Merge remote-tracking branch 'origin/main' into modal

Author: github-actions[bot]

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "fastapi-jinja2-postgres-webapp"
-version = "0.1.16"
+version = "0.1.17"
 description = "A template webapp with a pure-Python FastAPI backend, frontend templating with Jinja2, and a Postgres database to power user auth"
 readme = "README.md"
 package-mode = false

routers/core/account.py

@@ -743,7 +743,10 @@ async def add_email(
     message = "Verification email sent. Check your inbox." if sent else "A verification email was already sent. Please check your inbox."
 
     if is_htmx_request(request):
-        return toast_response(request, templates, message, level="success")
+        return toast_response(
+            request, templates, message, level="success",
+            headers={"HX-Trigger": "addEmailFormReset"},
+        )
     profile_path: URLPath = user_router.url_path_for("read_profile")
     response = RedirectResponse(url=str(profile_path), status_code=303)
     set_flash_cookie(response, message)
@@ -753,11 +756,14 @@ async def add_email(
 @router.get("/emails/verify")
 async def verify_email(
     token: str,
-    tokens: tuple[Optional[str], Optional[str]] = Depends(oauth2_scheme_cookie),
     session: Session = Depends(get_session),
 ):
     """
     Verify a new email address using the token from the verification link.
+
+    Always redirects to the login page because verification links are clicked
+    from an email client (cross-site navigation), so samesite=strict auth
+    cookies are never sent — even when the user has an active session.
     """
     account, verification_token = get_account_from_email_verification_token(token, session)
 
@@ -791,22 +797,9 @@ async def verify_email(
     # Send notification to primary email
     send_email_verified_notification(account.email, verification_token.new_email)
 
-    message = "Email address verified and added to your account."
-
-    # Lightweight auth check: just validate the access token to decide redirect target.
-    # We avoid get_optional_user here because it triggers NeedsNewTokens (token rotation)
-    # which would interrupt the verification flow before the route body runs.
-    access_token, _ = tokens
-    is_authenticated = access_token and validate_token(access_token, token_type="access") is not None
-
-    if is_authenticated:
-        profile_path: URLPath = user_router.url_path_for("read_profile")
-        response = RedirectResponse(url=str(profile_path), status_code=303)
-    else:
-        login_path: URLPath = router.url_path_for("read_login")
-        response = RedirectResponse(url=str(login_path), status_code=303)
-
-    set_flash_cookie(response, message)
+    login_path: URLPath = router.url_path_for("read_login")
+    response = RedirectResponse(url=str(login_path), status_code=303)
+    set_flash_cookie(response, "Email address verified and added to your account.")
     return response
 
 

routers/core/user.py

@@ -54,16 +54,14 @@ async def read_profile(
 ):
     # Load account emails
     account_emails = session.exec(
-        select(AccountEmail).where(AccountEmail.account_id == user.account_id)
+        select(AccountEmail)
+        .where(AccountEmail.account_id == user.account_id)
+        .order_by(AccountEmail.is_primary.desc())  # type: ignore[union-attr]
     ).all() if user.account_id else []
 
     return templates.TemplateResponse(
         request,
         "users/profile.html", {
-            "max_file_size_mb": MAX_FILE_SIZE / (1024 * 1024),  # Convert bytes to MB
-            "min_dimension": MIN_DIMENSION,
-            "max_dimension": MAX_DIMENSION,
-            "allowed_formats": list(ALLOWED_CONTENT_TYPES.keys()),
             "show_form": show_form == "true",
             "user": user,
             "account_emails": account_emails,
@@ -72,6 +70,40 @@ async def read_profile(
     )
 
 
+@router.get("/edit-form")
+async def edit_profile_form(
+    request: Request,
+    user: User = Depends(get_authenticated_user),
+):
+    if not is_htmx_request(request):
+        return RedirectResponse(url=router.url_path_for("read_profile"), status_code=303)
+    return templates.TemplateResponse(
+        request,
+        "users/partials/profile_form.html",
+        {
+            "user": user,
+            "max_file_size_mb": MAX_FILE_SIZE / (1024 * 1024),
+            "min_dimension": MIN_DIMENSION,
+            "max_dimension": MAX_DIMENSION,
+            "allowed_formats": list(ALLOWED_CONTENT_TYPES.keys()),
+        },
+    )
+
+
+@router.get("/profile-display")
+async def profile_display(
+    request: Request,
+    user: User = Depends(get_authenticated_user),
+):
+    if not is_htmx_request(request):
+        return RedirectResponse(url=router.url_path_for("read_profile"), status_code=303)
+    return templates.TemplateResponse(
+        request,
+        "users/partials/profile_display.html",
+        {"user": user},
+    )
+
+
 @router.post("/update", response_class=RedirectResponse)
 async def update_profile(
     request: Request,
@@ -80,8 +112,10 @@ async def update_profile(
     user: User = Depends(get_authenticated_user),
     session: Session = Depends(get_session)
 ):
+    avatar_changed = bool(avatar_file and avatar_file.filename)
+
     # Handle avatar update
-    if avatar_file and avatar_file.filename:
+    if avatar_changed:
         avatar_data = await avatar_file.read()
         avatar_content_type = avatar_file.content_type
 
