From 0ef54c31f874d9bbb374f3398629bc31251c0f2b Mon Sep 17 00:00:00 2001
From: mirivlad <mirvtop@yandex.ru>
Date: Mon, 1 Jun 2026 23:40:48 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20user=20web=20GUI=20=E2=80=94=20login,?=
 =?UTF-8?q?=20dashboard=20with=20devices/keys,=20logout?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 cmd/verstak-server/server.go | 207 +++++++++++++++++++++++++++++++++++
 1 file changed, 207 insertions(+)

diff --git a/cmd/verstak-server/server.go b/cmd/verstak-server/server.go
index 3c61cb6..222ff44 100644
--- a/cmd/verstak-server/server.go
+++ b/cmd/verstak-server/server.go
@@ -324,6 +324,9 @@ func (s *Server) routes() *http.ServeMux {
 	mux.HandleFunc("/api/v1/auth/forgot", s.handleForgot)
 	mux.HandleFunc("/api/v1/auth/reset", s.handleReset)
 	mux.HandleFunc("/api/v1/user/devices", s.handleUserDevices)
+	mux.HandleFunc("/login", s.handleUserWebLogin)
+	mux.HandleFunc("/dashboard", s.handleUserDashboard)
+	mux.HandleFunc("/logout", s.handleUserWebLogout)
 	mux.HandleFunc("/admin/login", s.handleAdminLogin)
 	mux.HandleFunc("/admin/dashboard", s.handleAdminDashboard)
 	mux.HandleFunc("/admin/", s.handleAdminAPI)
@@ -1020,6 +1023,185 @@ func (s *Server) handleBlobs(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+// ============================================================
+// User web GUI
+// ============================================================
+
+func (s *Server) requireUserWeb(w http.ResponseWriter, r *http.Request) (string, bool) {
+	cookie, err := r.Cookie("user_session")
+	if err != nil {
+		http.Redirect(w, r, "/login", http.StatusFound)
+		return "", false
+	}
+	userID, ok := s.userTokens.Check(cookie.Value)
+	if !ok {
+		http.Redirect(w, r, "/login", http.StatusFound)
+		return "", false
+	}
+	return userID, true
+}
+
+func (s *Server) handleUserWebLogin(w http.ResponseWriter, r *http.Request) {
+	switch r.Method {
+	case "GET":
+		w.Header().Set("Content-Type", "text/html; charset=utf-8")
+		w.Write([]byte(userLoginHTML))
+	case "POST":
+		if err := r.ParseForm(); err != nil {
+			jsonErr(w, 400, "bad form")
+			return
+		}
+		username := r.FormValue("username")
+		password := r.FormValue("password")
+		var userID, hash string
+		var confirmed int
+		err := s.db.QueryRow("SELECT id, password_hash, confirmed FROM server_users WHERE username=? OR email=?",
+			username, strings.ToLower(username)).Scan(&userID, &hash, &confirmed)
+		if err != nil || confirmed == 0 || bcrypt.CompareHashAndPassword([]byte(hash), []byte(password)) != nil {
+			w.Header().Set("Content-Type", "text/html; charset=utf-8")
+			w.WriteHeader(401)
+			w.Write([]byte("<html><body><h1>401 Unauthorized</h1><a href='/login'>Try again</a></body></html>"))
+			return
+		}
+		tok := s.userTokens.Create(userID)
+		http.SetCookie(w, &http.Cookie{
+			Name: "user_session", Value: tok, Path: "/",
+			HttpOnly: true, SameSite: http.SameSiteLaxMode,
+			MaxAge: 86400,
+		})
+		http.Redirect(w, r, "/dashboard", http.StatusFound)
+	default:
+		jsonErr(w, 405, "method not allowed")
+	}
+}
+
+func (s *Server) handleUserDashboard(w http.ResponseWriter, r *http.Request) {
+	userID, ok := s.requireUserWeb(w, r)
+	if !ok {
+		return
+	}
+	// Get username.
