From ab07a7f93fe0edd0f11d1438799089d1a3439521 Mon Sep 17 00:00:00 2001
From: Ole-Morten Duesund <olemd@glemt.net>
Date: Sun, 29 Mar 2026 19:18:14 +0200
Subject: [PATCH 01/14] fix: use envsubst for nfpm variable expansion in
 Makefile

nfpm v2 does not expand ${VAR} in contents.src fields. The deb/rpm
targets now pipe nfpm.yaml through envsubst to resolve ARCH and
VERSION before passing the config to nfpm.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 Makefile | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/Makefile b/Makefile
index 2c64c94..fb02f84 100644
--- a/Makefile
+++ b/Makefile
@@ -29,24 +29,30 @@ build-all: $(DIST)
 			./cmd/favoritter; \
 	done
 
-## Build .deb packages (requires nfpm)
+## Build .deb packages (requires nfpm and envsubst)
 deb: build-all
 	@for platform in $(PLATFORMS); do \
 		arch=$${platform##*/}; \
 		echo "Packaging deb for $$arch..."; \
-		ARCH=$$arch VERSION=$(VERSION) nfpm package \
+		ARCH=$$arch VERSION=$(VERSION) envsubst < nfpm.yaml > $(DIST)/nfpm-$$arch.yaml; \
+		nfpm package \
+			--config $(DIST)/nfpm-$$arch.yaml \
 			--packager deb \
 			--target $(DIST)/favoritter_$(VERSION)_$${arch}.deb; \
+		rm -f $(DIST)/nfpm-$$arch.yaml; \
 	done
 
-## Build .rpm packages (requires nfpm)
+## Build .rpm packages (requires nfpm and envsubst)
 rpm: build-all
 	@for platform in $(PLATFORMS); do \
 		arch=$${platform##*/}; \
 		echo "Packaging rpm for $$arch..."; \
-		ARCH=$$arch VERSION=$(VERSION) nfpm package \
+		ARCH=$$arch VERSION=$(VERSION) envsubst < nfpm.yaml > $(DIST)/nfpm-$$arch.yaml; \
+		nfpm package \
+			--config $(DIST)/nfpm-$$arch.yaml \
 			--packager rpm \
 			--target $(DIST)/favoritter_$(VERSION)_$${arch}.rpm; \
+		rm -f $(DIST)/nfpm-$$arch.yaml; \
 	done
 
 ## Build container image

From 3341e9a8188c69b89f479430301fd9188173c446 Mon Sep 17 00:00:00 2001
From: Ole-Morten Duesund <olemd@glemt.net>
Date: Sun, 29 Mar 2026 19:26:29 +0200
Subject: [PATCH 02/14] fix: preserve systemd enable/disable state on package
 upgrade

The preremove script was unconditionally stopping and disabling the
service, which meant upgrades (dpkg -i new.deb) would disable the
service. Users had to manually re-enable after every upgrade.

Now:
- preremove: only stop+disable on actual removal (not upgrade)
  Checks $1 for "remove"/"purge" (deb) or "0" (rpm)
- postinstall: restart the service on upgrade if it was running,
  preserving enable/disable state. Only shows first-install
  instructions on initial install.

Tested with shellcheck.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 dist/postinstall.sh | 26 ++++++++++++++++++++++----
 dist/preremove.sh   | 31 ++++++++++++++++++++++++++-----
 2 files changed, 48 insertions(+), 9 deletions(-)

diff --git a/dist/postinstall.sh b/dist/postinstall.sh
index dd6c02d..e65399b 100755
--- a/dist/postinstall.sh
+++ b/dist/postinstall.sh
@@ -1,6 +1,9 @@
 #!/bin/sh
 # Post-install script for Favoritter .deb/.rpm package.
-# Creates the system user and sets directory permissions.
+# Creates the system user, sets directory permissions, and handles upgrades.
+#
+# Debian/Ubuntu: called with "configure" on install/upgrade.
+# RPM: called with 1 on first install, 2+ on upgrade.
 set -e
 
 # Create system user if it doesn't exist.
@@ -12,10 +15,25 @@ fi
 install -d -o favoritter -g favoritter -m 0750 /var/lib/favoritter
 install -d -o favoritter -g favoritter -m 0750 /var/lib/favoritter/uploads
 
-# Reload systemd to pick up the service file.
+# Reload systemd to pick up any service file changes.
 if command -v systemctl >/dev/null 2>&1; then
     systemctl daemon-reload
+
+    # On upgrade: restart the service if it was running.
+    # This picks up the new binary without losing enable/disable state.
+    if systemctl is-active --quiet favoritter 2>/dev/null; then
+        systemctl restart favoritter
+    fi
 fi
 
-echo "Favoritter installed. Configure /etc/favoritter/favoritter.env then run:"
-echo "  sudo systemctl enable --now favoritter"
+# Only show the setup message on first install (not upgrades).
+action="${1:-}"
+case "$action" in
+    # Debian first install or RPM first install ($1=1).
+    configure|1)
+        if ! systemctl is-enabled --quiet favoritter 2>/dev/null; then
+            echo "Favoritter installed. Configure /etc/favoritter/favoritter.env then run:"
+            echo "  sudo systemctl enable --now favoritter"
+        fi
+        ;;
+esac
diff --git a/dist/preremove.sh b/dist/preremove.sh
index 8e930f5..31e7a59 100755
--- a/dist/preremove.sh
+++ b/dist/preremove.sh
@@ -1,9 +1,30 @@
 #!/bin/sh
 # Pre-remove script for Favoritter .deb/.rpm package.
-# Stops the service before package removal.
+# Only stops and disables the service on actual removal, not on upgrade.
+#
+# Debian/Ubuntu: called with "remove" on uninstall, "upgrade" on upgrade.
+# RPM (Fedora/RHEL): called with 0 on final removal, 1+ on upgrade.
 set -e
 
-if command -v systemctl >/dev/null 2>&1; then
-    systemctl stop favoritter 2>/dev/null || true
-    systemctl disable favoritter 2>/dev/null || true
-fi
+action="${1:-}"
+
+case "$action" in
+    # Debian: full removal.
+    remove|purge)
+        if command -v systemctl >/dev/null 2>&1; then
+            systemctl stop favoritter 2>/dev/null || true
+            systemctl disable favoritter 2>/dev/null || true
+        fi
+        ;;
+    # RPM: $1 is the number of remaining installations.
+    0)
+        if command -v systemctl >/dev/null 2>&1; then
+            systemctl stop favoritter 2>/dev/null || true
+            systemctl disable favoritter 2>/dev/null || true
+        fi
+        ;;
+    # Debian "upgrade" or RPM "1+" — do nothing, the service stays running.
+    # The new postinstall will daemon-reload and restart.
+    *)
+        ;;
+esac

From f4480dd510f7b2bd214e03a773439a064f47eee0 Mon Sep 17 00:00:00 2001
From: Ole-Morten Duesund <olemd@glemt.net>
Date: Sun, 29 Mar 2026 19:28:22 +0200
Subject: [PATCH 03/14] fix: remove chatty install message from postinstall
 script

README already documents the setup steps. Package install scripts
should be silent on success.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 dist/postinstall.sh | 11 -----------
 1 file changed, 11 deletions(-)

diff --git a/dist/postinstall.sh b/dist/postinstall.sh
index e65399b..a79c611 100755
--- a/dist/postinstall.sh
+++ b/dist/postinstall.sh
@@ -26,14 +26,3 @@ if command -v systemctl >/dev/null 2>&1; then
     fi
 fi
 
-# Only show the setup message on first install (not upgrades).
-action="${1:-}"
-case "$action" in
-    # Debian first install or RPM first install ($1=1).
-    configure|1)
-        if ! systemctl is-enabled --quiet favoritter 2>/dev/null; then
-            echo "Favoritter installed. Configure /etc/favoritter/favoritter.env then run:"
-            echo "  sudo systemctl enable --now favoritter"
-        fi
-        ;;
-esac

From 0a77935d4dd1f8c0f0e392de19597a40c55146a7 Mon Sep 17 00:00:00 2001
From: Ole-Morten Duesund <olemd@glemt.net>
Date: Sun, 29 Mar 2026 19:33:24 +0200
Subject: [PATCH 04/14] docs: add PLANS.md with roadmap for v1.1, v1.2, and
 future

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 PLANS.md | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 PLANS.md

diff --git a/PLANS.md b/PLANS.md
new file mode 100644
index 0000000..3823aca
--- /dev/null
+++ b/PLANS.md
@@ -0,0 +1,37 @@
+# Planer for Favoritter
+
+## v1.1
+
+### Fulltekstsøk
+Søk på tvers av favoritter med SQLite FTS5. Indekser beskrivelse, URL og merkelapper. Søkefelt i navigasjonen og egen søkeside med resultater.
+
+### Feltspesifikke valideringsfeil
+Skjemafeil vises i dag som flash-melding øverst på siden. Bør i tillegg markere det aktuelle feltet med `aria-invalid="true"` og vise feilmelding direkte ved feltet med `aria-describedby`. Viktig for universell utforming.
+
+### Mørk modus
+Pico CSS støtter `data-theme="dark"` og `data-theme="light"`. Legg til brukerinnstilling som lagres i profilen, og respekter `prefers-color-scheme` som standard.
+
+### API-tokens
+Personlige API-tokens som alternativ til session cookie for tredjepartsklienter og automatisering. Administreres fra brukerinnstillinger.
+
+### Databasebackup (admin)
+Endepunkt i administrasjonspanelet for å laste ned SQLite-databasen direkte. Nyttig for enkel backup av selvhostede installasjoner.
+
+## v1.2+
+
+### Masseoperasjoner
+Velg flere favoritter og utfør handlinger: slett, endre synlighet, legg til/fjern merkelapper.
+
+### Angre sletting
+Soft delete med 30-dagers oppbevaringsperiode. Slettede favoritter kan gjenopprettes fra en «papirkurv»-visning.
+
+### Internasjonalisering (i18n)
+All brukervendt tekst er hardkodet bokmål i dag. Innfør et i18n-rammeverk med støtte for minst norsk bokmål og engelsk.
+
+### Prometheus-metrikker
+`/metrics`-endepunkt for overvåking. Antall brukere, favoritter, forespørsler per sekund, responstider, databasestørrelse.
+
+## Fremtid
+
+### WebFinger / ActivityPub
+Fødererte favoritter — del favoritter på tvers av Favoritter-installasjoner og andre ActivityPub-kompatible tjenester. Ambisiøst, men passer AGPL-filosofien og det selvhostede økosystemet.

From 9c3ca14578839848ee2aafe812932a9c92bd9f3f Mon Sep 17 00:00:00 2001
From: Ole-Morten Duesund <olemd@glemt.net>
Date: Sat, 4 Apr 2026 00:17:38 +0200
Subject: [PATCH 05/14] fix: resolve tag autocomplete click bug and display
 name fallback

Tag autocomplete suggestions were silently broken by CSP (script-src
'self') which blocks inline event handlers. Replaced onclick attributes
with data-tag-name + delegated mousedown/touchend listeners in app.js.
Also changed hx-params="*" to hx-params="none" to avoid sending
unrelated form fields to the search endpoint.

Display name in "av <name>" on fave cards was empty for users without
a custom display name. Changed SQL queries to use
COALESCE(NULLIF(u.display_name, ''), u.username) for automatic fallback.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 internal/store/fave.go                      | 10 ++++-----
 web/static/js/app.js                        | 24 +++++++++++++++++++--
 web/templates/pages/fave_form.html          |  2 +-
 web/templates/partials/tag_suggestions.html |  2 +-
 4 files changed, 29 insertions(+), 9 deletions(-)

diff --git a/internal/store/fave.go b/internal/store/fave.go
index b429581..70d9613 100644
--- a/internal/store/fave.go
+++ b/internal/store/fave.go
@@ -43,7 +43,7 @@ func (s *FaveStore) GetByID(id int64) (*model.Fave, error) {
 	var createdAt, updatedAt string
 	err := s.db.QueryRow(
 		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.privacy,
-			f.created_at, f.updated_at, u.username, u.display_name
+			f.created_at, f.updated_at, u.username, COALESCE(NULLIF(u.display_name, ''), u.username)
 		FROM faves f
 		JOIN users u ON u.id = f.user_id
 		WHERE f.id = ?`, id,
@@ -97,7 +97,7 @@ func (s *FaveStore) ListByUser(userID int64, limit, offset int) ([]*model.Fave,
 
 	rows, err := s.db.Query(
 		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.privacy,
-			f.created_at, f.updated_at, u.username, u.display_name
+			f.created_at, f.updated_at, u.username, COALESCE(NULLIF(u.display_name, ''), u.username)
 		FROM faves f
 		JOIN users u ON u.id = f.user_id
 		WHERE f.user_id = ?
@@ -126,7 +126,7 @@ func (s *FaveStore) ListPublicByUser(userID int64, limit, offset int) ([]*model.
 
 	rows, err := s.db.Query(
 		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.privacy,
-			f.created_at, f.updated_at, u.username, u.display_name
+			f.created_at, f.updated_at, u.username, COALESCE(NULLIF(u.display_name, ''), u.username)
 		FROM faves f
 		JOIN users u ON u.id = f.user_id
 		WHERE f.user_id = ? AND f.privacy = 'public'
@@ -153,7 +153,7 @@ func (s *FaveStore) ListPublic(limit, offset int) ([]*model.Fave, int, error) {
 
 	rows, err := s.db.Query(
 		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.privacy,
-			f.created_at, f.updated_at, u.username, u.display_name
+			f.created_at, f.updated_at, u.username, COALESCE(NULLIF(u.display_name, ''), u.username)
 		FROM faves f
 		JOIN users u ON u.id = f.user_id
 		WHERE f.privacy = 'public'
@@ -185,7 +185,7 @@ func (s *FaveStore) ListByTag(tagName string, limit, offset int) ([]*model.Fave,
 
 	rows, err := s.db.Query(
 		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.privacy,
-			f.created_at, f.updated_at, u.username, u.display_name
+			f.created_at, f.updated_at, u.username, COALESCE(NULLIF(u.display_name, ''), u.username)
 		FROM faves f
 		JOIN users u ON u.id = f.user_id
 		JOIN fave_tags ft ON ft.fave_id = f.id
diff --git a/web/static/js/app.js b/web/static/js/app.js
index a1d061c..3e5e40b 100644
--- a/web/static/js/app.js
+++ b/web/static/js/app.js
@@ -70,6 +70,26 @@
     // --- Tag autocomplete combobox pattern ---
     var activeIndex = -1;
 
+    // Delegated event handler for tag suggestion selection.
+    // Uses mousedown (not click) to fire before blur removes the element.
+    // Uses touchend for mobile support. Both prevent default to keep
+    // the tags input focused. Inline handlers (onclick/onmousedown) are
+    // blocked by CSP script-src 'self', so we must use addEventListener.
+    document.addEventListener("mousedown", function (event) {
+        var li = event.target.closest("[data-tag-name]");
+        if (li) {
+            event.preventDefault();
+            addTag(null, li.getAttribute("data-tag-name"));
+        }
+    });
+    document.addEventListener("touchend", function (event) {
+        var li = event.target.closest("[data-tag-name]");
+        if (li) {
+            event.preventDefault();
+            addTag(null, li.getAttribute("data-tag-name"));
+        }
+    });
+
     // Handle keyboard navigation in the tag suggestions listbox.
     document.addEventListener("keydown", function (event) {
         var input = document.getElementById("tags");
@@ -152,7 +172,7 @@
     }
 
     // Add a selected tag to the tag input.
-    window.addTag = function (element, tagName) {
+    function addTag(element, tagName) {
         var input = document.getElementById("tags");
         if (!input) return;
 
@@ -162,7 +182,7 @@
         input.focus();
 
         closeSuggestions();
-    };
+    }
 
     function getCookie(name) {
         var match = document.cookie.match(new RegExp("(^| )" + name + "=([^;]+)"));
diff --git a/web/templates/pages/fave_form.html b/web/templates/pages/fave_form.html
index d1e08d8..5dcc665 100644
--- a/web/templates/pages/fave_form.html
+++ b/web/templates/pages/fave_form.html
@@ -64,7 +64,7 @@
                        hx-get="{{basePath}}/tags/search"
                        hx-trigger="keyup changed delay:300ms"
                        hx-target="#tag-suggestions"
-                       hx-params="*"
+                       hx-params="none"
                        hx-vals='{"q": ""}'>
                 <small id="tags-help">Skriv for å søke i eksisterende merkelapper. Maks {{maxTags}} stk. Bruk piltaster for å velge.</small>
             </label>
diff --git a/web/templates/partials/tag_suggestions.html b/web/templates/partials/tag_suggestions.html
index 22911e1..1b833b6 100644
--- a/web/templates/partials/tag_suggestions.html
+++ b/web/templates/partials/tag_suggestions.html
@@ -2,6 +2,6 @@
     id="tag-option-{{$i}}"
     class="tag-suggestion"
     aria-selected="false"
-    onclick="addTag(this, '{{$tag.Name}}')"
+    data-tag-name="{{$tag.Name}}"
     tabindex="-1">{{$tag.Name}}</li>
 {{end}}

From a8f3aa6f7e5c4f218f2ffa35f96895e6ac6d214a Mon Sep 17 00:00:00 2001
From: Ole-Morten Duesund <olemd@glemt.net>
Date: Sat, 4 Apr 2026 00:18:01 +0200
Subject: [PATCH 06/14] =?UTF-8?q?test:=20add=20comprehensive=20test=20suit?=
 =?UTF-8?q?e=20(44=20=E2=86=92=20169=20tests)=20and=20v1.1=20plan?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add 125 new test functions across 10 new test files, covering:
- CSRF middleware (8 tests): double-submit cookie validation
- Auth middleware (12 tests): SessionLoader, RequireAdmin, context helpers
- API handlers (28 tests): auth, faves CRUD, tags, users, export/import
- Web handlers (41 tests): signup, login, password reset, fave CRUD,
  admin panel, feeds, import/export, profiles, settings
- Config (8 tests): env parsing, defaults, trusted proxies, normalization
- Database (6 tests): migrations, PRAGMAs, idempotency, seeding
- Image processing (10 tests): JPEG/PNG, resize, EXIF strip, path traversal
- Render (6 tests): page/error/partial rendering, template functions
- Settings store (3 tests): CRUD operations
- Regression tests for display name fallback and CSP-safe autocomplete

Also adds CSRF middleware to testServer chain for end-to-end CSRF
verification, TESTPLAN.md documenting coverage, and PLANS-v1.1.md
with implementation plans for notes+OG, PWA, editing UX, and admin.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 PLANS-v1.1.md                      |  316 ++++++++
 TESTPLAN.md                        |  388 ++++++++++
 internal/config/config_test.go     |  204 +++++
 internal/database/database_test.go |  140 ++++
 internal/handler/api/api_test.go   |  663 ++++++++++++++++
 internal/handler/handler_test.go   |    4 +-
 internal/handler/web_test.go       | 1153 ++++++++++++++++++++++++++++
 internal/image/image_test.go       |  234 ++++++
 internal/middleware/auth_test.go   |  299 ++++++++
 internal/middleware/csrf_test.go   |  185 +++++
 internal/render/render_test.go     |  161 ++++
 internal/store/settings_test.go    |   75 ++
 12 files changed, 3820 insertions(+), 2 deletions(-)
 create mode 100644 PLANS-v1.1.md
 create mode 100644 TESTPLAN.md
 create mode 100644 internal/config/config_test.go
 create mode 100644 internal/database/database_test.go
 create mode 100644 internal/handler/api/api_test.go
 create mode 100644 internal/handler/web_test.go
 create mode 100644 internal/image/image_test.go
 create mode 100644 internal/middleware/auth_test.go
 create mode 100644 internal/middleware/csrf_test.go
 create mode 100644 internal/render/render_test.go
 create mode 100644 internal/store/settings_test.go

