category creation fixed now

Cargo.lock

@@ -572,6 +572,12 @@ dependencies = [
  "thiserror 1.0.69",
 ]
 
+[[package]]
+name = "base32"
+version = "0.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "022dfe9eb35f19ebbcb51e0b40a5ab759f46ad60cadf7297e0bd085afb50e076"
+
 [[package]]
 name = "base64"
 version = "0.22.1"
@@ -755,12 +761,24 @@ version = "0.6.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "175812e0be2bccb6abe50bb8d566126198344f707e304f45c648fd8f2cc0365e"
 
+[[package]]
+name = "bytemuck"
+version = "1.25.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c8efb64bd706a16a1bdde310ae86b351e4d21550d98d056f22f8a7f7a2183fec"
+
 [[package]]
 name = "byteorder"
 version = "1.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b"
 
+[[package]]
+name = "byteorder-lite"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "8f1fe948ff07f4bd06c30984e69f5b4899c516a3ef74f34df92a2df2ab535495"
+
 [[package]]
 name = "bytes"
 version = "1.12.0"
@@ -1059,6 +1077,12 @@ dependencies = [
  "tiny-keccak",
 ]
 
+[[package]]
+name = "constant_time_eq"
+version = "0.3.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7c74b8349d32d297c9134b8c88677813a227df8f779daa29bfc29c183fe3dca6"
+
 [[package]]
 name = "cookie"
 version = "0.18.1"
@@ -1581,6 +1605,15 @@ version = "2.4.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9f1f227452a390804cdb637b74a86990f2a7d7ba4b7d5693aac9b4dd6defd8d6"
 
+[[package]]
+name = "fdeflate"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "1e6853b52649d4ac5c0bd02320cddc5ba956bdb407c4b75a2c6b75bf51500f8c"
+dependencies = [
+ "simd-adler32",
+]
+
 [[package]]
 name = "find-msvc-tools"
 version = "0.1.9"
@@ -2424,6 +2457,19 @@ dependencies = [
  "winapi-util",
 ]
 
+[[package]]
+name = "image"
+version = "0.25.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "85ab80394333c02fe689eaf900ab500fbd0c2213da414687ebf995a65d5a6104"
+dependencies = [
+ "bytemuck",
+ "byteorder-lite",
+ "moxcms",
+ "num-traits",
+ "png",
+]
+
 [[package]]
 name = "include_dir"
 version = "0.7.4"
@@ -2604,11 +2650,15 @@ dependencies = [
  "chrono",
  "dotenvy",
  "fluent-templates",
+ "form_urlencoded",
+ "futures-util",
+ "hmac",
  "include_dir",
  "insta",
  "loco-oauth2",
  "loco-rs",
  "migration",
+ "multer",
  "passwords",
  "regex",
  "reqwest",
@@ -2617,8 +2667,11 @@ dependencies = [
  "serde",
  "serde_json",
  "serial_test",
+ "sha2",
+ "subtle",
  "time",
  "tokio",
+ "totp-rs",
  "tower-sessions",
  "tracing",
  "tracing-subscriber",
@@ -3052,6 +3105,16 @@ dependencies = [
  "uuid",
 ]
 
+[[package]]
+name = "moxcms"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bb85c154ba489f01b25c0d36ae69a87e4a1c73a72631fc6c0eb6dde34a73e44b"
+dependencies = [
+ "num-traits",
+ "pxfm",
+]
+
 [[package]]
 name = "multer"
 version = "3.1.0"
@@ -3654,6 +3717,19 @@ version = "0.2.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b4596b6d070b27117e987119b4dac604f3c58cfb0b191112e24771b2faeac1a6"
 
+[[package]]
+name = "png"
+version = "0.18.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "60769b8b31b2a9f263dae2776c37b1b28ae246943cf719eb6946a1db05128a61"
+dependencies = [
+ "bitflags",
+ "crc32fast",
+ "fdeflate",
+ "flate2",
+ "miniz_oxide",
+]
+
 [[package]]
 name = "polling"
 version = "3.11.0"
@@ -3816,6 +3892,29 @@ dependencies = [
  "unicase",
 ]
 
+[[package]]
+name = "pxfm"
+version = "0.1.29"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e0c5ccf5294c6ccd63a74f1565028353830a9c2f5eb0c682c355c471726a6e3f"
+
+[[package]]
+name = "qrcodegen"
+version = "1.8.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4339fc7a1021c9c1621d87f5e3505f2805c8c105420ba2f2a4df86814590c142"
+
+[[package]]
+name = "qrcodegen-image"
+version = "1.5.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "99530e45ded4640c0eab5420fc60f9a0ec1be51a22e49cc8578b9a0d8be70712"
+dependencies = [
+ "base64",
+ "image",
+ "qrcodegen",
+]
+
 [[package]]
 name = "quick-xml"
 version = "0.38.4"
@@ -5739,6 +5838,23 @@ version = "0.1.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5d99f8c9a7727884afe522e9bd5edbfc91a3312b36a77b5fb8926e4c31a41801"
 
+[[package]]
+name = "totp-rs"
+version = "5.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a2b36a9dd327e9f401320a2cb4572cc76ff43742bcfc3291f871691050f140ba"
+dependencies = [
+ "base32",
+ "constant_time_eq",
+ "hmac",
+ "qrcodegen-image",
+ "rand 0.9.4",
+ "sha1",
+ "sha2",
+ "url",
+ "urlencoding",
+]
+
 [[package]]
 name = "tower"
 version = "0.4.13"
@@ -6144,6 +6260,12 @@ dependencies = [
  "serde_derive",
 ]
 
+[[package]]
+name = "urlencoding"
+version = "2.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "daf8dba3b7eb870caf1ddeed7bc9d2a049f3cfdfae7cb521b087cc33ae4c49da"
+
 [[package]]
 name = "utf-8"
 version = "0.7.6"

Cargo.toml

@@ -49,6 +49,15 @@ axum-casbin = "1.3.0"
 loco-oauth2 = "0.5.0"
 passwords = "3.1.16"
 tower-sessions = "0.14"
+# TOTP (Google Authenticator) for optional two-factor auth
+totp-rs = { version = "5", features = ["qr", "gen_secret"] }
+# CSRF: HMAC-signed double-submit token + body inspection for the `_csrf` field
+hmac = { version = "0.12" }
+sha2 = { version = "0.10" }
+subtle = { version = "2.6" }
+form_urlencoded = { version = "1" }
+multer = { version = "3" }
+futures-util = { version = "0.3" }
 
 [[bin]]
 name = "kompress-eshop-cli"

assets/i18n/en/main.ftl

@@ -217,6 +217,8 @@ image = Image
 slug = URL slug
 slug-auto = generated automatically
 position = Position
+position-auto = added to the end
+position-hint = Sort order in the menu (lowest first). Leave blank to add it last.
 parent-category = Parent category
 no-parent = — None (top level) —
 quantity = Quantity
@@ -289,6 +291,34 @@ password-change-title = Change password
 password-current = Current password
 password-current-wrong = Your current password is incorrect.
 password-changed = Your password has been changed.
+
+# Two-factor authentication (TOTP / Google Authenticator)
+security-title = Security
+security-2fa-intro = Two-factor authentication (2FA) adds a one-time code from an app like Google Authenticator to your sign-in.
+security-2fa-on = 2FA is on
+security-2fa-off = 2FA is off
+security-2fa-enable = Enable two-factor authentication
+security-2fa-scan = Scan this QR code in Google Authenticator (or any compatible app).
+security-2fa-manual = Or enter the key manually:
+security-2fa-enter-code = Enter the 6-digit code from the app
+security-2fa-confirm = Confirm and enable
+security-2fa-code-wrong = That code is wrong or expired. Please try again.
+security-2fa-enroll-error = Could not start 2FA setup. Please try again.
+security-2fa-enabled-ok = Two-factor authentication is enabled.
+security-2fa-backup-intro = Save these backup codes somewhere safe. Each can be used once if you lose access to your app.
+security-2fa-backup-remaining = Backup codes remaining
+security-2fa-regenerate = Generate new backup codes
+security-2fa-disable = Disable two-factor authentication
+security-2fa-disable-hint = Enter your current password to confirm.
+
+# Second login step (after password)
+login-totp-title = Two-factor authentication
+login-totp-intro = Enter the code from your authenticator app.
+login-totp-error = That code is wrong or expired.
+login-totp-code = Verification code
+login-totp-submit = Verify
+login-totp-backup-hint = No access to your app? Enter one of your backup codes.
+
 account-type-locked = Account type can't be changed after registration.
 checkout-create-account = Create an account from this order
 checkout-create-account-hint = We'll email you a link to set your password. This order will be linked to your account.

assets/i18n/sk/main.ftl

@@ -217,6 +217,8 @@ image = Obrázok
 slug = URL adresa
 slug-auto = vygeneruje sa automaticky
 position = Poradie
+position-auto = pridá sa na koniec
+position-hint = Poradie v menu (najnižšie ako prvé). Nechajte prázdne a pridá sa na koniec.
 parent-category = Nadradená kategória
 no-parent = — Žiadna (najvyššia úroveň) —
 quantity = Množstvo
@@ -289,6 +291,34 @@ password-change-title = Zmeniť heslo
 password-current = Súčasné heslo
 password-current-wrong = Vaše súčasné heslo je nesprávne.
 password-changed = Vaše heslo bolo zmenené.
+
+# Two-factor authentication (TOTP / Google Authenticator)
+security-title = Zabezpečenie
+security-2fa-intro = Dvojfaktorové overenie (2FA) pridáva k prihláseniu jednorazový kód z aplikácie ako Google Authenticator.
+security-2fa-on = 2FA je zapnuté
+security-2fa-off = 2FA je vypnuté
+security-2fa-enable = Zapnúť dvojfaktorové overenie
+security-2fa-scan = Naskenujte tento QR kód v aplikácii Google Authenticator (alebo inej kompatibilnej).
+security-2fa-manual = Alebo zadajte kľúč ručne:
+security-2fa-enter-code = Zadajte 6-miestny kód z aplikácie
+security-2fa-confirm = Potvrdiť a zapnúť
+security-2fa-code-wrong = Kód je nesprávny alebo vypršal. Skúste to znova.
+security-2fa-enroll-error = Nepodarilo sa pripraviť 2FA. Skúste to znova.
+security-2fa-enabled-ok = Dvojfaktorové overenie je zapnuté.
+security-2fa-backup-intro = Uložte si tieto záložné kódy na bezpečné miesto. Každý sa dá použiť iba raz, ak nemáte prístup k aplikácii.
+security-2fa-backup-remaining = Zostávajúce záložné kódy
+security-2fa-regenerate = Vygenerovať nové záložné kódy
+security-2fa-disable = Vypnúť dvojfaktorové overenie
+security-2fa-disable-hint = Na potvrdenie zadajte svoje súčasné heslo.
+
+# Second login step (after password)
+login-totp-title = Dvojfaktorové overenie
+login-totp-intro = Zadajte kód z vašej autentifikačnej aplikácie.
+login-totp-error = Kód je nesprávny alebo vypršal.
+login-totp-code = Overovací kód
+login-totp-submit = Overiť
+login-totp-backup-hint = Nemáte prístup k aplikácii? Zadajte jeden zo svojich záložných kódov.
+
 account-type-locked = Typ účtu sa po registrácii nedá zmeniť.
 checkout-create-account = Vytvoriť účet z tejto objednávky
 checkout-create-account-hint = Pošleme vám e-mail na nastavenie hesla. Objednávka sa priradí k vášmu účtu.

