feat: add profiles, public views, settings, and code quality fixes

Phase 3 — Profiles & Public Views:
- Public profile page (/u/{username}) with OG meta tags
- User settings page (display name, bio, visibility, default privacy)
- Avatar upload with image processing
- Password change from settings (verifies current password)
- Home page shows public fave feed for logged-in users
- Must-reset-password guard redirects to /reset-password
- Profile visibility: public (full) or limited (username only)

Code quality improvements from /simplify review:
- Fix signup request persistence bug (was silently discarding data)
- Fix health check to use configured listen address, not hardcoded :8080
- Add rate limiter cleanup goroutine (was leaking memory)
- Extract shared helpers: ClearSessionCookie, IsSecureRequest, scanTags,
  scanUserFrom (scanner interface), SignupRequestStore
- Replace hand-rolled joinPlaceholders with strings.Join
- Remove dead _method hidden field, redundant devMode field
- Simplify rate-limited route registration (remove double-mux)
- Log previously-swallowed errors (session delete, image delete)
- Stop leaking internal error messages to users in image upload

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

cmd/favoritter/main.go

@@ -115,6 +115,7 @@ func main() {
 		middleware.RequestLogger,
 		middleware.SessionLoader(sessions, users),
 		middleware.CSRFProtection(cfg),
+		middleware.MustResetPasswordGuard(cfg.BasePath),
 	)
 
 	srv := &http.Server{

internal/handler/auth.go

@@ -241,7 +241,28 @@ func (h *Handler) handleResetPasswordPost(w http.ResponseWriter, r *http.Request
 }
 
 func (h *Handler) handleHome(w http.ResponseWriter, r *http.Request) {
-	h.deps.Renderer.Page(w, r, "home", render.PageData{})
+	user := middleware.UserFromContext(r.Context())
+
+	var data map[string]any
+	if user != nil {
+		page := queryInt(r, "page", 1)
+		offset := (page - 1) * defaultPageSize
+		faves, total, err := h.deps.Faves.ListPublic(defaultPageSize, offset)
+		if err != nil {
+			slog.Error("list public faves error", "error", err)
+		} else {
+			h.deps.Faves.LoadTags(faves)
+			totalPages := (total + defaultPageSize - 1) / defaultPageSize
+			data = map[string]any{
+				"Faves":      faves,
+				"Page":       page,
+				"TotalPages": totalPages,
+				"Total":      total,
+			}
+		}
+	}
+
+	h.deps.Renderer.Page(w, r, "home", render.PageData{Data: data})
 }
 
 func (h *Handler) handleHealth(w http.ResponseWriter, r *http.Request) {

internal/handler/handler.go

@@ -103,5 +103,14 @@ func (h *Handler) Routes() *http.ServeMux {
 	mux.HandleFunc("GET /tags/search", h.handleTagSearch)
 	mux.HandleFunc("GET /tags/{name}", h.handleTagBrowse)
 
+	// Profiles.
+	mux.HandleFunc("GET /u/{username}", h.handlePublicProfile)
+
+	// User settings (authenticated).
+	mux.Handle("GET /settings", requireLogin(http.HandlerFunc(h.handleSettingsGet)))
+	mux.Handle("POST /settings", requireLogin(http.HandlerFunc(h.handleSettingsPost)))
+	mux.Handle("POST /settings/avatar", requireLogin(http.HandlerFunc(h.handleAvatarPost)))
+	mux.Handle("POST /settings/password", requireLogin(http.HandlerFunc(h.handleSettingsPasswordPost)))
+
 	return mux
 }