diff --git a/PLANS-v1.1.md b/PLANS-v1.1.md
new file mode 100644
index 0000000..369bd37
--- /dev/null
+++ b/PLANS-v1.1.md
@@ -0,0 +1,316 @@
+# Implementeringsplan v1.1 — Favoritter
+
+Fire funksjoner som utvider Favoritter med notater og OG-metadata, PWA-installering med Android-delingsstøtte, bedre redigeringsflyt, og utvidede admin-verktøy.
+
+## Oversikt
+
+| # | Funksjon | Omfang | Avhengigheter |
+|---|----------|--------|---------------|
+| 1 | OG-støtte + fritekstfelt (notes) | Migrasjon, modell, store, alle handlere, maler, eksport/import, feed | Ingen |
+| 2 | PWA + Android share intent | Service worker, manifest, nye handlere, base-mal, JS | Avhenger av 1 (deling pre-fyller notes) |
+| 3 | Redigeringsforbedringer (UX) | Maler, CSS, ny toggle-rute, ny partial | Avhenger av 1 (notes vises i kort) |
+| 4 | Admin-forbedringer | Store, handlere, maler, ruter | Ingen |
+
+---
+
+## Funksjon 1: OG-støtte + fritekstfelt (notes)
+
+### Beskrivelse
+
+Legger til et valgfritt langtekstfelt «notes» på hver favoritt. Forbedrer Open Graph-metatagger på detaljsiden slik at `og:description` bruker notes når det er tilgjengelig.
+
+### Berørte filer
+
+| Fil | Endring |
+|-----|---------|
+| `internal/database/migrations/002_add_fave_notes.sql` | Ny fil: ALTER TABLE faves ADD COLUMN notes |
+| `internal/model/fave.go` | Legg til `Notes string` i Fave-struct |
+| `internal/store/fave.go` | Oppdater alle SQL-spørringer, Create/Update-signaturer, scanFaves |
+| `internal/handler/fave.go` | Les notes fra skjema i create/edit/update |
+| `internal/handler/api/api.go` | Legg til notes i request/response-structs og faveJSON |
+| `internal/handler/import_export.go` | Legg til notes i ExportFave, CSV-kolonner, import |
+| `internal/handler/feed.go` | Bruk notes som feed item description |
+| `web/templates/pages/fave_form.html` | Legg til textarea for notes mellom URL og bilde |
+| `web/templates/pages/fave_detail.html` | Vis notes, forbedre og:description |
+
+### Migrasjons-SQL
+
+```sql
+-- 002_add_fave_notes.sql
+-- Legger til et valgfritt notatfelt på favoritter.
+ALTER TABLE faves ADD COLUMN notes TEXT NOT NULL DEFAULT '';
+```
+
+### Implementeringssteg
+
+1. **Migrasjon**: Opprett `internal/database/migrations/002_add_fave_notes.sql`
+2. **Modell**: Legg til `Notes string` etter `ImagePath` i `model.Fave`
+3. **Store — Create**: Endre signatur til `Create(userID, description, url, imagePath, notes, privacy)`, oppdater INSERT
+4. **Store — GetByID**: Legg til `f.notes` i SELECT og `&f.Notes` i Scan
+5. **Store — Update**: Endre signatur, legg til `notes = ?` i UPDATE
+6. **Store — Alle list-metoder**: Legg til `f.notes` i SELECT for `ListByUser`, `ListPublicByUser`, `ListPublic`, `ListByTag`
+7. **Store — scanFaves**: Legg til `&f.Notes` i Scan
+8. **Handler — fave.go**: Les `notes` fra form i `handleFaveCreate` og `handleFaveUpdate`. Pass `fave.Notes` i `handleFaveEdit` template data
+9. **Handler — api/api.go**: Legg til `Notes` i request/response-structs, `faveJSON`, import
+10. **Handler — import_export.go**: Legg til notes i `ExportFave`, CSV header/rader, import-parsing
+11. **Handler — feed.go**: Sett `item.Description = f.Notes` når det ikke er tomt i `favesToFeedItems`
+12. **Template — fave_form.html**: Legg til `<textarea id="notes" name="notes">` mellom URL og bilde
+13. **Template — fave_detail.html**: Vis `{{if .Notes}}<div class="fave-notes">{{.Notes}}</div>{{end}}`, forbedre `og:description`:
+
+```html
+{{if .Notes}}
+    <meta property="og:description" content="{{truncate 200 .Notes}}">
+{{else if .URL}}
+    <meta property="og:description" content="{{.URL}}">
+{{else}}
+    <meta property="og:description" content="En favoritt av {{.DisplayName}} på {{$.SiteName}}">
+{{end}}
+```
+
+### Tester
+
+- Oppdater `TestFaveCRUD` (Create/Update-kall med notes)
+- Ny `TestFaveNotes` (CRUD med notes-felt)
+- Oppdater API CRUD-tester, ny `TestAPICreateFaveWithNotes`
+- ~5 nye, ~7 endrede
+
+---
+
+## Funksjon 2: PWA + Android share intent
+
+### Beskrivelse
+
+Gjør Favoritter installerbar som Progressive Web App med offline-støtte for statiske ressurser. Web Share Target API lar Android-brukere dele lenker direkte til Favoritter fra hvilken som helst app.
+
+### Berørte filer
+
+| Fil | Endring |
+|-----|---------|
+| `web/static/sw.js` | Ny fil: Service worker (cache-first statisk, network-first HTML) |
+| `web/static/icons/icon-192.png` | Ny fil: PWA-ikon 192x192 |
+| `web/static/icons/icon-512.png` | Ny fil: PWA-ikon 512x512 |
+| `web/static/icons/icon-512-maskable.png` | Ny fil: Maskable ikon for Android |
+| `internal/handler/pwa.go` | Ny fil: 3 handlere (manifest, SW, share) |
+| `internal/handler/handler.go` | 3 nye ruter |
+| `internal/handler/fave.go` | `handleFaveNew` leser url/description/notes fra query-parametre |
+| `web/templates/layouts/base.html` | Manifest-link, theme-color, base-path meta |
+| `web/static/js/app.js` | SW-registrering |
+
+### Implementeringssteg
+
+1. **Ikoner**: Opprett `web/static/icons/` med 192px, 512px, 512px-maskable PNG-er
+2. **Service worker** (`web/static/sw.js`): Bruk `{{BASE_PATH}}`-plassholder, cache-first for `/static/`, network-first for HTML
+3. **pwa.go — handleManifest**: Dynamisk JSON med BasePath injisert i `start_url`, `scope`, ikonruter og `share_target.action`. Share target bruker **GET** for å unngå CSRF-problemer
+4. **pwa.go — handleServiceWorker**: Les sw.js fra embedded FS, erstatt `{{BASE_PATH}}`, sett `Cache-Control: no-cache`
+5. **pwa.go — handleShare**: GET-handler bak `requireLogin`. Les `url`, `text`, `title` fra query. Mange Android-apper sender URL i `text`-feltet — sjekk begge. Redirect til `/faves/new?url=...&description=...&notes=...`
+6. **Ruter**: `GET /manifest.json` (offentlig), `GET /sw.js` (offentlig), `GET /share` (krever login)
+7. **handleFaveNew**: Les `url`, `description`, `notes` fra query-parametre for pre-fill
+8. **base.html**: `<meta name="theme-color" content="#1095c1">`, `<link rel="manifest">`, `<meta name="base-path">`
+9. **app.js**: SW-registrering via `navigator.serviceWorker.register()`, les base-path fra meta-tag
+
+### Designbeslutninger
+
+- **GET for share target**: Android kan ikke levere CSRF-tokens, så POST er utelukket. GET-handler redirecter til fave-skjema
+- **Dynamisk manifest**: Nødvendig for å injisere BasePath korrekt ved subpath-deployment
+- **SW Cache-Control: no-cache**: Nettleseren må kunne sjekke for oppdateringer
+
+### Tester
+
+- `TestManifestJSON`, `TestServiceWorkerContent`, `TestServiceWorkerBasePath`
+- `TestShareRedirectsToFaveNew`, `TestShareTextFieldFallback`, `TestShareRequiresLogin`
+- ~6 nye
+
+---
+
+## Funksjon 3: Redigeringsforbedringer (UX)
+
+### Beskrivelse
+
+Backend-redigering fungerer allerede (rediger, slett, personvernveksling). Problemet er at handlingene kun er synlige på detaljsiden. Denne funksjonen gjør dem tilgjengelige fra listevisninger.
+
+### Tier 1 — Synlige handlinger i listevisninger
+
+| Fil | Endring |
+|-----|---------|
+| `web/templates/pages/fave_list.html` | Legg til rediger/slett-knapper i hver card footer |
+| `web/templates/pages/profile.html` | Legg til rediger-lenke for eiers egne kort |
+| `web/static/css/style.css` | Kompakte `.fave-card-actions`-stiler |
+
+**fave_list.html**: Legg til etter tags-footer, før `</article>`:
+```html
+<footer class="fave-card-actions">
+    <a href="{{basePath}}/faves/{{.ID}}/edit" class="fave-action-link">Rediger</a>
+    <button hx-delete="{{basePath}}/faves/{{.ID}}"
+            hx-confirm="Er du sikker på at du vil slette denne favoritten?"
+            hx-target="closest article" hx-swap="outerHTML"
+            class="fave-action-btn secondary">Slett</button>
+</footer>
+```
+
+Eksisterende `handleFaveDelete` returnerer allerede tom response for HTMX-forespørsler, så `hx-target="closest article" hx-swap="outerHTML"` fjerner kortet fra DOM.
+
+**profile.html**: Vis kun for eier med `{{if $d.IsOwner}}`.
+
+### Tier 2 — Rask personvernveksler
+
+| Fil | Endring |
+|-----|---------|
+| `internal/store/fave.go` | Ny `UpdatePrivacy(id, privacy)` metode |
+| `internal/handler/fave.go` | Ny `handleFaveTogglePrivacy` handler |
+| `internal/handler/handler.go` | Ny rute: `POST /faves/{id}/privacy` |
+| `web/templates/partials/privacy_toggle.html` | Ny HTMX-partial for toggle-knapp |
+| `web/templates/pages/fave_list.html` | Bruk toggle i stedet for statisk badge |
+| `web/templates/pages/fave_detail.html` | Bruk toggle for eier |
+
+**Store — UpdatePrivacy**:
+```go
+func (s *FaveStore) UpdatePrivacy(id int64, privacy string) error {
+    _, err := s.db.Exec(
+        `UPDATE faves SET privacy = ?,
+            updated_at = strftime('%Y-%m-%dT%H:%M:%SZ', 'now')
+        WHERE id = ?`, privacy, id)
+    return err
+}
+```
+
+**Handler**: Verifiserer eierskap, veksler mellom "public"/"private", returnerer oppdatert partial.
+
+**Partial** (`privacy_toggle.html`):
+```html
+<span class="privacy-toggle" id="privacy-{{.ID}}">
+    <button hx-post="{{basePath}}/faves/{{.ID}}/privacy"
+            hx-target="#privacy-{{.ID}}" hx-swap="outerHTML"
+            class="fave-action-btn {{if eq .Privacy "private"}}secondary{{end}}">
+        {{if eq .Privacy "public"}}Offentlig{{else}}Privat{{end}}
+    </button>
+</span>
+```
+
+CSRF-token håndteres automatisk av `htmx:configRequest`-hooken i app.js.
+
+### Tester
+
+- `TestUpdatePrivacy`, `TestTogglePrivacyOwner`, `TestTogglePrivacyNotOwner`
+- `TestFaveListShowsEditButton`, `TestFaveListDeleteViaHTMX`
+- ~5 nye
+
+---
+
+## Funksjon 4: Admin-forbedringer
+
+### Beskrivelse
+
+Utvider admin-panelet med mulighet til å endre brukerroller og permanent slette brukerkontoer. Eksisterende admin-funksjonalitet som allerede fungerer:
+
+- ✅ Lukke registreringer (`/admin/settings` → signup_mode)
+- ✅ Låse/deaktivere brukere (`/admin/users/{id}/toggle-disabled`)
+- ✅ Tilbakestille passord (`/admin/users/{id}/reset-password`)
+- ✅ Godkjenne/avvise registreringsforespørsler
+- ✅ Opprette brukere
+
+### Del A: Endre brukerrolle
+
+| Fil | Endring |
+|-----|---------|
+| `internal/store/user.go` | Ny `SetRole(userID, role)` metode |
+| `internal/handler/admin.go` | Ny `handleAdminSetRole` handler |
+| `internal/handler/handler.go` | Ny rute: `POST /admin/users/{id}/role` |
+| `web/templates/pages/admin_users.html` | Rolle-dropdown per brukerrad |
+
+**Store — SetRole**: Validerer at role er "user" eller "admin", oppdaterer databasen.
+
+**Handler**: Forhindrer at admin endrer egen rolle. Oppdaterer rolle og viser bekreftelse.
+
+**Template**: `<select name="role">` med `onchange="this.form.submit()"` i handlingskolonnen.
+
+**NB**: `onchange` inline handler blokkeres av CSP (`script-src 'self'`). Bruk i stedet en delegert event listener i app.js, eller legg til en submit-knapp:
+```html
+<form method="POST" action="{{basePath}}/admin/users/{{.ID}}/role" class="inline-form">
+    <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
+    <select name="role" class="inline-input">
+        <option value="user" {{if eq .Role "user"}}selected{{end}}>Bruker</option>
+        <option value="admin" {{if eq .Role "admin"}}selected{{end}}>Admin</option>
+    </select>
+    <button type="submit" class="nav-button outline">Lagre</button>
+</form>
+```
+
+### Del B: Slette brukerkontoer
+
+| Fil | Endring |
+|-----|---------|
+| `internal/store/user.go` | Ny `Delete(userID)` metode |
+| `internal/handler/admin.go` | Ny `handleAdminDeleteUser` handler |
+| `internal/handler/handler.go` | Ny rute: `POST /admin/users/{id}/delete` |
+| `web/templates/pages/admin_users.html` | Slett-knapp med `hx-confirm` |
+
+**Store — Delete**: `DELETE FROM users WHERE id = ?`. Kaskadesletting via foreign keys fjerner sessions, faves og fave_tags automatisk.
+
+**Handler**: Forhindrer selvsletting. Sletter brukerens bilder fra disk **før** databasesletting (fordi kaskaden fjerner fave-radene som refererer til bildefilene). Viser bekreftelse.
+
+**Template**: HTMX-knapp med `hx-confirm`:
+```html
+<button hx-post="{{basePath}}/admin/users/{{.ID}}/delete"
+        hx-confirm="Er du HELT sikker? Dette sletter brukeren og alle favorittene permanent."
+        hx-target="closest tr" hx-swap="outerHTML"
+        class="nav-button outline" style="color: var(--pico-del-color);">Slett</button>
+```
+
+### Tester
+
+- `TestSetRole`, `TestSetRoleInvalid`, `TestDeleteUser`, `TestDeleteUserCascade`
+- `TestAdminSetRoleSuccess`, `TestAdminSetRoleSelf`
+- `TestAdminDeleteUserSuccess`, `TestAdminDeleteUserSelf`, `TestAdminDeleteUserCascadesData`
+- ~9 nye
+
+---
+
+## Samlet implementeringsrekkefølge
+
+```
+Fase 1: Funksjon 1 + Funksjon 4 (parallelt, ingen avhengigheter)
+  ├── 1a: Migrasjon + modell + store (notes)
+  ├── 1b: Handlere og maler (notes + OG)
+  ├── 4a: SetRole + handler + mal
+  └── 4b: Delete + handler + mal
+
+Fase 2: Funksjon 3 (krever notes fra Fase 1)
+  ├── 3a: Tier 1 — rediger/slett-knapper i listevisninger
+  └── 3b: Tier 2 — personvernveksler
+
+Fase 3: Funksjon 2 (krever notes fra Fase 1)
+  ├── 2a: Ikoner + service worker + manifest-handler
+  ├── 2b: Share-handler + pre-fill
+  └── 2c: Base-mal + SW-registrering
+```
+
+### Nye endepunkter
+
+| Metode | Rute | Handler | Auth |
+|--------|------|---------|------|
+| GET | `/manifest.json` | handleManifest | Nei |
+| GET | `/sw.js` | handleServiceWorker | Nei |
+| GET | `/share` | handleShare | Ja |
+| POST | `/faves/{id}/privacy` | handleFaveTogglePrivacy | Ja |
+| POST | `/admin/users/{id}/role` | handleAdminSetRole | Admin |
+| POST | `/admin/users/{id}/delete` | handleAdminDeleteUser | Admin |
+
+### Nye filer
+
+| Fil | Beskrivelse |
+|-----|-------------|
+| `internal/database/migrations/002_add_fave_notes.sql` | Migrasjon: notes-kolonne |
+| `internal/handler/pwa.go` | PWA-handlere (manifest, SW, share) |
+| `web/static/sw.js` | Service worker |
+| `web/static/icons/icon-*.png` | PWA-ikoner (3 stk) |
+| `web/templates/partials/privacy_toggle.html` | HTMX personvernveksler |
+
+### Estimert testtillegg
+
+| Funksjon | Nye tester |
+|----------|------------|
+| 1: Notes + OG | ~5 |
+| 2: PWA + share | ~6 |
+| 3: Redigering UX | ~5 |
+| 4: Admin | ~9 |
+| **Totalt** | **~25** |
diff --git a/TESTPLAN.md b/TESTPLAN.md
new file mode 100644
index 0000000..2e0799a
--- /dev/null
+++ b/TESTPLAN.md
@@ -0,0 +1,388 @@
+# Testplan — Favoritter
+
+## Dekning (oppdatert 2026-04-03)
+
+| Lag | Pakke | Testfiler | Testfunksjoner | Dekning |
+|-----|-------|-----------|----------------|---------|
+| Data | `internal/store` | 6 | 24 | 70.8 % |
+| HTTP (web) | `internal/handler` | 2 | 55 | 56.1 % |
+| HTTP (API) | `internal/handler/api` | 1 | 28 | 75.8 % |
+| Mellomvare | `internal/middleware` | 3 | 29 | 83.1 % |
+| Konfig | `internal/config` | 1 | 8 | 81.1 % |
+| Bilde | `internal/image` | 1 | 10 | 85.7 % |
+| Database | `internal/database` | 1 | 6 | 66.0 % |
+| Rendering | `internal/render` | 1 | 6 | 72.7 % |
+| Modell | `internal/model` | 0 | 0 | 0.0 % (kun datatyper) |
+
+**Totalt**: 16 testfiler, 167 testfunksjoner, alle grønne.
+
+---
+
+## Prioriteter
+
+- **P0 — Kritisk**: Sikkerhet, autentisering, autorisasjon
+- **P1 — Høy**: Forretningslogikk, dataintegritet, API-kontrakter
+- **P2 — Middels**: Konfigurasjon, feilhåndtering, kanttilfeller
+- **P3 — Lav**: Rendering, logging, hjelpefunksjoner
+
+---
+
+## P0 — Sikkerhet og tilgangskontroll
+
+### CSRF-beskyttelse (`internal/middleware/csrf.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestCSRFTokenSetInCookie` | POST uten eksisterende cookie → ny `csrf_token`-cookie settes |
+| 2 | `TestCSRFValidTokenAccepted` | POST med matchende cookie + form-felt → 200 |
+| 3 | `TestCSRFMismatchRejected` | POST med feil token i form-felt → 403 |
+| 4 | `TestCSRFMissingTokenRejected` | POST uten token i form-felt/header → 403 |
+| 5 | `TestCSRFHeaderFallback` | POST med token i `X-CSRF-Token`-header → 200 |
+| 6 | `TestCSRFSkippedForAPI` | POST til `/api/`-ruter → CSRF sjekkes ikke |
+| 7 | `TestCSRFSafeMethodsPassThrough` | GET/HEAD/OPTIONS → ingen validering |
+
+### Auth-mellomvare (`internal/middleware/auth.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestSessionLoaderValidToken` | Gyldig session-cookie → bruker satt i context |
+| 2 | `TestSessionLoaderInvalidToken` | Ugyldig cookie → context uten bruker, ingen feil |
+| 3 | `TestSessionLoaderNoCookie` | Ingen cookie → context uten bruker |
+| 4 | `TestRequireLoginRedirectsToLogin` | Uautentisert → 302 til `/login` |
+| 5 | `TestRequireLoginAllowsAuthenticated` | Autentisert → neste handler kjøres |
+| 6 | `TestRequireAdminRejectsNonAdmin` | Vanlig bruker → 403 |
+| 7 | `TestRequireAdminAllowsAdmin` | Admin-bruker → neste handler kjøres |
+
+### API-autentisering (`internal/handler/api/`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestAPILoginSuccess` | Korrekt brukernavn/passord → token + brukerinfo |
+| 2 | `TestAPILoginWrongPassword` | Feil passord → 401 |
+| 3 | `TestAPILoginInvalidBody` | Ugyldig JSON → 400 |
+| 4 | `TestAPILogout` | Gyldig session → session slettet, cookie fjernet |
+| 5 | `TestAPIRequiresAuth` | Beskyttede endepunkter uten session → 401/redirect |
+
+### Autorisasjon (eierskap)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestCannotEditOtherUsersFave` | PUT `/api/v1/faves/{id}` med annen bruker → 403 |
+| 2 | `TestCannotDeleteOtherUsersFave` | DELETE `/api/v1/faves/{id}` med annen bruker → 403 |
+| 3 | `TestPrivateFaveHiddenFromAPI` | GET `/api/v1/faves/{id}` privat fave, annen bruker → 404 |
+| 4 | `TestPrivateFaveVisibleToOwnerAPI` | GET `/api/v1/faves/{id}` privat fave, eier → 200 |
+| 5 | `TestAdminEndpointsRequireAdminRole` | Ikke-admin → 403 på alle admin-ruter |
+
+---
+
+## P1 — Forretningslogikk og API-kontrakter
+
+### Store: Innstillinger (`internal/store/settings.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestSettingsGetDefault` | Hent standardinnstillinger etter migrasjon |
+| 2 | `TestSettingsUpdate` | Oppdater site_name, description, signup_mode → endringer leses tilbake |
+| 3 | `TestSettingsUpdatePartial` | Oppdater kun ett felt → andre felter beholdes |
+
+### API: Favoritter CRUD (`internal/handler/api/`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestAPICreateFave` | POST med beskrivelse, URL, privacy, tags → 201 + komplett JSON |
+| 2 | `TestAPICreateFaveMinimal` | POST med kun beskrivelse → 201, standardverdier |
+| 3 | `TestAPICreateFaveMissingDescription` | POST uten beskrivelse → 400 |
+| 4 | `TestAPIGetFave` | GET `/api/v1/faves/{id}` → komplett JSON med tagger |
+| 5 | `TestAPIGetFaveNotFound` | GET med ugyldig ID → 404 |
+| 6 | `TestAPIUpdateFave` | PUT med endringer → oppdatert JSON |
+| 7 | `TestAPIUpdateFavePartial` | PUT med kun tags → andre felter uendret |
+| 8 | `TestAPIDeleteFave` | DELETE → 204 No Content |
+| 9 | `TestAPIDeleteFaveNotFound` | DELETE med ugyldig ID → 404 |
+| 10 | `TestAPIListFaves` | GET `/api/v1/faves` → paginert resultat med total |
+| 11 | `TestAPIListFavesPagination` | Sjekk page/limit-parametre og grense (limit ≤ 100) |
+
+### API: Brukere og offentlige favoritter
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestAPIGetUser` | GET `/api/v1/users/{username}` → brukerinfo |
+| 2 | `TestAPIGetUserNotFound` | Ukjent brukernavn → 404 |
+| 3 | `TestAPIGetDisabledUser` | Deaktivert bruker → 404 |
+| 4 | `TestAPIGetUserFaves` | GET `/api/v1/users/{username}/faves` → kun offentlige |
+| 5 | `TestAPIGetUserFavesEmpty` | Bruker uten favoritter → tom liste |
+
+### API: Tagger
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestAPISearchTags` | GET `/api/v1/tags?q=prefix` → matchende tagger |
+| 2 | `TestAPISearchTagsEmpty` | Søk uten treff → tom liste |
+| 3 | `TestAPISearchTagsLimit` | `limit`-parameter respekteres, maks 100 |
+
+### API: Eksport/import
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestAPIExport` | GET `/api/v1/export/json` → alle brukerens favoritter |
+| 2 | `TestAPIImportValid` | POST med JSON-array → imported/total-svar |
+| 3 | `TestAPIImportSkipsEmpty` | Oppføringer uten beskrivelse → hoppes over |
+| 4 | `TestAPIImportInvalidJSON` | Ugyldig JSON → 400 |
+| 5 | `TestAPIImportBodyLimit` | Stor body → avvist (MaxUploadSize) |
+
+### Handler: Registrering og pålogging (`internal/handler/auth.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestSignupPageRendering` | GET `/signup` → skjema med CSRF-token |
+| 2 | `TestSignupSuccess` | POST med gyldig data → registreringsforespørsel opprettet |
+| 3 | `TestSignupDuplicate` | Duplisert brukernavn → feilmelding |
+| 4 | `TestSignupDisabled` | `signup_mode=closed` → 403 eller redirect |
+| 5 | `TestPasswordResetFlow` | Bruker med must_reset → tvinges til å endre passord |
+| 6 | `TestPasswordChangeSuccess` | POST med korrekt gammelt + nytt passord → oppdatert |
+| 7 | `TestPasswordChangeMismatch` | Nytt passord ≠ bekreftelse → feilmelding |
+| 8 | `TestLogout` | POST `/logout` → session slettet, redirect til login |
+
+### Handler: Favoritter CRUD (web) (`internal/handler/fave.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestCreateFavePage` | GET `/faves/new` → skjema rendres |
+| 2 | `TestCreateFaveSubmit` | POST med gyldig data → redirect til favoritt |
+| 3 | `TestCreateFaveWithImage` | POST med multipart/bilde → bilde lagret |
+| 4 | `TestEditFavePage` | GET `/faves/{id}/edit` → skjema med eksisterende data |
+| 5 | `TestEditFaveSubmit` | POST med endringer → oppdatert |
+| 6 | `TestEditFaveNotOwner` | Annen bruker → 403 |
+| 7 | `TestDeleteFave` | POST `/faves/{id}/delete` → slettet, redirect |
+| 8 | `TestDeleteFaveNotOwner` | Annen bruker → 403 |
+| 9 | `TestFaveListPagination` | Navigasjon med page-parameter |
+
+### Handler: Administrasjon (`internal/handler/admin.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestAdminDashboard` | GET `/admin` → statistikk rendres |
+| 2 | `TestAdminUserList` | GET `/admin/users` → alle brukere vises |
+| 3 | `TestAdminDisableUser` | POST → bruker deaktiveres |
+| 4 | `TestAdminEnableUser` | POST → bruker reaktiveres |
+| 5 | `TestAdminApproveSignup` | POST → bruker opprettes, forespørsel fjernes |
+| 6 | `TestAdminRejectSignup` | POST → forespørsel fjernes, bruker opprettes ikke |
+| 7 | `TestAdminUpdateSettings` | POST → innstillinger oppdateres |
+
+### Handler: Profil (`internal/handler/profile.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestPublicProfileVisible` | Offentlig profil → bio, visningsnavn vist |
+| 2 | `TestLimitedProfileHidesBio` | Begrenset profil → bio skjult, merknad vist |
+| 3 | `TestProfileEditPage` | GET `/profile/edit` → skjema med gjeldende verdier |
+| 4 | `TestProfileUpdateDisplayName` | POST → visningsnavn oppdatert |
+| 5 | `TestProfileUpdateVisibility` | POST → synlighet endret |
+| 6 | `TestProfileAvatarUpload` | POST med bilde → avatar lagret |
+
+### Handler: Feed (`internal/handler/feed.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestGlobalFeedAtom` | GET `/feed` → gyldig Atom XML |
+| 2 | `TestUserFeedAtom` | GET `/{username}/feed` → kun brukerens offentlige |
+| 3 | `TestFeedExcludesPrivate` | Private favoritter utelates |
+| 4 | `TestFeedLinksUseExternalURL` | Lenker bruker `EXTERNAL_URL`, ikke localhost |
+
+### Handler: Import/Eksport (web) (`internal/handler/import_export.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestExportPageRendering` | GET `/export` → eksportvalg vist |
+| 2 | `TestExportJSON` | GET `/export/json` → JSON-array med alle faves |
+| 3 | `TestExportCSV` | GET `/export/csv` → gyldig CSV med header |
+| 4 | `TestImportJSON` | POST med JSON-fil → favoritter importert |
+| 5 | `TestImportCSV` | POST med CSV-fil → favoritter importert |
+| 6 | `TestImportDuplicateHandling` | Duplikater → håndteres uten feil |
+
+---
+
+## P2 — Konfigurasjon, bilde, database
+
+### Konfigurasjon (`internal/config/config.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestLoadDefaults` | Ingen env-variabler → fornuftige standardverdier |
+| 2 | `TestLoadFromEnv` | Alle env-variabler satt → config inneholder riktige verdier |
+| 3 | `TestTrustedProxiesParsing` | `TRUSTED_PROXIES=10.0.0.0/8,192.168.0.0/16` → korrekte IPNet |
+| 4 | `TestTrustedProxiesInvalid` | Ugyldig CIDR → logges, hoppes over |
+| 5 | `TestBasePathNormalization` | Trailing slash fjernes, tom streng beholdes |
+| 6 | `TestSessionLifetimeParsing` | `SESSION_LIFETIME=48h` → korrekt Duration |
+| 7 | `TestDevModeFlag` | `FAVORITTER_DEV_MODE=true` → DevMode = true |
+| 8 | `TestMaxUploadSizeParsing` | `MAX_UPLOAD_SIZE=10485760` → korrekt int64 |
+
+### Bildebehandling (`internal/image/image.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestProcessJPEG` | Gyldig JPEG → UUID-filnavn, lagret i uploadDir |
+| 2 | `TestProcessPNG` | Gyldig PNG → re-encoded, EXIF strippet |
+| 3 | `TestProcessResizeWideImage` | Bilde > 1920px bredt → nedskalert til MaxWidth |
+| 4 | `TestProcessSmallImageNotResized` | Bilde < 1920px → beholdes som det er |
+| 5 | `TestProcessInvalidMIME` | `text/plain`-fil → feil returneres |
+| 6 | `TestProcessCorruptImage` | Korrupt bildedata → feil returneres |
+| 7 | `TestProcessUUIDFilename` | Filnavn bruker UUID, aldri brukerens opprinnelige filnavn |
+| 8 | `TestAllowedTypes` | Sjekk at JPEG, PNG, GIF, WebP er tillatt |
+
+### Databasemigrasjoner (`internal/database/database.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestOpenInMemory` | `:memory:` → fungerende tilkobling |
+| 2 | `TestMigrateCreatesAllTables` | Migrasjon → alle forventede tabeller finnes |
+| 3 | `TestMigrateIdempotent` | Kjør Migrate to ganger → ingen feil |
+| 4 | `TestPRAGMAs` | WAL-modus, foreign_keys, journal_size_limit satt |
+| 5 | `TestSingleConnection` | MaxOpenConns = 1 verifisert |
+
+### Mellomvare: Context-hjelpere (`internal/middleware/context.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestUserFromContextPresent` | Bruker i context → returneres |
+| 2 | `TestUserFromContextAbsent` | Ingen bruker → nil |
+| 3 | `TestCSRFTokenFromContext` | Token i context → returneres |
+| 4 | `TestFlashFromContext` | Flash-melding i context → returneres |
+
+### Mellomvare: Logger (`internal/middleware/logger.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestLoggerRecordsStatusCode` | Response status kodes logges |
+| 2 | `TestLoggerRecordsDuration` | Forespørselstid logges |
+| 3 | `TestLoggerIncludesPath` | URL-path inkluderes i loggoppføring |
+
+---
+
+## P3 — Rendering og hjelpefunksjoner
+
+### Template-rendering (`internal/render/render.go`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestRenderPage` | Rendrer side med layout → komplett HTML |
+| 2 | `TestRenderPageWithData` | PageData (Title, brukerinfo) → interpolert i template |
+| 3 | `TestRenderPartial` | Rendrer partial uten layout |
+| 4 | `TestRenderMissingTemplate` | Ukjent template-navn → feilhåndtering |
+| 5 | `TestCSRFTokenInTemplate` | CSRF-token tilgjengelig i template-context |
+
+### API JSON-hjelpere (`internal/handler/api/`)
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestJsonOKFormat` | Content-Type: application/json, gyldig JSON |
+| 2 | `TestJsonErrorFormat` | Feil → `{"error": "melding"}` + riktig statuskode |
+| 3 | `TestUserJSONPublicProfile` | Offentlig profil → bio og avatar inkludert |
+| 4 | `TestUserJSONLimitedProfile` | Begrenset profil → bio og avatar utelatt |
+| 5 | `TestFaveJSONComplete` | Alle felter mappet korrekt |
+| 6 | `TestQueryIntFallback` | Ugyldig/manglende parameter → standardverdi |
+| 7 | `TestQueryIntNegative` | Negativ verdi → standardverdi |
+
+---
+
+## Integrasjonstester (tverrgående)
+
+Disse testene verifiserer hele flyten fra HTTP-forespørsel gjennom mellomvare, handler, store og tilbake.
+
+| # | Test | Verifiserer |
+|---|------|-------------|
+| 1 | `TestFullLoginFlow` | GET login → POST credentials → session cookie → GET /faves → 200 |
+| 2 | `TestFullSignupApprovalFlow` | Registrering → admin godkjenner → bruker logger inn → endrer passord |
+| 3 | `TestFullFaveCRUDFlow` | Opprett → les → rediger → slett favoritt via web |
+| 4 | `TestFullAPIFaveCRUDFlow` | Login → opprett → hent → oppdater → slett via JSON API |
+| 5 | `TestImportExportRoundtrip` | Eksporter → importer til ny bruker → verifiser likhet |
+| 6 | `TestFeedReflectsNewFaves` | Opprett favoritt → feed oppdateres |
+| 7 | `TestRateLimitOnLogin` | Mange mislykkede pålogginger → 429 |
+| 8 | `TestCSRFProtectionEndToEnd` | Hent side → ekstraher token → POST med token → suksess |
+| 9 | `TestBasePathPropagation` | Alle lenker og redirects respekterer base path |
+| 10 | `TestMultiUserPrivacy` | Bruker A ser ikke bruker Bs private favoritter i noen visning |
+
+---
+
+## Testinfrastruktur
+
+### Eksisterende hjelpere (gjenbruk)
+
+- `testDB(t)` — in-memory SQLite med migrasjoner (`store/*_test.go`)
+- `testServer(t)` — komplett handler-stack med mellomvare (`handler/handler_test.go`)
+- `loginUser(t, h, username, password, role)` — oppretter bruker og returnerer session-cookie
+- `extractCookie(rr, name)` — henter cookie fra response
+
+### Nye hjelpere som trengs
+
+| Hjelper | Bruksområde |
+|---------|-------------|
+| `testAPIServer(t)` | Setup for API-handler med in-memory DB |
+| `apiLogin(t, server, username, password)` | Hent session-token for API-tester |
+| `testImage(t, width, height, mime)` | Generer test-bilde med gitte dimensjoner |
+| `setEnv(t, key, value)` | Sett env-variabel med automatisk cleanup |
+
+### Konvensjoner
+
+- Bruk `:memory:` SQLite for alle tester
+- Sett raske Argon2-parametre (`Memory=1024, Time=1`) i alle passord-tester
+- Bruk `t.Helper()` på alle hjelpefunksjoner
+- Bruk `t.Cleanup()` for opprydding, aldri manuell defer i hjelpere
+- Bruk `httptest.NewRecorder()` og `httptest.NewRequest()` for HTTP-tester
+- Bruk `t.TempDir()` for bildebehandlingstester
+- Tabell-drevne tester der det er naturlig (f.eks. config-parsing, feilkoder)
+- Norske testbeskrivelser i kommentarer, engelske funksjons-/variabelnavn
+
+---
+