assets/views/account/password.html

@@ -22,6 +22,7 @@
 
   <form method="post" action="/account/password" hx-boost="false" class="mt-6 flex flex-col gap-4"
     x-data="{ password: '', confirm: '' }">
+  {{ ui::csrf_field() }}
     <div class="flex flex-col gap-1">
       <label for="current_password" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="password-current", lang=lang | default(value='sk')) }}</label>
       {{ ui::input(name="current_password", id="current_password", type="password", required=true, autocomplete="current-password") }}

assets/views/account/profile.html

@@ -82,6 +82,7 @@
 
   <!-- edit form -->
   <form x-show="editing" x-cloak method="post" action="/account/profile" hx-boost="false" class="mt-6 space-y-6">
+  {{ ui::csrf_field() }}
     <!-- account type is fixed at registration and shown read-only -->
     <fieldset class="space-y-2 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
       <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-type", lang=lang | default(value='sk')) }}</legend>

assets/views/account/security.html

@@ -0,0 +1,84 @@
+{% extends "base.html" %}
+{% import "macros/ui.html" as ui %}
+
+{% block title %}{{ t(key="security-title", lang=lang | default(value='sk')) }}{% endblock title %}
+
+{% block content %}
+<div class="mx-auto max-w-md">
+  <h1 class="text-3xl font-bold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="security-title", lang=lang | default(value='sk')) }}</h1>
+  <p class="mt-2 text-sm text-on-surface dark:text-on-surface-dark">{{ t(key="security-2fa-intro", lang=lang | default(value='sk')) }}</p>
+
+  {% if error == "password" %}
+  {{ ui::alert_danger(message=t(key="password-current-wrong", lang=lang | default(value='sk')), extra="mt-4") }}
+  {% elif error == "code" %}
+  {{ ui::alert_danger(message=t(key="security-2fa-code-wrong", lang=lang | default(value='sk')), extra="mt-4") }}
+  {% elif error == "enroll" %}
+  {{ ui::alert_danger(message=t(key="security-2fa-enroll-error", lang=lang | default(value='sk')), extra="mt-4") }}
+  {% endif %}
+
+  {# --- One-time backup codes, shown right after enabling / regenerating --- #}
+  {% if backup_codes and backup_codes | length > 0 %}
+  <div class="mt-6 rounded-radius border border-success bg-success/10 px-4 py-3" role="status">
+    <p class="text-sm font-medium text-success">{{ t(key="security-2fa-enabled-ok", lang=lang | default(value='sk')) }}</p>
+    <p class="mt-2 text-sm text-on-surface dark:text-on-surface-dark">{{ t(key="security-2fa-backup-intro", lang=lang | default(value='sk')) }}</p>
+    <ul class="mt-3 grid grid-cols-2 gap-2 font-mono text-sm text-on-surface-strong dark:text-on-surface-dark-strong">
+      {% for code in backup_codes %}
+      <li class="rounded-radius bg-surface px-3 py-1.5 text-center tracking-wider dark:bg-surface-dark">{{ code }}</li>
+      {% endfor %}
+    </ul>
+  </div>
+  {% endif %}
+
+  {% if enrolling %}
+  {# --- Step 2: scan the QR and confirm a code --- #}
+  <div class="mt-6 flex flex-col gap-4 rounded-radius border border-outline bg-surface-alt p-5 dark:border-outline-dark dark:bg-surface-dark-alt">
+    <p class="text-sm text-on-surface dark:text-on-surface-dark">{{ t(key="security-2fa-scan", lang=lang | default(value='sk')) }}</p>
+    <img src="{{ qr }}" alt="TOTP QR" class="mx-auto size-48 rounded-radius bg-white p-2" />
+    <div class="text-center">
+      <p class="text-xs text-on-surface dark:text-on-surface-dark">{{ t(key="security-2fa-manual", lang=lang | default(value='sk')) }}</p>
+      <code class="mt-1 inline-block break-all font-mono text-sm text-on-surface-strong dark:text-on-surface-dark-strong">{{ secret }}</code>
+    </div>
+    <form method="post" action="/account/security/confirm" hx-boost="false" class="flex flex-col gap-3">
+  {{ ui::csrf_field() }}
+      <label for="code" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="security-2fa-enter-code", lang=lang | default(value='sk')) }}</label>
+      {{ ui::input(name="code", id="code", type="text", required=true, autocomplete="one-time-code", attrs='inputmode="numeric" pattern="[0-9]*" maxlength="6" autofocus') }}
+      {{ ui::button(label=t(key="security-2fa-confirm", lang=lang | default(value='sk')), type="submit", extra="w-full") }}
+    </form>
+  </div>
+
+  {% elif totp_enabled %}
+  {# --- Enabled: status + remaining backup codes + disable / regenerate --- #}
+  <div class="mt-6 flex items-center gap-2">
+    {{ ui::badge(label=t(key="security-2fa-on", lang=lang | default(value='sk')), variant="success") }}
+    <span class="text-sm text-on-surface dark:text-on-surface-dark">{{ t(key="security-2fa-backup-remaining", lang=lang | default(value='sk')) }}: {{ backup_remaining }}</span>
+  </div>
+
+  <form method="post" action="/account/security/backup-codes" hx-boost="false" class="mt-6 flex flex-col gap-3 rounded-radius border border-outline bg-surface-alt p-5 dark:border-outline-dark dark:bg-surface-dark-alt">
+  {{ ui::csrf_field() }}
+    <p class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="security-2fa-regenerate", lang=lang | default(value='sk')) }}</p>
+    <label for="regen_pw" class="text-sm text-on-surface dark:text-on-surface-dark">{{ t(key="password-current", lang=lang | default(value='sk')) }}</label>
+    {{ ui::input(name="current_password", id="regen_pw", type="password", required=true, autocomplete="current-password") }}
+    {{ ui::button(label=t(key="security-2fa-regenerate", lang=lang | default(value='sk')), type="submit", variant="outline-secondary", extra="w-full") }}
+  </form>
+
+  <form method="post" action="/account/security/disable" hx-boost="false" class="mt-4 flex flex-col gap-3 rounded-radius border border-danger/40 bg-danger/5 p-5">
+  {{ ui::csrf_field() }}
+    <p class="text-sm font-medium text-danger">{{ t(key="security-2fa-disable", lang=lang | default(value='sk')) }}</p>
+    <p class="text-xs text-on-surface dark:text-on-surface-dark">{{ t(key="security-2fa-disable-hint", lang=lang | default(value='sk')) }}</p>
+    <label for="disable_pw" class="text-sm text-on-surface dark:text-on-surface-dark">{{ t(key="password-current", lang=lang | default(value='sk')) }}</label>
+    {{ ui::input(name="current_password", id="disable_pw", type="password", required=true, autocomplete="current-password") }}
+    {{ ui::button(label=t(key="security-2fa-disable", lang=lang | default(value='sk')), type="submit", variant="danger", extra="w-full") }}
+  </form>
+
+  {% else %}
+  {# --- Disabled: offer to enable --- #}
+  <form method="post" action="/account/security/enable" hx-boost="false" class="mt-6">
+  {{ ui::csrf_field() }}
+    <div class="flex items-center gap-2">
+      {{ ui::badge(label=t(key="security-2fa-off", lang=lang | default(value='sk')), variant="neutral") }}
+    </div>
+    {{ ui::button(label=t(key="security-2fa-enable", lang=lang | default(value='sk')), type="submit", extra="mt-4 w-full") }}
+  </form>
+  {% endif %}
+</div>
+{% endblock content %}

assets/views/admin/base.html

@@ -45,6 +45,7 @@
     <script defer src="/static/vendor/alpine/alpinejs-3.14.9.min.js"></script>
   </head>
   <body
+    hx-headers='{"X-CSRF-Token": "{{ csrf_token() }}"}'
     x-data="{ showSidebar: false }"
     class="min-h-screen bg-surface text-on-surface antialiased dark:bg-surface-dark dark:text-on-surface-dark">
 
@@ -96,6 +97,7 @@
           {{ t(key="admin-exit", lang=lang | default(value='sk')) }}
         </a>
         <form method="post" action="/logout">
+          {{ ui::csrf_field() }}
           <button type="submit" class="flex w-full items-center gap-2 rounded-radius px-2 py-1.5 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-danger/5 focus:outline-hidden focus-visible:underline">
             {{ t(key="logout", lang=lang | default(value='sk')) }}
           </button>

assets/views/admin/catalog/categories.html

@@ -46,6 +46,7 @@
             {{ ui::button(variant="outline-secondary", label=t(key="edit", lang=lang | default(value='sk')), href="/admin/catalog/categories/" ~ row.category.id ~ "/edit", size="px-3 py-1.5 text-xs") }}
             <form method="post" action="/admin/catalog/categories/{{ row.category.id }}/delete"
               onsubmit="return confirm('{{ t(key="confirm-delete", lang=lang | default(value='sk')) }}')">
+  {{ ui::csrf_field() }}
               {{ ui::button(variant="outline-danger", label=t(key="delete", lang=lang | default(value='sk')), type="submit", size="px-3 py-1.5 text-xs") }}
             </form>
           </div>

assets/views/admin/catalog/category_form.html

@@ -15,11 +15,12 @@
 <form method="post" enctype="multipart/form-data"
   action="{% if category %}/admin/catalog/categories/{{ category.id }}{% else %}/admin/catalog/categories{% endif %}"
   class="mt-6 space-y-5 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
+  {{ ui::csrf_field() }}
 
