password expiry email

logged in

README.md

@@ -6,20 +6,20 @@ A simple, lightweight web application for managing user profile photos in a Free
 *   **LDAP Authentication**: Secure login with existing FreeIPA credentials.
 *   **Profile Management**: View user details (Display Name, Email).
 *   **Photo Upload**: Users can upload and update their profile picture (`jpegPhoto` attribute).
+*   **Change Password**: Users can change there password once logged in
 *   **Session Management**: Secure, cookie-based sessions with CSRF protection.
 *   **Customizable**: Configurable styling (logo, favicon) and LDAP settings.
 
 ## Prerequisites
-
+*   **Go 1.26+** installed on your machine.
-*   **Go 1.20+** installed on your machine.
+*   Access to a **FreeIPA Server**.
-*   Access to an **FreeIPA Server**.
+*   A Service Account with permission to search and modify the `jpegPhoto` attribute.
-*   A Service Account (Bind DN) with permission to search users and modify the `jpegPhoto` attribute.
 
 ## Setup & Installation
 
 1.  **Clone the Repository**
     ```bash
-    git clone https://git.astraltech.xyz/gawells/Self-Service-Dashboard
+    git clone https://git.astraltech.xyz/gawells/Self-Service-Dashboard.git
     cd Self-Service-Dashboard
     ```
 
@@ -30,7 +30,10 @@ A simple, lightweight web application for managing user profile photos in a Free
     ```
 
 5. **Edit config**
-    put in your config values for ldap, and whatevery styling guidelines you would want to use
+    Edit the config file
+    ```bash
+    nvim data/config.json
+    ``` 
 
 4.  **Install Dependencies**
     ```bash
@@ -41,15 +44,7 @@ A simple, lightweight web application for managing user profile photos in a Free
     ```bash
     go run ./src/main/
     ```
-    The application will be available at `http://<host>:<port>`.
+    The application will be available at `http://localhost:<port>`.
-
-## Directory Structure
-
-*   `src/`: Go source code (`main.go`, `ldap.go`, `session.go`, etc.).
-*   `src/pages/`: HTML templates for login and profile pages.
-*   `static/`: CSS files, images, and other static assets.
-*   `data/`: Configuration files and local assets (logos).
-*   `avatars/`: Stores cached user profile photos.
 
 ## License
 

data/config.example.json

@@ -12,6 +12,14 @@
     "logo_path": "./data/astraltech_logo_large.png"
   },
   "server_config": {
-    "port": 8080
+    "port": 8080,
+    "base_url": "https://profile.example.com"
+  },
+  "email_config": {
+    "username": "noreply",
+    "email": "noreply@example.com",
+    "password": "",
+    "smtp_url": "mx.example.com",
+    "smtp_port": 587
   }
 }

data/email-templates/expired-password.html

@@ -0,0 +1,112 @@
+<!doctype html>
+<html>
+    <head>
+        <!-- Tell iOS we support light mode -->
+        <meta name="color-scheme" content="light" />
+        <meta name="supported-color-schemes" content="light" />
+    </head>
+
+    <body
+        style="margin: 0; padding: 0; background-color: #f7fff7; color: #000000"
+    >
+        <table
+            width="100%"
+            cellpadding="0"
+            cellspacing="0"
+            border="0"
+            style="background-color: #f7fff7"
+        >
+            <tr>
+                <td align="center">
+                    <!-- Outer container -->
+                    <table
+                        width="600"
+                        cellpadding="0"
+                        cellspacing="0"
+                        border="0"
+                        style="
+                            background-color: #ffffff;
+                            border: 1px solid #e2e8f0;
+                            border-radius: 12px;
+                            margin-top: 25px;
+                        "
+                    >
+                        <tr>
+                            <td
+                                style="
+                                    padding: 30px;
+                                    font-family: Arial, sans-serif;
+                                    color: #000000;
+                                "
+                            >
+                                <p style="margin: 0 0 15px 0">
+                                    Hi <strong>{{.Username}}</strong>,
+                                </p>
+
+                                <p style="margin: 0 0 15px 0">
+                                    Your account password has expired and needs
+                                    to be updated to continue accessing your
+                                    account.
+                                </p>
+
+                                <p style="margin: 0 0 15px 0">
+                                    <strong>Expiration Date:</strong><br />
+                                    {{.ExpiredAt}}
+                                </p>
+
+                                <p style="margin: 0 0 20px 0">
+                                    For security reasons, passwords must be
+                                    updated periodically. Please reset your
+                                    password as soon as possible.
+                                </p>
+
+                                <!-- Button -->
+                                <table
+                                    align="center"
+                                    cellpadding="0"
+                                    cellspacing="0"
+                                    border="0"
+                                >
+                                    <tr>
+                                        <td
+                                            bgcolor="#1a535c"
+                                            style="border-radius: 6px"
+                                        >
+                                            <a
+                                                href="{{.ResetURL}}"
+                                                style="
+                                                    display: inline-block;
+                                                    padding: 12px 20px;
+                                                    font-weight: bold;
+                                                    font-family:
+                                                        Arial, sans-serif;
+                                                    color: #ffffff;
+                                                    text-decoration: none;
+                                                    background-color: #1a535c;
+                                                    border-radius: 6px;
+                                                    -webkit-text-fill-color: #ffffff;
+                                                "
+                                            >
+                                                Reset Password
+                                            </a>
+                                        </td>
+                                    </tr>
+                                </table>
+
+                                <p style="margin: 20px 0 15px 0">
+                                    If you did not expect this, please contact
+                                    your system administrator.
+                                </p>
+
+                                <p style="margin: 0">
+                                    Thanks,<br />
+                                    <strong>{{.ServiceName}}</strong>
+                                </p>
+                            </td>
+                        </tr>
+                    </table>
+                </td>
+            </tr>
+        </table>
+    </body>
+</html>

src/components/profile_photo.go

@@ -0,0 +1,165 @@
+package components
+
+import (
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync"
+	"time"
+
+	"astraltech.xyz/accountmanager/src/helpers"
+	"astraltech.xyz/accountmanager/src/ldap"
+	"astraltech.xyz/accountmanager/src/logging"
+	"astraltech.xyz/accountmanager/src/session"
+)
+
+var (
+	photoCreatedTimestamp = make(map[string]time.Time)
+	photoCreatedMutex     sync.Mutex
+	blankPhotoData        []byte
+)
+
+var (
+	sessionManager = session.GetSessionManager()
+	LDAPServer     *ldap.LDAPServer
+
+	BaseDN string
+
+	ServiceUserBindDN   string
+	ServiceUserPassword string
+)
+
+func ReadBlankPhoto() {
+	blank, err := helpers.ReadFile("static/images/blank_profile.jpg")
+	if err != nil {
+		logging.Fatal("Could not load blank profile image")
+	}
+	blankPhotoData = blank
+}
+
+func CreateUserPhoto(username string, photoData []byte) error {
+	helpers.Mkdir("./avatars", os.ModePerm)
+
+	path := fmt.Sprintf("./avatars/%s.jpeg", username)
+	cleaned := filepath.Clean(path)
+	dst, err := helpers.CreateFile(cleaned)
+
+	if err != nil {
+		return fmt.Errorf("Could not save file")
+	}
+	photoCreatedMutex.Lock()
+	photoCreatedTimestamp[username] = time.Now()
+	photoCreatedMutex.Unlock()
+	defer dst.Close()
+	logging.Info("Writing to avarar file")
+	_, err = dst.Write(photoData)
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func UploadPhotoHandler(w http.ResponseWriter, r *http.Request) {
+	sessionData, err := sessionManager.GetSession(r)
+	if err != nil {
+		logging.Error(err.Error())
+		http.Redirect(w, r, "/login", http.StatusSeeOther)
+		return
+	}
+	err = r.ParseMultipartForm(10 << 20) // 10MB limit
+	if err != nil {
+		http.Error(w, "Bad request", http.StatusBadRequest)
+		return
+	}
+
+	if r.FormValue("csrf_token") != sessionData.CSRFToken {
+		http.Error(w, "CSRF Forbidden", http.StatusForbidden)
+		return
+	}
+
+	file, header, err := r.FormFile("photo")
+	if err != nil {
+		http.Error(w, "File not found", http.StatusBadRequest)
+		return
+	}
+	defer file.Close()
+	if header.Size > (10 * 1024 * 1024) {
+		http.Error(w, "File is to large (limit is 10 MB)", http.StatusBadRequest)
+		return
+	}
+
+	// 3. Read file into memory
+	data, err := io.ReadAll(file)
+	if err != nil {
+		http.Error(w, "Failed to read file", http.StatusInternalServerError)
+		return
+	}
+	userDN := fmt.Sprintf("uid=%s,cn=users,cn=accounts,%s", sessionData.UserID, BaseDN)
+	err = LDAPServer.ModifyAttribute(ServiceUserBindDN, ServiceUserPassword, userDN, "jpegphoto", []string{string(data)})
+	if err != nil {
+		logging.Error(err.Error())
+		return
+	}
+	CreateUserPhoto(sessionData.UserID, data)
+}
+
+func AvatarHandler(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "image/jpeg")
+	username := r.URL.Query().Get("user")
+	if strings.Contains(username, "/") {
+		w.Write(blankPhotoData)
+		return
+	}
+
+	filePath := fmt.Sprintf("./avatars/%s.jpeg", username)
+	cleaned := filepath.Clean(filePath)
+	fileExist, err := helpers.DoesFileExist(cleaned)
+	if err != nil {
+		w.Write(blankPhotoData)
+		logging.Error(err.Error())
+		return
+	}
+	photoCreatedMutex.Lock()
+	if fileExist && time.Since(photoCreatedTimestamp[username]) <= 5*time.Minute {
+		photoCreatedMutex.Unlock()
+		val, err := helpers.ReadFile(cleaned)
+		if err != nil {
+			logging.Error(err.Error())
+			w.Write(blankPhotoData)
+			return
+		}
+		w.Write(val)
+		return
+	}
+	photoCreatedMutex.Unlock()
+
+	userSearch, err := LDAPServer.SerchServer(
+		ServiceUserBindDN, ServiceUserPassword,
+		BaseDN,
+		fmt.Sprintf("(&(objectClass=inetOrgPerson)(uid=%s))", ldap.LDAPEscapeFilter(username)),
+		[]string{"jpegphoto"},
+	)
+	if err != nil {
+		logging.Error(err.Error())
+		w.Write(blankPhotoData)
+		return
+	}
+	if userSearch.EntryCount() == 0 {
+		w.Write(blankPhotoData)
+		return
+	}
+
+	entry := userSearch.GetEntry(0)
+	bytes := entry.GetRawAttributeValue("jpegphoto")
+	if len(bytes) == 0 {
+		w.Write(blankPhotoData)
+		return
+	} else {
+		w.Write(bytes)
+		CreateUserPhoto(username, bytes)
+		return
+	}
+}

