From 9c3ca14578839848ee2aafe812932a9c92bd9f3f Mon Sep 17 00:00:00 2001
From: Ole-Morten Duesund <olemd@glemt.net>
Date: Sat, 4 Apr 2026 00:17:38 +0200
Subject: [PATCH 1/3] fix: resolve tag autocomplete click bug and display name
 fallback

Tag autocomplete suggestions were silently broken by CSP (script-src
'self') which blocks inline event handlers. Replaced onclick attributes
with data-tag-name + delegated mousedown/touchend listeners in app.js.
Also changed hx-params="*" to hx-params="none" to avoid sending
unrelated form fields to the search endpoint.

Display name in "av <name>" on fave cards was empty for users without
a custom display name. Changed SQL queries to use
COALESCE(NULLIF(u.display_name, ''), u.username) for automatic fallback.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 internal/store/fave.go                      | 10 ++++-----
 web/static/js/app.js                        | 24 +++++++++++++++++++--
 web/templates/pages/fave_form.html          |  2 +-
 web/templates/partials/tag_suggestions.html |  2 +-
 4 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/internal/store/fave.go b/internal/store/fave.go
index b429581..70d9613 100644
--- a/internal/store/fave.go
+++ b/internal/store/fave.go
@@ -43,7 +43,7 @@ func (s *FaveStore) GetByID(id int64) (*model.Fave, error) {
 	var createdAt, updatedAt string
 	err := s.db.QueryRow(
 		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.privacy,
-			f.created_at, f.updated_at, u.username, u.display_name
+			f.created_at, f.updated_at, u.username, COALESCE(NULLIF(u.display_name, ''), u.username)
 		FROM faves f
 		JOIN users u ON u.id = f.user_id
 		WHERE f.id = ?`, id,
@@ -97,7 +97,7 @@ func (s *FaveStore) ListByUser(userID int64, limit, offset int) ([]*model.Fave,
 
 	rows, err := s.db.Query(
 		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.privacy,
-			f.created_at, f.updated_at, u.username, u.display_name
+			f.created_at, f.updated_at, u.username, COALESCE(NULLIF(u.display_name, ''), u.username)
 		FROM faves f
 		JOIN users u ON u.id = f.user_id
 		WHERE f.user_id = ?
@@ -126,7 +126,7 @@ func (s *FaveStore) ListPublicByUser(userID int64, limit, offset int) ([]*model.
 
 	rows, err := s.db.Query(
 		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.privacy,
-			f.created_at, f.updated_at, u.username, u.display_name
+			f.created_at, f.updated_at, u.username, COALESCE(NULLIF(u.display_name, ''), u.username)
 		FROM faves f
 		JOIN users u ON u.id = f.user_id
 		WHERE f.user_id = ? AND f.privacy = 'public'
@@ -153,7 +153,7 @@ func (s *FaveStore) ListPublic(limit, offset int) ([]*model.Fave, int, error) {
 
 	rows, err := s.db.Query(
 		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.privacy,
-			f.created_at, f.updated_at, u.username, u.display_name
+			f.created_at, f.updated_at, u.username, COALESCE(NULLIF(u.display_name, ''), u.username)
 		FROM faves f
 		JOIN users u ON u.id = f.user_id
 		WHERE f.privacy = 'public'
@@ -185,7 +185,7 @@ func (s *FaveStore) ListByTag(tagName string, limit, offset int) ([]*model.Fave,
 
 	rows, err := s.db.Query(
 		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.privacy,
-			f.created_at, f.updated_at, u.username, u.display_name
+			f.created_at, f.updated_at, u.username, COALESCE(NULLIF(u.display_name, ''), u.username)
 		FROM faves f
 		JOIN users u ON u.id = f.user_id
 		JOIN fave_tags ft ON ft.fave_id = f.id
diff --git a/web/static/js/app.js b/web/static/js/app.js
index a1d061c..3e5e40b 100644
--- a/web/static/js/app.js
+++ b/web/static/js/app.js
@@ -70,6 +70,26 @@
     // --- Tag autocomplete combobox pattern ---
     var activeIndex = -1;
 
+    // Delegated event handler for tag suggestion selection.
+    // Uses mousedown (not click) to fire before blur removes the element.
+    // Uses touchend for mobile support. Both prevent default to keep
+    // the tags input focused. Inline handlers (onclick/onmousedown) are
+    // blocked by CSP script-src 'self', so we must use addEventListener.
+    document.addEventListener("mousedown", function (event) {
+        var li = event.target.closest("[data-tag-name]");
+        if (li) {
+            event.preventDefault();
+            addTag(null, li.getAttribute("data-tag-name"));
+        }
+    });
+    document.addEventListener("touchend", function (event) {
+        var li = event.target.closest("[data-tag-name]");
+        if (li) {
+            event.preventDefault();
+            addTag(null, li.getAttribute("data-tag-name"));
+        }
+    });
+
     // Handle keyboard navigation in the tag suggestions listbox.
     document.addEventListener("keydown", function (event) {
         var input = document.getElementById("tags");
@@ -152,7 +172,7 @@
     }
 
     // Add a selected tag to the tag input.
-    window.addTag = function (element, tagName) {
+    function addTag(element, tagName) {
         var input = document.getElementById("tags");
         if (!input) return;
 
@@ -162,7 +182,7 @@
         input.focus();
 
         closeSuggestions();
-    };
+    }
 
     function getCookie(name) {
         var match = document.cookie.match(new RegExp("(^| )" + name + "=([^;]+)"));
diff --git a/web/templates/pages/fave_form.html b/web/templates/pages/fave_form.html
index d1e08d8..5dcc665 100644
--- a/web/templates/pages/fave_form.html
+++ b/web/templates/pages/fave_form.html
@@ -64,7 +64,7 @@
                        hx-get="{{basePath}}/tags/search"
                        hx-trigger="keyup changed delay:300ms"
                        hx-target="#tag-suggestions"
-                       hx-params="*"
+                       hx-params="none"
                        hx-vals='{"q": ""}'>
                 <small id="tags-help">Skriv for å søke i eksisterende merkelapper. Maks {{maxTags}} stk. Bruk piltaster for å velge.</small>
             </label>
diff --git a/web/templates/partials/tag_suggestions.html b/web/templates/partials/tag_suggestions.html
index 22911e1..1b833b6 100644
--- a/web/templates/partials/tag_suggestions.html
+++ b/web/templates/partials/tag_suggestions.html
@@ -2,6 +2,6 @@
     id="tag-option-{{$i}}"
     class="tag-suggestion"
     aria-selected="false"
-    onclick="addTag(this, '{{$tag.Name}}')"
+    data-tag-name="{{$tag.Name}}"
     tabindex="-1">{{$tag.Name}}</li>
 {{end}}

From a8f3aa6f7e5c4f218f2ffa35f96895e6ac6d214a Mon Sep 17 00:00:00 2001
From: Ole-Morten Duesund <olemd@glemt.net>
Date: Sat, 4 Apr 2026 00:18:01 +0200
Subject: [PATCH 2/3] =?UTF-8?q?test:=20add=20comprehensive=20test=20suite?=
 =?UTF-8?q?=20(44=20=E2=86=92=20169=20tests)=20and=20v1.1=20plan?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add 125 new test functions across 10 new test files, covering:
- CSRF middleware (8 tests): double-submit cookie validation
- Auth middleware (12 tests): SessionLoader, RequireAdmin, context helpers
- API handlers (28 tests): auth, faves CRUD, tags, users, export/import
- Web handlers (41 tests): signup, login, password reset, fave CRUD,
  admin panel, feeds, import/export, profiles, settings
- Config (8 tests): env parsing, defaults, trusted proxies, normalization
- Database (6 tests): migrations, PRAGMAs, idempotency, seeding
- Image processing (10 tests): JPEG/PNG, resize, EXIF strip, path traversal
- Render (6 tests): page/error/partial rendering, template functions
- Settings store (3 tests): CRUD operations
- Regression tests for display name fallback and CSP-safe autocomplete

Also adds CSRF middleware to testServer chain for end-to-end CSRF
verification, TESTPLAN.md documenting coverage, and PLANS-v1.1.md
with implementation plans for notes+OG, PWA, editing UX, and admin.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 PLANS-v1.1.md                      |  316 ++++++++
 TESTPLAN.md                        |  388 ++++++++++
 internal/config/config_test.go     |  204 +++++
 internal/database/database_test.go |  140 ++++
 internal/handler/api/api_test.go   |  663 ++++++++++++++++
 internal/handler/handler_test.go   |    4 +-
 internal/handler/web_test.go       | 1153 ++++++++++++++++++++++++++++
 internal/image/image_test.go       |  234 ++++++
 internal/middleware/auth_test.go   |  299 ++++++++
 internal/middleware/csrf_test.go   |  185 +++++
 internal/render/render_test.go     |  161 ++++
 internal/store/settings_test.go    |   75 ++
 12 files changed, 3820 insertions(+), 2 deletions(-)
 create mode 100644 PLANS-v1.1.md
 create mode 100644 TESTPLAN.md
 create mode 100644 internal/config/config_test.go
 create mode 100644 internal/database/database_test.go
 create mode 100644 internal/handler/api/api_test.go
 create mode 100644 internal/handler/web_test.go
 create mode 100644 internal/image/image_test.go
 create mode 100644 internal/middleware/auth_test.go
 create mode 100644 internal/middleware/csrf_test.go
 create mode 100644 internal/render/render_test.go
 create mode 100644 internal/store/settings_test.go