   {% if category %}
-    {% set v_name = category.name %}{% set v_slug = category.slug %}{% set v_pos = category.position %}{% set v_desc = category.description | default(value="") %}{% set v_pub = category.published %}
+    {% set v_name = category.name %}{% set v_pos = category.position %}{% set v_desc = category.description | default(value="") %}{% set v_pub = category.published %}
   {% else %}
-    {% set v_name = "" %}{% set v_slug = "" %}{% set v_pos = 0 %}{% set v_desc = "" %}{% set v_pub = false %}
+    {% set v_name = "" %}{% set v_pos = "" %}{% set v_desc = "" %}{% set v_pub = false %}
   {% endif %}
 
   <div class="space-y-1.5">
@@ -27,17 +28,6 @@
     {{ ui::input(name="name", id="name", required=true, value=v_name) }}
   </div>
 
-  <div class="grid gap-5 sm:grid-cols-2">
-    <div class="space-y-1.5">
-      <label for="slug" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="slug", lang=lang | default(value='sk')) }}</label>
-      {{ ui::input(name="slug", id="slug", value=v_slug, placeholder=t(key='slug-auto', lang=lang | default(value='sk'))) }}
-    </div>
-    <div class="space-y-1.5">
-      <label for="position" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="position", lang=lang | default(value='sk')) }}</label>
-      {{ ui::input(name="position", id="position", type="number", value=v_pos) }}
-    </div>
-  </div>
-
   <div class="space-y-1.5">
     <label for="parent_id" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="parent-category", lang=lang | default(value='sk')) }}</label>
     <div class="relative">
@@ -67,6 +57,15 @@
     {{ ui::file_input(name="image", id="image", accept="image/*") }}
   </div>
 
+  <div class="space-y-1.5">
+    <label for="position" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
+      {{ t(key="position", lang=lang | default(value='sk')) }}
+      <span class="font-normal text-on-surface/60 dark:text-on-surface-dark/60">({{ t(key="field-optional", lang=lang | default(value='sk')) }})</span>
+    </label>
+    {{ ui::input(name="position", id="position", type="number", value=v_pos, placeholder=t(key='position-auto', lang=lang | default(value='sk'))) }}
+    <p class="text-xs text-on-surface/60 dark:text-on-surface-dark/60">{{ t(key="position-hint", lang=lang | default(value='sk')) }}</p>
+  </div>
+
   {{ ui::checkbox(name="published", id="published", label=t(key="published", lang=lang | default(value='sk')), checked=v_pub) }}
 
   <div class="flex gap-3 pt-2">

assets/views/admin/catalog/product_form.html

@@ -15,11 +15,12 @@
 <form method="post" enctype="multipart/form-data"
   action="{% if product %}/admin/catalog/products/{{ product.id }}{% else %}/admin/catalog/products{% endif %}"
   class="mt-6 space-y-5 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
+  {{ ui::csrf_field() }}
 
   {% if product %}
-    {% set v_name = product.name %}{% set v_price = product.price %}{% set v_currency = product.currency %}{% set v_stock = product.stock %}{% set v_sku = product.sku | default(value="") %}{% set v_slug = product.slug %}{% set v_desc = product.description | default(value="") %}{% set v_pub = product.published %}
+    {% set v_name = product.name %}{% set v_price = product.price %}{% set v_currency = product.currency %}{% set v_stock = product.stock %}{% set v_sku = product.sku | default(value="") %}{% set v_desc = product.description | default(value="") %}{% set v_pub = product.published %}
   {% else %}
-    {% set v_name = "" %}{% set v_price = "" %}{% set v_currency = "EUR" %}{% set v_stock = 0 %}{% set v_sku = "" %}{% set v_slug = "" %}{% set v_desc = "" %}{% set v_pub = false %}
+    {% set v_name = "" %}{% set v_price = "" %}{% set v_currency = "EUR" %}{% set v_stock = 0 %}{% set v_sku = "" %}{% set v_desc = "" %}{% set v_pub = false %}
   {% endif %}
 
   <div class="space-y-1.5">
@@ -63,11 +64,6 @@
     </div>
   </div>
 
-  <div class="space-y-1.5">
-    <label for="slug" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="slug", lang=lang | default(value='sk')) }}</label>
-    {{ ui::input(name="slug", id="slug", value=v_slug, placeholder=t(key='slug-auto', lang=lang | default(value='sk'))) }}
-  </div>
-
   <div class="space-y-1.5">
     <label for="description" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="description", lang=lang | default(value='sk')) }}</label>
     {{ ui::textarea(name="description", id="description", rows="5", value=v_desc) }}

assets/views/admin/catalog/products.html

@@ -56,6 +56,7 @@
             {{ ui::button(variant="outline-secondary", label=t(key="view", lang=lang | default(value='sk')), href="/shop/" ~ product.slug, size="px-3 py-1.5 text-xs") }}
             <form method="post" action="/admin/catalog/products/{{ product.id }}/delete"
               onsubmit="return confirm('{{ t(key="confirm-delete", lang=lang | default(value='sk')) }}')">
+  {{ ui::csrf_field() }}
               {{ ui::button(variant="outline-danger", label=t(key="delete", lang=lang | default(value='sk')), type="submit", size="px-3 py-1.5 text-xs") }}
             </form>
           </div>

assets/views/admin/orders/show.html

@@ -110,6 +110,7 @@
       <p class="text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="order-send-hint", lang=lang | default(value='sk')) }}</p>
       <form method="post" action="/admin/orders/{{ order.id }}/ship"
         onsubmit="return confirm('{{ t(key="order-send-confirm", lang=lang | default(value='sk')) }}')">
+  {{ ui::csrf_field() }}
         {% set carrier_up = carrier | upper %}
         {% set ship_label = t(key="order-send-to-carrier", lang=lang | default(value='sk')) ~ " " ~ carrier_up %}
         {{ ui::button(label=ship_label, type="submit", extra="w-full") }}
@@ -118,6 +119,7 @@
     </div>
 
     <form method="post" action="/admin/orders/{{ order.id }}/status" class="space-y-3 rounded-radius border border-outline bg-surface p-5 dark:border-outline-dark dark:bg-surface-dark-alt">
+  {{ ui::csrf_field() }}
       <label for="status" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="order-status", lang=lang | default(value='sk')) }}</label>
       <div class="relative">
         <select id="status" name="status"

assets/views/admin/shipping/index.html

@@ -14,6 +14,7 @@
   {% for method in methods %}
   <form method="post" action="/admin/shipping/{{ method.id }}"
     class="flex flex-wrap items-end gap-4 rounded-radius border border-outline bg-surface p-5 dark:border-outline-dark dark:bg-surface-dark-alt">
+  {{ ui::csrf_field() }}
     <div class="min-w-40">
       <p class="font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ method.name }}</p>
       <p class="text-xs text-on-surface/60 dark:text-on-surface-dark/60">{{ method.carrier | upper }}{% if method.requires_pickup_point %} · {{ t(key="checkout-pickup-point", lang=lang | default(value='sk')) }}{% endif %}</p>

assets/views/auth/login.html

@@ -30,6 +30,7 @@
       {% endif %}
 
       <form method="post" action="/login" hx-boost="false" class="mt-4 flex flex-col gap-4">
+        {{ ui::csrf_field() }}
         <div class="flex flex-col gap-1">
           <label for="email"
             class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">

assets/views/auth/login_totp.html

@@ -0,0 +1,48 @@
+{% extends "base.html" %}
+{% import "macros/ui.html" as ui %}
+
+{% block title %}{{ t(key="login-totp-title", lang=lang | default(value='sk')) }}{% endblock title %}
+
+{% block content %}
+<div class="mx-auto mt-8 max-w-sm">
+  <div
+    class="rounded-radius border border-outline bg-surface-alt shadow-sm dark:border-outline-dark dark:bg-surface-dark-alt">
+    <div
+      class="flex items-center justify-between border-b border-outline px-5 py-3 dark:border-outline-dark">
+      <span class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
+        {{ t(key="brand", lang=lang | default(value='sk')) }}
+      </span>
+      {{ ui::badge(label=t(key="auth", lang=lang | default(value='sk')), variant="primary") }}
+    </div>
+
+    <div class="p-5">
+      <h1 class="text-xl font-bold text-on-surface-strong dark:text-on-surface-dark-strong">
+        {{ t(key="login-totp-title", lang=lang | default(value='sk')) }}
+      </h1>
+      <p class="mt-2 text-sm text-on-surface dark:text-on-surface-dark">
+        {{ t(key="login-totp-intro", lang=lang | default(value='sk')) }}
+      </p>
+
+      {% if error %}
+      {{ ui::alert_danger(message=t(key="login-totp-error", lang=lang | default(value='sk')), extra="mt-3") }}
+      {% endif %}
+
+      <form method="post" action="/login/totp" hx-boost="false" class="mt-4 flex flex-col gap-4">
+  {{ ui::csrf_field() }}
+        <div class="flex flex-col gap-1">
+          <label for="code"
+            class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
+            {{ t(key="login-totp-code", lang=lang | default(value='sk')) }}
+          </label>
+          {{ ui::input(name="code", id="code", type="text", required=true, autocomplete="one-time-code", attrs='inputmode="numeric" autofocus') }}
+        </div>
+        {{ ui::button(label=t(key="login-totp-submit", lang=lang | default(value='sk')), type="submit", extra="mt-1 w-full") }}
+      </form>
+
+      <p class="mt-4 text-xs text-on-surface dark:text-on-surface-dark">
+        {{ t(key="login-totp-backup-hint", lang=lang | default(value='sk')) }}
+      </p>
+    </div>
+  </div>
+</div>
+{% endblock content %}

assets/views/auth/register.html

@@ -32,6 +32,7 @@
 
       <form method="post" action="/register" hx-boost="false" class="mt-4 flex flex-col gap-4"
         x-data="{ password: '', confirm: '' }">
+  {{ ui::csrf_field() }}
         <div class="flex flex-col gap-1.5">
           <span class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-type", lang=lang | default(value='sk')) }}</span>
           <div class="grid grid-cols-2 gap-2">