internal/handler/profile.go

@@ -0,0 +1,212 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package handler
+
+import (
+	"errors"
+	"log/slog"
+	"net/http"
+	"strings"
+
+	"kode.naiv.no/olemd/favoritter/internal/image"
+	"kode.naiv.no/olemd/favoritter/internal/middleware"
+	"kode.naiv.no/olemd/favoritter/internal/model"
+	"kode.naiv.no/olemd/favoritter/internal/render"
+	"kode.naiv.no/olemd/favoritter/internal/store"
+)
+
+// handlePublicProfile shows a user's public profile and their public faves.
+func (h *Handler) handlePublicProfile(w http.ResponseWriter, r *http.Request) {
+	username := r.PathValue("username")
+
+	profileUser, err := h.deps.Users.GetByUsername(username)
+	if err != nil {
+		if errors.Is(err, store.ErrUserNotFound) {
+			http.NotFound(w, r)
+			return
+		}
+		slog.Error("get user error", "error", err)
+		http.Error(w, "Internal error", http.StatusInternalServerError)
+		return
+	}
+
+	if profileUser.Disabled {
+		http.NotFound(w, r)
+		return
+	}
+
+	// Check if the viewing user is the profile owner.
+	viewer := middleware.UserFromContext(r.Context())
+	isOwner := viewer != nil && viewer.ID == profileUser.ID
+
+	page := queryInt(r, "page", 1)
+	offset := (page - 1) * defaultPageSize
+
+	var faves []*model.Fave
+	var total int
+
+	if isOwner {
+		faves, total, err = h.deps.Faves.ListByUser(profileUser.ID, defaultPageSize, offset)
+	} else {
+		faves, total, err = h.deps.Faves.ListPublicByUser(profileUser.ID, defaultPageSize, offset)
+	}
+	if err != nil {
+		slog.Error("list faves error", "error", err)
+		http.Error(w, "Internal error", http.StatusInternalServerError)
+		return
+	}
+
+	if err := h.deps.Faves.LoadTags(faves); err != nil {
+		slog.Error("load tags error", "error", err)
+	}
+
+	totalPages := (total + defaultPageSize - 1) / defaultPageSize
+
+	h.deps.Renderer.Page(w, r, "profile", render.PageData{
+		Title: profileUser.DisplayNameOrUsername() + " sine favoritter",
+		Data: map[string]any{
+			"ProfileUser": profileUser,
+			"IsOwner":     isOwner,
+			"IsLimited":   profileUser.ProfileVisibility == "limited" && !isOwner,
+			"Faves":       faves,
+			"Page":        page,
+			"TotalPages":  totalPages,
+			"Total":       total,
+		},
+	})
+}
+
+// handleSettingsGet shows the user settings page.
+func (h *Handler) handleSettingsGet(w http.ResponseWriter, r *http.Request) {
+	user := middleware.UserFromContext(r.Context())
+
+	h.deps.Renderer.Page(w, r, "settings", render.PageData{
+		Title: "Innstillinger",
+		Data: map[string]any{
+			"SettingsUser": user,
+		},
+	})
+}
+
+// handleSettingsPost processes the settings form.
+func (h *Handler) handleSettingsPost(w http.ResponseWriter, r *http.Request) {
+	user := middleware.UserFromContext(r.Context())
+
+	if err := r.ParseForm(); err != nil {
+		h.flash(w, r, "settings", "Ugyldig forespørsel.", "error", settingsData(user))
+		return
+	}
+
+	displayName := strings.TrimSpace(r.FormValue("display_name"))
+	bio := strings.TrimSpace(r.FormValue("bio"))
+	profileVisibility := r.FormValue("profile_visibility")
+	defaultFavePrivacy := r.FormValue("default_fave_privacy")
+
+	if profileVisibility != "public" && profileVisibility != "limited" {
+		profileVisibility = user.ProfileVisibility
+	}
+	if defaultFavePrivacy != "public" && defaultFavePrivacy != "private" {
+		defaultFavePrivacy = user.DefaultFavePrivacy
+	}
+
+	if err := h.deps.Users.UpdateProfile(user.ID, displayName, bio, profileVisibility, defaultFavePrivacy); err != nil {