diff --git a/PLANS-v1.1.md b/PLANS-v1.1.md
new file mode 100644
index 0000000..369bd37
--- /dev/null
+++ b/PLANS-v1.1.md
@@ -0,0 +1,316 @@
+# Implementeringsplan v1.1 — Favoritter
+
+Fire funksjoner som utvider Favoritter med notater og OG-metadata, PWA-installering med Android-delingsstøtte, bedre redigeringsflyt, og utvidede admin-verktøy.
+
+## Oversikt
+
+| # | Funksjon | Omfang | Avhengigheter |
+|---|----------|--------|---------------|
+| 1 | OG-støtte + fritekstfelt (notes) | Migrasjon, modell, store, alle handlere, maler, eksport/import, feed | Ingen |
+| 2 | PWA + Android share intent | Service worker, manifest, nye handlere, base-mal, JS | Avhenger av 1 (deling pre-fyller notes) |
+| 3 | Redigeringsforbedringer (UX) | Maler, CSS, ny toggle-rute, ny partial | Avhenger av 1 (notes vises i kort) |
+| 4 | Admin-forbedringer | Store, handlere, maler, ruter | Ingen |
+
+---
+
+## Funksjon 1: OG-støtte + fritekstfelt (notes)
+
+### Beskrivelse
+
+Legger til et valgfritt langtekstfelt «notes» på hver favoritt. Forbedrer Open Graph-metatagger på detaljsiden slik at `og:description` bruker notes når det er tilgjengelig.
+
+### Berørte filer
+
+| Fil | Endring |
+|-----|---------|
+| `internal/database/migrations/002_add_fave_notes.sql` | Ny fil: ALTER TABLE faves ADD COLUMN notes |
+| `internal/model/fave.go` | Legg til `Notes string` i Fave-struct |
+| `internal/store/fave.go` | Oppdater alle SQL-spørringer, Create/Update-signaturer, scanFaves |
+| `internal/handler/fave.go` | Les notes fra skjema i create/edit/update |
+| `internal/handler/api/api.go` | Legg til notes i request/response-structs og faveJSON |
+| `internal/handler/import_export.go` | Legg til notes i ExportFave, CSV-kolonner, import |
+| `internal/handler/feed.go` | Bruk notes som feed item description |
+| `web/templates/pages/fave_form.html` | Legg til textarea for notes mellom URL og bilde |
+| `web/templates/pages/fave_detail.html` | Vis notes, forbedre og:description |
+
+### Migrasjons-SQL
+
+```sql
+-- 002_add_fave_notes.sql
+-- Legger til et valgfritt notatfelt på favoritter.
+ALTER TABLE faves ADD COLUMN notes TEXT NOT NULL DEFAULT '';
+```
+
+### Implementeringssteg
+
+1. **Migrasjon**: Opprett `internal/database/migrations/002_add_fave_notes.sql`
+2. **Modell**: Legg til `Notes string` etter `ImagePath` i `model.Fave`
+3. **Store — Create**: Endre signatur til `Create(userID, description, url, imagePath, notes, privacy)`, oppdater INSERT
+4. **Store — GetByID**: Legg til `f.notes` i SELECT og `&f.Notes` i Scan
+5. **Store — Update**: Endre signatur, legg til `notes = ?` i UPDATE
+6. **Store — Alle list-metoder**: Legg til `f.notes` i SELECT for `ListByUser`, `ListPublicByUser`, `ListPublic`, `ListByTag`
+7. **Store — scanFaves**: Legg til `&f.Notes` i Scan
+8. **Handler — fave.go**: Les `notes` fra form i `handleFaveCreate` og `handleFaveUpdate`. Pass `fave.Notes` i `handleFaveEdit` template data
+9. **Handler — api/api.go**: Legg til `Notes` i request/response-structs, `faveJSON`, import
+10. **Handler — import_export.go**: Legg til notes i `ExportFave`, CSV header/rader, import-parsing
+11. **Handler — feed.go**: Sett `item.Description = f.Notes` når det ikke er tomt i `favesToFeedItems`
+12. **Template — fave_form.html**: Legg til `<textarea id="notes" name="notes">` mellom URL og bilde
+13. **Template — fave_detail.html**: Vis `{{if .Notes}}<div class="fave-notes">{{.Notes}}</div>{{end}}`, forbedre `og:description`:
+
+```html
+{{if .Notes}}
+    <meta property="og:description" content="{{truncate 200 .Notes}}">
+{{else if .URL}}
+    <meta property="og:description" content="{{.URL}}">
+{{else}}
+    <meta property="og:description" content="En favoritt av {{.DisplayName}} på {{$.SiteName}}">
+{{end}}
+```
+
+### Tester
+
+- Oppdater `TestFaveCRUD` (Create/Update-kall med notes)
+- Ny `TestFaveNotes` (CRUD med notes-felt)
+- Oppdater API CRUD-tester, ny `TestAPICreateFaveWithNotes`
+- ~5 nye, ~7 endrede
+
+---
+
+## Funksjon 2: PWA + Android share intent
+
+### Beskrivelse
+
+Gjør Favoritter installerbar som Progressive Web App med offline-støtte for statiske ressurser. Web Share Target API lar Android-brukere dele lenker direkte til Favoritter fra hvilken som helst app.
+
+### Berørte filer
+
+| Fil | Endring |
+|-----|---------|
+| `web/static/sw.js` | Ny fil: Service worker (cache-first statisk, network-first HTML) |
+| `web/static/icons/icon-192.png` | Ny fil: PWA-ikon 192x192 |
+| `web/static/icons/icon-512.png` | Ny fil: PWA-ikon 512x512 |
+| `web/static/icons/icon-512-maskable.png` | Ny fil: Maskable ikon for Android |
+| `internal/handler/pwa.go` | Ny fil: 3 handlere (manifest, SW, share) |
+| `internal/handler/handler.go` | 3 nye ruter |
+| `internal/handler/fave.go` | `handleFaveNew` leser url/description/notes fra query-parametre |
+| `web/templates/layouts/base.html` | Manifest-link, theme-color, base-path meta |
+| `web/static/js/app.js` | SW-registrering |
+
+### Implementeringssteg
+
+1. **Ikoner**: Opprett `web/static/icons/` med 192px, 512px, 512px-maskable PNG-er
+2. **Service worker** (`web/static/sw.js`): Bruk `{{BASE_PATH}}`-plassholder, cache-first for `/static/`, network-first for HTML
+3. **pwa.go — handleManifest**: Dynamisk JSON med BasePath injisert i `start_url`, `scope`, ikonruter og `share_target.action`. Share target bruker **GET** for å unngå CSRF-problemer
+4. **pwa.go — handleServiceWorker**: Les sw.js fra embedded FS, erstatt `{{BASE_PATH}}`, sett `Cache-Control: no-cache`
+5. **pwa.go — handleShare**: GET-handler bak `requireLogin`. Les `url`, `text`, `title` fra query. Mange Android-apper sender URL i `text`-feltet — sjekk begge. Redirect til `/faves/new?url=...&description=...&notes=...`
+6. **Ruter**: `GET /manifest.json` (offentlig), `GET /sw.js` (offentlig), `GET /share` (krever login)
+7. **handleFaveNew**: Les `url`, `description`, `notes` fra query-parametre for pre-fill
+8. **base.html**: `<meta name="theme-color" content="#1095c1">`, `<link rel="manifest">`, `<meta name="base-path">`
+9. **app.js**: SW-registrering via `navigator.serviceWorker.register()`, les base-path fra meta-tag
+
+### Designbeslutninger
+
+- **GET for share target**: Android kan ikke levere CSRF-tokens, så POST er utelukket. GET-handler redirecter til fave-skjema
+- **Dynamisk manifest**: Nødvendig for å injisere BasePath korrekt ved subpath-deployment
+- **SW Cache-Control: no-cache**: Nettleseren må kunne sjekke for oppdateringer
+
+### Tester
+
+- `TestManifestJSON`, `TestServiceWorkerContent`, `TestServiceWorkerBasePath`
+- `TestShareRedirectsToFaveNew`, `TestShareTextFieldFallback`, `TestShareRequiresLogin`
+- ~6 nye
+
+---
+
+## Funksjon 3: Redigeringsforbedringer (UX)
+
+### Beskrivelse
+
+Backend-redigering fungerer allerede (rediger, slett, personvernveksling). Problemet er at handlingene kun er synlige på detaljsiden. Denne funksjonen gjør dem tilgjengelige fra listevisninger.
+
+### Tier 1 — Synlige handlinger i listevisninger
+
+| Fil | Endring |
+|-----|---------|
+| `web/templates/pages/fave_list.html` | Legg til rediger/slett-knapper i hver card footer |
+| `web/templates/pages/profile.html` | Legg til rediger-lenke for eiers egne kort |
+| `web/static/css/style.css` | Kompakte `.fave-card-actions`-stiler |
+
+**fave_list.html**: Legg til etter tags-footer, før `</article>`:
+```html
+<footer class="fave-card-actions">
+    <a href="{{basePath}}/faves/{{.ID}}/edit" class="fave-action-link">Rediger</a>
+    <button hx-delete="{{basePath}}/faves/{{.ID}}"
+            hx-confirm="Er du sikker på at du vil slette denne favoritten?"
+            hx-target="closest article" hx-swap="outerHTML"
+            class="fave-action-btn secondary">Slett</button>
+</footer>
+```
+
+Eksisterende `handleFaveDelete` returnerer allerede tom response for HTMX-forespørsler, så `hx-target="closest article" hx-swap="outerHTML"` fjerner kortet fra DOM.
+
+**profile.html**: Vis kun for eier med `{{if $d.IsOwner}}`.
+
+### Tier 2 — Rask personvernveksler
+
+| Fil | Endring |
+|-----|---------|
+| `internal/store/fave.go` | Ny `UpdatePrivacy(id, privacy)` metode |
+| `internal/handler/fave.go` | Ny `handleFaveTogglePrivacy` handler |
+| `internal/handler/handler.go` | Ny rute: `POST /faves/{id}/privacy` |
+| `web/templates/partials/privacy_toggle.html` | Ny HTMX-partial for toggle-knapp |
+| `web/templates/pages/fave_list.html` | Bruk toggle i stedet for statisk badge |
+| `web/templates/pages/fave_detail.html` | Bruk toggle for eier |
+
+**Store — UpdatePrivacy**:
+```go
+func (s *FaveStore) UpdatePrivacy(id int64, privacy string) error {
+    _, err := s.db.Exec(
+        `UPDATE faves SET privacy = ?,
+            updated_at = strftime('%Y-%m-%dT%H:%M:%SZ', 'now')
+        WHERE id = ?`, privacy, id)
+    return err
+}
+```
+
+**Handler**: Verifiserer eierskap, veksler mellom "public"/"private", returnerer oppdatert partial.
+
+**Partial** (`privacy_toggle.html`):
+```html
+<span class="privacy-toggle" id="privacy-{{.ID}}">
+    <button hx-post="{{basePath}}/faves/{{.ID}}/privacy"
+            hx-target="#privacy-{{.ID}}" hx-swap="outerHTML"
+            class="fave-action-btn {{if eq .Privacy "private"}}secondary{{end}}">
+        {{if eq .Privacy "public"}}Offentlig{{else}}Privat{{end}}
+    </button>
+</span>
+```
+
+CSRF-token håndteres automatisk av `htmx:configRequest`-hooken i app.js.
+
+### Tester
+
+- `TestUpdatePrivacy`, `TestTogglePrivacyOwner`, `TestTogglePrivacyNotOwner`
+- `TestFaveListShowsEditButton`, `TestFaveListDeleteViaHTMX`
+- ~5 nye
+
+---
+
+## Funksjon 4: Admin-forbedringer
+
+### Beskrivelse
+
+Utvider admin-panelet med mulighet til å endre brukerroller og permanent slette brukerkontoer. Eksisterende admin-funksjonalitet som allerede fungerer:
+
+- ✅ Lukke registreringer (`/admin/settings` → signup_mode)
+- ✅ Låse/deaktivere brukere (`/admin/users/{id}/toggle-disabled`)
+- ✅ Tilbakestille passord (`/admin/users/{id}/reset-password`)
+- ✅ Godkjenne/avvise registreringsforespørsler
+- ✅ Opprette brukere
+
+### Del A: Endre brukerrolle
+
+| Fil | Endring |
+|-----|---------|
+| `internal/store/user.go` | Ny `SetRole(userID, role)` metode |
+| `internal/handler/admin.go` | Ny `handleAdminSetRole` handler |
+| `internal/handler/handler.go` | Ny rute: `POST /admin/users/{id}/role` |
+| `web/templates/pages/admin_users.html` | Rolle-dropdown per brukerrad |
+
+**Store — SetRole**: Validerer at role er "user" eller "admin", oppdaterer databasen.
+
+**Handler**: Forhindrer at admin endrer egen rolle. Oppdaterer rolle og viser bekreftelse.
+
+**Template**: `<select name="role">` med `onchange="this.form.submit()"` i handlingskolonnen.
+
+**NB**: `onchange` inline handler blokkeres av CSP (`script-src 'self'`). Bruk i stedet en delegert event listener i app.js, eller legg til en submit-knapp:
+```html
+<form method="POST" action="{{basePath}}/admin/users/{{.ID}}/role" class="inline-form">
+    <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
+    <select name="role" class="inline-input">
+        <option value="user" {{if eq .Role "user"}}selected{{end}}>Bruker</option>
+        <option value="admin" {{if eq .Role "admin"}}selected{{end}}>Admin</option>
+    </select>
+    <button type="submit" class="nav-button outline">Lagre</button>
+</form>
+```
+
+### Del B: Slette brukerkontoer
+
+| Fil | Endring |
+|-----|---------|
+| `internal/store/user.go` | Ny `Delete(userID)` metode |
+| `internal/handler/admin.go` | Ny `handleAdminDeleteUser` handler |
+| `internal/handler/handler.go` | Ny rute: `POST /admin/users/{id}/delete` |
+| `web/templates/pages/admin_users.html` | Slett-knapp med `hx-confirm` |
+
+**Store — Delete**: `DELETE FROM users WHERE id = ?`. Kaskadesletting via foreign keys fjerner sessions, faves og fave_tags automatisk.
+
+**Handler**: Forhindrer selvsletting. Sletter brukerens bilder fra disk **før** databasesletting (fordi kaskaden fjerner fave-radene som refererer til bildefilene). Viser bekreftelse.
+
+**Template**: HTMX-knapp med `hx-confirm`:
+```html
+<button hx-post="{{basePath}}/admin/users/{{.ID}}/delete"
+        hx-confirm="Er du HELT sikker? Dette sletter brukeren og alle favorittene permanent."
+        hx-target="closest tr" hx-swap="outerHTML"
+        class="nav-button outline" style="color: var(--pico-del-color);">Slett</button>
+```
+
+### Tester
+
+- `TestSetRole`, `TestSetRoleInvalid`, `TestDeleteUser`, `TestDeleteUserCascade`
+- `TestAdminSetRoleSuccess`, `TestAdminSetRoleSelf`
+- `TestAdminDeleteUserSuccess`, `TestAdminDeleteUserSelf`, `TestAdminDeleteUserCascadesData`
+- ~9 nye
+
+---
+
+## Samlet implementeringsrekkefølge
+
+```
+Fase 1: Funksjon 1 + Funksjon 4 (parallelt, ingen avhengigheter)
+  ├── 1a: Migrasjon + modell + store (notes)
+  ├── 1b: Handlere og maler (notes + OG)
+  ├── 4a: SetRole + handler + mal
+  └── 4b: Delete + handler + mal
+
+Fase 2: Funksjon 3 (krever notes fra Fase 1)
+  ├── 3a: Tier 1 — rediger/slett-knapper i listevisninger
+  └── 3b: Tier 2 — personvernveksler
+
+Fase 3: Funksjon 2 (krever notes fra Fase 1)
+  ├── 2a: Ikoner + service worker + manifest-handler
+  ├── 2b: Share-handler + pre-fill
+  └── 2c: Base-mal + SW-registrering
+```
+
+### Nye endepunkter
+
+| Metode | Rute | Handler | Auth |
+|--------|------|---------|------|
+| GET | `/manifest.json` | handleManifest | Nei |
+| GET | `/sw.js` | handleServiceWorker | Nei |
+| GET | `/share` | handleShare | Ja |
+| POST | `/faves/{id}/privacy` | handleFaveTogglePrivacy | Ja |
+| POST | `/admin/users/{id}/role` | handleAdminSetRole | Admin |
+| POST | `/admin/users/{id}/delete` | handleAdminDeleteUser | Admin |
+
+### Nye filer
+
+| Fil | Beskrivelse |
+|-----|-------------|
+| `internal/database/migrations/002_add_fave_notes.sql` | Migrasjon: notes-kolonne |
+| `internal/handler/pwa.go` | PWA-handlere (manifest, SW, share) |
+| `web/static/sw.js` | Service worker |
+| `web/static/icons/icon-*.png` | PWA-ikoner (3 stk) |
+| `web/templates/partials/privacy_toggle.html` | HTMX personvernveksler |
+
+### Estimert testtillegg
+
+| Funksjon | Nye tester |
+|----------|------------|
+| 1: Notes + OG | ~5 |
+| 2: PWA + share | ~6 |
+| 3: Redigering UX | ~5 |
+| 4: Admin | ~9 |
+| **Totalt** | **~25** |
diff --git a/TESTPLAN.md b/TESTPLAN.md
new file mode 100644
index 0000000..2e0799a
--- /dev/null
+++ b/TESTPLAN.md
@@ -0,0 +1,388 @@
+# Testplan — Favoritter
+
+## Dekning (oppdatert 2026-04-03)
+
+| Lag | Pakke | Testfiler | Testfunksjoner | Dekning |
+|-----|-------|-----------|----------------|---------|
+| Data | `internal/store` | 6 | 24 | 70.8 % |
+| HTTP (web) | `internal/handler` | 2 | 55 | 56.1 % |
+| HTTP (API) | `internal/handler/api` | 1 | 28 | 75.8 % |
+| Mellomvare | `internal/middleware` | 3 | 29 | 83.1 % |
+| Konfig | `internal/config` | 1 | 8 | 81.1 % |
+| Bilde | `internal/image` | 1 | 10 | 85.7 % |
+| Database | `internal/database` | 1 | 6 | 66.0 % |
+| Rendering | `internal/render` | 1 | 6 | 72.7 % |
+| Modell | `internal/model` | 0 | 0 | 0.0 % (kun datatyper) |
+
+**Totalt**: 16 testfiler, 167 testfunksjoner, alle grønne.
+
+---
+
+## Prioriteter
+
+- **P0 — Kritisk**: Sikkerhet, autentisering, autorisasjon
+- **P1 — Høy**: Forretningslogikk, dataintegritet, API-kontrakter
+- **P2 — Middels**: Konfigurasjon, feilhåndtering, kanttilfeller
+- **P3 — Lav**: Rendering, logging, hjelpefunksjoner
+
+---
+
+## P0 — Sikkerhet og tilgangskontroll
+
+### CSRF-beskyttelse (`internal/middleware/csrf.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestCSRFTokenSetInCookie` | POST uten eksisterende cookie → ny `csrf_token`-cookie settes |
+| 2 | `TestCSRFValidTokenAccepted` | POST med matchende cookie + form-felt → 200 |
+| 3 | `TestCSRFMismatchRejected` | POST med feil token i form-felt → 403 |
+| 4 | `TestCSRFMissingTokenRejected` | POST uten token i form-felt/header → 403 |
+| 5 | `TestCSRFHeaderFallback` | POST med token i `X-CSRF-Token`-header → 200 |
+| 6 | `TestCSRFSkippedForAPI` | POST til `/api/`-ruter → CSRF sjekkes ikke |
+| 7 | `TestCSRFSafeMethodsPassThrough` | GET/HEAD/OPTIONS → ingen validering |
+
+### Auth-mellomvare (`internal/middleware/auth.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestSessionLoaderValidToken` | Gyldig session-cookie → bruker satt i context |
+| 2 | `TestSessionLoaderInvalidToken` | Ugyldig cookie → context uten bruker, ingen feil |
+| 3 | `TestSessionLoaderNoCookie` | Ingen cookie → context uten bruker |
+| 4 | `TestRequireLoginRedirectsToLogin` | Uautentisert → 302 til `/login` |
+| 5 | `TestRequireLoginAllowsAuthenticated` | Autentisert → neste handler kjøres |
+| 6 | `TestRequireAdminRejectsNonAdmin` | Vanlig bruker → 403 |
+| 7 | `TestRequireAdminAllowsAdmin` | Admin-bruker → neste handler kjøres |
+
+### API-autentisering (`internal/handler/api/`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestAPILoginSuccess` | Korrekt brukernavn/passord → token + brukerinfo |
+| 2 | `TestAPILoginWrongPassword` | Feil passord → 401 |
+| 3 | `TestAPILoginInvalidBody` | Ugyldig JSON → 400 |
+| 4 | `TestAPILogout` | Gyldig session → session slettet, cookie fjernet |
+| 5 | `TestAPIRequiresAuth` | Beskyttede endepunkter uten session → 401/redirect |
+
+### Autorisasjon (eierskap)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestCannotEditOtherUsersFave` | PUT `/api/v1/faves/{id}` med annen bruker → 403 |
+| 2 | `TestCannotDeleteOtherUsersFave` | DELETE `/api/v1/faves/{id}` med annen bruker → 403 |
+| 3 | `TestPrivateFaveHiddenFromAPI` | GET `/api/v1/faves/{id}` privat fave, annen bruker → 404 |
+| 4 | `TestPrivateFaveVisibleToOwnerAPI` | GET `/api/v1/faves/{id}` privat fave, eier → 200 |
+| 5 | `TestAdminEndpointsRequireAdminRole` | Ikke-admin → 403 på alle admin-ruter |
+
+---
+
+## P1 — Forretningslogikk og API-kontrakter
+
+### Store: Innstillinger (`internal/store/settings.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestSettingsGetDefault` | Hent standardinnstillinger etter migrasjon |
+| 2 | `TestSettingsUpdate` | Oppdater site_name, description, signup_mode → endringer leses tilbake |
+| 3 | `TestSettingsUpdatePartial` | Oppdater kun ett felt → andre felter beholdes |
+
+### API: Favoritter CRUD (`internal/handler/api/`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestAPICreateFave` | POST med beskrivelse, URL, privacy, tags → 201 + komplett JSON |
+| 2 | `TestAPICreateFaveMinimal` | POST med kun beskrivelse → 201, standardverdier |
+| 3 | `TestAPICreateFaveMissingDescription` | POST uten beskrivelse → 400 |
+| 4 | `TestAPIGetFave` | GET `/api/v1/faves/{id}` → komplett JSON med tagger |
+| 5 | `TestAPIGetFaveNotFound` | GET med ugyldig ID → 404 |
+| 6 | `TestAPIUpdateFave` | PUT med endringer → oppdatert JSON |
+| 7 | `TestAPIUpdateFavePartial` | PUT med kun tags → andre felter uendret |
+| 8 | `TestAPIDeleteFave` | DELETE → 204 No Content |
+| 9 | `TestAPIDeleteFaveNotFound` | DELETE med ugyldig ID → 404 |
+| 10 | `TestAPIListFaves` | GET `/api/v1/faves` → paginert resultat med total |
+| 11 | `TestAPIListFavesPagination` | Sjekk page/limit-parametre og grense (limit ≤ 100) |
+
+### API: Brukere og offentlige favoritter
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestAPIGetUser` | GET `/api/v1/users/{username}` → brukerinfo |
+| 2 | `TestAPIGetUserNotFound` | Ukjent brukernavn → 404 |
+| 3 | `TestAPIGetDisabledUser` | Deaktivert bruker → 404 |
+| 4 | `TestAPIGetUserFaves` | GET `/api/v1/users/{username}/faves` → kun offentlige |
+| 5 | `TestAPIGetUserFavesEmpty` | Bruker uten favoritter → tom liste |
+
+### API: Tagger
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestAPISearchTags` | GET `/api/v1/tags?q=prefix` → matchende tagger |
+| 2 | `TestAPISearchTagsEmpty` | Søk uten treff → tom liste |
+| 3 | `TestAPISearchTagsLimit` | `limit`-parameter respekteres, maks 100 |
+
+### API: Eksport/import
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestAPIExport` | GET `/api/v1/export/json` → alle brukerens favoritter |