assets/views/auth/resend_verification.html

@@ -24,6 +24,7 @@
       {% else %}
       <p class="mt-1 text-sm text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="resend-verification-intro", lang=lang | default(value='sk')) }}</p>
       <form method="post" action="/resend-verification" hx-boost="false" class="mt-4 flex flex-col gap-4">
+  {{ ui::csrf_field() }}
         <div class="flex flex-col gap-1">
           <label for="email" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="login-email", lang=lang | default(value='sk')) }}</label>
           {{ ui::input(name="email", id="email", type="email", required=true, autocomplete="email", attrs="autofocus") }}

assets/views/auth/set_password.html

@@ -29,6 +29,7 @@
       {% endif %}
 
       <form method="post" action="/set-password" hx-boost="false" class="mt-4 flex flex-col gap-4">
+  {{ ui::csrf_field() }}
         <input type="hidden" name="token" value="{{ token }}">
         <div class="flex flex-col gap-1">
           <label for="password" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="set-password-new", lang=lang | default(value='sk')) }}</label>

assets/views/base.html

@@ -69,6 +69,7 @@
     <script defer src="/static/vendor/alpine/alpinejs-3.14.9.min.js"></script>
   </head>
   <body hx-boost="true"
+    hx-headers='{"X-CSRF-Token": "{{ csrf_token() }}"}'
     x-data="{ cats: false, lg: window.matchMedia('(min-width: 1024px)').matches }"
     x-init="window.matchMedia('(min-width: 1024px)').addEventListener('change', e => lg = e.matches)"
     class="min-h-screen bg-surface text-on-surface antialiased dark:bg-surface-dark dark:text-on-surface-dark">
@@ -91,6 +92,7 @@
           <li>{{ ui::nav_link(label=t(key="admin-title", lang=lang | default(value='sk')), href="/admin/dashboard", data_nav="/admin", variant="warning", attrs='hx-boost="false"') }}</li>
           <li>
             <form method="post" action="/logout" hx-boost="false">
+  {{ ui::csrf_field() }}
               <button type="submit" class="text-sm font-medium text-danger underline-offset-2 transition hover:opacity-75 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
             </form>
           </li>
@@ -163,6 +165,7 @@
           <li><a href="/admin/dashboard" hx-boost="false" data-nav="/admin" class="block rounded-radius px-3 py-2 text-sm font-medium text-warning underline-offset-2 transition hover:bg-primary/5 focus:outline-hidden focus-visible:underline">{{ t(key="admin-title", lang=lang | default(value='sk')) }}</a></li>
           <li>
             <form method="post" action="/logout" hx-boost="false">
+  {{ ui::csrf_field() }}
               <button type="submit" class="block w-full rounded-radius px-3 py-2 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-primary/5 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
             </form>
           </li>
@@ -170,6 +173,7 @@
           <li><a href="/account/profile" data-nav="/account" class="block rounded-radius px-3 py-2 text-sm font-medium text-on-surface underline-offset-2 transition hover:bg-primary/5 hover:text-primary focus:outline-hidden focus-visible:underline aria-[current=page]:font-semibold aria-[current=page]:bg-primary/10 aria-[current=page]:text-primary dark:text-on-surface-dark dark:hover:text-primary-dark dark:aria-[current=page]:text-primary-dark">{{ t(key="nav-profile", lang=lang | default(value='sk')) }}</a></li>
           <li>
             <form method="post" action="/logout" hx-boost="false">
+  {{ ui::csrf_field() }}
               <button type="submit" class="block w-full rounded-radius px-3 py-2 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-primary/5 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
             </form>
           </li>
@@ -196,8 +200,10 @@
           <li><a href="/account/orders" data-nav="/account/orders" class="block rounded-radius px-3 py-2 text-sm font-medium text-on-surface underline-offset-2 transition hover:bg-primary/5 hover:text-primary focus:outline-hidden focus-visible:underline aria-[current=page]:font-semibold aria-[current=page]:bg-primary/10 aria-[current=page]:text-primary dark:text-on-surface-dark dark:hover:text-primary-dark dark:aria-[current=page]:text-primary-dark">{{ t(key="account-orders", lang=lang | default(value='sk')) }}</a></li>
           <li><a href="/account/profile" data-nav="/account/profile" class="block rounded-radius px-3 py-2 text-sm font-medium text-on-surface underline-offset-2 transition hover:bg-primary/5 hover:text-primary focus:outline-hidden focus-visible:underline aria-[current=page]:font-semibold aria-[current=page]:bg-primary/10 aria-[current=page]:text-primary dark:text-on-surface-dark dark:hover:text-primary-dark dark:aria-[current=page]:text-primary-dark">{{ t(key="profile-title", lang=lang | default(value='sk')) }}</a></li>
           <li><a href="/account/password" data-nav="/account/password" class="block rounded-radius px-3 py-2 text-sm font-medium text-on-surface underline-offset-2 transition hover:bg-primary/5 hover:text-primary focus:outline-hidden focus-visible:underline aria-[current=page]:font-semibold aria-[current=page]:bg-primary/10 aria-[current=page]:text-primary dark:text-on-surface-dark dark:hover:text-primary-dark dark:aria-[current=page]:text-primary-dark">{{ t(key="account-change-password", lang=lang | default(value='sk')) }}</a></li>
+          <li><a href="/account/security" data-nav="/account/security" class="block rounded-radius px-3 py-2 text-sm font-medium text-on-surface underline-offset-2 transition hover:bg-primary/5 hover:text-primary focus:outline-hidden focus-visible:underline aria-[current=page]:font-semibold aria-[current=page]:bg-primary/10 aria-[current=page]:text-primary dark:text-on-surface-dark dark:hover:text-primary-dark dark:aria-[current=page]:text-primary-dark">{{ t(key="security-title", lang=lang | default(value='sk')) }}</a></li>
         </ul>
         <form method="post" action="/logout" hx-boost="false" class="mt-4 border-t border-outline pt-3 dark:border-outline-dark">
+  {{ ui::csrf_field() }}
           <button type="submit" class="block w-full rounded-radius px-3 py-2 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-primary/5 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
         </form>
       </aside>

assets/views/macros/ui.html

@@ -29,6 +29,13 @@
        outline : outline-primary | outline-secondary | outline-alternate | outline-danger
        ghost   : ghost-primary | ghost-secondary | ghost-danger #}
 
+{# CSRF hidden field for native (non-htmx) <form method="post"> submits. htmx
+   requests instead inherit the X-CSRF-Token header from <body hx-headers>.
+   `csrf_token()` is a global Tera function bound per-request by shared::csrf. #}
+{% macro csrf_field() -%}
+<input type="hidden" name="_csrf" value="{{ csrf_token() }}">
+{%- endmacro %}
+
 {% macro button(label, variant="primary", type="button", href="", attrs="", extra="", icon="", size="px-4 py-2 text-sm") -%}
 {%- if variant == "secondary" -%}{% set cls = "border border-secondary bg-secondary text-on-secondary focus-visible:outline-secondary dark:border-secondary-dark dark:bg-secondary-dark dark:text-on-secondary-dark dark:focus-visible:outline-secondary-dark" -%}
 {%- elif variant == "danger" -%}{% set cls = "border border-danger bg-danger text-on-danger focus-visible:outline-danger dark:bg-danger dark:border-danger dark:text-on-danger dark:focus-visible:outline-danger" -%}

assets/views/partials/profile_menu.html

@@ -61,10 +61,15 @@
         <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" aria-hidden="true" fill="currentColor" class="size-4 shrink-0"><path fill-rule="evenodd" d="M15.75 1.5a6.75 6.75 0 00-6.651 7.906c.067.39-.032.717-.221.906l-6.5 6.499a3 3 0 00-.878 2.121v2.818c0 .414.336.75.75.75H6a.75.75 0 00.75-.75v-1.5h1.5A.75.75 0 009 21v-1.5h1.5a.75.75 0 00.53-.22l2.658-2.658c.19-.189.517-.288.906-.22A6.75 6.75 0 1015.75 1.5zm0 3a.75.75 0 000 1.5A2.25 2.25 0 0118 8.25a.75.75 0 001.5 0 3.75 3.75 0 00-3.75-3.75z" clip-rule="evenodd"/></svg>
         {{ t(key="account-change-password", lang=lang | default(value='sk')) }}
       </a>
+      <a href="/account/security" data-nav="/account/security" role="menuitem" class="flex items-center gap-2 bg-surface-alt px-4 py-2 text-sm text-on-surface hover:bg-surface-dark-alt/5 hover:text-on-surface-strong focus-visible:bg-surface-dark-alt/10 focus-visible:text-on-surface-strong focus-visible:outline-hidden dark:bg-surface-dark-alt dark:text-on-surface-dark dark:hover:bg-surface-alt/5 dark:hover:text-on-surface-dark-strong dark:focus-visible:bg-surface-alt/10 dark:focus-visible:text-on-surface-dark-strong">
+        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" aria-hidden="true" fill="currentColor" class="size-4 shrink-0"><path fill-rule="evenodd" d="M12 1.5a5.25 5.25 0 00-5.25 5.25v3a3 3 0 00-3 3v6.75a3 3 0 003 3h10.5a3 3 0 003-3v-6.75a3 3 0 00-3-3v-3c0-2.9-2.35-5.25-5.25-5.25zm3.75 8.25v-3a3.75 3.75 0 10-7.5 0v3h7.5z" clip-rule="evenodd"/></svg>
+        {{ t(key="security-title", lang=lang | default(value='sk')) }}
+      </a>
     </div>
     <!-- logout -->
     <div class="flex flex-col py-1.5">
-      <form method="post" action="/logout" hx-boost="false"><button type="submit" role="menuitem" class="flex w-full items-center gap-2 bg-surface-alt px-4 py-2 text-left text-sm text-on-surface hover:bg-surface-dark-alt/5 hover:text-on-surface-strong focus-visible:bg-surface-dark-alt/10 focus-visible:text-on-surface-strong focus-visible:outline-hidden dark:bg-surface-dark-alt dark:text-on-surface-dark dark:hover:bg-surface-alt/5 dark:hover:text-on-surface-dark-strong dark:focus-visible:bg-surface-alt/10 dark:focus-visible:text-on-surface-dark-strong">
+      <form method="post" action="/logout" hx-boost="false">
+  <input type="hidden" name="_csrf" value="{{ csrf_token() }}"><button type="submit" role="menuitem" class="flex w-full items-center gap-2 bg-surface-alt px-4 py-2 text-left text-sm text-on-surface hover:bg-surface-dark-alt/5 hover:text-on-surface-strong focus-visible:bg-surface-dark-alt/10 focus-visible:text-on-surface-strong focus-visible:outline-hidden dark:bg-surface-dark-alt dark:text-on-surface-dark dark:hover:bg-surface-alt/5 dark:hover:text-on-surface-dark-strong dark:focus-visible:bg-surface-alt/10 dark:focus-visible:text-on-surface-dark-strong">
         <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" aria-hidden="true" fill="currentColor" class="size-4 shrink-0"><path fill-rule="evenodd" d="M7.5 3.75A1.5 1.5 0 006 5.25v13.5a1.5 1.5 0 001.5 1.5h6a1.5 1.5 0 001.5-1.5V15a.75.75 0 011.5 0v3.75a3 3 0 01-3 3h-6a3 3 0 01-3-3V5.25a3 3 0 013-3h6a3 3 0 013 3V9A.75.75 0 0115 9V5.25a1.5 1.5 0 00-1.5-1.5h-6zm10.72 4.72a.75.75 0 011.06 0l3 3a.75.75 0 010 1.06l-3 3a.75.75 0 11-1.06-1.06l1.72-1.72H9a.75.75 0 010-1.5h10.94l-1.72-1.72a.75.75 0 010-1.06z" clip-rule="evenodd"/></svg>
         {{ t(key="logout", lang=lang | default(value='sk')) }}
       </button></form>