+		slog.Error("update profile error", "error", err)
+		h.flash(w, r, "settings", "Noe gikk galt. Prøv igjen.", "error", settingsData(user))
+		return
+	}
+
+	h.flash(w, r, "settings", "Innstillingene er lagret.", "success", settingsData(user))
+}
+
+// handleSettingsPasswordPost handles password change from the settings page.
+func (h *Handler) handleSettingsPasswordPost(w http.ResponseWriter, r *http.Request) {
+	user := middleware.UserFromContext(r.Context())
+
+	if err := r.ParseForm(); err != nil {
+		h.flash(w, r, "settings", "Ugyldig forespørsel.", "error", settingsData(user))
+		return
+	}
+
+	currentPassword := r.FormValue("current_password")
+	newPassword := r.FormValue("new_password")
+	confirmPassword := r.FormValue("confirm_password")
+
+	// Verify current password.
+	if _, err := h.deps.Users.Authenticate(user.Username, currentPassword); err != nil {
+		h.flash(w, r, "settings", "Nåværende passord er feil.", "error", settingsData(user))
+		return
+	}
+
+	if len(newPassword) < 8 {
+		h.flash(w, r, "settings", "Nytt passord må være minst 8 tegn.", "error", settingsData(user))
+		return
+	}
+
+	if newPassword != confirmPassword {
+		h.flash(w, r, "settings", "Passordene er ikke like.", "error", settingsData(user))
+		return
+	}
+
+	if err := h.deps.Users.UpdatePassword(user.ID, newPassword); err != nil {
+		slog.Error("update password error", "error", err)
+		h.flash(w, r, "settings", "Noe gikk galt. Prøv igjen.", "error", settingsData(user))
+		return
+	}
+
+	// Invalidate other sessions, keep current one.
+	if delErr := h.deps.Sessions.DeleteAllForUser(user.ID); delErr != nil {
+		slog.Error("session cleanup error", "error", delErr)
+	}
+	token, err := h.deps.Sessions.Create(user.ID)
+	if err != nil {
+		slog.Error("session create error", "error", err)
+		http.Redirect(w, r, h.deps.Config.BasePath+"/login", http.StatusSeeOther)
+		return
+	}
+	h.setSessionCookie(w, r, token)
+
+	h.flash(w, r, "settings", "Passordet er endret.", "success", settingsData(user))
+}
+
+// handleAvatarPost handles avatar upload.
+func (h *Handler) handleAvatarPost(w http.ResponseWriter, r *http.Request) {
+	user := middleware.UserFromContext(r.Context())
+
+	if err := r.ParseMultipartForm(h.deps.Config.MaxUploadSize); err != nil {
+		h.flash(w, r, "settings", "Filen er for stor.", "error", settingsData(user))
+		return
+	}
+
+	file, header, err := r.FormFile("avatar")
+	if err != nil {
+		h.flash(w, r, "settings", "Velg et bilde å laste opp.", "error", settingsData(user))
+		return
+	}
+	defer file.Close()
+
+	result, err := image.Process(file, header, h.deps.Config.UploadDir)
+	if err != nil {
+		slog.Error("avatar process error", "error", err)
+		h.flash(w, r, "settings", "Kunne ikke behandle bildet. Sjekk at filen er et gyldig bilde.", "error", settingsData(user))
+		return
+	}
+
+	// Delete old avatar if there was one.
+	if user.AvatarPath != "" {
+		if delErr := image.Delete(h.deps.Config.UploadDir, user.AvatarPath); delErr != nil {
+			slog.Error("avatar delete error", "error", delErr)
+		}
+	}
+
+	if err := h.deps.Users.UpdateAvatar(user.ID, result.Filename); err != nil {
+		slog.Error("update avatar error", "error", err)
+		h.flash(w, r, "settings", "Noe gikk galt. Prøv igjen.", "error", settingsData(user))
+		return
+	}
+
+	h.flash(w, r, "settings", "Profilbildet er oppdatert.", "success", settingsData(user))
+}
+
+func settingsData(user *model.User) map[string]any {
+	return map[string]any{"SettingsUser": user}
+}