+	var username string
+	s.db.QueryRow("SELECT username FROM server_users WHERE id=?", userID).Scan(&username)
+
+	// Get devices.
+	rows, err := s.db.Query(`
+		SELECT d.id, d.name, d.api_key, d.last_seen, d.created_at
+		FROM server_devices d
+		JOIN server_user_devices ud ON ud.device_id = d.id
+		WHERE ud.user_id = ?
+		ORDER BY d.created_at`, userID)
+	if err != nil {
+		jsonErr(w, 500, err.Error())
+		return
+	}
+	defer rows.Close()
+
+	type dev struct {
+		ID, Name, APIKey, LastSeen, CreatedAt string
+	}
+	var devices []dev
+	for rows.Next() {
+		var d dev
+		var lastSeen sql.NullString
+		if err := rows.Scan(&d.ID, &d.Name, &d.APIKey, &lastSeen, &d.CreatedAt); err != nil {
+			continue
+		}
+		d.LastSeen = lastSeen.String
+		devices = append(devices, d)
+	}
+
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	// Build device rows HTML.
+	deviceRows := ""
+	if len(devices) == 0 {
+		deviceRows = "<tr><td colspan='4' style='color:#666;text-align:center;padding:24px'>Нет подключённых устройств</td></tr>"
+	} else {
+		for _, d := range devices {
+			lastSeen := d.LastSeen
+			if lastSeen == "" {
+				lastSeen = "—"
+			}
+			escKey := strings.ReplaceAll(d.APIKey, "'", "\\'")
+			deviceRows += fmt.Sprintf(`<tr>
+				<td>%s</td>
+				<td class="key-cell" title="%s">%s</td>
+				<td>%s</td>
+				<td>
+					<button class="btn copy-btn" onclick="copyKey('%s',this)">Копировать</button>
+					<button class="btn btn-danger" onclick="delDevice('%s')">Отключить</button>
+				</td>
+			</tr>`, d.Name, d.APIKey, d.APIKey, lastSeen, escKey, d.ID)
+		}
+	}
+
+	html := fmt.Sprintf(`<!DOCTYPE html>
+<html lang="ru">
+<head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">
+<title>Verstak Sync — %s</title>
+<style>
+body{font-family:sans-serif;background:#13131f;color:#e4e4ef;padding:24px;max-width:800px;margin:0 auto}
+h1{border-bottom:1px solid #2a2a3c;padding-bottom:12px}
+h2{margin-top:24px;font-size:16px}
+table{width:100%;border-collapse:collapse;margin-top:8px}
+th,td{text-align:left;padding:8px 12px;border-bottom:1px solid #2a2a3c}
+th{font-size:12px;color:#888;text-transform:uppercase}
+.key-cell{max-width:300px;overflow:hidden;text-overflow:ellipsis;font-family:monospace;font-size:12px;color:#b0b0c0}
+.btn{font-family:inherit;font-size:12px;padding:6px 12px;border-radius:6px;border:1px solid #2a2a3c;background:#1a1a28;color:#ccc;cursor:pointer;display:inline-flex;align-items:center;gap:4px}
+.btn:hover{background:#222233}
+.btn-primary{background:#6366f1;border-color:#6366f1;color:#fff}
+.btn-primary:hover{background:#4f46e5}
+.btn-danger{color:#ff6b6b;border-color:#4a2222}
+.btn-danger:hover{background:#3a2222}
+.copy-btn{padding:2px 8px;font-size:11px}
+input{font-family:inherit;font-size:14px;padding:8px 12px;border:1px solid #2a2a3c;background:#13131f;color:#e4e4ef;border-radius:6px;margin-right:8px;flex:1}
+input:focus{outline:none;border-color:#6366f1}
+.top{display:flex;justify-content:space-between;align-items:center}
+a{color:#6366f1}
+</style>
+</head><body>
+<div class="top">
+<h1>Verstak Sync</h1>
+<span>%s · <a href="/logout">Выйти</a></span>
+</div>
+<h2>Устройства</h2>
+<table><tr><th>Устройство</th><th>API-ключ</th><th>Последняя активность</th><th></th></tr>%s</table>
+
+<h2>Новое устройство</h2>