src/email/email.go

@@ -1,4 +1,4 @@
-package main
+package email
 
 import (
 	"net/smtp"
@@ -16,35 +16,38 @@ type EmailAccount struct {
 }
 
 type EmailAccountData struct {
-	username string
+	Username string
-	password string
+	Password string
-	email    string
+	Email    string
 }
 
-func createEmailAccount(accountData EmailAccountData, smtpHost string, smtpPort int) EmailAccount {
+func CreateEmailAccount(accountData EmailAccountData, smtpHost string, smtpPort int) EmailAccount {
-	logging.Debugf("Creating Email Account: \n\tUsername: %s\n\tEmail: %s\n\tSMTP Host: %s:%d", accountData.username, accountData.email, smtpHost, smtpPort)
+	logging.Debugf("Creating Email Account: \n\tUsername: %s\n\tEmail: %s\n\tSMTP Host: %s:%d", accountData.Username, accountData.Email, smtpHost, smtpPort)
 	account := EmailAccount{
-		email:    accountData.email,
+		email:    accountData.Email,
 		smtpHost: smtpHost,
 		smtpPort: strconv.Itoa(smtpPort),
 	}
-	account.auth = smtp.PlainAuth("", accountData.username, accountData.password, smtpHost)
+	account.auth = smtp.PlainAuth("", accountData.Username, accountData.Password, smtpHost)
 	return account
 }
 
-func sendEmail(account EmailAccount, toEmail []string, subject string, message string) {
+func (account *EmailAccount) SendEmail(toEmails []string, subject string, message string) {
-	logging.Debugf("Sending an email from %s to %s", account.email, strings.Join(toEmail, ""))
+	logging.Debugf("Sending an email from %s to %s", account.email, strings.Join(toEmails, ", "))
 
-	ToEmailList := strings.Join(toEmail, "")
+	ToEmailList := strings.Join(toEmails, ", ")
+
+	mime := "MIME-version: 1.0;\r\nContent-Type: text/html; charset=\"UTF-8\";\r\n\r\n"
 
 	messageData := []byte(
 		"From: " + account.email + "\r\n" +
 			"To: " + ToEmailList + "\r\n" +
 			"Subject: " + subject + "\r\n" +
+			mime +
 			"\r\n" +
 			message,
 	)
-	err := smtp.SendMail(account.smtpHost+":"+account.smtpPort, account.auth, account.email, toEmail, messageData)
+	err := smtp.SendMail(account.smtpHost+":"+account.smtpPort, account.auth, account.email, toEmails, messageData)
 	if err != nil {
 		logging.Error("Failed to send email")
 		logging.Error(err.Error())

src/email/render_template.go

@@ -0,0 +1,28 @@
+package email
+
+import (
+	"bytes"
+	"path/filepath"
+	"text/template"
+)
+
+func RenderTemplate(path string, data any, funcMap template.FuncMap) (string, error) {
+	tmpl := template.New("")
+
+	if funcMap != nil {
+		tmpl = tmpl.Funcs(funcMap)
+	}
+
+	tmpl, err := tmpl.ParseFiles(path)
+	if err != nil {
+		return "", err
+	}
+
+	var buf bytes.Buffer
+	err = tmpl.ExecuteTemplate(&buf, filepath.Base(path), data)
+	if err != nil {
+		return "", err
+	}
+
+	return buf.String(), nil
+}

src/helpers/helpers.go

@@ -1,4 +1,4 @@
-package main
+package helpers
 
 import (
 	"net/http"
@@ -52,6 +52,17 @@ func CreateFile(path string) (*os.File, error) {
 	return file, nil
 }
 
+func DoesFileExist(path string) (bool, error) {
+	_, err := os.Stat(path)
+	if err == nil {
+		return true, nil
+	}
+	if os.IsNotExist(err) {
+		return false, nil
+	}
+	return false, err
+}
+
 func HandleFunc(path string, handler func(http.ResponseWriter, *http.Request)) {
 	logging.Infof("Handling %s", path)
 	http.HandleFunc(path, handler)

src/ldap/ldap_helpers.go

@@ -0,0 +1,7 @@
+package ldap
+
+import (
+	"github.com/go-ldap/ldap/v3"
+)
+
+func LDAPEscapeFilter(input string) string { return ldap.EscapeFilter(input) }

src/ldap/ldap_search.go

@@ -0,0 +1,29 @@
+package ldap
+
+import (
+	"github.com/go-ldap/ldap/v3"
+)
+
+type LDAPSearch struct {
+	search *ldap.SearchResult
+}
+
+type LDAPEntry struct {
+	entry *ldap.Entry
+}
+
+func (s *LDAPSearch) EntryCount() int {
+	return len(s.search.Entries)
+}
+
+func (s *LDAPSearch) GetEntry(number int) *LDAPEntry {
+	return &LDAPEntry{s.search.Entries[number]}
+}
+
+func (e *LDAPEntry) GetRawAttributeValue(name string) []byte {
+	return e.entry.GetRawAttributeValue(name)
+}
+
+func (e *LDAPEntry) GetAttributeValue(name string) string {
+	return e.entry.GetAttributeValue(name)
+}

src/ldap/ldap_server.go

@@ -0,0 +1,130 @@
+package ldap
+
+import (
+	"crypto/tls"
+	"strings"
+
+	"astraltech.xyz/accountmanager/src/logging"
+	"github.com/go-ldap/ldap/v3"
+)
+
+type LDAPServer struct {
+	URL                string
+	StartTLS           bool
+	IgnoreInsecureCert bool
+}
+
+func (s *LDAPServer) TestConnection() (bool, error) {
+	l, err := ldap.DialURL(s.URL)
+	l.Close()
+	if err != nil {
+		return false, err
+	}
+	return true, nil
+}
+
+// internal connect, should not be used regularly
+func (s *LDAPServer) connect() (*ldap.Conn, error) {
+	l, err := ldap.DialURL(s.URL)
+	if err != nil {
+		return nil, err
+	}
+
+	if s.StartTLS {
+		err = l.StartTLS(&tls.Config{
+			InsecureSkipVerify: s.IgnoreInsecureCert,
+		})
+		if err != nil {
+			l.Close()
+			return nil, err
+		}
+	}
+
+	return l, nil
+}
+func (s *LDAPServer) connectAsUser(userDN, password string) (*ldap.Conn, error) {
+	conn, err := s.connect()
+	if err != nil {
+		return nil, err
+	}
+	err = conn.Bind(userDN, password)
+	if err != nil {
+		return nil, err
+	}
+	return conn, nil
+}
+
+func (s *LDAPServer) AuthenticateUser(userDN, password string) (bool, error) {
+	conn, err := s.connectAsUser(userDN, password)
+	if err != nil || conn == nil {
+		return false, err
+	}
+	conn.Close()
+	return true, nil
+}
+
+func (s *LDAPServer) SerchServer(
+	userDN string, password string,
+	baseDN string,
+	searchFilter string, attributes []string,
+) (*LDAPSearch, error) {
+	logging.Debugf("Searching %s LDAP server\n\tBase DN: %s\n\tSearch Filter %s\n\tAttributes: %s", s.URL, baseDN, searchFilter, strings.Join(attributes, ","))
+	conn, err := s.connectAsUser(userDN, password)
+	if err != nil {
+		return nil, err
+	}
+	defer conn.Close()
+
+	searchRequest := ldap.NewSearchRequest(
+		baseDN,
+		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
+		searchFilter, attributes,
+		nil,
+	)
+	sr, err := conn.Search(searchRequest)
+	if err != nil {
+		logging.Errorf("Failed to search LDAP server %s\n", err.Error())
+		return nil, err
+	}
+	return &LDAPSearch{sr}, nil
+}
+
+func (s *LDAPServer) ChangePassword(userDN string, oldPassword string, newPassword string) error {
+	conn, err := s.connectAsUser(userDN, oldPassword)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	// Perform password modify extended operation
+	_, err = conn.PasswordModify(&ldap.PasswordModifyRequest{
+		UserIdentity: userDN,
+		OldPassword:  oldPassword,
+		NewPassword:  newPassword,
+	})
+	if err != nil {
+		logging.Errorf("Password modify failed: %s", err.Error())
+		return err
+	}
+	logging.Infof("Password successfully changed for %s", userDN)
+	return nil
+}
+
+func (s *LDAPServer) ModifyAttribute(bindUserDN string, password string, userDN string, attribute string, data []string) error {
+	logging.Infof("Modifing LDAP attribute %s", attribute)
+
+	conn, err := s.connectAsUser(bindUserDN, password)
+	if err != nil {
+		return err
+	}
+	defer conn.Close()
+
+	modify := ldap.NewModifyRequest(userDN, nil)
+	modify.Replace(attribute, data)
+	err = conn.Modify(modify)
+	if err != nil {
+		logging.Errorf("Failed to modify %s", err.Error())
+		return err
+	}
+	return nil
+}