assets/views/partials/settings_dropdown.html

@@ -20,6 +20,7 @@
   class="absolute right-0 mt-2 flex w-56 flex-col overflow-hidden rounded-radius border border-outline bg-surface-alt py-1 shadow-lg dark:border-outline-dark dark:bg-surface-dark-alt"
   role="menu">
   <form method="post" action="/lang" hx-boost="false">
+  <input type="hidden" name="_csrf" value="{{ csrf_token() }}">
     <p class="px-4 py-1.5 text-xs font-semibold uppercase tracking-wide text-on-surface/60 dark:text-on-surface-dark/60">
       {{ t(key="settings-language", lang=lang | default(value='sk')) }}
     </p>

assets/views/shop/_card.html

@@ -26,6 +26,7 @@
     <p class="text-xs text-on-surface/60 dark:text-on-surface-dark/60">{{ t(key="in-stock", lang=lang | default(value='sk')) }}: {{ product.stock }}</p>
     <form method="post" action="/cart/add" hx-post="/cart/add" hx-swap="none"
       hx-on::after-request="if (event.detail.successful) toast('{{ t(key='cart-added', lang=lang | default(value='sk')) }}')">
+  <input type="hidden" name="_csrf" value="{{ csrf_token() }}">
       <input type="hidden" name="product_id" value="{{ product.id }}">
       <input type="hidden" name="quantity" value="1">
       {{ ui::button(label=t(key="add-to-cart", lang=lang | default(value='sk')), type="submit", extra="w-full", icon='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" fill="currentColor" aria-hidden="true" class="size-3.5"><path fill-rule="evenodd" d="M5 4a3 3 0 0 1 6 0v1h.643a1.5 1.5 0 0 1 1.492 1.35l.7 7A1.5 1.5 0 0 1 12.342 15H3.657a1.5 1.5 0 0 1-1.492-1.65l.7-7A1.5 1.5 0 0 1 4.357 5H5V4Zm4.5 0v1h-3V4a1.5 1.5 0 0 1 3 0Zm-3 3.75a.75.75 0 0 0-1.5 0v1a3 3 0 1 0 6 0v-1a.75.75 0 0 0-1.5 0v1a1.5 1.5 0 1 1-3 0v-1Z" clip-rule="evenodd" /></svg>') }}

assets/views/shop/_cart_body.html

@@ -27,6 +27,7 @@
              reverting to the previous quantity if the customer cancels. #}
           <form method="post" action="/cart/update"
             hx-post="/cart/update" hx-trigger="cartchange" hx-target="#cart-body" hx-swap="innerHTML">
+  {{ ui::csrf_field() }}
             <input type="hidden" name="product_id" value="{{ item.id }}">
             <input type="number" name="quantity" min="0" max="{{ item.stock }}" value="{{ item.quantity }}"
               @change="
@@ -43,6 +44,7 @@
         <td class="px-4 py-3 text-right">
           <form method="post" action="/cart/remove"
             hx-post="/cart/remove" hx-target="#cart-body" hx-swap="innerHTML">
+  {{ ui::csrf_field() }}
             <input type="hidden" name="product_id" value="{{ item.id }}">
             {{ ui::button(variant="ghost-danger", label=t(key="cart-remove", lang=lang | default(value='sk')), type="submit", size="px-2 py-1 text-xs") }}
           </form>
@@ -62,7 +64,7 @@
 
 <div class="mt-6 flex flex-wrap justify-between gap-3">
   {{ ui::button(variant="outline-secondary", label=t(key="cart-continue", lang=lang | default(value='sk')), href="/shop") }}
-  {{ ui::button(label=t(key="cart-checkout", lang=lang | default(value='sk')), href="/checkout", size="px-5 py-2 text-sm") }}
+  {{ ui::button(label=t(key="cart-checkout", lang=lang | default(value='sk')), href="/checkout", size="px-5 py-2 text-sm", attrs='hx-boost="false"') }}
 </div>
 {% else %}
 <div class="rounded-radius border border-outline px-6 py-16 text-center dark:border-outline-dark">

assets/views/shop/checkout.html

@@ -30,6 +30,7 @@
     }
   }"
   class="mt-6 grid gap-8 lg:grid-cols-3">
+  {{ ui::csrf_field() }}
 
   <div class="space-y-6 lg:col-span-2">
     <!-- personal vs company. Fixed (read-only) for a logged-in account; a guest

assets/views/shop/show.html

@@ -63,6 +63,7 @@
     {% if product.stock > 0 %}
     <form method="post" action="/cart/add" hx-post="/cart/add" hx-swap="none" class="flex flex-wrap items-end gap-3"
       hx-on::after-request="if (event.detail.successful) toast('{{ t(key='cart-added', lang=lang | default(value='sk')) }}')">
+  {{ ui::csrf_field() }}
       <input type="hidden" name="product_id" value="{{ product.id }}">
       <div class="space-y-1.5">
         <label for="quantity" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="quantity", lang=lang | default(value='sk')) }}</label>

migration/src/lib.rs

@@ -34,6 +34,7 @@ mod m20260618_000001_o_auth2_sessions;
 mod m20260618_000002_customer_profiles;
 mod m20260618_000003_account_type;
 mod m20260618_000004_account_ownership;
+mod m20260620_000001_add_totp_to_users;
 pub struct Migrator;
 
 #[async_trait::async_trait]
@@ -72,6 +73,7 @@ impl MigratorTrait for Migrator {
             Box::new(m20260618_000002_customer_profiles::Migration),
             Box::new(m20260618_000003_account_type::Migration),
             Box::new(m20260618_000004_account_ownership::Migration),
+            Box::new(m20260620_000001_add_totp_to_users::Migration),
             // inject-above (do not remove this comment)
         ]
     }

migration/src/m20260620_000001_add_totp_to_users.rs

@@ -0,0 +1,32 @@
+use loco_rs::schema::*;
+use sea_orm_migration::prelude::*;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+// Optional TOTP (Google Authenticator) two-factor auth. All three columns are
+// nullable and only populated once a user opts in:
+//   - `totp_secret`         base32 shared secret; present while enrolling/enabled.
+//                           TODO(security): stored PLAINTEXT and is password-
+//                           equivalent (must stay reversible to recompute codes).
+//                           Encrypt at rest later with an out-of-DB key. See the
+//                           TODO(security) block in src/models/users.rs.
+//   - `totp_enabled_at`     NULL = 2FA off. Set only after the user confirms a
+//                           code, so a half-finished enrollment never gates login.
+//   - `totp_backup_codes`   JSON array of hashed one-time recovery codes.
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, m: &SchemaManager) -> Result<(), DbErr> {
+        add_column(m, "users", "totp_secret", ColType::TextNull).await?;
+        add_column(m, "users", "totp_enabled_at", ColType::TimestampWithTimeZoneNull).await?;
+        add_column(m, "users", "totp_backup_codes", ColType::TextNull).await?;
+        Ok(())
+    }
+
+    async fn down(&self, m: &SchemaManager) -> Result<(), DbErr> {
+        remove_column(m, "users", "totp_backup_codes").await?;
+        remove_column(m, "users", "totp_enabled_at").await?;
+        remove_column(m, "users", "totp_secret").await?;
+        Ok(())
+    }
+}

src/app.rs

@@ -68,6 +68,12 @@ impl Hooks for App {
             .layer(axum::middleware::from_fn_with_state(
                 ctx.clone(),
                 crate::shared::rbac::inject_subject,
+            ))
+            // CSRF runs outermost so it validates the double-submit token before
+            // any handler sees the request and stamps the cookie on safe ones.
+            .layer(axum::middleware::from_fn_with_state(
+                ctx.clone(),
+                crate::shared::csrf::protect,
             )))
     }
 

src/controllers/account.rs

@@ -363,6 +363,177 @@ async fn change_password(
     password_view(&v, &jar, &user, true, None)
 }
 
