jamey/berrypod
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity

separate account settings from shop settings
All checks were successful
deploy / deploy (push) Successful in 3m28s
Details

Browse Source 
- Create dedicated /admin/account page for user account management
- Move email, password, and 2FA settings from /admin/settings
- Add Account link to top of admin sidebar navigation
- Add TOTP-based two-factor authentication with NimbleTOTP
- Add TOTP verification LiveView for login flow
- Add AccountController for TOTP session management
- Remove Advanced section from settings (duplicated in dev tools)
- Remove user email from sidebar footer (replaced by Account link)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
jamey
2026-03-08 18:42:29 +00:00
parent 0c2d4ac406
commit 32cc425458
21 changed files with 1396 additions and 308 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
lib/berrypod_web/controllers/account_controller.ex Normal file
View File

@@ -0,0 +1,63 @@
defmodule BerrypodWeb.AccountController do
@moduledoc """
Handles account-related session operations that can't be done in LiveView.
These routes manage TOTP setup state in the session, which persists across
LiveView reconnects on mobile devices.
"""
use BerrypodWeb, :controller
alias Berrypod.Accounts
@doc """
Starts TOTP setup by generating a secret and storing it in the session.
The session persists across LiveView reconnects.
"""
def start_totp_setup(conn, _params) do
user = conn.assigns.current_scope.user
unless Accounts.sudo_mode?(user) do
conn
|> put_flash(:error, "Please log in again to enable 2FA.")
|> redirect(to: ~p"/users/log-in?return_to=/admin/account")
else
{secret, _uri} = Accounts.generate_totp_secret(user)
conn
|> put_session(:totp_setup_secret, secret)
|> redirect(to: ~p"/admin/account")
end
end
@doc """
Clears the TOTP setup session state.
"""
def cancel_totp_setup(conn, _params) do
conn
|> delete_session(:totp_setup_secret)
|> redirect(to: ~p"/admin/account")
end
@doc """
Clears the TOTP setup session and stores backup codes for display.
Called via redirect from the LiveView after successful enablement.
"""
def complete_totp_setup(conn, %{"codes" => codes_param}) do
# Codes come as comma-separated string
backup_codes = String.split(codes_param, ",")
conn
|> delete_session(:totp_setup_secret)
|> put_session(:totp_backup_codes, backup_codes)
|> redirect(to: ~p"/admin/account")
end
@doc """
Clears the backup codes from the session after user confirms they've saved them.
"""
def clear_backup_codes(conn, _params) do
conn
|> delete_session(:totp_backup_codes)
|> redirect(to: ~p"/admin/account")
end
end

65
lib/berrypod_web/controllers/user_session_controller.ex
View File

@@ -4,7 +4,7 @@ defmodule BerrypodWeb.UserSessionController do
alias Berrypod.Accounts
alias BerrypodWeb.UserAuth
plug BerrypodWeb.Plugs.RateLimit, [type: :login] when action == :create
plug BerrypodWeb.Plugs.RateLimit, [type: :login] when action in [:create, :verify_totp]
def create(conn, %{"_action" => "confirmed"} = params) do
create(conn, params, "User confirmed successfully.")
@@ -15,14 +15,14 @@ defmodule BerrypodWeb.UserSessionController do
end
# magic link login
defp create(conn, %{"user" => %{"token" => token} = user_params}, info) do
defp create(conn, %{"user" => %{"token" => token} = user_params} = params, info) do
case Accounts.login_user_by_magic_link(token) do
{:ok, {user, tokens_to_disconnect}} ->
UserAuth.disconnect_sessions(tokens_to_disconnect)
conn
|> put_flash(:info, info)
|> UserAuth.log_in_user(user, user_params)
|> maybe_store_return_to(params)
|> maybe_require_totp(user, user_params, info)
_ ->
conn
@@ -32,13 +32,13 @@ defmodule BerrypodWeb.UserSessionController do
end
# email + password login
defp create(conn, %{"user" => user_params}, info) do
defp create(conn, %{"user" => user_params} = params, info) do
%{"email" => email, "password" => password} = user_params
if user = Accounts.get_user_by_email_and_password(email, password) do
conn
|> put_flash(:info, info)
|> UserAuth.log_in_user(user, user_params)
|> maybe_store_return_to(params)
|> maybe_require_totp(user, user_params, info)
else
# In order to prevent user enumeration attacks, don't disclose whether the email is registered.
conn
@@ -48,6 +48,55 @@ defmodule BerrypodWeb.UserSessionController do
end
end
defp maybe_store_return_to(conn, %{"return_to" => "/" <> _ = return_to}) do
put_session(conn, :user_return_to, return_to)
end
defp maybe_store_return_to(conn, _params), do: conn
defp maybe_require_totp(conn, user, user_params, info) do
if Accounts.totp_enabled?(user) do
remember_me = user_params["remember_me"] == "true"
conn
|> put_session(:totp_pending_user_id, user.id)
|> put_session(:totp_pending_remember_me, remember_me)
|> redirect(to: ~p"/users/totp")
else
conn
|> put_flash(:info, info)
|> UserAuth.log_in_user(user, user_params)
end
end
def verify_totp(conn, %{"totp" => %{"code" => code}, "remember_me" => remember_me}) do
user_id = get_session(conn, :totp_pending_user_id)
if user_id do
user = Accounts.get_user!(user_id)
case Accounts.verify_totp(user, code) do
:ok ->
user_params = if remember_me == "true", do: %{"remember_me" => "true"}, else: %{}
conn
|> delete_session(:totp_pending_user_id)
|> delete_session(:totp_pending_remember_me)
|> put_flash(:info, "Welcome back!")
|> UserAuth.log_in_user(user, user_params)
:error ->
conn
|> put_flash(:error, "Invalid code. Please try again.")
|> redirect(to: ~p"/users/totp")
end
else
conn
|> put_flash(:error, "Session expired. Please log in again.")
|> redirect(to: ~p"/users/log-in")
end
end
def update_password(conn, %{"user" => user_params} = params) do
user = conn.assigns.current_scope.user
true = Accounts.sudo_mode?(user)
@@ -57,7 +106,7 @@ defmodule BerrypodWeb.UserSessionController do
UserAuth.disconnect_sessions(expired_tokens)
conn
|> put_session(:user_return_to, ~p"/admin/settings")
|> put_session(:user_return_to, ~p"/admin/account")
|> create(params, "Password updated successfully!")
end