@@ -107,18 +141,17 @@ async def update_profile(
     session.refresh(user)
 
     if is_htmx_request(request):
+        if avatar_changed:
+            # Avatar affects the navbar, which is outside the swap target.
+            # Tell HTMX to do a full page refresh so everything updates.
+            response = Response(status_code=200)
+            response.headers["HX-Refresh"] = "true"
+            return response
         response = templates.TemplateResponse(
             request,
             "users/partials/profile_display.html",
-            {
-                "user": user,
-                "max_file_size_mb": MAX_FILE_SIZE / (1024 * 1024),
-                "min_dimension": MIN_DIMENSION,
-                "max_dimension": MAX_DIMENSION,
-                "allowed_formats": list(ALLOWED_CONTENT_TYPES.keys()),
-            },
+            {"user": user},
         )
-        response.headers["HX-Trigger"] = "profileUpdated"
         return append_toast(response, request, templates, "Profile updated successfully.")
     return RedirectResponse(url=router.url_path_for("read_profile"), status_code=303)
 

templates/base/partials/header.html

@@ -37,7 +37,7 @@
                     <a class="nav-link dropdown-toggle" href="#" id="navbarDropdown" role="button" data-bs-toggle="dropdown" aria-expanded="false">
                         <button class="profile-button btn p-0 border-0 bg-transparent">
                             {% if user.avatar %}
-                                <img src="{{ url_for('get_avatar') }}" alt="User Avatar" class="d-inline-block align-top" width="30" height="30" style="border-radius: 50%;">
+                                <img src="{{ url_for('get_avatar') }}?v={{ range(1000000)|random }}" alt="User Avatar" class="d-inline-block align-top" width="30" height="30" style="border-radius: 50%;">
                             {% else %}
                                 {{ render_silhouette() }}
                             {% endif %}

templates/users/partials/profile_display.html

@@ -1,16 +1,20 @@
-{# Partial: profile display card body. Swapped into #profile-display. #}
+{# Partial: profile display card. Swapped into #profile-card. #}
 {% from 'base/macros/silhouette.html' import render_silhouette %}
-<p><strong>Name:</strong> {{ user.name }}</p>
-<p><strong>Email:</strong> {{ user.account.email }}</p>
-<div class="mb-3">
-    {% if user.avatar %}
-        <img src="{{ url_for('get_avatar') }}" alt="User Avatar" class="img-thumbnail" width="150">
-    {% else %}
-        {{ render_silhouette(width=150, height=150) }}
-    {% endif %}
+<div class="card-header">
+    Basic Information
 </div>
-<button class="btn btn-primary mt-3" onclick="toggleEditProfile()">Edit</button>
-
-<div id="profile-form" hx-swap-oob="innerHTML">
-    {% include 'users/partials/profile_form.html' %}
+<div class="card-body">
+    <p><strong>Name:</strong> {{ user.name }}</p>
+    <p><strong>Email:</strong> {{ user.account.email }}</p>
+    <div class="mb-3">
+        {% if user.avatar %}
+            <img src="{{ url_for('get_avatar') }}?v={{ range(1000000)|random }}" alt="User Avatar" class="img-thumbnail" width="150">
+        {% else %}
+            {{ render_silhouette(width=150, height=150) }}
+        {% endif %}
+    </div>
+    <button class="btn btn-primary mt-3"
+            hx-get="{{ url_for('edit_profile_form') }}"
+            hx-target="#profile-card"
+            hx-swap="innerHTML">Edit</button>
 </div>