+// ---- Two-factor authentication (TOTP / Google Authenticator) -------------
+//
+// Entirely opt-in. The security page has three shapes, all rendered from
+// `security.html`:
+//   * disabled  -> an "enable" button,
+//   * enrolling -> the QR + a confirm-code field (secret staged, not yet on),
+//   * enabled   -> status, remaining backup codes, disable/regenerate forms.
+// Both turning 2FA off and regenerating backup codes require re-entering the
+// account password, so a walk-up attacker on an open session can't weaken it.
+
+#[derive(Debug, Deserialize)]
+struct ConfirmTotpForm {
+    code: String,
+}
+
+#[derive(Debug, Deserialize)]
+struct PasswordConfirmForm {
+    current_password: String,
+}
+
+/// Render the security page. Exactly one of (`enrolling`, plain status) applies;
+/// `backup_codes` is non-empty only on the one render right after enabling or
+/// regenerating, where the plaintext codes are shown once.
+#[allow(clippy::too_many_arguments)]
+fn security_view(
+    v: &TeraView,
+    jar: &CookieJar,
+    user: &users::Model,
+    enrolling: bool,
+    qr: Option<&str>,
+    secret: Option<&str>,
+    backup_codes: &[String],
+    error: Option<&str>,
+) -> Result<Response> {
+    format::view(
+        v,
+        "account/security.html",
+        json!({
+            "logged_in_admin": false,
+            "logged_in_customer": true,
+            "account_nav": true,
+            "customer_name": user.name,
+            "customer_account_type": user.account_type,
+            "totp_enabled": user.totp_enabled(),
+            "enrolling": enrolling,
+            "qr": qr,
+            "secret": secret,
+            "backup_codes": backup_codes,
+            "backup_remaining": user.backup_codes_remaining(),
+            "error": error,
+            "lang": current_lang(jar),
+        }),
+    )
+}
+
+/// Common guard for every security handler: a signed-in, non-admin customer.
+async fn require_customer(ctx: &AppContext, jar: &CookieJar) -> Result<users::Model> {
+    match guard::current_user(ctx, jar).await {
+        Some(user) if guard::is_admin(ctx, &user) => Err(Error::string("admin")),
+        Some(user) => Ok(user),
+        None => Err(Error::Unauthorized("login required".into())),
+    }
+}
+
+#[debug_handler]
+async fn security_page(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+) -> Result<Response> {
+    let Some(user) = guard::current_user(&ctx, &jar).await else {
+        return format::redirect("/login");
+    };
+    if guard::is_admin(&ctx, &user) {
+        return format::redirect("/admin/dashboard");
+    }
+    security_view(&v, &jar, &user, false, None, None, &[], None)
+}
+
+/// Stage a fresh secret and show the QR + confirm-code field.
+#[debug_handler]
+async fn enable_totp(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+) -> Result<Response> {
+    let Ok(user) = require_customer(&ctx, &jar).await else {
+        return format::redirect("/login");
+    };
+    // Already on — nothing to enroll.
+    if user.totp_enabled() {
+        return security_view(&v, &jar, &user, false, None, None, &[], None);
+    }
+    let user = user.into_active_model().begin_totp_enrollment(&ctx.db).await?;
+    let Some((qr, secret)) = user.totp_provisioning() else {
+        return security_view(&v, &jar, &user, false, None, None, &[], Some("enroll"));
+    };
+    security_view(&v, &jar, &user, true, Some(&qr), Some(&secret), &[], None)
+}
+
+/// Verify the first code against the staged secret; on success flip 2FA on and
+/// show the one-time backup codes. On a wrong code, re-show the QR to retry.
+#[debug_handler]
+async fn confirm_totp(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+    Form(form): Form<ConfirmTotpForm>,
+) -> Result<Response> {
+    let Ok(user) = require_customer(&ctx, &jar).await else {
+        return format::redirect("/login");
+    };
+    if user.totp_enabled() {
+        return security_view(&v, &jar, &user, false, None, None, &[], None);
+    }
+    if !user.verify_totp_code(&form.code) {
+        let qr = user.totp_provisioning();
+        let (qr, secret) = match &qr {
+            Some((q, s)) => (Some(q.as_str()), Some(s.as_str())),
+            None => (None, None),
+        };
+        return security_view(&v, &jar, &user, true, qr, secret, &[], Some("code"));
+    }
+    let (user, backup_codes) = user.into_active_model().enable_totp(&ctx.db).await?;
+    security_view(&v, &jar, &user, false, None, None, &backup_codes, None)
+}
+
+/// Turn 2FA off — requires the account password as confirmation.
+#[debug_handler]
+async fn disable_totp(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+    Form(form): Form<PasswordConfirmForm>,
+) -> Result<Response> {
+    let Ok(user) = require_customer(&ctx, &jar).await else {
+        return format::redirect("/login");
+    };
+    if !user.totp_enabled() {
+        return security_view(&v, &jar, &user, false, None, None, &[], None);
+    }
+    if !user.verify_password(&form.current_password) {
+        return security_view(&v, &jar, &user, false, None, None, &[], Some("password"));
+    }
+    let user = user.into_active_model().disable_totp(&ctx.db).await?;
+    security_view(&v, &jar, &user, false, None, None, &[], None)
+}
+
+/// Issue a fresh set of backup codes (invalidating the old ones) — also gated by
+/// the account password.
+#[debug_handler]
+async fn regenerate_backup_codes(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+    Form(form): Form<PasswordConfirmForm>,
+) -> Result<Response> {
+    let Ok(user) = require_customer(&ctx, &jar).await else {
+        return format::redirect("/login");
+    };
+    if !user.totp_enabled() {
+        return security_view(&v, &jar, &user, false, None, None, &[], None);
+    }
+    if !user.verify_password(&form.current_password) {
+        return security_view(&v, &jar, &user, false, None, None, &[], Some("password"));
+    }
+    let (user, backup_codes) =
+        user.into_active_model().regenerate_backup_codes(&ctx.db).await?;
+    security_view(&v, &jar, &user, false, None, None, &backup_codes, None)
+}
+
 pub fn routes() -> Routes {
     Routes::new()
         .add("/account/profile", get(profile_page))
@@ -371,4 +542,9 @@ pub fn routes() -> Routes {
         .add("/account/orders/{order_number}", get(order_detail_page))
         .add("/account/password", get(change_password_page))
         .add("/account/password", post(change_password))
+        .add("/account/security", get(security_page))
+        .add("/account/security/enable", post(enable_totp))
+        .add("/account/security/confirm", post(confirm_totp))
+        .add("/account/security/disable", post(disable_totp))
+        .add("/account/security/backup-codes", post(regenerate_backup_codes))
 }

src/controllers/admin_categories.rs

@@ -49,10 +49,6 @@ async fn parse_category_fields(
         .text("name")
         .ok_or_else(|| Error::BadRequest("category name is required".to_string()))?;
     let description = form.text("description");
-    let position = form
-        .text("position")
-        .and_then(|s| s.parse::<i32>().ok())
-        .unwrap_or(0);
     let published = form.checked("published");
 
     // Resolve the chosen parent, rejecting cycles: a category may not be its
@@ -81,6 +77,28 @@ async fn parse_category_fields(
         None => None,
     };
 
+    // Position is optional: an explicit value sorts the category among its
+    // siblings, but a blank field appends it to the end of its parent's group
+    // (one past the current max), so new categories land last instead of first.
+    let position = match form.text("position").and_then(|s| s.parse::<i32>().ok()) {
+        Some(explicit) => explicit,
+        None => {
+            let mut query = categories::Entity::find();
+            query = match parent_id {
+                Some(pid) => query.filter(categories::Column::ParentId.eq(pid)),
+                None => query.filter(categories::Column::ParentId.is_null()),
+            };
+            query
+                .all(&ctx.db)
+                .await?
+                .iter()
+                .filter(|c| Some(c.id) != current_id)
+                .map(|c| c.position)
+                .max()
+                .map_or(0, |max| max + 1)
+        }
+    };
+
     let desired = form
         .text("slug")
         .map(|s| slugify(&s))

src/controllers/auth.rs

@@ -13,6 +13,13 @@ use time::Duration as TimeDuration;
 
 pub static EMAIL_DOMAIN_RE: OnceLock<Regex> = OnceLock::new();
 pub(crate) const AUTH_COOKIE: &str = "auth_token";
+/// Short-lived cookie that carries a half-authenticated session between the
+/// password step and the TOTP step. It is a *separate* name from `auth_token`
+/// on purpose: the auth guards only read `auth_token`, so this cookie can never
+/// authenticate a request on its own — it only proves the password step passed.
+pub(crate) const TOTP_PENDING_COOKIE: &str = "totp_pending";
+/// How long the user has to enter their 2FA code after the password step.
+pub(crate) const TOTP_PENDING_TTL_SECS: u64 = 300;
 
 fn get_allow_email_domain_re() -> &'static Regex {
     EMAIL_DOMAIN_RE.get_or_init(|| {
@@ -38,6 +45,24 @@ pub(crate) fn clear_auth_cookie() -> Cookie<'static> {
         .build()
 }
 
+pub(crate) fn totp_pending_cookie(token: &str, max_age_seconds: u64) -> Cookie<'static> {
+    Cookie::build((TOTP_PENDING_COOKIE, token.to_string()))
+        .path("/")
+        .http_only(true)
+        .same_site(SameSite::Lax)
+        .max_age(TimeDuration::seconds(max_age_seconds as i64))
+        .build()
+}
+
+pub(crate) fn clear_totp_pending_cookie() -> Cookie<'static> {
+    Cookie::build((TOTP_PENDING_COOKIE, ""))
+        .path("/")
+        .http_only(true)
+        .same_site(SameSite::Lax)
+        .max_age(TimeDuration::seconds(0))
+        .build()
+}
+
 #[derive(Debug, Deserialize, Serialize)]
 pub struct ForgotParams {
     pub email: String,

src/controllers/auth_pages.rs

@@ -85,6 +85,23 @@ async fn login(
     }
 
     let jwt_secret = ctx.config.get_jwt_config()?;
+
+    // If the user opted into 2FA, the password is only the first factor: don't
+    // issue the real auth cookie yet. Hand out a short-lived, separate "pending"
+    // cookie and send them to the code-entry page. Everyone without 2FA logs in
+    // in a single step exactly as before.
+    if user.totp_enabled() {
+        let pending = user
+            .generate_jwt(&jwt_secret.secret, auth_controller::TOTP_PENDING_TTL_SECS)
+            .or_else(|_| unauthorized("unauthorized!"))?;
+        return format::render()
+            .cookies(&[auth_controller::totp_pending_cookie(
+                &pending,
+                auth_controller::TOTP_PENDING_TTL_SECS,
+            )])?
+            .redirect("/login/totp");
+    }
+
     let token = user
         .generate_jwt(&jwt_secret.secret, jwt_secret.expiration)
         .or_else(|_| unauthorized("unauthorized!"))?;
@@ -94,6 +111,89 @@ async fn login(
         .redirect(home_for(&ctx, &user))
 }
 