src/main/config.go

@@ -22,13 +22,23 @@ type StyleConfig struct {
 }
 
 type WebserverConfig struct {
-	Port int `json:"port"`
+	Port    int    `json:"port"`
+	BaseURL string `json:"base_url"`
+}
+
+type EmailConfig struct {
+	Username string `json:"username"`
+	Email    string `json:"email"`
+	Password string `json:"password"`
+	SMTPURL  string `json:"smtp_url"`
+	SMTPPort int    `json:"smtp_port"`
 }
 
 type ServerConfig struct {
 	LDAPConfig      LDAPConfig      `json:"ldap_config"`
 	StyleConfig     StyleConfig     `json:"style_config"`
 	WebserverConfig WebserverConfig `json:"server_config"`
+	EmailConfig     EmailConfig     `json:"email_config"`
 }
 
 func loadServerConfig(path string) (*ServerConfig, error) {

src/main/ldap.go

@@ -1,181 +0,0 @@
-package main
-
-import (
-	"crypto/tls"
-	"fmt"
-	"strings"
-
-	"astraltech.xyz/accountmanager/src/logging"
-	"github.com/go-ldap/ldap/v3"
-)
-
-type LDAPServer struct {
-	URL                string
-	StartTLS           bool
-	IgnoreInsecureCert bool
-	Connection         *ldap.Conn
-}
-
-type LDAPSearch struct {
-	Succeeded  bool
-	LDAPSearch *ldap.SearchResult
-}
-
-func connectToLDAPServer(URL string, starttls bool, ignore_cert bool) *LDAPServer {
-	logging.Debugf("Connecting to LDAP server %s", URL)
-	l, err := ldap.DialURL(URL)
-	if err != nil {
-		logging.Fatal("Failed to connect to LDAP server")
-		logging.Fatal(err.Error())
-	}
-	logging.Infof("Connected to LDAP server")
-
-	if starttls {
-		logging.Debugf("Enabling StartTLS")
-		if err := l.StartTLS(&tls.Config{InsecureSkipVerify: ignore_cert}); err != nil {
-			logging.Errorf("StartTLS failed %s", err.Error())
-		}
-		logging.Infof("StartTLS enabled")
-	}
-
-	return &LDAPServer{
-		Connection:         l,
-		URL:                URL,
-		StartTLS:           starttls,
-		IgnoreInsecureCert: ignore_cert,
-	}
-}
-
-func reconnectToLDAPServer(server *LDAPServer) error {
-	logging.Debugf("Reconnecting to %s LDAP server", server.URL)
-	if server == nil {
-		logging.Errorf("Cannot reconnect: server is nil")
-		return fmt.Errorf("Server is nil")
-	}
-
-	l, err := ldap.DialURL(server.URL)
-	if err != nil {
-		logging.Errorf("Failed to connect to LDAP server (has server gone down)")
-		return err
-	}
-
-	if server.StartTLS {
-		logging.Debugf("StartTLS enabling")
-		if err := l.StartTLS(&tls.Config{InsecureSkipVerify: server.IgnoreInsecureCert}); err != nil {
-			logging.Error("StartTLS failed")
-			return err
-		}
-		logging.Debugf("Successfully Started TLS")
-	}
-
-	server.Connection = l
-	return nil
-}
-
-func connectAsLDAPUser(server *LDAPServer, bindDN, password string) error {
-	logging.Debugf("Connecting to %s LDAP server with %s BindDN", server.URL, bindDN)
-	if server == nil {
-		logging.Errorf("Failed to connect as user, LDAP server is NULL")
-		return fmt.Errorf("LDAP server is null")
-	}
-
-	if server.Connection == nil || server.Connection.IsClosing() {
-		err := reconnectToLDAPServer(server)
-		return err
-	}
-	err := server.Connection.Bind(bindDN, password)
-	if err != nil {
-		logging.Errorf("Failed to bind to LDAP as user %s", err.Error())
-		return err
-	}
-	return nil
-}
-
-func searchLDAPServer(server *LDAPServer, baseDN string, searchFilter string, attributes []string) LDAPSearch {
-	logging.Debugf("Searching %s LDAP server\n\tBase DN: %s\n\tSearch Filter %s\n\tAttributes: %s", server.URL, baseDN, searchFilter, strings.Join(attributes, ","))
-	if server == nil {
-		logging.Errorf("Server is nil, failed to search LDAP server")
-		return LDAPSearch{false, nil}
-	}
-
-	if server.Connection == nil {
-		reconnectToLDAPServer(server)
-		if server.Connection == nil {
-			return LDAPSearch{false, nil}
-		}
-	}
-
-	searchRequest := ldap.NewSearchRequest(
-		baseDN,
-		ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
-		searchFilter, attributes,
-		nil,
-	)
-
-	sr, err := server.Connection.Search(searchRequest)
-	if err != nil {
-		logging.Errorf("Failed to search LDAP server %s\n", err.Error())
-		return LDAPSearch{false, nil}
-	}
-
-	return LDAPSearch{true, sr}
-}
-
-func modifyLDAPAttribute(server *LDAPServer, userDN string, attribute string, data []string) error {
-	logging.Infof("Modifing LDAP attribute %s", attribute)
-	modify := ldap.NewModifyRequest(userDN, nil)
-	modify.Replace(attribute, data)
-	err := server.Connection.Modify(modify)
-	if err != nil {
-		logging.Errorf("Failed to modify %s", err.Error())
-		return err
-	}
-	return nil
-}
-
-func changeLDAPPassword(server *LDAPServer, userDN, oldPassword, newPassword string) error {
-	logging.Infof("Changing LDAP password for %s", userDN)
-
-	if server == nil || server.Connection == nil {
-		return fmt.Errorf("LDAP connection not initialized")
-	}
-
-	// Ensure connection is alive
-	if server.Connection.IsClosing() {
-		if err := reconnectToLDAPServer(server); err != nil {
-			return err
-		}
-	}
-
-	// Bind as the user (required for FreeIPA self-password change)
-	err := server.Connection.Bind(userDN, oldPassword)
-	if err != nil {
-		logging.Errorf("Failed to bind as user: %s", err.Error())
-		return err
-	}
-
-	// Perform password modify extended operation
-	_, err = server.Connection.PasswordModify(&ldap.PasswordModifyRequest{
-		UserIdentity: userDN,
-		OldPassword:  oldPassword,
-		NewPassword:  newPassword,
-	})
-	if err != nil {
-		logging.Errorf("Password modify failed: %s", err.Error())
-		return err
-	}
-	logging.Infof("Password successfully changed for %s", userDN)
-	return nil
-}
-
-func closeLDAPServer(server *LDAPServer) {
-	if server != nil && server.Connection != nil {
-		logging.Debug("Closing connection to LDAP server")
-		err := server.Connection.Close()
-		if err != nil {
-			logging.Errorf("Failed to close LDAP server %s", err.Error())
-		}
-	}
-}
-
-func ldapEscapeFilter(input string) string { return ldap.EscapeFilter(input) }

src/main/main.go

@@ -3,95 +3,76 @@ package main
 import (
 	"fmt"
 	"html/template"
-	"io"
 	"log"
 	"net/http"
-	"os"
-	"path/filepath"
 	"strings"
 	"sync"
-	"time"
 