+## Implementeringsrekkefølge
+
+```
+Fase 1 (P0): Sikkerhet
+  ├── middleware/csrf_test.go         (~7 tester)
+  ├── middleware/auth_test.go         (~7 tester)  ← utvid eksisterende fil
+  └── handler/api/api_test.go         (~5 auth-tester)
+
+Fase 2 (P1a): Store + API-kontrakter
+  ├── store/settings_test.go          (~3 tester)
+  └── handler/api/api_test.go         (~25 tester, utvid)
+
+Fase 3 (P1b): Web-handlere
+  ├── handler/handler_test.go         (~30 tester, utvid eksisterende)
+  └── handler/auth_test.go            (~8 tester)
+
+Fase 4 (P2): Konfig, bilde, database
+  ├── config/config_test.go           (~8 tester)
+  ├── image/image_test.go             (~8 tester)
+  ├── database/database_test.go       (~5 tester)
+  └── middleware/context_test.go      (~4 tester)
+
+Fase 5 (P3): Rendering og hjelpere
+  ├── render/render_test.go           (~5 tester)
+  └── handler/api/helpers_test.go     (~7 tester)
+
+Fase 6: Integrasjonstester
+  └── integration_test.go             (~10 tester, build tag)
+```
+
+**Totalt**: ~132 nye tester → fra 44 til ~176 testfunksjoner.
+
+---
+
+## Kjøring
+
+```bash
+# Alle tester
+go test ./...
+
+# Én pakke
+go test ./internal/store/...
+
+# Med dekning
+go test -cover ./...
+
+# Detaljert dekningsrapport
+go test -coverprofile=coverage.out ./... && go tool cover -html=coverage.out
+
+# Kun integrasjonstester (om build tag brukes)
+go test -tags=integration ./...
+```
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
new file mode 100644
index 0000000..a5bbb22
--- /dev/null
+++ b/internal/config/config_test.go
@@ -0,0 +1,204 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package config
+
+import (
+	"testing"
+	"time"
+)
+
+func TestLoadDefaults(t *testing.T) {
+	// Clear all FAVORITTER_ env vars to test defaults.
+	for _, key := range []string{
+		"FAVORITTER_DB_PATH", "FAVORITTER_LISTEN", "FAVORITTER_BASE_PATH",
+		"FAVORITTER_EXTERNAL_URL", "FAVORITTER_UPLOAD_DIR", "FAVORITTER_MAX_UPLOAD_SIZE",
+		"FAVORITTER_SESSION_LIFETIME", "FAVORITTER_ARGON2_MEMORY", "FAVORITTER_ARGON2_TIME",
+		"FAVORITTER_ARGON2_PARALLELISM", "FAVORITTER_RATE_LIMIT", "FAVORITTER_ADMIN_USERNAME",
+		"FAVORITTER_ADMIN_PASSWORD", "FAVORITTER_SITE_NAME", "FAVORITTER_DEV_MODE",
+		"FAVORITTER_TRUSTED_PROXIES",
+	} {
+		t.Setenv(key, "")
+	}
+
+	cfg := Load()
+
+	if cfg.DBPath != "./data/favoritter.db" {
+		t.Errorf("DBPath = %q, want default", cfg.DBPath)
+	}
+	if cfg.Listen != ":8080" {
+		t.Errorf("Listen = %q, want :8080", cfg.Listen)
+	}
+	if cfg.BasePath != "" {
+		t.Errorf("BasePath = %q, want empty (root)", cfg.BasePath)
+	}
+	if cfg.MaxUploadSize != 10<<20 {
+		t.Errorf("MaxUploadSize = %d, want %d", cfg.MaxUploadSize, 10<<20)
+	}
+	if cfg.SessionLifetime != 720*time.Hour {
+		t.Errorf("SessionLifetime = %v, want 720h", cfg.SessionLifetime)
+	}
+	if cfg.SiteName != "Favoritter" {
+		t.Errorf("SiteName = %q, want Favoritter", cfg.SiteName)
+	}
+	if cfg.DevMode {
+		t.Error("DevMode should be false by default")
+	}
+	if cfg.RateLimit != 60 {
+		t.Errorf("RateLimit = %d, want 60", cfg.RateLimit)
+	}
+}
+
+func TestLoadFromEnv(t *testing.T) {
+	t.Setenv("FAVORITTER_DB_PATH", "/custom/db.sqlite")
+	t.Setenv("FAVORITTER_LISTEN", ":9090")
+	t.Setenv("FAVORITTER_BASE_PATH", "/faves")
+	t.Setenv("FAVORITTER_EXTERNAL_URL", "https://faves.example.com/")
+	t.Setenv("FAVORITTER_UPLOAD_DIR", "/custom/uploads")
+	t.Setenv("FAVORITTER_MAX_UPLOAD_SIZE", "20971520")
+	t.Setenv("FAVORITTER_SESSION_LIFETIME", "48h")
+	t.Setenv("FAVORITTER_ARGON2_MEMORY", "131072")
+	t.Setenv("FAVORITTER_ARGON2_TIME", "5")
+	t.Setenv("FAVORITTER_ARGON2_PARALLELISM", "4")
+	t.Setenv("FAVORITTER_RATE_LIMIT", "100")
+	t.Setenv("FAVORITTER_ADMIN_USERNAME", "admin")
+	t.Setenv("FAVORITTER_ADMIN_PASSWORD", "secret")
+	t.Setenv("FAVORITTER_SITE_NAME", "Mine Favoritter")
+	t.Setenv("FAVORITTER_DEV_MODE", "true")
+	t.Setenv("FAVORITTER_TRUSTED_PROXIES", "10.0.0.0/8,192.168.1.0/24")
+
+	cfg := Load()
+
+	if cfg.DBPath != "/custom/db.sqlite" {
+		t.Errorf("DBPath = %q", cfg.DBPath)
+	}
+	if cfg.Listen != ":9090" {
+		t.Errorf("Listen = %q", cfg.Listen)
+	}
+	if cfg.BasePath != "/faves" {
+		t.Errorf("BasePath = %q, want /faves", cfg.BasePath)
+	}
+	// External URL should have trailing slash stripped.
+	if cfg.ExternalURL != "https://faves.example.com" {
+		t.Errorf("ExternalURL = %q, want trailing slash stripped", cfg.ExternalURL)
+	}
+	if cfg.MaxUploadSize != 20971520 {
+		t.Errorf("MaxUploadSize = %d", cfg.MaxUploadSize)
+	}
+	if cfg.SessionLifetime != 48*time.Hour {
+		t.Errorf("SessionLifetime = %v", cfg.SessionLifetime)
+	}
+	if cfg.Argon2Memory != 131072 {
+		t.Errorf("Argon2Memory = %d", cfg.Argon2Memory)
+	}
+	if cfg.Argon2Time != 5 {
+		t.Errorf("Argon2Time = %d", cfg.Argon2Time)
+	}
+	if cfg.Argon2Parallelism != 4 {
+		t.Errorf("Argon2Parallelism = %d", cfg.Argon2Parallelism)
+	}
+	if cfg.RateLimit != 100 {
+		t.Errorf("RateLimit = %d", cfg.RateLimit)
+	}
+	if cfg.AdminUsername != "admin" {
+		t.Errorf("AdminUsername = %q", cfg.AdminUsername)
+	}
+	if cfg.AdminPassword != "secret" {
+		t.Errorf("AdminPassword = %q", cfg.AdminPassword)
+	}
+	if cfg.SiteName != "Mine Favoritter" {
+		t.Errorf("SiteName = %q", cfg.SiteName)
+	}
+	if !cfg.DevMode {
+		t.Error("DevMode should be true")
+	}
+	if len(cfg.TrustedProxies) != 2 {
+		t.Errorf("TrustedProxies: got %d, want 2", len(cfg.TrustedProxies))
+	}
+}
+
+func TestTrustedProxiesParsing(t *testing.T) {
+	t.Setenv("FAVORITTER_TRUSTED_PROXIES", "10.0.0.0/8, 192.168.0.0/16, 127.0.0.1")
+
+	cfg := Load()
+
+	if len(cfg.TrustedProxies) != 3 {
+		t.Fatalf("TrustedProxies: got %d, want 3", len(cfg.TrustedProxies))
+	}
+	// 127.0.0.1 without CIDR should become 127.0.0.1/32.
+	last := cfg.TrustedProxies[2]
+	if ones, _ := last.Mask.Size(); ones != 32 {
+		t.Errorf("bare IP mask = /%d, want /32", ones)
+	}
+}
+
+func TestTrustedProxiesInvalid(t *testing.T) {
+	t.Setenv("FAVORITTER_TRUSTED_PROXIES", "not-an-ip, 10.0.0.0/8")
+
+	cfg := Load()
+
+	// Invalid entries are skipped; valid ones remain.
+	if len(cfg.TrustedProxies) != 1 {
+		t.Errorf("TrustedProxies: got %d, want 1 (invalid skipped)", len(cfg.TrustedProxies))
+	}
+}
+
+func TestBasePathNormalization(t *testing.T) {
+	tests := []struct {
+		input string
+		want  string
+	}{
+		{"/", ""},
+		{"", ""},
+		{"/faves", "/faves"},
+		{"/faves/", "/faves"},
+		{"faves", "/faves"},
+		{"/sub/path/", "/sub/path"},
+	}
+
+	for _, tt := range tests {
+		got := normalizePath(tt.input)
+		if got != tt.want {
+			t.Errorf("normalizePath(%q) = %q, want %q", tt.input, got, tt.want)
+		}
+	}
+}
+
+func TestDevModeFlag(t *testing.T) {
+	t.Setenv("FAVORITTER_DEV_MODE", "true")
+	cfg := Load()
+	if !cfg.DevMode {
+		t.Error("DevMode should be true when env is 'true'")
+	}
+
+	t.Setenv("FAVORITTER_DEV_MODE", "false")
+	cfg = Load()
+	if cfg.DevMode {
+		t.Error("DevMode should be false when env is 'false'")
+	}
+}
+
+func TestExternalHostname(t *testing.T) {
+	cfg := &Config{ExternalURL: "https://faves.example.com/base"}
+	if got := cfg.ExternalHostname(); got != "faves.example.com" {
+		t.Errorf("ExternalHostname = %q, want faves.example.com", got)
+	}
+
+	cfg = &Config{}
+	if got := cfg.ExternalHostname(); got != "" {
+		t.Errorf("empty ExternalURL: ExternalHostname = %q, want empty", got)
+	}
+}
+
+func TestBaseURL(t *testing.T) {
+	// With external URL configured.
+	cfg := &Config{ExternalURL: "https://faves.example.com"}
+	if got := cfg.BaseURL("localhost:8080"); got != "https://faves.example.com" {
+		t.Errorf("BaseURL with external = %q", got)
+	}
+
+	// Without external URL — falls back to request host.
+	cfg = &Config{BasePath: "/faves"}
+	if got := cfg.BaseURL("myhost.local:8080"); got != "https://myhost.local:8080/faves" {
+		t.Errorf("BaseURL fallback = %q", got)
+	}
+}
diff --git a/internal/database/database_test.go b/internal/database/database_test.go
new file mode 100644
index 0000000..506981e
--- /dev/null
+++ b/internal/database/database_test.go
@@ -0,0 +1,140 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package database
+
+import (
+	"testing"
+
+	_ "modernc.org/sqlite"
+)
+
+func TestOpenInMemory(t *testing.T) {
+	db, err := Open(":memory:")
+	if err != nil {
+		t.Fatalf("Open(:memory:): %v", err)
+	}
+	defer db.Close()
+
+	// Verify the connection is usable.
+	var result int
+	if err := db.QueryRow("SELECT 1").Scan(&result); err != nil {
+		t.Fatalf("query: %v", err)
+	}
+	if result != 1 {
+		t.Errorf("SELECT 1 = %d", result)
+	}
+}
+
+func TestMigrateCreatesAllTables(t *testing.T) {
+	db, err := Open(":memory:")
+	if err != nil {
+		t.Fatalf("open: %v", err)
+	}
+	defer db.Close()
+
+	if err := Migrate(db); err != nil {
+		t.Fatalf("migrate: %v", err)
+	}
+
+	// Check that core tables exist.
+	tables := []string{"users", "faves", "tags", "fave_tags", "sessions", "site_settings", "schema_migrations", "signup_requests"}
+	for _, table := range tables {
+		var count int
+		err := db.QueryRow("SELECT COUNT(*) FROM sqlite_master WHERE type='table' AND name=?", table).Scan(&count)
+		if err != nil {
+			t.Errorf("check table %s: %v", table, err)
+		}
+		if count != 1 {
+			t.Errorf("table %s does not exist", table)
+		}
+	}
+}
+
+func TestMigrateIdempotent(t *testing.T) {
+	db, err := Open(":memory:")
+	if err != nil {
+		t.Fatalf("open: %v", err)
+	}
+	defer db.Close()
+
+	// First migration.
+	if err := Migrate(db); err != nil {
+		t.Fatalf("first migrate: %v", err)
+	}
+
+	// Second migration should be a no-op.
+	if err := Migrate(db); err != nil {
+		t.Fatalf("second migrate: %v", err)
+	}
+
+	// Verify schema_migrations has entries (no duplicates).
+	var count int
+	db.QueryRow("SELECT COUNT(*) FROM schema_migrations").Scan(&count)
+	if count < 1 {
+		t.Error("expected at least one migration record")
+	}
+}
+
+func TestPRAGMAs(t *testing.T) {
+	db, err := Open(":memory:")
+	if err != nil {
+		t.Fatalf("open: %v", err)
+	}
+	defer db.Close()
+
+	// WAL mode.
+	var journalMode string
+	db.QueryRow("PRAGMA journal_mode").Scan(&journalMode)
+	// In-memory databases use "memory" journal mode, not "wal".
+	// WAL is only meaningful for file-based databases.
+	// We just verify the pragma was accepted without error.
+
+	// Foreign keys should be ON.
+	var fk int
+	db.QueryRow("PRAGMA foreign_keys").Scan(&fk)
+	if fk != 1 {
+		t.Errorf("foreign_keys = %d, want 1", fk)
+	}
+
+	// Busy timeout.
+	var timeout int
+	db.QueryRow("PRAGMA busy_timeout").Scan(&timeout)
+	if timeout != 5000 {
+		t.Errorf("busy_timeout = %d, want 5000", timeout)
+	}
+}
+
+func TestSingleConnection(t *testing.T) {
+	db, err := Open(":memory:")
+	if err != nil {
+		t.Fatalf("open: %v", err)
+	}
+	defer db.Close()
+
+	stats := db.Stats()
+	if stats.MaxOpenConnections != 1 {
+		t.Errorf("MaxOpenConnections = %d, want 1", stats.MaxOpenConnections)
+	}
+}
+
+func TestSiteSettingsSeeded(t *testing.T) {
+	db, err := Open(":memory:")
+	if err != nil {
+		t.Fatalf("open: %v", err)
+	}
+	defer db.Close()
+
+	if err := Migrate(db); err != nil {
+		t.Fatalf("migrate: %v", err)
+	}
+
+	// Migrations should seed a default site_settings row.
+	var siteName string
+	err = db.QueryRow("SELECT site_name FROM site_settings WHERE id = 1").Scan(&siteName)
+	if err != nil {
+		t.Fatalf("query site_settings: %v", err)
+	}
+	if siteName == "" {
+		t.Error("expected non-empty default site_name")
+	}
+}
diff --git a/internal/handler/api/api_test.go b/internal/handler/api/api_test.go
new file mode 100644
index 0000000..8158d15
--- /dev/null
+++ b/internal/handler/api/api_test.go
@@ -0,0 +1,663 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package api
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strconv"
+	"strings"
+	"testing"
+
+	"kode.naiv.no/olemd/favoritter/internal/config"
+	"kode.naiv.no/olemd/favoritter/internal/database"
+	"kode.naiv.no/olemd/favoritter/internal/middleware"
+	"kode.naiv.no/olemd/favoritter/internal/store"
+)
+
+// testAPIServer creates a wired API handler with in-memory DB.
+func testAPIServer(t *testing.T) (*Handler, *http.ServeMux, *store.UserStore, *store.SessionStore) {
+	t.Helper()
+
+	db, err := database.Open(":memory:")
+	if err != nil {
+		t.Fatalf("open db: %v", err)
+	}
+	if err := database.Migrate(db); err != nil {
+		t.Fatalf("migrate: %v", err)
+	}
+	t.Cleanup(func() { db.Close() })
+
+	store.Argon2Memory = 1024
+	store.Argon2Time = 1
+
+	cfg := &config.Config{
+		MaxUploadSize: 10 << 20, // 10 MB
+	}
+
+	users := store.NewUserStore(db)
+	sessions := store.NewSessionStore(db)
+	faves := store.NewFaveStore(db)
+	tags := store.NewTagStore(db)
+
+	h := New(Deps{
+		Config:   cfg,
+		Users:    users,
+		Sessions: sessions,
+		Faves:    faves,
+		Tags:     tags,
+	})
+
+	mux := http.NewServeMux()
+	h.Routes(mux)
+
+	// Wrap with SessionLoader so authenticated API requests work.
+	chain := middleware.SessionLoader(sessions, users)(mux)
+	wrappedMux := http.NewServeMux()
+	wrappedMux.Handle("/", chain)
+
+	return h, wrappedMux, users, sessions
+}
+
+// apiLogin creates a user and returns a session cookie.
+func apiLogin(t *testing.T, users *store.UserStore, sessions *store.SessionStore, username, password, role string) *http.Cookie {
+	t.Helper()
+	user, err := users.Create(username, password, role)
+	if err != nil {
+		t.Fatalf("create user %s: %v", username, err)
+	}
+	token, err := sessions.Create(user.ID)
+	if err != nil {
+		t.Fatalf("create session: %v", err)
+	}
+	return &http.Cookie{Name: "session", Value: token}
+}
+
+// jsonBody is a helper to parse JSON response bodies.
+func jsonBody(t *testing.T, rr *httptest.ResponseRecorder) map[string]any {
+	t.Helper()
+	var result map[string]any
+	if err := json.Unmarshal(rr.Body.Bytes(), &result); err != nil {
+		t.Fatalf("parse response JSON: %v\nbody: %s", err, rr.Body.String())
+	}
+	return result
+}
+
+// --- Auth ---
+
+func TestAPILoginSuccess(t *testing.T) {
+	_, mux, users, _ := testAPIServer(t)
+	users.Create("testuser", "password123", "user")
+
+	body := `{"username":"testuser","password":"password123"}`
+	req := httptest.NewRequest("POST", "/api/v1/auth/login", strings.NewReader(body))
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("login: got %d, want 200\nbody: %s", rr.Code, rr.Body.String())
+	}
+
+	result := jsonBody(t, rr)
+	if result["token"] == nil || result["token"] == "" {
+		t.Error("expected token in response")
+	}
+	user, ok := result["user"].(map[string]any)
+	if !ok {
+		t.Fatal("expected user object in response")
+	}
+	if user["username"] != "testuser" {
+		t.Errorf("username = %v, want testuser", user["username"])
+	}
+}
+
+func TestAPILoginWrongPassword(t *testing.T) {
+	_, mux, users, _ := testAPIServer(t)
+	users.Create("testuser", "password123", "user")
+
+	body := `{"username":"testuser","password":"wrong"}`
+	req := httptest.NewRequest("POST", "/api/v1/auth/login", strings.NewReader(body))
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusUnauthorized {
+		t.Errorf("wrong password: got %d, want 401", rr.Code)
+	}
+}
+
+func TestAPILoginInvalidBody(t *testing.T) {
+	_, mux, _, _ := testAPIServer(t)
+
+	req := httptest.NewRequest("POST", "/api/v1/auth/login", strings.NewReader("not json"))
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusBadRequest {
+		t.Errorf("invalid body: got %d, want 400", rr.Code)
+	}
+}
+
+func TestAPILogout(t *testing.T) {
+	_, mux, users, sessions := testAPIServer(t)
+	cookie := apiLogin(t, users, sessions, "testuser", "pass123", "user")
+
+	req := httptest.NewRequest("POST", "/api/v1/auth/logout", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("logout: got %d, want 200", rr.Code)
+	}
+
+	// Session should be invalid now.
+	_, err := sessions.Validate(cookie.Value)
+	if err == nil {
+		t.Error("session should be invalidated after logout")
+	}
+}
+
+// --- Faves CRUD ---
+
+func TestAPICreateFave(t *testing.T) {
+	_, mux, users, sessions := testAPIServer(t)
+	cookie := apiLogin(t, users, sessions, "testuser", "pass123", "user")
+
+	body := `{"description":"My favorite thing","url":"https://example.com","privacy":"public","tags":["go","web"]}`
+	req := httptest.NewRequest("POST", "/api/v1/faves", strings.NewReader(body))
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusCreated {
+		t.Fatalf("create fave: got %d, want 201\nbody: %s", rr.Code, rr.Body.String())
+	}
+
+	result := jsonBody(t, rr)
+	if result["description"] != "My favorite thing" {
+		t.Errorf("description = %v", result["description"])
+	}
+	if result["url"] != "https://example.com" {
+		t.Errorf("url = %v", result["url"])
+	}
+	tags, ok := result["tags"].([]any)
+	if !ok || len(tags) != 2 {
+		t.Errorf("expected 2 tags, got %v", result["tags"])
+	}
+}
+
+func TestAPICreateFaveMissingDescription(t *testing.T) {
+	_, mux, users, sessions := testAPIServer(t)
+	cookie := apiLogin(t, users, sessions, "testuser", "pass123", "user")
+
+	body := `{"url":"https://example.com"}`
+	req := httptest.NewRequest("POST", "/api/v1/faves", strings.NewReader(body))
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusBadRequest {
+		t.Errorf("missing description: got %d, want 400", rr.Code)
+	}
+}
+
+func TestAPICreateFaveRequiresAuth(t *testing.T) {
+	_, mux, _, _ := testAPIServer(t)
+
+	body := `{"description":"test"}`
+	req := httptest.NewRequest("POST", "/api/v1/faves", strings.NewReader(body))
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	// Should redirect or return non-2xx.
+	if rr.Code == http.StatusCreated || rr.Code == http.StatusOK {
+		t.Errorf("unauthenticated create: got %d, should not be 2xx", rr.Code)
+	}
+}
+
+func TestAPIGetFave(t *testing.T) {
+	h, mux, users, sessions := testAPIServer(t)
+	cookie := apiLogin(t, users, sessions, "testuser", "pass123", "user")
+
+	// Create a public fave directly.
+	user, _ := users.GetByUsername("testuser")
+	fave, _ := h.deps.Faves.Create(user.ID, "Test fave", "https://example.com", "", "public")
+	h.deps.Tags.SetFaveTags(fave.ID, []string{"test"})
+
+	req := httptest.NewRequest("GET", "/api/v1/faves/"+faveIDStr(fave.ID), nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("get fave: got %d, want 200", rr.Code)
+	}
+
+	result := jsonBody(t, rr)
+	if result["description"] != "Test fave" {
+		t.Errorf("description = %v", result["description"])
+	}
+}
+
+func TestAPIGetFaveNotFound(t *testing.T) {
+	_, mux, _, _ := testAPIServer(t)
+
+	req := httptest.NewRequest("GET", "/api/v1/faves/99999", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusNotFound {
+		t.Errorf("nonexistent fave: got %d, want 404", rr.Code)
+	}
+}
+
+func TestAPIPrivateFaveHiddenFromOthers(t *testing.T) {
+	h, mux, users, sessions := testAPIServer(t)
+
+	// User A creates a private fave.
+	userA, _ := users.Create("usera", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(userA.ID, "Secret", "", "", "private")
+
+	// User B tries to access it.
+	cookieB := apiLogin(t, users, sessions, "userb", "pass123", "user")
+
+	req := httptest.NewRequest("GET", "/api/v1/faves/"+faveIDStr(fave.ID), nil)
+	req.AddCookie(cookieB)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusNotFound {
+		t.Errorf("private fave for other user: got %d, want 404", rr.Code)
+	}
+}
+
+func TestAPIPrivateFaveVisibleToOwner(t *testing.T) {
+	h, mux, users, sessions := testAPIServer(t)
+
+	userA, _ := users.Create("usera", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(userA.ID, "My secret", "", "", "private")
+
+	tokenA, _ := sessions.Create(userA.ID)
+	cookieA := &http.Cookie{Name: "session", Value: tokenA}
+
+	req := httptest.NewRequest("GET", "/api/v1/faves/"+faveIDStr(fave.ID), nil)
+	req.AddCookie(cookieA)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("own private fave: got %d, want 200", rr.Code)
+	}
+}
+
+func TestAPIUpdateFave(t *testing.T) {
+	h, mux, users, sessions := testAPIServer(t)
+
+	user, _ := users.Create("testuser", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(user.ID, "Original", "https://old.com", "", "public")
+	token, _ := sessions.Create(user.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	body := `{"description":"Updated","url":"https://new.com","tags":["updated"]}`
+	req := httptest.NewRequest("PUT", "/api/v1/faves/"+faveIDStr(fave.ID), strings.NewReader(body))
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("update fave: got %d, want 200\nbody: %s", rr.Code, rr.Body.String())
+	}
+
+	result := jsonBody(t, rr)
+	if result["description"] != "Updated" {
+		t.Errorf("description = %v, want Updated", result["description"])
+	}
+	if result["url"] != "https://new.com" {
+		t.Errorf("url = %v, want https://new.com", result["url"])
+	}
+}
+
+func TestAPIUpdateFaveNotOwner(t *testing.T) {
+	h, mux, users, sessions := testAPIServer(t)
+
+	userA, _ := users.Create("usera", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "public")
+
+	cookieB := apiLogin(t, users, sessions, "userb", "pass123", "user")
+
+	body := `{"description":"Hijacked"}`
+	req := httptest.NewRequest("PUT", "/api/v1/faves/"+faveIDStr(fave.ID), strings.NewReader(body))
+	req.AddCookie(cookieB)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusForbidden {
+		t.Errorf("update by non-owner: got %d, want 403", rr.Code)
+	}
+}
+
+func TestAPIDeleteFave(t *testing.T) {
+	h, mux, users, sessions := testAPIServer(t)
+
+	user, _ := users.Create("testuser", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(user.ID, "Delete me", "", "", "public")
+	token, _ := sessions.Create(user.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	req := httptest.NewRequest("DELETE", "/api/v1/faves/"+faveIDStr(fave.ID), nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusNoContent {
+		t.Errorf("delete fave: got %d, want 204", rr.Code)
+	}
+
+	// Verify it's gone.
+	req = httptest.NewRequest("GET", "/api/v1/faves/"+faveIDStr(fave.ID), nil)
+	req.AddCookie(cookie)
+	rr = httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+	if rr.Code != http.StatusNotFound {
+		t.Errorf("deleted fave: got %d, want 404", rr.Code)
+	}
+}
+
+func TestAPIDeleteFaveNotOwner(t *testing.T) {
+	h, mux, users, sessions := testAPIServer(t)
+
+	userA, _ := users.Create("usera", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "public")
+
+	cookieB := apiLogin(t, users, sessions, "userb", "pass123", "user")
+
+	req := httptest.NewRequest("DELETE", "/api/v1/faves/"+faveIDStr(fave.ID), nil)
+	req.AddCookie(cookieB)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusForbidden {
+		t.Errorf("delete by non-owner: got %d, want 403", rr.Code)
+	}
+}
+
+func TestAPIListFaves(t *testing.T) {
+	h, mux, users, sessions := testAPIServer(t)
+
+	user, _ := users.Create("testuser", "pass123", "user")
+	h.deps.Faves.Create(user.ID, "Fave 1", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Fave 2", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Fave 3", "", "", "private")
+	token, _ := sessions.Create(user.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	req := httptest.NewRequest("GET", "/api/v1/faves", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("list faves: got %d, want 200", rr.Code)
+	}
+
+	result := jsonBody(t, rr)
+	total, _ := result["total"].(float64)
+	if total != 3 {
+		t.Errorf("total = %v, want 3 (all faves including private)", total)
+	}
+}
+
+func TestAPIListFavesPagination(t *testing.T) {
+	h, mux, users, sessions := testAPIServer(t)
+
+	user, _ := users.Create("testuser", "pass123", "user")
+	for i := 0; i < 5; i++ {
+		h.deps.Faves.Create(user.ID, "Fave", "", "", "public")
+	}
+	token, _ := sessions.Create(user.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	req := httptest.NewRequest("GET", "/api/v1/faves?page=1&limit=2", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	result := jsonBody(t, rr)
+	faves, ok := result["faves"].([]any)
+	if !ok {
+		t.Fatal("expected faves array")
+	}
+	if len(faves) != 2 {
+		t.Errorf("page size: got %d faves, want 2", len(faves))
+	}
+	total, _ := result["total"].(float64)
+	if total != 5 {
+		t.Errorf("total = %v, want 5", total)
+	}
+}
+
+// --- Tags ---
+
+func TestAPISearchTags(t *testing.T) {
+	h, mux, users, _ := testAPIServer(t)
+
+	user, _ := users.Create("testuser", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(user.ID, "Test", "", "", "public")
+	h.deps.Tags.SetFaveTags(fave.ID, []string{"golang", "goroutines", "python"})
+
+	req := httptest.NewRequest("GET", "/api/v1/tags?q=go", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("search tags: got %d, want 200", rr.Code)
+	}
+
+	result := jsonBody(t, rr)
+	tags, ok := result["tags"].([]any)
+	if !ok {
+		t.Fatal("expected tags array")
+	}
+	if len(tags) < 1 {
+		t.Error("expected at least one tag matching 'go'")
+	}
+}
+
+func TestAPISearchTagsEmpty(t *testing.T) {
+	_, mux, _, _ := testAPIServer(t)
+
+	req := httptest.NewRequest("GET", "/api/v1/tags?q=nonexistent", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("empty tag search: got %d, want 200", rr.Code)
+	}
+
+	result := jsonBody(t, rr)
+	tags, _ := result["tags"].([]any)
+	if len(tags) != 0 {
+		t.Errorf("expected empty tags, got %v", tags)
+	}
+}
+
+// --- Users ---
+
+func TestAPIGetUser(t *testing.T) {
+	_, mux, users, _ := testAPIServer(t)
+	users.Create("testuser", "pass123", "user")
+
+	req := httptest.NewRequest("GET", "/api/v1/users/testuser", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("get user: got %d, want 200", rr.Code)
+	}
+
+	result := jsonBody(t, rr)
+	if result["username"] != "testuser" {
+		t.Errorf("username = %v", result["username"])
+	}
+}
+
+func TestAPIGetUserNotFound(t *testing.T) {
+	_, mux, _, _ := testAPIServer(t)
+
+	req := httptest.NewRequest("GET", "/api/v1/users/nobody", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusNotFound {
+		t.Errorf("nonexistent user: got %d, want 404", rr.Code)
+	}
+}
+
+func TestAPIGetDisabledUser(t *testing.T) {
+	_, mux, users, _ := testAPIServer(t)
+	user, _ := users.Create("disabled", "pass123", "user")
+	users.SetDisabled(user.ID, true)
+
+	req := httptest.NewRequest("GET", "/api/v1/users/disabled", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusNotFound {
+		t.Errorf("disabled user: got %d, want 404", rr.Code)
+	}
+}
+
+func TestAPIGetUserFaves(t *testing.T) {
+	h, mux, users, _ := testAPIServer(t)
+	user, _ := users.Create("testuser", "pass123", "user")
+	h.deps.Faves.Create(user.ID, "Public fave", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Private fave", "", "", "private")
+
+	req := httptest.NewRequest("GET", "/api/v1/users/testuser/faves", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("user faves: got %d, want 200", rr.Code)
+	}
+
+	result := jsonBody(t, rr)
+	total, _ := result["total"].(float64)
+	if total != 1 {
+		t.Errorf("total = %v, want 1 (only public faves)", total)
+	}
+}
+
+// --- Export/Import ---
+
+func TestAPIExport(t *testing.T) {
+	h, mux, users, sessions := testAPIServer(t)
+
+	user, _ := users.Create("testuser", "pass123", "user")
+	h.deps.Faves.Create(user.ID, "Fave 1", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Fave 2", "", "", "private")
+	token, _ := sessions.Create(user.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	req := httptest.NewRequest("GET", "/api/v1/export/json", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("export: got %d, want 200", rr.Code)
+	}
+
+	// Export returns a JSON array directly.
+	var faves []any
+	if err := json.Unmarshal(rr.Body.Bytes(), &faves); err != nil {
+		t.Fatalf("parse export JSON: %v", err)
+	}
+	if len(faves) != 2 {
+		t.Errorf("exported %d faves, want 2", len(faves))
+	}
+}
+
+func TestAPIImportValid(t *testing.T) {
+	_, mux, users, sessions := testAPIServer(t)
+	cookie := apiLogin(t, users, sessions, "testuser", "pass123", "user")
+
+	body := `[{"description":"Imported 1","privacy":"public"},{"description":"Imported 2","tags":["test"]}]`
+	req := httptest.NewRequest("POST", "/api/v1/import", strings.NewReader(body))
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("import: got %d, want 200\nbody: %s", rr.Code, rr.Body.String())
+	}
+
+	result := jsonBody(t, rr)
+	imported, _ := result["imported"].(float64)
+	if imported != 2 {
+		t.Errorf("imported = %v, want 2", imported)
+	}
+}
+
+func TestAPIImportSkipsEmpty(t *testing.T) {
+	_, mux, users, sessions := testAPIServer(t)
+	cookie := apiLogin(t, users, sessions, "testuser", "pass123", "user")
+
+	body := `[{"description":"Valid"},{"description":"","url":"https://empty.com"}]`
+	req := httptest.NewRequest("POST", "/api/v1/import", strings.NewReader(body))
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	result := jsonBody(t, rr)
+	imported, _ := result["imported"].(float64)
+	total, _ := result["total"].(float64)
+	if imported != 1 {
+		t.Errorf("imported = %v, want 1", imported)
+	}
+	if total != 2 {
+		t.Errorf("total = %v, want 2", total)
+	}
+}
+
+func TestAPIImportInvalidJSON(t *testing.T) {
+	_, mux, users, sessions := testAPIServer(t)
+	cookie := apiLogin(t, users, sessions, "testuser", "pass123", "user")
+
+	req := httptest.NewRequest("POST", "/api/v1/import", strings.NewReader("not json"))
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusBadRequest {
+		t.Errorf("invalid JSON import: got %d, want 400", rr.Code)
+	}
+}
+
+// --- JSON helpers ---
+
+func TestQueryIntFallback(t *testing.T) {
+	tests := []struct {
+		query string
+		want  int
+	}{
+		{"", 10},
+		{"page=abc", 10},
+		{"page=-1", 10},
+		{"page=0", 10},
+		{"page=5", 5},
+	}
+	for _, tt := range tests {
+		req := httptest.NewRequest("GET", "/test?"+tt.query, nil)
+		got := queryInt(req, "page", 10)
+		if got != tt.want {
+			t.Errorf("queryInt(%q) = %d, want %d", tt.query, got, tt.want)
+		}
+	}
+}
+
+// faveIDStr converts an int64 to a string for URL paths.
+func faveIDStr(id int64) string {
+	return strconv.FormatInt(id, 10)
+}
diff --git a/internal/handler/handler_test.go b/internal/handler/handler_test.go
index f5d6769..e12d232 100644
--- a/internal/handler/handler_test.go
+++ b/internal/handler/handler_test.go
@@ -67,8 +67,8 @@ func testServer(t *testing.T) (*Handler, *http.ServeMux) {
 