templates/users/partials/profile_form.html

@@ -1,25 +1,79 @@
-{# Partial: profile edit form card body. Swapped into #profile-form. #}
-<form action="{{ url_for('update_profile') }}" method="post" enctype="multipart/form-data"
-      hx-post="{{ url_for('update_profile') }}"
-      hx-target="#profile-display"
-      hx-swap="innerHTML"
-      hx-encoding="multipart/form-data">
-    <div class="mb-3">
-        <label for="name" class="form-label">Name</label>
-        <input type="text" class="form-control" id="name" name="name" value="{{ user.name }}">
-    </div>
-    <div class="mb-3">
-        <label for="avatar_file" class="form-label">Avatar</label>
-        <input type="file" class="form-control" id="avatar_file" name="avatar_file" accept="image/*">
-        <div class="form-text">
-            <ul class="mb-0">
-                <li>Maximum file size: {{ max_file_size_mb }} MB</li>
-                <li>Minimum dimension: {{ min_dimension }}x{{ min_dimension }} pixels</li>
-                <li>Maximum dimension: {{ max_dimension }}x{{ max_dimension }} pixels</li>
-                <li>Allowed formats: {{ allowed_formats|join(', ') }}</li>
-                <li>Image will be cropped to a square</li>
-            </ul>
+{# Partial: profile edit form card. Swapped into #profile-card. #}
+<div class="card-header">
+    Edit Profile
+</div>
+<div class="card-body">
+    <form action="{{ url_for('update_profile') }}" method="post" enctype="multipart/form-data"
+          hx-post="{{ url_for('update_profile') }}"
+          hx-target="#profile-card"
+          hx-swap="innerHTML"
+          hx-encoding="multipart/form-data">
+        <div class="mb-3">
+            <label for="name" class="form-label">Name</label>
+            <input type="text" class="form-control" id="name" name="name" value="{{ user.name }}">
         </div>
-    </div>
-    <button type="submit" class="btn btn-primary">Save Changes</button>
-</form>
+        <div class="mb-3">
+            <label for="avatar_file" class="form-label">Avatar</label>
+            <input type="file" class="form-control" id="avatar_file" name="avatar_file" accept="image/*"
+                   data-max-size-mb="{{ max_file_size_mb }}"
+                   data-min-dim="{{ min_dimension }}"
+                   data-max-dim="{{ max_dimension }}"
+                   data-allowed-formats="{{ allowed_formats|join(',') }}">
+            <div class="form-text">
+                <ul class="mb-0">
+                    <li>Maximum file size: {{ max_file_size_mb }} MB</li>
+                    <li>Minimum dimension: {{ min_dimension }}x{{ min_dimension }} pixels</li>
+                    <li>Maximum dimension: {{ max_dimension }}x{{ max_dimension }} pixels</li>
+                    <li>Allowed formats: {{ allowed_formats|join(', ') }}</li>
+                    <li>Image will be cropped to a square</li>
+                </ul>
+            </div>
+        </div>
+        <button type="submit" class="btn btn-primary">Save Changes</button>
+        <button type="button" class="btn btn-secondary ms-2"
+                hx-get="{{ url_for('profile_display') }}"
+                hx-target="#profile-card"
+                hx-swap="innerHTML">Cancel</button>
+    </form>
+</div>
+<script>
+    document.getElementById('avatar_file').addEventListener('change', function(e) {
+        var file = e.target.files[0];
+        if (!file) return;
+
+        var maxSizeMB = parseFloat(this.dataset.maxSizeMb);
+        var minDim = parseInt(this.dataset.minDim);
+        var maxDim = parseInt(this.dataset.maxDim);
+        var allowedFormats = this.dataset.allowedFormats.split(',');
+
+        var fileSizeMB = file.size / (1024 * 1024);
+        if (fileSizeMB > maxSizeMB) {
+            showToast('File size must be less than ' + maxSizeMB + 'MB', 'danger');
+            this.value = '';
+            return;
+        }
+
+        if (allowedFormats.indexOf(file.type) === -1) {
+            showToast('File format must be one of: ' + allowedFormats.join(', '), 'danger');
+            this.value = '';
+            return;
+        }
+
+        var input = this;
+        var img = new Image();
+        img.src = URL.createObjectURL(file);
+        img.onload = function() {
+            URL.revokeObjectURL(this.src);
+            if (this.width < minDim || this.height < minDim) {
+                showToast('Image dimensions must be at least ' + minDim + 'x' + minDim + ' pixels', 'danger');
+                input.value = '';
+                return;
+            }
+            if (this.width > maxDim || this.height > maxDim) {
+                showToast('Image dimensions must not exceed ' + maxDim + 'x' + maxDim + ' pixels', 'danger');
+                input.value = '';
+                return;
+            }
+        };
+    });
+</script>