regstack 0.1.0__py3-none-any.whl

regstack/ui/static/css/core.css

@@ -0,0 +1,204 @@
+/* regstack — structural CSS. Colors and fonts are defined entirely via
+   CSS custom properties in theme.css so this file can ship unchanged
+   regardless of host branding. */
+
+*, *::before, *::after { box-sizing: border-box; }
+
+html { -webkit-text-size-adjust: 100%; }
+
+body {
+  margin: 0;
+  min-height: 100vh;
+  display: flex;
+  flex-direction: column;
+  background: var(--rs-bg);
+  color: var(--rs-fg);
+  font-family: var(--rs-font-body);
+  line-height: 1.5;
+  font-size: 16px;
+}
+
+a { color: var(--rs-accent); text-decoration: none; }
+a:hover, a:focus-visible { text-decoration: underline; }
+
+img { max-width: 100%; height: auto; }
+
+.rs-header {
+  padding: 16px 24px;
+  border-bottom: 1px solid var(--rs-border);
+  display: flex;
+  align-items: center;
+  gap: 16px;
+  background: var(--rs-surface);
+}
+
+.rs-brand {
+  display: inline-flex;
+  align-items: center;
+  gap: 10px;
+  font-family: var(--rs-font-display);
+  font-size: 20px;
+  font-weight: 600;
+  color: var(--rs-fg);
+}
+.rs-brand:hover { text-decoration: none; }
+.rs-brand-logo { height: 28px; width: auto; }
+.rs-brand-tagline { color: var(--rs-fg-muted); font-size: 14px; margin-left: auto; }
+
+.rs-main {
+  flex: 1;
+  display: flex;
+  align-items: flex-start;
+  justify-content: center;
+  padding: 32px 16px;
+}
+
+.rs-card {
+  width: 100%;
+  max-width: 420px;
+  background: var(--rs-surface);
+  border: 1px solid var(--rs-border);
+  border-radius: var(--rs-radius);
+  padding: 28px 28px 32px;
+  box-shadow: var(--rs-shadow);
+}
+
+.rs-title {
+  font-family: var(--rs-font-display);
+  font-size: 24px;
+  margin: 0 0 18px;
+  font-weight: 600;
+}
+
+.rs-meta {
+  margin: 14px 0 0;
+  color: var(--rs-fg-muted);
+  font-size: 14px;
+}
+
+.rs-form {
+  display: flex;
+  flex-direction: column;
+  gap: 14px;
+  margin: 0;
+}
+
+.rs-field {
+  display: flex;
+  flex-direction: column;
+  gap: 6px;
+}
+
+.rs-label {
+  font-size: 13px;
+  font-weight: 500;
+  color: var(--rs-fg-muted);
+}
+
+input[type="email"],
+input[type="text"],
+input[type="password"] {
+  width: 100%;
+  padding: 10px 12px;
+  border: 1px solid var(--rs-border);
+  border-radius: var(--rs-radius);
+  background: var(--rs-bg);
+  color: var(--rs-fg);
+  font: inherit;
+}
+input:focus-visible {
+  outline: 2px solid var(--rs-accent);
+  outline-offset: 1px;
+  border-color: transparent;
+}
+
+.rs-btn {
+  display: inline-flex;
+  align-items: center;
+  justify-content: center;
+  gap: 8px;
+  padding: 10px 18px;
+  border: 1px solid var(--rs-border);
+  border-radius: var(--rs-radius);
+  background: var(--rs-surface);
+  color: var(--rs-fg);
+  font: inherit;
+  font-weight: 500;
+  cursor: pointer;
+  text-decoration: none;
+}
+.rs-btn:hover, .rs-btn:focus-visible { background: var(--rs-bg-hover); }
+
+.rs-btn-primary {
+  background: var(--rs-accent);
+  color: var(--rs-accent-fg);
+  border-color: transparent;
+}
+.rs-btn-primary:hover, .rs-btn-primary:focus-visible {
+  filter: brightness(1.05);
+  background: var(--rs-accent);
+}
+
+.rs-btn-ghost { background: transparent; }
+
+.rs-btn-danger {
+  background: var(--rs-danger);
+  color: var(--rs-danger-fg);
+  border-color: transparent;
+}
+.rs-btn-danger:hover, .rs-btn-danger:focus-visible { filter: brightness(1.05); background: var(--rs-danger); }
+
+.rs-message {
+  margin-top: 14px;
+  padding: 10px 12px;
+  border-radius: var(--rs-radius);
+  font-size: 14px;
+  border: 1px solid var(--rs-border);
+  background: var(--rs-bg);
+}
+.rs-message[data-rs-tone="error"] {
+  border-color: var(--rs-danger);
+  background: var(--rs-danger-bg);
+  color: var(--rs-danger);
+}
+.rs-message[data-rs-tone="success"] {
+  border-color: var(--rs-accent);
+  background: var(--rs-accent-bg);
+  color: var(--rs-accent);
+}
+
+.rs-section {
+  margin-top: 18px;
+  padding: 12px 14px;
+  border: 1px solid var(--rs-border);
+  border-radius: var(--rs-radius);
+  background: var(--rs-bg);
+}
+.rs-section > summary {
+  cursor: pointer;
+  font-weight: 500;
+}
+.rs-section[open] > summary { margin-bottom: 12px; }
+.rs-section-danger { border-color: var(--rs-danger); }
+.rs-section-danger > summary { color: var(--rs-danger); }
+
+.rs-account-summary {
+  display: grid;
+  grid-template-columns: max-content 1fr;
+  gap: 6px 16px;
+  margin: 0 0 8px;
+  font-size: 14px;
+}
+.rs-account-summary dt { color: var(--rs-fg-muted); font-weight: 500; }
+.rs-account-summary dd { margin: 0; word-break: break-word; }
+
+.rs-footer {
+  text-align: center;
+  font-size: 13px;
+  color: var(--rs-fg-muted);
+  padding: 18px 16px 24px;
+}
+
+@media (max-width: 480px) {
+  .rs-card { padding: 20px; }
+}