 	mux := h.Routes()
 
-	// Wrap with SessionLoader so authenticated tests work.
-	chain := middleware.SessionLoader(sessions, users)(mux)
+	// Wrap with SessionLoader and CSRFProtection so authenticated tests work.
+	chain := middleware.CSRFProtection(cfg)(middleware.SessionLoader(sessions, users)(mux))
 	wrappedMux := http.NewServeMux()
 	wrappedMux.Handle("/", chain)
 
diff --git a/internal/handler/web_test.go b/internal/handler/web_test.go
new file mode 100644
index 0000000..5d5268a
--- /dev/null
+++ b/internal/handler/web_test.go
@@ -0,0 +1,1153 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package handler
+
+import (
+	"bytes"
+	"encoding/csv"
+	"encoding/json"
+	"mime/multipart"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"strings"
+	"testing"
+)
+
+// csrfToken performs a GET to extract a CSRF token cookie from the response.
+func csrfToken(t *testing.T, mux *http.ServeMux, path string) string {
+	t.Helper()
+	req := httptest.NewRequest("GET", path, nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+	token := extractCookie(rr, "csrf_token")
+	if token == "" {
+		t.Fatal("no csrf_token cookie from GET " + path)
+	}
+	return token
+}
+
+// postForm creates a POST request with form data and CSRF token.
+func postForm(path string, csrf string, values url.Values, cookies ...*http.Cookie) *http.Request {
+	values.Set("csrf_token", csrf)
+	req := httptest.NewRequest("POST", path, strings.NewReader(values.Encode()))
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrf})
+	for _, c := range cookies {
+		req.AddCookie(c)
+	}
+	return req
+}
+
+// --- Auth flows ---
+
+func TestSignupOpenMode(t *testing.T) {
+	h, mux := testServer(t)
+
+	// Set signup mode to open.
+	h.deps.Settings.Update("Test", "", "open")
+
+	csrf := csrfToken(t, mux, "/signup")
+
+	form := url.Values{
+		"username":         {"newuser"},
+		"password":         {"password123"},
+		"password_confirm": {"password123"},
+	}
+	req := postForm("/signup", csrf, form)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusSeeOther {
+		t.Errorf("signup: got %d, want 303\nbody: %s", rr.Code, rr.Body.String())
+	}
+
+	// Should have a session cookie (auto-login after signup).
+	if extractCookie(rr, "session") == "" {
+		t.Error("expected session cookie after signup")
+	}
+}
+
+func TestSignupDuplicate(t *testing.T) {
+	h, mux := testServer(t)
+	h.deps.Settings.Update("Test", "", "open")
+	h.deps.Users.Create("existing", "password123", "user")
+
+	csrf := csrfToken(t, mux, "/signup")
+
+	form := url.Values{
+		"username":         {"existing"},
+		"password":         {"password123"},
+		"password_confirm": {"password123"},
+	}
+	req := postForm("/signup", csrf, form)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("duplicate signup: got %d, want 200 (re-render)", rr.Code)
+	}
+	if !strings.Contains(rr.Body.String(), "allerede i bruk") {
+		t.Error("should show duplicate username error")
+	}
+}
+
+func TestSignupClosedMode(t *testing.T) {
+	h, mux := testServer(t)
+	h.deps.Settings.Update("Test", "", "closed")
+
+	csrf := csrfToken(t, mux, "/signup")
+
+	form := url.Values{
+		"username":         {"newuser"},
+		"password":         {"password123"},
+		"password_confirm": {"password123"},
+	}
+	req := postForm("/signup", csrf, form)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	body := rr.Body.String()
+	if !strings.Contains(body, "stengt") {
+		t.Error("closed signup should show 'stengt' message")
+	}
+}
+
+func TestSignupRequestMode(t *testing.T) {
+	h, mux := testServer(t)
+	h.deps.Settings.Update("Test", "", "requests")
+
+	csrf := csrfToken(t, mux, "/signup")
+
+	form := url.Values{
+		"username":         {"requester"},
+		"password":         {"password123"},
+		"password_confirm": {"password123"},
+	}
+	req := postForm("/signup", csrf, form)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	body := rr.Body.String()
+	if !strings.Contains(body, "sendt") {
+		t.Error("request mode signup should show 'sendt' message")
+	}
+
+	// Verify a signup request was created.
+	requests, _ := h.deps.SignupRequests.ListPending()
+	if len(requests) != 1 {
+		t.Errorf("expected 1 pending request, got %d", len(requests))
+	}
+}
+
+func TestSignupInvalidUsername(t *testing.T) {
+	h, mux := testServer(t)
+	h.deps.Settings.Update("Test", "", "open")
+
+	csrf := csrfToken(t, mux, "/signup")
+
+	form := url.Values{
+		"username":         {"a"}, // Too short (min 2).
+		"password":         {"password123"},
+		"password_confirm": {"password123"},
+	}
+	req := postForm("/signup", csrf, form)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "Ugyldig brukernavn") {
+		t.Error("should show username validation error")
+	}
+}
+
+func TestSignupPasswordTooShort(t *testing.T) {
+	h, mux := testServer(t)
+	h.deps.Settings.Update("Test", "", "open")
+
+	csrf := csrfToken(t, mux, "/signup")
+
+	form := url.Values{
+		"username":         {"newuser"},
+		"password":         {"short"},
+		"password_confirm": {"short"},
+	}
+	req := postForm("/signup", csrf, form)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "minst 8 tegn") {
+		t.Error("should show password length error")
+	}
+}
+
+func TestSignupPasswordMismatch(t *testing.T) {
+	h, mux := testServer(t)
+	h.deps.Settings.Update("Test", "", "open")
+
+	csrf := csrfToken(t, mux, "/signup")
+
+	form := url.Values{
+		"username":         {"newuser"},
+		"password":         {"password123"},
+		"password_confirm": {"different456"},
+	}
+	req := postForm("/signup", csrf, form)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "ikke like") {
+		t.Error("should show password mismatch error")
+	}
+}
+
+func TestLogout(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	csrf := csrfToken(t, mux, "/login")
+
+	req := postForm("/logout", csrf, url.Values{}, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusSeeOther {
+		t.Errorf("logout: got %d, want 303", rr.Code)
+	}
+	loc := rr.Header().Get("Location")
+	if !strings.Contains(loc, "/login") {
+		t.Errorf("logout redirect = %q, want /login", loc)
+	}
+}
+
+func TestPasswordResetFlow(t *testing.T) {
+	h, mux := testServer(t)
+
+	// Create user with must_reset flag.
+	user, _ := h.deps.Users.CreateWithReset("resetuser", "temppass", "user")
+	token, _ := h.deps.Sessions.Create(user.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	// Accessing /reset-password should render the form.
+	req := httptest.NewRequest("GET", "/reset-password", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("reset page: got %d, want 200", rr.Code)
+	}
+	if !strings.Contains(rr.Body.String(), "Endre passord") {
+		t.Error("should render password reset form")
+	}
+}
+
+func TestPasswordResetSubmit(t *testing.T) {
+	h, mux := testServer(t)
+
+	user, _ := h.deps.Users.CreateWithReset("resetuser", "temppass", "user")
+	token, _ := h.deps.Sessions.Create(user.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	// Get CSRF token.
+	getReq := httptest.NewRequest("GET", "/reset-password", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	form := url.Values{
+		"password":         {"newpassword123"},
+		"password_confirm": {"newpassword123"},
+	}
+	req := postForm("/reset-password", csrf, form, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusSeeOther {
+		t.Errorf("reset submit: got %d, want 303\nbody: %s", rr.Code, rr.Body.String())
+	}
+
+	// Verify new password works.
+	_, err := h.deps.Users.Authenticate("resetuser", "newpassword123")
+	if err != nil {
+		t.Errorf("new password should work: %v", err)
+	}
+}
+
+// --- Fave CRUD (web) ---
+
+func TestCreateFavePageRendering(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	req := httptest.NewRequest("GET", "/faves/new", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("new fave page: got %d, want 200", rr.Code)
+	}
+	if !strings.Contains(rr.Body.String(), "Ny favoritt") {
+		t.Error("should render new fave form")
+	}
+}
+
+func TestCreateFaveSubmit(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	// Get CSRF token.
+	getReq := httptest.NewRequest("GET", "/faves/new", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	// POST multipart form (fave creation uses ParseMultipartForm).
+	var body bytes.Buffer
+	writer := multipart.NewWriter(&body)
+	writer.WriteField("csrf_token", csrf)
+	writer.WriteField("description", "Min nye favoritt")
+	writer.WriteField("url", "https://example.com")
+	writer.WriteField("privacy", "public")
+	writer.WriteField("tags", "test, go")
+	writer.Close()
+
+	req := httptest.NewRequest("POST", "/faves", &body)
+	req.Header.Set("Content-Type", writer.FormDataContentType())
+	req.AddCookie(cookie)
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrf})
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusSeeOther {
+		t.Errorf("create fave: got %d, want 303\nbody: %s", rr.Code, rr.Body.String())
+	}
+
+	// Verify redirect points to the new fave.
+	loc := rr.Header().Get("Location")
+	if !strings.Contains(loc, "/faves/") {
+		t.Errorf("redirect = %q, should point to /faves/{id}", loc)
+	}
+}
+
+func TestCreateFaveMissingDescription(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	getReq := httptest.NewRequest("GET", "/faves/new", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	var body bytes.Buffer
+	writer := multipart.NewWriter(&body)
+	writer.WriteField("csrf_token", csrf)
+	writer.WriteField("description", "")
+	writer.Close()
+
+	req := httptest.NewRequest("POST", "/faves", &body)
+	req.Header.Set("Content-Type", writer.FormDataContentType())
+	req.AddCookie(cookie)
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrf})
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "Beskrivelse er påkrevd") {
+		t.Error("should show description required error")
+	}
+}
+
+func TestEditFaveNotOwner(t *testing.T) {
+	h, mux := testServer(t)
+
+	userA, _ := h.deps.Users.Create("usera", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "public")
+
+	cookieB := loginUser(t, h, "userb", "pass123", "user")
+
+	req := httptest.NewRequest("GET", "/faves/"+faveIDStr(fave.ID)+"/edit", nil)
+	req.AddCookie(cookieB)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusForbidden {
+		t.Errorf("edit by non-owner: got %d, want 403", rr.Code)
+	}
+}
+
+func TestDeleteFaveHTMX(t *testing.T) {
+	h, mux := testServer(t)
+
+	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(user.ID, "Delete me", "", "", "public")
+	token, _ := h.deps.Sessions.Create(user.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	getReq := httptest.NewRequest("GET", "/faves/"+faveIDStr(fave.ID), nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	req := httptest.NewRequest("DELETE", "/faves/"+faveIDStr(fave.ID), nil)
+	req.Header.Set("HX-Request", "true")
+	req.Header.Set("X-CSRF-Token", csrf)
+	req.AddCookie(cookie)
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrf})
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("HTMX delete: got %d, want 200", rr.Code)
+	}
+}
+
+func TestDeleteFaveNotOwner(t *testing.T) {
+	h, mux := testServer(t)
+
+	userA, _ := h.deps.Users.Create("usera", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "public")
+
+	cookieB := loginUser(t, h, "userb", "pass123", "user")
+
+	getReq := httptest.NewRequest("GET", "/faves/"+faveIDStr(fave.ID), nil)
+	getReq.AddCookie(cookieB)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	req := httptest.NewRequest("DELETE", "/faves/"+faveIDStr(fave.ID), nil)
+	req.Header.Set("X-CSRF-Token", csrf)
+	req.AddCookie(cookieB)
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrf})
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusForbidden {
+		t.Errorf("delete by non-owner: got %d, want 403", rr.Code)
+	}
+}
+
+// --- Admin ---
+
+func TestAdminUserList(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "admin", "pass123", "admin")
+	h.deps.Users.Create("regular", "pass123", "user")
+
+	req := httptest.NewRequest("GET", "/admin/users", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("admin users: got %d, want 200", rr.Code)
+	}
+	body := rr.Body.String()
+	if !strings.Contains(body, "admin") || !strings.Contains(body, "regular") {
+		t.Error("admin users page should list all users")
+	}
+}
+
+func TestAdminCreateUser(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "admin", "pass123", "admin")
+
+	getReq := httptest.NewRequest("GET", "/admin/users", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	form := url.Values{
+		"username": {"newuser"},
+		"role":     {"user"},
+	}
+	req := postForm("/admin/users", csrf, form, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "Bruker opprettet") {
+		t.Error("should show user created message")
+	}
+
+	// Verify user was created.
+	_, err := h.deps.Users.GetByUsername("newuser")
+	if err != nil {
+		t.Errorf("new user should exist: %v", err)
+	}
+}
+
+func TestAdminToggleDisabled(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "admin", "pass123", "admin")
+	user, _ := h.deps.Users.Create("target", "pass123", "user")
+
+	getReq := httptest.NewRequest("GET", "/admin/users", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	req := postForm("/admin/users/"+faveIDStr(user.ID)+"/toggle-disabled", csrf, url.Values{}, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "deaktivert") {
+		t.Error("should show deactivated message")
+	}
+}
+
+func TestAdminCannotDisableSelf(t *testing.T) {
+	h, mux := testServer(t)
+
+	admin, _ := h.deps.Users.Create("admin", "pass123", "admin")
+	token, _ := h.deps.Sessions.Create(admin.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	getReq := httptest.NewRequest("GET", "/admin/users", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	req := postForm("/admin/users/"+faveIDStr(admin.ID)+"/toggle-disabled", csrf, url.Values{}, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "din egen konto") {
+		t.Error("should prevent self-disable")
+	}
+}
+
+func TestAdminSettings(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "admin", "pass123", "admin")
+
+	// GET settings page.
+	getReq := httptest.NewRequest("GET", "/admin/settings", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+
+	if getRR.Code != http.StatusOK {
+		t.Errorf("admin settings GET: got %d, want 200", getRR.Code)
+	}
+
+	csrf := extractCookie(getRR, "csrf_token")
+
+	// POST updated settings.
+	form := url.Values{
+		"site_name":        {"Nytt Navn"},
+		"site_description": {"En beskrivelse"},
+		"signup_mode":      {"closed"},
+	}
+	req := postForm("/admin/settings", csrf, form, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "lagret") {
+		t.Error("should show settings saved message")
+	}
+
+	// Verify settings were updated.
+	settings, _ := h.deps.Settings.Get()
+	if settings.SiteName != "Nytt Navn" {
+		t.Errorf("site_name = %q, want 'Nytt Navn'", settings.SiteName)
+	}
+}
+
+func TestAdminApproveSignupRequest(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "admin", "pass123", "admin")
+
+	// Create a signup request.
+	h.deps.SignupRequests.Create("requester", "password123")
+
+	requests, _ := h.deps.SignupRequests.ListPending()
+	if len(requests) == 0 {
+		t.Fatal("expected pending request")
+	}
+
+	getReq := httptest.NewRequest("GET", "/admin/signup-requests", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	form := url.Values{"action": {"approve"}}
+	req := postForm("/admin/signup-requests/"+faveIDStr(requests[0].ID), csrf, form, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "godkjent") {
+		t.Error("should show approved message")
+	}
+
+	// User should now exist.
+	_, err := h.deps.Users.GetByUsername("requester")
+	if err != nil {
+		t.Errorf("approved user should exist: %v", err)
+	}
+}
+
+func TestAdminRejectSignupRequest(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "admin", "pass123", "admin")
+
+	h.deps.SignupRequests.Create("rejectable", "password123")
+	requests, _ := h.deps.SignupRequests.ListPending()
+
+	getReq := httptest.NewRequest("GET", "/admin/signup-requests", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	form := url.Values{"action": {"reject"}}
+	req := postForm("/admin/signup-requests/"+faveIDStr(requests[0].ID), csrf, form, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "avvist") {
+		t.Error("should show rejected message")
+	}
+}
+
+func TestAdminTags(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "admin", "pass123", "admin")
+
+	// Create a tag via a fave.
+	admin, _ := h.deps.Users.GetByUsername("admin")
+	fave, _ := h.deps.Faves.Create(admin.ID, "Test", "", "", "public")
+	h.deps.Tags.SetFaveTags(fave.ID, []string{"testmerke"})
+
+	req := httptest.NewRequest("GET", "/admin/tags", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("admin tags: got %d, want 200", rr.Code)
+	}
+	if !strings.Contains(rr.Body.String(), "testmerke") {
+		t.Error("admin tags page should list tags")
+	}
+}
+
+// --- Feeds ---
+
+func TestUserFeed(t *testing.T) {
+	h, mux := testServer(t)
+
+	user, _ := h.deps.Users.Create("feeduser", "pass123", "user")
+	h.deps.Users.UpdateProfile(user.ID, "Feed User", "", "public", "public")
+	h.deps.Faves.Create(user.ID, "User fave", "", "", "public")
+
+	req := httptest.NewRequest("GET", "/u/feeduser/feed.xml", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("user feed: got %d, want 200", rr.Code)
+	}
+	ct := rr.Header().Get("Content-Type")
+	if !strings.Contains(ct, "atom+xml") {
+		t.Errorf("content-type = %q", ct)
+	}
+	if !strings.Contains(rr.Body.String(), "User fave") {
+		t.Error("user feed should contain fave")
+	}
+}
+
+func TestFeedExcludesPrivate(t *testing.T) {
+	h, mux := testServer(t)
+
+	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
+	h.deps.Faves.Create(user.ID, "Public fave", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Secret fave", "", "", "private")
+
+	req := httptest.NewRequest("GET", "/feed.xml", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	body := rr.Body.String()
+	if !strings.Contains(body, "Public fave") {
+		t.Error("feed should contain public fave")
+	}
+	if strings.Contains(body, "Secret fave") {
+		t.Error("feed should NOT contain private fave")
+	}
+}
+
+func TestTagFeed(t *testing.T) {
+	h, mux := testServer(t)
+
+	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(user.ID, "Tagged fave", "", "", "public")
+	h.deps.Tags.SetFaveTags(fave.ID, []string{"golang"})
+
+	req := httptest.NewRequest("GET", "/tags/golang/feed.xml", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("tag feed: got %d, want 200", rr.Code)
+	}
+	if !strings.Contains(rr.Body.String(), "Tagged fave") {
+		t.Error("tag feed should contain tagged fave")
+	}
+}
+
+func TestLimitedProfileFeedReturns404(t *testing.T) {
+	h, mux := testServer(t)
+
+	user, _ := h.deps.Users.Create("limited", "pass123", "user")
+	h.deps.Users.UpdateProfile(user.ID, "Limited", "", "limited", "public")
+
+	req := httptest.NewRequest("GET", "/u/limited/feed.xml", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusNotFound {
+		t.Errorf("limited profile feed: got %d, want 404", rr.Code)
+	}
+}
+
+// --- Import/Export (web) ---
+
+func TestExportJSON(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	user, _ := h.deps.Users.GetByUsername("testuser")
+	fave, _ := h.deps.Faves.Create(user.ID, "Export me", "https://example.com", "", "public")
+	h.deps.Tags.SetFaveTags(fave.ID, []string{"test"})
+
+	req := httptest.NewRequest("GET", "/export/json", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("export JSON: got %d, want 200", rr.Code)
+	}
+
+	ct := rr.Header().Get("Content-Type")
+	if !strings.Contains(ct, "application/json") {
+		t.Errorf("content-type = %q", ct)
+	}
+
+	var faves []ExportFave
+	if err := json.Unmarshal(rr.Body.Bytes(), &faves); err != nil {
+		t.Fatalf("parse export: %v", err)
+	}
+	if len(faves) != 1 {
+		t.Fatalf("exported %d, want 1", len(faves))
+	}
+	if faves[0].Description != "Export me" {
+		t.Errorf("description = %q", faves[0].Description)
+	}
+}
+
+func TestExportCSV(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	user, _ := h.deps.Users.GetByUsername("testuser")
+	h.deps.Faves.Create(user.ID, "CSV fave", "", "", "public")
+
+	req := httptest.NewRequest("GET", "/export/csv", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("export CSV: got %d, want 200", rr.Code)
+	}
+
+	ct := rr.Header().Get("Content-Type")
+	if !strings.Contains(ct, "text/csv") {
+		t.Errorf("content-type = %q", ct)
+	}
+
+	reader := csv.NewReader(bytes.NewReader(rr.Body.Bytes()))
+	records, err := reader.ReadAll()
+	if err != nil {
+		t.Fatalf("parse CSV: %v", err)
+	}
+	// Header + 1 data row.
+	if len(records) != 2 {
+		t.Errorf("CSV rows = %d, want 2 (header + data)", len(records))
+	}
+	if records[0][0] != "description" {
+		t.Errorf("CSV header = %q, want 'description'", records[0][0])
+	}
+}
+
+func TestImportJSONFile(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	getReq := httptest.NewRequest("GET", "/import", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	// Build multipart form with JSON file.
+	var body bytes.Buffer
+	writer := multipart.NewWriter(&body)
+	writer.WriteField("csrf_token", csrf)
+	part, _ := writer.CreateFormFile("file", "import.json")
+	jsonData := `[{"description":"Imported 1","privacy":"public","tags":["go"]},{"description":"Imported 2"}]`
+	part.Write([]byte(jsonData))
+	writer.Close()
+
+	req := httptest.NewRequest("POST", "/import", &body)
+	req.Header.Set("Content-Type", writer.FormDataContentType())
+	req.AddCookie(cookie)
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrf})
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "Importert 2 av 2") {
+		t.Errorf("import result: %s", rr.Body.String())
+	}
+}
+
+func TestImportCSVFile(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	getReq := httptest.NewRequest("GET", "/import", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	// Build multipart form with CSV file.
+	var body bytes.Buffer
+	writer := multipart.NewWriter(&body)
+	writer.WriteField("csrf_token", csrf)
+	part, _ := writer.CreateFormFile("file", "import.csv")
+	csvData := "description,url,privacy,tags\nCSV Fave,https://example.com,public,test\n"
+	part.Write([]byte(csvData))
+	writer.Close()
+
+	req := httptest.NewRequest("POST", "/import", &body)
+	req.Header.Set("Content-Type", writer.FormDataContentType())
+	req.AddCookie(cookie)
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: csrf})
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "Importert 1 av 1") {
+		t.Errorf("import CSV result: %s", rr.Body.String())
+	}
+}
+
+// --- Profile ---
+
+func TestProfileDisabledUser(t *testing.T) {
+	h, mux := testServer(t)
+	user, _ := h.deps.Users.Create("disabled", "pass123", "user")
+	h.deps.Users.SetDisabled(user.ID, true)
+
+	req := httptest.NewRequest("GET", "/u/disabled", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusNotFound {
+		t.Errorf("disabled profile: got %d, want 404", rr.Code)
+	}
+}
+
+func TestProfileOwnerSeesPrivateFaves(t *testing.T) {
+	h, mux := testServer(t)
+
+	user, _ := h.deps.Users.Create("owner", "pass123", "user")
+	h.deps.Faves.Create(user.ID, "Private fave", "", "", "private")
+	token, _ := h.deps.Sessions.Create(user.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	req := httptest.NewRequest("GET", "/u/owner", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("own profile: got %d, want 200", rr.Code)
+	}
+	if !strings.Contains(rr.Body.String(), "Private fave") {
+		t.Error("owner should see their own private faves on profile")
+	}
+}
+
+func TestProfileVisitorCannotSeePrivateFaves(t *testing.T) {
+	h, mux := testServer(t)
+
+	user, _ := h.deps.Users.Create("owner", "pass123", "user")
+	h.deps.Users.UpdateProfile(user.ID, "Owner", "", "public", "public")
+	h.deps.Faves.Create(user.ID, "Only public", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Hidden secret", "", "", "private")
+
+	req := httptest.NewRequest("GET", "/u/owner", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	body := rr.Body.String()
+	if !strings.Contains(body, "Only public") {
+		t.Error("visitor should see public fave")
+	}
+	if strings.Contains(body, "Hidden secret") {
+		t.Error("visitor should NOT see private fave")
+	}
+}
+
+// --- Tag browsing ---
+
+func TestTagBrowse(t *testing.T) {
+	h, mux := testServer(t)
+
+	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(user.ID, "Tagged", "", "", "public")
+	h.deps.Tags.SetFaveTags(fave.ID, []string{"golang"})
+
+	req := httptest.NewRequest("GET", "/tags/golang", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("tag browse: got %d, want 200", rr.Code)
+	}
+	if !strings.Contains(rr.Body.String(), "Tagged") {
+		t.Error("tag browse should show tagged fave")
+	}
+}
+
+// --- Home page ---
+
+func TestHomePageUnauthenticated(t *testing.T) {
+	_, mux := testServer(t)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("home page: got %d, want 200", rr.Code)
+	}
+}
+
+func TestHomePageAuthenticated(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	user, _ := h.deps.Users.GetByUsername("testuser")
+	h.deps.Faves.Create(user.ID, "Home fave", "", "", "public")
+
+	req := httptest.NewRequest("GET", "/", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("authenticated home: got %d, want 200", rr.Code)
+	}
+}
+
+// --- Settings ---
+
+func TestSettingsPageRendering(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	req := httptest.NewRequest("GET", "/settings", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("settings page: got %d, want 200", rr.Code)
+	}
+	if !strings.Contains(rr.Body.String(), "Innstillinger") {
+		t.Error("should render settings page")
+	}
+}
+
+func TestSettingsUpdateProfile(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	getReq := httptest.NewRequest("GET", "/settings", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	form := url.Values{
+		"display_name":       {"Nytt Navn"},
+		"bio":                {"Min bio"},
+		"profile_visibility": {"public"},
+		"default_fave_privacy": {"private"},
+	}
+	req := postForm("/settings", csrf, form, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "lagret") {
+		t.Error("should show settings saved message")
+	}
+
+	user, _ := h.deps.Users.GetByUsername("testuser")
+	if user.DisplayName != "Nytt Navn" {
+		t.Errorf("display_name = %q", user.DisplayName)
+	}
+}
+
+func TestSettingsChangePassword(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	getReq := httptest.NewRequest("GET", "/settings", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	form := url.Values{
+		"current_password": {"pass123"},
+		"new_password":     {"newpass456"},
+		"confirm_password": {"newpass456"},
+	}
+	req := postForm("/settings/password", csrf, form, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "endret") {
+		t.Errorf("should show password changed: %s", rr.Body.String())
+	}
+
+	// Verify new password works.
+	_, err := h.deps.Users.Authenticate("testuser", "newpass456")
+	if err != nil {
+		t.Errorf("new password should work: %v", err)
+	}
+}
+
+func TestSettingsChangePasswordWrongCurrent(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	getReq := httptest.NewRequest("GET", "/settings", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	form := url.Values{
+		"current_password": {"wrongpass"},
+		"new_password":     {"newpass456"},
+		"confirm_password": {"newpass456"},
+	}
+	req := postForm("/settings/password", csrf, form, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "feil") {
+		t.Error("should show wrong password error")
+	}
+}
+
+// --- Tag autocomplete ---
+
+// TestTagSuggestionsNoInlineHandlers is a regression test for the autocomplete click bug.
+// Tag suggestions must NOT use inline event handlers (onclick, onmousedown) because
+// they are blocked by CSP (script-src 'self'). Instead, they must use data-tag-name
+// attributes and delegated event listeners in app.js.
+func TestTagSuggestionsNoInlineHandlers(t *testing.T) {
+	h, mux := testServer(t)
+
+	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(user.ID, "Test", "", "", "public")
+	h.deps.Tags.SetFaveTags(fave.ID, []string{"golang", "goroutines"})
+
+	req := httptest.NewRequest("GET", "/tags/search?q=go", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("tag search: got %d, want 200", rr.Code)
+	}
+
+	body := rr.Body.String()
+
+	// Must NOT use inline handlers — they are blocked by CSP script-src 'self'.
+	if strings.Contains(body, "onclick=") {
+		t.Error("tag suggestions must not use onclick (blocked by CSP)")
+	}
+	if strings.Contains(body, "onmousedown=") {
+		t.Error("tag suggestions must not use onmousedown (blocked by CSP)")
+	}
+	if strings.Contains(body, "ontouchstart=") {
+		t.Error("tag suggestions must not use ontouchstart (blocked by CSP)")
+	}
+
+	// Must use data-tag-name for delegated event handling in app.js.
+	if !strings.Contains(body, "data-tag-name=") {
+		t.Error("tag suggestions must use data-tag-name attribute for delegated event handling")
+	}
+
+	// Verify the tag names are in the data attributes.
+	if !strings.Contains(body, `data-tag-name="golang"`) {
+		t.Error("suggestion should have data-tag-name with the tag name")
+	}
+}
+
+// TestTagSuggestionsDisplayName verifies that the "av" display name bug is fixed.
+// The fave list should show the username as fallback when display_name is empty.
+func TestDisplayNameFallbackToUsername(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	// Create a user WITHOUT a display name and a public fave.
+	user, _ := h.deps.Users.GetByUsername("testuser")
+	h.deps.Faves.Create(user.ID, "Test fave", "", "", "public")
+
+	// The home page shows "av <display_name>" — with no display name set,
+	// it should fall back to the username.
+	req := httptest.NewRequest("GET", "/", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	body := rr.Body.String()
+	// Should show "av testuser" (username as fallback), not just "av".
+	if !strings.Contains(body, "testuser") {
+		t.Error("home page should show username as fallback when display_name is empty")
+	}
+}
+
+// --- Export page ---
+
+func TestExportPageRendering(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	req := httptest.NewRequest("GET", "/export", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("export page: got %d, want 200", rr.Code)
+	}
+	if !strings.Contains(rr.Body.String(), "Eksporter") {
+		t.Error("should render export page")
+	}
+}
diff --git a/internal/image/image_test.go b/internal/image/image_test.go
new file mode 100644
index 0000000..8b06481
--- /dev/null
+++ b/internal/image/image_test.go
@@ -0,0 +1,234 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package image
+
+import (
+	"bytes"
+	"image"
+	"image/jpeg"
+	"image/png"
+	"mime/multipart"
+	"net/textproto"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+// testJPEG creates a test JPEG image in memory with given dimensions.
+func testJPEG(t *testing.T, width, height int) (*bytes.Buffer, *multipart.FileHeader) {
+	t.Helper()
+	img := image.NewRGBA(image.Rect(0, 0, width, height))
+	var buf bytes.Buffer
+	if err := jpeg.Encode(&buf, img, &jpeg.Options{Quality: 75}); err != nil {
+		t.Fatalf("encode test jpeg: %v", err)
+	}
+	header := &multipart.FileHeader{
+		Filename: "test.jpg",
+		Size:     int64(buf.Len()),
+		Header:   textproto.MIMEHeader{"Content-Type": {"image/jpeg"}},
+	}
+	return &buf, header
+}
+
+// testPNG creates a test PNG image in memory with given dimensions.
+func testPNG(t *testing.T, width, height int) (*bytes.Buffer, *multipart.FileHeader) {
+	t.Helper()
+	img := image.NewRGBA(image.Rect(0, 0, width, height))
+	var buf bytes.Buffer
+	if err := png.Encode(&buf, img); err != nil {
+		t.Fatalf("encode test png: %v", err)
+	}
+	header := &multipart.FileHeader{
+		Filename: "test.png",
+		Size:     int64(buf.Len()),
+		Header:   textproto.MIMEHeader{"Content-Type": {"image/png"}},
+	}
+	return &buf, header
+}
+
+// bufferReadSeeker wraps a bytes.Reader to implement multipart.File.
+type bufferReadSeeker struct {
+	*bytes.Reader
+}
+
+func (b *bufferReadSeeker) Close() error { return nil }
+
+func TestProcessJPEG(t *testing.T) {
+	uploadDir := t.TempDir()
+	buf, header := testJPEG(t, 800, 600)
+
+	result, err := Process(&bufferReadSeeker{bytes.NewReader(buf.Bytes())}, header, uploadDir)
+	if err != nil {
+		t.Fatalf("Process JPEG: %v", err)
+	}
+
+	if result.Filename == "" {
+		t.Error("expected non-empty filename")
+	}
+	if !strings.HasSuffix(result.Filename, ".jpg") {
+		t.Errorf("filename %q should end with .jpg", result.Filename)
+	}
+
+	// Verify file was written.
+	if _, err := os.Stat(result.Path); err != nil {
+		t.Errorf("output file not found: %v", err)
+	}
+}
+
+func TestProcessPNG(t *testing.T) {
+	uploadDir := t.TempDir()
+	buf, header := testPNG(t, 640, 480)
+
+	result, err := Process(&bufferReadSeeker{bytes.NewReader(buf.Bytes())}, header, uploadDir)
+	if err != nil {
+		t.Fatalf("Process PNG: %v", err)
+	}
+
+	if !strings.HasSuffix(result.Filename, ".png") {
+		t.Errorf("filename %q should end with .png", result.Filename)
+	}
+}
+
+func TestProcessResizeWideImage(t *testing.T) {
+	uploadDir := t.TempDir()
+	buf, header := testJPEG(t, 3840, 2160) // 4K width
+
+	result, err := Process(&bufferReadSeeker{bytes.NewReader(buf.Bytes())}, header, uploadDir)
+	if err != nil {
+		t.Fatalf("Process wide image: %v", err)
+	}
+
+	// Read back and check dimensions.
+	f, err := os.Open(result.Path)
+	if err != nil {
+		t.Fatalf("open result: %v", err)
+	}
+	defer f.Close()
+
+	img, _, err := image.Decode(f)
+	if err != nil {
+		t.Fatalf("decode result: %v", err)
+	}
+
+	bounds := img.Bounds()
+	if bounds.Dx() != MaxWidth {
+		t.Errorf("resized width = %d, want %d", bounds.Dx(), MaxWidth)
+	}
+	// Aspect ratio should be maintained.
+	expectedHeight := 2160 * MaxWidth / 3840
+	if bounds.Dy() != expectedHeight {
+		t.Errorf("resized height = %d, want %d", bounds.Dy(), expectedHeight)
+	}
+}
+
+func TestProcessSmallImageNotResized(t *testing.T) {
+	uploadDir := t.TempDir()
+	buf, header := testJPEG(t, 800, 600)
+
+	result, err := Process(&bufferReadSeeker{bytes.NewReader(buf.Bytes())}, header, uploadDir)
+	if err != nil {
+		t.Fatalf("Process small image: %v", err)
+	}
+
+	f, err := os.Open(result.Path)
+	if err != nil {
+		t.Fatalf("open result: %v", err)
+	}
+	defer f.Close()
+
+	img, _, err := image.Decode(f)
+	if err != nil {
+		t.Fatalf("decode result: %v", err)
+	}
+
+	if img.Bounds().Dx() != 800 {
+		t.Errorf("small image width = %d, should not be resized", img.Bounds().Dx())
+	}
+}
+
+func TestProcessInvalidMIME(t *testing.T) {
+	uploadDir := t.TempDir()
+	header := &multipart.FileHeader{
+		Filename: "test.txt",
+		Header:   textproto.MIMEHeader{"Content-Type": {"text/plain"}},
+	}
+	buf := bytes.NewReader([]byte("not an image"))
+
+	_, err := Process(&bufferReadSeeker{buf}, header, uploadDir)
+	if err == nil {
+		t.Error("expected error for text/plain MIME type")
+	}
+	if !strings.Contains(err.Error(), "unsupported image type") {
+		t.Errorf("error = %q, should mention unsupported type", err)
+	}
+}
+
+func TestProcessCorruptImage(t *testing.T) {
+	uploadDir := t.TempDir()
+	header := &multipart.FileHeader{
+		Filename: "corrupt.jpg",
+		Header:   textproto.MIMEHeader{"Content-Type": {"image/jpeg"}},
+	}
+	buf := bytes.NewReader([]byte("this is not valid jpeg data"))
+
+	_, err := Process(&bufferReadSeeker{buf}, header, uploadDir)
+	if err == nil {
+		t.Error("expected error for corrupt image data")
+	}
+}
+
+func TestProcessUUIDFilename(t *testing.T) {
+	uploadDir := t.TempDir()
+	buf, header := testJPEG(t, 100, 100)
+	// Give a user-supplied filename.
+	header.Filename = "my-vacation-photo.jpg"
+
+	result, err := Process(&bufferReadSeeker{bytes.NewReader(buf.Bytes())}, header, uploadDir)
+	if err != nil {
+		t.Fatalf("Process: %v", err)
+	}
+
+	if strings.Contains(result.Filename, "vacation") {
+		t.Error("filename should be UUID-based, not user-supplied")
+	}
+	// UUID format: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.ext
+	if len(result.Filename) < 36 {
+		t.Errorf("filename %q too short for UUID", result.Filename)
+	}
+}
+
+func TestAllowedTypes(t *testing.T) {
+	expected := []string{"image/jpeg", "image/png", "image/gif", "image/webp"}
+	for _, mime := range expected {
+		if _, ok := AllowedTypes[mime]; !ok {
+			t.Errorf("AllowedTypes missing %s", mime)
+		}
+	}
+}
+
+func TestDeletePathTraversal(t *testing.T) {
+	uploadDir := t.TempDir()
+
+	// Create a file outside uploadDir.
+	outsideFile := filepath.Join(t.TempDir(), "sensitive.txt")
+	os.WriteFile(outsideFile, []byte("secret"), 0644)
+
+	// Attempt to delete it via path traversal.
+	err := Delete(uploadDir, "../../../"+filepath.Base(outsideFile))
+	if err == nil {
+		t.Error("expected error for path traversal")
+	}
+
+	// File should still exist.
+	if _, statErr := os.Stat(outsideFile); statErr != nil {
+		t.Error("path traversal should not have deleted the file")
+	}
+}
+
+func TestDeleteEmpty(t *testing.T) {
+	// Empty filename should be a no-op.
+	if err := Delete(t.TempDir(), ""); err != nil {
+		t.Errorf("Delete empty filename: %v", err)
+	}
+}
diff --git a/internal/middleware/auth_test.go b/internal/middleware/auth_test.go
new file mode 100644
index 0000000..9ecbea9
--- /dev/null
+++ b/internal/middleware/auth_test.go
@@ -0,0 +1,299 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package middleware
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	"kode.naiv.no/olemd/favoritter/internal/database"
+	"kode.naiv.no/olemd/favoritter/internal/model"
+	"kode.naiv.no/olemd/favoritter/internal/store"
+)
+
+// testStores creates in-memory stores for auth middleware tests.
+func testStores(t *testing.T) (*store.SessionStore, *store.UserStore) {
+	t.Helper()
+	db, err := database.Open(":memory:")
+	if err != nil {
+		t.Fatalf("open db: %v", err)
+	}
+	if err := database.Migrate(db); err != nil {
+		t.Fatalf("migrate: %v", err)
+	}
+	t.Cleanup(func() { db.Close() })
+
+	store.Argon2Memory = 1024
+	store.Argon2Time = 1
+
+	return store.NewSessionStore(db), store.NewUserStore(db)
+}
+
+func TestSessionLoaderValidToken(t *testing.T) {
+	sessions, users := testStores(t)
+
+	user, err := users.Create("testuser", "pass123", "user")
+	if err != nil {
+		t.Fatalf("create user: %v", err)
+	}
+	token, err := sessions.Create(user.ID)
+	if err != nil {
+		t.Fatalf("create session: %v", err)
+	}
+
+	var ctxUser *model.User
+	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctxUser = UserFromContext(r.Context())
+		w.WriteHeader(http.StatusOK)
+	})
+
+	handler := SessionLoader(sessions, users)(inner)
+	req := httptest.NewRequest("GET", "/faves", nil)
+	req.AddCookie(&http.Cookie{Name: SessionCookieName, Value: token})
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if ctxUser == nil {
+		t.Fatal("expected user in context, got nil")
+	}
+	if ctxUser.ID != user.ID {
+		t.Errorf("context user ID = %d, want %d", ctxUser.ID, user.ID)
+	}
+}
+
+func TestSessionLoaderInvalidToken(t *testing.T) {
+	sessions, users := testStores(t)
+
+	var ctxUser *model.User
+	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctxUser = UserFromContext(r.Context())
+		w.WriteHeader(http.StatusOK)
+	})
+
+	handler := SessionLoader(sessions, users)(inner)
+	req := httptest.NewRequest("GET", "/faves", nil)
+	req.AddCookie(&http.Cookie{Name: SessionCookieName, Value: "invalid-token"})
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("invalid token: got %d, want 200", rr.Code)
+	}
+	if ctxUser != nil {
+		t.Error("expected nil user for invalid token")
+	}
+
+	// Should clear the invalid session cookie.
+	for _, c := range rr.Result().Cookies() {
+		if c.Name == SessionCookieName && c.MaxAge == -1 {
+			return // Cookie cleared, good.
+		}
+	}
+	t.Error("expected session cookie to be cleared for invalid token")
+}
+
+func TestSessionLoaderNoCookie(t *testing.T) {
+	sessions, users := testStores(t)
+
+	var ctxUser *model.User
+	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctxUser = UserFromContext(r.Context())
+		w.WriteHeader(http.StatusOK)
+	})
+
+	handler := SessionLoader(sessions, users)(inner)
+	req := httptest.NewRequest("GET", "/faves", nil)
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("no cookie: got %d, want 200", rr.Code)
+	}
+	if ctxUser != nil {
+		t.Error("expected nil user when no cookie")
+	}
+}
+
+func TestSessionLoaderSkipsStaticPaths(t *testing.T) {
+	sessions, users := testStores(t)
+
+	var handlerCalled bool
+	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		handlerCalled = true
+		w.WriteHeader(http.StatusOK)
+	})
+
+	handler := SessionLoader(sessions, users)(inner)
+
+	for _, path := range []string{"/static/css/style.css", "/uploads/image.jpg"} {
+		handlerCalled = false
+		req := httptest.NewRequest("GET", path, nil)
+		req.AddCookie(&http.Cookie{Name: SessionCookieName, Value: "some-token"})
+		rr := httptest.NewRecorder()
+		handler.ServeHTTP(rr, req)
+
+		if !handlerCalled {
+			t.Errorf("handler not called for %s", path)
+		}
+		if rr.Code != http.StatusOK {
+			t.Errorf("%s: got %d, want 200", path, rr.Code)
+		}
+	}
+}
+
+func TestSessionLoaderDisabledUser(t *testing.T) {
+	sessions, users := testStores(t)
+
+	user, _ := users.Create("testuser", "pass123", "user")
+	token, _ := sessions.Create(user.ID)
+	users.SetDisabled(user.ID, true)
+
+	var ctxUser *model.User
+	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		ctxUser = UserFromContext(r.Context())
+		w.WriteHeader(http.StatusOK)
+	})
+
+	handler := SessionLoader(sessions, users)(inner)
+	req := httptest.NewRequest("GET", "/faves", nil)
+	req.AddCookie(&http.Cookie{Name: SessionCookieName, Value: token})
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if ctxUser != nil {
+		t.Error("disabled user should not be in context")
+	}
+	// Session should be deleted and cookie cleared.
+	for _, c := range rr.Result().Cookies() {
+		if c.Name == SessionCookieName && c.MaxAge == -1 {
+			return
+		}
+	}
+	t.Error("expected session cookie to be cleared for disabled user")
+}
+
+func TestRequireAdminRejectsNonAdmin(t *testing.T) {
+	handler := RequireAdmin(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	// Regular user in context.
+	user := &model.User{ID: 1, Username: "regular", Role: "user"}
+	ctx := context.WithValue(context.Background(), userKey, user)
+	req := httptest.NewRequest("GET", "/admin", nil).WithContext(ctx)
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusForbidden {
+		t.Errorf("non-admin: got %d, want 403", rr.Code)
+	}
+}
+
+func TestRequireAdminAllowsAdmin(t *testing.T) {
+	handler := RequireAdmin(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	user := &model.User{ID: 1, Username: "admin", Role: "admin"}
+	ctx := context.WithValue(context.Background(), userKey, user)
+	req := httptest.NewRequest("GET", "/admin", nil).WithContext(ctx)
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("admin: got %d, want 200", rr.Code)
+	}
+}
+
+func TestRequireAdminNoUser(t *testing.T) {
+	handler := RequireAdmin(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	req := httptest.NewRequest("GET", "/admin", nil)
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusForbidden {
+		t.Errorf("no user: got %d, want 403", rr.Code)
+	}
+}
+
+func TestContextHelpers(t *testing.T) {
+	// UserFromContext with user.
+	user := &model.User{ID: 42, Username: "tester"}
+	ctx := context.WithValue(context.Background(), userKey, user)
+	got := UserFromContext(ctx)
+	if got == nil || got.ID != 42 {
+		t.Errorf("UserFromContext with user: got %v", got)
+	}
+
+	// UserFromContext without user.
+	if UserFromContext(context.Background()) != nil {
+		t.Error("UserFromContext should return nil for empty context")
+	}
+
+	// CSRFTokenFromContext.
+	ctx = context.WithValue(context.Background(), csrfTokenKey, "my-token")
+	if CSRFTokenFromContext(ctx) != "my-token" {
+		t.Error("CSRFTokenFromContext failed")
+	}
+	if CSRFTokenFromContext(context.Background()) != "" {
+		t.Error("CSRFTokenFromContext should return empty for missing key")
+	}
+
+	// RealIPFromContext.
+	ctx = context.WithValue(context.Background(), realIPKey, "1.2.3.4")
+	if RealIPFromContext(ctx) != "1.2.3.4" {
+		t.Error("RealIPFromContext failed")
+	}
+	if RealIPFromContext(context.Background()) != "" {
+		t.Error("RealIPFromContext should return empty for missing key")
+	}
+}
+
+func TestMustResetPasswordGuardRedirects(t *testing.T) {
+	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+	handler := MustResetPasswordGuard("")(inner)
+
+	// User with must_reset_password on a regular path → redirect.
+	user := &model.User{ID: 1, Username: "resetme", MustResetPassword: true}
+	ctx := context.WithValue(context.Background(), userKey, user)
+
+	req := httptest.NewRequest("GET", "/faves", nil).WithContext(ctx)
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusSeeOther {
+		t.Errorf("must-reset on /faves: got %d, want 303", rr.Code)
+	}
+	if loc := rr.Header().Get("Location"); loc != "/reset-password" {
+		t.Errorf("redirect location = %q, want /reset-password", loc)
+	}
+}
+
+func TestMustResetPasswordGuardAllowsPaths(t *testing.T) {
+	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	})
+	handler := MustResetPasswordGuard("")(inner)
+
+	user := &model.User{ID: 1, Username: "resetme", MustResetPassword: true}
+	ctx := context.WithValue(context.Background(), userKey, user)
+
+	// These paths should pass through even with must_reset.
+	allowedPaths := []string{"/reset-password", "/logout", "/health", "/static/css/style.css"}
+	for _, path := range allowedPaths {
+		req := httptest.NewRequest("GET", path, nil).WithContext(ctx)
+		rr := httptest.NewRecorder()
+		handler.ServeHTTP(rr, req)
+
+		if rr.Code != http.StatusOK {
+			t.Errorf("must-reset on %s: got %d, want 200", path, rr.Code)
+		}
+	}
+}
diff --git a/internal/middleware/csrf_test.go b/internal/middleware/csrf_test.go
new file mode 100644
index 0000000..9eee68e
--- /dev/null
+++ b/internal/middleware/csrf_test.go
@@ -0,0 +1,185 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package middleware
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"kode.naiv.no/olemd/favoritter/internal/config"
+)
+
+func testCSRFHandler(cfg *config.Config) http.Handler {
+	inner := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// Echo the CSRF token from context so tests can verify it.
+		token := CSRFTokenFromContext(r.Context())
+		w.Write([]byte(token))
+	})
+	return CSRFProtection(cfg)(inner)
+}
+
+func TestCSRFTokenSetInCookie(t *testing.T) {
+	handler := testCSRFHandler(&config.Config{})
+
+	req := httptest.NewRequest("GET", "/", nil)
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("GET: got %d, want 200", rr.Code)
+	}
+
+	// Should set a csrf_token cookie.
+	var found bool
+	for _, c := range rr.Result().Cookies() {
+		if c.Name == "csrf_token" {
+			found = true
+			if c.Value == "" {
+				t.Error("csrf_token cookie is empty")
+			}
+			if c.HttpOnly {
+				t.Error("csrf_token cookie should not be HttpOnly (JS needs to read it)")
+			}
+		}
+	}
+	if !found {
+		t.Error("csrf_token cookie not set on first request")
+	}
+
+	// The context token should match the cookie.
+	body := rr.Body.String()
+	if body == "" {
+		t.Error("CSRF token not set in context")
+	}
+}
+
+func TestCSRFValidTokenAccepted(t *testing.T) {
+	handler := testCSRFHandler(&config.Config{})
+
+	// First GET to obtain a token.
+	getReq := httptest.NewRequest("GET", "/", nil)
+	getRR := httptest.NewRecorder()
+	handler.ServeHTTP(getRR, getReq)
+
+	var token string
+	for _, c := range getRR.Result().Cookies() {
+		if c.Name == "csrf_token" {
+			token = c.Value
+		}
+	}
+	if token == "" {
+		t.Fatal("no csrf_token cookie from GET")
+	}
+
+	// POST with matching cookie + form field.
+	form := "csrf_token=" + token
+	req := httptest.NewRequest("POST", "/submit", strings.NewReader(form))
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: token})
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("valid CSRF POST: got %d, want 200", rr.Code)
+	}
+}
+
+func TestCSRFMismatchRejected(t *testing.T) {
+	handler := testCSRFHandler(&config.Config{})
+
+	form := "csrf_token=wrong-token"
+	req := httptest.NewRequest("POST", "/submit", strings.NewReader(form))
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: "real-token"})
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusForbidden {
+		t.Errorf("mismatched CSRF: got %d, want 403", rr.Code)
+	}
+}
+
+func TestCSRFMissingTokenRejected(t *testing.T) {
+	handler := testCSRFHandler(&config.Config{})
+
+	// POST with cookie but no form field or header.
+	req := httptest.NewRequest("POST", "/submit", nil)
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: "some-token"})
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusForbidden {
+		t.Errorf("missing CSRF form field: got %d, want 403", rr.Code)
+	}
+}
+
+func TestCSRFHeaderFallback(t *testing.T) {
+	handler := testCSRFHandler(&config.Config{})
+
+	token := "valid-header-token"
+	req := httptest.NewRequest("POST", "/submit", nil)
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: token})
+	req.Header.Set("X-CSRF-Token", token)
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("CSRF via header: got %d, want 200", rr.Code)
+	}
+}
+
+func TestCSRFSkippedForAPI(t *testing.T) {
+	handler := testCSRFHandler(&config.Config{})
+
+	// POST to /api/ path — should skip CSRF validation.
+	req := httptest.NewRequest("POST", "/api/v1/faves", strings.NewReader(`{}`))
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: "some-token"})
+	// Intentionally no CSRF form field or header.
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("API route CSRF skip: got %d, want 200", rr.Code)
+	}
+}
+
+func TestCSRFSafeMethodsPassThrough(t *testing.T) {
+	handler := testCSRFHandler(&config.Config{})
+
+	for _, method := range []string{"GET", "HEAD", "OPTIONS"} {
+		req := httptest.NewRequest(method, "/page", nil)
+		// No CSRF cookie or token at all.
+		rr := httptest.NewRecorder()
+		handler.ServeHTTP(rr, req)
+
+		if rr.Code != http.StatusOK {
+			t.Errorf("%s without CSRF: got %d, want 200", method, rr.Code)
+		}
+	}
+}
+
+func TestCSRFExistingCookieReused(t *testing.T) {
+	handler := testCSRFHandler(&config.Config{})
+
+	// Send a request with an existing csrf_token cookie.
+	existingToken := "pre-existing-token-value"
+	req := httptest.NewRequest("GET", "/", nil)
+	req.AddCookie(&http.Cookie{Name: "csrf_token", Value: existingToken})
+	rr := httptest.NewRecorder()
+	handler.ServeHTTP(rr, req)
+
+	// The context token should be the existing one.
+	body := rr.Body.String()
+	if body != existingToken {
+		t.Errorf("context token = %q, want existing %q", body, existingToken)
+	}
+
+	// Should NOT set a new cookie (existing one is reused).
+	for _, c := range rr.Result().Cookies() {
+		if c.Name == "csrf_token" {
+			t.Error("should not set new csrf_token cookie when one already exists")
+		}
+	}
+}
diff --git a/internal/render/render_test.go b/internal/render/render_test.go
new file mode 100644
index 0000000..5e975f1
--- /dev/null
+++ b/internal/render/render_test.go
@@ -0,0 +1,161 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package render
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"kode.naiv.no/olemd/favoritter/internal/config"
+)
+
+func testRenderer(t *testing.T) *Renderer {
+	t.Helper()
+	cfg := &config.Config{
+		SiteName: "Test Site",
+		BasePath: "/test",
+	}
+	r, err := New(cfg)
+	if err != nil {
+		t.Fatalf("create renderer: %v", err)
+	}
+	return r
+}
+
+func TestRenderPage(t *testing.T) {
+	r := testRenderer(t)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	rr := httptest.NewRecorder()
+
+	r.Page(rr, req, "login", PageData{
+		Title: "Logg inn",
+	})
+
+	if rr.Code != http.StatusOK {
+		t.Errorf("render page: got %d, want 200", rr.Code)
+	}
+
+	body := rr.Body.String()
+	if !strings.Contains(body, "Logg inn") {
+		t.Error("page should contain title")
+	}
+	ct := rr.Header().Get("Content-Type")
+	if !strings.Contains(ct, "text/html") {
+		t.Errorf("content-type = %q, want text/html", ct)
+	}
+}
+
+func TestRenderPageWithData(t *testing.T) {
+	r := testRenderer(t)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	rr := httptest.NewRecorder()
+
+	r.Page(rr, req, "login", PageData{
+		Title:    "Test Page",
+		SiteName: "My Site",
+		BasePath: "/base",
+	})
+
+	body := rr.Body.String()
+	if !strings.Contains(body, "Test Page") {
+		t.Error("should contain title in output")
+	}
+}
+
+func TestRenderMissingTemplate(t *testing.T) {
+	r := testRenderer(t)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	rr := httptest.NewRecorder()
+
+	r.Page(rr, req, "nonexistent_template_xyz", PageData{})
+
+	if rr.Code != http.StatusInternalServerError {
+		t.Errorf("missing template: got %d, want 500", rr.Code)
+	}
+}
+
+func TestRenderErrorPage(t *testing.T) {
+	r := testRenderer(t)
+
+	req := httptest.NewRequest("GET", "/", nil)
+	rr := httptest.NewRecorder()
+
+	r.Error(rr, req, http.StatusNotFound, "Ikke funnet")
+
+	if rr.Code != http.StatusNotFound {
+		t.Errorf("error page: got %d, want 404", rr.Code)
+	}
+	body := rr.Body.String()
+	if !strings.Contains(body, "Ikke funnet") {
+		t.Error("error page should contain message")
+	}
+}
+
+func TestRenderPopulatesCommonData(t *testing.T) {
+	cfg := &config.Config{
+		SiteName:    "Favoritter",
+		BasePath:    "/app",
+		ExternalURL: "https://example.com",
+	}
+	r, err := New(cfg)
+	if err != nil {
+		t.Fatalf("create renderer: %v", err)
+	}
+
+	req := httptest.NewRequest("GET", "/", nil)
+	// Add a CSRF token to the context.
+	type contextKey string
+	ctx := context.WithValue(req.Context(), contextKey("csrf_token"), "test-token")
+	req = req.WithContext(ctx)
+
+	rr := httptest.NewRecorder()
+	r.Page(rr, req, "login", PageData{Title: "Test"})
+
+	// BasePath and SiteName should be populated from config.
+	body := rr.Body.String()
+	if !strings.Contains(body, "/app") {
+		t.Error("should contain basePath from config")
+	}
+}
+
+func TestTemplateFuncs(t *testing.T) {
+	cfg := &config.Config{BasePath: "/test", ExternalURL: "https://example.com"}
+	r, _ := New(cfg)
+
+	funcs := r.templateFuncs()
+
+	// Test truncate function.
+	truncate := funcs["truncate"].(func(int, string) string)
+	if got := truncate(5, "Hello, world!"); got != "Hello..." {
+		t.Errorf("truncate(5, long) = %q, want Hello...", got)
+	}
+	if got := truncate(20, "Short"); got != "Short" {
+		t.Errorf("truncate(20, short) = %q, want Short", got)
+	}
+	// Test with Norwegian characters (Ærlig = 5 runes: Æ r l i g).
+	if got := truncate(3, "Ærlig"); got != "Ærl..." {
+		t.Errorf("truncate(3, Ærlig) = %q, want Ærl...", got)
+	}
+
+	// Test add/subtract.
+	add := funcs["add"].(func(int, int) int)
+	if add(2, 3) != 5 {
+		t.Error("add(2,3) should be 5")
+	}
+	sub := funcs["subtract"].(func(int, int) int)
+	if sub(5, 3) != 2 {
+		t.Error("subtract(5,3) should be 2")
+	}
+
+	// Test basePath function.
+	bp := funcs["basePath"].(func() string)
+	if bp() != "/test" {
+		t.Errorf("basePath() = %q", bp())
+	}
+}
diff --git a/internal/store/settings_test.go b/internal/store/settings_test.go
new file mode 100644
index 0000000..597341e
--- /dev/null
+++ b/internal/store/settings_test.go
@@ -0,0 +1,75 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package store
+
+import (
+	"testing"
+)
+
+func TestSettingsGetDefault(t *testing.T) {
+	db := testDB(t)
+	settings := NewSettingsStore(db)
+
+	s, err := settings.Get()
+	if err != nil {
+		t.Fatalf("get default settings: %v", err)
+	}
+
+	// Migration should insert a default row.
+	if s.SiteName == "" {
+		t.Error("expected non-empty default site name")
+	}
+	if s.SignupMode == "" {
+		t.Error("expected non-empty default signup mode")
+	}
+}
+
+func TestSettingsUpdate(t *testing.T) {
+	db := testDB(t)
+	settings := NewSettingsStore(db)
+
+	err := settings.Update("Nye Favoritter", "En kul side", "requests")
+	if err != nil {
+		t.Fatalf("update settings: %v", err)
+	}
+
+	s, err := settings.Get()
+	if err != nil {
+		t.Fatalf("get after update: %v", err)
+	}
+
+	if s.SiteName != "Nye Favoritter" {
+		t.Errorf("site_name = %q, want %q", s.SiteName, "Nye Favoritter")
+	}
+	if s.SiteDescription != "En kul side" {
+		t.Errorf("site_description = %q, want %q", s.SiteDescription, "En kul side")
+	}
+	if s.SignupMode != "requests" {
+		t.Errorf("signup_mode = %q, want %q", s.SignupMode, "requests")
+	}
+	if s.UpdatedAt.IsZero() {
+		t.Error("expected non-zero updated_at after update")
+	}
+}
+
+func TestSettingsUpdatePreservesOtherFields(t *testing.T) {
+	db := testDB(t)
+	settings := NewSettingsStore(db)
+
+	// Set initial values.
+	settings.Update("Site A", "Desc A", "open")
+
+	// Update with different values.
+	settings.Update("Site B", "Desc B", "closed")
+
+	s, _ := settings.Get()
+	if s.SiteName != "Site B" {
+		t.Errorf("site_name = %q, want %q", s.SiteName, "Site B")
+	}
+	if s.SiteDescription != "Desc B" {
+		t.Errorf("site_description = %q, want %q", s.SiteDescription, "Desc B")
+	}
+	if s.SignupMode != "closed" {
+		t.Errorf("signup_mode = %q, want %q", s.SignupMode, "closed")
+	}
+}