+| 2 | `TestAPIImportValid` | POST med JSON-array → imported/total-svar |
+| 3 | `TestAPIImportSkipsEmpty` | Oppføringer uten beskrivelse → hoppes over |
+| 4 | `TestAPIImportInvalidJSON` | Ugyldig JSON → 400 |
+| 5 | `TestAPIImportBodyLimit` | Stor body → avvist (MaxUploadSize) |
+
+### Handler: Registrering og pålogging (`internal/handler/auth.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestSignupPageRendering` | GET `/signup` → skjema med CSRF-token |
+| 2 | `TestSignupSuccess` | POST med gyldig data → registreringsforespørsel opprettet |
+| 3 | `TestSignupDuplicate` | Duplisert brukernavn → feilmelding |
+| 4 | `TestSignupDisabled` | `signup_mode=closed` → 403 eller redirect |
+| 5 | `TestPasswordResetFlow` | Bruker med must_reset → tvinges til å endre passord |
+| 6 | `TestPasswordChangeSuccess` | POST med korrekt gammelt + nytt passord → oppdatert |
+| 7 | `TestPasswordChangeMismatch` | Nytt passord ≠ bekreftelse → feilmelding |
+| 8 | `TestLogout` | POST `/logout` → session slettet, redirect til login |
+
+### Handler: Favoritter CRUD (web) (`internal/handler/fave.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestCreateFavePage` | GET `/faves/new` → skjema rendres |
+| 2 | `TestCreateFaveSubmit` | POST med gyldig data → redirect til favoritt |
+| 3 | `TestCreateFaveWithImage` | POST med multipart/bilde → bilde lagret |
+| 4 | `TestEditFavePage` | GET `/faves/{id}/edit` → skjema med eksisterende data |
+| 5 | `TestEditFaveSubmit` | POST med endringer → oppdatert |
+| 6 | `TestEditFaveNotOwner` | Annen bruker → 403 |
+| 7 | `TestDeleteFave` | POST `/faves/{id}/delete` → slettet, redirect |
+| 8 | `TestDeleteFaveNotOwner` | Annen bruker → 403 |
+| 9 | `TestFaveListPagination` | Navigasjon med page-parameter |
+
+### Handler: Administrasjon (`internal/handler/admin.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestAdminDashboard` | GET `/admin` → statistikk rendres |
+| 2 | `TestAdminUserList` | GET `/admin/users` → alle brukere vises |
+| 3 | `TestAdminDisableUser` | POST → bruker deaktiveres |
+| 4 | `TestAdminEnableUser` | POST → bruker reaktiveres |
+| 5 | `TestAdminApproveSignup` | POST → bruker opprettes, forespørsel fjernes |
+| 6 | `TestAdminRejectSignup` | POST → forespørsel fjernes, bruker opprettes ikke |
+| 7 | `TestAdminUpdateSettings` | POST → innstillinger oppdateres |
+
+### Handler: Profil (`internal/handler/profile.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestPublicProfileVisible` | Offentlig profil → bio, visningsnavn vist |
+| 2 | `TestLimitedProfileHidesBio` | Begrenset profil → bio skjult, merknad vist |
+| 3 | `TestProfileEditPage` | GET `/profile/edit` → skjema med gjeldende verdier |
+| 4 | `TestProfileUpdateDisplayName` | POST → visningsnavn oppdatert |
+| 5 | `TestProfileUpdateVisibility` | POST → synlighet endret |
+| 6 | `TestProfileAvatarUpload` | POST med bilde → avatar lagret |
+
+### Handler: Feed (`internal/handler/feed.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestGlobalFeedAtom` | GET `/feed` → gyldig Atom XML |
+| 2 | `TestUserFeedAtom` | GET `/{username}/feed` → kun brukerens offentlige |
+| 3 | `TestFeedExcludesPrivate` | Private favoritter utelates |
+| 4 | `TestFeedLinksUseExternalURL` | Lenker bruker `EXTERNAL_URL`, ikke localhost |
+
+### Handler: Import/Eksport (web) (`internal/handler/import_export.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestExportPageRendering` | GET `/export` → eksportvalg vist |
+| 2 | `TestExportJSON` | GET `/export/json` → JSON-array med alle faves |
+| 3 | `TestExportCSV` | GET `/export/csv` → gyldig CSV med header |
+| 4 | `TestImportJSON` | POST med JSON-fil → favoritter importert |
+| 5 | `TestImportCSV` | POST med CSV-fil → favoritter importert |
+| 6 | `TestImportDuplicateHandling` | Duplikater → håndteres uten feil |
+
+---
+
+## P2 — Konfigurasjon, bilde, database
+
+### Konfigurasjon (`internal/config/config.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestLoadDefaults` | Ingen env-variabler → fornuftige standardverdier |
+| 2 | `TestLoadFromEnv` | Alle env-variabler satt → config inneholder riktige verdier |
+| 3 | `TestTrustedProxiesParsing` | `TRUSTED_PROXIES=10.0.0.0/8,192.168.0.0/16` → korrekte IPNet |
+| 4 | `TestTrustedProxiesInvalid` | Ugyldig CIDR → logges, hoppes over |
+| 5 | `TestBasePathNormalization` | Trailing slash fjernes, tom streng beholdes |
+| 6 | `TestSessionLifetimeParsing` | `SESSION_LIFETIME=48h` → korrekt Duration |
+| 7 | `TestDevModeFlag` | `FAVORITTER_DEV_MODE=true` → DevMode = true |
+| 8 | `TestMaxUploadSizeParsing` | `MAX_UPLOAD_SIZE=10485760` → korrekt int64 |
+
+### Bildebehandling (`internal/image/image.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestProcessJPEG` | Gyldig JPEG → UUID-filnavn, lagret i uploadDir |
+| 2 | `TestProcessPNG` | Gyldig PNG → re-encoded, EXIF strippet |
+| 3 | `TestProcessResizeWideImage` | Bilde > 1920px bredt → nedskalert til MaxWidth |
+| 4 | `TestProcessSmallImageNotResized` | Bilde < 1920px → beholdes som det er |
+| 5 | `TestProcessInvalidMIME` | `text/plain`-fil → feil returneres |
+| 6 | `TestProcessCorruptImage` | Korrupt bildedata → feil returneres |
+| 7 | `TestProcessUUIDFilename` | Filnavn bruker UUID, aldri brukerens opprinnelige filnavn |
+| 8 | `TestAllowedTypes` | Sjekk at JPEG, PNG, GIF, WebP er tillatt |
+
+### Databasemigrasjoner (`internal/database/database.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestOpenInMemory` | `:memory:` → fungerende tilkobling |
+| 2 | `TestMigrateCreatesAllTables` | Migrasjon → alle forventede tabeller finnes |
+| 3 | `TestMigrateIdempotent` | Kjør Migrate to ganger → ingen feil |
+| 4 | `TestPRAGMAs` | WAL-modus, foreign_keys, journal_size_limit satt |
+| 5 | `TestSingleConnection` | MaxOpenConns = 1 verifisert |
+
+### Mellomvare: Context-hjelpere (`internal/middleware/context.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestUserFromContextPresent` | Bruker i context → returneres |
+| 2 | `TestUserFromContextAbsent` | Ingen bruker → nil |
+| 3 | `TestCSRFTokenFromContext` | Token i context → returneres |
+| 4 | `TestFlashFromContext` | Flash-melding i context → returneres |
+
+### Mellomvare: Logger (`internal/middleware/logger.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestLoggerRecordsStatusCode` | Response status kodes logges |
+| 2 | `TestLoggerRecordsDuration` | Forespørselstid logges |
+| 3 | `TestLoggerIncludesPath` | URL-path inkluderes i loggoppføring |
+
+---
+
+## P3 — Rendering og hjelpefunksjoner
+
+### Template-rendering (`internal/render/render.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestRenderPage` | Rendrer side med layout → komplett HTML |
+| 2 | `TestRenderPageWithData` | PageData (Title, brukerinfo) → interpolert i template |
+| 3 | `TestRenderPartial` | Rendrer partial uten layout |
+| 4 | `TestRenderMissingTemplate` | Ukjent template-navn → feilhåndtering |
+| 5 | `TestCSRFTokenInTemplate` | CSRF-token tilgjengelig i template-context |
+
+### API JSON-hjelpere (`internal/handler/api/`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestJsonOKFormat` | Content-Type: application/json, gyldig JSON |
+| 2 | `TestJsonErrorFormat` | Feil → `{"error": "melding"}` + riktig statuskode |
+| 3 | `TestUserJSONPublicProfile` | Offentlig profil → bio og avatar inkludert |
+| 4 | `TestUserJSONLimitedProfile` | Begrenset profil → bio og avatar utelatt |
+| 5 | `TestFaveJSONComplete` | Alle felter mappet korrekt |
+| 6 | `TestQueryIntFallback` | Ugyldig/manglende parameter → standardverdi |
+| 7 | `TestQueryIntNegative` | Negativ verdi → standardverdi |
+
+---
+
+## Integrasjonstester (tverrgående)
+
+Disse testene verifiserer hele flyten fra HTTP-forespørsel gjennom mellomvare, handler, store og tilbake.
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestFullLoginFlow` | GET login → POST credentials → session cookie → GET /faves → 200 |
+| 2 | `TestFullSignupApprovalFlow` | Registrering → admin godkjenner → bruker logger inn → endrer passord |
+| 3 | `TestFullFaveCRUDFlow` | Opprett → les → rediger → slett favoritt via web |
+| 4 | `TestFullAPIFaveCRUDFlow` | Login → opprett → hent → oppdater → slett via JSON API |
+| 5 | `TestImportExportRoundtrip` | Eksporter → importer til ny bruker → verifiser likhet |
+| 6 | `TestFeedReflectsNewFaves` | Opprett favoritt → feed oppdateres |
+| 7 | `TestRateLimitOnLogin` | Mange mislykkede pålogginger → 429 |
+| 8 | `TestCSRFProtectionEndToEnd` | Hent side → ekstraher token → POST med token → suksess |
+| 9 | `TestBasePathPropagation` | Alle lenker og redirects respekterer base path |
+| 10 | `TestMultiUserPrivacy` | Bruker A ser ikke bruker Bs private favoritter i noen visning |
+
+---
+
+## Testinfrastruktur
+
+### Eksisterende hjelpere (gjenbruk)
+
+- `testDB(t)` — in-memory SQLite med migrasjoner (`store/*_test.go`)
+- `testServer(t)` — komplett handler-stack med mellomvare (`handler/handler_test.go`)
+- `loginUser(t, h, username, password, role)` — oppretter bruker og returnerer session-cookie
+- `extractCookie(rr, name)` — henter cookie fra response
+
+### Nye hjelpere som trengs
+
+| Hjelper | Bruksområde |
+|---------|-------------|
+| `testAPIServer(t)` | Setup for API-handler med in-memory DB |
+| `apiLogin(t, server, username, password)` | Hent session-token for API-tester |
+| `testImage(t, width, height, mime)` | Generer test-bilde med gitte dimensjoner |
+| `setEnv(t, key, value)` | Sett env-variabel med automatisk cleanup |
+
+### Konvensjoner
+
+- Bruk `:memory:` SQLite for alle tester
+- Sett raske Argon2-parametre (`Memory=1024, Time=1`) i alle passord-tester
+- Bruk `t.Helper()` på alle hjelpefunksjoner
+- Bruk `t.Cleanup()` for opprydding, aldri manuell defer i hjelpere
+- Bruk `httptest.NewRecorder()` og `httptest.NewRequest()` for HTTP-tester
+- Bruk `t.TempDir()` for bildebehandlingstester
+- Tabell-drevne tester der det er naturlig (f.eks. config-parsing, feilkoder)
+- Norske testbeskrivelser i kommentarer, engelske funksjons-/variabelnavn
+
+---
+
+## Implementeringsrekkefølge
+
+```
+Fase 1 (P0): Sikkerhet
+  ├── middleware/csrf_test.go         (~7 tester)
+  ├── middleware/auth_test.go         (~7 tester)  ← utvid eksisterende fil
+  └── handler/api/api_test.go         (~5 auth-tester)
+
+Fase 2 (P1a): Store + API-kontrakter
+  ├── store/settings_test.go          (~3 tester)
+  └── handler/api/api_test.go         (~25 tester, utvid)
+
+Fase 3 (P1b): Web-handlere
+  ├── handler/handler_test.go         (~30 tester, utvid eksisterende)
+  └── handler/auth_test.go            (~8 tester)
+
+Fase 4 (P2): Konfig, bilde, database
+  ├── config/config_test.go           (~8 tester)
+  ├── image/image_test.go             (~8 tester)
+  ├── database/database_test.go       (~5 tester)
+  └── middleware/context_test.go      (~4 tester)
+
+Fase 5 (P3): Rendering og hjelpere
+  ├── render/render_test.go           (~5 tester)
+  └── handler/api/helpers_test.go     (~7 tester)
+
+Fase 6: Integrasjonstester
+  └── integration_test.go             (~10 tester, build tag)
+```
+
+**Totalt**: ~132 nye tester → fra 44 til ~176 testfunksjoner.
+
+---
+
+## Kjøring
+
+```bash
+# Alle tester
+go test ./...
+
+# Én pakke
+go test ./internal/store/...
+
+# Med dekning
+go test -cover ./...
+
+# Detaljert dekningsrapport
+go test -coverprofile=coverage.out ./... && go tool cover -html=coverage.out
+
+# Kun integrasjonstester (om build tag brukes)
+go test -tags=integration ./...
+```
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
new file mode 100644
index 0000000..a5bbb22
--- /dev/null
+++ b/internal/config/config_test.go
@@ -0,0 +1,204 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package config
+
+import (
+	"testing"
+	"time"
+)
+
+func TestLoadDefaults(t *testing.T) {
+	// Clear all FAVORITTER_ env vars to test defaults.
+	for _, key := range []string{
+		"FAVORITTER_DB_PATH", "FAVORITTER_LISTEN", "FAVORITTER_BASE_PATH",
+		"FAVORITTER_EXTERNAL_URL", "FAVORITTER_UPLOAD_DIR", "FAVORITTER_MAX_UPLOAD_SIZE",
+		"FAVORITTER_SESSION_LIFETIME", "FAVORITTER_ARGON2_MEMORY", "FAVORITTER_ARGON2_TIME",
+		"FAVORITTER_ARGON2_PARALLELISM", "FAVORITTER_RATE_LIMIT", "FAVORITTER_ADMIN_USERNAME",
+		"FAVORITTER_ADMIN_PASSWORD", "FAVORITTER_SITE_NAME", "FAVORITTER_DEV_MODE",
+		"FAVORITTER_TRUSTED_PROXIES",
+	} {
+		t.Setenv(key, "")
+	}
+
+	cfg := Load()
+
+	if cfg.DBPath != "./data/favoritter.db" {
+		t.Errorf("DBPath = %q, want default", cfg.DBPath)
+	}
+	if cfg.Listen != ":8080" {
+		t.Errorf("Listen = %q, want :8080", cfg.Listen)
+	}
+	if cfg.BasePath != "" {
+		t.Errorf("BasePath = %q, want empty (root)", cfg.BasePath)
+	}
+	if cfg.MaxUploadSize != 10<<20 {
+		t.Errorf("MaxUploadSize = %d, want %d", cfg.MaxUploadSize, 10<<20)
+	}
+	if cfg.SessionLifetime != 720*time.Hour {
+		t.Errorf("SessionLifetime = %v, want 720h", cfg.SessionLifetime)
+	}
+	if cfg.SiteName != "Favoritter" {
+		t.Errorf("SiteName = %q, want Favoritter", cfg.SiteName)
+	}
+	if cfg.DevMode {
+		t.Error("DevMode should be false by default")
+	}
+	if cfg.RateLimit != 60 {
+		t.Errorf("RateLimit = %d, want 60", cfg.RateLimit)
+	}
+}
+
+func TestLoadFromEnv(t *testing.T) {
+	t.Setenv("FAVORITTER_DB_PATH", "/custom/db.sqlite")
+	t.Setenv("FAVORITTER_LISTEN", ":9090")
+	t.Setenv("FAVORITTER_BASE_PATH", "/faves")
+	t.Setenv("FAVORITTER_EXTERNAL_URL", "https://faves.example.com/")
+	t.Setenv("FAVORITTER_UPLOAD_DIR", "/custom/uploads")
+	t.Setenv("FAVORITTER_MAX_UPLOAD_SIZE", "20971520")
+	t.Setenv("FAVORITTER_SESSION_LIFETIME", "48h")
+	t.Setenv("FAVORITTER_ARGON2_MEMORY", "131072")
+	t.Setenv("FAVORITTER_ARGON2_TIME", "5")
+	t.Setenv("FAVORITTER_ARGON2_PARALLELISM", "4")
+	t.Setenv("FAVORITTER_RATE_LIMIT", "100")
+	t.Setenv("FAVORITTER_ADMIN_USERNAME", "admin")
+	t.Setenv("FAVORITTER_ADMIN_PASSWORD", "secret")
+	t.Setenv("FAVORITTER_SITE_NAME", "Mine Favoritter")
+	t.Setenv("FAVORITTER_DEV_MODE", "true")
+	t.Setenv("FAVORITTER_TRUSTED_PROXIES", "10.0.0.0/8,192.168.1.0/24")
+
+	cfg := Load()
+
+	if cfg.DBPath != "/custom/db.sqlite" {
+		t.Errorf("DBPath = %q", cfg.DBPath)
+	}
+	if cfg.Listen != ":9090" {
+		t.Errorf("Listen = %q", cfg.Listen)
+	}
+	if cfg.BasePath != "/faves" {
+		t.Errorf("BasePath = %q, want /faves", cfg.BasePath)
+	}
+	// External URL should have trailing slash stripped.
+	if cfg.ExternalURL != "https://faves.example.com" {
+		t.Errorf("ExternalURL = %q, want trailing slash stripped", cfg.ExternalURL)
+	}
+	if cfg.MaxUploadSize != 20971520 {
+		t.Errorf("MaxUploadSize = %d", cfg.MaxUploadSize)
+	}
+	if cfg.SessionLifetime != 48*time.Hour {
+		t.Errorf("SessionLifetime = %v", cfg.SessionLifetime)
+	}
+	if cfg.Argon2Memory != 131072 {
+		t.Errorf("Argon2Memory = %d", cfg.Argon2Memory)
+	}
+	if cfg.Argon2Time != 5 {
+		t.Errorf("Argon2Time = %d", cfg.Argon2Time)
+	}
+	if cfg.Argon2Parallelism != 4 {
+		t.Errorf("Argon2Parallelism = %d", cfg.Argon2Parallelism)
+	}
+	if cfg.RateLimit != 100 {
+		t.Errorf("RateLimit = %d", cfg.RateLimit)
+	}
+	if cfg.AdminUsername != "admin" {
+		t.Errorf("AdminUsername = %q", cfg.AdminUsername)
+	}
+	if cfg.AdminPassword != "secret" {
+		t.Errorf("AdminPassword = %q", cfg.AdminPassword)
+	}
+	if cfg.SiteName != "Mine Favoritter" {
+		t.Errorf("SiteName = %q", cfg.SiteName)
+	}
+	if !cfg.DevMode {
+		t.Error("DevMode should be true")
+	}
+	if len(cfg.TrustedProxies) != 2 {
+		t.Errorf("TrustedProxies: got %d, want 2", len(cfg.TrustedProxies))
+	}
+}
+
+func TestTrustedProxiesParsing(t *testing.T) {
+	t.Setenv("FAVORITTER_TRUSTED_PROXIES", "10.0.0.0/8, 192.168.0.0/16, 127.0.0.1")
+
+	cfg := Load()
+
+	if len(cfg.TrustedProxies) != 3 {
+		t.Fatalf("TrustedProxies: got %d, want 3", len(cfg.TrustedProxies))
+	}
+	// 127.0.0.1 without CIDR should become 127.0.0.1/32.
+	last := cfg.TrustedProxies[2]
+	if ones, _ := last.Mask.Size(); ones != 32 {
+		t.Errorf("bare IP mask = /%d, want /32", ones)
+	}
+}
+
+func TestTrustedProxiesInvalid(t *testing.T) {
+	t.Setenv("FAVORITTER_TRUSTED_PROXIES", "not-an-ip, 10.0.0.0/8")
+
+	cfg := Load()
+
+	// Invalid entries are skipped; valid ones remain.
+	if len(cfg.TrustedProxies) != 1 {
+		t.Errorf("TrustedProxies: got %d, want 1 (invalid skipped)", len(cfg.TrustedProxies))
+	}
+}
+
+func TestBasePathNormalization(t *testing.T) {
+	tests := []struct {
+		input string
+		want  string
+	}{
+		{"/", ""},
+		{"", ""},
+		{"/faves", "/faves"},
+		{"/faves/", "/faves"},
+		{"faves", "/faves"},
+		{"/sub/path/", "/sub/path"},
+	}
+
+	for _, tt := range tests {
+		got := normalizePath(tt.input)
+		if got != tt.want {
+			t.Errorf("normalizePath(%q) = %q, want %q", tt.input, got, tt.want)
+		}
+	}
+}
+
+func TestDevModeFlag(t *testing.T) {
+	t.Setenv("FAVORITTER_DEV_MODE", "true")
+	cfg := Load()
+	if !cfg.DevMode {
+		t.Error("DevMode should be true when env is 'true'")
+	}
+
+	t.Setenv("FAVORITTER_DEV_MODE", "false")
+	cfg = Load()
+	if cfg.DevMode {
+		t.Error("DevMode should be false when env is 'false'")
+	}
+}
+
+func TestExternalHostname(t *testing.T) {
+	cfg := &Config{ExternalURL: "https://faves.example.com/base"}
+	if got := cfg.ExternalHostname(); got != "faves.example.com" {
+		t.Errorf("ExternalHostname = %q, want faves.example.com", got)
+	}
+
+	cfg = &Config{}
+	if got := cfg.ExternalHostname(); got != "" {
+		t.Errorf("empty ExternalURL: ExternalHostname = %q, want empty", got)
+	}
+}
+
+func TestBaseURL(t *testing.T) {
+	// With external URL configured.
+	cfg := &Config{ExternalURL: "https://faves.example.com"}
+	if got := cfg.BaseURL("localhost:8080"); got != "https://faves.example.com" {
+		t.Errorf("BaseURL with external = %q", got)
+	}
+
+	// Without external URL — falls back to request host.
+	cfg = &Config{BasePath: "/faves"}
+	if got := cfg.BaseURL("myhost.local:8080"); got != "https://myhost.local:8080/faves" {
+		t.Errorf("BaseURL fallback = %q", got)
+	}
+}
diff --git a/internal/database/database_test.go b/internal/database/database_test.go
new file mode 100644
index 0000000..506981e
--- /dev/null
+++ b/internal/database/database_test.go
@@ -0,0 +1,140 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package database
+
+import (
+	"testing"
+
+	_ "modernc.org/sqlite"
+)
+
+func TestOpenInMemory(t *testing.T) {
+	db, err := Open(":memory:")
+	if err != nil {
+		t.Fatalf("Open(:memory:): %v", err)
+	}
+	defer db.Close()
+
+	// Verify the connection is usable.
+	var result int
+	if err := db.QueryRow("SELECT 1").Scan(&result); err != nil {
+		t.Fatalf("query: %v", err)
+	}
+	if result != 1 {
+		t.Errorf("SELECT 1 = %d", result)
+	}
+}
+
+func TestMigrateCreatesAllTables(t *testing.T) {
+	db, err := Open(":memory:")
+	if err != nil {
+		t.Fatalf("open: %v", err)
+	}
+	defer db.Close()
+
+	if err := Migrate(db); err != nil {
+		t.Fatalf("migrate: %v", err)
+	}
+
+	// Check that core tables exist.
+	tables := []string{"users", "faves", "tags", "fave_tags", "sessions", "site_settings", "schema_migrations", "signup_requests"}
+	for _, table := range tables {
+		var count int
+		err := db.QueryRow("SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name=?", table).Scan(&count)
+		if err != nil {
+			t.Errorf("check table %s: %v", table, err)
+		}
+		if count != 1 {
+			t.Errorf("table %s does not exist", table)
+		}
+	}
+}
+
+func TestMigrateIdempotent(t *testing.T) {
+	db, err := Open(":memory:")
+	if err != nil {
+		t.Fatalf("open: %v", err)
+	}
+	defer db.Close()
+
+	// First migration.
+	if err := Migrate(db); err != nil {
+		t.Fatalf("first migrate: %v", err)
+	}
+
+	// Second migration should be a no-op.
+	if err := Migrate(db); err != nil {
+		t.Fatalf("second migrate: %v", err)
+	}
+
+	// Verify schema_migrations has entries (no duplicates).
+	var count int
+	db.QueryRow("SELECT COUNT(*) FROM schema_migrations").Scan(&count)
+	if count < 1 {
+		t.Error("expected at least one migration record")
+	}
+}
+
+func TestPRAGMAs(t *testing.T) {
+	db, err := Open(":memory:")
+	if err != nil {
+		t.Fatalf("open: %v", err)
+	}
+	defer db.Close()
+
+	// WAL mode.
+	var journalMode string