regstack/ui/static/css/theme.css

@@ -0,0 +1,43 @@
+/* regstack — default theme. Each variable is the seam at which a host
+   theme.css can override the look without touching core.css. */
+
+:root {
+  --rs-bg: #ffffff;
+  --rs-bg-hover: #f3f4f6;
+  --rs-surface: #ffffff;
+  --rs-fg: #111827;
+  --rs-fg-muted: #4b5563;
+  --rs-border: #e5e7eb;
+
+  --rs-accent: #2563eb;
+  --rs-accent-fg: #ffffff;
+  --rs-accent-bg: rgba(37, 99, 235, 0.08);
+
+  --rs-danger: #b91c1c;
+  --rs-danger-fg: #ffffff;
+  --rs-danger-bg: rgba(185, 28, 28, 0.08);
+
+  --rs-radius: 6px;
+  --rs-shadow: 0 1px 2px rgba(0, 0, 0, 0.04), 0 4px 10px rgba(0, 0, 0, 0.04);
+
+  --rs-font-display: -apple-system, BlinkMacSystemFont, "Segoe UI", "Inter", sans-serif;
+  --rs-font-body: -apple-system, BlinkMacSystemFont, "Segoe UI", "Inter", sans-serif;
+}
+
+@media (prefers-color-scheme: dark) {
+  :root {
+    --rs-bg: #0b1220;
+    --rs-bg-hover: #14213a;
+    --rs-surface: #111a30;
+    --rs-fg: #e5e7eb;
+    --rs-fg-muted: #9ca3af;
+    --rs-border: #1f2a44;
+    --rs-accent: #60a5fa;
+    --rs-accent-fg: #0b1220;
+    --rs-accent-bg: rgba(96, 165, 250, 0.12);
+    --rs-danger: #f87171;
+    --rs-danger-fg: #0b1220;
+    --rs-danger-bg: rgba(248, 113, 113, 0.12);
+    --rs-shadow: 0 1px 2px rgba(0, 0, 0, 0.4), 0 4px 14px rgba(0, 0, 0, 0.3);
+  }
+}