From 485d01ce4528299fdc23979f897de8064a36ef76 Mon Sep 17 00:00:00 2001
From: Ole-Morten Duesund <olemd@glemt.net>
Date: Sat, 4 Apr 2026 00:40:08 +0200
Subject: [PATCH 07/14] feat: add notes field to favorites and enhance OG meta
 tags
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add an optional long-form "notes" text field to each favorite for
reviews, thoughts, or extended descriptions. The field is stored in
SQLite via a new migration (002_add_fave_notes.sql) and propagated
through the entire stack:

- Model: Notes field on Fave struct
- Store: All SQL queries (Create, GetByID, Update, list methods,
  scanFaves) updated with notes column
- Web handlers: Read/write notes in create, edit, update forms
- API handlers: Notes in create, update, get, import request/response
- Export: Notes included in both JSON and CSV exports
- Import: Notes parsed from both JSON and CSV imports
- Feed: Notes used as Atom feed item summary when present
- Form template: New textarea between URL and image fields
- Detail template: Display notes, enhanced og:description with
  cascade: notes (truncated) → URL → generic fallback text

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../migrations/002_add_fave_notes.sql         |  2 +
 internal/handler/api/api.go                   | 10 +++-
 internal/handler/api/api_test.go              | 32 +++++------
 internal/handler/fave.go                      | 11 ++--
 internal/handler/feed.go                      |  4 ++
 internal/handler/handler_test.go              |  8 +--
 internal/handler/import_export.go             | 10 +++-
 internal/handler/web_test.go                  | 34 ++++++------
 internal/model/fave.go                        |  1 +
 internal/store/fave.go                        | 28 +++++-----
 internal/store/fave_test.go                   | 55 +++++++++++++++++--
 internal/store/tag_test.go                    |  8 +--
 web/templates/pages/fave_detail.html          | 12 +++-
 web/templates/pages/fave_form.html            |  7 +++
 14 files changed, 151 insertions(+), 71 deletions(-)
 create mode 100644 internal/database/migrations/002_add_fave_notes.sql

diff --git a/internal/database/migrations/002_add_fave_notes.sql b/internal/database/migrations/002_add_fave_notes.sql
new file mode 100644
index 0000000..b4cf1cc
--- /dev/null
+++ b/internal/database/migrations/002_add_fave_notes.sql
@@ -0,0 +1,2 @@
+-- Legger til et valgfritt notatfelt på favoritter.
+ALTER TABLE faves ADD COLUMN notes TEXT NOT NULL DEFAULT '';
diff --git a/internal/handler/api/api.go b/internal/handler/api/api.go
index 2c3e685..7996a16 100644
--- a/internal/handler/api/api.go
+++ b/internal/handler/api/api.go
@@ -135,6 +135,7 @@ func (h *Handler) handleCreateFave(w http.ResponseWriter, r *http.Request) {
 	var req struct {
 		Description string   `json:"description"`
 		URL         string   `json:"url"`
+		Notes       string   `json:"notes"`
 		Privacy     string   `json:"privacy"`
 		Tags        []string `json:"tags"`
 	}
@@ -151,7 +152,7 @@ func (h *Handler) handleCreateFave(w http.ResponseWriter, r *http.Request) {
 		req.Privacy = user.DefaultFavePrivacy
 	}
 
-	fave, err := h.deps.Faves.Create(user.ID, req.Description, req.URL, "", req.Privacy)
+	fave, err := h.deps.Faves.Create(user.ID, req.Description, req.URL, "", req.Notes, req.Privacy)
 	if err != nil {
 		slog.Error("api: create fave error", "error", err)
 		jsonError(w, "Internal error", http.StatusInternalServerError)
@@ -222,6 +223,7 @@ func (h *Handler) handleUpdateFave(w http.ResponseWriter, r *http.Request) {
 	var req struct {
 		Description string   `json:"description"`
 		URL         string   `json:"url"`
+		Notes       string   `json:"notes"`
 		Privacy     string   `json:"privacy"`
 		Tags        []string `json:"tags"`
 	}
@@ -237,7 +239,7 @@ func (h *Handler) handleUpdateFave(w http.ResponseWriter, r *http.Request) {
 		req.Privacy = fave.Privacy
 	}
 
-	if err := h.deps.Faves.Update(id, req.Description, req.URL, fave.ImagePath, req.Privacy); err != nil {
+	if err := h.deps.Faves.Update(id, req.Description, req.URL, fave.ImagePath, req.Notes, req.Privacy); err != nil {
 		slog.Error("api: update fave error", "error", err)
 		jsonError(w, "Internal error", http.StatusInternalServerError)
 		return
@@ -378,6 +380,7 @@ func (h *Handler) handleImport(w http.ResponseWriter, r *http.Request) {
 	var faves []struct {
 		Description string   `json:"description"`
 		URL         string   `json:"url"`
+		Notes       string   `json:"notes"`
 		Privacy     string   `json:"privacy"`
 		Tags        []string `json:"tags"`
 	}
@@ -395,7 +398,7 @@ func (h *Handler) handleImport(w http.ResponseWriter, r *http.Request) {
 		if privacy != "public" && privacy != "private" {
 			privacy = user.DefaultFavePrivacy
 		}
-		fave, err := h.deps.Faves.Create(user.ID, f.Description, f.URL, "", privacy)
+		fave, err := h.deps.Faves.Create(user.ID, f.Description, f.URL, "", f.Notes, privacy)
 		if err != nil {
 			continue
 		}
@@ -446,6 +449,7 @@ func faveJSON(f *model.Fave) map[string]any {
 		"id":          f.ID,
 		"description": f.Description,
 		"url":         f.URL,
+		"notes":       f.Notes,
 		"image_path":  f.ImagePath,
 		"privacy":     f.Privacy,
 		"tags":        tags,
diff --git a/internal/handler/api/api_test.go b/internal/handler/api/api_test.go
index 8158d15..4eb9270 100644
--- a/internal/handler/api/api_test.go
+++ b/internal/handler/api/api_test.go
@@ -222,7 +222,7 @@ func TestAPIGetFave(t *testing.T) {
 
 	// Create a public fave directly.
 	user, _ := users.GetByUsername("testuser")
-	fave, _ := h.deps.Faves.Create(user.ID, "Test fave", "https://example.com", "", "public")
+	fave, _ := h.deps.Faves.Create(user.ID, "Test fave", "https://example.com", "", "", "public")
 	h.deps.Tags.SetFaveTags(fave.ID, []string{"test"})
 
 	req := httptest.NewRequest("GET", "/api/v1/faves/"+faveIDStr(fave.ID), nil)
@@ -257,7 +257,7 @@ func TestAPIPrivateFaveHiddenFromOthers(t *testing.T) {
 
 	// User A creates a private fave.
 	userA, _ := users.Create("usera", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(userA.ID, "Secret", "", "", "private")
+	fave, _ := h.deps.Faves.Create(userA.ID, "Secret", "", "", "", "private")
 
 	// User B tries to access it.
 	cookieB := apiLogin(t, users, sessions, "userb", "pass123", "user")
@@ -276,7 +276,7 @@ func TestAPIPrivateFaveVisibleToOwner(t *testing.T) {
 	h, mux, users, sessions := testAPIServer(t)
 
 	userA, _ := users.Create("usera", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(userA.ID, "My secret", "", "", "private")
+	fave, _ := h.deps.Faves.Create(userA.ID, "My secret", "", "", "", "private")
 
 	tokenA, _ := sessions.Create(userA.ID)
 	cookieA := &http.Cookie{Name: "session", Value: tokenA}
@@ -295,7 +295,7 @@ func TestAPIUpdateFave(t *testing.T) {
 	h, mux, users, sessions := testAPIServer(t)
 
 	user, _ := users.Create("testuser", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(user.ID, "Original", "https://old.com", "", "public")
+	fave, _ := h.deps.Faves.Create(user.ID, "Original", "https://old.com", "", "", "public")
 	token, _ := sessions.Create(user.ID)
 	cookie := &http.Cookie{Name: "session", Value: token}
 
@@ -322,7 +322,7 @@ func TestAPIUpdateFaveNotOwner(t *testing.T) {
 	h, mux, users, sessions := testAPIServer(t)
 
 	userA, _ := users.Create("usera", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "public")
+	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "", "public")
 
 	cookieB := apiLogin(t, users, sessions, "userb", "pass123", "user")
 
@@ -341,7 +341,7 @@ func TestAPIDeleteFave(t *testing.T) {
 	h, mux, users, sessions := testAPIServer(t)
 
 	user, _ := users.Create("testuser", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(user.ID, "Delete me", "", "", "public")
+	fave, _ := h.deps.Faves.Create(user.ID, "Delete me", "", "", "", "public")
 	token, _ := sessions.Create(user.ID)
 	cookie := &http.Cookie{Name: "session", Value: token}
 
@@ -368,7 +368,7 @@ func TestAPIDeleteFaveNotOwner(t *testing.T) {
 	h, mux, users, sessions := testAPIServer(t)
 
 	userA, _ := users.Create("usera", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "public")
+	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "", "public")
 
 	cookieB := apiLogin(t, users, sessions, "userb", "pass123", "user")
 
@@ -386,9 +386,9 @@ func TestAPIListFaves(t *testing.T) {
 	h, mux, users, sessions := testAPIServer(t)
 
 	user, _ := users.Create("testuser", "pass123", "user")
-	h.deps.Faves.Create(user.ID, "Fave 1", "", "", "public")
-	h.deps.Faves.Create(user.ID, "Fave 2", "", "", "public")
-	h.deps.Faves.Create(user.ID, "Fave 3", "", "", "private")
+	h.deps.Faves.Create(user.ID, "Fave 1", "", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Fave 2", "", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Fave 3", "", "", "", "private")
 	token, _ := sessions.Create(user.ID)
 	cookie := &http.Cookie{Name: "session", Value: token}
 
@@ -413,7 +413,7 @@ func TestAPIListFavesPagination(t *testing.T) {
 
 	user, _ := users.Create("testuser", "pass123", "user")
 	for i := 0; i < 5; i++ {
-		h.deps.Faves.Create(user.ID, "Fave", "", "", "public")
+		h.deps.Faves.Create(user.ID, "Fave", "", "", "", "public")
 	}
 	token, _ := sessions.Create(user.ID)
 	cookie := &http.Cookie{Name: "session", Value: token}
@@ -443,7 +443,7 @@ func TestAPISearchTags(t *testing.T) {
 	h, mux, users, _ := testAPIServer(t)
 
 	user, _ := users.Create("testuser", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(user.ID, "Test", "", "", "public")
+	fave, _ := h.deps.Faves.Create(user.ID, "Test", "", "", "", "public")
 	h.deps.Tags.SetFaveTags(fave.ID, []string{"golang", "goroutines", "python"})
 
 	req := httptest.NewRequest("GET", "/api/v1/tags?q=go", nil)
@@ -531,8 +531,8 @@ func TestAPIGetDisabledUser(t *testing.T) {
 func TestAPIGetUserFaves(t *testing.T) {
 	h, mux, users, _ := testAPIServer(t)
 	user, _ := users.Create("testuser", "pass123", "user")
-	h.deps.Faves.Create(user.ID, "Public fave", "", "", "public")
-	h.deps.Faves.Create(user.ID, "Private fave", "", "", "private")
+	h.deps.Faves.Create(user.ID, "Public fave", "", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Private fave", "", "", "", "private")
 
 	req := httptest.NewRequest("GET", "/api/v1/users/testuser/faves", nil)
 	rr := httptest.NewRecorder()
@@ -555,8 +555,8 @@ func TestAPIExport(t *testing.T) {
 	h, mux, users, sessions := testAPIServer(t)
 
 	user, _ := users.Create("testuser", "pass123", "user")
-	h.deps.Faves.Create(user.ID, "Fave 1", "", "", "public")
-	h.deps.Faves.Create(user.ID, "Fave 2", "", "", "private")
+	h.deps.Faves.Create(user.ID, "Fave 1", "", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Fave 2", "", "", "", "private")
 	token, _ := sessions.Create(user.ID)
 	cookie := &http.Cookie{Name: "session", Value: token}
 
diff --git a/internal/handler/fave.go b/internal/handler/fave.go
index 220093c..9a5dd82 100644
--- a/internal/handler/fave.go
+++ b/internal/handler/fave.go
@@ -72,12 +72,13 @@ func (h *Handler) handleFaveCreate(w http.ResponseWriter, r *http.Request) {
 
 	description := strings.TrimSpace(r.FormValue("description"))
 	url := strings.TrimSpace(r.FormValue("url"))
+	notes := strings.TrimSpace(r.FormValue("notes"))
 	privacy := r.FormValue("privacy")
 	tagStr := r.FormValue("tags")
 
 	if description == "" {
 		h.flash(w, r, "fave_form", "Beskrivelse er påkrevd.", "error", map[string]any{
-			"IsNew": true, "Description": description, "URL": url, "Tags": tagStr, "Privacy": privacy,
+			"IsNew": true, "Description": description, "URL": url, "Notes": notes, "Tags": tagStr, "Privacy": privacy,
 		})
 		return
 	}
@@ -95,7 +96,7 @@ func (h *Handler) handleFaveCreate(w http.ResponseWriter, r *http.Request) {
 		if err != nil {
 			slog.Error("image process error", "error", err)
 			h.flash(w, r, "fave_form", "Kunne ikke behandle bildet. Sjekk at filen er et gyldig bilde (JPEG, PNG, GIF eller WebP).", "error", map[string]any{
-				"IsNew": true, "Description": description, "URL": url, "Tags": tagStr, "Privacy": privacy,
+				"IsNew": true, "Description": description, "URL": url, "Notes": notes, "Tags": tagStr, "Privacy": privacy,
 			})
 			return
 		}
@@ -103,7 +104,7 @@ func (h *Handler) handleFaveCreate(w http.ResponseWriter, r *http.Request) {
 	}
 
 	// Create the fave.
-	fave, err := h.deps.Faves.Create(user.ID, description, url, imagePath, privacy)
+	fave, err := h.deps.Faves.Create(user.ID, description, url, imagePath, notes, privacy)
 	if err != nil {
 		slog.Error("create fave error", "error", err)
 		h.flash(w, r, "fave_form", "Noe gikk galt. Prøv igjen.", "error", map[string]any{"IsNew": true})
@@ -205,6 +206,7 @@ func (h *Handler) handleFaveEdit(w http.ResponseWriter, r *http.Request) {
 			"Fave":        fave,
 			"Description": fave.Description,
 			"URL":         fave.URL,
+			"Notes":       fave.Notes,
 			"Privacy":     fave.Privacy,
 			"Tags":        strings.Join(tagNames, ", "),
 		},
@@ -244,6 +246,7 @@ func (h *Handler) handleFaveUpdate(w http.ResponseWriter, r *http.Request) {
 
 	description := strings.TrimSpace(r.FormValue("description"))
 	url := strings.TrimSpace(r.FormValue("url"))
+	notes := strings.TrimSpace(r.FormValue("notes"))
 	privacy := r.FormValue("privacy")
 	tagStr := r.FormValue("tags")
 
@@ -283,7 +286,7 @@ func (h *Handler) handleFaveUpdate(w http.ResponseWriter, r *http.Request) {
 		imagePath = ""
 	}
 
-	if err := h.deps.Faves.Update(id, description, url, imagePath, privacy); err != nil {
+	if err := h.deps.Faves.Update(id, description, url, imagePath, notes, privacy); err != nil {
 		slog.Error("update fave error", "error", err)
 		h.flash(w, r, "fave_form", "Noe gikk galt. Prøv igjen.", "error", map[string]any{"IsNew": false, "Fave": fave})
 		return
diff --git a/internal/handler/feed.go b/internal/handler/feed.go
index d5d945c..d1eaba0 100644
--- a/internal/handler/feed.go
+++ b/internal/handler/feed.go
@@ -129,6 +129,10 @@ func favesToFeedItems(faves []*model.Fave, baseURL string) []*feeds.Item {
 			Updated: f.UpdatedAt,
 		}
 
+		if f.Notes != "" {
+			item.Description = f.Notes
+		}
+
 		if f.URL != "" {
 			escaped := html.EscapeString(f.URL)
 			item.Content = `<p><a href="` + escaped + `">` + escaped + `</a></p>`
diff --git a/internal/handler/handler_test.go b/internal/handler/handler_test.go
index e12d232..e21672d 100644
--- a/internal/handler/handler_test.go
+++ b/internal/handler/handler_test.go
@@ -220,7 +220,7 @@ func TestPrivateFaveHiddenFromOthers(t *testing.T) {
 
 	// User A creates a private fave.
 	userA, _ := h.deps.Users.Create("usera", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(userA.ID, "Secret fave", "", "", "private")
+	fave, _ := h.deps.Faves.Create(userA.ID, "Secret fave", "", "", "", "private")
 
 	// User B tries to view it.
 	cookieB := loginUser(t, h, "userb", "pass123", "user")
@@ -239,7 +239,7 @@ func TestPrivateFaveVisibleToOwner(t *testing.T) {
 	h, mux := testServer(t)
 
 	userA, _ := h.deps.Users.Create("usera", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(userA.ID, "My secret", "", "", "private")
+	fave, _ := h.deps.Faves.Create(userA.ID, "My secret", "", "", "", "private")
 
 	tokenA, _ := h.deps.Sessions.Create(userA.ID)
 	cookieA := &http.Cookie{Name: "session", Value: tokenA}
@@ -290,7 +290,7 @@ func TestTagSearchEndpoint(t *testing.T) {
 
 	// Create some tags via faves.
 	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(user.ID, "Test", "", "", "public")
+	fave, _ := h.deps.Faves.Create(user.ID, "Test", "", "", "", "public")
 	h.deps.Tags.SetFaveTags(fave.ID, []string{"music", "movies", "manga"})
 
 	req := httptest.NewRequest("GET", "/tags/search?q=mu", nil)
@@ -310,7 +310,7 @@ func TestFeedGlobal(t *testing.T) {
 	h, mux := testServer(t)
 
 	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
-	h.deps.Faves.Create(user.ID, "Public fave", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Public fave", "", "", "", "public")
 
 	req := httptest.NewRequest("GET", "/feed.xml", nil)
 	rr := httptest.NewRecorder()
diff --git a/internal/handler/import_export.go b/internal/handler/import_export.go
index 9978570..5dcd2d9 100644
--- a/internal/handler/import_export.go
+++ b/internal/handler/import_export.go
@@ -21,6 +21,7 @@ const maxExportFaves = 100000
 type ExportFave struct {
 	Description string   `json:"description"`
 	URL         string   `json:"url,omitempty"`
+	Notes       string   `json:"notes,omitempty"`
 	Privacy     string   `json:"privacy"`
 	Tags        []string `json:"tags,omitempty"`
 	CreatedAt   string   `json:"created_at"`
@@ -57,6 +58,7 @@ func (h *Handler) handleExportJSON(w http.ResponseWriter, r *http.Request) {
 		export[i] = ExportFave{
 			Description: f.Description,
 			URL:         f.URL,
+			Notes:       f.Notes,
 			Privacy:     f.Privacy,
 			Tags:        tags,
 			CreatedAt:   f.CreatedAt.Format("2006-01-02T15:04:05Z"),
@@ -89,7 +91,7 @@ func (h *Handler) handleExportCSV(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Disposition", "attachment; filename=favoritter.csv")
 
 	cw := csv.NewWriter(w)
-	cw.Write([]string{"description", "url", "privacy", "tags", "created_at"})
+	cw.Write([]string{"description", "url", "notes", "privacy", "tags", "created_at"})
 
 	for _, f := range faves {
 		tags := make([]string, len(f.Tags))
@@ -99,6 +101,7 @@ func (h *Handler) handleExportCSV(w http.ResponseWriter, r *http.Request) {
 		cw.Write([]string{
 			f.Description,
 			f.URL,
+			f.Notes,
 			f.Privacy,
 			strings.Join(tags, ","),
 			f.CreatedAt.Format("2006-01-02T15:04:05Z"),
@@ -159,7 +162,7 @@ func (h *Handler) handleImportPost(w http.ResponseWriter, r *http.Request) {
 			privacy = user.DefaultFavePrivacy
 		}
 
-		fave, err := h.deps.Faves.Create(user.ID, ef.Description, ef.URL, "", privacy)
+		fave, err := h.deps.Faves.Create(user.ID, ef.Description, ef.URL, "", ef.Notes, privacy)
 		if err != nil {
 			slog.Error("import: create fave error", "error", err)
 			continue
@@ -213,6 +216,9 @@ func parseImportCSV(r io.Reader) ([]ExportFave, error) {
 		if idx, ok := colMap["url"]; ok && idx < len(row) {
 			f.URL = row[idx]
 		}
+		if idx, ok := colMap["notes"]; ok && idx < len(row) {
+			f.Notes = row[idx]
+		}
 		if idx, ok := colMap["privacy"]; ok && idx < len(row) {
 			f.Privacy = row[idx]
 		}
diff --git a/internal/handler/web_test.go b/internal/handler/web_test.go
index 5d5268a..6cda977 100644
--- a/internal/handler/web_test.go
+++ b/internal/handler/web_test.go
@@ -364,7 +364,7 @@ func TestEditFaveNotOwner(t *testing.T) {
 	h, mux := testServer(t)
 
 	userA, _ := h.deps.Users.Create("usera", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "public")
+	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "", "public")
 
 	cookieB := loginUser(t, h, "userb", "pass123", "user")
 
@@ -382,7 +382,7 @@ func TestDeleteFaveHTMX(t *testing.T) {
 	h, mux := testServer(t)
 
 	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(user.ID, "Delete me", "", "", "public")
+	fave, _ := h.deps.Faves.Create(user.ID, "Delete me", "", "", "", "public")
 	token, _ := h.deps.Sessions.Create(user.ID)
 	cookie := &http.Cookie{Name: "session", Value: token}
 
@@ -409,7 +409,7 @@ func TestDeleteFaveNotOwner(t *testing.T) {
 	h, mux := testServer(t)
 
 	userA, _ := h.deps.Users.Create("usera", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "public")
+	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "", "public")
 
 	cookieB := loginUser(t, h, "userb", "pass123", "user")
 
@@ -623,7 +623,7 @@ func TestAdminTags(t *testing.T) {
 
 	// Create a tag via a fave.
 	admin, _ := h.deps.Users.GetByUsername("admin")
-	fave, _ := h.deps.Faves.Create(admin.ID, "Test", "", "", "public")
+	fave, _ := h.deps.Faves.Create(admin.ID, "Test", "", "", "", "public")
 	h.deps.Tags.SetFaveTags(fave.ID, []string{"testmerke"})
 
 	req := httptest.NewRequest("GET", "/admin/tags", nil)
@@ -646,7 +646,7 @@ func TestUserFeed(t *testing.T) {
 
 	user, _ := h.deps.Users.Create("feeduser", "pass123", "user")
 	h.deps.Users.UpdateProfile(user.ID, "Feed User", "", "public", "public")
-	h.deps.Faves.Create(user.ID, "User fave", "", "", "public")
+	h.deps.Faves.Create(user.ID, "User fave", "", "", "", "public")
 
 	req := httptest.NewRequest("GET", "/u/feeduser/feed.xml", nil)
 	rr := httptest.NewRecorder()
@@ -668,8 +668,8 @@ func TestFeedExcludesPrivate(t *testing.T) {
 	h, mux := testServer(t)
 
 	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
-	h.deps.Faves.Create(user.ID, "Public fave", "", "", "public")
-	h.deps.Faves.Create(user.ID, "Secret fave", "", "", "private")
+	h.deps.Faves.Create(user.ID, "Public fave", "", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Secret fave", "", "", "", "private")
 
 	req := httptest.NewRequest("GET", "/feed.xml", nil)
 	rr := httptest.NewRecorder()
@@ -688,7 +688,7 @@ func TestTagFeed(t *testing.T) {
 	h, mux := testServer(t)
 
 	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(user.ID, "Tagged fave", "", "", "public")
+	fave, _ := h.deps.Faves.Create(user.ID, "Tagged fave", "", "", "", "public")
 	h.deps.Tags.SetFaveTags(fave.ID, []string{"golang"})
 
 	req := httptest.NewRequest("GET", "/tags/golang/feed.xml", nil)
@@ -725,7 +725,7 @@ func TestExportJSON(t *testing.T) {
 	cookie := loginUser(t, h, "testuser", "pass123", "user")
 
 	user, _ := h.deps.Users.GetByUsername("testuser")
-	fave, _ := h.deps.Faves.Create(user.ID, "Export me", "https://example.com", "", "public")
+	fave, _ := h.deps.Faves.Create(user.ID, "Export me", "https://example.com", "", "", "public")
 	h.deps.Tags.SetFaveTags(fave.ID, []string{"test"})
 
 	req := httptest.NewRequest("GET", "/export/json", nil)
@@ -759,7 +759,7 @@ func TestExportCSV(t *testing.T) {
 	cookie := loginUser(t, h, "testuser", "pass123", "user")
 
 	user, _ := h.deps.Users.GetByUsername("testuser")
-	h.deps.Faves.Create(user.ID, "CSV fave", "", "", "public")
+	h.deps.Faves.Create(user.ID, "CSV fave", "", "", "", "public")
 
 	req := httptest.NewRequest("GET", "/export/csv", nil)
 	req.AddCookie(cookie)
@@ -871,7 +871,7 @@ func TestProfileOwnerSeesPrivateFaves(t *testing.T) {
 	h, mux := testServer(t)
 
 	user, _ := h.deps.Users.Create("owner", "pass123", "user")
-	h.deps.Faves.Create(user.ID, "Private fave", "", "", "private")
+	h.deps.Faves.Create(user.ID, "Private fave", "", "", "", "private")
 	token, _ := h.deps.Sessions.Create(user.ID)
 	cookie := &http.Cookie{Name: "session", Value: token}
 
@@ -893,8 +893,8 @@ func TestProfileVisitorCannotSeePrivateFaves(t *testing.T) {
 
 	user, _ := h.deps.Users.Create("owner", "pass123", "user")
 	h.deps.Users.UpdateProfile(user.ID, "Owner", "", "public", "public")
-	h.deps.Faves.Create(user.ID, "Only public", "", "", "public")
-	h.deps.Faves.Create(user.ID, "Hidden secret", "", "", "private")
+	h.deps.Faves.Create(user.ID, "Only public", "", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Hidden secret", "", "", "", "private")
 
 	req := httptest.NewRequest("GET", "/u/owner", nil)
 	rr := httptest.NewRecorder()
@@ -915,7 +915,7 @@ func TestTagBrowse(t *testing.T) {
 	h, mux := testServer(t)
 
 	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(user.ID, "Tagged", "", "", "public")
+	fave, _ := h.deps.Faves.Create(user.ID, "Tagged", "", "", "", "public")
 	h.deps.Tags.SetFaveTags(fave.ID, []string{"golang"})
 
 	req := httptest.NewRequest("GET", "/tags/golang", nil)
@@ -949,7 +949,7 @@ func TestHomePageAuthenticated(t *testing.T) {
 	cookie := loginUser(t, h, "testuser", "pass123", "user")
 
 	user, _ := h.deps.Users.GetByUsername("testuser")
-	h.deps.Faves.Create(user.ID, "Home fave", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Home fave", "", "", "", "public")
 
 	req := httptest.NewRequest("GET", "/", nil)
 	req.AddCookie(cookie)
@@ -1074,7 +1074,7 @@ func TestTagSuggestionsNoInlineHandlers(t *testing.T) {
 	h, mux := testServer(t)
 
 	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
-	fave, _ := h.deps.Faves.Create(user.ID, "Test", "", "", "public")
+	fave, _ := h.deps.Faves.Create(user.ID, "Test", "", "", "", "public")
 	h.deps.Tags.SetFaveTags(fave.ID, []string{"golang", "goroutines"})
 
 	req := httptest.NewRequest("GET", "/tags/search?q=go", nil)
@@ -1117,7 +1117,7 @@ func TestDisplayNameFallbackToUsername(t *testing.T) {
 
