_deref(), 74 74 - Some(new_email.as_str()) 75 75 - ); 76 76 - let code = verification.code; 88 88 + let code = get_email_update_token(&pool, &did).await; 77 89 let res = client 78 90 .post(format!("{}/xrpc/com.atproto.server.confirmEmail", base_url)) 79 91 .bearer_auth(&access_jwt) ··· 90 102 .await 91 103 .expect("User not found"); 92 104 assert_eq!(user.email, Some(new_email)); 93 93 - 94 94 - let verification = sqlx::query!( 95 95 - "SELECT code FROM channel_verifications WHERE user_id = (SELECT id FROM users WHERE did = $1) AND channel = 'email'", 96 96 - did 97 97 - ) 98 98 - .fetch_optional(&pool) 99 99 - .await 100 100 - .expect("DB error"); 101 101 - assert!(verification.is_none()); 102 105 } 103 106 104 107 #[tokio::test] ··· 180 183 .await 181 184 .expect("Failed to request email update"); 182 185 assert_eq!(res.status(), StatusCode::OK); 183 183 - let verification = sqlx::query!( 184 184 - "SELECT code FROM channel_verifications WHERE user_id = (SELECT id FROM users WHERE did = $1) AND channel = 'email'", 185 185 - did 186 186 - ) 187 187 - .fetch_one(&pool) 188 188 - .await 189 189 - .expect("Verification not found"); 190 190 - let code = verification.code; 186 186 + let code = get_email_update_token(&pool, &did).await; 191 187 let res = client 192 188 .post(format!("{}/xrpc/com.atproto.server.confirmEmail", base_url)) 193 189 .bearer_auth(&access_jwt) ··· 200 196 .expect("Failed to confirm email"); 201 197 assert_eq!(res.status(), StatusCode::BAD_REQUEST); 202 198 let body: Value = res.json().await.expect("Invalid JSON"); 203 203 - assert_eq!(body["message"], "Email does not match pending update"); 199 199 + assert!( 200 200 + body["message"].as_str().unwrap().contains("mismatch") || body["error"] == "InvalidToken" 201 201 + ); 204 202 } 205 203 206 204 #[tokio::test] 207 207 - async fn test_update_email_success_no_token_required() { 205 205 + async fn test_update_email_requires_token() { 208 206 let client = common::client(); 209 207 let base_url = common::base_url().await; 210 210 - let pool = get_pool().await; 211 208 let handle = format!("emailup_direct_{}", uuid::Uuid::new_v4()); 212 209 let email = format!("{}@example.com", handle); 213 213 - let (access_jwt, did) = create_verified_account(&client, &base_url, &handle, &email).await; 210 210 + let (access_jwt, _) = create_verified_account(&client, &base_url, &handle, &email).await; 214 211 let new_email = format!("direct_{}@example.com", handle); 215 212 let res = client 216 213 .post(format!("{}/xrpc/com.atproto.server.updateEmail", base_url)) ··· 219 216 .send() 220 217 .await 221 218 .expect("Failed to update email"); 222 222 - assert_eq!(res.status(), StatusCode::OK); 223 223 - let user = sqlx::query!("SELECT email FROM users WHERE did = $1", did) 224 224 - .fetch_one(&pool) 225 225 - .await 226 226 - .expect("User not found"); 227 227 - assert_eq!(user.email, Some(new_email)); 219 219 + assert_eq!(res.status(), StatusCode::BAD_REQUEST); 220 220 + let body: Value = res.json().await.expect("Invalid JSON"); 221 221 + assert_eq!(body["error"], "TokenRequired"); 228 222 } 229 223 230 224 #[tokio::test] ··· 299 293 .await 300 294 .expect("Failed to request email update"); 301 295 assert_eq!(res.status(), StatusCode::OK); 302 302 - let verification = sqlx::query!( 303 303 - "SELECT code FROM channel_verifications WHERE user_id = (SELECT id FROM users WHERE did = $1) AND channel = 'email'", 304 304 - did 305 305 - ) 306 306 - .fetch_one(&pool) 307 307 - .await 308 308 - .expect("Verification not found"); 309 309 - let code = verification.code; 296 296 + let code = get_email_update_token(&pool, &did).await; 310 297 let res = client 311 298 .post(format!("{}/xrpc/com.atproto.server.updateEmail", base_url)) 312 299 .bearer_auth(&access_jwt) ··· 323 310 .await 324 311 .expect("User not found"); 325 312 assert_eq!(user.email, Some(new_email)); 326 326 - let verification = sqlx::query!( 327 327 - "SELECT code FROM channel_verifications WHERE user_id = (SELECT id FROM users WHERE did = $1) AND channel = 'email'", 328 328 - did 329 329 - ) 330 330 - .fetch_optional(&pool) 331 331 - .await 332 332 - .expect("DB error"); 333 333 - assert!(verification.is_none()); 334 313 } 335 314 336 315 #[tokio::test] ··· 387 366 assert_eq!(res.status(), StatusCode::BAD_REQUEST); 388 367 let body: Value = res.json().await.expect("Invalid JSON"); 389 368 assert!( 390 390 - body["message"].as_str().unwrap().contains("already in use") 369 369 + body["error"] == "TokenRequired" 370 370 + || body["message"] 371 371 + .as_str() 372 372 + .unwrap_or("") 373 373 + .contains("already in use") 391 374 || body["error"] == "InvalidRequest" 392 375 ); 393 376 }

+21 -2

tests/jwt_security.rs

··· 688 688 .connect(&get_db_connection_string().await) 689 689 .await 690 690 .unwrap(); 691 691 - let code: String = sqlx::query_scalar!( 692 692 - "SELECT code FROM channel_verifications WHERE user_id = (SELECT id FROM users WHERE did = $1) AND channel = 'email'", 691 691 + let body_text: String = sqlx::query_scalar!( 692 692 + "SELECT body FROM comms_queue WHERE user_id = (SELECT id FROM users WHERE did = $1) AND comms_type = 'email_verification' ORDER BY created_at DESC LIMIT 1", 693 693 did 694 694 ).fetch_one(&pool).await.unwrap(); 695 695 + let code = body_text 696 696 + .lines() 697 697 + .find(|line| line.contains("verification code:") || line.contains("code is:")) 698 698 + .and_then(|line| { 699 699 + if line.contains("verification code:") { 700 700 + line.split("verification code:") 701 701 + .nth(1) 702 702 + .map(|s| s.trim().to_string()) 703 703 + } else { 704 704 + line.split("code is:").nth(1).map(|s| s.trim().to_string()) 705 705 + } 706 706 + }) 707 707 + .unwrap_or_else(|| { 708 708 + body_text 709 709 + .lines() 710 710 + .find(|line| line.trim().starts_with("MX") && line.contains('-')) 711 711 + .map(|s| s.trim().to_string()) 712 712 + .unwrap_or_default() 713 713 + }); 695 714 696 715 let confirm = http_client 697 716 .post(format!("{}/xrpc/com.atproto.server.confirmSignup", url))