+	db.QueryRow("PRAGMA journal_mode").Scan(&journalMode)
+	// In-memory databases use "memory" journal mode, not "wal".
+	// WAL is only meaningful for file-based databases.
+	// We just verify the pragma was accepted without error.
+
+	// Foreign keys should be ON.
+	var fk int
+	db.QueryRow("PRAGMA foreign_keys").Scan(&fk)
+	if fk != 1 {
+		t.Errorf("foreign_keys = %d, want 1", fk)
+	}
+
+	// Busy timeout.
+	var timeout int
+	db.QueryRow("PRAGMA busy_timeout").Scan(&timeout)
+	if timeout != 5000 {
+		t.Errorf("busy_timeout = %d, want 5000", timeout)
+	}
+}
+
+func TestSingleConnection(t *testing.T) {
+	db, err := Open(":memory:")
+	if err != nil {
+		t.Fatalf("open: %v", err)
+	}
+	defer db.Close()
+
+	stats := db.Stats()
+	if stats.MaxOpenConnections != 1 {
+		t.Errorf("MaxOpenConnections = %d, want 1", stats.MaxOpenConnections)
+	}
+}
+
+func TestSiteSettingsSeeded(t *testing.T) {
+	db, err := Open(":memory:")
+	if err != nil {
+		t.Fatalf("open: %v", err)
+	}
+	defer db.Close()
+
+	if err := Migrate(db); err != nil {
+		t.Fatalf("migrate: %v", err)
+	}
+
+	// Migrations should seed a default site_settings row.
+	var siteName string
+	err = db.QueryRow("SELECT site_name FROM site_settings WHERE id = 1").Scan(&siteName)
+	if err != nil {
+		t.Fatalf("query site_settings: %v", err)
+	}
+	if siteName == "" {
+		t.Error("expected non-empty default site_name")
+	}
+}
diff --git a/internal/handler/api/api_test.go b/internal/handler/api/api_test.go
new file mode 100644
index 0000000..8158d15
--- /dev/null
+++ b/internal/handler/api/api_test.go
@@ -0,0 +1,663 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package api
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strconv"
+	"strings"
+	"testing"
+
+	"kode.naiv.no/olemd/favoritter/internal/config"
+	"kode.naiv.no/olemd/favoritter/internal/database"
+	"kode.naiv.no/olemd/favoritter/internal/middleware"
+	"kode.naiv.no/olemd/favoritter/internal/store"
+)
+
+// testAPIServer creates a wired API handler with in-memory DB.
+func testAPIServer(t *testing.T) (*Handler, *http.ServeMux, *store.UserStore, *store.SessionStore) {
+	t.Helper()
+
+	db, err := database.Open(":memory:")
+	if err != nil {
+		t.Fatalf("open db: %v", err)
+	}
+	if err := database.Migrate(db); err != nil {
+		t.Fatalf("migrate: %v", err)
+	}
+	t.Cleanup(func() { db.Close() })
+
+	store.Argon2Memory = 1024
+	store.Argon2Time = 1
+
+	cfg := &config.Config{
+		MaxUploadSize: 10 << 20, // 10 MB
+	}
+
+	users := store.NewUserStore(db)
+	sessions := store.NewSessionStore(db)
+	faves := store.NewFaveStore(db)
+	tags := store.NewTagStore(db)
+
+	h := New(Deps{
+		Config:   cfg,
+		Users:    users,
+		Sessions: sessions,
+		Faves:    faves,
+		Tags:     tags,
+	})
+
+	mux := http.NewServeMux()
+	h.Routes(mux)
+
+	// Wrap with SessionLoader so authenticated API requests work.
+	chain := middleware.SessionLoader(sessions, users)(mux)
+	wrappedMux := http.NewServeMux()
+	wrappedMux.Handle("/", chain)
+
+	return h, wrappedMux, users, sessions
+}
+
+// apiLogin creates a user and returns a session cookie.
+func apiLogin(t *testing.T, users *store.UserStore, sessions *store.SessionStore, username, password, role string) *http.Cookie {
+	t.Helper()
+	user, err := users.Create(username, password, role)
+	if err != nil {
+		t.Fatalf("create user %s: %v", username, err)
+	}
+	token, err := sessions.Create(user.ID)
+	if err != nil {
+		t.Fatalf("create session: %v", err)
+	}
+	return &http.Cookie{Name: "session", Value: token}
+}
+
+// jsonBody is a helper to parse JSON response bodies.
+func jsonBody(t *testing.T, rr *httptest.ResponseRecorder) map[string]any {
+	t.Helper()
+	var result map[string]any
+	if err := json.Unmarshal(rr.Body.Bytes(), &result); err != nil {
+		t.Fatalf("parse response JSON: %v\nbody: %s", err, rr.Body.String())
+	}
+	return result
+}
+
+// --- Auth ---
+
+func TestAPILoginSuccess(t *testing.T) {
+	_, mux, users, _ := testAPIServer(t)
+	users.Create("testuser", "password123", "user")
+
+	body := `{"username":"testuser","password":"password123"}`
+	req := httptest.NewRequest("POST", "/api/v1/auth/login", strings.NewReader(body))
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("login: got %d, want 200\nbody: %s", rr.Code, rr.Body.String())
+	}
+
+	result := jsonBody(t, rr)
+	if result["token"] == nil || result["token"] == "" {
+		t.Error("expected token in response")
+	}
+	user, ok := result["user"].(map[string]any)
+	if !ok {
+		t.Fatal("expected user object in response")
+	}
+	if user["username"] != "testuser" {
+		t.Errorf("username = %v, want testuser", user["username"])
+	}
+}
+
+func TestAPILoginWrongPassword(t *testing.T) {
+	_, mux, users, _ := testAPIServer(t)
+	users.Create("testuser", "password123", "user")
+
+	body := `{"username":"testuser","password":"wrong"}`
+	req := httptest.NewRequest("POST", "/api/v1/auth/login", strings.NewReader(body))
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusUnauthorized {
+		t.Errorf("wrong password: got %d, want 401", rr.Code)
+	}
+}
+
+func TestAPILoginInvalidBody(t *testing.T) {
+	_, mux, _, _ := testAPIServer(t)
+
+	req := httptest.NewRequest("POST", "/api/v1/auth/login", strings.NewReader("not json"))
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusBadRequest {
+		t.Errorf("invalid body: got %d, want 400", rr.Code)
+	}
+}
+
+func TestAPILogout(t *testing.T) {
+	_, mux, users, sessions := testAPIServer(t)
+	cookie := apiLogin(t, users, sessions, "testuser", "pass123", "user")
+
+	req := httptest.NewRequest("POST", "/api/v1/auth/logout", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("logout: got %d, want 200", rr.Code)
+	}
+
+	// Session should be invalid now.
+	_, err := sessions.Validate(cookie.Value)
+	if err == nil {
+		t.Error("session should be invalidated after logout")
+	}
+}
+
+// --- Faves CRUD ---
+
+func TestAPICreateFave(t *testing.T) {
+	_, mux, users, sessions := testAPIServer(t)
+	cookie := apiLogin(t, users, sessions, "testuser", "pass123", "user")
+
+	body := `{"description":"My favorite thing","url":"https://example.com","privacy":"public","tags":["go","web"]}`
+	req := httptest.NewRequest("POST", "/api/v1/faves", strings.NewReader(body))
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusCreated {
+		t.Fatalf("create fave: got %d, want 201\nbody: %s", rr.Code, rr.Body.String())
+	}
+
+	result := jsonBody(t, rr)
+	if result["description"] != "My favorite thing" {
+		t.Errorf("description = %v", result["description"])
+	}
+	if result["url"] != "https://example.com" {
+		t.Errorf("url = %v", result["url"])
+	}
+	tags, ok := result["tags"].([]any)
+	if !ok || len(tags) != 2 {
+		t.Errorf("expected 2 tags, got %v", result["tags"])
+	}
+}
+
+func TestAPICreateFaveMissingDescription(t *testing.T) {
+	_, mux, users, sessions := testAPIServer(t)
+	cookie := apiLogin(t, users, sessions, "testuser", "pass123", "user")
+
+	body := `{"url":"https://example.com"}`
+	req := httptest.NewRequest("POST", "/api/v1/faves", strings.NewReader(body))
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusBadRequest {
+		t.Errorf("missing description: got %d, want 400", rr.Code)
+	}
+}
+
+func TestAPICreateFaveRequiresAuth(t *testing.T) {
+	_, mux, _, _ := testAPIServer(t)
+
+	body := `{"description":"test"}`
+	req := httptest.NewRequest("POST", "/api/v1/faves", strings.NewReader(body))
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	// Should redirect or return non-2xx.
+	if rr.Code == http.StatusCreated || rr.Code == http.StatusOK {
+		t.Errorf("unauthenticated create: got %d, should not be 2xx", rr.Code)
+	}
+}
+
+func TestAPIGetFave(t *testing.T) {
+	h, mux, users, sessions := testAPIServer(t)
+	cookie := apiLogin(t, users, sessions, "testuser", "pass123", "user")
+
+	// Create a public fave directly.
+	user, _ := users.GetByUsername("testuser")
+	fave, _ := h.deps.Faves.Create(user.ID, "Test fave", "https://example.com", "", "public")
+	h.deps.Tags.SetFaveTags(fave.ID, []string{"test"})
+
+	req := httptest.NewRequest("GET", "/api/v1/faves/"+faveIDStr(fave.ID), nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("get fave: got %d, want 200", rr.Code)
+	}
+
+	result := jsonBody(t, rr)
+	if result["description"] != "Test fave" {
+		t.Errorf("description = %v", result["description"])
+	}
+}
+
+func TestAPIGetFaveNotFound(t *testing.T) {
+	_, mux, _, _ := testAPIServer(t)
+
+	req := httptest.NewRequest("GET", "/api/v1/faves/99999", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusNotFound {
+		t.Errorf("nonexistent fave: got %d, want 404", rr.Code)
+	}
+}
+
+func TestAPIPrivateFaveHiddenFromOthers(t *testing.T) {
+	h, mux, users, sessions := testAPIServer(t)
+
+	// User A creates a private fave.
+	userA, _ := users.Create("usera", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(userA.ID, "Secret", "", "", "private")
+
+	// User B tries to access it.
+	cookieB := apiLogin(t, users, sessions, "userb", "pass123", "user")
+
+	req := httptest.NewRequest("GET", "/api/v1/faves/"+faveIDStr(fave.ID), nil)
+	req.AddCookie(cookieB)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusNotFound {
+		t.Errorf("private fave for other user: got %d, want 404", rr.Code)
+	}
+}
+
+func TestAPIPrivateFaveVisibleToOwner(t *testing.T) {
+	h, mux, users, sessions := testAPIServer(t)
+
+	userA, _ := users.Create("usera", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(userA.ID, "My secret", "", "", "private")
+
+	tokenA, _ := sessions.Create(userA.ID)
+	cookieA := &http.Cookie{Name: "session", Value: tokenA}
+
+	req := httptest.NewRequest("GET", "/api/v1/faves/"+faveIDStr(fave.ID), nil)
+	req.AddCookie(cookieA)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("own private fave: got %d, want 200", rr.Code)
+	}
+}
+
+func TestAPIUpdateFave(t *testing.T) {
+	h, mux, users, sessions := testAPIServer(t)
+
+	user, _ := users.Create("testuser", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(user.ID, "Original", "https://old.com", "", "public")
+	token, _ := sessions.Create(user.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	body := `{"description":"Updated","url":"https://new.com","tags":["updated"]}`
+	req := httptest.NewRequest("PUT", "/api/v1/faves/"+faveIDStr(fave.ID), strings.NewReader(body))
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("update fave: got %d, want 200\nbody: %s", rr.Code, rr.Body.String())
+	}
+
+	result := jsonBody(t, rr)
+	if result["description"] != "Updated" {
+		t.Errorf("description = %v, want Updated", result["description"])
+	}
+	if result["url"] != "https://new.com" {
+		t.Errorf("url = %v, want https://new.com", result["url"])
+	}
+}
+
+func TestAPIUpdateFaveNotOwner(t *testing.T) {
+	h, mux, users, sessions := testAPIServer(t)
+
+	userA, _ := users.Create("usera", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "public")
+
+	cookieB := apiLogin(t, users, sessions, "userb", "pass123", "user")
+
+	body := `{"description":"Hijacked"}`
+	req := httptest.NewRequest("PUT", "/api/v1/faves/"+faveIDStr(fave.ID), strings.NewReader(body))
+	req.AddCookie(cookieB)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusForbidden {
+		t.Errorf("update by non-owner: got %d, want 403", rr.Code)
+	}
+}
+
+func TestAPIDeleteFave(t *testing.T) {
+	h, mux, users, sessions := testAPIServer(t)
+
+	user, _ := users.Create("testuser", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(user.ID, "Delete me", "", "", "public")
+	token, _ := sessions.Create(user.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	req := httptest.NewRequest("DELETE", "/api/v1/faves/"+faveIDStr(fave.ID), nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusNoContent {
+		t.Errorf("delete fave: got %d, want 204", rr.Code)
+	}
+
+	// Verify it's gone.
+	req = httptest.NewRequest("GET", "/api/v1/faves/"+faveIDStr(fave.ID), nil)
+	req.AddCookie(cookie)
+	rr = httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+	if rr.Code != http.StatusNotFound {
+		t.Errorf("deleted fave: got %d, want 404", rr.Code)
+	}
+}
+
+func TestAPIDeleteFaveNotOwner(t *testing.T) {
+	h, mux, users, sessions := testAPIServer(t)
+
+	userA, _ := users.Create("usera", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "public")
+
+	cookieB := apiLogin(t, users, sessions, "userb", "pass123", "user")
+
+	req := httptest.NewRequest("DELETE", "/api/v1/faves/"+faveIDStr(fave.ID), nil)
+	req.AddCookie(cookieB)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusForbidden {
+		t.Errorf("delete by non-owner: got %d, want 403", rr.Code)
+	}
+}
+
+func TestAPIListFaves(t *testing.T) {
+	h, mux, users, sessions := testAPIServer(t)
+
+	user, _ := users.Create("testuser", "pass123", "user")
+	h.deps.Faves.Create(user.ID, "Fave 1", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Fave 2", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Fave 3", "", "", "private")
+	token, _ := sessions.Create(user.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	req := httptest.NewRequest("GET", "/api/v1/faves", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("list faves: got %d, want 200", rr.Code)
+	}
+
+	result := jsonBody(t, rr)
+	total, _ := result["total"].(float64)
+	if total != 3 {
+		t.Errorf("total = %v, want 3 (all faves including private)", total)
+	}
+}
+
+func TestAPIListFavesPagination(t *testing.T) {
+	h, mux, users, sessions := testAPIServer(t)
+
+	user, _ := users.Create("testuser", "pass123", "user")
+	for i := 0; i < 5; i++ {
+		h.deps.Faves.Create(user.ID, "Fave", "", "", "public")
+	}
+	token, _ := sessions.Create(user.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	req := httptest.NewRequest("GET", "/api/v1/faves?page=1&limit=2", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	result := jsonBody(t, rr)
+	faves, ok := result["faves"].([]any)
+	if !ok {
+		t.Fatal("expected faves array")
+	}
+	if len(faves) != 2 {
+		t.Errorf("page size: got %d faves, want 2", len(faves))
+	}
+	total, _ := result["total"].(float64)
+	if total != 5 {
+		t.Errorf("total = %v, want 5", total)
+	}
+}
+
+// --- Tags ---
+
+func TestAPISearchTags(t *testing.T) {
+	h, mux, users, _ := testAPIServer(t)
+
+	user, _ := users.Create("testuser", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(user.ID, "Test", "", "", "public")
+	h.deps.Tags.SetFaveTags(fave.ID, []string{"golang", "goroutines", "python"})
+
+	req := httptest.NewRequest("GET", "/api/v1/tags?q=go", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("search tags: got %d, want 200", rr.Code)
+	}
+
+	result := jsonBody(t, rr)
+	tags, ok := result["tags"].([]any)
+	if !ok {
+		t.Fatal("expected tags array")
+	}
+	if len(tags) < 1 {
+		t.Error("expected at least one tag matching 'go'")
+	}
+}
+
+func TestAPISearchTagsEmpty(t *testing.T) {
+	_, mux, _, _ := testAPIServer(t)
+
+	req := httptest.NewRequest("GET", "/api/v1/tags?q=nonexistent", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("empty tag search: got %d, want 200", rr.Code)
+	}
+
+	result := jsonBody(t, rr)
+	tags, _ := result["tags"].([]any)
+	if len(tags) != 0 {
+		t.Errorf("expected empty tags, got %v", tags)
+	}
+}
+
+// --- Users ---
+
+func TestAPIGetUser(t *testing.T) {
+	_, mux, users, _ := testAPIServer(t)
+	users.Create("testuser", "pass123", "user")
+
+	req := httptest.NewRequest("GET", "/api/v1/users/testuser", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("get user: got %d, want 200", rr.Code)
+	}
+
+	result := jsonBody(t, rr)
+	if result["username"] != "testuser" {
+		t.Errorf("username = %v", result["username"])
+	}
+}
+
+func TestAPIGetUserNotFound(t *testing.T) {
+	_, mux, _, _ := testAPIServer(t)
+
+	req := httptest.NewRequest("GET", "/api/v1/users/nobody", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusNotFound {
+		t.Errorf("nonexistent user: got %d, want 404", rr.Code)
+	}
+}
+
+func TestAPIGetDisabledUser(t *testing.T) {
+	_, mux, users, _ := testAPIServer(t)
+	user, _ := users.Create("disabled", "pass123", "user")
+	users.SetDisabled(user.ID, true)
+
+	req := httptest.NewRequest("GET", "/api/v1/users/disabled", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusNotFound {
+		t.Errorf("disabled user: got %d, want 404", rr.Code)
+	}
+}
+
+func TestAPIGetUserFaves(t *testing.T) {
+	h, mux, users, _ := testAPIServer(t)
+	user, _ := users.Create("testuser", "pass123", "user")
+	h.deps.Faves.Create(user.ID, "Public fave", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Private fave", "", "", "private")
+
+	req := httptest.NewRequest("GET", "/api/v1/users/testuser/faves", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("user faves: got %d, want 200", rr.Code)
+	}
+
+	result := jsonBody(t, rr)
+	total, _ := result["total"].(float64)
+	if total != 1 {
+		t.Errorf("total = %v, want 1 (only public faves)", total)
+	}
+}
+
+// --- Export/Import ---
+
+func TestAPIExport(t *testing.T) {
+	h, mux, users, sessions := testAPIServer(t)
+
+	user, _ := users.Create("testuser", "pass123", "user")
+	h.deps.Faves.Create(user.ID, "Fave 1", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Fave 2", "", "", "private")
+	token, _ := sessions.Create(user.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	req := httptest.NewRequest("GET", "/api/v1/export/json", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("export: got %d, want 200", rr.Code)
+	}
+
+	// Export returns a JSON array directly.
+	var faves []any
+	if err := json.Unmarshal(rr.Body.Bytes(), &faves); err != nil {
+		t.Fatalf("parse export JSON: %v", err)
+	}
+	if len(faves) != 2 {
+		t.Errorf("exported %d faves, want 2", len(faves))
+	}
+}
+
+func TestAPIImportValid(t *testing.T) {
+	_, mux, users, sessions := testAPIServer(t)
+	cookie := apiLogin(t, users, sessions, "testuser", "pass123", "user")
+
+	body := `[{"description":"Imported 1","privacy":"public"},{"description":"Imported 2","tags":["test"]}]`
+	req := httptest.NewRequest("POST", "/api/v1/import", strings.NewReader(body))
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("import: got %d, want 200\nbody: %s", rr.Code, rr.Body.String())
+	}
+
+	result := jsonBody(t, rr)
+	imported, _ := result["imported"].(float64)
+	if imported != 2 {
+		t.Errorf("imported = %v, want 2", imported)
+	}
+}
+
+func TestAPIImportSkipsEmpty(t *testing.T) {
+	_, mux, users, sessions := testAPIServer(t)
+	cookie := apiLogin(t, users, sessions, "testuser", "pass123", "user")
+
+	body := `[{"description":"Valid"},{"description":"","url":"https://empty.com"}]`
+	req := httptest.NewRequest("POST", "/api/v1/import", strings.NewReader(body))
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	result := jsonBody(t, rr)
+	imported, _ := result["imported"].(float64)
+	total, _ := result["total"].(float64)
+	if imported != 1 {
+		t.Errorf("imported = %v, want 1", imported)
+	}
+	if total != 2 {
+		t.Errorf("total = %v, want 2", total)
+	}
+}
+
+func TestAPIImportInvalidJSON(t *testing.T) {
+	_, mux, users, sessions := testAPIServer(t)
+	cookie := apiLogin(t, users, sessions, "testuser", "pass123", "user")
+
+	req := httptest.NewRequest("POST", "/api/v1/import", strings.NewReader("not json"))
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusBadRequest {
+		t.Errorf("invalid JSON import: got %d, want 400", rr.Code)
+	}
+}
+
+// --- JSON helpers ---
+
+func TestQueryIntFallback(t *testing.T) {
+	tests := []struct {
+		query string
+		want  int
+	}{
+		{"", 10},
+		{"page=abc", 10},
+		{"page=-1", 10},
+		{"page=0", 10},
+		{"page=5", 5},
+	}
+	for _, tt := range tests {
+		req := httptest.NewRequest("GET", "/test?"+tt.query, nil)
+		got := queryInt(req, "page", 10)
+		if got != tt.want {
+			t.Errorf("queryInt(%q) = %d, want %d", tt.query, got, tt.want)
+		}
+	}
+}
+
+// faveIDStr converts an int64 to a string for URL paths.
+func faveIDStr(id int64) string {
+	return strconv.FormatInt(id, 10)
+}
diff --git a/internal/handler/handler_test.go b/internal/handler/handler_test.go
index f5d6769..e12d232 100644
--- a/internal/handler/handler_test.go
+++ b/internal/handler/handler_test.go
@@ -67,8 +67,8 @@ func testServer(t *testing.T) (*Handler, *http.ServeMux) {
 