+	"astraltech.xyz/accountmanager/src/components"
+	"astraltech.xyz/accountmanager/src/email"
+	"astraltech.xyz/accountmanager/src/helpers"
+	"astraltech.xyz/accountmanager/src/ldap"
 	"astraltech.xyz/accountmanager/src/logging"
+	"astraltech.xyz/accountmanager/src/session"
 )
 
 var (
-	ldapServer      *LDAPServer
+	ldapServer     ldap.LDAPServer
-	ldapServerMutex sync.Mutex
+	serverConfig   *ServerConfig
-	serverConfig    *ServerConfig
+	sessionManager *session.SessionManager
+	noReplyEmail   email.EmailAccount
 )
 
 type UserData struct {
 	isAuth      bool
-	Username    string
 	DisplayName string
 	Email       string
 }
 
 var (
-	photoCreatedTimestamp = make(map[string]time.Time)
+	userData      = make(map[string]*UserData)
-	photoCreatedMutex     sync.Mutex
+	userDataMutex sync.RWMutex
-	blankPhotoData        []byte
 )
 
-func createUserPhoto(username string, photoData []byte) error {
+func authenticateUser(username, password string) (*UserData, error) {
-	Mkdir("./avatars", os.ModePerm)
-
-	path := fmt.Sprintf("./avatars/%s.jpeg", username)
-	cleaned := filepath.Clean(path)
-	dst, err := CreateFile(cleaned)
-
-	if err != nil {
-		return fmt.Errorf("Could not save file")
-	}
-	photoCreatedMutex.Lock()
-	photoCreatedTimestamp[username] = time.Now()
-	photoCreatedMutex.Unlock()
-	defer dst.Close()
-	logging.Info("Writing to avarar file")
-	_, err = dst.Write(photoData)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-func authenticateUser(username, password string) (UserData, error) {
 	logging.Event(logging.AuthenticateUser, username)
-	ldapServerMutex.Lock()
-	defer ldapServerMutex.Unlock()
-	if ldapServer.Connection == nil {
-		return UserData{isAuth: false}, fmt.Errorf("LDAP server not connected")
-	}
 	userDN := fmt.Sprintf("uid=%s,cn=users,cn=accounts,%s", username, serverConfig.LDAPConfig.BaseDN)
-	connected := connectAsLDAPUser(ldapServer, userDN, password)
-	if connected != nil {
-		return UserData{isAuth: false}, connected
-	}
 
-	userSearch := searchLDAPServer(
+	connected, err := ldapServer.AuthenticateUser(userDN, password)
-		ldapServer,
+	if err != nil {
+		if strings.Contains(err.Error(), "Password is expired") {
+			return nil, fmt.Errorf("Password expired for %s\n", username)
+		}
+		return nil, err
+	}
+	if connected == false {
+		logging.Debug("Failed to authenticate user")
+		return nil, fmt.Errorf("Failed to authenticate user %s", username)
+	}
+	logging.Info("User authenticated successfully")
+
+	userSearch, err := ldapServer.SerchServer(
+		userDN, password,
 		serverConfig.LDAPConfig.BaseDN,
-		fmt.Sprintf("(&(objectClass=inetOrgPerson)(uid=%s))", ldapEscapeFilter(username)),
+		fmt.Sprintf("(&(objectClass=inetOrgPerson)(uid=%s))", ldap.LDAPEscapeFilter(username)),
 		[]string{"displayName", "mail", "jpegphoto"},
 	)
-	if !userSearch.Succeeded {
+	if err != nil {
-		return UserData{isAuth: false}, fmt.Errorf("user metadata not found")
+		return nil, err
 	}
 
-	entry := userSearch.LDAPSearch.Entries[0]
+	entry := userSearch.GetEntry(0)
 	user := UserData{
 		isAuth:      true,
-		Username:    username,
 		DisplayName: entry.GetAttributeValue("displayName"),
 		Email:       entry.GetAttributeValue("mail"),
 	}
 
 	photoData := entry.GetRawAttributeValue("jpegphoto")
 	if len(photoData) > 0 {
-		createUserPhoto(user.Username, photoData)
+		components.CreateUserPhoto(username, photoData)
 	}
-	return user, nil
+	return &user, nil
 }
 
 type LoginPageData struct {
@@ -109,7 +90,6 @@ func loginHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	// 2. Logic for processing the form
 	if r.Method == http.MethodPost {
 		username := r.FormValue("username")
 		if strings.Contains(username, "/") {
@@ -118,15 +98,19 @@ func loginHandler(w http.ResponseWriter, r *http.Request) {
 		password := r.FormValue("password")
 
 		logging.Infof("New Login request for %s\n", username)
-		userData, err := authenticateUser(username, password)
+		newUserData, err := authenticateUser(username, password)
+		userDataMutex.Lock()
+		userData[username] = newUserData
+		userDataMutex.Unlock()
 		if err != nil {
-			log.Print(err)
+			logging.Error(err.Error())
 			tmpl.Execute(w, LoginPageData{IsHiddenClassList: ""})
 		} else {
-			if userData.isAuth == true {
+			if newUserData.isAuth == true {
-				cookie := createSession(&userData)
+				cookie, err := sessionManager.CreateSession(username)
-				if cookie == nil {
+				if err != nil {
-					http.Error(w, "Session error", 500)
+					logging.Error(err.Error())
+					http.Error(w, "Session error", http.StatusInternalServerError)
 					return
 				}
 				http.SetCookie(w, cookie)
@@ -147,75 +131,27 @@ type ProfileData struct {
 
 func profileHandler(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "text/html; charset=utf-8")
-	exist, sessionData := validateSession(r)
+	sessionData, err := sessionManager.GetSession(r)
-	if !exist {
+	if err != nil {
+		logging.Error(err.Error())
 		http.Redirect(w, r, "/login", http.StatusSeeOther)
 		return
 	}
 
 	if r.Method == http.MethodGet {
 		tmpl := template.Must(template.ParseFiles("src/pages/profile_page.html"))
+		userDataMutex.RLock()
 		tmpl.Execute(w, ProfileData{
-			Username:    sessionData.data.Username,
+			Username:    sessionData.UserID,
-			Email:       sessionData.data.Email,
+			Email:       userData[sessionData.UserID].Email,
-			DisplayName: sessionData.data.DisplayName,
+			DisplayName: userData[sessionData.UserID].DisplayName,
 			CSRFToken:   sessionData.CSRFToken,
 		})
+		userDataMutex.RUnlock()
 		return
 	}
 }
 
-func avatarHandler(w http.ResponseWriter, r *http.Request) {
-	w.Header().Set("Content-Type", "image/jpeg")
-	username := r.URL.Query().Get("user")
-	if strings.Contains(username, "/") {
-		w.Write(blankPhotoData)
-		return
-	}
-
-	filePath := fmt.Sprintf("./avatars/%s.jpeg", username)
-	cleaned := filepath.Clean(filePath)
-	value, err := ReadFile(cleaned)
-
-	if err == nil {
-		photoCreatedMutex.Lock()
-		if time.Since(photoCreatedTimestamp[username]) <= 5*time.Minute {
-			photoCreatedMutex.Unlock()
-			w.Write(value)
-			return
-		}
-		photoCreatedMutex.Unlock()
-	}
-
-	ldapServerMutex.Lock()
-	defer ldapServerMutex.Unlock()
-	connected := connectAsLDAPUser(ldapServer, serverConfig.LDAPConfig.BindDN, serverConfig.LDAPConfig.BindPassword)
-	if connected != nil {
-		w.Write(blankPhotoData)
-		return
-	}
-
-	userSearch := searchLDAPServer(
-		ldapServer,
-		serverConfig.LDAPConfig.BaseDN,
-		fmt.Sprintf("(&(objectClass=inetOrgPerson)(uid=%s))", ldapEscapeFilter(username)),
-		[]string{"jpegphoto"},
-	)
-	if !userSearch.Succeeded || len(userSearch.LDAPSearch.Entries) == 0 {
-		w.Write(blankPhotoData)
-		return
-	}
-	entry := userSearch.LDAPSearch.Entries[0]
-	bytes := entry.GetRawAttributeValue("jpegphoto")
-	if len(bytes) == 0 {
-		w.Write(blankPhotoData)
-		return
-	} else {
-		w.Write(bytes)
-		createUserPhoto(username, bytes)
-	}
-}
-
 func logoutHandler(w http.ResponseWriter, r *http.Request) {
 	cookie, err := r.Cookie("session_token")
 	if err != nil {
@@ -224,59 +160,19 @@ func logoutHandler(w http.ResponseWriter, r *http.Request) {
 	}
 	token := cookie.Value
 
-	exist, sessionData := validateSession(r)
+	sessionData, err := sessionManager.GetSession(r)
-	if exist {
-		if r.FormValue("csrf_token") != sessionData.CSRFToken {
-			http.Error(w, "Unable to log user out", http.StatusForbidden)
-			logging.Debugf("%s attempted to logout with invalid csrf token", sessionData.data.Username)
-			return
-		}
-	}
-	logging.Infof("handling logout event for %s", sessionData.data.Username)
-
-	deleteSession(token)
-	http.Redirect(w, r, "/login", http.StatusSeeOther)
-}
-
-func uploadPhotoHandler(w http.ResponseWriter, r *http.Request) {
-	exist, sessionData := validateSession(r)
-	if !exist {
-		http.Redirect(w, r, "/login", http.StatusSeeOther)
-		return
-	}
-	err := r.ParseMultipartForm(10 << 20) // 10MB limit
 	if err != nil {
-		http.Error(w, "Bad request", http.StatusBadRequest)
+		logging.Error(err.Error())
-		return
 	}
-
 	if r.FormValue("csrf_token") != sessionData.CSRFToken {
-		http.Error(w, "CSRF Forbidden", http.StatusForbidden)
+		http.Error(w, "Unable to log user out", http.StatusForbidden)
+		logging.Debugf("%s attempted to logout with invalid csrf token", sessionData.UserID)
 		return
 	}
+	logging.Infof("handling logout event for %s", sessionData.UserID)
 