regstack/ui/static/js/regstack.js

@@ -0,0 +1,411 @@
+// regstack — small client for the SSR pages. Reads its endpoints from
+// data attributes on <body> so a single static file works for every host.
+
+(function () {
+  "use strict";
+
+  const STORAGE_KEY = "regstack.access_token";
+  const MFA_PENDING_KEY = "regstack.mfa_pending";
+  const body = document.body;
+  const apiPrefix = body.dataset.rsApi || "/api/auth";
+  const uiPrefix = body.dataset.rsUi || "/account";
+  const page = body.dataset.rsPage;
+
+  const messageEl = document.querySelector("[data-rs-message]");
+
+  function getToken() {
+    return window.localStorage.getItem(STORAGE_KEY);
+  }
+
+  function setToken(token) {
+    if (token) {
+      window.localStorage.setItem(STORAGE_KEY, token);
+    } else {
+      window.localStorage.removeItem(STORAGE_KEY);
+    }
+  }
+
+  function showMessage(text, tone) {
+    if (!messageEl) return;
+    messageEl.textContent = text;
+    messageEl.hidden = false;
+    if (tone) {
+      messageEl.dataset.rsTone = tone;
+    } else {
+      delete messageEl.dataset.rsTone;
+    }
+  }
+
+  function clearMessage() {
+    if (!messageEl) return;
+    messageEl.hidden = true;
+    messageEl.textContent = "";
+    delete messageEl.dataset.rsTone;
+  }
+
+  function tokenFromQuery() {
+    const params = new URLSearchParams(window.location.search);
+    return params.get("token");
+  }
+
+  async function api(method, path, body, withAuth = false) {
+    const headers = { "content-type": "application/json" };
+    if (withAuth) {
+      const token = getToken();
+      if (!token) {
+        window.location.href = uiPrefix + "/login";
+        throw new Error("not authenticated");
+      }
+      headers["authorization"] = "Bearer " + token;
+    }
+    const res = await fetch(apiPrefix + path, {
+      method: method,
+      headers: headers,
+      body: body == null ? undefined : JSON.stringify(body),
+    });
+    let payload = null;
+    try {
+      payload = await res.json();
+    } catch (_) {
+      payload = null;
+    }
+    return { ok: res.ok, status: res.status, body: payload };
+  }
+
+  function formData(form) {
+    const out = {};
+    for (const [key, value] of new FormData(form).entries()) {
+      out[key] = value;
+    }
+    return out;
+  }
+
+  function detailFromError(payload, fallback) {
+    if (!payload) return fallback;
+    if (typeof payload.detail === "string") return payload.detail;
+    if (Array.isArray(payload.detail) && payload.detail.length) {
+      return payload.detail.map((e) => e.msg || e).join("; ");
+    }
+    return fallback;
+  }
+
+  function on(formName, handler) {
+    const form = document.querySelector(`[data-rs-form="${formName}"]`);
+    if (!form) return;
+    form.addEventListener("submit", async (event) => {
+      event.preventDefault();
+      clearMessage();
+      const submitButton = form.querySelector("button[type='submit']");
+      if (submitButton) submitButton.disabled = true;
+      try {
+        await handler(formData(form), form);
+      } catch (err) {
+        showMessage(err.message || String(err), "error");
+      } finally {
+        if (submitButton) submitButton.disabled = false;
+      }
+    });
+  }
+
+  // --- Page wiring -----------------------------------------------------
+
+  async function wireLogin() {
+    if (getToken()) {
+      window.location.href = uiPrefix + "/me";
+      return;
+    }
+    on("login", async (data) => {
+      const res = await api("POST", "/login", data);
+      if (!res.ok) {
+        throw new Error(detailFromError(res.body, "Login failed."));
+      }
+      if (res.body && res.body.status === "mfa_required") {
+        window.sessionStorage.setItem(MFA_PENDING_KEY, res.body.mfa_pending_token);
+        window.location.href = uiPrefix + "/mfa-confirm";
+        return;
+      }
+      setToken(res.body.access_token);
+      window.location.href = uiPrefix + "/me";
+    });
+  }
+
+  async function wireMfaConfirm() {
+    const pending = window.sessionStorage.getItem(MFA_PENDING_KEY);
+    if (!pending) {
+      window.location.href = uiPrefix + "/login";
+      return;
+    }
+    on("mfa-confirm", async (data) => {
+      const res = await api("POST", "/login/mfa-confirm", {
+        mfa_pending_token: pending,
+        code: data.code,
+      });
+      if (!res.ok) {
+        throw new Error(detailFromError(res.body, "Code rejected."));
+      }
+      window.sessionStorage.removeItem(MFA_PENDING_KEY);
+      setToken(res.body.access_token);
+      window.location.href = uiPrefix + "/me";