 	mux := h.Routes()
 
-	// Wrap with SessionLoader so authenticated tests work.
-	chain := middleware.SessionLoader(sessions, users)(mux)
+	// Wrap with SessionLoader and CSRFProtection so authenticated tests work.
+	chain := middleware.CSRFProtection(cfg)(middleware.SessionLoader(sessions, users)(mux))
 	wrappedMux := http.NewServeMux()
 	wrappedMux.Handle("/", chain)
 
diff --git a/internal/handler/web_test.go b/internal/handler/web_test.go
new file mode 100644
index 0000000..5d5268a
--- /dev/null
+++ b/internal/handler/web_test.go
@@ -0,0 +1,1153 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package handler
+
+import (
+	"bytes"
+	"encoding/csv"
+	"encoding/json"
+	"mime/multipart"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+	"testing"
+)
+
+// csrfToken performs a GET to extract a CSRF token cookie from the response.
+func csrfToken(t *testing.T, mux *http.ServeMux, path string) string {
+	t.Helper()
+	req := httptest.NewRequest("GET", path, nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+	token := extractCookie(rr, "csrf_token")
+	if token == "" {
+		t.Fatal("no csrf_token cookie from GET " + path)
+	}
+	return token
+}
+
+// postForm creates a POST request with form data and CSRF token.
+func postForm(path string, csrf string, values url.Values, cookies ...*http.Cookie) *http.Request {
+	values.Set("csrf_token", csrf)
+	req := httptest.NewRequest("POST", path, strings.NewReader(values.Encode()))
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrf})
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}
+	return req
+}
+
+// --- Auth flows ---
+
+func TestSignupOpenMode(t *testing.T) {
+	h, mux := testServer(t)
+
+	// Set signup mode to open.
+	h.deps.Settings.Update("Test", "", "open")
+
+	csrf := csrfToken(t, mux, "/signup")
+
+	form := url.Values{
+		"username":         {"newuser"},
+		"password":         {"password123"},
+		"password_confirm": {"password123"},
+	}
+	req := postForm("/signup", csrf, form)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusSeeOther {
+		t.Errorf("signup: got %d, want 303\nbody: %s", rr.Code, rr.Body.String())
+	}
+
+	// Should have a session cookie (auto-login after signup).
+	if extractCookie(rr, "session") == "" {
+		t.Error("expected session cookie after signup")
+	}
+}
+
+func TestSignupDuplicate(t *testing.T) {
+	h, mux := testServer(t)
+	h.deps.Settings.Update("Test", "", "open")
+	h.deps.Users.Create("existing", "password123", "user")
+
+	csrf := csrfToken(t, mux, "/signup")
+
+	form := url.Values{
+		"username":         {"existing"},
+		"password":         {"password123"},
+		"password_confirm": {"password123"},
+	}
+	req := postForm("/signup", csrf, form)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("duplicate signup: got %d, want 200 (re-render)", rr.Code)
+	}
+	if !strings.Contains(rr.Body.String(), "allerede i bruk") {
+		t.Error("should show duplicate username error")
+	}
+}
+
+func TestSignupClosedMode(t *testing.T) {
+	h, mux := testServer(t)
+	h.deps.Settings.Update("Test", "", "closed")
+
+	csrf := csrfToken(t, mux, "/signup")
+
+	form := url.Values{
+		"username":         {"newuser"},
+		"password":         {"password123"},
+		"password_confirm": {"password123"},
+	}
+	req := postForm("/signup", csrf, form)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	body := rr.Body.String()
+	if !strings.Contains(body, "stengt") {
+		t.Error("closed signup should show 'stengt' message")
+	}
+}
+
+func TestSignupRequestMode(t *testing.T) {
+	h, mux := testServer(t)
+	h.deps.Settings.Update("Test", "", "requests")
+
+	csrf := csrfToken(t, mux, "/signup")
+
+	form := url.Values{
+		"username":         {"requester"},
+		"password":         {"password123"},
+		"password_confirm": {"password123"},
+	}
+	req := postForm("/signup", csrf, form)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	body := rr.Body.String()
+	if !strings.Contains(body, "sendt") {
+		t.Error("request mode signup should show 'sendt' message")
+	}
+
+	// Verify a signup request was created.
+	requests, _ := h.deps.SignupRequests.ListPending()
+	if len(requests) != 1 {
+		t.Errorf("expected 1 pending request, got %d", len(requests))
+	}
+}
+
+func TestSignupInvalidUsername(t *testing.T) {
+	h, mux := testServer(t)
+	h.deps.Settings.Update("Test", "", "open")
+
+	csrf := csrfToken(t, mux, "/signup")
+
+	form := url.Values{
+		"username":         {"a"}, // Too short (min 2).
+		"password":         {"password123"},
+		"password_confirm": {"password123"},
+	}
+	req := postForm("/signup", csrf, form)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "Ugyldig brukernavn") {
+		t.Error("should show username validation error")
+	}
+}
+
+func TestSignupPasswordTooShort(t *testing.T) {
+	h, mux := testServer(t)
+	h.deps.Settings.Update("Test", "", "open")
+
+	csrf := csrfToken(t, mux, "/signup")
+
+	form := url.Values{
+		"username":         {"newuser"},
+		"password":         {"short"},
+		"password_confirm": {"short"},
+	}
+	req := postForm("/signup", csrf, form)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "minst 8 tegn") {
+		t.Error("should show password length error")
+	}
+}
+
+func TestSignupPasswordMismatch(t *testing.T) {
+	h, mux := testServer(t)
+	h.deps.Settings.Update("Test", "", "open")
+
+	csrf := csrfToken(t, mux, "/signup")
+
+	form := url.Values{
+		"username":         {"newuser"},
+		"password":         {"password123"},
+		"password_confirm": {"different456"},
+	}
+	req := postForm("/signup", csrf, form)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "ikke like") {
+		t.Error("should show password mismatch error")
+	}
+}
+
+func TestLogout(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	csrf := csrfToken(t, mux, "/login")
+
+	req := postForm("/logout", csrf, url.Values{}, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusSeeOther {
+		t.Errorf("logout: got %d, want 303", rr.Code)
+	}
+	loc := rr.Header().Get("Location")
+	if !strings.Contains(loc, "/login") {
+		t.Errorf("logout redirect = %q, want /login", loc)
+	}
+}
+
+func TestPasswordResetFlow(t *testing.T) {
+	h, mux := testServer(t)
+
+	// Create user with must_reset flag.
+	user, _ := h.deps.Users.CreateWithReset("resetuser", "temppass", "user")
+	token, _ := h.deps.Sessions.Create(user.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	// Accessing /reset-password should render the form.
+	req := httptest.NewRequest("GET", "/reset-password", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("reset page: got %d, want 200", rr.Code)
+	}
+	if !strings.Contains(rr.Body.String(), "Endre passord") {
+		t.Error("should render password reset form")
+	}
+}
+
+func TestPasswordResetSubmit(t *testing.T) {
+	h, mux := testServer(t)
+
+	user, _ := h.deps.Users.CreateWithReset("resetuser", "temppass", "user")
+	token, _ := h.deps.Sessions.Create(user.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	// Get CSRF token.
+	getReq := httptest.NewRequest("GET", "/reset-password", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	form := url.Values{
+		"password":         {"newpassword123"},
+		"password_confirm": {"newpassword123"},
+	}
+	req := postForm("/reset-password", csrf, form, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusSeeOther {
+		t.Errorf("reset submit: got %d, want 303\nbody: %s", rr.Code, rr.Body.String())
+	}
+
+	// Verify new password works.
+	_, err := h.deps.Users.Authenticate("resetuser", "newpassword123")
+	if err != nil {
+		t.Errorf("new password should work: %v", err)
+	}
+}
+
+// --- Fave CRUD (web) ---
+
+func TestCreateFavePageRendering(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	req := httptest.NewRequest("GET", "/faves/new", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("new fave page: got %d, want 200", rr.Code)
+	}
+	if !strings.Contains(rr.Body.String(), "Ny favoritt") {
+		t.Error("should render new fave form")
+	}
+}
+
+func TestCreateFaveSubmit(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	// Get CSRF token.
+	getReq := httptest.NewRequest("GET", "/faves/new", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	// POST multipart form (fave creation uses ParseMultipartForm).
+	var body bytes.Buffer
+	writer := multipart.NewWriter(&body)
+	writer.WriteField("csrf_token", csrf)
+	writer.WriteField("description", "Min nye favoritt")
+	writer.WriteField("url", "https://example.com")
+	writer.WriteField("privacy", "public")
+	writer.WriteField("tags", "test, go")
+	writer.Close()
+
+	req := httptest.NewRequest("POST", "/faves", &body)
+	req.Header.Set("Content-Type", writer.FormDataContentType())
+	req.AddCookie(cookie)
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrf})
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusSeeOther {
+		t.Errorf("create fave: got %d, want 303\nbody: %s", rr.Code, rr.Body.String())
+	}
+
+	// Verify redirect points to the new fave.
+	loc := rr.Header().Get("Location")
+	if !strings.Contains(loc, "/faves/") {
+		t.Errorf("redirect = %q, should point to /faves/{id}", loc)
+	}
+}
+
+func TestCreateFaveMissingDescription(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	getReq := httptest.NewRequest("GET", "/faves/new", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	var body bytes.Buffer
+	writer := multipart.NewWriter(&body)
+	writer.WriteField("csrf_token", csrf)
+	writer.WriteField("description", "")
+	writer.Close()
+
+	req := httptest.NewRequest("POST", "/faves", &body)
+	req.Header.Set("Content-Type", writer.FormDataContentType())
+	req.AddCookie(cookie)
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrf})
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "Beskrivelse er påkrevd") {
+		t.Error("should show description required error")
+	}
+}
+
+func TestEditFaveNotOwner(t *testing.T) {
+	h, mux := testServer(t)
+
+	userA, _ := h.deps.Users.Create("usera", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "public")
+
+	cookieB := loginUser(t, h, "userb", "pass123", "user")
+
+	req := httptest.NewRequest("GET", "/faves/"+faveIDStr(fave.ID)+"/edit", nil)
+	req.AddCookie(cookieB)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusForbidden {
+		t.Errorf("edit by non-owner: got %d, want 403", rr.Code)
+	}
+}
+
+func TestDeleteFaveHTMX(t *testing.T) {
+	h, mux := testServer(t)
+
+	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(user.ID, "Delete me", "", "", "public")
+	token, _ := h.deps.Sessions.Create(user.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	getReq := httptest.NewRequest("GET", "/faves/"+faveIDStr(fave.ID), nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	req := httptest.NewRequest("DELETE", "/faves/"+faveIDStr(fave.ID), nil)
+	req.Header.Set("HX-Request", "true")
+	req.Header.Set("X-CSRF-Token", csrf)
+	req.AddCookie(cookie)
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrf})
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("HTMX delete: got %d, want 200", rr.Code)
+	}
+}
+
+func TestDeleteFaveNotOwner(t *testing.T) {
+	h, mux := testServer(t)
+
+	userA, _ := h.deps.Users.Create("usera", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "public")
+
+	cookieB := loginUser(t, h, "userb", "pass123", "user")
+
+	getReq := httptest.NewRequest("GET", "/faves/"+faveIDStr(fave.ID), nil)
+	getReq.AddCookie(cookieB)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	req := httptest.NewRequest("DELETE", "/faves/"+faveIDStr(fave.ID), nil)
+	req.Header.Set("X-CSRF-Token", csrf)
+	req.AddCookie(cookieB)
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrf})
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusForbidden {
+		t.Errorf("delete by non-owner: got %d, want 403", rr.Code)
+	}
+}
+
+// --- Admin ---
+
+func TestAdminUserList(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "admin", "pass123", "admin")
+	h.deps.Users.Create("regular", "pass123", "user")
+
+	req := httptest.NewRequest("GET", "/admin/users", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("admin users: got %d, want 200", rr.Code)
+	}
+	body := rr.Body.String()
+	if !strings.Contains(body, "admin") || !strings.Contains(body, "regular") {
+		t.Error("admin users page should list all users")
+	}
+}
+
+func TestAdminCreateUser(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "admin", "pass123", "admin")
+
+	getReq := httptest.NewRequest("GET", "/admin/users", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	form := url.Values{
+		"username": {"newuser"},
+		"role":     {"user"},
+	}
+	req := postForm("/admin/users", csrf, form, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "Bruker opprettet") {
+		t.Error("should show user created message")
+	}
+
+	// Verify user was created.
+	_, err := h.deps.Users.GetByUsername("newuser")
+	if err != nil {
+		t.Errorf("new user should exist: %v", err)
+	}
+}
+
+func TestAdminToggleDisabled(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "admin", "pass123", "admin")
+	user, _ := h.deps.Users.Create("target", "pass123", "user")
+
+	getReq := httptest.NewRequest("GET", "/admin/users", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	req := postForm("/admin/users/"+faveIDStr(user.ID)+"/toggle-disabled", csrf, url.Values{}, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "deaktivert") {
+		t.Error("should show deactivated message")
+	}
+}
+
+func TestAdminCannotDisableSelf(t *testing.T) {
+	h, mux := testServer(t)
+
+	admin, _ := h.deps.Users.Create("admin", "pass123", "admin")
+	token, _ := h.deps.Sessions.Create(admin.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	getReq := httptest.NewRequest("GET", "/admin/users", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	req := postForm("/admin/users/"+faveIDStr(admin.ID)+"/toggle-disabled", csrf, url.Values{}, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "din egen konto") {
+		t.Error("should prevent self-disable")
+	}
+}
+
+func TestAdminSettings(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "admin", "pass123", "admin")
+
+	// GET settings page.
+	getReq := httptest.NewRequest("GET", "/admin/settings", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+
+	if getRR.Code != http.StatusOK {
+		t.Errorf("admin settings GET: got %d, want 200", getRR.Code)
+	}
+
+	csrf := extractCookie(getRR, "csrf_token")
+
+	// POST updated settings.
+	form := url.Values{
+		"site_name":        {"Nytt Navn"},
+		"site_description": {"En beskrivelse"},
+		"signup_mode":      {"closed"},
+	}
+	req := postForm("/admin/settings", csrf, form, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "lagret") {
+		t.Error("should show settings saved message")
+	}
+
+	// Verify settings were updated.
+	settings, _ := h.deps.Settings.Get()
+	if settings.SiteName != "Nytt Navn" {
+		t.Errorf("site_name = %q, want 'Nytt Navn'", settings.SiteName)
+	}
+}
+
+func TestAdminApproveSignupRequest(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "admin", "pass123", "admin")
+
+	// Create a signup request.
+	h.deps.SignupRequests.Create("requester", "password123")
+
+	requests, _ := h.deps.SignupRequests.ListPending()
+	if len(requests) == 0 {
+		t.Fatal("expected pending request")
+	}
+
+	getReq := httptest.NewRequest("GET", "/admin/signup-requests", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	form := url.Values{"action": {"approve"}}
+	req := postForm("/admin/signup-requests/"+faveIDStr(requests[0].ID), csrf, form, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "godkjent") {
+		t.Error("should show approved message")
+	}
+
+	// User should now exist.
+	_, err := h.deps.Users.GetByUsername("requester")
+	if err != nil {
+		t.Errorf("approved user should exist: %v", err)
+	}
+}
+
+func TestAdminRejectSignupRequest(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "admin", "pass123", "admin")
+
+	h.deps.SignupRequests.Create("rejectable", "password123")
+	requests, _ := h.deps.SignupRequests.ListPending()
+
+	getReq := httptest.NewRequest("GET", "/admin/signup-requests", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	form := url.Values{"action": {"reject"}}
+	req := postForm("/admin/signup-requests/"+faveIDStr(requests[0].ID), csrf, form, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "avvist") {
+		t.Error("should show rejected message")
+	}
+}
+
+func TestAdminTags(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "admin", "pass123", "admin")
+
+	// Create a tag via a fave.
+	admin, _ := h.deps.Users.GetByUsername("admin")
+	fave, _ := h.deps.Faves.Create(admin.ID, "Test", "", "", "public")
+	h.deps.Tags.SetFaveTags(fave.ID, []string{"testmerke"})
+
+	req := httptest.NewRequest("GET", "/admin/tags", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("admin tags: got %d, want 200", rr.Code)
+	}
+	if !strings.Contains(rr.Body.String(), "testmerke") {
+		t.Error("admin tags page should list tags")
+	}
+}
+
+// --- Feeds ---
+
+func TestUserFeed(t *testing.T) {
+	h, mux := testServer(t)
+
+	user, _ := h.deps.Users.Create("feeduser", "pass123", "user")
+	h.deps.Users.UpdateProfile(user.ID, "Feed User", "", "public", "public")
+	h.deps.Faves.Create(user.ID, "User fave", "", "", "public")
+
+	req := httptest.NewRequest("GET", "/u/feeduser/feed.xml", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("user feed: got %d, want 200", rr.Code)
+	}
+	ct := rr.Header().Get("Content-Type")
+	if !strings.Contains(ct, "atom+xml") {
+		t.Errorf("content-type = %q", ct)
+	}
+	if !strings.Contains(rr.Body.String(), "User fave") {
+		t.Error("user feed should contain fave")
+	}
+}
+
+func TestFeedExcludesPrivate(t *testing.T) {
+	h, mux := testServer(t)
+
+	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
+	h.deps.Faves.Create(user.ID, "Public fave", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Secret fave", "", "", "private")
+
+	req := httptest.NewRequest("GET", "/feed.xml", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	body := rr.Body.String()
+	if !strings.Contains(body, "Public fave") {
+		t.Error("feed should contain public fave")
+	}
+	if strings.Contains(body, "Secret fave") {
+		t.Error("feed should NOT contain private fave")
+	}
+}
+
+func TestTagFeed(t *testing.T) {
+	h, mux := testServer(t)
+
+	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(user.ID, "Tagged fave", "", "", "public")
+	h.deps.Tags.SetFaveTags(fave.ID, []string{"golang"})
+
+	req := httptest.NewRequest("GET", "/tags/golang/feed.xml", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("tag feed: got %d, want 200", rr.Code)
+	}
+	if !strings.Contains(rr.Body.String(), "Tagged fave") {
+		t.Error("tag feed should contain tagged fave")
+	}
+}
+
+func TestLimitedProfileFeedReturns404(t *testing.T) {
+	h, mux := testServer(t)
+
+	user, _ := h.deps.Users.Create("limited", "pass123", "user")
+	h.deps.Users.UpdateProfile(user.ID, "Limited", "", "limited", "public")
+
+	req := httptest.NewRequest("GET", "/u/limited/feed.xml", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusNotFound {
+		t.Errorf("limited profile feed: got %d, want 404", rr.Code)
+	}
+}
+
+// --- Import/Export (web) ---
+
+func TestExportJSON(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	user, _ := h.deps.Users.GetByUsername("testuser")
+	fave, _ := h.deps.Faves.Create(user.ID, "Export me", "https://example.com", "", "public")
+	h.deps.Tags.SetFaveTags(fave.ID, []string{"test"})
+
+	req := httptest.NewRequest("GET", "/export/json", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("export JSON: got %d, want 200", rr.Code)
+	}
+
+	ct := rr.Header().Get("Content-Type")
+	if !strings.Contains(ct, "application/json") {
+		t.Errorf("content-type = %q", ct)
+	}
+
+	var faves []ExportFave
+	if err := json.Unmarshal(rr.Body.Bytes(), &faves); err != nil {
+		t.Fatalf("parse export: %v", err)
+	}
+	if len(faves) != 1 {
+		t.Fatalf("exported %d, want 1", len(faves))
+	}
+	if faves[0].Description != "Export me" {
+		t.Errorf("description = %q", faves[0].Description)
+	}
+}
+
+func TestExportCSV(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	user, _ := h.deps.Users.GetByUsername("testuser")
+	h.deps.Faves.Create(user.ID, "CSV fave", "", "", "public")
+
+	req := httptest.NewRequest("GET", "/export/csv", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("export CSV: got %d, want 200", rr.Code)
+	}
+
+	ct := rr.Header().Get("Content-Type")
+	if !strings.Contains(ct, "text/csv") {
+		t.Errorf("content-type = %q", ct)
+	}
+
+	reader := csv.NewReader(bytes.NewReader(rr.Body.Bytes()))
+	records, err := reader.ReadAll()
+	if err != nil {
+		t.Fatalf("parse CSV: %v", err)
+	}
+	// Header + 1 data row.
+	if len(records) != 2 {
+		t.Errorf("CSV rows = %d, want 2 (header + data)", len(records))
+	}
+	if records[0][0] != "description" {
+		t.Errorf("CSV header = %q, want 'description'", records[0][0])
+	}
+}
+
+func TestImportJSONFile(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	getReq := httptest.NewRequest("GET", "/import", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	// Build multipart form with JSON file.
+	var body bytes.Buffer
+	writer := multipart.NewWriter(&body)
+	writer.WriteField("csrf_token", csrf)
+	part, _ := writer.CreateFormFile("file", "import.json")
+	jsonData := `[{"description":"Imported 1","privacy":"public","tags":["go"]},{"description":"Imported 2"}]`
+	part.Write([]byte(jsonData))
+	writer.Close()
+
+	req := httptest.NewRequest("POST", "/import", &body)
+	req.Header.Set("Content-Type", writer.FormDataContentType())
+	req.AddCookie(cookie)
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrf})
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "Importert 2 av 2") {
+		t.Errorf("import result: %s", rr.Body.String())
+	}
+}
+
+func TestImportCSVFile(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	getReq := httptest.NewRequest("GET", "/import", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	// Build multipart form with CSV file.
+	var body bytes.Buffer
+	writer := multipart.NewWriter(&body)
+	writer.WriteField("csrf_token", csrf)
+	part, _ := writer.CreateFormFile("file", "import.csv")
+	csvData := "description,url,privacy,tags\nCSV Fave,https://example.com,public,test\n"
+	part.Write([]byte(csvData))
+	writer.Close()
+
+	req := httptest.NewRequest("POST", "/import", &body)
+	req.Header.Set("Content-Type", writer.FormDataContentType())
+	req.AddCookie(cookie)
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrf})
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "Importert 1 av 1") {
+		t.Errorf("import CSV result: %s", rr.Body.String())
+	}
+}
+
+// --- Profile ---
+
+func TestProfileDisabledUser(t *testing.T) {
+	h, mux := testServer(t)
+	user, _ := h.deps.Users.Create("disabled", "pass123", "user")
+	h.deps.Users.SetDisabled(user.ID, true)
+
+	req := httptest.NewRequest("GET", "/u/disabled", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusNotFound {
+		t.Errorf("disabled profile: got %d, want 404", rr.Code)
+	}
+}
+
+func TestProfileOwnerSeesPrivateFaves(t *testing.T) {
+	h, mux := testServer(t)
+
+	user, _ := h.deps.Users.Create("owner", "pass123", "user")
+	h.deps.Faves.Create(user.ID, "Private fave", "", "", "private")
+	token, _ := h.deps.Sessions.Create(user.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	req := httptest.NewRequest("GET", "/u/owner", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("own profile: got %d, want 200", rr.Code)
+	}
+	if !strings.Contains(rr.Body.String(), "Private fave") {
+		t.Error("owner should see their own private faves on profile")
+	}
+}
+
+func TestProfileVisitorCannotSeePrivateFaves(t *testing.T) {
+	h, mux := testServer(t)
+
+	user, _ := h.deps.Users.Create("owner", "pass123", "user")
+	h.deps.Users.UpdateProfile(user.ID, "Owner", "", "public", "public")
+	h.deps.Faves.Create(user.ID, "Only public", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Hidden secret", "", "", "private")
+
+	req := httptest.NewRequest("GET", "/u/owner", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	body := rr.Body.String()
+	if !strings.Contains(body, "Only public") {
+		t.Error("visitor should see public fave")
+	}
+	if strings.Contains(body, "Hidden secret") {
+		t.Error("visitor should NOT see private fave")
+	}
+}
+
+// --- Tag browsing ---
+
+func TestTagBrowse(t *testing.T) {
+	h, mux := testServer(t)
+
+	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(user.ID, "Tagged", "", "", "public")
+	h.deps.Tags.SetFaveTags(fave.ID, []string{"golang"})
+
+	req := httptest.NewRequest("GET", "/tags/golang", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("tag browse: got %d, want 200", rr.Code)
+	}
+	if !strings.Contains(rr.Body.String(), "Tagged") {
+		t.Error("tag browse should show tagged fave")
+	}
+}
+
+// --- Home page ---
+
+func TestHomePageUnauthenticated(t *testing.T) {
+	_, mux := testServer(t)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("home page: got %d, want 200", rr.Code)
+	}
+}
+
+func TestHomePageAuthenticated(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	user, _ := h.deps.Users.GetByUsername("testuser")
+	h.deps.Faves.Create(user.ID, "Home fave", "", "", "public")
+
+	req := httptest.NewRequest("GET", "/", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("authenticated home: got %d, want 200", rr.Code)
+	}
+}
+
+// --- Settings ---
+
+func TestSettingsPageRendering(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	req := httptest.NewRequest("GET", "/settings", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("settings page: got %d, want 200", rr.Code)
+	}
+	if !strings.Contains(rr.Body.String(), "Innstillinger") {
+		t.Error("should render settings page")
+	}
+}
+
+func TestSettingsUpdateProfile(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	getReq := httptest.NewRequest("GET", "/settings", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	form := url.Values{
+		"display_name":       {"Nytt Navn"},
+		"bio":                {"Min bio"},
+		"profile_visibility": {"public"},
+		"default_fave_privacy": {"private"},
+	}
+	req := postForm("/settings", csrf, form, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "lagret") {
+		t.Error("should show settings saved message")
+	}
+
+	user, _ := h.deps.Users.GetByUsername("testuser")
+	if user.DisplayName != "Nytt Navn" {
+		t.Errorf("display_name = %q", user.DisplayName)
+	}
+}
+
+func TestSettingsChangePassword(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	getReq := httptest.NewRequest("GET", "/settings", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	form := url.Values{
+		"current_password": {"pass123"},
+		"new_password":     {"newpass456"},
+		"confirm_password": {"newpass456"},
+	}
+	req := postForm("/settings/password", csrf, form, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "endret") {
+		t.Errorf("should show password changed: %s", rr.Body.String())
+	}
+
+	// Verify new password works.
+	_, err := h.deps.Users.Authenticate("testuser", "newpass456")
+	if err != nil {
+		t.Errorf("new password should work: %v", err)
+	}
+}
+
+func TestSettingsChangePasswordWrongCurrent(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	getReq := httptest.NewRequest("GET", "/settings", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	form := url.Values{
+		"current_password": {"wrongpass"},
+		"new_password":     {"newpass456"},
+		"confirm_password": {"newpass456"},
+	}
+	req := postForm("/settings/password", csrf, form, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "feil") {
+		t.Error("should show wrong password error")
+	}
+}
+
+// --- Tag autocomplete ---
+
+// TestTagSuggestionsNoInlineHandlers is a regression test for the autocomplete click bug.
+// Tag suggestions must NOT use inline event handlers (onclick, onmousedown) because
+// they are blocked by CSP (script-src 'self'). Instead, they must use data-tag-name
+// attributes and delegated event listeners in app.js.
+func TestTagSuggestionsNoInlineHandlers(t *testing.T) {
+	h, mux := testServer(t)
+
+	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(user.ID, "Test", "", "", "public")
+	h.deps.Tags.SetFaveTags(fave.ID, []string{"golang", "goroutines"})
+
+	req := httptest.NewRequest("GET", "/tags/search?q=go", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("tag search: got %d, want 200", rr.Code)
+	}
+
+	body := rr.Body.String()
+
+	// Must NOT use inline handlers — they are blocked by CSP script-src 'self'.
+	if strings.Contains(body, "onclick=") {
+		t.Error("tag suggestions must not use onclick (blocked by CSP)")
+	}
+	if strings.Contains(body, "onmousedown=") {