-	file, header, err := r.FormFile("photo")
+	sessionManager.DeleteSession(token)
-	if err != nil {
+	http.Redirect(w, r, "/login", http.StatusSeeOther)
-		http.Error(w, "File not found", http.StatusBadRequest)
-		return
-	}
-	defer file.Close()
-	if header.Size > (10 * 1024 * 1024) {
-		http.Error(w, "File is to large (limit is 10 MB)", http.StatusBadRequest)
-		return
-	}
-
-	// 3. Read file into memory
-	data, err := io.ReadAll(file)
-	if err != nil {
-		http.Error(w, "Failed to read file", http.StatusInternalServerError)
-		return
-	}
-	userDN := fmt.Sprintf("uid=%s,cn=users,cn=accounts,%s", sessionData.data.Username, serverConfig.LDAPConfig.BaseDN)
-	ldapServerMutex.Lock()
-	defer ldapServerMutex.Unlock()
-	modifyLDAPAttribute(ldapServer, userDN, "jpegphoto", []string{string(data)})
-	createUserPhoto(sessionData.data.Username, data)
 }
 
 func faviconHandler(w http.ResponseWriter, r *http.Request) {
@@ -289,37 +185,18 @@ func logoHandler(w http.ResponseWriter, r *http.Request) {
 	http.ServeFile(w, r, serverConfig.StyleConfig.LogoPath)
 }
 
-func cleanupSessions() {
-	logging.Debug("Cleaning up stale session\n")
-
-	sessionMutex.Lock()
-	sessions_to_delete := []string{}
-	for session_token, session_data := range sessions {
-		timeUntilRemoval := time.Minute * 5
-		if session_data.loggedIn {
-			timeUntilRemoval = time.Hour
-		}
-		if time.Since(session_data.timeCreated) > timeUntilRemoval {
-			sessions_to_delete = append(sessions_to_delete, session_token)
-		}
-	}
-	sessionMutex.Unlock()
-	for _, session_id := range sessions_to_delete {
-		deleteSession(session_id)
-	}
-}
-
 func changePasswordHandler(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
 
-	exist, sessionData := validateSession(r)
+	sessionData, err := sessionManager.GetSession(r)
-	if !exist {
+	if err != nil {
+		logging.Error(err.Error())
 		w.WriteHeader(http.StatusUnauthorized)
 		w.Write([]byte(`{"success": false, "error": "Not authenticated"}`))
 		return
 	}
 
-	err := r.ParseMultipartForm(10 << 20)
+	err = r.ParseMultipartForm(10 << 20)
 	if err != nil {
 		w.WriteHeader(http.StatusBadRequest)
 		w.Write([]byte(`{"success": false, "error": "Bad request"}`))
@@ -344,11 +221,11 @@ func changePasswordHandler(w http.ResponseWriter, r *http.Request) {
 
 	userDN := fmt.Sprintf(
 		"uid=%s,cn=users,cn=accounts,%s",
-		sessionData.data.Username,
+		sessionData.UserID,
 		serverConfig.LDAPConfig.BaseDN,
 	)
 
-	err = changeLDAPPassword(ldapServer, userDN, oldPassword, newPassword)
+	err = ldapServer.ChangePassword(userDN, oldPassword, newPassword)
 	if err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
 
@@ -368,37 +245,55 @@ func changePasswordHandler(w http.ResponseWriter, r *http.Request) {
 
 func main() {
 	logging.Info("Starting the server")
+	sessionManager = session.GetSessionManager()
+	sessionManager.SetStoreType(session.InMemory)
 
-	var err error = nil
+	var err error
-	blankPhotoData, err = ReadFile("static/blank_profile.jpg")
-	if err != nil {
-		logging.Fatal("Could not load blank profile image")
-	}
 	serverConfig, err = loadServerConfig("./data/config.json")
 	if err != nil {
 		log.Fatal("Could not load server config")
 	}
 
-	ldapServerMutex.Lock()
+	noReplyEmail = email.CreateEmailAccount(email.EmailAccountData{
-	server := connectToLDAPServer(serverConfig.LDAPConfig.LDAPURL, serverConfig.LDAPConfig.Security == "tls", serverConfig.LDAPConfig.IgnoreInvalidCert)
+		Username: serverConfig.EmailConfig.Username,
-	ldapServer = server
+		Password: serverConfig.EmailConfig.Password,
-	ldapServerMutex.Unlock()
+		Email:    serverConfig.EmailConfig.Email,
-	defer closeLDAPServer(ldapServer)
+	}, serverConfig.EmailConfig.SMTPURL, serverConfig.EmailConfig.SMTPPort)
 
-	createWorker(time.Minute*5, cleanupSessions)
+	ldapServer = ldap.LDAPServer{
-	HandleFunc("/favicon.ico", faviconHandler)
+		URL:                serverConfig.LDAPConfig.LDAPURL,
-	HandleFunc("/logo", logoHandler)
+		StartTLS:           serverConfig.LDAPConfig.Security == "tls",
+		IgnoreInsecureCert: serverConfig.LDAPConfig.IgnoreInvalidCert,
+	}
+
+	components.LDAPServer = &ldapServer
+	components.BaseDN = serverConfig.LDAPConfig.BaseDN
+	components.ServiceUserBindDN = serverConfig.LDAPConfig.BindDN
+	components.ServiceUserPassword = serverConfig.LDAPConfig.BindPassword
+
+	connected, err := ldapServer.TestConnection()
+	if connected != true || err != nil {
+		if err != nil {
+			logging.Error(err.Error())
+		}
+		logging.Fatal("Failed to connect to LDAP server")
+	}
+
+	InitPasswordExpiry()
+
+	helpers.HandleFunc("/favicon.ico", faviconHandler)
+	helpers.HandleFunc("/logo", logoHandler)
 
 	http.Handle("/static/", http.StripPrefix("/static/", http.FileServer(http.Dir("static"))))
-	HandleFunc("/login", loginHandler)
+	helpers.HandleFunc("/login", loginHandler)
-	HandleFunc("/profile", profileHandler)
+	helpers.HandleFunc("/profile", profileHandler)
-	HandleFunc("/logout", logoutHandler)
+	helpers.HandleFunc("/logout", logoutHandler)
 
-	HandleFunc("/avatar", avatarHandler)
+	helpers.HandleFunc("/avatar", components.AvatarHandler)
-	HandleFunc("/change-photo", uploadPhotoHandler)
+	helpers.HandleFunc("/change-photo", components.UploadPhotoHandler)
-	HandleFunc("/change-password", changePasswordHandler)
+	helpers.HandleFunc("/change-password", changePasswordHandler)
 
-	HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+	helpers.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
 		http.Redirect(w, r, "/profile", http.StatusFound) // 302 redirect
 	})
 

src/main/password_expiry.go

@@ -0,0 +1,57 @@
+package main
+
+import (
+	"fmt"
+	"time"
+
+	"astraltech.xyz/accountmanager/src/email"
+	"astraltech.xyz/accountmanager/src/logging"
+	"astraltech.xyz/accountmanager/src/worker"
+)
+
+func InitPasswordExpiry() {
+	go func() {
+		CheckPasswordExpriy()
+	}()
+	worker.CreateWorker(time.Hour*12, CheckPasswordExpriy)
+}
+
+func CheckPasswordExpriy() {
+	logging.Infof("Starting password expiry check")
+
+	now := time.Now().UTC()
+	formatted := now.Format("20060102150405Z")
+
+	search, err := ldapServer.SerchServer(serverConfig.LDAPConfig.BindDN, serverConfig.LDAPConfig.BindPassword, serverConfig.LDAPConfig.BaseDN, fmt.Sprintf("(&(objectclass=person)(krbPasswordExpiration<=%s))", formatted), []string{"cn", "mail", "krbPasswordExpiration"})
+	if err != nil {
+		logging.Warn(err.Error())
+	}
+
+	logging.Infof("%d users with expired passwords", search.EntryCount())
+
+	for i := range search.EntryCount() {
+		emailAddr := search.GetEntry(i).GetAttributeValue("mail")
+		if len(emailAddr) <= 0 {
+			continue
+		}
+
+		t, err := time.Parse("20060102150405Z", search.GetEntry(i).GetAttributeValue("krbPasswordExpiration"))
+		if err != nil {
+			panic(err)
+		}
+		formatted := t.Format("January 2, 2006 at 3:04 PM MST")
+
+		data := map[string]any{
+			"Username":    search.GetEntry(i).GetAttributeValue("cn"),
+			"ExpiredAt":   formatted,
+			"ResetURL":    fmt.Sprintf("%s", serverConfig.WebserverConfig.BaseURL),
+			"ServiceName": "Astral Tech",
+		}
+
+		email_template, err := email.RenderTemplate("./data/email-templates/expired-password.html", data, nil)
+		if err != nil {
+			logging.Errorf("Failed to load email template: %s", err.Error())
+		}
+		noReplyEmail.SendEmail([]string{emailAddr}, "Password expired", email_template)
+	}
+}