internal/middleware/resetguard.go

@@ -0,0 +1,33 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package middleware
+
+import (
+	"net/http"
+	"strings"
+)
+
+// MustResetPasswordGuard redirects users who must reset their password
+// to the reset page. Allows through: static assets, health, logout,
+// and the reset-password page itself.
+func MustResetPasswordGuard(basePath string) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			user := UserFromContext(r.Context())
+			if user != nil && user.MustResetPassword {
+				path := r.URL.Path
+				// Allow these paths through without redirect.
+				if path == "/reset-password" ||
+					path == "/logout" ||
+					path == "/health" ||
+					strings.HasPrefix(path, "/static/") {
+					next.ServeHTTP(w, r)
+					return
+				}
+				http.Redirect(w, r, basePath+"/reset-password", http.StatusSeeOther)
+				return
+			}
+			next.ServeHTTP(w, r)
+		})
+	}
+}

web/static/css/style.css

@@ -88,6 +88,23 @@
     vertical-align: middle;
 }
 
+/* Profile header */
+.profile-header {
+    display: flex;
+    align-items: center;
+    gap: 1.5rem;
+    margin-bottom: 1rem;
+}
+
+/* Avatar */
+.avatar-large {
+    width: 120px;
+    height: 120px;
+    border-radius: 50%;
+    object-fit: cover;
+    flex-shrink: 0;
+}
+
 /* Tag chips */
 .tag-chip {
     display: inline-block;

web/templates/pages/home.html

@@ -1,10 +1,59 @@
 {{define "content"}}
-<hgroup>
+{{if .User}}
-    <h1>Velkommen til {{.SiteName}}</h1>
+    <hgroup>
-    <p>Del dine favoritter med verden — eller behold dem for deg selv.</p>
+        <h1>Siste offentlige favoritter</h1>
-</hgroup>
+        <p>Se hva folk deler</p>
+    </hgroup>
 
-{{if not .User}}
+    {{with .Data}}
+        {{if .Faves}}
+            <div class="fave-grid" role="list">
+                {{range .Faves}}
+                    <article class="fave-card" role="listitem">
+                        {{if .ImagePath}}
+                            <img src="{{basePath}}/uploads/{{.ImagePath}}"
+                                 alt="Bilde for: {{.Description}}"
+                                 loading="lazy">
+                        {{end}}
+                        <header>
+                            <a href="{{basePath}}/faves/{{.ID}}">
+                                <strong>{{.Description}}</strong>
+                            </a>
+                            <small>av <a href="{{basePath}}/u/{{.Username}}">{{.DisplayName}}</a></small>
+                        </header>
+                        {{if .Tags}}
+                            <footer>
+                                {{range .Tags}}
+                                    <a href="{{basePath}}/tags/{{.Name}}" class="tag-chip">{{.Name}}</a>
+                                {{end}}
+                            </footer>
+                        {{end}}
+                    </article>
+                {{end}}
+            </div>
+
+            {{if gt .TotalPages 1}}
+                <nav aria-label="Sidenavigasjon">
+                    <ul>
+                        {{if gt .Page 1}}
+                            <li><a href="{{basePath}}/?page={{subtract .Page 1}}">← Forrige</a></li>
+                        {{end}}
+                        <li>Side {{.Page}} av {{.TotalPages}}</li>
+                        {{if lt .Page .TotalPages}}
+                            <li><a href="{{basePath}}/?page={{add .Page 1}}">Neste →</a></li>
+                        {{end}}
+                    </ul>
+                </nav>
+            {{end}}
+        {{else}}
+            <p>Ingen offentlige favoritter ennå. <a href="{{basePath}}/faves/new">Legg til din første!</a></p>
+        {{end}}
+    {{end}}
+{{else}}
+    <hgroup>
+        <h1>Velkommen til {{.SiteName}}</h1>
+        <p>Del dine favoritter med verden — eller behold dem for deg selv.</p>
+    </hgroup>
     <div class="grid">
         <a href="{{basePath}}/login" role="button">Logg inn</a>
         <a href="{{basePath}}/signup" role="button" class="outline">Registrer deg</a>