+		t.Error("tag suggestions must not use onmousedown (blocked by CSP)")
+	}
+	if strings.Contains(body, "ontouchstart=") {
+		t.Error("tag suggestions must not use ontouchstart (blocked by CSP)")
+	}
+
+	// Must use data-tag-name for delegated event handling in app.js.
+	if !strings.Contains(body, "data-tag-name=") {
+		t.Error("tag suggestions must use data-tag-name attribute for delegated event handling")
+	}
+
+	// Verify the tag names are in the data attributes.
+	if !strings.Contains(body, `data-tag-name="golang"`) {
+		t.Error("suggestion should have data-tag-name with the tag name")
+	}
+}
+
+// TestTagSuggestionsDisplayName verifies that the "av" display name bug is fixed.
+// The fave list should show the username as fallback when display_name is empty.
+func TestDisplayNameFallbackToUsername(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	// Create a user WITHOUT a display name and a public fave.
+	user, _ := h.deps.Users.GetByUsername("testuser")
+	h.deps.Faves.Create(user.ID, "Test fave", "", "", "public")
+
+	// The home page shows "av <display_name>" — with no display name set,
+	// it should fall back to the username.
+	req := httptest.NewRequest("GET", "/", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	body := rr.Body.String()
+	// Should show "av testuser" (username as fallback), not just "av".
+	if !strings.Contains(body, "testuser") {
+		t.Error("home page should show username as fallback when display_name is empty")
+	}
+}
+
+// --- Export page ---
+
+func TestExportPageRendering(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	req := httptest.NewRequest("GET", "/export", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("export page: got %d, want 200", rr.Code)
+	}
+	if !strings.Contains(rr.Body.String(), "Eksporter") {
+		t.Error("should render export page")
+	}
+}
diff --git a/internal/image/image_test.go b/internal/image/image_test.go
new file mode 100644
index 0000000..8b06481
--- /dev/null
+++ b/internal/image/image_test.go
@@ -0,0 +1,234 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package image
+
+import (
+	"bytes"
+	"image"
+	"image/jpeg"
+	"image/png"
+	"mime/multipart"
+	"net/textproto"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+// testJPEG creates a test JPEG image in memory with given dimensions.
+func testJPEG(t *testing.T, width, height int) (*bytes.Buffer, *multipart.FileHeader) {
+	t.Helper()
+	img := image.NewRGBA(image.Rect(0, 0, width, height))
+	var buf bytes.Buffer
+	if err := jpeg.Encode(&buf, img, &jpeg.Options{Quality: 75}); err != nil {
+		t.Fatalf("encode test jpeg: %v", err)
+	}
+	header := &multipart.FileHeader{
+		Filename: "test.jpg",
+		Size:     int64(buf.Len()),
+		Header:   textproto.MIMEHeader{"Content-Type": {"image/jpeg"}},
+	}
+	return &buf, header
+}
+
+// testPNG creates a test PNG image in memory with given dimensions.
+func testPNG(t *testing.T, width, height int) (*bytes.Buffer, *multipart.FileHeader) {
+	t.Helper()
+	img := image.NewRGBA(image.Rect(0, 0, width, height))
+	var buf bytes.Buffer
+	if err := png.Encode(&buf, img); err != nil {
+		t.Fatalf("encode test png: %v", err)
+	}
+	header := &multipart.FileHeader{
+		Filename: "test.png",
+		Size:     int64(buf.Len()),
+		Header:   textproto.MIMEHeader{"Content-Type": {"image/png"}},
+	}
+	return &buf, header
+}
+
+// bufferReadSeeker wraps a bytes.Reader to implement multipart.File.
+type bufferReadSeeker struct {
+	*bytes.Reader
+}
+
+func (b *bufferReadSeeker) Close() error { return nil }
+
+func TestProcessJPEG(t *testing.T) {
+	uploadDir := t.TempDir()
+	buf, header := testJPEG(t, 800, 600)
+
+	result, err := Process(&bufferReadSeeker{bytes.NewReader(buf.Bytes())}, header, uploadDir)
+	if err != nil {
+		t.Fatalf("Process JPEG: %v", err)
+	}
+
+	if result.Filename == "" {
+		t.Error("expected non-empty filename")
+	}
+	if !strings.HasSuffix(result.Filename, ".jpg") {
+		t.Errorf("filename %q should end with .jpg", result.Filename)
+	}
+
+	// Verify file was written.
+	if _, err := os.Stat(result.Path); err != nil {
+		t.Errorf("output file not found: %v", err)
+	}
+}
+
+func TestProcessPNG(t *testing.T) {
+	uploadDir := t.TempDir()
+	buf, header := testPNG(t, 640, 480)
+
+	result, err := Process(&bufferReadSeeker{bytes.NewReader(buf.Bytes())}, header, uploadDir)
+	if err != nil {
+		t.Fatalf("Process PNG: %v", err)
+	}
+
+	if !strings.HasSuffix(result.Filename, ".png") {
+		t.Errorf("filename %q should end with .png", result.Filename)
+	}
+}
+
+func TestProcessResizeWideImage(t *testing.T) {
+	uploadDir := t.TempDir()
+	buf, header := testJPEG(t, 3840, 2160) // 4K width
+
+	result, err := Process(&bufferReadSeeker{bytes.NewReader(buf.Bytes())}, header, uploadDir)
+	if err != nil {
+		t.Fatalf("Process wide image: %v", err)
+	}
+
+	// Read back and check dimensions.
+	f, err := os.Open(result.Path)
+	if err != nil {
+		t.Fatalf("open result: %v", err)
+	}
+	defer f.Close()
+
+	img, _, err := image.Decode(f)
+	if err != nil {
+		t.Fatalf("decode result: %v", err)
+	}
+
+	bounds := img.Bounds()
+	if bounds.Dx() != MaxWidth {
+		t.Errorf("resized width = %d, want %d", bounds.Dx(), MaxWidth)
+	}
+	// Aspect ratio should be maintained.
+	expectedHeight := 2160 * MaxWidth / 3840
+	if bounds.Dy() != expectedHeight {
+		t.Errorf("resized height = %d, want %d", bounds.Dy(), expectedHeight)
+	}
+}
+
+func TestProcessSmallImageNotResized(t *testing.T) {
+	uploadDir := t.TempDir()
+	buf, header := testJPEG(t, 800, 600)
+
+	result, err := Process(&bufferReadSeeker{bytes.NewReader(buf.Bytes())}, header, uploadDir)
+	if err != nil {
+		t.Fatalf("Process small image: %v", err)
+	}
+
+	f, err := os.Open(result.Path)
+	if err != nil {
+		t.Fatalf("open result: %v", err)
+	}
+	defer f.Close()
+
+	img, _, err := image.Decode(f)
+	if err != nil {
+		t.Fatalf("decode result: %v", err)
+	}
+
+	if img.Bounds().Dx() != 800 {
+		t.Errorf("small image width = %d, should not be resized", img.Bounds().Dx())
+	}
+}
+
+func TestProcessInvalidMIME(t *testing.T) {
+	uploadDir := t.TempDir()
+	header := &multipart.FileHeader{
+		Filename: "test.txt",
+		Header:   textproto.MIMEHeader{"Content-Type": {"text/plain"}},
+	}
+	buf := bytes.NewReader([]byte("not an image"))
+
+	_, err := Process(&bufferReadSeeker{buf}, header, uploadDir)
+	if err == nil {
+		t.Error("expected error for text/plain MIME type")
+	}
+	if !strings.Contains(err.Error(), "unsupported image type") {
+		t.Errorf("error = %q, should mention unsupported type", err)
+	}
+}
+
+func TestProcessCorruptImage(t *testing.T) {
+	uploadDir := t.TempDir()
+	header := &multipart.FileHeader{
+		Filename: "corrupt.jpg",
+		Header:   textproto.MIMEHeader{"Content-Type": {"image/jpeg"}},
+	}
+	buf := bytes.NewReader([]byte("this is not valid jpeg data"))
+
+	_, err := Process(&bufferReadSeeker{buf}, header, uploadDir)
+	if err == nil {
+		t.Error("expected error for corrupt image data")
+	}
+}
+
+func TestProcessUUIDFilename(t *testing.T) {
+	uploadDir := t.TempDir()
+	buf, header := testJPEG(t, 100, 100)
+	// Give a user-supplied filename.
+	header.Filename = "my-vacation-photo.jpg"
+
+	result, err := Process(&bufferReadSeeker{bytes.NewReader(buf.Bytes())}, header, uploadDir)
+	if err != nil {
+		t.Fatalf("Process: %v", err)
+	}
+
+	if strings.Contains(result.Filename, "vacation") {
+		t.Error("filename should be UUID-based, not user-supplied")
+	}
+	// UUID format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.ext
+	if len(result.Filename) < 36 {
+		t.Errorf("filename %q too short for UUID", result.Filename)
+	}
+}
+
+func TestAllowedTypes(t *testing.T) {
+	expected := []string{"image/jpeg", "image/png", "image/gif", "image/webp"}
+	for _, mime := range expected {
+		if _, ok := AllowedTypes[mime]; !ok {
+			t.Errorf("AllowedTypes missing %s", mime)
+		}
+	}
+}
+
+func TestDeletePathTraversal(t *testing.T) {
+	uploadDir := t.TempDir()
+
+	// Create a file outside uploadDir.
+	outsideFile := filepath.Join(t.TempDir(), "sensitive.txt")
+	os.WriteFile(outsideFile, []byte("secret"), 0644)
+
+	// Attempt to delete it via path traversal.
+	err := Delete(uploadDir, "../../../"+filepath.Base(outsideFile))
+	if err == nil {
+		t.Error("expected error for path traversal")
+	}
+
+	// File should still exist.
+	if _, statErr := os.Stat(outsideFile); statErr != nil {
+		t.Error("path traversal should not have deleted the file")
+	}
+}
+
+func TestDeleteEmpty(t *testing.T) {
+	// Empty filename should be a no-op.
+	if err := Delete(t.TempDir(), ""); err != nil {
+		t.Errorf("Delete empty filename: %v", err)
+	}
+}
diff --git a/internal/middleware/auth_test.go b/internal/middleware/auth_test.go
new file mode 100644
index 0000000..9ecbea9
--- /dev/null
+++ b/internal/middleware/auth_test.go
@@ -0,0 +1,299 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package middleware
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"kode.naiv.no/olemd/favoritter/internal/database"
+	"kode.naiv.no/olemd/favoritter/internal/model"
+	"kode.naiv.no/olemd/favoritter/internal/store"
+)
+
+// testStores creates in-memory stores for auth middleware tests.
+func testStores(t *testing.T) (*store.SessionStore, *store.UserStore) {
+	t.Helper()
+	db, err := database.Open(":memory:")
+	if err != nil {
+		t.Fatalf("open db: %v", err)
+	}
+	if err := database.Migrate(db); err != nil {
+		t.Fatalf("migrate: %v", err)
+	}
+	t.Cleanup(func() { db.Close() })
+
+	store.Argon2Memory = 1024
+	store.Argon2Time = 1
+
+	return store.NewSessionStore(db), store.NewUserStore(db)
+}
+
+func TestSessionLoaderValidToken(t *testing.T) {
+	sessions, users := testStores(t)
+
+	user, err := users.Create("testuser", "pass123", "user")
+	if err != nil {
+		t.Fatalf("create user: %v", err)
+	}
+	token, err := sessions.Create(user.ID)
+	if err != nil {
+		t.Fatalf("create session: %v", err)
+	}
+
+	var ctxUser *model.User
+	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctxUser = UserFromContext(r.Context())
+		w.WriteHeader(http.StatusOK)
+	})
+
+	handler := SessionLoader(sessions, users)(inner)
+	req := httptest.NewRequest("GET", "/faves", nil)
+	req.AddCookie(&http.Cookie{Name: SessionCookieName, Value: token})
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if ctxUser == nil {
+		t.Fatal("expected user in context, got nil")
+	}
+	if ctxUser.ID != user.ID {
+		t.Errorf("context user ID = %d, want %d", ctxUser.ID, user.ID)
+	}
+}
+
+func TestSessionLoaderInvalidToken(t *testing.T) {
+	sessions, users := testStores(t)
+
+	var ctxUser *model.User
+	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctxUser = UserFromContext(r.Context())
+		w.WriteHeader(http.StatusOK)
+	})
+
+	handler := SessionLoader(sessions, users)(inner)
+	req := httptest.NewRequest("GET", "/faves", nil)
+	req.AddCookie(&http.Cookie{Name: SessionCookieName, Value: "invalid-token"})
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("invalid token: got %d, want 200", rr.Code)
+	}
+	if ctxUser != nil {
+		t.Error("expected nil user for invalid token")
+	}
+
+	// Should clear the invalid session cookie.
+	for _, c := range rr.Result().Cookies() {
+		if c.Name == SessionCookieName && c.MaxAge == -1 {
+			return // Cookie cleared, good.
+		}
+	}
+	t.Error("expected session cookie to be cleared for invalid token")
+}
+
+func TestSessionLoaderNoCookie(t *testing.T) {
+	sessions, users := testStores(t)
+
+	var ctxUser *model.User
+	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctxUser = UserFromContext(r.Context())
+		w.WriteHeader(http.StatusOK)
+	})
+
+	handler := SessionLoader(sessions, users)(inner)
+	req := httptest.NewRequest("GET", "/faves", nil)
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("no cookie: got %d, want 200", rr.Code)
+	}
+	if ctxUser != nil {
+		t.Error("expected nil user when no cookie")
+	}
+}
+
+func TestSessionLoaderSkipsStaticPaths(t *testing.T) {
+	sessions, users := testStores(t)
+
+	var handlerCalled bool
+	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		handlerCalled = true
+		w.WriteHeader(http.StatusOK)
+	})
+
+	handler := SessionLoader(sessions, users)(inner)
+
+	for _, path := range []string{"/static/css/style.css", "/uploads/image.jpg"} {
+		handlerCalled = false
+		req := httptest.NewRequest("GET", path, nil)
+		req.AddCookie(&http.Cookie{Name: SessionCookieName, Value: "some-token"})
+		rr := httptest.NewRecorder()
+		handler.ServeHTTP(rr, req)
+
+		if !handlerCalled {
+			t.Errorf("handler not called for %s", path)
+		}
+		if rr.Code != http.StatusOK {
+			t.Errorf("%s: got %d, want 200", path, rr.Code)
+		}
+	}
+}
+
+func TestSessionLoaderDisabledUser(t *testing.T) {
+	sessions, users := testStores(t)
+
+	user, _ := users.Create("testuser", "pass123", "user")
+	token, _ := sessions.Create(user.ID)
+	users.SetDisabled(user.ID, true)
+
+	var ctxUser *model.User
+	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctxUser = UserFromContext(r.Context())
+		w.WriteHeader(http.StatusOK)
+	})
+
+	handler := SessionLoader(sessions, users)(inner)
+	req := httptest.NewRequest("GET", "/faves", nil)
+	req.AddCookie(&http.Cookie{Name: SessionCookieName, Value: token})
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if ctxUser != nil {
+		t.Error("disabled user should not be in context")
+	}
+	// Session should be deleted and cookie cleared.
+	for _, c := range rr.Result().Cookies() {
+		if c.Name == SessionCookieName && c.MaxAge == -1 {
+			return
+		}
+	}
+	t.Error("expected session cookie to be cleared for disabled user")
+}
+
+func TestRequireAdminRejectsNonAdmin(t *testing.T) {
+	handler := RequireAdmin(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	// Regular user in context.
+	user := &model.User{ID: 1, Username: "regular", Role: "user"}
+	ctx := context.WithValue(context.Background(), userKey, user)
+	req := httptest.NewRequest("GET", "/admin", nil).WithContext(ctx)
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusForbidden {
+		t.Errorf("non-admin: got %d, want 403", rr.Code)
+	}
+}
+
+func TestRequireAdminAllowsAdmin(t *testing.T) {
+	handler := RequireAdmin(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	user := &model.User{ID: 1, Username: "admin", Role: "admin"}
+	ctx := context.WithValue(context.Background(), userKey, user)
+	req := httptest.NewRequest("GET", "/admin", nil).WithContext(ctx)
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("admin: got %d, want 200", rr.Code)
+	}
+}
+
+func TestRequireAdminNoUser(t *testing.T) {
+	handler := RequireAdmin(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest("GET", "/admin", nil)
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusForbidden {
+		t.Errorf("no user: got %d, want 403", rr.Code)
+	}
+}
+
+func TestContextHelpers(t *testing.T) {
+	// UserFromContext with user.
+	user := &model.User{ID: 42, Username: "tester"}
+	ctx := context.WithValue(context.Background(), userKey, user)
+	got := UserFromContext(ctx)
+	if got == nil || got.ID != 42 {
+		t.Errorf("UserFromContext with user: got %v", got)
+	}
+
+	// UserFromContext without user.
+	if UserFromContext(context.Background()) != nil {
+		t.Error("UserFromContext should return nil for empty context")
+	}
+
+	// CSRFTokenFromContext.
+	ctx = context.WithValue(context.Background(), csrfTokenKey, "my-token")
+	if CSRFTokenFromContext(ctx) != "my-token" {
+		t.Error("CSRFTokenFromContext failed")
+	}
+	if CSRFTokenFromContext(context.Background()) != "" {
+		t.Error("CSRFTokenFromContext should return empty for missing key")
+	}
+
+	// RealIPFromContext.
+	ctx = context.WithValue(context.Background(), realIPKey, "1.2.3.4")
+	if RealIPFromContext(ctx) != "1.2.3.4" {
+		t.Error("RealIPFromContext failed")
+	}
+	if RealIPFromContext(context.Background()) != "" {
+		t.Error("RealIPFromContext should return empty for missing key")
+	}
+}
+
+func TestMustResetPasswordGuardRedirects(t *testing.T) {
+	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+	handler := MustResetPasswordGuard("")(inner)
+
+	// User with must_reset_password on a regular path → redirect.
+	user := &model.User{ID: 1, Username: "resetme", MustResetPassword: true}
+	ctx := context.WithValue(context.Background(), userKey, user)
+
+	req := httptest.NewRequest("GET", "/faves", nil).WithContext(ctx)
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusSeeOther {
+		t.Errorf("must-reset on /faves: got %d, want 303", rr.Code)
+	}
+	if loc := rr.Header().Get("Location"); loc != "/reset-password" {
+		t.Errorf("redirect location = %q, want /reset-password", loc)
+	}
+}
+
+func TestMustResetPasswordGuardAllowsPaths(t *testing.T) {
+	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+	handler := MustResetPasswordGuard("")(inner)
+
+	user := &model.User{ID: 1, Username: "resetme", MustResetPassword: true}
+	ctx := context.WithValue(context.Background(), userKey, user)
+
+	// These paths should pass through even with must_reset.
+	allowedPaths := []string{"/reset-password", "/logout", "/health", "/static/css/style.css"}
+	for _, path := range allowedPaths {
+		req := httptest.NewRequest("GET", path, nil).WithContext(ctx)
+		rr := httptest.NewRecorder()
+		handler.ServeHTTP(rr, req)
+
+		if rr.Code != http.StatusOK {
+			t.Errorf("must-reset on %s: got %d, want 200", path, rr.Code)
+		}
+	}
+}
diff --git a/internal/middleware/csrf_test.go b/internal/middleware/csrf_test.go
new file mode 100644
index 0000000..9eee68e
--- /dev/null
+++ b/internal/middleware/csrf_test.go
@@ -0,0 +1,185 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"kode.naiv.no/olemd/favoritter/internal/config"
+)
+
+func testCSRFHandler(cfg *config.Config) http.Handler {
+	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Echo the CSRF token from context so tests can verify it.
+		token := CSRFTokenFromContext(r.Context())
+		w.Write([]byte(token))
+	})
+	return CSRFProtection(cfg)(inner)
+}
+
+func TestCSRFTokenSetInCookie(t *testing.T) {
+	handler := testCSRFHandler(&config.Config{})
+
+	req := httptest.NewRequest("GET", "/", nil)
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("GET: got %d, want 200", rr.Code)
+	}
+
+	// Should set a csrf_token cookie.
+	var found bool
+	for _, c := range rr.Result().Cookies() {
+		if c.Name == "csrf_token" {
+			found = true
+			if c.Value == "" {
+				t.Error("csrf_token cookie is empty")
+			}
+			if c.HttpOnly {
+				t.Error("csrf_token cookie should not be HttpOnly (JS needs to read it)")
+			}
+		}
+	}
+	if !found {
+		t.Error("csrf_token cookie not set on first request")
+	}
+
+	// The context token should match the cookie.
+	body := rr.Body.String()
+	if body == "" {
+		t.Error("CSRF token not set in context")
+	}
+}
+
+func TestCSRFValidTokenAccepted(t *testing.T) {
+	handler := testCSRFHandler(&config.Config{})
+
+	// First GET to obtain a token.
+	getReq := httptest.NewRequest("GET", "/", nil)
+	getRR := httptest.NewRecorder()
+	handler.ServeHTTP(getRR, getReq)
+
+	var token string
+	for _, c := range getRR.Result().Cookies() {
+		if c.Name == "csrf_token" {
+			token = c.Value
+		}
+	}
+	if token == "" {
+		t.Fatal("no csrf_token cookie from GET")
+	}
+
+	// POST with matching cookie + form field.
+	form := "csrf_token=" + token
+	req := httptest.NewRequest("POST", "/submit", strings.NewReader(form))
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: token})
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("valid CSRF POST: got %d, want 200", rr.Code)
+	}
+}
+
+func TestCSRFMismatchRejected(t *testing.T) {
+	handler := testCSRFHandler(&config.Config{})
+
+	form := "csrf_token=wrong-token"
+	req := httptest.NewRequest("POST", "/submit", strings.NewReader(form))
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: "real-token"})
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusForbidden {
+		t.Errorf("mismatched CSRF: got %d, want 403", rr.Code)
+	}
+}
+
+func TestCSRFMissingTokenRejected(t *testing.T) {
+	handler := testCSRFHandler(&config.Config{})
+
+	// POST with cookie but no form field or header.
+	req := httptest.NewRequest("POST", "/submit", nil)
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: "some-token"})
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusForbidden {
+		t.Errorf("missing CSRF form field: got %d, want 403", rr.Code)
+	}
+}
+
+func TestCSRFHeaderFallback(t *testing.T) {
+	handler := testCSRFHandler(&config.Config{})
+
+	token := "valid-header-token"
+	req := httptest.NewRequest("POST", "/submit", nil)
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: token})
+	req.Header.Set("X-CSRF-Token", token)
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("CSRF via header: got %d, want 200", rr.Code)
+	}
+}
+
+func TestCSRFSkippedForAPI(t *testing.T) {
+	handler := testCSRFHandler(&config.Config{})
+
+	// POST to /api/ path — should skip CSRF validation.
+	req := httptest.NewRequest("POST", "/api/v1/faves", strings.NewReader(`{}`))
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: "some-token"})
+	// Intentionally no CSRF form field or header.
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("API route CSRF skip: got %d, want 200", rr.Code)
+	}
+}
+
+func TestCSRFSafeMethodsPassThrough(t *testing.T) {
+	handler := testCSRFHandler(&config.Config{})
+
+	for _, method := range []string{"GET", "HEAD", "OPTIONS"} {
+		req := httptest.NewRequest(method, "/page", nil)
+		// No CSRF cookie or token at all.
+		rr := httptest.NewRecorder()
+		handler.ServeHTTP(rr, req)
+
+		if rr.Code != http.StatusOK {
+			t.Errorf("%s without CSRF: got %d, want 200", method, rr.Code)
+		}
+	}
+}
+
+func TestCSRFExistingCookieReused(t *testing.T) {
+	handler := testCSRFHandler(&config.Config{})
+
+	// Send a request with an existing csrf_token cookie.
+	existingToken := "pre-existing-token-value"
+	req := httptest.NewRequest("GET", "/", nil)
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: existingToken})
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	// The context token should be the existing one.
+	body := rr.Body.String()
+	if body != existingToken {
+		t.Errorf("context token = %q, want existing %q", body, existingToken)
+	}
+
+	// Should NOT set a new cookie (existing one is reused).
+	for _, c := range rr.Result().Cookies() {
+		if c.Name == "csrf_token" {
+			t.Error("should not set new csrf_token cookie when one already exists")
+		}
+	}
+}
diff --git a/internal/render/render_test.go b/internal/render/render_test.go
new file mode 100644
index 0000000..5e975f1
--- /dev/null
+++ b/internal/render/render_test.go
@@ -0,0 +1,161 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package render
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"kode.naiv.no/olemd/favoritter/internal/config"
+)
+
+func testRenderer(t *testing.T) *Renderer {
+	t.Helper()
+	cfg := &config.Config{
+		SiteName: "Test Site",
+		BasePath: "/test",
+	}
+	r, err := New(cfg)
+	if err != nil {
+		t.Fatalf("create renderer: %v", err)
+	}
+	return r
+}
+
+func TestRenderPage(t *testing.T) {
+	r := testRenderer(t)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	rr := httptest.NewRecorder()
+
+	r.Page(rr, req, "login", PageData{
+		Title: "Logg inn",
+	})
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("render page: got %d, want 200", rr.Code)
+	}
+
+	body := rr.Body.String()
+	if !strings.Contains(body, "Logg inn") {
+		t.Error("page should contain title")
+	}
+	ct := rr.Header().Get("Content-Type")
+	if !strings.Contains(ct, "text/html") {
+		t.Errorf("content-type = %q, want text/html", ct)
+	}
+}
+
+func TestRenderPageWithData(t *testing.T) {
+	r := testRenderer(t)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	rr := httptest.NewRecorder()
+
+	r.Page(rr, req, "login", PageData{
+		Title:    "Test Page",
+		SiteName: "My Site",
+		BasePath: "/base",
+	})
+
+	body := rr.Body.String()
+	if !strings.Contains(body, "Test Page") {
+		t.Error("should contain title in output")
+	}
+}
+
+func TestRenderMissingTemplate(t *testing.T) {
+	r := testRenderer(t)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	rr := httptest.NewRecorder()
+
+	r.Page(rr, req, "nonexistent_template_xyz", PageData{})
+
+	if rr.Code != http.StatusInternalServerError {
+		t.Errorf("missing template: got %d, want 500", rr.Code)
+	}
+}
+
+func TestRenderErrorPage(t *testing.T) {
+	r := testRenderer(t)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	rr := httptest.NewRecorder()
+
+	r.Error(rr, req, http.StatusNotFound, "Ikke funnet")
+
+	if rr.Code != http.StatusNotFound {
+		t.Errorf("error page: got %d, want 404", rr.Code)
+	}
+	body := rr.Body.String()
+	if !strings.Contains(body, "Ikke funnet") {
+		t.Error("error page should contain message")
+	}
+}
+
+func TestRenderPopulatesCommonData(t *testing.T) {
+	cfg := &config.Config{
+		SiteName:    "Favoritter",
+		BasePath:    "/app",
+		ExternalURL: "https://example.com",
+	}
+	r, err := New(cfg)
+	if err != nil {
+		t.Fatalf("create renderer: %v", err)
+	}
+
+	req := httptest.NewRequest("GET", "/", nil)
+	// Add a CSRF token to the context.
+	type contextKey string
+	ctx := context.WithValue(req.Context(), contextKey("csrf_token"), "test-token")
+	req = req.WithContext(ctx)
+
+	rr := httptest.NewRecorder()
+	r.Page(rr, req, "login", PageData{Title: "Test"})
+
+	// BasePath and SiteName should be populated from config.
+	body := rr.Body.String()
+	if !strings.Contains(body, "/app") {
+		t.Error("should contain basePath from config")
+	}
+}
+
+func TestTemplateFuncs(t *testing.T) {
+	cfg := &config.Config{BasePath: "/test", ExternalURL: "https://example.com"}
+	r, _ := New(cfg)
+
+	funcs := r.templateFuncs()
+
+	// Test truncate function.
+	truncate := funcs["truncate"].(func(int, string) string)
+	if got := truncate(5, "Hello, world!"); got != "Hello..." {
+		t.Errorf("truncate(5, long) = %q, want Hello...", got)
+	}
+	if got := truncate(20, "Short"); got != "Short" {
+		t.Errorf("truncate(20, short) = %q, want Short", got)
+	}
+	// Test with Norwegian characters (Ærlig = 5 runes: Æ r l i g).
+	if got := truncate(3, "Ærlig"); got != "Ærl..." {
+		t.Errorf("truncate(3, Ærlig) = %q, want Ærl...", got)
+	}
+
+	// Test add/subtract.
+	add := funcs["add"].(func(int, int) int)
+	if add(2, 3) != 5 {
+		t.Error("add(2,3) should be 5")
+	}
+	sub := funcs["subtract"].(func(int, int) int)
+	if sub(5, 3) != 2 {
+		t.Error("subtract(5,3) should be 2")
+	}
+
+	// Test basePath function.
+	bp := funcs["basePath"].(func() string)
+	if bp() != "/test" {
+		t.Errorf("basePath() = %q", bp())
+	}
+}
diff --git a/internal/store/settings_test.go b/internal/store/settings_test.go
new file mode 100644
index 0000000..597341e
--- /dev/null
+++ b/internal/store/settings_test.go
@@ -0,0 +1,75 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package store
+
+import (
+	"testing"
+)
+
+func TestSettingsGetDefault(t *testing.T) {
+	db := testDB(t)
+	settings := NewSettingsStore(db)
+
+	s, err := settings.Get()
+	if err != nil {
+		t.Fatalf("get default settings: %v", err)
+	}
+
+	// Migration should insert a default row.
+	if s.SiteName == "" {
+		t.Error("expected non-empty default site name")
+	}
+	if s.SignupMode == "" {
+		t.Error("expected non-empty default signup mode")
+	}
+}
+
+func TestSettingsUpdate(t *testing.T) {
+	db := testDB(t)
+	settings := NewSettingsStore(db)
+
+	err := settings.Update("Nye Favoritter", "En kul side", "requests")
+	if err != nil {
+		t.Fatalf("update settings: %v", err)
+	}
+
+	s, err := settings.Get()
+	if err != nil {
+		t.Fatalf("get after update: %v", err)
+	}
+
+	if s.SiteName != "Nye Favoritter" {
+		t.Errorf("site_name = %q, want %q", s.SiteName, "Nye Favoritter")
+	}
+	if s.SiteDescription != "En kul side" {
+		t.Errorf("site_description = %q, want %q", s.SiteDescription, "En kul side")
+	}
+	if s.SignupMode != "requests" {
+		t.Errorf("signup_mode = %q, want %q", s.SignupMode, "requests")
+	}
+	if s.UpdatedAt.IsZero() {
+		t.Error("expected non-zero updated_at after update")
+	}
+}
+
+func TestSettingsUpdatePreservesOtherFields(t *testing.T) {
+	db := testDB(t)
+	settings := NewSettingsStore(db)
+
+	// Set initial values.
+	settings.Update("Site A", "Desc A", "open")
+
+	// Update with different values.
+	settings.Update("Site B", "Desc B", "closed")
+
+	s, _ := settings.Get()
+	if s.SiteName != "Site B" {
+		t.Errorf("site_name = %q, want %q", s.SiteName, "Site B")
+	}
+	if s.SiteDescription != "Desc B" {
+		t.Errorf("site_description = %q, want %q", s.SiteDescription, "Desc B")
+	}
+	if s.SignupMode != "closed" {
+		t.Errorf("signup_mode = %q, want %q", s.SignupMode, "closed")
+	}
+}