src/main/session.go

@@ -1,106 +0,0 @@
-package main
-
-import (
-	"crypto/rand"
-	"crypto/sha256"
-	"encoding/base64"
-	"net/http"
-	"sync"
-	"time"
-
-	"astraltech.xyz/accountmanager/src/logging"
-)
-
-type SessionData struct {
-	loggedIn    bool
-	data        *UserData
-	timeCreated time.Time
-	CSRFToken   string
-}
-
-var (
-	sessions     = make(map[string]SessionData)
-	sessionMutex sync.Mutex
-)
-
-func GenerateSessionToken(length int) (string, error) {
-	b := make([]byte, length)
-	_, err := rand.Read(b)
-	if err != nil {
-		return "", err
-	}
-	token := base64.RawURLEncoding.EncodeToString(b)
-	return token, nil
-}
-
-func createSession(userData *UserData) *http.Cookie {
-	logging.Debugf("Creating a new session for %s", userData.Username)
-	token, err := GenerateSessionToken(32) // Use crypto/rand for this
-	if err != nil {
-		logging.Error(err.Error())
-		return nil
-	}
-	CSRFToken, err := GenerateSessionToken(32)
-	if err != nil {
-		logging.Error(err.Error())
-		return nil
-	}
-
-	tokenEncoded := sha256.Sum256([]byte(token))
-	tokenEncodedString := string(tokenEncoded[:])
-
-	sessionMutex.Lock()
-	defer sessionMutex.Unlock()
-	loggedIn := false
-	if userData != nil {
-		loggedIn = true
-	}
-	sessions[tokenEncodedString] = SessionData{
-		data:        userData,
-		timeCreated: time.Now(),
-		CSRFToken:   CSRFToken,
-		loggedIn:    loggedIn,
-	}
-	cookie := &http.Cookie{
-		Name:     "session_token",
-		Value:    token,
-		Path:     "/",
-		HttpOnly: true, // Essential: prevents JS access
-		Secure:   true, // Set to TRUE in production (HTTPS)
-		SameSite: http.SameSiteLaxMode,
-		MaxAge:   3600, // 1 hour
-	}
-	return cookie
-}
-
-func validateSession(r *http.Request) (bool, *SessionData) {
-	logging.Debugf("Validating session")
-	cookie, err := r.Cookie("session_token")
-	if err != nil {
-		logging.Error(err.Error())
-		return false, &SessionData{}
-	}
-	token := cookie.Value
-
-	tokenEncoded := sha256.Sum256([]byte(token))
-	tokenEncodedString := string(tokenEncoded[:])
-
-	sessionMutex.Lock()
-	sessionData, exists := sessions[tokenEncodedString]
-	sessionMutex.Unlock()
-	if !exists || !sessionData.loggedIn {
-		return false, &SessionData{}
-	}
-	logging.Infof("Validated session for %s", sessionData.data.Username)
-	return true, &sessionData
-}
-
-func deleteSession(session_id string) {
-	sessionMutex.Lock()
-
-	tokenEncoded := sha256.Sum256([]byte(session_id))
-	tokenEncodedString := string(tokenEncoded[:])
-
-	delete(sessions, tokenEncodedString)
-	sessionMutex.Unlock()
-}

src/pages/login_page.html

@@ -28,9 +28,16 @@
 
     <div>
         <label class="input_label">Password</label><br />
-        <input type="password" name="password" placeholder="" required />
+        <div class="password_box">
+            <input type="password" name="password" placeholder="" required />
+            <button type="button" class="show_password_toggle closed"></button>
+        </div>
     </div>
     <button type="submit">Login</button>
 </form>
 
 <script src="/static/error/error.js" type="text/javascript"></script>
+<script
+    src="/static/javascript/show_password.js"
+    type="text/javascript"
+></script>

src/pages/profile_page.html

@@ -9,14 +9,24 @@
 <link rel="stylesheet" href="static/card.css" />
 <link rel="stylesheet" href="static/error/error.css" />
 <link rel="stylesheet" href="static/profile_page.css" />
+<link rel="stylesheet" href="static/progress_bar.css" />
 
 <div id="popup_background" class="blocked hidden"></div>
 
-<div id="change_password_dialogue" class="hidden card static_center">
+<div id="change_password_dialogue" class="card static_center hidden">
-    Change Password
+    <div class="dialouge_title">Change Password</div>
-
     <button id="close_password_dialogue">X</button>
 
+    <hr
+        style="
+            border: 0;
+            border-top: 1px solid var(--border-subtle);
+            margin: 20px 0;
+            margin-bottom: 0px;
+            margin-top: 0px;
+        "
+    />
+
     <div id="password_error" class="error hidden">
         <div id="password_text"></div>
         <button id="password_error_close_button" class="close_error_button">
@@ -26,37 +36,68 @@
 
     <div>
         <label class="input_label">Current password</label><br />
-        <input
+        <div class="password_box">
-            type="password"
+            <input
-            id="current_password"
+                type="password"
-            name="current_password"
+                id="current_password"
-            placeholder=""
+                name="current_password"
-            required
+                placeholder=""
-        />
+                required
+            />
+            <button type="button" class="show_password_toggle closed"></button>
+        </div>
     </div>
 
     <div>
         <label class="input_label">New password</label><br />
-        <input
+        <div class="password_box">
-            type="password"
+            <input
-            id="new_password"
+                type="password"
-            name="new_password"
+                id="new_password"
-            placeholder=""
+                name="new_password"
-            required
+                placeholder=""
-        />
+                required
+            />
+            <button type="button" class="show_password_toggle closed"></button>
+        </div>
     </div>
 
     <div>
         <label class="input_label">New password (repeat)</label><br />
-        <input
+        <div class="password_box">
-            type="password"
+            <input
-            id="new_password_repeat"
+                type="password"
-            name="new_password_repeat"
+                id="new_password_repeat"
-            placeholder=""
+                name="new_password_repeat"
-            required
+                placeholder=""
-        />
+                required
+            />
+            <button type="button" class="show_password_toggle closed"></button>
+        </div>
     </div>
 
+    <div>
+        <label class="input_label" id="strengh-label">Strength: Weak</label
+        ><br />
+        <div class="progress-bar">
+            <div
+                class="progress-bar-progress"
+                id="password-progress"
+                style="width: 0%"
+            ></div>
+        </div>
+    </div>
+
+    <!--<div id="password_errors">
+        <div class="password_error">Error 1</div>
+        <div class="password_error">Error 2</div>
+    </div>
+
+    <div id="password_warnings">
+        <div class="password_error">Error 1</div>
+        <div class="password_error">Error 2</div>
+    </div>-->
+
     <button id="final_change_password_button">Change Password</button>
 </div>
 
@@ -80,7 +121,7 @@
 
                 <button id="edit_picture_button">
                     <img
-                        src="/static/crayon_icon.png"
+                        src="/static/images/crayon_icon.png"
                         id="edit_picture_image"
                     />
                 </button>
@@ -136,96 +177,6 @@
     });
 </script>
 
-<script type="text/javascript">
-    const popup_botton = document.getElementById("change_password_button");
-
-    popup_botton.addEventListener("click", () => {
-        document.getElementById("popup_background").classList.remove("hidden");
-        document
-            .getElementById("change_password_dialogue")
-            .classList.remove("hidden");
-    });
-</script>
-
-<script type="text/javascript">
-    const changePasswordButton = document.getElementById(
-        "final_change_password_button",
-    );
-
-    function displayError(errorText) {
-        document.getElementById("password_error").classList.remove("hidden");
-        document.getElementById("password_text").innerText =
-            "⚠️ " + errorText + ".";
-        return;
-    }
-
-    changePasswordButton.addEventListener("click", () => {
-        if (document.getElementById("current_password").value === "") {
-            displayError("Please enter current password");
-            return;
-        }
-
-        if (document.getElementById("new_password").value === "") {
-            displayError("No value for new password");
-            return;
-        }
-
-        if (document.getElementById("new_password_repeat").value === "") {
-            displayError("Please repeat new password");
-            return;
-        }
-
-        if (
-            document.getElementById("new_password").value !==
-            document.getElementById("new_password_repeat").value
-        ) {
-            displayError("New password and new password repeat do not match");
-            return;
-        }
-
-        const formData = new FormData();
-        formData.append(
-            "csrf_token",
-            document.getElementById("csrf_token_storage").value,
-        );
-        formData.append(
-            "old_password",
-            document.getElementById("current_password").value,
-        );
-        formData.append(
-            "new_password",
-            document.getElementById("new_password").value,
-        );
-        formData.append(
-            "new_password_repeat",
-            document.getElementById("new_password_repeat").value,
-        );
-
-        fetch("/change-password", {
-            method: "POST",
-            body: formData,
-        })
-            .then(async (res) => {
-                const data = await res.json();
-                if (!res.ok) {
-                    throw new Error(data.error || "Request failed");
-                }
-                return data;
-            })
-            .then((data) => {
-                document
-                    .getElementById("change_password_dialogue")
-                    .classList.add("hidden");
-                document
-                    .getElementById("popup_background")
-                    .classList.add("hidden");
-            })
-            .catch((err) => {
-                displayError(err.message);
-            });
-    });
-</script>
-
 <script type="text/javascript">
     var currentPreviewURL = null;
 