 	// Create a user WITHOUT a display name and a public fave.
 	user, _ := h.deps.Users.GetByUsername("testuser")
-	h.deps.Faves.Create(user.ID, "Test fave", "", "", "public")
+	h.deps.Faves.Create(user.ID, "Test fave", "", "", "", "public")
 
 	// The home page shows "av <display_name>" — with no display name set,
 	// it should fall back to the username.
diff --git a/internal/model/fave.go b/internal/model/fave.go
index 6b81290..beda156 100644
--- a/internal/model/fave.go
+++ b/internal/model/fave.go
@@ -10,6 +10,7 @@ type Fave struct {
 	Description string
 	URL         string
 	ImagePath   string
+	Notes       string
 	Privacy     string
 	Tags        []Tag
 	CreatedAt   time.Time
diff --git a/internal/store/fave.go b/internal/store/fave.go
index 70d9613..5888490 100644
--- a/internal/store/fave.go
+++ b/internal/store/fave.go
@@ -23,11 +23,11 @@ func NewFaveStore(db *sql.DB) *FaveStore {
 }
 
 // Create inserts a new fave and returns it with its ID populated.
-func (s *FaveStore) Create(userID int64, description, url, imagePath, privacy string) (*model.Fave, error) {
+func (s *FaveStore) Create(userID int64, description, url, imagePath, notes, privacy string) (*model.Fave, error) {
 	result, err := s.db.Exec(
-		`INSERT INTO faves (user_id, description, url, image_path, privacy)
-		VALUES (?, ?, ?, ?, ?)`,
-		userID, description, url, imagePath, privacy,
+		`INSERT INTO faves (user_id, description, url, image_path, notes, privacy)
+		VALUES (?, ?, ?, ?, ?, ?)`,
+		userID, description, url, imagePath, notes, privacy,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("insert fave: %w", err)
@@ -42,13 +42,13 @@ func (s *FaveStore) GetByID(id int64) (*model.Fave, error) {
 	f := &model.Fave{}
 	var createdAt, updatedAt string
 	err := s.db.QueryRow(
-		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.privacy,
+		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.notes, f.privacy,
 			f.created_at, f.updated_at, u.username, COALESCE(NULLIF(u.display_name, ''), u.username)
 		FROM faves f
 		JOIN users u ON u.id = f.user_id
 		WHERE f.id = ?`, id,
 	).Scan(
-		&f.ID, &f.UserID, &f.Description, &f.URL, &f.ImagePath, &f.Privacy,
+		&f.ID, &f.UserID, &f.Description, &f.URL, &f.ImagePath, &f.Notes, &f.Privacy,
 		&createdAt, &updatedAt, &f.Username, &f.DisplayName,
 	)
 	if errors.Is(err, sql.ErrNoRows) {
@@ -63,12 +63,12 @@ func (s *FaveStore) GetByID(id int64) (*model.Fave, error) {
 }
 
 // Update modifies an existing fave's fields.
-func (s *FaveStore) Update(id int64, description, url, imagePath, privacy string) error {
+func (s *FaveStore) Update(id int64, description, url, imagePath, notes, privacy string) error {
 	_, err := s.db.Exec(
-		`UPDATE faves SET description = ?, url = ?, image_path = ?, privacy = ?,
+		`UPDATE faves SET description = ?, url = ?, image_path = ?, notes = ?, privacy = ?,
 			updated_at = strftime('%Y-%m-%dT%H:%M:%SZ', 'now')
 		WHERE id = ?`,
-		description, url, imagePath, privacy, id,
+		description, url, imagePath, notes, privacy, id,
 	)
 	return err
 }
@@ -96,7 +96,7 @@ func (s *FaveStore) ListByUser(userID int64, limit, offset int) ([]*model.Fave,
 	}
 
 	rows, err := s.db.Query(
-		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.privacy,
+		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.notes, f.privacy,
 			f.created_at, f.updated_at, u.username, COALESCE(NULLIF(u.display_name, ''), u.username)
 		FROM faves f
 		JOIN users u ON u.id = f.user_id
@@ -125,7 +125,7 @@ func (s *FaveStore) ListPublicByUser(userID int64, limit, offset int) ([]*model.
 	}
 
 	rows, err := s.db.Query(
-		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.privacy,
+		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.notes, f.privacy,
 			f.created_at, f.updated_at, u.username, COALESCE(NULLIF(u.display_name, ''), u.username)
 		FROM faves f
 		JOIN users u ON u.id = f.user_id
@@ -152,7 +152,7 @@ func (s *FaveStore) ListPublic(limit, offset int) ([]*model.Fave, int, error) {
 	}
 
 	rows, err := s.db.Query(
-		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.privacy,
+		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.notes, f.privacy,
 			f.created_at, f.updated_at, u.username, COALESCE(NULLIF(u.display_name, ''), u.username)
 		FROM faves f
 		JOIN users u ON u.id = f.user_id
@@ -184,7 +184,7 @@ func (s *FaveStore) ListByTag(tagName string, limit, offset int) ([]*model.Fave,
 	}
 
 	rows, err := s.db.Query(
-		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.privacy,
+		`SELECT f.id, f.user_id, f.description, f.url, f.image_path, f.notes, f.privacy,
 			f.created_at, f.updated_at, u.username, COALESCE(NULLIF(u.display_name, ''), u.username)
 		FROM faves f
 		JOIN users u ON u.id = f.user_id
@@ -261,7 +261,7 @@ func (s *FaveStore) scanFaves(rows *sql.Rows) ([]*model.Fave, error) {
 		f := &model.Fave{}
 		var createdAt, updatedAt string
 		err := rows.Scan(
-			&f.ID, &f.UserID, &f.Description, &f.URL, &f.ImagePath, &f.Privacy,
+			&f.ID, &f.UserID, &f.Description, &f.URL, &f.ImagePath, &f.Notes, &f.Privacy,
 			&createdAt, &updatedAt, &f.Username, &f.DisplayName,
 		)
 		if err != nil {
diff --git a/internal/store/fave_test.go b/internal/store/fave_test.go
index 7779b3d..f96ce8f 100644
--- a/internal/store/fave_test.go
+++ b/internal/store/fave_test.go
@@ -23,7 +23,7 @@ func TestFaveCRUD(t *testing.T) {
 	}
 
 	// Create a fave.
-	fave, err := faves.Create(user.ID, "Blade Runner 2049", "https://example.com", "", "public")
+	fave, err := faves.Create(user.ID, "Blade Runner 2049", "https://example.com", "", "", "public")
 	if err != nil {
 		t.Fatalf("create fave: %v", err)
 	}
@@ -44,7 +44,7 @@ func TestFaveCRUD(t *testing.T) {
 	}
 
 	// Update.
-	err = faves.Update(fave.ID, "Blade Runner 2049 (Final Cut)", "https://example.com/br2049", "", "private")
+	err = faves.Update(fave.ID, "Blade Runner 2049 (Final Cut)", "https://example.com/br2049", "", "", "private")
 	if err != nil {
 		t.Fatalf("update fave: %v", err)
 	}
@@ -107,6 +107,49 @@ func TestFaveCRUD(t *testing.T) {
 	}
 }
 
+func TestFaveNotes(t *testing.T) {
+	db := testDB(t)
+	users := NewUserStore(db)
+	faves := NewFaveStore(db)
+
+	Argon2Memory = 1024
+	Argon2Time = 1
+	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
+
+	user, _ := users.Create("testuser", "password123", "user")
+
+	// Create with notes.
+	fave, err := faves.Create(user.ID, "Film", "https://example.com", "", "En fantastisk film", "public")
+	if err != nil {
+		t.Fatalf("create fave with notes: %v", err)
+	}
+	if fave.Notes != "En fantastisk film" {
+		t.Errorf("notes = %q, want %q", fave.Notes, "En fantastisk film")
+	}
+
+	// Update notes.
+	err = faves.Update(fave.ID, fave.Description, fave.URL, fave.ImagePath, "Oppdatert anmeldelse", fave.Privacy)
+	if err != nil {
+		t.Fatalf("update notes: %v", err)
+	}
+	updated, _ := faves.GetByID(fave.ID)
+	if updated.Notes != "Oppdatert anmeldelse" {
+		t.Errorf("updated notes = %q", updated.Notes)
+	}
+
+	// Notes appear in list queries.
+	list, _, _ := faves.ListByUser(user.ID, 10, 0)
+	if len(list) != 1 || list[0].Notes != "Oppdatert anmeldelse" {
+		t.Error("notes should be loaded in list queries")
+	}
+
+	// Empty notes by default.
+	fave2, _ := faves.Create(user.ID, "No notes", "", "", "", "public")
+	if fave2.Notes != "" {
+		t.Errorf("default notes = %q, want empty", fave2.Notes)
+	}
+}
+
 func TestListByTag(t *testing.T) {
 	db := testDB(t)
 	users := NewUserStore(db)
@@ -120,9 +163,9 @@ func TestListByTag(t *testing.T) {
 	user, _ := users.Create("testuser", "password123", "user")
 
 	// Create two public faves with overlapping tags.
-	f1, _ := faves.Create(user.ID, "Fave 1", "", "", "public")
-	f2, _ := faves.Create(user.ID, "Fave 2", "", "", "public")
-	f3, _ := faves.Create(user.ID, "Private Fave", "", "", "private")
+	f1, _ := faves.Create(user.ID, "Fave 1", "", "", "", "public")
+	f2, _ := faves.Create(user.ID, "Fave 2", "", "", "", "public")
+	f3, _ := faves.Create(user.ID, "Private Fave", "", "", "", "private")
 
 	tags.SetFaveTags(f1.ID, []string{"music", "jazz"})
 	tags.SetFaveTags(f2.ID, []string{"music", "rock"})
@@ -154,7 +197,7 @@ func TestFavePagination(t *testing.T) {
 
 	// Create 5 faves.
 	for i := 0; i < 5; i++ {
-		faves.Create(user.ID, "Fave "+string(rune('A'+i)), "", "", "public")
+		faves.Create(user.ID, "Fave "+string(rune('A'+i)), "", "", "", "public")
 	}
 
 	// Page 1 with limit 2.
diff --git a/internal/store/tag_test.go b/internal/store/tag_test.go
index 1e967fd..3d0d4a8 100644
--- a/internal/store/tag_test.go
+++ b/internal/store/tag_test.go
@@ -42,8 +42,8 @@ func TestTagSearch(t *testing.T) {
 	user, _ := users.Create("testuser", "password123", "user")
 
 	// Create some tags via faves to give them usage counts.
-	f1, _ := faves.Create(user.ID, "F1", "", "", "public")
-	f2, _ := faves.Create(user.ID, "F2", "", "", "public")
+	f1, _ := faves.Create(user.ID, "Fave 1", "", "", "", "public")
+	f2, _ := faves.Create(user.ID, "Fave 2", "", "", "", "public")
 
 	tags.SetFaveTags(f1.ID, []string{"music", "movies", "misc"})
 	tags.SetFaveTags(f2.ID, []string{"music", "manga"})
@@ -94,7 +94,7 @@ func TestTagSetFaveTagsLimit(t *testing.T) {
 	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
 
 	user, _ := users.Create("testuser", "password123", "user")
-	fave, _ := faves.Create(user.ID, "Test", "", "", "public")
+	fave, _ := faves.Create(user.ID, "Test", "", "", "", "public")
 
 	// Try to set more than MaxTagsPerFave tags.
 	manyTags := make([]string, 30)
@@ -124,7 +124,7 @@ func TestTagCleanupOrphans(t *testing.T) {
 	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
 
 	user, _ := users.Create("testuser", "password123", "user")
-	fave, _ := faves.Create(user.ID, "Test", "", "", "public")
+	fave, _ := faves.Create(user.ID, "Test", "", "", "", "public")
 
 	tags.SetFaveTags(fave.ID, []string{"keep", "orphan"})
 
diff --git a/web/templates/pages/fave_detail.html b/web/templates/pages/fave_detail.html
index ea671b5..74aa810 100644
--- a/web/templates/pages/fave_detail.html
+++ b/web/templates/pages/fave_detail.html
@@ -2,7 +2,13 @@
 {{with .Data}}{{with .Fave}}
     {{if eq .Privacy "public"}}
         <meta property="og:title" content="{{truncate 70 .Description}}">
-        <meta property="og:description" content="En favoritt av {{.DisplayName}} på {{$.SiteName}}">
+        {{if .Notes}}
+            <meta property="og:description" content="{{truncate 200 .Notes}}">
+        {{else if .URL}}
+            <meta property="og:description" content="{{.URL}}">
+        {{else}}
+            <meta property="og:description" content="En favoritt av {{.DisplayName}} på {{$.SiteName}}">
+        {{end}}
         <meta property="og:type" content="article">
         {{if $.ExternalURL}}
             <meta property="og:url" content="{{$.ExternalURL}}/faves/{{.ID}}">
@@ -45,6 +51,10 @@
                 <p><a href="{{.URL}}" target="_blank" rel="noopener noreferrer">{{.URL}}</a></p>
             {{end}}
 
+            {{if .Notes}}
+                <div class="fave-notes">{{.Notes}}</div>
+            {{end}}
+
             {{if .Tags}}
                 <p>
                     {{range .Tags}}
diff --git a/web/templates/pages/fave_form.html b/web/templates/pages/fave_form.html
index 5dcc665..4b1cd20 100644
--- a/web/templates/pages/fave_form.html
+++ b/web/templates/pages/fave_form.html
@@ -30,6 +30,13 @@
                        placeholder="https://...">
             </label>
 
+            <label for="notes">
+                Notater (valgfri)
+                <textarea id="notes" name="notes"
+                          rows="4"
+                          placeholder="Utfyllende tekst, anmeldelse, tanker...">{{.Notes}}</textarea>
+            </label>
+
             <label for="image">
                 Bilde (valgfri)
                 <input type="file" id="image" name="image"

From 1260cfd18fa341973910e9badc5b435a41c042f8 Mon Sep 17 00:00:00 2001
From: Ole-Morten Duesund <olemd@glemt.net>
Date: Tue, 7 Apr 2026 10:06:18 +0200
Subject: [PATCH 08/14] feat: add PWA support with Android share intent
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Make Favoritter installable as a Progressive Web App with offline
static asset caching and Web Share Target API for Android.

New files:
- internal/handler/pwa.go: handlers for manifest, service worker,
  and share target
- web/static/sw.js: service worker (cache-first static, network-first
  HTML) with {{BASE_PATH}} placeholder for subpath deployments
- web/static/icons/: placeholder PWA icons (192, 512, 512-maskable)

Key design decisions:
- Share target uses GET (not POST) to avoid CSRF token issues — Android
  apps cannot provide CSRF tokens
- Manifest is generated dynamically to inject BasePath into start_url,
  scope, icon paths, and share_target action
- Service worker served at /sw.js with Cache-Control: no-cache and
  BasePath injected via string replacement
- handleShare extracts URLs from Android's "text" field as fallback
  (many apps put the URL there instead of "url")
- handleFaveNew replaced with handleFaveNewPreFill that reads url,
  description, notes from query params (enables share + bookmarklets)
- SW registration in app.js reads base-path from <meta> tag (CSP-safe)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 internal/handler/fave.go               |  13 ---
 internal/handler/handler.go            |   7 +-
 internal/handler/pwa.go                | 142 +++++++++++++++++++++++
 internal/handler/web_test.go           | 149 +++++++++++++++++++++++++
 web/static/icons/icon-192.png          | Bin 0 -> 1137 bytes
 web/static/icons/icon-512-maskable.png | Bin 0 -> 3386 bytes
 web/static/icons/icon-512.png          | Bin 0 -> 3386 bytes
 web/static/js/app.js                   |   7 ++
 web/static/sw.js                       |  66 +++++++++++
 web/templates/layouts/base.html        |   5 +
 10 files changed, 375 insertions(+), 14 deletions(-)
 create mode 100644 internal/handler/pwa.go
 create mode 100644 web/static/icons/icon-192.png
 create mode 100644 web/static/icons/icon-512-maskable.png
 create mode 100644 web/static/icons/icon-512.png
 create mode 100644 web/static/sw.js

diff --git a/internal/handler/fave.go b/internal/handler/fave.go
index 9a5dd82..fb75784 100644
--- a/internal/handler/fave.go
+++ b/internal/handler/fave.go
@@ -48,19 +48,6 @@ func (h *Handler) handleFaveList(w http.ResponseWriter, r *http.Request) {
 	})
 }
 
-// handleFaveNew shows the form for creating a new fave.
-func (h *Handler) handleFaveNew(w http.ResponseWriter, r *http.Request) {
-	user := middleware.UserFromContext(r.Context())
-
-	h.deps.Renderer.Page(w, r, "fave_form", render.PageData{
-		Title: "Ny favoritt",
-		Data: map[string]any{
-			"IsNew":          true,
-			"DefaultPrivacy": user.DefaultFavePrivacy,
-		},
-	})
-}
-
 // handleFaveCreate processes the form for creating a new fave.
 func (h *Handler) handleFaveCreate(w http.ResponseWriter, r *http.Request) {
 	user := middleware.UserFromContext(r.Context())
diff --git a/internal/handler/handler.go b/internal/handler/handler.go
index 2b5f879..c2f3a80 100644
--- a/internal/handler/handler.go
+++ b/internal/handler/handler.go
@@ -74,6 +74,10 @@ func (h *Handler) Routes() *http.ServeMux {
 	// Health check.
 	mux.HandleFunc("GET /health", h.handleHealth)
 
+	// PWA: manifest and service worker (public, no auth).
+	mux.HandleFunc("GET /manifest.json", h.handleManifest)
+	mux.HandleFunc("GET /sw.js", h.handleServiceWorker)
+
 	// Auth routes (rate-limited).
 	mux.Handle("POST /login", h.rateLimiter.Limit(http.HandlerFunc(h.handleLoginPost)))
 	mux.Handle("POST /signup", h.rateLimiter.Limit(http.HandlerFunc(h.handleSignupPost)))
@@ -91,8 +95,9 @@ func (h *Handler) Routes() *http.ServeMux {
 
 	// Faves — authenticated routes use requireLogin wrapper.
 	requireLogin := middleware.RequireLogin(h.deps.Config.BasePath)
+	mux.Handle("GET /share", requireLogin(http.HandlerFunc(h.handleShare)))
 	mux.Handle("GET /faves", requireLogin(http.HandlerFunc(h.handleFaveList)))
-	mux.Handle("GET /faves/new", requireLogin(http.HandlerFunc(h.handleFaveNew)))
+	mux.Handle("GET /faves/new", requireLogin(http.HandlerFunc(h.handleFaveNewPreFill)))
 	mux.Handle("POST /faves", requireLogin(http.HandlerFunc(h.handleFaveCreate)))
 	mux.HandleFunc("GET /faves/{id}", h.handleFaveDetail)
 	mux.Handle("GET /faves/{id}/edit", requireLogin(http.HandlerFunc(h.handleFaveEdit)))
diff --git a/internal/handler/pwa.go b/internal/handler/pwa.go
new file mode 100644
index 0000000..f64fb20
--- /dev/null
+++ b/internal/handler/pwa.go
@@ -0,0 +1,142 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package handler
+
+import (
+	"encoding/json"
+	"io/fs"
+	"net/http"
+	"net/url"
+	"strings"
+
+	"kode.naiv.no/olemd/favoritter/internal/middleware"
+	"kode.naiv.no/olemd/favoritter/internal/render"
+	"kode.naiv.no/olemd/favoritter/web"
+)
+
+// handleManifest serves the Web App Manifest with dynamic BasePath injection.
+func (h *Handler) handleManifest(w http.ResponseWriter, r *http.Request) {
+	bp := h.deps.Config.BasePath
+
+	manifest := map[string]any{
+		"name":             h.deps.Config.SiteName,
+		"short_name":       h.deps.Config.SiteName,
+		"description":      "Lagre og del dine favoritter",
+		"start_url":        bp + "/",
+		"scope":            bp + "/",
+		"display":          "standalone",
+		"background_color": "#ffffff",
+		"theme_color":      "#1095c1",
+		"icons": []map[string]any{
+			{"src": bp + "/static/icons/icon-192.png", "sizes": "192x192", "type": "image/png"},
+			{"src": bp + "/static/icons/icon-512.png", "sizes": "512x512", "type": "image/png"},
+			{"src": bp + "/static/icons/icon-512-maskable.png", "sizes": "512x512", "type": "image/png", "purpose": "maskable"},
+		},
+		"share_target": map[string]any{
+			"action": bp + "/share",
+			"method": "GET",
+			"params": map[string]string{
+				"url":   "url",
+				"text":  "text",
+				"title": "title",
+			},
+		},
+	}
+
+	w.Header().Set("Content-Type", "application/manifest+json")
+	json.NewEncoder(w).Encode(manifest)
+}
+
+// handleServiceWorker serves the service worker JS from root scope.
+// BasePath is injected via placeholder replacement so the SW can
+// cache the correct static asset paths.
+func (h *Handler) handleServiceWorker(w http.ResponseWriter, r *http.Request) {
+	staticFS, err := fs.Sub(web.StaticFS, "static")
+	if err != nil {
+		http.Error(w, "Not found", http.StatusNotFound)
+		return
+	}
+
+	data, err := fs.ReadFile(staticFS, "sw.js")
+	if err != nil {
+		http.Error(w, "Not found", http.StatusNotFound)
+		return
+	}
+
+	content := strings.ReplaceAll(string(data), "{{BASE_PATH}}", h.deps.Config.BasePath)
+
+	w.Header().Set("Content-Type", "application/javascript")
+	w.Header().Set("Cache-Control", "no-cache")
+	w.Write([]byte(content))
+}
+
+// handleShare receives Android share intents via the Web Share Target API
+// and redirects to the new-fave form with pre-filled values.
+// Uses GET to avoid CSRF issues (Android cannot provide CSRF tokens).
+func (h *Handler) handleShare(w http.ResponseWriter, r *http.Request) {
+	user := middleware.UserFromContext(r.Context())
+	if user == nil {
+		http.Redirect(w, r, h.deps.Config.BasePath+"/login", http.StatusSeeOther)
+		return
+	}
+
+	sharedURL := r.URL.Query().Get("url")
+	sharedTitle := r.URL.Query().Get("title")
+	sharedText := r.URL.Query().Get("text")
+
+	// Many Android apps send the URL in the "text" field instead of "url".
+	if sharedURL == "" && sharedText != "" {
+		sharedURL = extractURL(sharedText)
+		if sharedURL != "" {
+			// Remove the URL from text so it's not duplicated.
+			sharedText = strings.TrimSpace(strings.Replace(sharedText, sharedURL, "", 1))
+		}
+	}
+
+	description := sharedTitle
+	if description == "" && sharedText != "" {
+		description = sharedText
+		sharedText = "" // Don't duplicate into notes.
+	}
+
+	target := h.deps.Config.BasePath + "/faves/new?"
+	params := url.Values{}
+	if sharedURL != "" {
+		params.Set("url", sharedURL)
+	}
+	if description != "" {
+		params.Set("description", description)
+	}
+	if sharedText != "" {
+		params.Set("notes", sharedText)
+	}
+
+	http.Redirect(w, r, target+params.Encode(), http.StatusSeeOther)
+}
+
+// handleFaveNewWithPreFill shows the new fave form, optionally pre-filled
+// from query parameters (used by share target and bookmarklets).
+func (h *Handler) handleFaveNewPreFill(w http.ResponseWriter, r *http.Request) {
+	user := middleware.UserFromContext(r.Context())
+
+	h.deps.Renderer.Page(w, r, "fave_form", render.PageData{
+		Title: "Ny favoritt",
+		Data: map[string]any{
+			"IsNew":          true,
+			"DefaultPrivacy": user.DefaultFavePrivacy,
+			"Description":    r.URL.Query().Get("description"),
+			"URL":            r.URL.Query().Get("url"),
+			"Notes":          r.URL.Query().Get("notes"),
+		},
+	})
+}
+
+// extractURL finds the first http:// or https:// URL in a string.
+func extractURL(s string) string {
+	for _, word := range strings.Fields(s) {
+		if strings.HasPrefix(word, "http://") || strings.HasPrefix(word, "https://") {
+			return word
+		}
+	}
+	return ""
+}
diff --git a/internal/handler/web_test.go b/internal/handler/web_test.go
index 6cda977..aa53c2e 100644
--- a/internal/handler/web_test.go
+++ b/internal/handler/web_test.go
@@ -1133,6 +1133,155 @@ func TestDisplayNameFallbackToUsername(t *testing.T) {
 	}
 }
 
+// --- PWA ---
+
+func TestManifestJSON(t *testing.T) {
+	_, mux := testServer(t)
+
+	req := httptest.NewRequest("GET", "/manifest.json", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("manifest: got %d, want 200", rr.Code)
+	}
+
+	ct := rr.Header().Get("Content-Type")
+	if !strings.Contains(ct, "manifest+json") {
+		t.Errorf("content-type = %q, want manifest+json", ct)
+	}
+
+	var manifest map[string]any
+	if err := json.Unmarshal(rr.Body.Bytes(), &manifest); err != nil {
+		t.Fatalf("parse manifest: %v", err)
+	}
+
+	if manifest["name"] != "Test" {
+		t.Errorf("name = %v, want Test", manifest["name"])
+	}
+
+	// share_target should exist with GET method.
+	st, ok := manifest["share_target"].(map[string]any)
+	if !ok {
+		t.Fatal("manifest missing share_target")
+	}
+	if st["method"] != "GET" {
+		t.Errorf("share_target method = %v, want GET", st["method"])
+	}
+}
+
+func TestServiceWorkerContent(t *testing.T) {
+	_, mux := testServer(t)
+
+	req := httptest.NewRequest("GET", "/sw.js", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("sw.js: got %d, want 200", rr.Code)
+	}
+
+	ct := rr.Header().Get("Content-Type")
+	if !strings.Contains(ct, "javascript") {
+		t.Errorf("content-type = %q, want javascript", ct)
+	}
+
+	cc := rr.Header().Get("Cache-Control")
+	if cc != "no-cache" {
+		t.Errorf("Cache-Control = %q, want no-cache", cc)
+	}
+
+	body := rr.Body.String()
+	if strings.Contains(body, "{{BASE_PATH}}") {
+		t.Error("sw.js should have BASE_PATH placeholder replaced")
+	}
+	if !strings.Contains(body, "CACHE_NAME") {
+		t.Error("sw.js should contain service worker code")
+	}
+}
+
+func TestShareRedirectsToFaveNew(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	req := httptest.NewRequest("GET", "/share?url=https://example.com&title=Test+Page", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusSeeOther {
+		t.Fatalf("share: got %d, want 303", rr.Code)
+	}
+
+	loc := rr.Header().Get("Location")
+	if !strings.Contains(loc, "/faves/new") {
+		t.Errorf("redirect = %q, should point to /faves/new", loc)
+	}
+	if !strings.Contains(loc, "url=https") {
+		t.Errorf("redirect = %q, should contain url param", loc)
+	}
+	if !strings.Contains(loc, "description=Test") {
+		t.Errorf("redirect = %q, should contain description from title", loc)
+	}
+}
+
+func TestShareTextFieldFallback(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	// Some Android apps put the URL in "text" instead of "url".
+	req := httptest.NewRequest("GET", "/share?text=Check+this+out+https://example.com/article", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	loc := rr.Header().Get("Location")
+	if !strings.Contains(loc, "url=https") {
+		t.Errorf("should extract URL from text field: %q", loc)
+	}
+}
+
+func TestShareRequiresLogin(t *testing.T) {
+	_, mux := testServer(t)
+
+	req := httptest.NewRequest("GET", "/share?url=https://example.com", nil)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusSeeOther {
+		t.Errorf("unauthenticated share: got %d, want 303", rr.Code)
+	}
+	loc := rr.Header().Get("Location")
+	if !strings.Contains(loc, "/login") {
+		t.Errorf("should redirect to login: %q", loc)
+	}
+}
+
+func TestFaveNewPreFill(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	req := httptest.NewRequest("GET", "/faves/new?url=https://example.com&description=Shared+Page&notes=Great+article", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("fave new pre-fill: got %d, want 200", rr.Code)
+	}
+
+	body := rr.Body.String()
+	if !strings.Contains(body, "https://example.com") {
+		t.Error("URL should be pre-filled")
+	}
+	if !strings.Contains(body, "Shared Page") {
+		t.Error("description should be pre-filled")
+	}
+	if !strings.Contains(body, "Great article") {
+		t.Error("notes should be pre-filled")
+	}
+}
+
 // --- Export page ---
 
 func TestExportPageRendering(t *testing.T) {
diff --git a/web/static/icons/icon-192.png b/web/static/icons/icon-192.png
new file mode 100644
index 0000000000000000000000000000000000000000..95fe080e98bd0f9ed0039372081f423513edf292
GIT binary patch
literal 1137
zcmeAS@N?(olHy`uVBq!ia0vp^2SAvE2}s`E_d9@rfyKhp#WAE}&YMebCtgkvU`Z5r
zWtbqqIFbJeGv`Dm`<kbpZ%*>Nwr5gW+3(H-`(LlO$Jgr}2#Y@_$8eK_Lx`!Vr9nYa
z!DB#}b|2qA@89gc!Og*Y-Pa2jn3!gj-sj~#tGFQZ{Lu>+RG4NNT<7AoRbJqJdg_G>
z%uK%$eC16_`Wx=8)o*Ug<9Km)weN)sqKvU-*BzW$N(8MJEPTiKlGP-CMXAH$y8Am9
z?qlrzTXnl_7TcEN`>V~a7%up0cXz|WGRC)mALsFY<$5vW{kE(Xfe!Bfw)#8AGFkmw
z>?@Tecp-BCn+pMd8_xYr`q|dS{^WywyX3cEONII8fBG23+-$g0_ss0PhAH!>KhvIv
zENWu3{C~1?Tka~>C;t`ybH)d0EtqnD$(fyQa~n48n`HX7Nr_SQpK{@|bWx^Le_h@^
zG5^T8^uI#wzc&q+*4K;fbuDnXSYAJ2w|ADqPVxD|y8=@j7H<C+@+hv7Q8lh|?~b>J
zn7VeqXN$B}W1UhO>3U(AAtUSEl8!00#!Oy2pG62pv$Kd49-sT;{X4k{|5?AM)iJ(q
zIFny4@!a|c+mo8Dk8j2uHc_};J@>?CwLZqmxKoV}Q{ONd?U^XL{r3&lFMq$^2L}GL
zGWp#NJo!%!e=q{6c~vsc+>rOgx486;d)x9I&V^gg_$<4I*=YY=!!!C1K-QE$-CynC
zAXt9K`N%a%#-%aE3#Qa2GjZ)&sh4qiNy8?+-I3S&5*d%){T^C)`zh;`il<YBzIX9x
ze7Sbo$=r)q<NKq@Mdh4)8o%CsU$p%MpT^%`tk3%SHGZ-0oP0loL*t8Zr?I`ZP{1Ag
zP0L~f)E6vR4+_qe4N7&7?H_utVomv{`26NJO^FF_=i4k7y2^9nLv-Hfo**-Y)$>6S
z^t8dp?zzF?x-RyTU;neNUshTmygy>!JUzy_pHB0AHQ{>kpx<oe@^FXtzgzun-!fS}
z*uD1EONk5X?B9j?Uv4P-RdTrM7n{kS`?jw$WiK39zkTiUY6oXvVv=Lp)xm1AzP;gI
z&g+IMju&@Vn+BX0W!xKmpXKWvfeY-}rxwhsX8Dq_lmAtvgM;uht%dW_SxnyU6n!<*
z#bNWi?uGL#S++d6#rsu9VS#_Zd7}Z%cM3n{85sWmuMAiHu`9F(RFp7yy85}Sb4q9e
E012YzzyJUM