+    });
+  }
+
+  async function wireRegister() {
+    if (getToken()) {
+      window.location.href = uiPrefix + "/me";
+      return;
+    }
+    on("register", async (data) => {
+      const res = await api("POST", "/register", data);
+      if (!res.ok) {
+        throw new Error(detailFromError(res.body, "Registration failed."));
+      }
+      if (res.body && res.body.status === "pending_verification") {
+        showMessage(
+          "Account created — please check " + (data.email || "your email") + " for a verification link.",
+          "success"
+        );
+      } else {
+        showMessage("Account created. You can now sign in.", "success");
+      }
+    });
+  }
+
+  async function wireForgot() {
+    on("forgot", async (data) => {
+      const res = await api("POST", "/forgot-password", data);
+      if (!res.ok) {
+        throw new Error(detailFromError(res.body, "Request failed."));
+      }
+      showMessage(
+        "If an account exists for that email, a reset link has been sent.",
+        "success"
+      );
+    });
+  }
+
+  async function wireReset() {
+    const tokenInput = document.querySelector("[data-rs-token]");
+    const queryToken = tokenFromQuery();
+    if (tokenInput && queryToken) tokenInput.value = queryToken;
+    on("reset", async (data) => {
+      if (!data.token) {
+        throw new Error("Missing reset token. Use the link from your email.");
+      }
+      const res = await api("POST", "/reset-password", {
+        token: data.token,
+        new_password: data.new_password,
+      });
+      if (!res.ok) {
+        throw new Error(detailFromError(res.body, "Reset failed."));
+      }
+      showMessage("Password reset. Redirecting to sign in…", "success");
+      setToken(null);
+      setTimeout(() => {
+        window.location.href = uiPrefix + "/login";
+      }, 1200);
+    });
+  }
+
+  async function wireVerify() {
+    const status = document.querySelector("[data-rs-status]");
+    const token = tokenFromQuery();
+    if (!token) {
+      if (status) status.textContent = "Missing verification token.";
+      showMessage("No token in URL.", "error");
+      return;
+    }
+    const res = await api("POST", "/verify", { token: token });
+    if (!res.ok) {
+      const msg = detailFromError(res.body, "Verification failed.");
+      if (status) status.textContent = msg;
+      showMessage(msg, "error");
+      return;
+    }
+    if (status) status.textContent = "Email confirmed — you can sign in.";
+    showMessage("Email confirmed.", "success");
+  }
+
+  async function wireConfirmEmailChange() {
+    const status = document.querySelector("[data-rs-status]");
+    const token = tokenFromQuery();
+    if (!token) {
+      if (status) status.textContent = "Missing token.";
+      showMessage("No token in URL.", "error");
+      return;
+    }
+    const res = await api("POST", "/confirm-email-change", { token: token });
+    if (!res.ok) {
+      const msg = detailFromError(res.body, "Confirmation failed.");
+      if (status) status.textContent = msg;
+      showMessage(msg, "error");
+      return;
+    }
+    setToken(null); // bulk revoke fired — old session is dead
+    if (status) status.textContent = "Email updated — please sign in again.";
+    showMessage("Email updated. Sign in with your new address.", "success");
+  }
+
+  async function wireMe() {
+    if (!getToken()) {
+      window.location.href = uiPrefix + "/login";
+      return;
+    }
+    const res = await api("GET", "/me", null, true);
+    if (!res.ok) {
+      setToken(null);
+      window.location.href = uiPrefix + "/login";
+      return;
+    }
+    fillAccount(res.body);
+
+    on("update-profile", async (data) => {
+      const r = await api("PATCH", "/me", { full_name: data.full_name || null }, true);
+      if (!r.ok) throw new Error(detailFromError(r.body, "Update failed."));
+      fillAccount(r.body);
+      showMessage("Profile updated.", "success");
+    });
+
+    on("change-password", async (data) => {
+      const r = await api("POST", "/change-password", data, true);
+      if (!r.ok) throw new Error(detailFromError(r.body, "Change failed."));
+      setToken(null);
+      showMessage("Password changed. Redirecting to sign in…", "success");
+      setTimeout(() => {
+        window.location.href = uiPrefix + "/login";
+      }, 1200);
+    });
+
+    on("change-email", async (data) => {
+      const r = await api("POST", "/change-email", data, true);
+      if (!r.ok) throw new Error(detailFromError(r.body, "Change failed."));