@@ -265,15 +216,17 @@
     });
 </script>
 
-<script type="text/javascript">
-    document
-        .getElementById("close_password_dialogue")
-        .addEventListener("click", () => {
-            document
-                .getElementById("change_password_dialogue")
-                .classList.add("hidden");
-            document.getElementById("popup_background").classList.add("hidden");
-        });
-</script>
-
 <script src="/static/error/error.js" type="text/javascript"></script>
+<script
+    src="/static/javascript/password_strength.js"
+    type="text/javascript"
+></script>
+<script
+    src="/static/javascript/handle_password_change.js"
+    type="text/javascript"
+></script>
+
+<script
+    src="/static/javascript/show_password.js"
+    type="text/javascript"
+></script>

src/session/session_errors.go

@@ -0,0 +1,7 @@
+package session
+
+import "errors"
+
+var ErrSessionNotFound = errors.New("session not found")
+var ErrSessionAlreadyExists = errors.New("session already exists")
+var ErrSessionExpired = errors.New("session expired")

src/session/session_helpers.go

@@ -0,0 +1,24 @@
+package session
+
+import (
+	"crypto/rand"
+	"crypto/sha256"
+	"encoding/base64"
+)
+
+// helper function for secure session storage
+func GenerateSessionToken(length int) (string, error) {
+	b := make([]byte, length)
+	_, err := rand.Read(b)
+	if err != nil {
+		return "", err
+	}
+	token := base64.RawURLEncoding.EncodeToString(b)
+	return token, nil
+}
+
+// more helper
+func hashSession(session_id string) string {
+	tokenEncoded := sha256.Sum256([]byte(session_id))
+	return base64.RawURLEncoding.EncodeToString(tokenEncoded[:])
+}

src/session/session_in_memory.go

@@ -0,0 +1,94 @@
+package session
+
+import (
+	"sync"
+	"time"
+
+	"astraltech.xyz/accountmanager/src/logging"
+	"astraltech.xyz/accountmanager/src/worker"
+)
+
+type MemoryStore struct {
+	sessions map[string]*SessionData
+	lock     sync.RWMutex
+}
+
+func NewMemoryStore() *MemoryStore {
+	logging.Debug("Creating new in memory session store")
+	store := &MemoryStore{
+		sessions: make(map[string]*SessionData),
+	}
+	worker.CreateWorker(time.Minute*5, store.cleanup)
+	return store
+}
+
+func (m *MemoryStore) Create(sessionID string, session *SessionData) (err error) {
+	hashedSession := hashSession(sessionID)
+
+	m.lock.Lock()
+	defer m.lock.Unlock()
+	_, exist := m.sessions[hashedSession]
+	if exist {
+		return ErrSessionAlreadyExists
+	}
+
+	m.sessions[hashedSession] = session
+	return nil
+}
+func (m *MemoryStore) Get(sessionID string) (*SessionData, error) {
+	m.lock.RLock()
+	hashed := hashSession(sessionID)
+	data, exists := m.sessions[hashed]
+	m.lock.RUnlock()
+	if exists == false {
+		return nil, ErrSessionNotFound
+	}
+	if time.Now().After(data.ExpiresAt) {
+		_ = m.Delete(sessionID) // ignore error
+		return nil, ErrSessionExpired
+	}
+	copy := *data
+	return &copy, nil
+}
+func (m *MemoryStore) Update(sessionID string, session *SessionData) error {
+	hashedSession := hashSession(sessionID)
+
+	m.lock.Lock()
+	defer m.lock.Unlock()
+	_, exist := m.sessions[hashedSession]
+	if !exist {
+		return ErrSessionNotFound
+	}
+	m.sessions[hashedSession] = session
+	return nil
+}
+
+func (m *MemoryStore) cleanup() {
+	logging.Debug("Cleaning up memory store sessions")
+	now := time.Now()
+
+	m.lock.Lock()
+	defer m.lock.Unlock()
+
+	deleted := 0
+	for id, session := range m.sessions {
+		if now.After(session.ExpiresAt) {
+			delete(m.sessions, id)
+			deleted = deleted + 1
+		}
+	}
+	logging.Infof("Cleaned up %d stale sessions", deleted)
+}
+
+func (m *MemoryStore) Delete(sessionID string) error {
+	hashedSession := hashSession(sessionID)
+
+	m.lock.Lock()
+	defer m.lock.Unlock()
+	_, exist := m.sessions[hashedSession]
+	if !exist {
+		return ErrSessionNotFound
+	}
+	delete(m.sessions, hashedSession)
+	return nil
+}

src/session/session_manager.go

@@ -0,0 +1,95 @@
+package session
+
+import (
+	"net/http"
+	"sync"
+	"time"
+
+	"astraltech.xyz/accountmanager/src/logging"
+)
+
+const SessionCookieName = "session_token"
+
+type SessionManager struct {
+	store SessionStore
+}
+
+var instance *SessionManager
+var once sync.Once
+
+type StoreType int
+
+const (
+	InMemory StoreType = iota
+)
+
+func GetSessionManager() *SessionManager {
+	once.Do(func() {
+		instance = &SessionManager{}
+	})
+	return instance
+}
+
+func (manager *SessionManager) SetStoreType(storeType StoreType) {
+	logging.Infof("Changing session manager store type")
+	switch storeType {
+	case InMemory:
+		{
+			manager.store = NewMemoryStore()
+			break
+		}
+	}
+}
+
+func (manager *SessionManager) CreateSession(userID string) (cookie *http.Cookie, err error) {
+	logging.Debugf("Creating a new session for %s", userID)
+	token, err := GenerateSessionToken(32) // Use crypto/rand for this
+	if err != nil {
+		return nil, err
+	}
+	CSRFToken, err := GenerateSessionToken(32)
+	if err != nil {
+		return nil, err
+	}
+	newSessionData := SessionData{
+		UserID:    userID,
+		CSRFToken: CSRFToken,
+		ExpiresAt: time.Now().Add(time.Hour),
+	}
+	err = manager.store.Create(token, &newSessionData)
+	if err != nil {
+		return nil, err
+	}
+
+	newCookie := &http.Cookie{
+		Name:     SessionCookieName,
+		Value:    token,
+		Path:     "/",
+		HttpOnly: true, // Essential: prevents JS access
+		Secure:   true, // Set to TRUE in production (HTTPS)
+		SameSite: http.SameSiteLaxMode,
+		MaxAge:   3600, // 1 hour
+	}
+	return newCookie, nil
+}
+
+func (manager *SessionManager) GetSession(r *http.Request) (*SessionData, error) {
+	logging.Debug("Validating session from request")
+	cookie, err := r.Cookie(SessionCookieName)
+	if err != nil {
+		return nil, ErrSessionNotFound
+	}
+	token := cookie.Value
+	if token == "" {
+		return nil, ErrSessionNotFound
+	}
+	data, err := manager.store.Get(token)
+	if err != nil {
+		return nil, ErrSessionNotFound
+	}
+	return data, nil
+}
+
+func (manager *SessionManager) DeleteSession(sessionId string) error {
+	return manager.store.Delete(sessionId)
+}

src/session/session_store.go

@@ -0,0 +1,16 @@
+package session
+
+import "time"
+
+type SessionData struct {
+	UserID    string
+	CSRFToken string
+	ExpiresAt time.Time
+}
+
+type SessionStore interface {
+	Create(sessionID string, session *SessionData) error
+	Get(sessionID string) (*SessionData, error)
+	Update(sessionID string, session *SessionData) error
+	Delete(sessionID string) error
+}

src/worker/worker.go

@@ -1,4 +1,4 @@
-package main
+package worker
 
 import (
 	"time"
@@ -6,7 +6,7 @@ import (
 	"astraltech.xyz/accountmanager/src/logging"
 )
 