+<form action="/api/v1/device/register" method="POST" style="display:flex;gap:8px;margin-top:8px"
+      onsubmit="event.preventDefault();var f=this;fetch('/api/v1/device/register',{method:'POST',headers:{'Content-Type':'application/json'},body:JSON.stringify({name:f.name.value,username:'%s',password:document.getElementById('regpass').value})}).then(r=>r.json()).then(d=>{if(d.api_key){f.name.value='';location.reload()}else{alert(d.error||'error')}})">
+<input name="name" placeholder="Название устройства" required>
+<input type="hidden" id="regpass" value="">
+<button class="btn btn-primary" type="button" onclick="var p=prompt('Ваш пароль:');if(p){document.getElementById('regpass').value=p;this.form.requestSubmit()}">Подключить</button>
+</form>
+<script>
+function copyKey(key,btn){
+  navigator.clipboard.writeText(key).then(()=>{
+    var old=btn.textContent;btn.textContent='Скопировано';btn.style.color='#4ade80'
+    setTimeout(function(){btn.textContent=old;btn.style.color=''},1500)
+  })
+}
+function delDevice(id){
+  if(!confirm('Отключить устройство?'))return
+  fetch('/admin/api/keys/'+id,{method:'DELETE'}).then(()=>location.reload())
+}
+</script>
+</body></html>`, username, username, deviceRows, username)
+	w.Write([]byte(html))
+}
+
+func (s *Server) handleUserWebLogout(w http.ResponseWriter, r *http.Request) {
+	http.SetCookie(w, &http.Cookie{
+		Name: "user_session", Value: "", Path: "/",
+		HttpOnly: true, MaxAge: -1,
+	})
+	http.Redirect(w, r, "/login", http.StatusFound)
+}
+
+// ============================================================
+// Admin handlers
+// ============================================================
+
 func (s *Server) handleAdminLogin(w http.ResponseWriter, r *http.Request) {
 	switch r.Method {
 	case "GET":
@@ -1232,6 +1414,31 @@ func (s *Server) handleAdminAPI(w http.ResponseWriter, r *http.Request) {
 // Embedded admin login HTML
 // ============================================================
 
+const userLoginHTML = `<!DOCTYPE html>
+<html lang="ru">
+<head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">
+<title>Verstak Sync — Вход</title>
+<style>body{font-family:sans-serif;background:#13131f;color:#e4e4ef;display:flex;justify-content:center;align-items:center;height:100vh;margin:0}
+form{background:#1a1a28;border:1px solid #2a2a3c;border-radius:12px;padding:32px;width:320px}
+h1{font-size:20px;margin:0 0 20px;text-align:center}
+p{text-align:center;font-size:12px;color:#666;margin-top:16px}
+a{color:#6366f1}
+label{display:block;font-size:12px;color:#888;margin-bottom:4px}
+input{width:100%;padding:8px 12px;border:1px solid #2a2a3c;background:#13131f;color:#e4e4ef;border-radius:6px;font-size:14px;margin-bottom:16px;box-sizing:border-box}
+button{width:100%;padding:10px;background:#6366f1;color:#fff;border:none;border-radius:6px;font-size:14px;cursor:pointer}
+button:hover{background:#4f46e5}</style>
+</head><body>
+<form method="POST">
+<h1>Verstak Sync</h1>
+<label>Логин или Email</label>
+<input type="text" name="username" autofocus required>
+<label>Пароль</label>
+<input type="password" name="password" required>
+<button>Войти</button>
+<p><a href="/admin/login">Администратор?</a></p>
+</form>
+</body></html>`
+
 const adminLoginHTML = `<!DOCTYPE html>
 <html lang="ru">
 <head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1">