+/// Resolve the user behind a valid, unexpired `totp_pending` cookie. Returns
+/// `None` (never errors) when the cookie is missing, malformed, or expired —
+/// the caller bounces such requests back to `/login`.
+async fn user_from_pending(ctx: &AppContext, jar: &CookieJar) -> Option<users::Model> {
+    let cookie = jar.get(auth_controller::TOTP_PENDING_COOKIE)?;
+    let jwt_config = ctx.config.get_jwt_config().ok()?;
+    let claims = loco_rs::auth::jwt::JWT::new(&jwt_config.secret)
+        .validate(cookie.value())
+        .ok()?;
+    let user = users::Model::find_by_pid(&ctx.db, &claims.claims.pid).await.ok()?;
+    // Defend against a stale pending cookie outliving a 2FA disable.
+    user.totp_enabled().then_some(user)
+}
+
+fn login_totp_view(v: &TeraView, jar: &CookieJar, error: Option<&str>) -> Result<Response> {
+    format::view(
+        v,
+        "auth/login_totp.html",
+        json!({
+            "error": error,
+            "logged_in_admin": false,
+            "lang": current_lang(jar),
+        }),
+    )
+}
+
+#[debug_handler]
+async fn login_totp_page(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+) -> Result<Response> {
+    if user_from_pending(&ctx, &jar).await.is_none() {
+        return format::redirect("/login");
+    }
+    login_totp_view(&v, &jar, None)
+}
+
+/// Second login factor. Accepts either a 6-digit authenticator code or one of
+/// the one-time backup codes (auto-detected by length). On success the pending
+/// cookie is cleared and the real `auth_token` is issued.
+#[derive(Debug, serde::Deserialize)]
+struct TotpLoginForm {
+    code: String,
+}
+
+#[debug_handler]
+async fn login_totp(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+    Form(form): Form<TotpLoginForm>,
+) -> Result<Response> {
+    let Some(user) = user_from_pending(&ctx, &jar).await else {
+        return format::redirect("/login");
+    };
+
+    let code = form.code.trim();
+    let via_totp = user.verify_totp_code(code);
+    let via_backup = !via_totp && user.matches_backup_code(code);
+
+    if !via_totp && !via_backup {
+        return login_totp_view(&v, &jar, Some("invalid"));
+    }
+
+    // A used backup code must be burned so it can't be replayed.
+    if via_backup {
+        user.clone().into_active_model().consume_backup_code(&ctx.db, code).await?;
+    }
+
+    let jwt_secret = ctx.config.get_jwt_config()?;
+    let token = user
+        .generate_jwt(&jwt_secret.secret, jwt_secret.expiration)
+        .or_else(|_| unauthorized("unauthorized!"))?;
+
+    format::render()
+        .cookies(&[
+            auth_controller::auth_cookie(&token, jwt_secret.expiration),
+            auth_controller::clear_totp_pending_cookie(),
+        ])?
+        .redirect(home_for(&ctx, &user))
+}
+
 #[debug_handler]
 async fn register_page(
     jar: CookieJar,
@@ -366,6 +466,8 @@ pub fn routes() -> Routes {
     Routes::new()
         .add("/login", get(login_page))
         .add("/login", post(login))
+        .add("/login/totp", get(login_totp_page))
+        .add("/login/totp", post(login_totp))
         .add("/register", get(register_page))
         .add("/register", post(register))
         .add("/verify/{token}", get(verify))

src/controllers/checkout.rs

@@ -132,6 +132,10 @@ async fn checkout_page(
             "packeta_api_key": settings::get(&ctx, "packeta_api_key").unwrap_or(""),
             "logged_in_admin": is_admin,
             "logged_in_customer": is_customer,
+            // Required by the navbar profile menu (base.html includes it whenever
+            // logged_in_customer is true); None for admins/guests.
+            "customer_name": user.as_ref().filter(|_| is_customer).map(|u| u.name.clone()),
+            "customer_account_type": user.as_ref().filter(|_| is_customer).map(|u| u.account_type.clone()),
             "profile_filled": profile_filled,
             // A logged-in customer's account type is fixed; only guests pick it
             // and may opt to create an account from the order.

src/fixtures/users.yaml

@@ -6,6 +6,7 @@
   api_key: lo-95ec80d7-cb60-4b70-9b4b-9ef74cb88758
   name: user1
   theme: light
+  account_type: personal
   created_at: "2023-11-12T12:34:56.789Z"
   updated_at: "2023-11-12T12:34:56.789Z"
 - id: 3
@@ -15,5 +16,6 @@
   api_key: lo-153561ca-fa84-4e1b-813a-c62526d0a77e
   name: user2
   theme: light
+  account_type: personal
   created_at: "2023-11-12T12:34:56.789Z"
   updated_at: "2023-11-12T12:34:56.789Z"

src/initializers/view_engine.rs

@@ -6,6 +6,7 @@ use loco_rs::{
     controller::views::{engines, ViewEngine},
     Error, Result,
 };
+use std::collections::HashMap;
 use tracing::info;
 
 const I18N_DIR: &str = "assets/i18n";
@@ -23,7 +24,9 @@ impl Initializer for ViewEngineInitializer {
     }
 
     async fn after_routes(&self, router: AxumRouter, _ctx: &AppContext) -> Result<AxumRouter> {
-        let tera_engine = if std::path::Path::new(I18N_DIR).exists() {
+        // Load locales only if present; `t` is registered conditionally below so
+        // the single post-process closure covers both cases.
+        let locales = if std::path::Path::new(I18N_DIR).exists() {
             let arc = std::sync::Arc::new(
                 ArcLoader::builder(&I18N_DIR, unic_langid::langid!("sk"))
                     .shared_resources(Some(&[I18N_SHARED.into()]))
@@ -32,15 +35,28 @@ impl Initializer for ViewEngineInitializer {
                     .map_err(|e| Error::string(&e.to_string()))?,
             );
             info!("locales loaded");
-
+            Some(arc)
-            engines::TeraView::build()?.post_process(move |tera| {
-                tera.register_function("t", FluentLoader::new(arc.clone()));
-                Ok(())
-            })?
         } else {
-            engines::TeraView::build()?
+            None
         };
 
+        let tera_engine = engines::TeraView::build()?.post_process(move |tera| {
+            if let Some(arc) = &locales {
+                tera.register_function("t", FluentLoader::new(arc.clone()));
+            }
+            // `csrf_token()`: the in-flight request's CSRF token (bound by
+            // `shared::csrf::protect`), rendered into `<body hx-headers>` and
+            // `ui::csrf_field()`. Inlined so its `tera::Error` return is inferred
+            // from `register_function` — we never name a `tera` type, keeping it
+            // off our direct deps and pinned to loco's.
+            tera.register_function("csrf_token", |_args: &HashMap<String, serde_json::Value>| {
+                Ok(serde_json::Value::String(
+                    crate::shared::csrf::current_token().unwrap_or_default(),
+                ))
+            });
+            Ok(())
+        })?;
+
         Ok(router.layer(Extension(ViewEngine::from(tera_engine))))
     }
 }

src/models/_entities/users.rs

@@ -26,6 +26,9 @@ pub struct Model {
     pub magic_link_expiration: Option<DateTimeWithTimeZone>,
     pub theme: String,
     pub account_type: String,
+    pub totp_secret: Option<String>,
+    pub totp_enabled_at: Option<DateTimeWithTimeZone>,
+    pub totp_backup_codes: Option<String>,
 }
 
 #[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]

src/models/users.rs

@@ -5,6 +5,7 @@ use loco_rs::{auth::jwt, hash, prelude::*};
 use passwords::PasswordGenerator;
 use serde::{Deserialize, Serialize};
 use serde_json::Map;
+use totp_rs::{Algorithm, Secret, TOTP};
 use uuid::Uuid;
 
 use crate::models::_entities::o_auth2_sessions;
@@ -16,6 +17,45 @@ pub const MAGIC_LINK_EXPIRATION_MIN: i8 = 5;
 /// Minimum gap between verification-email resends for one account, in seconds.
 pub const VERIFICATION_RESEND_COOLDOWN_SECS: i64 = 60;
 
+// TODO(security): `users.totp_secret` is stored as a PLAINTEXT base32 string.
+// Unlike `password` (a one-way hash) the TOTP secret must be kept in reversible
+// form — the server needs the original value to recompute codes — so it is
+// effectively password-equivalent: anyone who can read this column can mint
+// valid 2FA codes for that user. It is deliberately left in plaintext for now
+// and treated like the app's other server-side secrets (e.g. the SMTP password,
+// kept out of the DB entirely). When secrets get a proper at-rest story, encrypt
+// this column with a key held OUTSIDE the database (env / `pass`), decrypting
+// only in memory. The single read/write site is `build_totp` +
+// `begin_totp_enrollment` below; `totp_backup_codes` are already hashed and need
+// no change. Grep `TODO(security)` to find this.
+
+/// TOTP (Google Authenticator) parameters. These are the values Google
+/// Authenticator assumes; it ignores anything else encoded in the otpauth URL,
+/// so they must stay SHA1 / 6 digits / 30s or codes won't match.
+const TOTP_ISSUER: &str = "Kompress";
+const TOTP_DIGITS: usize = 6;
+/// Accept codes ±1 time-step (~30s) to tolerate client/server clock drift.
+const TOTP_SKEW: u8 = 1;
+const TOTP_STEP: u64 = 30;
+/// Number of one-time recovery codes generated when 2FA is enabled.
+pub const TOTP_BACKUP_CODE_COUNT: usize = 8;
+
+/// Build a [`TOTP`] from a stored base32 secret and the account label (email).
+/// Returns `None` if the secret can't be decoded.
+fn build_totp(secret_base32: &str, account: &str) -> Option<TOTP> {
+    let bytes = Secret::Encoded(secret_base32.to_string()).to_bytes().ok()?;
+    TOTP::new(
+        Algorithm::SHA1,
+        TOTP_DIGITS,
+        TOTP_SKEW,
+        TOTP_STEP,
+        bytes,
+        Some(TOTP_ISSUER.to_string()),
+        account.to_string(),
+    )
+    .ok()
+}
+
 #[derive(Debug, Deserialize, Serialize)]
 pub struct LoginParams {
     pub email: String,
@@ -241,6 +281,68 @@ impl Model {
         self.account_type == "company"
     }
 