+      showMessage(
+        "Confirmation sent to " + data.new_email + ". Click the link to finish.",
+        "success"
+      );
+    });
+
+    on("delete-account", async (data) => {
+      if (!window.confirm("This permanently deletes your account. Continue?")) return;
+      const r = await api("DELETE", "/account", data, true);
+      if (!r.ok) throw new Error(detailFromError(r.body, "Delete failed."));
+      setToken(null);
+      window.location.href = uiPrefix + "/login";
+    });
+
+    wireMfaSection(res.body);
+
+    const logoutBtn = document.querySelector("[data-rs-action='logout']");
+    if (logoutBtn) {
+      logoutBtn.addEventListener("click", async () => {
+        try {
+          await api("POST", "/logout", null, true);
+        } catch (_) {
+          // ignore — we're signing out client-side anyway
+        }
+        setToken(null);
+        window.location.href = uiPrefix + "/login";
+      });
+    }
+  }
+
+  function wireMfaSection(user) {
+    const section = document.querySelector("[data-rs-mfa-section]");
+    if (!section) return;
+
+    const status = section.querySelector("[data-rs-mfa-status]");
+    const enableBlock = section.querySelector("[data-rs-mfa-enable]");
+    const disableBlock = section.querySelector("[data-rs-mfa-disable]");
+    const confirmForm = section.querySelector(
+      "[data-rs-form='phone-setup-confirm']"
+    );
+
+    if (user.is_mfa_enabled) {
+      if (status) {
+        status.textContent =
+          "Enabled — sign-in codes go to " + (user.phone_number || "your phone") + ".";
+      }
+      enableBlock.hidden = true;
+      disableBlock.hidden = false;
+    } else {
+      if (status) status.textContent = "Disabled. Add a phone number to enable.";
+      enableBlock.hidden = false;
+      disableBlock.hidden = true;
+    }
+
+    let setupPendingToken = null;
+    on("phone-setup-start", async (data) => {
+      const res = await api("POST", "/phone/start", data, true);
+      if (!res.ok) throw new Error(detailFromError(res.body, "Send failed."));
+      setupPendingToken = res.body.pending_token;
+      confirmForm.hidden = false;
+      showMessage("Code sent — enter it below to enable 2FA.", "success");
+    });
+
+    on("phone-setup-confirm", async (data) => {
+      if (!setupPendingToken) {
+        throw new Error("Request a code first.");
+      }
+      const res = await api(
+        "POST",
+        "/phone/confirm",
+        { pending_token: setupPendingToken, code: data.code },
+        false
+      );
+      if (!res.ok) throw new Error(detailFromError(res.body, "Confirm failed."));
+      setupPendingToken = null;
+      showMessage("SMS 2FA enabled — sign in again to confirm.", "success");
+      setTimeout(() => window.location.reload(), 1200);
+    });
+
+    on("mfa-disable", async (data) => {
+      const res = await fetch(apiPrefix + "/phone", {
+        method: "DELETE",
+        headers: {
+          "content-type": "application/json",
+          authorization: "Bearer " + getToken(),
+        },
+        body: JSON.stringify(data),
+      });
+      let payload = null;
+      try {
+        payload = await res.json();
+      } catch (_) {
+        payload = null;
+      }
+      if (!res.ok) {
+        throw new Error(detailFromError(payload, "Disable failed."));
+      }
+      showMessage("SMS 2FA disabled.", "success");
+      setTimeout(() => window.location.reload(), 1200);
+    });
+  }
+
+  function fillAccount(user) {
+    if (!user) return;
+    document.querySelectorAll("[data-rs-field]").forEach((el) => {
+      const key = el.dataset.rsField;
+      let value = user[key];
+      if (key === "is_verified") value = value ? "yes" : "no";
+      if (key === "created_at" && value) value = new Date(value).toLocaleString();
+      if (value === null || value === undefined || value === "") value = "—";
+      el.textContent = String(value);
+    });
+    const fnInput = document.querySelector(
+      "[data-rs-form='update-profile'] input[name='full_name']"
+    );
+    if (fnInput) fnInput.value = user.full_name || "";
+  }
+
+  // Dispatch by page name set on <html>/<body>.
+  switch (page) {
+    case "login": wireLogin(); break;
+    case "register": wireRegister(); break;
+    case "forgot": wireForgot(); break;
+    case "reset": wireReset(); break;
+    case "verify": wireVerify(); break;
+    case "confirm-email-change": wireConfirmEmailChange(); break;
+    case "mfa-confirm": wireMfaConfirm(); break;
+    case "me": wireMe(); break;
+    default: break;
+  }
+})();