web/templates/pages/profile.html

@@ -0,0 +1,106 @@
+{{define "head"}}
+{{with .Data}}{{with .ProfileUser}}
+    {{if eq .ProfileVisibility "public"}}
+        <meta property="og:title" content="{{.DisplayNameOrUsername}} sine favoritter">
+        <meta property="og:type" content="profile">
+        {{if $.ExternalURL}}
+            <meta property="og:url" content="{{$.ExternalURL}}/u/{{.Username}}">
+            {{if .AvatarPath}}
+                <meta property="og:image" content="{{$.ExternalURL}}/uploads/{{.AvatarPath}}">
+            {{end}}
+        {{end}}
+        <meta property="og:site_name" content="{{$.SiteName}}">
+    {{end}}
+{{end}}{{end}}
+{{end}}
+
+{{define "content"}}
+{{with .Data}}
+    {{with .ProfileUser}}
+        <section class="profile-header">
+            {{if .AvatarPath}}
+                <img src="{{basePath}}/uploads/{{.AvatarPath}}"
+                     alt="Profilbilde for {{.DisplayNameOrUsername}}"
+                     class="avatar-large">
+            {{end}}
+            <hgroup>
+                <h1>{{.DisplayNameOrUsername}}</h1>
+                {{if and (ne .DisplayName "") (ne .DisplayName .Username)}}
+                    <p>@{{.Username}}</p>
+                {{end}}
+            </hgroup>
+        </section>
+
+        {{if not $.IsLimited}}
+            {{if .Bio}}
+                <p>{{.Bio}}</p>
+            {{end}}
+
+            <p><small>Medlem siden {{.CreatedAt.Format "02.01.2006"}}</small></p>
+
+            {{if $.IsOwner}}
+                <p>
+                    <a href="{{basePath}}/settings" role="button" class="outline">Rediger profil</a>
+                    <a href="{{basePath}}/faves/new" role="button">+ Ny favoritt</a>
+                </p>
+            {{end}}
+
+            <h2>
+                {{if $.IsOwner}}Favoritter{{else}}Offentlige favoritter{{end}}
+                <small>({{$.Total}})</small>
+            </h2>
+
+            {{if $.Faves}}
+                <div class="fave-grid" role="list">
+                    {{range $.Faves}}
+                        <article class="fave-card" role="listitem">
+                            {{if .ImagePath}}
+                                <img src="{{basePath}}/uploads/{{.ImagePath}}"
+                                     alt="Bilde for: {{.Description}}"
+                                     loading="lazy">
+                            {{end}}
+                            <header>
+                                <a href="{{basePath}}/faves/{{.ID}}">
+                                    <strong>{{.Description}}</strong>
+                                </a>
+                                {{if eq .Privacy "private"}}
+                                    <small class="badge-private" aria-label="Privat">Privat</small>
+                                {{end}}
+                            </header>
+                            {{if .Tags}}
+                                <footer>
+                                    {{range .Tags}}
+                                        <a href="{{basePath}}/tags/{{.Name}}" class="tag-chip">{{.Name}}</a>
+                                    {{end}}
+                                </footer>
+                            {{end}}
+                        </article>
+                    {{end}}
+                </div>
+
+                {{if gt $.TotalPages 1}}
+                    <nav aria-label="Sidenavigasjon">
+                        <ul>
+                            {{if gt $.Page 1}}
+                                <li><a href="{{basePath}}/u/{{.Username}}?page={{subtract $.Page 1}}">← Forrige</a></li>
+                            {{end}}
+                            <li>Side {{$.Page}} av {{$.TotalPages}}</li>
+                            {{if lt $.Page $.TotalPages}}
+                                <li><a href="{{basePath}}/u/{{.Username}}?page={{add $.Page 1}}">Neste →</a></li>
+                            {{end}}
+                        </ul>
+                    </nav>
+                {{end}}
+            {{else}}
+                {{if $.IsOwner}}
+                    <p>Du har ingen favoritter ennå. <a href="{{basePath}}/faves/new">Legg til din første!</a></p>
+                {{else}}
+                    <p>Ingen offentlige favoritter ennå.</p>
+                {{end}}
+            {{end}}
+        {{else}}
+            <p><small>Denne profilen har begrenset synlighet.</small></p>
+        {{end}}
+    {{end}}
+{{end}}
+{{end}}