From 485d01ce4528299fdc23979f897de8064a36ef76 Mon Sep 17 00:00:00 2001
From: Ole-Morten Duesund <olemd@glemt.net>
Date: Sat, 4 Apr 2026 00:40:08 +0200
Subject: [PATCH 3/3] feat: add notes field to favorites and enhance OG meta
 tags
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add an optional long-form "notes" text field to each favorite for
reviews, thoughts, or extended descriptions. The field is stored in
SQLite via a new migration (002_add_fave_notes.sql) and propagated
through the entire stack:

- Model: Notes field on Fave struct
- Store: All SQL queries (Create, GetByID, Update, list methods,
  scanFaves) updated with notes column
- Web handlers: Read/write notes in create, edit, update forms
- API handlers: Notes in create, update, get, import request/response
- Export: Notes included in both JSON and CSV exports
- Import: Notes parsed from both JSON and CSV imports
- Feed: Notes used as Atom feed item summary when present
- Form template: New textarea between URL and image fields
- Detail template: Display notes, enhanced og:description with
  cascade: notes (truncated) → URL → generic fallback text

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../migrations/002_add_fave_notes.sql         |  2 +
 internal/handler/api/api.go                   | 10 +++-
 internal/handler/api/api_test.go              | 32 +++++------
 internal/handler/fave.go                      | 11 ++--
 internal/handler/feed.go                      |  4 ++
 internal/handler/handler_test.go              |  8 +--
 internal/handler/import_export.go             | 10 +++-
 internal/handler/web_test.go                  | 34 ++++++------
 internal/model/fave.go                        |  1 +
 internal/store/fave.go                        | 28 +++++-----
 internal/store/fave_test.go                   | 55 +++++++++++++++++--
 internal/store/tag_test.go                    |  8 +--
 web/templates/pages/fave_detail.html          | 12 +++-
 web/templates/pages/fave_form.html            |  7 +++
 14 files changed, 151 insertions(+), 71 deletions(-)
 create mode 100644 internal/database/migrations/002_add_fave_notes.sql

diff --git a/internal/database/migrations/002_add_fave_notes.sql b/internal/database/migrations/002_add_fave_notes.sql
new file mode 100644
index 0000000..b4cf1cc
--- /dev/null
+++ b/internal/database/migrations/002_add_fave_notes.sql
@@ -0,0 +1,2 @@
+-- Legger til et valgfritt notatfelt på favoritter.
+ALTER TABLE faves ADD COLUMN notes TEXT NOT NULL DEFAULT '';
diff --git a/internal/handler/api/api.go b/internal/handler/api/api.go
index 2c3e685..7996a16 100644
--- a/internal/handler/api/api.go
+++ b/internal/handler/api/api.go
@@ -135,6 +135,7 @@ func (h *Handler) handleCreateFave(w http.ResponseWriter, r *http.Request) {
 	var req struct {
 		Description string   `json:"description"`
 		URL         string   `json:"url"`
+		Notes       string   `json:"notes"`
 		Privacy     string   `json:"privacy"`
 		Tags        []string `json:"tags"`
 	}
@@ -151,7 +152,7 @@ func (h *Handler) handleCreateFave(w http.ResponseWriter, r *http.Request) {
 		req.Privacy = user.DefaultFavePrivacy
 	}
 
-	fave, err := h.deps.Faves.Create(user.ID, req.Description, req.URL, "", req.Privacy)
+	fave, err := h.deps.Faves.Create(user.ID, req.Description, req.URL, "", req.Notes, req.Privacy)
 	if err != nil {
 		slog.Error("api: create fave error", "error", err)
 		jsonError(w, "Internal error", http.StatusInternalServerError)
@@ -222,6 +223,7 @@ func (h *Handler) handleUpdateFave(w http.ResponseWriter, r *http.Request) {
 	var req struct {
 		Description string   `json:"description"`
 		URL         string   `json:"url"`
+		Notes       string   `json:"notes"`
 		Privacy     string   `json:"privacy"`
 		Tags        []string `json:"tags"`
 	}
@@ -237,7 +239,7 @@ func (h *Handler) handleUpdateFave(w http.ResponseWriter, r *http.Request) {
 		req.Privacy = fave.Privacy
 	}
 
-	if err := h.deps.Faves.Update(id, req.Description, req.URL, fave.ImagePath, req.Privacy); err != nil {
+	if err := h.deps.Faves.Update(id, req.Description, req.URL, fave.ImagePath, req.Notes, req.Privacy); err != nil {
 		slog.Error("api: update fave error", "error", err)
 		jsonError(w, "Internal error", http.StatusInternalServerError)
 		return
@@ -378,6 +380,7 @@ func (h *Handler) handleImport(w http.ResponseWriter, r *http.Request) {
 	var faves []struct {
 		Description string   `json:"description"`
 		URL         string   `json:"url"`
+		Notes       string   `json:"notes"`
 		Privacy     string   `json:"privacy"`
 		Tags        []string `json:"tags"`
 	}
@@ -395,7 +398,7 @@ func (h *Handler) handleImport(w http.ResponseWriter, r *http.Request) {
 		if privacy != "public" && privacy != "private" {
 			privacy = user.DefaultFavePrivacy
 		}
-		fave, err := h.deps.Faves.Create(user.ID, f.Description, f.URL, "", privacy)
+		fave, err := h.deps.Faves.Create(user.ID, f.Description, f.URL, "", f.Notes, privacy)
 		if err != nil {
 			continue
 		}
@@ -446,6 +449,7 @@ func faveJSON(f *model.Fave) map[string]any {
 		"id":          f.ID,
 		"description": f.Description,
 		"url":         f.URL,
+		"notes":       f.Notes,
 		"image_path":  f.ImagePath,
 		"privacy":     f.Privacy,
 		"tags":        tags,
diff --git a/internal/handler/api/api_test.go b/internal/handler/api/api_test.go
index 8158d15..4eb9270 100644
--- a/internal/handler/api/api_test.go
+++ b/internal/handler/api/api_test.go
@@ -222,7 +222,7 @@ func TestAPIGetFave(t *testing.T) {
 
 	// Create a public fave directly.
 	user, _ := users.GetByUsername("testuser")
-	fave, _ := h.deps.Faves.Create(user.ID, "Test fave", "https://example.com", "", "public")
+	fave, _ := h.deps.Faves.Create(user.ID, "Test fave", "https://example.com", "", "", "public")
 	h.deps.Tags.SetFaveTags(fave.ID, []string{"test"})
 
 	req := httptest.NewRequest("GET", "/api/v1/faves/"+faveIDStr(fave.ID), nil)
@@ -257,7 +257,7 @@ func TestAPIPrivateFaveHiddenFromOthers(t *testing.T) {
 
 	// User A creates a private fave.
 	userA, _ := users.Create("usera", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(userA.ID, "Secret", "", "", "private")
+	fave, _ := h.deps.Faves.Create(userA.ID, "Secret", "", "", "", "private")
 
 	// User B tries to access it.
 	cookieB := apiLogin(t, users, sessions, "userb", "pass123", "user")
@@ -276,7 +276,7 @@ func TestAPIPrivateFaveVisibleToOwner(t *testing.T) {
 	h, mux, users, sessions := testAPIServer(t)
 
 	userA, _ := users.Create("usera", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(userA.ID, "My secret", "", "", "private")
+	fave, _ := h.deps.Faves.Create(userA.ID, "My secret", "", "", "", "private")
 
 	tokenA, _ := sessions.Create(userA.ID)
 	cookieA := &http.Cookie{Name: "session", Value: tokenA}
@@ -295,7 +295,7 @@ func TestAPIUpdateFave(t *testing.T) {
 	h, mux, users, sessions := testAPIServer(t)
 
 	user, _ := users.Create("testuser", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(user.ID, "Original", "https://old.com", "", "public")
+	fave, _ := h.deps.Faves.Create(user.ID, "Original", "https://old.com", "", "", "public")
 	token, _ := sessions.Create(user.ID)
 	cookie := &http.Cookie{Name: "session", Value: token}
 
@@ -322,7 +322,7 @@ func TestAPIUpdateFaveNotOwner(t *testing.T) {
 	h, mux, users, sessions := testAPIServer(t)
 
 	userA, _ := users.Create("usera", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "public")
+	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "", "public")
 
 	cookieB := apiLogin(t, users, sessions, "userb", "pass123", "user")
 
@@ -341,7 +341,7 @@ func TestAPIDeleteFave(t *testing.T) {
 	h, mux, users, sessions := testAPIServer(t)
 
 	user, _ := users.Create("testuser", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(user.ID, "Delete me", "", "", "public")
+	fave, _ := h.deps.Faves.Create(user.ID, "Delete me", "", "", "", "public")
 	token, _ := sessions.Create(user.ID)
 	cookie := &http.Cookie{Name: "session", Value: token}
 
@@ -368,7 +368,7 @@ func TestAPIDeleteFaveNotOwner(t *testing.T) {
 	h, mux, users, sessions := testAPIServer(t)
 
 	userA, _ := users.Create("usera", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "public")
+	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "", "public")
 
 	cookieB := apiLogin(t, users, sessions, "userb", "pass123", "user")
 
@@ -386,9 +386,9 @@ func TestAPIListFaves(t *testing.T) {
 	h, mux, users, sessions := testAPIServer(t)
 
 	user, _ := users.Create("testuser", "pass123", "user")
-	h.deps.Faves.Create(user.ID, "Fave 1", "", "", "public")
-	h.deps.Faves.Create(user.ID, "Fave 2", "", "", "public")
-	h.deps.Faves.Create(user.ID, "Fave 3", "", "", "private")
+	h.deps.Faves.Create(user.ID, "Fave 1", "", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Fave 2", "", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Fave 3", "", "", "", "private")
 	token, _ := sessions.Create(user.ID)
 	cookie := &http.Cookie{Name: "session", Value: token}
 
@@ -413,7 +413,7 @@ func TestAPIListFavesPagination(t *testing.T) {
 
 	user, _ := users.Create("testuser", "pass123", "user")
 	for i := 0; i < 5; i++ {
-		h.deps.Faves.Create(user.ID, "Fave", "", "", "public")
+		h.deps.Faves.Create(user.ID, "Fave", "", "", "", "public")
 	}
 	token, _ := sessions.Create(user.ID)
 	cookie := &http.Cookie{Name: "session", Value: token}
@@ -443,7 +443,7 @@ func TestAPISearchTags(t *testing.T) {
 	h, mux, users, _ := testAPIServer(t)
 
 	user, _ := users.Create("testuser", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(user.ID, "Test", "", "", "public")
+	fave, _ := h.deps.Faves.Create(user.ID, "Test", "", "", "", "public")
 	h.deps.Tags.SetFaveTags(fave.ID, []string{"golang", "goroutines", "python"})
 
 	req := httptest.NewRequest("GET", "/api/v1/tags?q=go", nil)
@@ -531,8 +531,8 @@ func TestAPIGetDisabledUser(t *testing.T) {
 func TestAPIGetUserFaves(t *testing.T) {
 	h, mux, users, _ := testAPIServer(t)
 	user, _ := users.Create("testuser", "pass123", "user")
-	h.deps.Faves.Create(user.ID, "Public fave", "", "", "public")
-	h.deps.Faves.Create(user.ID, "Private fave", "", "", "private")
+	h.deps.Faves.Create(user.ID, "Public fave", "", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Private fave", "", "", "", "private")
 
 	req := httptest.NewRequest("GET", "/api/v1/users/testuser/faves", nil)
 	rr := httptest.NewRecorder()
@@ -555,8 +555,8 @@ func TestAPIExport(t *testing.T) {
 	h, mux, users, sessions := testAPIServer(t)
 
 	user, _ := users.Create("testuser", "pass123", "user")
-	h.deps.Faves.Create(user.ID, "Fave 1", "", "", "public")
-	h.deps.Faves.Create(user.ID, "Fave 2", "", "", "private")
+	h.deps.Faves.Create(user.ID, "Fave 1", "", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Fave 2", "", "", "", "private")
 	token, _ := sessions.Create(user.ID)
 	cookie := &http.Cookie{Name: "session", Value: token}
 
diff --git a/internal/handler/fave.go b/internal/handler/fave.go
index 220093c..9a5dd82 100644
--- a/internal/handler/fave.go
+++ b/internal/handler/fave.go
@@ -72,12 +72,13 @@ func (h *Handler) handleFaveCreate(w http.ResponseWriter, r *http.Request) {
 
 	description := strings.TrimSpace(r.FormValue("description"))
 	url := strings.TrimSpace(r.FormValue("url"))
+	notes := strings.TrimSpace(r.FormValue("notes"))
 	privacy := r.FormValue("privacy")
 	tagStr := r.FormValue("tags")
 
 	if description == "" {
 		h.flash(w, r, "fave_form", "Beskrivelse er påkrevd.", "error", map[string]any{
-			"IsNew": true, "Description": description, "URL": url, "Tags": tagStr, "Privacy": privacy,
+			"IsNew": true, "Description": description, "URL": url, "Notes": notes, "Tags": tagStr, "Privacy": privacy,
 		})
 		return
 	}
@@ -95,7 +96,7 @@ func (h *Handler) handleFaveCreate(w http.ResponseWriter, r *http.Request) {
 		if err != nil {
 			slog.Error("image process error", "error", err)
 			h.flash(w, r, "fave_form", "Kunne ikke behandle bildet. Sjekk at filen er et gyldig bilde (JPEG, PNG, GIF eller WebP).", "error", map[string]any{
-				"IsNew": true, "Description": description, "URL": url, "Tags": tagStr, "Privacy": privacy,
+				"IsNew": true, "Description": description, "URL": url, "Notes": notes, "Tags": tagStr, "Privacy": privacy,
 			})
 			return
 		}
@@ -103,7 +104,7 @@ func (h *Handler) handleFaveCreate(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Create the fave.
-	fave, err := h.deps.Faves.Create(user.ID, description, url, imagePath, privacy)
+	fave, err := h.deps.Faves.Create(user.ID, description, url, imagePath, notes, privacy)
 	if err != nil {
 		slog.Error("create fave error", "error", err)
 		h.flash(w, r, "fave_form", "Noe gikk galt. Prøv igjen.", "error", map[string]any{"IsNew": true})
@@ -205,6 +206,7 @@ func (h *Handler) handleFaveEdit(w http.ResponseWriter, r *http.Request) {
 			"Fave":        fave,
 			"Description": fave.Description,
 			"URL":         fave.URL,
+			"Notes":       fave.Notes,
 			"Privacy":     fave.Privacy,
 			"Tags":        strings.Join(tagNames, ", "),
 		},
@@ -244,6 +246,7 @@ func (h *Handler) handleFaveUpdate(w http.ResponseWriter, r *http.Request) {
 
 	description := strings.TrimSpace(r.FormValue("description"))
 	url := strings.TrimSpace(r.FormValue("url"))
+	notes := strings.TrimSpace(r.FormValue("notes"))
 	privacy := r.FormValue("privacy")
 	tagStr := r.FormValue("tags")
 
@@ -283,7 +286,7 @@ func (h *Handler) handleFaveUpdate(w http.ResponseWriter, r *http.Request) {
 		imagePath = ""
 	}
 
-	if err := h.deps.Faves.Update(id, description, url, imagePath, privacy); err != nil {
+	if err := h.deps.Faves.Update(id, description, url, imagePath, notes, privacy); err != nil {
 		slog.Error("update fave error", "error", err)
 		h.flash(w, r, "fave_form", "Noe gikk galt. Prøv igjen.", "error", map[string]any{"IsNew": false, "Fave": fave})
 		return
diff --git a/internal/handler/feed.go b/internal/handler/feed.go
index d5d945c..d1eaba0 100644
--- a/internal/handler/feed.go
+++ b/internal/handler/feed.go
@@ -129,6 +129,10 @@ func favesToFeedItems(faves []*model.Fave, baseURL string) []*feeds.Item {
 			Updated: f.UpdatedAt,
 		}
 
+		if f.Notes != "" {
+			item.Description = f.Notes
+		}
+
 		if f.URL != "" {
 			escaped := html.EscapeString(f.URL)
 			item.Content = `<p><a href="` + escaped + `">` + escaped + `</a></p>`
diff --git a/internal/handler/handler_test.go b/internal/handler/handler_test.go
index e12d232..e21672d 100644
--- a/internal/handler/handler_test.go
+++ b/internal/handler/handler_test.go
@@ -220,7 +220,7 @@ func TestPrivateFaveHiddenFromOthers(t *testing.T) {
 
 	// User A creates a private fave.
 	userA, _ := h.deps.Users.Create("usera", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(userA.ID, "Secret fave", "", "", "private")
+	fave, _ := h.deps.Faves.Create(userA.ID, "Secret fave", "", "", "", "private")
 
 	// User B tries to view it.
 	cookieB := loginUser(t, h, "userb", "pass123", "user")
@@ -239,7 +239,7 @@ func TestPrivateFaveVisibleToOwner(t *testing.T) {
 	h, mux := testServer(t)
 
 	userA, _ := h.deps.Users.Create("usera", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(userA.ID, "My secret", "", "", "private")
+	fave, _ := h.deps.Faves.Create(userA.ID, "My secret", "", "", "", "private")
 
 	tokenA, _ := h.deps.Sessions.Create(userA.ID)
 	cookieA := &http.Cookie{Name: "session", Value: tokenA}
@@ -290,7 +290,7 @@ func TestTagSearchEndpoint(t *testing.T) {
 
 	// Create some tags via faves.
 	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(user.ID, "Test", "", "", "public")
+	fave, _ := h.deps.Faves.Create(user.ID, "Test", "", "", "", "public")
 	h.deps.Tags.SetFaveTags(fave.ID, []string{"music", "movies", "manga"})
 
 	req := httptest.NewRequest("GET", "/tags/search?q=mu", nil)
@@ -310,7 +310,7 @@ func TestFeedGlobal(t *testing.T) {
 	h, mux := testServer(t)
 