literal 0
HcmV?d00001

diff --git a/web/static/icons/icon-512-maskable.png b/web/static/icons/icon-512-maskable.png
new file mode 100644
index 0000000000000000000000000000000000000000..9879528c937c5fe4eb874a82fbcdc5432912981f
GIT binary patch
literal 3386
zcmeI#`#)6q9|!RFIVPQx*qO1uYJ?frEksFX%H^bpT&iy+lBEl((F~@E8qBF|OPf?m
zY@@OJsO_Pmq$QV_)lx38-9{LfE_BmSvth#cPT%?`zTe0GbUu&s{`~NHoX7j~dcIG_
znxK{XGZ-@fK;O@I#lHbi?Ggp-^Fzc~UZj1G_^nvBK1nk8cqrb=pH_cgAJvhuX4aVx
zPoGma&Er*lanCBo$AH9*Q3LLG4r<m3#p21XT8&DFbQ5<>0t~VMexU&K6hIms$TcWX
zR{?n8KzxS)X8lj`f9NCJ*NnD_2U96eeBkcKG7W>UN0^VsyW3$Q4jCTvYjml;kgj?x
z=fX}3X`i+6d!2L(pm44aF$e>MS^qw&9lS80o$KDC&pZH5y<BcFa?}=PCPv?JAv-8!
zW2@s$U8h`dl5glLLISLzWzV}^T(HDJr@N$`A#+1zi$)!O*L6AyPEFk=+AS8)QWBl-
zLN1_?tYGDJU8h6f^v5S}Ip|WMv+MVI29byoe9^`bogIO&<4T<-I7v4t6aLze-(RG%
z8vYh3xUlPN*t>mw7*ZhpnH#1m>_d=(yr!jL>W)53q#*l~Uf2}=)D|hooZr>i&sheq
zerdlnvVYT79Q5}n9v*88U?2sRHU6EWjW`QV$y1hBd3u)OAiNjSHk<#4FG{S<-Ya-e
z<&*(y?pN1KMtx>7;gqw`?qZE`3J$-weBao?U%3<|SonDE@UcBCSbw7QD2Kl)9wqRd
zXLCnt9$CTQnTo@C{J^=WEV^-N?u2qZ69%^<Dac|vl$E6Llc(>c!N|4!Luy7W3t}UO
zJU#@5tcH+#4^rySY*~Or&NUg$9lE^=l`WCK!y+=GD5UpbXMBwj7X!PH8!_sw_DoQ;
z=G<yXe9l8<x2`;yU1L^G2j2GDR+WB57Q`7h3ymU9p2eX2T4?(R_liRh=gt*Qk2u|o
zgK_D)(f7M6av;uHPv{zvtB1pxl0fcQ>t=7bd3eL7#`Xa^Dw{TVe}4_<B@Qv6zlJC8
z3!+0%$uf~zBVj>x>!<a7j>8L)KJUF34W<sZV{r8v`|+4%H33OK7Zo;&pN66`!Igk0
zjlpUfoQsTjqsn3j0lVq?o~Nthk3(E~;OqLSXBg5alApH}XYz6Ay=IxBPIR*Yx2?-6
zRnzwoFn01??jPb8cBt&-l?E$~jg$@^TO0@8uU7lQSpJ3FCTYJbDw94*@0f__F@)3-
z1AHPXl@6Ln<AkyHY8s@5q!Ai6D*Gmk+ALlP4?+)Y*QBzM^a0KDnO276W}XLMk`{te
zoAO_}zhq^DRYI5gZXsp`@d`oBv)J=A(w@i8;;`0InCVsbXsvz*i0{*2f#f0G3oLH7
zxi#ncF+o+)Sl!S#do>&u{K&bj&I<$^fr!&Kmk|IB3H*v9rHf8O%Zr8t2isj%$gI2J
z{RXX%-B72@u%;AA@fJ$tx1-rroNd{dY!1(c%ig&SlTnpcb{xJlCZq5y-*SXH7$H)!
zs@S4#oZ$1ABF=##oY<x`Gh+Xkf)g8grb2dRAWrxzO&+teO>x4L$8h1~y~7A+<*d^j
z=`D<~<r#nET*$--6Qxl&`*Ju&e8c<p7Q4g&BXpE>Q%?CuoDlM8DV$sNII&atO*iNE
zX`Be>891{Wqi|xaa%MKW%>^gCd3q}L<7qg-QR3@3U5_!sfrpiHo?gHRmQoj&sFqL)
zW|SYC6C|RcYYvVRjF=h}dD0fh%+9XOhu8sw<1Ol5e^@*|UOQDaPKz{oDR$J>O~2Gn
z_1PS6$h%6wr8x7uPj48r;D?(=R&lLwspKYwezc&@pGGDqsJ|tYU8a#o6ov!wm-Oi5
zuZn-!#Gm8R$x6lS=(v;3bn<~>PNm?mogw)~Vg4y$|4)XbuEJtT0`ILMX{NB=AHOw>
zN-kD>R~Z*vMJ0n2c5ei$OlV}ZV*WgVhloa|Di-WYSlC4)a}<j%#oH{Ulf??xH*t)!
zbh1IQWL})XIGyZKxQ`^DVTR<0g4i2BQfWxyisf>_8(k{NQuqWX^h8rhj>1nK_n?7F
zu2lpm2aX0>z{8tT#hup-AJ9$kuQ()d$<p>k@z=g+&g`Gp`d~fklqYK57j!=ob&_;7
z&u(ptMV+KeTeuR*dkXX5*_KjC9tAyKmomV<Xq^U>_{*F+P9qCK6}!y@UcX|*99PLz
zw#iNk^Mt5%Wso-$!TQTo=Tyi2AfZB49Z%ni6N_BUW0-kxUNDud9)C&!J8F~mZj5cw
zL)FhQs0~S*qjBL=$cRBNRGcTJke($5rRv&hTbO9|3FvS8V1o1+=4>^aI+aBs+d6*o
zn+Wu<hUCUwEq$IJjF3KB*Zq9YyE>@M)!sKkW16MC*rk@HYHqSWu>bt|?`PupG>AJD
z__|K|jEVH&ITt*p(w|evmru?#O_-ju0JnQhk6zRc+arBOWxp}RX~q~hUS|u(jH`Vh
zDZjf=7SR`l%I3;r9DAkC6tXn-ulY4@w%Sa)w&JaNKw=A<Z<`gp;0kc0Z(;CG{ocIG
z7;L;An5g=pLK`~^^n~WUIb0mtOV=e1Z>W$!oE}%`(3`y!gT#{1jqj~1G9b>fS$K|r
zH-$oqI<7h=yYsBIQG4WT)Xpdy46T`^hrv%FH=ZZk$*CYO;jSE8Wp4@gQQc;$ln_5{
zj5mCZaUK8B6a2dUsLX6c=^k;&fkN)S(qqzlAe=(x$4VV#KA(Ni`|87)ibMY;L#qh)
ziy~TBGQPmV!kfQX^Jt;SJf_z49R~dY;f;ku-VrF_ttw0CF<C&unn&mBC4bM?8vDp)
zn`=z<G_AuIgb{7ZHf<vj!W7pVL)nI2u%qDl$-T+Z4=`~5yYu1qtNraiV|n=tmghBP
za<SK#AME(;LtSv{;xS)%b#b6oo;)v!fE|UMoxvhAwimp*)H)#FM^8Eee}(+eUo<>(
zSgUIJt#R(;PA%K~_8DQ~N<**-sjZhwk<Zl6zy2{s7l}OPQWZNndpXSNR|?BC+LHzd
zdVRvghiRZ&xvj9sQ-y(ZcvZVxdV)fh6mQ!7wrxEs+y1h=>yxu~%24D@E7!ExK+9<7
zu`qFiAy~Lo4alVwlsNMIEN@clxpsCLluPHJM9!UY-eiUa{Hfm6U*xHsZdRC=_k1$+
z1?*$$`y$Ug3b~nI#h=Wuh83k6E5m>0-2abZUt<n1HN`B)a_+vKaM1n}fuDEKiej(G
GgZ}|1$h_GA

literal 0
HcmV?d00001

diff --git a/web/static/icons/icon-512.png b/web/static/icons/icon-512.png
new file mode 100644
index 0000000000000000000000000000000000000000..9879528c937c5fe4eb874a82fbcdc5432912981f
GIT binary patch
literal 3386
zcmeI#`#)6q9|!RFIVPQx*qO1uYJ?frEksFX%H^bpT&iy+lBEl((F~@E8qBF|OPf?m
zY@@OJsO_Pmq$QV_)lx38-9{LfE_BmSvth#cPT%?`zTe0GbUu&s{`~NHoX7j~dcIG_
znxK{XGZ-@fK;O@I#lHbi?Ggp-^Fzc~UZj1G_^nvBK1nk8cqrb=pH_cgAJvhuX4aVx
zPoGma&Er*lanCBo$AH9*Q3LLG4r<m3#p21XT8&DFbQ5<>0t~VMexU&K6hIms$TcWX
zR{?n8KzxS)X8lj`f9NCJ*NnD_2U96eeBkcKG7W>UN0^VsyW3$Q4jCTvYjml;kgj?x
z=fX}3X`i+6d!2L(pm44aF$e>MS^qw&9lS80o$KDC&pZH5y<BcFa?}=PCPv?JAv-8!
zW2@s$U8h`dl5glLLISLzWzV}^T(HDJr@N$`A#+1zi$)!O*L6AyPEFk=+AS8)QWBl-
zLN1_?tYGDJU8h6f^v5S}Ip|WMv+MVI29byoe9^`bogIO&<4T<-I7v4t6aLze-(RG%
z8vYh3xUlPN*t>mw7*ZhpnH#1m>_d=(yr!jL>W)53q#*l~Uf2}=)D|hooZr>i&sheq
zerdlnvVYT79Q5}n9v*88U?2sRHU6EWjW`QV$y1hBd3u)OAiNjSHk<#4FG{S<-Ya-e
z<&*(y?pN1KMtx>7;gqw`?qZE`3J$-weBao?U%3<|SonDE@UcBCSbw7QD2Kl)9wqRd
zXLCnt9$CTQnTo@C{J^=WEV^-N?u2qZ69%^<Dac|vl$E6Llc(>c!N|4!Luy7W3t}UO
zJU#@5tcH+#4^rySY*~Or&NUg$9lE^=l`WCK!y+=GD5UpbXMBwj7X!PH8!_sw_DoQ;
z=G<yXe9l8<x2`;yU1L^G2j2GDR+WB57Q`7h3ymU9p2eX2T4?(R_liRh=gt*Qk2u|o
zgK_D)(f7M6av;uHPv{zvtB1pxl0fcQ>t=7bd3eL7#`Xa^Dw{TVe}4_<B@Qv6zlJC8
z3!+0%$uf~zBVj>x>!<a7j>8L)KJUF34W<sZV{r8v`|+4%H33OK7Zo;&pN66`!Igk0
zjlpUfoQsTjqsn3j0lVq?o~Nthk3(E~;OqLSXBg5alApH}XYz6Ay=IxBPIR*Yx2?-6
zRnzwoFn01??jPb8cBt&-l?E$~jg$@^TO0@8uU7lQSpJ3FCTYJbDw94*@0f__F@)3-
z1AHPXl@6Ln<AkyHY8s@5q!Ai6D*Gmk+ALlP4?+)Y*QBzM^a0KDnO276W}XLMk`{te
zoAO_}zhq^DRYI5gZXsp`@d`oBv)J=A(w@i8;;`0InCVsbXsvz*i0{*2f#f0G3oLH7
zxi#ncF+o+)Sl!S#do>&u{K&bj&I<$^fr!&Kmk|IB3H*v9rHf8O%Zr8t2isj%$gI2J
z{RXX%-B72@u%;AA@fJ$tx1-rroNd{dY!1(c%ig&SlTnpcb{xJlCZq5y-*SXH7$H)!
zs@S4#oZ$1ABF=##oY<x`Gh+Xkf)g8grb2dRAWrxzO&+teO>x4L$8h1~y~7A+<*d^j
z=`D<~<r#nET*$--6Qxl&`*Ju&e8c<p7Q4g&BXpE>Q%?CuoDlM8DV$sNII&atO*iNE
zX`Be>891{Wqi|xaa%MKW%>^gCd3q}L<7qg-QR3@3U5_!sfrpiHo?gHRmQoj&sFqL)
zW|SYC6C|RcYYvVRjF=h}dD0fh%+9XOhu8sw<1Ol5e^@*|UOQDaPKz{oDR$J>O~2Gn
z_1PS6$h%6wr8x7uPj48r;D?(=R&lLwspKYwezc&@pGGDqsJ|tYU8a#o6ov!wm-Oi5
zuZn-!#Gm8R$x6lS=(v;3bn<~>PNm?mogw)~Vg4y$|4)XbuEJtT0`ILMX{NB=AHOw>
zN-kD>R~Z*vMJ0n2c5ei$OlV}ZV*WgVhloa|Di-WYSlC4)a}<j%#oH{Ulf??xH*t)!
zbh1IQWL})XIGyZKxQ`^DVTR<0g4i2BQfWxyisf>_8(k{NQuqWX^h8rhj>1nK_n?7F
zu2lpm2aX0>z{8tT#hup-AJ9$kuQ()d$<p>k@z=g+&g`Gp`d~fklqYK57j!=ob&_;7
z&u(ptMV+KeTeuR*dkXX5*_KjC9tAyKmomV<Xq^U>_{*F+P9qCK6}!y@UcX|*99PLz
zw#iNk^Mt5%Wso-$!TQTo=Tyi2AfZB49Z%ni6N_BUW0-kxUNDud9)C&!J8F~mZj5cw
zL)FhQs0~S*qjBL=$cRBNRGcTJke($5rRv&hTbO9|3FvS8V1o1+=4>^aI+aBs+d6*o
zn+Wu<hUCUwEq$IJjF3KB*Zq9YyE>@M)!sKkW16MC*rk@HYHqSWu>bt|?`PupG>AJD
z__|K|jEVH&ITt*p(w|evmru?#O_-ju0JnQhk6zRc+arBOWxp}RX~q~hUS|u(jH`Vh
zDZjf=7SR`l%I3;r9DAkC6tXn-ulY4@w%Sa)w&JaNKw=A<Z<`gp;0kc0Z(;CG{ocIG
z7;L;An5g=pLK`~^^n~WUIb0mtOV=e1Z>W$!oE}%`(3`y!gT#{1jqj~1G9b>fS$K|r
zH-$oqI<7h=yYsBIQG4WT)Xpdy46T`^hrv%FH=ZZk$*CYO;jSE8Wp4@gQQc;$ln_5{
zj5mCZaUK8B6a2dUsLX6c=^k;&fkN)S(qqzlAe=(x$4VV#KA(Ni`|87)ibMY;L#qh)
ziy~TBGQPmV!kfQX^Jt;SJf_z49R~dY;f;ku-VrF_ttw0CF<C&unn&mBC4bM?8vDp)
zn`=z<G_AuIgb{7ZHf<vj!W7pVL)nI2u%qDl$-T+Z4=`~5yYu1qtNraiV|n=tmghBP
za<SK#AME(;LtSv{;xS)%b#b6oo;)v!fE|UMoxvhAwimp*)H)#FM^8Eee}(+eUo<>(
zSgUIJt#R(;PA%K~_8DQ~N<**-sjZhwk<Zl6zy2{s7l}OPQWZNndpXSNR|?BC+LHzd
zdVRvghiRZ&xvj9sQ-y(ZcvZVxdV)fh6mQ!7wrxEs+y1h=>yxu~%24D@E7!ExK+9<7
zu`qFiAy~Lo4alVwlsNMIEN@clxpsCLluPHJM9!UY-eiUa{Hfm6U*xHsZdRC=_k1$+
z1?*$$`y$Ug3b~nI#h=Wuh83k6E5m>0-2abZUt<n1HN`B)a_+vKaM1n}fuDEKiej(G
GgZ}|1$h_GA

literal 0
HcmV?d00001

diff --git a/web/static/js/app.js b/web/static/js/app.js
index 3e5e40b..952ece5 100644
--- a/web/static/js/app.js
+++ b/web/static/js/app.js
@@ -188,4 +188,11 @@
         var match = document.cookie.match(new RegExp("(^| )" + name + "=([^;]+)"));
         return match ? match[2] : null;
     }
+
+    // Register service worker for PWA support.
+    if ("serviceWorker" in navigator) {
+        var baseMeta = document.querySelector('meta[name="base-path"]');
+        var base = baseMeta ? baseMeta.getAttribute("content") : "";
+        navigator.serviceWorker.register(base + "/sw.js", { scope: base + "/" });
+    }
 })();
diff --git a/web/static/sw.js b/web/static/sw.js
new file mode 100644
index 0000000..1fe129c
--- /dev/null
+++ b/web/static/sw.js
@@ -0,0 +1,66 @@
+// Favoritter — Service Worker for PWA offline support.
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+var BASE = "{{BASE_PATH}}";
+var CACHE_NAME = "favoritter-v1";
+var STATIC_URLS = [
+    BASE + "/static/vendor/pico.min.css",
+    BASE + "/static/vendor/htmx.min.js",
+    BASE + "/static/css/style.css",
+    BASE + "/static/js/app.js",
+    BASE + "/static/icons/icon-192.png"
+];
+
+self.addEventListener("install", function (event) {
+    event.waitUntil(
+        caches.open(CACHE_NAME).then(function (cache) {
+            return cache.addAll(STATIC_URLS);
+        })
+    );
+    self.skipWaiting();
+});
+
+self.addEventListener("activate", function (event) {
+    event.waitUntil(
+        caches.keys().then(function (names) {
+            return Promise.all(
+                names.filter(function (n) { return n !== CACHE_NAME; })
+                    .map(function (n) { return caches.delete(n); })
+            );
+        })
+    );
+    self.clients.claim();
+});
+
+self.addEventListener("fetch", function (event) {
+    var url = new URL(event.request.url);
+
+    // Cache-first for static assets.
+    if (url.pathname.startsWith(BASE + "/static/")) {
+        event.respondWith(
+            caches.match(event.request).then(function (cached) {
+                return cached || fetch(event.request).then(function (response) {
+                    var clone = response.clone();
+                    caches.open(CACHE_NAME).then(function (cache) {
+                        cache.put(event.request, clone);
+                    });
+                    return response;
+                });
+            })
+        );
+        return;
+    }
+
+    // Network-first for navigation (HTML pages).
+    if (event.request.mode === "navigate") {
+        event.respondWith(
+            fetch(event.request).catch(function () {
+                return caches.match(event.request);
+            })
+        );
+        return;
+    }
+
+    // Default: network only.
+    event.respondWith(fetch(event.request));
+});
diff --git a/web/templates/layouts/base.html b/web/templates/layouts/base.html
index c08d892..4c0d73f 100644
--- a/web/templates/layouts/base.html
+++ b/web/templates/layouts/base.html
@@ -6,6 +6,11 @@
     <title>{{if .Title}}{{.Title}} — {{end}}{{.SiteName}}</title>
     <link rel="stylesheet" href="{{basePath}}/static/vendor/pico.min.css">
     <link rel="stylesheet" href="{{basePath}}/static/css/style.css">
+    <meta name="theme-color" content="#1095c1">
+    <link rel="manifest" href="{{basePath}}/manifest.json">
+    <link rel="icon" type="image/png" sizes="192x192" href="{{basePath}}/static/icons/icon-192.png">
+    <link rel="apple-touch-icon" href="{{basePath}}/static/icons/icon-192.png">
+    <meta name="base-path" content="{{basePath}}">
     {{block "head" .}}{{end}}
 </head>
 <body>

From b186fb4bc53ccb6006254fbe6971e0c1eb3679d6 Mon Sep 17 00:00:00 2001
From: Ole-Morten Duesund <olemd@glemt.net>
Date: Tue, 7 Apr 2026 10:17:46 +0200
Subject: [PATCH 09/14] feat: add edit/delete buttons to list views and inline
 privacy toggle
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fave cards in the list and profile views now show edit, delete, and
privacy toggle buttons directly — no need to open the detail page first.

- New POST /faves/{id}/privacy route with HTMX privacy toggle partial
- New UpdatePrivacy store method for single-column update
- fave_list.html: edit link, HTMX delete, privacy toggle on every card
- profile.html: edit/delete for owner's own cards
- privacy_toggle.html: new HTMX partial that swaps inline on toggle
- CSS: compact .fave-card-actions styles

The existing handleFaveDelete already returns empty 200 for HTMX
requests, so hx-target="closest article" hx-swap="outerHTML" removes
the card from DOM seamlessly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 internal/handler/fave.go                   |  45 +++++
 internal/handler/handler.go                |   3 +
 internal/handler/web_test.go               | 191 +++++++++++++++++++++
 internal/store/fave.go                     |  11 ++
 internal/store/fave_test.go                |  31 ++++
 web/static/css/style.css                   |  34 ++++
 web/templates/pages/fave_list.html         |  24 ++-
 web/templates/pages/profile.html           |  14 ++
 web/templates/partials/privacy_toggle.html |  10 ++
 9 files changed, 360 insertions(+), 3 deletions(-)
 create mode 100644 web/templates/partials/privacy_toggle.html

diff --git a/internal/handler/fave.go b/internal/handler/fave.go
index fb75784..5960762 100644
--- a/internal/handler/fave.go
+++ b/internal/handler/fave.go
@@ -335,6 +335,51 @@ func (h *Handler) handleFaveDelete(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, h.deps.Config.BasePath+"/faves", http.StatusSeeOther)
 }
 
+// handleFaveTogglePrivacy toggles a fave's privacy and returns the updated toggle partial.
+func (h *Handler) handleFaveTogglePrivacy(w http.ResponseWriter, r *http.Request) {
+	user := middleware.UserFromContext(r.Context())
+
+	id, err := strconv.ParseInt(r.PathValue("id"), 10, 64)
+	if err != nil {
+		h.notFound(w, r)
+		return
+	}
+
+	fave, err := h.deps.Faves.GetByID(id)
+	if err != nil {
+		if errors.Is(err, store.ErrFaveNotFound) {
+			h.notFound(w, r)
+			return
+		}
+		slog.Error("get fave error", "error", err)
+		http.Error(w, "Internal error", http.StatusInternalServerError)
+		return
+	}
+
+	if user.ID != fave.UserID {
+		h.forbidden(w, r)
+		return
+	}
+
+	newPrivacy := "private"
+	if fave.Privacy == "private" {
+		newPrivacy = "public"
+	}
+
+	if err := h.deps.Faves.UpdatePrivacy(id, newPrivacy); err != nil {
+		slog.Error("toggle privacy error", "error", err)
+		http.Error(w, "Internal error", http.StatusInternalServerError)
+		return
+	}
+
+	fave.Privacy = newPrivacy
+
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
+	if err := h.deps.Renderer.Partial(w, "privacy_toggle", fave); err != nil {
+		slog.Error("render privacy toggle error", "error", err)
+	}
+}
+
 // handleTagSearch handles tag autocomplete HTMX requests.
 func (h *Handler) handleTagSearch(w http.ResponseWriter, r *http.Request) {
 	q := r.URL.Query().Get("q")
diff --git a/internal/handler/handler.go b/internal/handler/handler.go
index c2f3a80..d0c550f 100644
--- a/internal/handler/handler.go
+++ b/internal/handler/handler.go
@@ -103,6 +103,7 @@ func (h *Handler) Routes() *http.ServeMux {
 	mux.Handle("GET /faves/{id}/edit", requireLogin(http.HandlerFunc(h.handleFaveEdit)))
 	mux.Handle("POST /faves/{id}", requireLogin(http.HandlerFunc(h.handleFaveUpdate)))
 	mux.Handle("DELETE /faves/{id}", requireLogin(http.HandlerFunc(h.handleFaveDelete)))
+	mux.Handle("POST /faves/{id}/privacy", requireLogin(http.HandlerFunc(h.handleFaveTogglePrivacy)))
 
 	// Tags.
 	mux.HandleFunc("GET /tags/search", h.handleTagSearch)
@@ -138,6 +139,8 @@ func (h *Handler) Routes() *http.ServeMux {
 	mux.Handle("POST /admin/users", admin(h.handleAdminCreateUser))
 	mux.Handle("POST /admin/users/{id}/reset-password", admin(h.handleAdminResetPassword))
 	mux.Handle("POST /admin/users/{id}/toggle-disabled", admin(h.handleAdminToggleDisabled))
+	mux.Handle("POST /admin/users/{id}/role", admin(h.handleAdminSetRole))
+	mux.Handle("POST /admin/users/{id}/delete", admin(h.handleAdminDeleteUser))
 	mux.Handle("GET /admin/tags", admin(h.handleAdminTags))
 	mux.Handle("POST /admin/tags/{id}/rename", admin(h.handleAdminRenameTag))
 	mux.Handle("POST /admin/tags/{id}/delete", admin(h.handleAdminDeleteTag))
diff --git a/internal/handler/web_test.go b/internal/handler/web_test.go
index aa53c2e..9070357 100644
--- a/internal/handler/web_test.go
+++ b/internal/handler/web_test.go
@@ -1282,6 +1282,197 @@ func TestFaveNewPreFill(t *testing.T) {
 	}
 }
 
+// --- Privacy toggle ---
+
+func TestTogglePrivacyOwner(t *testing.T) {
+	h, mux := testServer(t)
+
+	user, _ := h.deps.Users.Create("testuser", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(user.ID, "Toggle me", "", "", "", "public")
+	token, _ := h.deps.Sessions.Create(user.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	getReq := httptest.NewRequest("GET", "/faves/"+faveIDStr(fave.ID), nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	req := postForm("/faves/"+faveIDStr(fave.ID)+"/privacy", csrf, url.Values{}, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusOK {
+		t.Fatalf("toggle privacy: got %d, want 200\nbody: %s", rr.Code, rr.Body.String())
+	}
+
+	// Should now be private.
+	updated, _ := h.deps.Faves.GetByID(fave.ID)
+	if updated.Privacy != "private" {
+		t.Errorf("privacy = %q, want private after toggle from public", updated.Privacy)
+	}
+
+	// Response should contain the toggle partial with "Privat".
+	if !strings.Contains(rr.Body.String(), "Privat") {
+		t.Error("toggle response should show new privacy state")
+	}
+}
+
+func TestTogglePrivacyNotOwner(t *testing.T) {
+	h, mux := testServer(t)
+
+	userA, _ := h.deps.Users.Create("usera", "pass123", "user")
+	fave, _ := h.deps.Faves.Create(userA.ID, "A's fave", "", "", "", "public")
+
+	cookieB := loginUser(t, h, "userb", "pass123", "user")
+
+	getReq := httptest.NewRequest("GET", "/faves/"+faveIDStr(fave.ID), nil)
+	getReq.AddCookie(cookieB)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	req := postForm("/faves/"+faveIDStr(fave.ID)+"/privacy", csrf, url.Values{}, cookieB)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if rr.Code != http.StatusForbidden {
+		t.Errorf("toggle by non-owner: got %d, want 403", rr.Code)
+	}
+}
+
+func TestFaveListShowsEditButton(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "testuser", "pass123", "user")
+
+	user, _ := h.deps.Users.GetByUsername("testuser")
+	h.deps.Faves.Create(user.ID, "Editable fave", "", "", "", "public")
+
+	req := httptest.NewRequest("GET", "/faves", nil)
+	req.AddCookie(cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	body := rr.Body.String()
+	if !strings.Contains(body, "Rediger") {
+		t.Error("fave list should show edit link")
+	}
+	if !strings.Contains(body, "Slett") {
+		t.Error("fave list should show delete button")
+	}
+	if !strings.Contains(body, "Offentlig") {
+		t.Error("fave list should show privacy toggle")
+	}
+}
+
+// --- Admin: role + delete ---
+
+func TestAdminSetRoleSuccess(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "admin", "pass123", "admin")
+
+	user, _ := h.deps.Users.Create("target", "pass123", "user")
+
+	getReq := httptest.NewRequest("GET", "/admin/users", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	form := url.Values{"role": {"admin"}}
+	req := postForm("/admin/users/"+faveIDStr(user.ID)+"/role", csrf, form, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "endret til admin") {
+		t.Errorf("should show role changed: %s", rr.Body.String())
+	}
+
+	updated, _ := h.deps.Users.GetByID(user.ID)
+	if updated.Role != "admin" {
+		t.Errorf("role = %q, want admin", updated.Role)
+	}
+}
+
+func TestAdminSetRoleSelf(t *testing.T) {
+	h, mux := testServer(t)
+
+	admin, _ := h.deps.Users.Create("admin", "pass123", "admin")
+	token, _ := h.deps.Sessions.Create(admin.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	getReq := httptest.NewRequest("GET", "/admin/users", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	form := url.Values{"role": {"user"}}
+	req := postForm("/admin/users/"+faveIDStr(admin.ID)+"/role", csrf, form, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "din egen rolle") {
+		t.Error("should prevent changing own role")
+	}
+}
+
+func TestAdminDeleteUserSuccess(t *testing.T) {
+	h, mux := testServer(t)
+	cookie := loginUser(t, h, "admin", "pass123", "admin")
+
+	user, _ := h.deps.Users.Create("deleteme", "pass123", "user")
+	h.deps.Faves.Create(user.ID, "Will be deleted", "", "", "", "public")
+
+	getReq := httptest.NewRequest("GET", "/admin/users", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	req := postForm("/admin/users/"+faveIDStr(user.ID)+"/delete", csrf, url.Values{}, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "permanent slettet") {
+		t.Errorf("should show deleted: %s", rr.Body.String())
+	}
+
+	// User should be gone.
+	_, err := h.deps.Users.GetByUsername("deleteme")
+	if err == nil {
+		t.Error("deleted user should not exist")
+	}
+
+	// Faves should be cascade-deleted.
+	faves, total, _ := h.deps.Faves.ListByUser(user.ID, 10, 0)
+	if total != 0 || len(faves) != 0 {
+		t.Error("faves should be cascade-deleted with user")
+	}
+}
+
+func TestAdminDeleteUserSelf(t *testing.T) {
+	h, mux := testServer(t)
+
+	admin, _ := h.deps.Users.Create("admin", "pass123", "admin")
+	token, _ := h.deps.Sessions.Create(admin.ID)
+	cookie := &http.Cookie{Name: "session", Value: token}
+
+	getReq := httptest.NewRequest("GET", "/admin/users", nil)
+	getReq.AddCookie(cookie)
+	getRR := httptest.NewRecorder()
+	mux.ServeHTTP(getRR, getReq)
+	csrf := extractCookie(getRR, "csrf_token")
+
+	req := postForm("/admin/users/"+faveIDStr(admin.ID)+"/delete", csrf, url.Values{}, cookie)
+	rr := httptest.NewRecorder()
+	mux.ServeHTTP(rr, req)
+
+	if !strings.Contains(rr.Body.String(), "din egen konto") {
+		t.Error("should prevent self-deletion")
+	}
+}
+
 // --- Export page ---
 
 func TestExportPageRendering(t *testing.T) {
diff --git a/internal/store/fave.go b/internal/store/fave.go
index 5888490..62f6fc3 100644
--- a/internal/store/fave.go
+++ b/internal/store/fave.go
@@ -73,6 +73,17 @@ func (s *FaveStore) Update(id int64, description, url, imagePath, notes, privacy
 	return err
 }
 
+// UpdatePrivacy toggles a fave's privacy setting.
+func (s *FaveStore) UpdatePrivacy(id int64, privacy string) error {
+	_, err := s.db.Exec(
+		`UPDATE faves SET privacy = ?,
+			updated_at = strftime('%Y-%m-%dT%H:%M:%SZ', 'now')
+		WHERE id = ?`,
+		privacy, id,
+	)
+	return err
+}
+
 // Delete removes a fave by its ID. The cascade will clean up fave_tags.
 func (s *FaveStore) Delete(id int64) error {
 	result, err := s.db.Exec("DELETE FROM faves WHERE id = ?", id)
diff --git a/internal/store/fave_test.go b/internal/store/fave_test.go
index f96ce8f..c870080 100644
--- a/internal/store/fave_test.go
+++ b/internal/store/fave_test.go
@@ -150,6 +150,37 @@ func TestFaveNotes(t *testing.T) {
 	}
 }
 
+func TestUpdatePrivacy(t *testing.T) {
+	db := testDB(t)
+	users := NewUserStore(db)
+	faves := NewFaveStore(db)
+
+	Argon2Memory = 1024
+	Argon2Time = 1
+	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
+
+	user, _ := users.Create("testuser", "password123", "user")
+	fave, _ := faves.Create(user.ID, "Toggle me", "", "", "", "public")
+
+	// Toggle to private.
+	err := faves.UpdatePrivacy(fave.ID, "private")
+	if err != nil {
+		t.Fatalf("update privacy: %v", err)
+	}
+
+	got, _ := faves.GetByID(fave.ID)
+	if got.Privacy != "private" {
+		t.Errorf("privacy = %q, want private", got.Privacy)
+	}
+
+	// Toggle back to public.
+	faves.UpdatePrivacy(fave.ID, "public")
+	got, _ = faves.GetByID(fave.ID)
+	if got.Privacy != "public" {
+		t.Errorf("privacy = %q, want public", got.Privacy)
+	}
+}
+
 func TestListByTag(t *testing.T) {
 	db := testDB(t)
 	users := NewUserStore(db)
diff --git a/web/static/css/style.css b/web/static/css/style.css
index 56780dd..4710dea 100644
--- a/web/static/css/style.css
+++ b/web/static/css/style.css
@@ -92,6 +92,40 @@
     padding: 0 1rem 0.5rem;
 }
 
+/* Card action buttons (edit/delete/privacy toggle) */
+.fave-card-actions {
+    display: flex;
+    gap: 0.5rem;
+    padding: 0 1rem 0.5rem;
+    align-items: center;
+}
+
+.fave-action-link {
+    font-size: 0.8rem;
+    text-decoration: none;
+}
+
+.fave-action-btn {
+    font-size: 0.75rem;
+    padding: 0.15rem 0.5rem;
+    margin: 0;
+    border: 1px solid var(--pico-muted-border-color);
+    background: transparent;
+    cursor: pointer;
+    border-radius: var(--pico-border-radius);
+    color: inherit;
+}
+
+.fave-action-btn:hover {
+    border-color: var(--pico-primary);
+    color: var(--pico-primary);
+}
+
+.fave-action-btn.secondary:hover {
+    border-color: var(--pico-del-color);
+    color: var(--pico-del-color);
+}
+
 /* Privacy badge */
 .badge-private {
     background: var(--pico-muted-border-color);
diff --git a/web/templates/pages/fave_list.html b/web/templates/pages/fave_list.html
index 155445f..77f8874 100644
--- a/web/templates/pages/fave_list.html
+++ b/web/templates/pages/fave_list.html
@@ -21,9 +21,6 @@
                         <a href="{{basePath}}/faves/{{.ID}}">
                             <strong>{{.Description}}</strong>
                         </a>
-                        {{if eq .Privacy "private"}}
-                            <small class="badge-private" aria-label="Privat">Privat</small>
-                        {{end}}
                     </header>
                     {{if .Tags}}
                         <footer>
@@ -32,6 +29,27 @@
                             {{end}}
                         </footer>
                     {{end}}
+                    <footer class="fave-card-actions">
+                        <span class="privacy-toggle" id="privacy-{{.ID}}">
+                            <button
+                                hx-post="{{basePath}}/faves/{{.ID}}/privacy"
+                                hx-target="#privacy-{{.ID}}"
+                                hx-swap="outerHTML"
+                                class="fave-action-btn {{if eq .Privacy "private"}}secondary{{end}}"
+                                title="{{if eq .Privacy "public"}}Gjør privat{{else}}Gjør offentlig{{end}}"
+                            >{{if eq .Privacy "public"}}Offentlig{{else}}Privat{{end}}</button>
+                        </span>
+                        <a href="{{basePath}}/faves/{{.ID}}/edit" class="fave-action-link"
+                           aria-label="Rediger {{.Description}}">Rediger</a>
+                        <button
+                            hx-delete="{{basePath}}/faves/{{.ID}}"
+                            hx-confirm="Er du sikker på at du vil slette denne favoritten?"
+                            hx-target="closest article"
+                            hx-swap="outerHTML"
+                            class="fave-action-btn secondary"
+                            aria-label="Slett {{.Description}}"
+                        >Slett</button>
+                    </footer>
                 </article>
             {{end}}
         </div>
diff --git a/web/templates/pages/profile.html b/web/templates/pages/profile.html
index 0cf2f4b..21371dd 100644
--- a/web/templates/pages/profile.html
+++ b/web/templates/pages/profile.html
@@ -75,6 +75,20 @@
                                     {{end}}
                                 </footer>
                             {{end}}
+                            {{if $d.IsOwner}}
+                                <footer class="fave-card-actions">
+                                    <a href="{{basePath}}/faves/{{.ID}}/edit" class="fave-action-link"
+                                       aria-label="Rediger {{.Description}}">Rediger</a>
+                                    <button
+                                        hx-delete="{{basePath}}/faves/{{.ID}}"
+                                        hx-confirm="Er du sikker på at du vil slette denne favoritten?"
+                                        hx-target="closest article"
+                                        hx-swap="outerHTML"
+                                        class="fave-action-btn secondary"
+                                        aria-label="Slett {{.Description}}"
+                                    >Slett</button>
+                                </footer>
+                            {{end}}
                         </article>
                     {{end}}
                 </div>
diff --git a/web/templates/partials/privacy_toggle.html b/web/templates/partials/privacy_toggle.html
new file mode 100644
index 0000000..90a0b9f
--- /dev/null
+++ b/web/templates/partials/privacy_toggle.html
@@ -0,0 +1,10 @@
+<span class="privacy-toggle" id="privacy-{{.ID}}">
+    <button
+        hx-post="{{basePath}}/faves/{{.ID}}/privacy"
+        hx-target="#privacy-{{.ID}}"
+        hx-swap="outerHTML"
+        class="fave-action-btn {{if eq .Privacy "private"}}secondary{{end}}"
+        aria-label="{{if eq .Privacy "public"}}Gjør privat{{else}}Gjør offentlig{{end}}"
+        title="{{if eq .Privacy "public"}}Gjør privat{{else}}Gjør offentlig{{end}}"
+    >{{if eq .Privacy "public"}}Offentlig{{else}}Privat{{end}}</button>
+</span>

From 254573316a5f344e41c8fbad1f72ef7f7cb2c0a1 Mon Sep 17 00:00:00 2001
From: Ole-Morten Duesund <olemd@glemt.net>
Date: Tue, 7 Apr 2026 10:18:00 +0200
Subject: [PATCH 10/14] feat: add admin role management and user deletion
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Admins can now change user roles and permanently delete user accounts.