-func createWorker(interval time.Duration, task func()) {
+func CreateWorker(interval time.Duration, task func()) {
 	logging.Debugf("Creating worker that runs on a %s interval", interval.String())
 	go func() {
 		ticker := time.NewTicker(interval)

static/card.css

@@ -1,10 +1,5 @@
 .card {
-    background: rgba(
+    background: rgba(255, 255, 255, 1);
-        255,
-        255,
-        255,
-        1
-    ); /* Semi-transparent white for light theme */
     border: 1px solid var(--border-subtle);
     border-radius: 12px;
     padding: 2.5rem;

static/javascript/handle_password_change.js

@@ -0,0 +1,106 @@
+document
+  .getElementById("close_password_dialogue")
+  .addEventListener("click", () => {
+    document.getElementById("change_password_dialogue").classList.add("hidden");
+    document.getElementById("popup_background").classList.add("hidden");
+  });
+
+const popup_botton = document.getElementById("change_password_button");
+
+const currentPasswordButton = document.getElementById("current_password"),
+  newPasswordButton = document.getElementById("new_password"),
+  newPasswordRepeatButton = document.getElementById("new_password_repeat");
+
+const strengh_label = document.getElementById("strengh-label");
+const password_progress = document.getElementById("password-progress");
+
+popup_botton.addEventListener("click", () => {
+  document.getElementById("popup_background").classList.remove("hidden");
+  document
+    .getElementById("change_password_dialogue")
+    .classList.remove("hidden");
+
+  currentPasswordButton.value = "";
+  newPasswordButton.value = "";
+  newPasswordRepeatButton.value = "";
+  strengh_label.innerText = "Strength: Weak";
+  password_progress.style.width = "0%";
+});
+
+const changePasswordButton = document.getElementById(
+  "final_change_password_button",
+);
+
+function displayError(errorText) {
+  document.getElementById("password_error").classList.remove("hidden");
+  document.getElementById("password_text").innerText = "⚠️ " + errorText + ".";
+  return;
+}
+
+changePasswordButton.addEventListener("click", () => {
+  if (currentPasswordButton.value === "") {
+    displayError("Please enter current password");
+    return;
+  }
+
+  if (newPasswordButton.value === "") {
+    displayError("No value for new password");
+    return;
+  }
+
+  if (newPasswordRepeatButton.value === "") {
+    displayError("Please repeat new password");
+    return;
+  }
+
+  if (newPasswordButton.value !== newPasswordRepeatButton.value) {
+    displayError("New passwords do not match");
+    return;
+  }
+
+  const formData = new FormData();
+  formData.append(
+    "csrf_token",
+    document.getElementById("csrf_token_storage").value,
+  );
+  formData.append("old_password", currentPasswordButton.value);
+  formData.append("new_password", newPasswordButton.value);
+  formData.append("new_password_repeat", newPasswordRepeatButton.value);
+
+  fetch("/change-password", {
+    method: "POST",
+    body: formData,
+  })
+    .then(async (res) => {
+      const data = await res.json();
+      if (!res.ok) {
+        throw new Error(data.error || "Request failed");
+      }
+      return data;
+    })
+    .then((data) => {
+      document
+        .getElementById("change_password_dialogue")
+        .classList.add("hidden");
+      document.getElementById("popup_background").classList.add("hidden");
+    })
+    .catch((err) => {
+      displayError(err.message);
+    });
+});
+
+document.getElementById("new_password").addEventListener("input", () => {
+  score = EvaluatePassword(document.getElementById("new_password").value).score;
+  password_progress.style.width = score + "%";
+
+  if (score <= 40) {
+    strengh_label.innerText = "Strength: Weak";
+    password_progress.style.backgroundColor = "var(--password-strength-weak)";
+  } else if (score > 40 && score <= 70) {
+    strengh_label.innerText = "Strength: Medium";
+    password_progress.style.backgroundColor = "var(--password-strength-medium)";
+  } else if (score > 40 && score >= 70) {
+    strengh_label.innerText = "Strength: Strong";
+    password_progress.style.backgroundColor = "var(--password-strength-strong)";
+  }
+});

static/javascript/password_strength.js

@@ -0,0 +1,51 @@
+// build in evaluate password function
+// Errors: reasons why the FreeIPA server would reject the password
+// Suggestions: reasons the password should be made stronger
+// You can change this code to change how complexity is rated
+// Return values
+// Score: 0-100
+// Errors: A list of errors that would cause the server to reject the password
+// Suggestions: A list of suggestions to make the password stronger
+function EvaluatePassword(password) {
+  let score = 0;
+  let errors = [];
+  let suggestions = [];
+
+  const hasUpper = /[A-Z]/.test(password);
+  const hasLower = /[a-z]/.test(password);
+  const hasNumber = /[0-9]/.test(password);
+  const hasSpecial = /[^A-Za-z0-9]/.test(password);
+  const isLongEnough = password.length >= 8;
+
+  if (!isLongEnough) {
+    errors.push("Password must be at least 8 characters long.");
+  }
+  score += Math.min(password.length * 3, 60);
+  if (hasUpper) score += 10;
+  if (hasLower) score += 10;
+  if (hasNumber) score += 10;
+  if (hasSpecial) score += 10;
+  if (score < 100) {
+    if (password.length < 20) {
+      suggestions.push(
+        `Add ${20 - password.length} more characters to reach maximum length points.`,
+      );
+    }
+    if (!hasUpper) suggestions.push("Add an uppercase letter.");
+    if (!hasLower) suggestions.push("Add a lowercase letter.");
+    if (!hasNumber) suggestions.push("Add a number.");
+    if (!hasSpecial)
+      suggestions.push("Add a special character (e.g., !, @, #).");
+    if (score > 70 && score < 100) {
+      suggestions.push(
+        "Pro-tip: Use a full sentence (passphrase) to make it easier to remember and harder to crack.",
+      );
+    }
+  }
+
+  return {
+    score: Math.min(score, 100),
+    errors: errors,
+    suggestions: suggestions,
+  };
+}

static/javascript/show_password.js

@@ -0,0 +1,22 @@
+const showPasswordButtons = document.getElementsByClassName(
+  "show_password_toggle",
+);
+
+for (const button of showPasswordButtons) {
+  button.addEventListener("click", function () {
+    const input = this.parentElement.querySelector(
+      "input[type='password'], input[type='text']",
+    );
+    if (!input) return;
+    const isHidden = input.type === "password";
+    input.type = isHidden ? "text" : "password";
+
+    if (isHidden) {
+      this.classList.add("open");
+      this.classList.remove("closed");
+    } else {
+      this.classList.remove("open");
+      this.classList.add("closed");
+    }
+  });
+}

static/profile_page.css

@@ -128,7 +128,31 @@
 }
 
 #close_password_dialogue {
-    width: fit-content;
+    display: inline-block;
+    aspect-ratio: 1 / 1;
     position: absolute;
     right: 2.5rem;
+    padding: 0px;
+    margin: 0px;
+    width: 30px;
+}
+
+#password_errors {
+    background-color: var(--error-red);
+    border-radius: 8px;
+    padding: 20px;
+    border-color: var(--error-border-red);
+    border-width: 2px;
+    border-style: solid;
+    color: var(--text-main);
+}
+
+#password_warnings {
+    background-color: var(--warning-yellow);
+    border-radius: 8px;
+    padding: 20px;
+    border-color: var(--warning-border-yellow);
+    border-width: 2px;
+    border-style: solid;
+    color: var(--text-main);
 }

static/progress_bar.css

@@ -0,0 +1,16 @@
+:root {
+    --progress-top: #becbd8;
+}
+
+.progress-bar {
+    width: 100%;
+    background-color: var(--bg-input);
+    height: 20px;
+    border-radius: 10px;
+}
+
+.progress-bar-progress {
+    background-color: var(--progress-top);
+    height: 20px;
+    border-radius: 10px;
+}

static/style.css

@@ -16,6 +16,13 @@
     --error-red: #ef4444; /* Professional Red */
     --error-border-red: #e22d2d;
 
+    --warning-yellow: #fef08a;
+    --warning-border-yellow: #fde047;
+
+    --password-strength-weak: var(--error-red);
+    --password-strength-medium: var(--warning-border-yellow);
+    --password-strength-strong: #43ef6b;
+
     font-family: "Inter", sans-serif;
     -webkit-font-smoothing: antialiased;
 }
@@ -39,6 +46,10 @@ button:hover {
     background-color: var(--primary-hover);
 }
 
+button:focus {
+    outline: 2px solid var(--primary-accent);
+}
+
 input {
     padding: 12px;
     background-color: var(--bg-input);
@@ -47,6 +58,10 @@ input {
     border-radius: 6px;
 }
 
+input:focus {
+    outline: 2px solid var(--primary-accent);
+}
+
 input::placeholder {
     color: var(--text-muted);
 }
@@ -70,6 +85,47 @@ input::placeholder {
     height: 100%;
     z-index: 9999; /* higher = on top */
 
-    background-color: black;
+    backdrop-filter: blur(4px);
-    opacity: 10%;
+    background-color: rgba(0, 0, 0, 0.3);
+    pointer-events: all;
+}
+
+.dialouge_title {
+    font-size: 20px;
+    margin-bottom: 0px;
+    color: var(--text-main) !important;
+}
+
+.password_box {
+    position: relative;
+    display: inline-block;
+}
+
+.show_password_toggle {
+    width: 10px;
+    height: 10px;
+    position: absolute;
+    right: 5px;
+    bottom: 50%;
+    transform: translateY(50%);
+    background-size: contain;
+    background-repeat: no-repeat;
+    background-position: center;
+    background-color: rgba(0, 0, 0, 0);
+}
+
+.show_password_toggle.closed {
+    background-image: url("/static/images/closed_eye.png");
+}
+
+.show_password_toggle.open {
+    background-image: url("/static/images/filled_eye.png");
+}
+
+.show_password_toggle:hover {
+    background-color: rgba(0, 0, 0, 0);
+}
+
+.show_password_toggle:focus {
+    outline: none !important;
 }