 	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
-	h.deps.Faves.Create(user.ID, "Public fave", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Public fave", "", "", "", "public")
 
 	req := httptest.NewRequest("GET", "/feed.xml", nil)
 	rr := httptest.NewRecorder()
diff --git a/internal/handler/import_export.go b/internal/handler/import_export.go
index 9978570..5dcd2d9 100644
--- a/internal/handler/import_export.go
+++ b/internal/handler/import_export.go
@@ -21,6 +21,7 @@ const maxExportFaves = 100000
 type ExportFave struct {
 	Description string   `json:"description"`
 	URL         string   `json:"url,omitempty"`
+	Notes       string   `json:"notes,omitempty"`
 	Privacy     string   `json:"privacy"`
 	Tags        []string `json:"tags,omitempty"`
 	CreatedAt   string   `json:"created_at"`
@@ -57,6 +58,7 @@ func (h *Handler) handleExportJSON(w http.ResponseWriter, r *http.Request) {
 		export[i] = ExportFave{
 			Description: f.Description,
 			URL:         f.URL,
+			Notes:       f.Notes,
 			Privacy:     f.Privacy,
 			Tags:        tags,
 			CreatedAt:   f.CreatedAt.Format("2006-01-02T15:04:05Z"),
@@ -89,7 +91,7 @@ func (h *Handler) handleExportCSV(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Disposition", "attachment; filename=favoritter.csv")
 
 	cw := csv.NewWriter(w)
-	cw.Write([]string{"description", "url", "privacy", "tags", "created_at"})
+	cw.Write([]string{"description", "url", "notes", "privacy", "tags", "created_at"})
 
 	for _, f := range faves {
 		tags := make([]string, len(f.Tags))
@@ -99,6 +101,7 @@ func (h *Handler) handleExportCSV(w http.ResponseWriter, r *http.Request) {
 		cw.Write([]string{
 			f.Description,
 			f.URL,
+			f.Notes,
 			f.Privacy,
 			strings.Join(tags, ","),
 			f.CreatedAt.Format("2006-01-02T15:04:05Z"),
@@ -159,7 +162,7 @@ func (h *Handler) handleImportPost(w http.ResponseWriter, r *http.Request) {
 			privacy = user.DefaultFavePrivacy
 		}
 
-		fave, err := h.deps.Faves.Create(user.ID, ef.Description, ef.URL, "", privacy)
+		fave, err := h.deps.Faves.Create(user.ID, ef.Description, ef.URL, "", ef.Notes, privacy)
 		if err != nil {
 			slog.Error("import: create fave error", "error", err)
 			continue
@@ -213,6 +216,9 @@ func parseImportCSV(r io.Reader) ([]ExportFave, error) {
 		if idx, ok := colMap["url"]; ok && idx < len(row) {
 			f.URL = row[idx]
 		}
+		if idx, ok := colMap["notes"]; ok && idx < len(row) {
+			f.Notes = row[idx]
+		}
 		if idx, ok := colMap["privacy"]; ok && idx < len(row) {
 			f.Privacy = row[idx]
 		}
diff --git a/internal/handler/web_test.go b/internal/handler/web_test.go
index 5d5268a..6cda977 100644
--- a/internal/handler/web_test.go
+++ b/internal/handler/web_test.go
@@ -364,7 +364,7 @@ func TestEditFaveNotOwner(t *testing.T) {
 	h, mux := testServer(t)
 
 	userA, _ := h.deps.Users.Create("usera", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "public")
+	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "", "public")
 
 	cookieB := loginUser(t, h, "userb", "pass123", "user")
 
@@ -382,7 +382,7 @@ func TestDeleteFaveHTMX(t *testing.T) {
 	h, mux := testServer(t)
 
 	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(user.ID, "Delete me", "", "", "public")
+	fave, _ := h.deps.Faves.Create(user.ID, "Delete me", "", "", "", "public")
 	token, _ := h.deps.Sessions.Create(user.ID)
 	cookie := &http.Cookie{Name: "session", Value: token}
 
@@ -409,7 +409,7 @@ func TestDeleteFaveNotOwner(t *testing.T) {
 	h, mux := testServer(t)
 
 	userA, _ := h.deps.Users.Create("usera", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "public")
+	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "", "public")
 
 	cookieB := loginUser(t, h, "userb", "pass123", "user")
 
@@ -623,7 +623,7 @@ func TestAdminTags(t *testing.T) {
 
 	// Create a tag via a fave.
 	admin, _ := h.deps.Users.GetByUsername("admin")
-	fave, _ := h.deps.Faves.Create(admin.ID, "Test", "", "", "public")
+	fave, _ := h.deps.Faves.Create(admin.ID, "Test", "", "", "", "public")
 	h.deps.Tags.SetFaveTags(fave.ID, []string{"testmerke"})
 
 	req := httptest.NewRequest("GET", "/admin/tags", nil)
@@ -646,7 +646,7 @@ func TestUserFeed(t *testing.T) {
 
 	user, _ := h.deps.Users.Create("feeduser", "pass123", "user")
 	h.deps.Users.UpdateProfile(user.ID, "Feed User", "", "public", "public")
-	h.deps.Faves.Create(user.ID, "User fave", "", "", "public")
+	h.deps.Faves.Create(user.ID, "User fave", "", "", "", "public")
 
 	req := httptest.NewRequest("GET", "/u/feeduser/feed.xml", nil)
 	rr := httptest.NewRecorder()
@@ -668,8 +668,8 @@ func TestFeedExcludesPrivate(t *testing.T) {
 	h, mux := testServer(t)
 
 	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
-	h.deps.Faves.Create(user.ID, "Public fave", "", "", "public")
-	h.deps.Faves.Create(user.ID, "Secret fave", "", "", "private")
+	h.deps.Faves.Create(user.ID, "Public fave", "", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Secret fave", "", "", "", "private")
 
 	req := httptest.NewRequest("GET", "/feed.xml", nil)
 	rr := httptest.NewRecorder()
@@ -688,7 +688,7 @@ func TestTagFeed(t *testing.T) {
 	h, mux := testServer(t)
 
 	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(user.ID, "Tagged fave", "", "", "public")
+	fave, _ := h.deps.Faves.Create(user.ID, "Tagged fave", "", "", "", "public")
 	h.deps.Tags.SetFaveTags(fave.ID, []string{"golang"})
 
 	req := httptest.NewRequest("GET", "/tags/golang/feed.xml", nil)
@@ -725,7 +725,7 @@ func TestExportJSON(t *testing.T) {
 	cookie := loginUser(t, h, "testuser", "pass123", "user")
 
 	user, _ := h.deps.Users.GetByUsername("testuser")
-	fave, _ := h.deps.Faves.Create(user.ID, "Export me", "https://example.com", "", "public")
+	fave, _ := h.deps.Faves.Create(user.ID, "Export me", "https://example.com", "", "", "public")
 	h.deps.Tags.SetFaveTags(fave.ID, []string{"test"})
 
 	req := httptest.NewRequest("GET", "/export/json", nil)
@@ -759,7 +759,7 @@ func TestExportCSV(t *testing.T) {
 	cookie := loginUser(t, h, "testuser", "pass123", "user")
 
 	user, _ := h.deps.Users.GetByUsername("testuser")
-	h.deps.Faves.Create(user.ID, "CSV fave", "", "", "public")
+	h.deps.Faves.Create(user.ID, "CSV fave", "", "", "", "public")
 
 	req := httptest.NewRequest("GET", "/export/csv", nil)
 	req.AddCookie(cookie)
@@ -871,7 +871,7 @@ func TestProfileOwnerSeesPrivateFaves(t *testing.T) {
 	h, mux := testServer(t)
 
 	user, _ := h.deps.Users.Create("owner", "pass123", "user")
-	h.deps.Faves.Create(user.ID, "Private fave", "", "", "private")
+	h.deps.Faves.Create(user.ID, "Private fave", "", "", "", "private")
 	token, _ := h.deps.Sessions.Create(user.ID)
 	cookie := &http.Cookie{Name: "session", Value: token}
 
@@ -893,8 +893,8 @@ func TestProfileVisitorCannotSeePrivateFaves(t *testing.T) {
 
 	user, _ := h.deps.Users.Create("owner", "pass123", "user")
 	h.deps.Users.UpdateProfile(user.ID, "Owner", "", "public", "public")
-	h.deps.Faves.Create(user.ID, "Only public", "", "", "public")
-	h.deps.Faves.Create(user.ID, "Hidden secret", "", "", "private")
+	h.deps.Faves.Create(user.ID, "Only public", "", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Hidden secret", "", "", "", "private")
 
 	req := httptest.NewRequest("GET", "/u/owner", nil)
 	rr := httptest.NewRecorder()
@@ -915,7 +915,7 @@ func TestTagBrowse(t *testing.T) {
 	h, mux := testServer(t)
 
 	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(user.ID, "Tagged", "", "", "public")
+	fave, _ := h.deps.Faves.Create(user.ID, "Tagged", "", "", "", "public")
 	h.deps.Tags.SetFaveTags(fave.ID, []string{"golang"})
 
 	req := httptest.NewRequest("GET", "/tags/golang", nil)
@@ -949,7 +949,7 @@ func TestHomePageAuthenticated(t *testing.T) {
 	cookie := loginUser(t, h, "testuser", "pass123", "user")
 
 	user, _ := h.deps.Users.GetByUsername("testuser")
-	h.deps.Faves.Create(user.ID, "Home fave", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Home fave", "", "", "", "public")
 
 	req := httptest.NewRequest("GET", "/", nil)
 	req.AddCookie(cookie)
@@ -1074,7 +1074,7 @@ func TestTagSuggestionsNoInlineHandlers(t *testing.T) {
 	h, mux := testServer(t)
 
 	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(user.ID, "Test", "", "", "public")
+	fave, _ := h.deps.Faves.Create(user.ID, "Test", "", "", "", "public")
 	h.deps.Tags.SetFaveTags(fave.ID, []string{"golang", "goroutines"})
 
 	req := httptest.NewRequest("GET", "/tags/search?q=go", nil)
@@ -1117,7 +1117,7 @@ func TestDisplayNameFallbackToUsername(t *testing.T) {
 
 	// Create a user WITHOUT a display name and a public fave.
 	user, _ := h.deps.Users.GetByUsername("testuser")
-	h.deps.Faves.Create(user.ID, "Test fave", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Test fave", "", "", "", "public")
 
 	// The home page shows "av <display_name>" — with no display name set,
 	// it should fall back to the username.
diff --git a/internal/model/fave.go b/internal/model/fave.go
index 6b81290..beda156 100644
--- a/internal/model/fave.go
+++ b/internal/model/fave.go
@@ -10,6 +10,7 @@ type Fave struct {
 	Description string
 	URL         string
 	ImagePath   string
+	Notes       string
 	Privacy     string
 	Tags        []Tag
 	CreatedAt   time.Time
diff --git a/internal/store/fave.go b/internal/store/fave.go
index 70d9613..5888490 100644
--- a/internal/store/fave.go
+++ b/internal/store/fave.go
@@ -23,11 +23,11 @@ func NewFaveStore(db *sql.DB) *FaveStore {
 }
 
 // Create inserts a new fave and returns it with its ID populated.
-func (s *FaveStore) Create(userID int64, description, url, imagePath, privacy string) (*model.Fave, error) {
+func (s *FaveStore) Create(userID int64, description, url, imagePath, notes, privacy string) (*model.Fave, error) {
 	result, err := s.db.Exec(
-		`INSERT INTO faves (user_id, description, url, image_path, privacy)
-		VALUES (?, ?, ?, ?, ?)`,
-		userID, description, url, imagePath, privacy,
+		`INSERT INTO faves (user_id, description, url, image_path, notes, privacy)
+		VALUES (?, ?, ?, ?, ?, ?)`,
+		userID, description, url, imagePath, notes, privacy,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("insert fave: %w", err)
@@ -42,13 +42,13 @@ func (s *FaveStore) GetByID(id int64) (*model.Fave, error) {
 	f := &model.Fave{}
 	var createdAt, updatedAt string
 	err := s.db.QueryRow(
-		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.privacy,
+		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.notes, f.privacy,
 			f.created_at, f.updated_at, u.username, COALESCE(NULLIF(u.display_name, ''), u.username)
 		FROM faves f
 		JOIN users u ON u.id = f.user_id
 		WHERE f.id = ?`, id,
 	).Scan(
-		&f.ID, &f.UserID, &f.Description, &f.URL, &f.ImagePath, &f.Privacy,
+		&f.ID, &f.UserID, &f.Description, &f.URL, &f.ImagePath, &f.Notes, &f.Privacy,
 		&createdAt, &updatedAt, &f.Username, &f.DisplayName,
 	)
 	if errors.Is(err, sql.ErrNoRows) {
@@ -63,12 +63,12 @@ func (s *FaveStore) GetByID(id int64) (*model.Fave, error) {
 }
 
 // Update modifies an existing fave's fields.
-func (s *FaveStore) Update(id int64, description, url, imagePath, privacy string) error {
+func (s *FaveStore) Update(id int64, description, url, imagePath, notes, privacy string) error {
 	_, err := s.db.Exec(
-		`UPDATE faves SET description = ?, url = ?, image_path = ?, privacy = ?,
+		`UPDATE faves SET description = ?, url = ?, image_path = ?, notes = ?, privacy = ?,
 			updated_at = strftime('%Y-%m-%dT%H:%M:%SZ', 'now')
 		WHERE id = ?`,
-		description, url, imagePath, privacy, id,
+		description, url, imagePath, notes, privacy, id,
 	)
 	return err
 }
@@ -96,7 +96,7 @@ func (s *FaveStore) ListByUser(userID int64, limit, offset int) ([]*model.Fave,
 	}
 
 	rows, err := s.db.Query(
-		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.privacy,
+		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.notes, f.privacy,
 			f.created_at, f.updated_at, u.username, COALESCE(NULLIF(u.display_name, ''), u.username)
 		FROM faves f
 		JOIN users u ON u.id = f.user_id
@@ -125,7 +125,7 @@ func (s *FaveStore) ListPublicByUser(userID int64, limit, offset int) ([]*model.
 	}
 
 	rows, err := s.db.Query(
-		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.privacy,
+		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.notes, f.privacy,
 			f.created_at, f.updated_at, u.username, COALESCE(NULLIF(u.display_name, ''), u.username)
 		FROM faves f
 		JOIN users u ON u.id = f.user_id
@@ -152,7 +152,7 @@ func (s *FaveStore) ListPublic(limit, offset int) ([]*model.Fave, int, error) {
 	}
 
 	rows, err := s.db.Query(
-		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.privacy,
+		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.notes, f.privacy,
 			f.created_at, f.updated_at, u.username, COALESCE(NULLIF(u.display_name, ''), u.username)
 		FROM faves f
 		JOIN users u ON u.id = f.user_id
@@ -184,7 +184,7 @@ func (s *FaveStore) ListByTag(tagName string, limit, offset int) ([]*model.Fave,
 	}
 
 	rows, err := s.db.Query(
-		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.privacy,
+		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.notes, f.privacy,
 			f.created_at, f.updated_at, u.username, COALESCE(NULLIF(u.display_name, ''), u.username)
 		FROM faves f
 		JOIN users u ON u.id = f.user_id
@@ -261,7 +261,7 @@ func (s *FaveStore) scanFaves(rows *sql.Rows) ([]*model.Fave, error) {
 		f := &model.Fave{}
 		var createdAt, updatedAt string
 		err := rows.Scan(
-			&f.ID, &f.UserID, &f.Description, &f.URL, &f.ImagePath, &f.Privacy,
+			&f.ID, &f.UserID, &f.Description, &f.URL, &f.ImagePath, &f.Notes, &f.Privacy,
 			&createdAt, &updatedAt, &f.Username, &f.DisplayName,
 		)
 		if err != nil {
diff --git a/internal/store/fave_test.go b/internal/store/fave_test.go
index 7779b3d..f96ce8f 100644
--- a/internal/store/fave_test.go
+++ b/internal/store/fave_test.go
@@ -23,7 +23,7 @@ func TestFaveCRUD(t *testing.T) {
 	}
 
 	// Create a fave.
-	fave, err := faves.Create(user.ID, "Blade Runner 2049", "https://example.com", "", "public")
+	fave, err := faves.Create(user.ID, "Blade Runner 2049", "https://example.com", "", "", "public")
 	if err != nil {
 		t.Fatalf("create fave: %v", err)
 	}
@@ -44,7 +44,7 @@ func TestFaveCRUD(t *testing.T) {
 	}
 
 	// Update.
-	err = faves.Update(fave.ID, "Blade Runner 2049 (Final Cut)", "https://example.com/br2049", "", "private")
+	err = faves.Update(fave.ID, "Blade Runner 2049 (Final Cut)", "https://example.com/br2049", "", "", "private")
 	if err != nil {
 		t.Fatalf("update fave: %v", err)
 	}
@@ -107,6 +107,49 @@ func TestFaveCRUD(t *testing.T) {
 	}
 }
 
+func TestFaveNotes(t *testing.T) {
+	db := testDB(t)
+	users := NewUserStore(db)
+	faves := NewFaveStore(db)
+
+	Argon2Memory = 1024
+	Argon2Time = 1
+	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
+
+	user, _ := users.Create("testuser", "password123", "user")
+
+	// Create with notes.
+	fave, err := faves.Create(user.ID, "Film", "https://example.com", "", "En fantastisk film", "public")
+	if err != nil {
+		t.Fatalf("create fave with notes: %v", err)
+	}
+	if fave.Notes != "En fantastisk film" {
+		t.Errorf("notes = %q, want %q", fave.Notes, "En fantastisk film")
+	}
+
+	// Update notes.
+	err = faves.Update(fave.ID, fave.Description, fave.URL, fave.ImagePath, "Oppdatert anmeldelse", fave.Privacy)
+	if err != nil {
+		t.Fatalf("update notes: %v", err)
+	}
+	updated, _ := faves.GetByID(fave.ID)
+	if updated.Notes != "Oppdatert anmeldelse" {
+		t.Errorf("updated notes = %q", updated.Notes)
+	}
+
+	// Notes appear in list queries.
+	list, _, _ := faves.ListByUser(user.ID, 10, 0)
+	if len(list) != 1 || list[0].Notes != "Oppdatert anmeldelse" {
+		t.Error("notes should be loaded in list queries")
+	}
+
+	// Empty notes by default.
+	fave2, _ := faves.Create(user.ID, "No notes", "", "", "", "public")
+	if fave2.Notes != "" {
+		t.Errorf("default notes = %q, want empty", fave2.Notes)
+	}
+}
+
 func TestListByTag(t *testing.T) {
 	db := testDB(t)
 	users := NewUserStore(db)
@@ -120,9 +163,9 @@ func TestListByTag(t *testing.T) {
 	user, _ := users.Create("testuser", "password123", "user")
 
 	// Create two public faves with overlapping tags.
-	f1, _ := faves.Create(user.ID, "Fave 1", "", "", "public")
-	f2, _ := faves.Create(user.ID, "Fave 2", "", "", "public")
-	f3, _ := faves.Create(user.ID, "Private Fave", "", "", "private")
+	f1, _ := faves.Create(user.ID, "Fave 1", "", "", "", "public")
+	f2, _ := faves.Create(user.ID, "Fave 2", "", "", "", "public")
+	f3, _ := faves.Create(user.ID, "Private Fave", "", "", "", "private")
 
 	tags.SetFaveTags(f1.ID, []string{"music", "jazz"})
 	tags.SetFaveTags(f2.ID, []string{"music", "rock"})
@@ -154,7 +197,7 @@ func TestFavePagination(t *testing.T) {
 
 	// Create 5 faves.
 	for i := 0; i < 5; i++ {
-		faves.Create(user.ID, "Fave "+string(rune('A'+i)), "", "", "public")
+		faves.Create(user.ID, "Fave "+string(rune('A'+i)), "", "", "", "public")
 	}
 
 	// Page 1 with limit 2.
diff --git a/internal/store/tag_test.go b/internal/store/tag_test.go
index 1e967fd..3d0d4a8 100644
--- a/internal/store/tag_test.go
+++ b/internal/store/tag_test.go
@@ -42,8 +42,8 @@ func TestTagSearch(t *testing.T) {
 	user, _ := users.Create("testuser", "password123", "user")
 
 	// Create some tags via faves to give them usage counts.
-	f1, _ := faves.Create(user.ID, "F1", "", "", "public")
-	f2, _ := faves.Create(user.ID, "F2", "", "", "public")
+	f1, _ := faves.Create(user.ID, "Fave 1", "", "", "", "public")
+	f2, _ := faves.Create(user.ID, "Fave 2", "", "", "", "public")
 
 	tags.SetFaveTags(f1.ID, []string{"music", "movies", "misc"})
 	tags.SetFaveTags(f2.ID, []string{"music", "manga"})
@@ -94,7 +94,7 @@ func TestTagSetFaveTagsLimit(t *testing.T) {
 	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
 
 	user, _ := users.Create("testuser", "password123", "user")
-	fave, _ := faves.Create(user.ID, "Test", "", "", "public")
+	fave, _ := faves.Create(user.ID, "Test", "", "", "", "public")
 
 	// Try to set more than MaxTagsPerFave tags.
 	manyTags := make([]string, 30)
@@ -124,7 +124,7 @@ func TestTagCleanupOrphans(t *testing.T) {
 	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
 
 	user, _ := users.Create("testuser", "password123", "user")
-	fave, _ := faves.Create(user.ID, "Test", "", "", "public")
+	fave, _ := faves.Create(user.ID, "Test", "", "", "", "public")
 
 	tags.SetFaveTags(fave.ID, []string{"keep", "orphan"})
 
diff --git a/web/templates/pages/fave_detail.html b/web/templates/pages/fave_detail.html
index ea671b5..74aa810 100644
--- a/web/templates/pages/fave_detail.html
+++ b/web/templates/pages/fave_detail.html
@@ -2,7 +2,13 @@
 {{with .Data}}{{with .Fave}}
     {{if eq .Privacy "public"}}
         <meta property="og:title" content="{{truncate 70 .Description}}">
-        <meta property="og:description" content="En favoritt av {{.DisplayName}} på {{$.SiteName}}">
+        {{if .Notes}}
+            <meta property="og:description" content="{{truncate 200 .Notes}}">
+        {{else if .URL}}
+            <meta property="og:description" content="{{.URL}}">
+        {{else}}
+            <meta property="og:description" content="En favoritt av {{.DisplayName}} på {{$.SiteName}}">
+        {{end}}
         <meta property="og:type" content="article">
         {{if $.ExternalURL}}
             <meta property="og:url" content="{{$.ExternalURL}}/faves/{{.ID}}">
@@ -45,6 +51,10 @@
                 <p><a href="{{.URL}}" target="_blank" rel="noopener noreferrer">{{.URL}}</a></p>
             {{end}}
 
+            {{if .Notes}}
+                <div class="fave-notes">{{.Notes}}</div>
+            {{end}}
+
             {{if .Tags}}
                 <p>
                     {{range .Tags}}
diff --git a/web/templates/pages/fave_form.html b/web/templates/pages/fave_form.html
index 5dcc665..4b1cd20 100644
--- a/web/templates/pages/fave_form.html
+++ b/web/templates/pages/fave_form.html
@@ -30,6 +30,13 @@
                        placeholder="https://...">
             </label>
 
+            <label for="notes">
+                Notater (valgfri)
+                <textarea id="notes" name="notes"
+                          rows="4"
+                          placeholder="Utfyllende tekst, anmeldelse, tanker...">{{.Notes}}</textarea>
+            </label>
+
             <label for="image">
                 Bilde (valgfri)
                 <input type="file" id="image" name="image"