regstack/ui/templates/auth/email_change_confirm.html

@@ -0,0 +1,10 @@
+{% extends "base.html" %}
+{% block title %}Confirm email change — {{ app_name }}{% endblock %}
+{% block content %}
+<h1 class="rs-title">Confirming your new email…</h1>
+<p class="rs-meta" data-rs-status="pending">One moment while we update your account.</p>
+<input type="hidden" data-rs-token>
+<p class="rs-meta">
+  <a href="{{ ui_prefix }}/login">Sign in</a>
+</p>
+{% endblock %}

regstack/ui/templates/auth/forgot.html

@@ -0,0 +1,14 @@
+{% extends "base.html" %}
+{% block title %}Forgot password — {{ app_name }}{% endblock %}
+{% block content %}
+<h1 class="rs-title">Reset your password</h1>
+<p class="rs-meta">Enter your email and we'll send a reset link.</p>
+<form class="rs-form" data-rs-form="forgot" autocomplete="on">
+  <label class="rs-field">
+    <span class="rs-label">Email</span>
+    <input type="email" name="email" required autocomplete="email" autofocus>
+  </label>
+  <button type="submit" class="rs-btn rs-btn-primary">Send reset link</button>
+</form>
+<p class="rs-meta"><a href="{{ ui_prefix }}/login">Back to sign in</a></p>
+{% endblock %}

regstack/ui/templates/auth/login.html

@@ -0,0 +1,24 @@
+{% extends "base.html" %}
+{% block title %}Sign in — {{ app_name }}{% endblock %}
+{% block content %}
+<h1 class="rs-title">Sign in</h1>
+<form class="rs-form" data-rs-form="login" autocomplete="on">
+  <label class="rs-field">
+    <span class="rs-label">Email</span>
+    <input type="email" name="email" required autocomplete="email" autofocus>
+  </label>
+  <label class="rs-field">
+    <span class="rs-label">Password</span>
+    <input type="password" name="password" required minlength="8" autocomplete="current-password">
+  </label>
+  <button type="submit" class="rs-btn rs-btn-primary">Sign in</button>
+</form>
+<p class="rs-meta">
+  {% if allow_registration %}
+  No account? <a href="{{ ui_prefix }}/register">Create one</a>.
+  {% endif %}
+  {% if enable_password_reset %}
+  <br><a href="{{ ui_prefix }}/forgot">Forgot password?</a>
+  {% endif %}
+</p>
+{% endblock %}