- New SetRole store method with validation (user/admin only)
- New Delete store method — cascades via foreign keys to sessions,
  faves, and fave_tags
- handleAdminSetRole: change role with self-modification prevention
- handleAdminDeleteUser: permanent deletion with image cleanup from
  disk before cascade delete, self-deletion prevention
- admin_users.html: role dropdown with save button per user row,
  delete button with hx-confirm for safety
- Routes: POST /admin/users/{id}/role, POST /admin/users/{id}/delete

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 internal/handler/admin.go            | 83 ++++++++++++++++++++++++++++
 internal/store/user.go               | 28 ++++++++++
 internal/store/user_test.go          | 68 +++++++++++++++++++++++
 web/templates/pages/admin_users.html | 16 ++++++
 4 files changed, 195 insertions(+)

diff --git a/internal/handler/admin.go b/internal/handler/admin.go
index ea3b0d2..1c8c2e5 100644
--- a/internal/handler/admin.go
+++ b/internal/handler/admin.go
@@ -11,6 +11,7 @@ import (
 	"strconv"
 	"strings"
 
+	"kode.naiv.no/olemd/favoritter/internal/image"
 	"kode.naiv.no/olemd/favoritter/internal/middleware"
 	"kode.naiv.no/olemd/favoritter/internal/render"
 	"kode.naiv.no/olemd/favoritter/internal/store"
@@ -158,6 +159,88 @@ func (h *Handler) handleAdminToggleDisabled(w http.ResponseWriter, r *http.Reque
 	h.adminUsersFlash(w, r, "Bruker "+user.Username+" er "+action+".", "success")
 }
 
+// handleAdminSetRole changes a user's role.
+func (h *Handler) handleAdminSetRole(w http.ResponseWriter, r *http.Request) {
+	admin := middleware.UserFromContext(r.Context())
+
+	id, err := strconv.ParseInt(r.PathValue("id"), 10, 64)
+	if err != nil {
+		http.NotFound(w, r)
+		return
+	}
+
+	if id == admin.ID {
+		h.adminUsersFlash(w, r, "Du kan ikke endre din egen rolle.", "error")
+		return
+	}
+
+	if err := r.ParseForm(); err != nil {
+		http.Error(w, "Bad request", http.StatusBadRequest)
+		return
+	}
+
+	role := r.FormValue("role")
+	if role != "user" && role != "admin" {
+		h.adminUsersFlash(w, r, "Ugyldig rolle.", "error")
+		return
+	}
+
+	if err := h.deps.Users.SetRole(id, role); err != nil {
+		slog.Error("set role error", "error", err)
+		h.adminUsersFlash(w, r, "Noe gikk galt.", "error")
+		return
+	}
+
+	user, _ := h.deps.Users.GetByID(id)
+	h.adminUsersFlash(w, r, "Rollen til "+user.Username+" er endret til "+role+".", "success")
+}
+
+// handleAdminDeleteUser permanently deletes a user and all their data.
+func (h *Handler) handleAdminDeleteUser(w http.ResponseWriter, r *http.Request) {
+	admin := middleware.UserFromContext(r.Context())
+
+	id, err := strconv.ParseInt(r.PathValue("id"), 10, 64)
+	if err != nil {
+		http.NotFound(w, r)
+		return
+	}
+
+	if id == admin.ID {
+		h.adminUsersFlash(w, r, "Du kan ikke slette din egen konto.", "error")
+		return
+	}
+
+	user, err := h.deps.Users.GetByID(id)
+	if err != nil {
+		slog.Error("get user error", "error", err)
+		h.adminUsersFlash(w, r, "Noe gikk galt.", "error")
+		return
+	}
+
+	// Delete user's images from disk before database deletion.
+	faves, _, _ := h.deps.Faves.ListByUser(id, 100000, 0)
+	for _, f := range faves {
+		if f.ImagePath != "" {
+			if delErr := image.Delete(h.deps.Config.UploadDir, f.ImagePath); delErr != nil {
+				slog.Error("image delete error", "fave_id", f.ID, "error", delErr)
+			}
+		}
+	}
+	if user.AvatarPath != "" {
+		if delErr := image.Delete(h.deps.Config.UploadDir, user.AvatarPath); delErr != nil {
+			slog.Error("avatar delete error", "user_id", id, "error", delErr)
+		}
+	}
+
+	if err := h.deps.Users.Delete(id); err != nil {
+		slog.Error("delete user error", "error", err)
+		h.adminUsersFlash(w, r, "Noe gikk galt.", "error")
+		return
+	}
+
+	h.adminUsersFlash(w, r, "Bruker "+user.Username+" er permanent slettet.", "success")
+}
+
 // handleAdminTags lists all tags.
 func (h *Handler) handleAdminTags(w http.ResponseWriter, r *http.Request) {
 	tags, err := h.deps.Tags.ListAll()
diff --git a/internal/store/user.go b/internal/store/user.go
index 22b766a..2035c34 100644
--- a/internal/store/user.go
+++ b/internal/store/user.go
@@ -198,6 +198,34 @@ func (s *UserStore) SetDisabled(userID int64, disabled bool) error {
 	return err
 }
 
+// SetRole changes a user's role (user/admin).
+func (s *UserStore) SetRole(userID int64, role string) error {
+	if role != "user" && role != "admin" {
+		return fmt.Errorf("invalid role: %s", role)
+	}
+	_, err := s.db.Exec(
+		`UPDATE users SET role = ?,
+			updated_at = strftime('%Y-%m-%dT%H:%M:%SZ', 'now')
+		WHERE id = ?`,
+		role, userID,
+	)
+	return err
+}
+
+// Delete permanently removes a user. Cascading foreign keys handle
+// sessions, faves, and fave_tags. Image cleanup must be done by the caller.
+func (s *UserStore) Delete(userID int64) error {
+	result, err := s.db.Exec("DELETE FROM users WHERE id = ?", userID)
+	if err != nil {
+		return fmt.Errorf("delete user: %w", err)
+	}
+	n, _ := result.RowsAffected()
+	if n == 0 {
+		return ErrUserNotFound
+	}
+	return nil
+}
+
 // ListAll returns all users, ordered by username.
 func (s *UserStore) ListAll() ([]*model.User, error) {
 	rows, err := s.db.Query(
diff --git a/internal/store/user_test.go b/internal/store/user_test.go
index ec5f5f0..3902fd9 100644
--- a/internal/store/user_test.go
+++ b/internal/store/user_test.go
@@ -203,3 +203,71 @@ func TestDisabledUser(t *testing.T) {
 		t.Errorf("disabled user error = %v, want ErrUserDisabled", err)
 	}
 }
+
+func TestSetRole(t *testing.T) {
+	db := testDB(t)
+	users := NewUserStore(db)
+
+	Argon2Memory = 1024
+	Argon2Time = 1
+	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
+
+	user, _ := users.Create("testuser", "password123", "user")
+	if user.Role != "user" {
+		t.Fatalf("initial role = %q", user.Role)
+	}
+
+	// Promote to admin.
+	err := users.SetRole(user.ID, "admin")
+	if err != nil {
+		t.Fatalf("set role: %v", err)
+	}
+
+	updated, _ := users.GetByID(user.ID)
+	if updated.Role != "admin" {
+		t.Errorf("role = %q, want admin", updated.Role)
+	}
+
+	// Invalid role should error.
+	err = users.SetRole(user.ID, "superadmin")
+	if err == nil {
+		t.Error("invalid role should return error")
+	}
+}
+
+func TestDeleteUser(t *testing.T) {
+	db := testDB(t)
+	users := NewUserStore(db)
+	faves := NewFaveStore(db)
+
+	Argon2Memory = 1024
+	Argon2Time = 1
+	defer func() { Argon2Memory = 65536; Argon2Time = 3 }()
+
+	user, _ := users.Create("deleteme", "password123", "user")
+	faves.Create(user.ID, "Fave 1", "", "", "", "public")
+	faves.Create(user.ID, "Fave 2", "", "", "", "public")
+
+	err := users.Delete(user.ID)
+	if err != nil {
+		t.Fatalf("delete user: %v", err)
+	}
+
+	// User should be gone.
+	_, err = users.GetByUsername("deleteme")
+	if err != ErrUserNotFound {
+		t.Errorf("expected ErrUserNotFound, got %v", err)
+	}
+
+	// Faves should be cascade-deleted.
+	list, total, _ := faves.ListByUser(user.ID, 10, 0)
+	if total != 0 || len(list) != 0 {
+		t.Errorf("faves should be cascade-deleted: total=%d, len=%d", total, len(list))
+	}
+
+	// Deleting non-existent user should return error.
+	err = users.Delete(99999)
+	if err != ErrUserNotFound {
+		t.Errorf("delete nonexistent: %v, want ErrUserNotFound", err)
+	}
+}
diff --git a/web/templates/pages/admin_users.html b/web/templates/pages/admin_users.html
index bedcd70..d61a3f5 100644
--- a/web/templates/pages/admin_users.html
+++ b/web/templates/pages/admin_users.html
@@ -54,6 +54,14 @@
             </td>
             <td>{{.CreatedAt.Format "02.01.2006"}}</td>
             <td>
+                <form method="POST" action="{{basePath}}/admin/users/{{.ID}}/role" class="inline-form">
+                    <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
+                    <select name="role" class="inline-input">
+                        <option value="user" {{if eq .Role "user"}}selected{{end}}>Bruker</option>
+                        <option value="admin" {{if eq .Role "admin"}}selected{{end}}>Admin</option>
+                    </select>
+                    <button type="submit" class="outline nav-button">Lagre</button>
+                </form>
                 <form method="POST" action="{{basePath}}/admin/users/{{.ID}}/reset-password" class="inline-form">
                     <input type="hidden" name="csrf_token" value="{{$.CSRFToken}}">
                     <button type="submit" class="outline secondary nav-button">Tilbakestill passord</button>
@@ -64,6 +72,14 @@
                         {{if .Disabled}}Aktiver{{else}}Deaktiver{{end}}
                     </button>
                 </form>
+                <button
+                    hx-post="{{basePath}}/admin/users/{{.ID}}/delete"
+                    hx-confirm="Er du HELT sikker? Dette sletter brukeren og alle favorittene permanent."
+                    hx-target="closest tr"
+                    hx-swap="outerHTML"
+                    class="outline secondary nav-button"
+                    style="color: var(--pico-del-color);"
+                >Slett</button>
             </td>
         </tr>
         {{end}}

From e379039fe8f01771358840aa94afae89eb2d36c8 Mon Sep 17 00:00:00 2001
From: Ole-Morten Duesund <olemd@glemt.net>
Date: Tue, 7 Apr 2026 10:47:13 +0200
Subject: [PATCH 11/14] refactor: simplify PWA handlers and fix review findings
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Address code review findings from reuse, quality, and efficiency agents:

- Cache manifest JSON and service worker JS at init (was rebuilt per
  request with allocations and JSON encoding on every hit)
- Add ImagePathsByUser store method for targeted image cleanup (was
  loading 100k full fave objects just to read image_path)
- Add missing aria-label on privacy toggle in fave_list.html (inline
  copy had drifted from the partial — accessibility bug)
- Fix comment/function name mismatch in pwa.go
- Remove redundant user nil-check in handleShare (requireLogin guards)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 internal/handler/admin.go          | 10 +++---
 internal/handler/handler.go        |  8 ++++-
 internal/handler/pwa.go            | 51 ++++++++++++------------------
 internal/store/fave.go             | 23 ++++++++++++++
 web/templates/pages/fave_list.html |  1 +
 5 files changed, 55 insertions(+), 38 deletions(-)

diff --git a/internal/handler/admin.go b/internal/handler/admin.go
index 1c8c2e5..b179bc5 100644
--- a/internal/handler/admin.go
+++ b/internal/handler/admin.go
@@ -218,12 +218,10 @@ func (h *Handler) handleAdminDeleteUser(w http.ResponseWriter, r *http.Request)
 	}
 
 	// Delete user's images from disk before database deletion.
-	faves, _, _ := h.deps.Faves.ListByUser(id, 100000, 0)
-	for _, f := range faves {
-		if f.ImagePath != "" {
-			if delErr := image.Delete(h.deps.Config.UploadDir, f.ImagePath); delErr != nil {
-				slog.Error("image delete error", "fave_id", f.ID, "error", delErr)
-			}
+	imagePaths, _ := h.deps.Faves.ImagePathsByUser(id)
+	for _, p := range imagePaths {
+		if delErr := image.Delete(h.deps.Config.UploadDir, p); delErr != nil {
+			slog.Error("image delete error", "error", delErr)
 		}
 	}
 	if user.AvatarPath != "" {
diff --git a/internal/handler/handler.go b/internal/handler/handler.go
index d0c550f..f04e3c6 100644
--- a/internal/handler/handler.go
+++ b/internal/handler/handler.go
@@ -32,14 +32,20 @@ type Deps struct {
 type Handler struct {
 	deps        Deps
 	rateLimiter *middleware.RateLimiter
+
+	// Cached PWA responses (computed once at init, never change).
+	manifestJSON []byte
+	swJS         []byte
 }
 
 // New creates a new Handler with the given dependencies.
 func New(deps Deps) *Handler {
-	return &Handler{
+	h := &Handler{
 		deps:        deps,
 		rateLimiter: middleware.NewRateLimiter(deps.Config.RateLimit),
 	}
+	h.initPWACache()
+	return h
 }
 
 // RateLimiterCleanupLoop periodically evicts stale rate limiter entries.
diff --git a/internal/handler/pwa.go b/internal/handler/pwa.go
index f64fb20..61430bb 100644
--- a/internal/handler/pwa.go
+++ b/internal/handler/pwa.go
@@ -14,8 +14,9 @@ import (
 	"kode.naiv.no/olemd/favoritter/web"
 )
 
-// handleManifest serves the Web App Manifest with dynamic BasePath injection.
-func (h *Handler) handleManifest(w http.ResponseWriter, r *http.Request) {
+// initPWACache pre-computes the manifest JSON and service worker JS
+// so they can be served without per-request allocations.
+func (h *Handler) initPWACache() {
 	bp := h.deps.Config.BasePath
 
 	manifest := map[string]any{
@@ -42,44 +43,33 @@ func (h *Handler) handleManifest(w http.ResponseWriter, r *http.Request) {
 			},
 		},
 	}
+	h.manifestJSON, _ = json.Marshal(manifest)
 
-	w.Header().Set("Content-Type", "application/manifest+json")
-	json.NewEncoder(w).Encode(manifest)
+	staticFS, err := fs.Sub(web.StaticFS, "static")
+	if err == nil {
+		if data, err := fs.ReadFile(staticFS, "sw.js"); err == nil {
+			h.swJS = []byte(strings.ReplaceAll(string(data), "{{BASE_PATH}}", bp))
+		}
+	}
 }
 
-// handleServiceWorker serves the service worker JS from root scope.
-// BasePath is injected via placeholder replacement so the SW can
-// cache the correct static asset paths.
+// handleManifest serves the pre-computed Web App Manifest.
+func (h *Handler) handleManifest(w http.ResponseWriter, r *http.Request) {
+	w.Header().Set("Content-Type", "application/manifest+json")
+	w.Write(h.manifestJSON)
+}
+
+// handleServiceWorker serves the pre-computed service worker JS.
 func (h *Handler) handleServiceWorker(w http.ResponseWriter, r *http.Request) {
-	staticFS, err := fs.Sub(web.StaticFS, "static")
-	if err != nil {
-		http.Error(w, "Not found", http.StatusNotFound)
-		return
-	}
-
-	data, err := fs.ReadFile(staticFS, "sw.js")
-	if err != nil {
-		http.Error(w, "Not found", http.StatusNotFound)
-		return
-	}
-
-	content := strings.ReplaceAll(string(data), "{{BASE_PATH}}", h.deps.Config.BasePath)
-
 	w.Header().Set("Content-Type", "application/javascript")
 	w.Header().Set("Cache-Control", "no-cache")
-	w.Write([]byte(content))
+	w.Write(h.swJS)
 }
 
 // handleShare receives Android share intents via the Web Share Target API
 // and redirects to the new-fave form with pre-filled values.
 // Uses GET to avoid CSRF issues (Android cannot provide CSRF tokens).
 func (h *Handler) handleShare(w http.ResponseWriter, r *http.Request) {
-	user := middleware.UserFromContext(r.Context())
-	if user == nil {
-		http.Redirect(w, r, h.deps.Config.BasePath+"/login", http.StatusSeeOther)
-		return
-	}
-
 	sharedURL := r.URL.Query().Get("url")
 	sharedTitle := r.URL.Query().Get("title")
 	sharedText := r.URL.Query().Get("text")
@@ -88,7 +78,6 @@ func (h *Handler) handleShare(w http.ResponseWriter, r *http.Request) {
 	if sharedURL == "" && sharedText != "" {
 		sharedURL = extractURL(sharedText)
 		if sharedURL != "" {
-			// Remove the URL from text so it's not duplicated.
 			sharedText = strings.TrimSpace(strings.Replace(sharedText, sharedURL, "", 1))
 		}
 	}
@@ -96,7 +85,7 @@ func (h *Handler) handleShare(w http.ResponseWriter, r *http.Request) {
 	description := sharedTitle
 	if description == "" && sharedText != "" {
 		description = sharedText
-		sharedText = "" // Don't duplicate into notes.
+		sharedText = ""
 	}
 
 	target := h.deps.Config.BasePath + "/faves/new?"
@@ -114,7 +103,7 @@ func (h *Handler) handleShare(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, target+params.Encode(), http.StatusSeeOther)
 }
 
-// handleFaveNewWithPreFill shows the new fave form, optionally pre-filled
+// handleFaveNewPreFill shows the new fave form, optionally pre-filled
 // from query parameters (used by share target and bookmarklets).
 func (h *Handler) handleFaveNewPreFill(w http.ResponseWriter, r *http.Request) {
 	user := middleware.UserFromContext(r.Context())
diff --git a/internal/store/fave.go b/internal/store/fave.go
index 62f6fc3..69f5cf6 100644
--- a/internal/store/fave.go
+++ b/internal/store/fave.go
@@ -97,6 +97,29 @@ func (s *FaveStore) Delete(id int64) error {
 	return nil
 }
 
+// ImagePathsByUser returns all non-empty image paths for a user's faves.
+// Used for cleanup before user deletion.
+func (s *FaveStore) ImagePathsByUser(userID int64) ([]string, error) {
+	rows, err := s.db.Query(
+		"SELECT image_path FROM faves WHERE user_id = ? AND image_path != ''",
+		userID,
+	)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	var paths []string
+	for rows.Next() {
+		var p string
+		if err := rows.Scan(&p); err != nil {
+			return nil, err
+		}
+		paths = append(paths, p)
+	}
+	return paths, rows.Err()
+}
+
 // ListByUser returns all faves for a user (both public and private),
 // ordered by newest first, with pagination.
 func (s *FaveStore) ListByUser(userID int64, limit, offset int) ([]*model.Fave, int, error) {
diff --git a/web/templates/pages/fave_list.html b/web/templates/pages/fave_list.html
index 77f8874..814bd17 100644
--- a/web/templates/pages/fave_list.html
+++ b/web/templates/pages/fave_list.html
@@ -36,6 +36,7 @@
                                 hx-target="#privacy-{{.ID}}"
                                 hx-swap="outerHTML"
                                 class="fave-action-btn {{if eq .Privacy "private"}}secondary{{end}}"
+                                aria-label="{{if eq .Privacy "public"}}Gjør privat{{else}}Gjør offentlig{{end}}"
                                 title="{{if eq .Privacy "public"}}Gjør privat{{else}}Gjør offentlig{{end}}"
                             >{{if eq .Privacy "public"}}Offentlig{{else}}Privat{{end}}</button>
                         </span>

From fe925fc292fcc2fa9063968e96067257d78fee23 Mon Sep 17 00:00:00 2001
From: Ole-Morten Duesund <olemd@glemt.net>
Date: Tue, 7 Apr 2026 10:54:23 +0200
Subject: [PATCH 12/14] feat: add OG meta tags to home page, tag browse, and
 profile bio

Complete Open Graph coverage across all public pages:

- Home page: og:title (site name), og:description, og:type=website,
  og:url, og:site_name
- Tag browse: og:title with tag name, og:description with count,
  og:url, og:site_name
- Profile: add og:description using bio (truncated to 200 chars)
  with fallback to generic text

Previously only fave detail and profile (without description) had
OG tags.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 web/templates/pages/home.html       | 10 ++++++++++
 web/templates/pages/profile.html    |  5 +++++
 web/templates/pages/tag_browse.html | 12 ++++++++++++
 3 files changed, 27 insertions(+)

diff --git a/web/templates/pages/home.html b/web/templates/pages/home.html
index 9d28f9e..1515c85 100644
--- a/web/templates/pages/home.html
+++ b/web/templates/pages/home.html
@@ -1,3 +1,13 @@
+{{define "head"}}
+<meta property="og:title" content="{{.SiteName}}">
+<meta property="og:description" content="Lagre og del dine favoritter">
+<meta property="og:type" content="website">
+{{if .ExternalURL}}
+    <meta property="og:url" content="{{.ExternalURL}}">
+{{end}}
+<meta property="og:site_name" content="{{.SiteName}}">
+{{end}}
+
 {{define "content"}}
 {{if .User}}
     <hgroup>
diff --git a/web/templates/pages/profile.html b/web/templates/pages/profile.html
index 21371dd..ca25524 100644
--- a/web/templates/pages/profile.html
+++ b/web/templates/pages/profile.html
@@ -2,6 +2,11 @@
 {{with .Data}}{{$d := .}}{{with .ProfileUser}}
     {{if eq .ProfileVisibility "public"}}
         <meta property="og:title" content="{{.DisplayNameOrUsername}} sine favoritter">
+        {{if .Bio}}
+            <meta property="og:description" content="{{truncate 200 .Bio}}">
+        {{else}}
+            <meta property="og:description" content="{{.DisplayNameOrUsername}} sine favoritter på {{$.SiteName}}">
+        {{end}}
         <meta property="og:type" content="profile">
         {{if $.ExternalURL}}
             <meta property="og:url" content="{{$.ExternalURL}}/u/{{.Username}}">
diff --git a/web/templates/pages/tag_browse.html b/web/templates/pages/tag_browse.html
index 2502082..84cfaa9 100644
--- a/web/templates/pages/tag_browse.html
+++ b/web/templates/pages/tag_browse.html
@@ -1,3 +1,15 @@
+{{define "head"}}
+{{with .Data}}
+<meta property="og:title" content="Favoritter med merkelapp: {{.TagName}}">
+<meta property="og:description" content="{{.Total}} offentlige favoritter med merkelappen «{{.TagName}}»">
+<meta property="og:type" content="website">
+{{if $.ExternalURL}}
+    <meta property="og:url" content="{{$.ExternalURL}}/tags/{{.TagName}}">
+{{end}}
+<meta property="og:site_name" content="{{$.SiteName}}">
+{{end}}
+{{end}}
+
 {{define "content"}}
 {{with .Data}}
 <hgroup>

From 04c6dd3df622e6219042cf44c35936ca5745ca2b Mon Sep 17 00:00:00 2001
From: Ole-Morten Duesund <olemd@glemt.net>
Date: Tue, 7 Apr 2026 10:57:59 +0200
Subject: [PATCH 13/14] chore: add .claude to .gitignore

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .gitignore | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
index 7da7645..2b3721a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -15,9 +15,10 @@
 *.out
 /vendor/
 
-# IDE
+# IDE / AI
 .vscode/
 .idea/
+.claude/
 *.swp
 *.swo
 *~

From a456d0096abdb93fc8d5784789050c49fa496201 Mon Sep 17 00:00:00 2001
From: Ole-Morten Duesund <olemd@glemt.net>
Date: Tue, 7 Apr 2026 13:37:39 +0200
Subject: [PATCH 14/14] feat: add CLI commands for user management

Adds subcommands to the binary for admin tasks without needing
the web UI: list users, set passwords, promote/demote roles,
and lock/unlock accounts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 CLAUDE.md                  |  15 ++-
 cmd/favoritter/cli_user.go | 246 +++++++++++++++++++++++++++++++++++++
 cmd/favoritter/main.go     |  23 ++--
 go.mod                     |   1 +
 go.sum                     |   2 +
 5 files changed, 275 insertions(+), 12 deletions(-)
 create mode 100644 cmd/favoritter/cli_user.go

diff --git a/CLAUDE.md b/CLAUDE.md
index 9519306..494a620 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -14,13 +14,24 @@ make test                            # Run tests
 make container                       # Build container image
 ```
 
+### CLI Admin Commands
+
+```bash
+favoritter user list                  # List all users
+favoritter user set-password <user>   # Change a user's password
+favoritter user promote <user>        # Promote user to admin
+favoritter user demote <user>         # Remove admin role
+favoritter user lock <user>           # Disable user account
+favoritter user unlock <user>         # Enable user account
+```
+
 ## Architecture
 
 Single Go binary serving HTML (server-rendered templates + HTMX) and a JSON API. SQLite for storage, filesystem for uploaded images. All templates and static assets are embedded via `go:embed`.
 
 ### Directory Layout
 
-- `cmd/favoritter/` — Entry point, wiring, graceful shutdown
+- `cmd/favoritter/` — Entry point, wiring, graceful shutdown, CLI admin commands (`cli_*.go`)
 - `internal/config/` — Environment variable configuration
 - `internal/database/` — SQLite connection, PRAGMAs, migration runner
 - `internal/model/` — Domain types (no logic, no DB)
@@ -37,7 +48,7 @@ Single Go binary serving HTML (server-rendered templates + HTMX) and a JSON API.
 ### Key Design Decisions
 
 - **Go 1.22+ stdlib router** — no framework, `http.ServeMux` with method routing
-- **3 external dependencies** — modernc.org/sqlite (pure Go), golang.org/x/crypto (Argon2id), gorilla/feeds
+- **Minimal dependencies** — modernc.org/sqlite (pure Go), golang.org/x/crypto (Argon2id), gorilla/feeds, google/uuid, golang.org/x/term
 - **`SetMaxOpenConns(1)`** — SQLite works best with a single writer; PRAGMAs are set once on the single connection
 - **Templates embedded in binary** — `//go:embed` for single-binary deployment; dev mode reads from disk for live reload
 - **Middleware chain order matters** — Recovery → SecurityHeaders → BasePath → RealIP → Logger → SessionLoader → CSRF → MustResetGuard
diff --git a/cmd/favoritter/cli_user.go b/cmd/favoritter/cli_user.go
new file mode 100644
index 0000000..ed48237
--- /dev/null
+++ b/cmd/favoritter/cli_user.go
@@ -0,0 +1,246 @@
+// SPDX-License-Identifier: AGPL-3.0-or-later
+
+package main
+
+import (
+	"fmt"
+	"os"
+	"strings"
+	"text/tabwriter"
+
+	"golang.org/x/term"
+
+	"kode.naiv.no/olemd/favoritter/internal/config"
+	"kode.naiv.no/olemd/favoritter/internal/database"
+	"kode.naiv.no/olemd/favoritter/internal/store"
+)
+
+// runUserCommand dispatches user management subcommands.
+func runUserCommand(args []string) {
+	if len(args) == 0 {
+		printUserUsage()
+		os.Exit(1)
+	}
+
+	switch args[0] {
+	case "list":
+		runUserList()
+	case "set-password":
+		if len(args) < 2 {
+			fmt.Fprintf(os.Stderr, "Bruk: favoritter user set-password <brukernavn>\n")
+			os.Exit(1)
+		}
+		runUserSetPassword(args[1])
+	case "promote":
+		if len(args) < 2 {
+			fmt.Fprintf(os.Stderr, "Bruk: favoritter user promote <brukernavn>\n")
+			os.Exit(1)
+		}
+		runUserSetRole(args[1], "admin")
+	case "demote":
+		if len(args) < 2 {
+			fmt.Fprintf(os.Stderr, "Bruk: favoritter user demote <brukernavn>\n")
+			os.Exit(1)
+		}
+		runUserSetRole(args[1], "user")
+	case "lock":
+		if len(args) < 2 {
+			fmt.Fprintf(os.Stderr, "Bruk: favoritter user lock <brukernavn>\n")
+			os.Exit(1)
+		}
+		runUserSetDisabled(args[1], true)
+	case "unlock":
+		if len(args) < 2 {
+			fmt.Fprintf(os.Stderr, "Bruk: favoritter user unlock <brukernavn>\n")
+			os.Exit(1)
+		}
+		runUserSetDisabled(args[1], false)
+	default:
+		fmt.Fprintf(os.Stderr, "Ukjent underkommando: %s\n\n", args[0])
+		printUserUsage()
+		os.Exit(1)
+	}
+}
+
+// printUserUsage prints help text for the user subcommand.
+func printUserUsage() {
+	fmt.Fprintf(os.Stderr, "Bruk: favoritter user <kommando>\n\n")
+	fmt.Fprintf(os.Stderr, "Kommandoer:\n")
+	fmt.Fprintf(os.Stderr, "  list                   Vis alle brukere\n")
+	fmt.Fprintf(os.Stderr, "  set-password <bruker>   Endre passord for en bruker\n")
+	fmt.Fprintf(os.Stderr, "  promote <bruker>        Gjør bruker til administrator\n")
+	fmt.Fprintf(os.Stderr, "  demote <bruker>         Fjern administratorrettigheter\n")
+	fmt.Fprintf(os.Stderr, "  lock <bruker>           Deaktiver brukerkonto\n")
+	fmt.Fprintf(os.Stderr, "  unlock <bruker>         Aktiver brukerkonto\n")
+}
+
+// openDB loads config, opens the database, and runs migrations.
+// It exits the process on failure.
+func openDB() (*store.UserStore, func()) {
+	cfg := config.Load()
+	db, err := database.Open(cfg.DBPath)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Feil: kunne ikke åpne databasen: %v\n", err)
+		os.Exit(1)
+	}
+
+	if err := database.Migrate(db); err != nil {
+		db.Close()
+		fmt.Fprintf(os.Stderr, "Feil: migrering feilet: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Configure Argon2 parameters from config.
+	store.Argon2Memory = cfg.Argon2Memory
+	store.Argon2Time = cfg.Argon2Time
+	store.Argon2Parallelism = cfg.Argon2Parallelism
+
+	users := store.NewUserStore(db)
+	return users, func() { db.Close() }
+}
+
+// runUserList prints all users in a table.
+func runUserList() {
+	users, cleanup := openDB()
+	defer cleanup()
+
+	all, err := users.ListAll()
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Feil: kunne ikke hente brukere: %v\n", err)
+		os.Exit(1)
+	}
+
+	if len(all) == 0 {
+		fmt.Println("Ingen brukere funnet.")
+		return
+	}
+
+	w := tabwriter.NewWriter(os.Stdout, 0, 4, 2, ' ', 0)
+	fmt.Fprintln(w, "ID\tBRUKERNAVN\tVISNINGSNAVN\tROLLE\tSTATUS\tOPPRETTET")
+	for _, u := range all {
+		status := "aktiv"
+		if u.Disabled {
+			status = "deaktivert"
+		}
+		if u.MustResetPassword {
+			status += ", må bytte passord"
+		}
+		fmt.Fprintf(w, "%d\t%s\t%s\t%s\t%s\t%s\n",
+			u.ID,
+			u.Username,
+			u.DisplayName,
+			u.Role,
+			status,
+			u.CreatedAt.Format("2006-01-02"),
+		)
+	}
+	w.Flush()
+}
+
+// runUserSetPassword prompts for a new password and updates it.
+func runUserSetPassword(username string) {
+	users, cleanup := openDB()
+	defer cleanup()
+
+	user, err := users.GetByUsername(username)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Feil: bruker %q ikke funnet\n", username)
+		os.Exit(1)
+	}
+
+	// Read new password from terminal.
+	fmt.Fprintf(os.Stderr, "Nytt passord for %s: ", username)
+	pw1, err := term.ReadPassword(int(os.Stdin.Fd()))
+	fmt.Fprintln(os.Stderr)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Feil: kunne ikke lese passord: %v\n", err)
+		os.Exit(1)
+	}
+
+	fmt.Fprintf(os.Stderr, "Gjenta passord: ")
+	pw2, err := term.ReadPassword(int(os.Stdin.Fd()))
+	fmt.Fprintln(os.Stderr)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Feil: kunne ikke lese passord: %v\n", err)
+		os.Exit(1)
+	}
+
+	password := strings.TrimSpace(string(pw1))
+	if password != strings.TrimSpace(string(pw2)) {
+		fmt.Fprintf(os.Stderr, "Feil: passordene stemmer ikke overens\n")
+		os.Exit(1)
+	}
+
+	if len(password) < 8 {
+		fmt.Fprintf(os.Stderr, "Feil: passordet må være minst 8 tegn\n")
+		os.Exit(1)
+	}
+
+	if err := users.UpdatePassword(user.ID, password); err != nil {
+		fmt.Fprintf(os.Stderr, "Feil: kunne ikke oppdatere passord: %v\n", err)
+		os.Exit(1)
+	}
+
+	fmt.Printf("Passord oppdatert for %s.\n", username)
+}
+
+// runUserSetRole promotes or demotes a user.
+func runUserSetRole(username, role string) {
+	users, cleanup := openDB()
+	defer cleanup()
+
+	user, err := users.GetByUsername(username)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Feil: bruker %q ikke funnet\n", username)
+		os.Exit(1)
+	}
+
+	if user.Role == role {
+		fmt.Fprintf(os.Stderr, "%s har allerede rollen %q\n", username, role)
+		return
+	}
+
+	if err := users.SetRole(user.ID, role); err != nil {
+		fmt.Fprintf(os.Stderr, "Feil: kunne ikke endre rolle: %v\n", err)
+		os.Exit(1)
+	}
+
+	switch role {
+	case "admin":
+		fmt.Printf("%s er nå administrator.\n", username)
+	default:
+		fmt.Printf("%s er ikke lenger administrator.\n", username)
+	}
+}
+
+// runUserSetDisabled locks or unlocks a user account.
+func runUserSetDisabled(username string, disabled bool) {
+	users, cleanup := openDB()
+	defer cleanup()
+
+	user, err := users.GetByUsername(username)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Feil: bruker %q ikke funnet\n", username)
+		os.Exit(1)
+	}
+
+	if user.Disabled == disabled {
+		if disabled {
+			fmt.Fprintf(os.Stderr, "%s er allerede deaktivert\n", username)
+		} else {
+			fmt.Fprintf(os.Stderr, "%s er allerede aktiv\n", username)
+		}
+		return
+	}
+
+	if err := users.SetDisabled(user.ID, disabled); err != nil {
+		fmt.Fprintf(os.Stderr, "Feil: kunne ikke endre kontostatus: %v\n", err)
+		os.Exit(1)
+	}
+
+	if disabled {
+		fmt.Printf("%s er nå deaktivert.\n", username)
+	} else {
+		fmt.Printf("%s er nå aktivert.\n", username)
+	}
+}
diff --git a/cmd/favoritter/main.go b/cmd/favoritter/main.go
index d194a18..5bb264b 100644
--- a/cmd/favoritter/main.go
+++ b/cmd/favoritter/main.go
@@ -28,16 +28,19 @@ var (
 )
 
 func main() {
-	// Handle -healthcheck flag for container health checks.
-	if len(os.Args) > 1 && os.Args[1] == "-healthcheck" {
-		runHealthCheck()
-		return
-	}
-
-	// Handle -version flag.
-	if len(os.Args) > 1 && os.Args[1] == "-version" {
-		fmt.Printf("favoritter %s (built %s)\n", version, buildDate)
-		return
+	// Handle flags and subcommands before starting the server.
+	if len(os.Args) > 1 {
+		switch os.Args[1] {
+		case "-healthcheck":
+			runHealthCheck()
+			return
+		case "-version":
+			fmt.Printf("favoritter %s (built %s)\n", version, buildDate)
+			return
+		case "user":
+			runUserCommand(os.Args[2:])
+			return
+		}
 	}
 
 	cfg := config.Load()
diff --git a/go.mod b/go.mod
index 336ed5f..1867857 100644
--- a/go.mod
+++ b/go.mod
@@ -6,6 +6,7 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/gorilla/feeds v1.2.0
 	golang.org/x/crypto v0.49.0
+	golang.org/x/term v0.41.0
 	modernc.org/sqlite v1.48.0
 )
 
diff --git a/go.sum b/go.sum
index b1e95be..3793a55 100644
--- a/go.sum
+++ b/go.sum
@@ -29,6 +29,8 @@ golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
 golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU=
+golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A=
 golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
 golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
 modernc.org/cc/v4 v4.27.1 h1:9W30zRlYrefrDV2JE2O8VDtJ1yPGownxciz5rrbQZis=