web/templates/pages/settings.html

@@ -0,0 +1,95 @@
+{{define "head"}}
+<meta name="robots" content="noindex">
+{{end}}
+
+{{define "content"}}
+{{with .Data}}{{with .SettingsUser}}
+<h1>Innstillinger</h1>
+
+<article>
+    <h2>Profil</h2>
+    <form method="POST" action="{{basePath}}/settings">
+        <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
+        <label for="display_name">
+            Visningsnavn
+            <input type="text" id="display_name" name="display_name"
+                   value="{{.DisplayName}}" maxlength="50"
+                   placeholder="Vises i stedet for brukernavnet">
+        </label>
+        <label for="bio">
+            Om meg
+            <textarea id="bio" name="bio" rows="3" maxlength="500"
+                      placeholder="Kort om deg selv">{{.Bio}}</textarea>
+        </label>
+        <fieldset>
+            <legend>Profilsynlighet</legend>
+            <label>
+                <input type="radio" name="profile_visibility" value="public"
+                       {{if eq .ProfileVisibility "public"}}checked{{end}}>
+                Offentlig — visningsnavn, bio og favoritter synlig for alle
+            </label>
+            <label>
+                <input type="radio" name="profile_visibility" value="limited"
+                       {{if eq .ProfileVisibility "limited"}}checked{{end}}>
+                Begrenset — bare brukernavn synlig
+            </label>
+        </fieldset>
+        <fieldset>
+            <legend>Standard synlighet for nye favoritter</legend>
+            <label>
+                <input type="radio" name="default_fave_privacy" value="public"
+                       {{if eq .DefaultFavePrivacy "public"}}checked{{end}}>
+                Offentlig
+            </label>
+            <label>
+                <input type="radio" name="default_fave_privacy" value="private"
+                       {{if eq .DefaultFavePrivacy "private"}}checked{{end}}>
+                Privat
+            </label>
+        </fieldset>
+        <button type="submit">Lagre profil</button>
+    </form>
+</article>
+
+<article>
+    <h2>Profilbilde</h2>
+    {{if .AvatarPath}}
+        <img src="{{basePath}}/uploads/{{.AvatarPath}}"
+             alt="Nåværende profilbilde"
+             class="avatar-large">
+    {{end}}
+    <form method="POST" action="{{basePath}}/settings/avatar" enctype="multipart/form-data">
+        <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
+        <label for="avatar">
+            Last opp nytt profilbilde
+            <input type="file" id="avatar" name="avatar"
+                   accept="image/jpeg,image/png,image/gif,image/webp">
+        </label>
+        <button type="submit">Last opp</button>
+    </form>
+</article>
+
+<article>
+    <h2>Endre passord</h2>
+    <form method="POST" action="{{basePath}}/settings/password">
+        <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
+        <label for="current_password">
+            Nåværende passord
+            <input type="password" id="current_password" name="current_password" required
+                   autocomplete="current-password">
+        </label>
+        <label for="new_password">
+            Nytt passord
+            <input type="password" id="new_password" name="new_password" required
+                   autocomplete="new-password" minlength="8">
+        </label>
+        <label for="confirm_password">
+            Bekreft nytt passord
+            <input type="password" id="confirm_password" name="confirm_password" required
+                   autocomplete="new-password">
+        </label>
+        <button type="submit">Endre passord</button>
+    </form>
+</article>
+{{end}}{{end}}
+{{end}}