+    /// Whether two-factor auth is active for this account. This is the single
+    /// source of truth used by the login flow: a secret may be present during a
+    /// half-finished enrollment, but 2FA only gates login once it is *confirmed*
+    /// (which is what sets `totp_enabled_at`).
+    #[must_use]
+    pub fn totp_enabled(&self) -> bool {
+        self.totp_enabled_at.is_some()
+    }
+
+    /// Build the [`TOTP`] for this user from its stored secret, if any.
+    fn totp(&self) -> Option<TOTP> {
+        let secret = self.totp_secret.as_deref()?;
+        build_totp(secret, &self.email)
+    }
+
+    /// A `data:image/png;base64,...` QR for the *pending* secret plus the secret
+    /// itself (shown as a manual-entry fallback). Used on the enrollment page.
+    /// Returns `None` if no secret is staged or QR rendering fails.
+    #[must_use]
+    pub fn totp_provisioning(&self) -> Option<(String, String)> {
+        let totp = self.totp()?;
+        let qr = totp.get_qr_base64().ok()?;
+        Some((
+            format!("data:image/png;base64,{qr}"),
+            self.totp_secret.clone()?,
+        ))
+    }
+
+    /// Verify a 6-digit authenticator code against the stored secret. Returns
+    /// false if no secret is staged or the code is wrong. Works both during
+    /// enrollment confirmation and at login.
+    #[must_use]
+    pub fn verify_totp_code(&self, code: &str) -> bool {
+        let code = code.trim().replace(' ', "");
+        self.totp()
+            .and_then(|t| t.check_current(&code).ok())
+            .unwrap_or(false)
+    }
+
+    /// Whether `code` matches one of the still-unused backup codes.
+    #[must_use]
+    pub fn matches_backup_code(&self, code: &str) -> bool {
+        let code = code.trim().replace([' ', '-'], "");
+        self.backup_code_hashes()
+            .iter()
+            .any(|h| hash::verify_password(&code, h))
+    }
+
+    /// The stored hashed backup codes (empty if none).
+    fn backup_code_hashes(&self) -> Vec<String> {
+        self.totp_backup_codes
+            .as_deref()
+            .and_then(|s| serde_json::from_str::<Vec<String>>(s).ok())
+            .unwrap_or_default()
+    }
+
+    /// How many unused backup codes remain.
+    #[must_use]
+    pub fn backup_codes_remaining(&self) -> usize {
+        self.backup_code_hashes().len()
+    }
+
     /// Seconds the user must still wait before another verification email may be
     /// sent — 0 means a resend is allowed now. Throttling resends off the last
     /// `email_verification_sent_at` keeps the endpoint from being an easy way to
@@ -446,6 +548,96 @@ impl ActiveModel {
         self.magic_link_expiration = ActiveValue::set(None);
         self.update(db).await.map_err(ModelError::from)
     }
+
+    /// Stage a fresh TOTP secret for enrollment. This does **not** turn 2FA on —
+    /// `totp_enabled_at` stays null until the user proves they scanned it by
+    /// confirming a code (see [`Self::enable_totp`]). Any previously staged
+    /// secret/backup codes are discarded so re-enrolling always starts clean.
+    pub async fn begin_totp_enrollment(mut self, db: &DatabaseConnection) -> ModelResult<Model> {
+        let secret = match Secret::generate_secret().to_encoded() {
+            Secret::Encoded(s) => s,
+            // generate_secret() always yields raw bytes that encode cleanly.
+            Secret::Raw(_) => unreachable!("to_encoded() returns Encoded"),
+        };
+        self.totp_secret = ActiveValue::set(Some(secret));
+        self.totp_enabled_at = ActiveValue::set(None);
+        self.totp_backup_codes = ActiveValue::set(None);
+        self.update(db).await.map_err(ModelError::from)
+    }
+
+    /// Confirm enrollment and switch 2FA on. The caller must have already
+    /// verified a code against the staged secret. Generates and stores hashed
+    /// one-time backup codes and returns the plaintext codes to display **once**.
+    pub async fn enable_totp(
+        mut self,
+        db: &DatabaseConnection,
+    ) -> ModelResult<(Model, Vec<String>)> {
+        let (plain, hashes) = generate_backup_codes()?;
+        let encoded = serde_json::to_string(&hashes).map_err(|e| ModelError::Any(e.into()))?;
+        self.totp_enabled_at = ActiveValue::set(Some(Local::now().into()));
+        self.totp_backup_codes = ActiveValue::set(Some(encoded));
+        let model = self.update(db).await.map_err(ModelError::from)?;
+        Ok((model, plain))
+    }
+
+    /// Turn 2FA off and wipe all TOTP state. Callers gate this behind a fresh
+    /// confirmation (password or a current code).
+    pub async fn disable_totp(mut self, db: &DatabaseConnection) -> ModelResult<Model> {
+        self.totp_secret = ActiveValue::set(None);
+        self.totp_enabled_at = ActiveValue::set(None);
+        self.totp_backup_codes = ActiveValue::set(None);
+        self.update(db).await.map_err(ModelError::from)
+    }
+
+    /// Remove a used backup code from the stored set so it can't be reused.
+    /// `code` is matched against the remaining hashes; a no-op if it doesn't
+    /// match (the caller decides whether a match was required).
+    pub async fn consume_backup_code(
+        mut self,
+        db: &DatabaseConnection,
+        code: &str,
+    ) -> ModelResult<Model> {
+        let code = code.trim().replace([' ', '-'], "");
+        let current: Vec<String> = match self.totp_backup_codes.as_ref() {
+            Some(s) => serde_json::from_str(s.as_str()).unwrap_or_default(),
+            None => Vec::new(),
+        };
+        let remaining: Vec<String> = current
+            .into_iter()
+            .filter(|h| !hash::verify_password(&code, h))
+            .collect();
+        let encoded = serde_json::to_string(&remaining).map_err(|e| ModelError::Any(e.into()))?;
+        self.totp_backup_codes = ActiveValue::set(Some(encoded));
+        self.update(db).await.map_err(ModelError::from)
+    }
+
+    /// Replace the backup codes with a fresh set (e.g. after the user used some).
+    /// Only meaningful while 2FA is enabled; returns the new plaintext codes.
+    pub async fn regenerate_backup_codes(
+        mut self,
+        db: &DatabaseConnection,
+    ) -> ModelResult<(Model, Vec<String>)> {
+        let (plain, hashes) = generate_backup_codes()?;
+        let encoded = serde_json::to_string(&hashes).map_err(|e| ModelError::Any(e.into()))?;
+        self.totp_backup_codes = ActiveValue::set(Some(encoded));
+        let model = self.update(db).await.map_err(ModelError::from)?;
+        Ok((model, plain))
+    }
+}
+
+/// Generate `TOTP_BACKUP_CODE_COUNT` recovery codes, returning
+/// `(plaintext, hashes)`. Only the hashes are persisted; the plaintext is shown
+/// to the user once and never stored.
+fn generate_backup_codes() -> ModelResult<(Vec<String>, Vec<String>)> {
+    let mut plain = Vec::with_capacity(TOTP_BACKUP_CODE_COUNT);
+    let mut hashes = Vec::with_capacity(TOTP_BACKUP_CODE_COUNT);
+    for _ in 0..TOTP_BACKUP_CODE_COUNT {
+        let code = hash::random_string(10).to_lowercase();
+        let hashed = hash::hash_password(&code).map_err(|e| ModelError::Any(e.into()))?;
+        plain.push(code);
+        hashes.push(hashed);
+    }
+    Ok((plain, hashes))
 }
 
 /// Google OpenID Connect user profile (the fields our scopes request).

src/shared/csrf.rs

@@ -0,0 +1,304 @@
+//! Stateless CSRF protection (signed double-submit cookie).
+//!
+//! Authentication is cookie-based (the `auth_token` JWT cookie, see
+//! [`crate::shared::guard`]), so any state-changing request the browser can be
+//! tricked into making carries the victim's credentials. `SameSite=Lax` on the
+//! auth cookie already blocks the cross-site *form* POST case; this layer is the
+//! defense-in-depth on top of it.
+//!
+//! ## How it works
+//! On every safe request we ensure the browser holds a `csrf_token` cookie whose
+//! value is `<random>.<hmac>` — the HMAC is keyed by the app's JWT secret, so the
+//! server can recognise its own tokens without storing any per-session state
+//! (no session table, survives restarts and multiple instances). On every unsafe
+//! request ([`protect`]) the same token must be echoed back, either as the
+//! `X-CSRF-Token` header (htmx requests) or a `_csrf` form field (native
+//! `<form>` submits, which cannot set a custom header). Because a cross-origin
+//! attacker can neither read the cookie nor forge a valid signature, they cannot
+//! produce a matching echo.
+//!
+//! The browser side lives in the two base templates (`base.html`,
+//! `admin/base.html`): an `htmx:configRequest` hook adds the header and a
+//! `submit` hook injects the hidden `_csrf` field.
+//!
+//! `/api/*` is exempt: that subtree is the token-authenticated JSON API and the
+//! OAuth2 callback, neither of which is driven by the browser session cookie.
+
+use axum::{
+    body::{to_bytes, Body},
+    extract::{Request, State},
+    http::{header, Method, StatusCode},
+    middleware::Next,
+    response::{IntoResponse, Response},
+};
+use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite};
+use bytes::Bytes;
+use hmac::{Hmac, Mac};
+use loco_rs::prelude::*;
+use sha2::Sha256;
+use subtle::ConstantTimeEq;
+use time::Duration as TimeDuration;
+use uuid::Uuid;
+
+/// Cookie that holds the signed token. Deliberately *not* `HttpOnly`: the page
+/// JS has to read it to echo it back in the header / hidden field.
+pub const CSRF_COOKIE: &str = "csrf_token";
+/// Header carrying the echoed token on htmx (and any scripted) requests.
+pub const CSRF_HEADER: &str = "x-csrf-token";
+/// Hidden form field carrying the echoed token on native `<form>` submits.
+pub const CSRF_FIELD: &str = "_csrf";
+
+/// Cookie lifetime. Long enough to outlast a normal browsing session; the token
+/// only needs to be stable, not short-lived (it is not a credential on its own).
+const COOKIE_MAX_AGE_SECS: i64 = 60 * 60 * 24 * 14;
+/// Upper bound on a body we will buffer to find the `_csrf` field. Covers the
+/// largest native multipart submit (a 10 MiB image upload plus the other
+/// fields); anything bigger is rejected rather than buffered.
+const MAX_BODY_BYTES: usize = 16 * 1024 * 1024;
+
+tokio::task_local! {
+    /// CSRF token bound to the in-flight request. [`protect`] sets it so the
+    /// `csrf_token()` Tera function can render it into pages (the `hx-headers`
+    /// on `<body>` and the `ui::csrf_field()` hidden input) without every
+    /// controller having to thread it through the view context.
+    static REQUEST_TOKEN: String;
+}
+
+/// The CSRF token for the current request task, if one is bound. Returns `None`
+/// outside a request (e.g. a mailer rendering a template). Used by the
+/// `csrf_token()` Tera function registered in the view engine.
+#[must_use]
+pub fn current_token() -> Option<String> {
+    REQUEST_TOKEN.try_with(String::clone).ok()
+}
+
+type HmacSha256 = Hmac<Sha256>;
+
+fn to_hex(bytes: &[u8]) -> String {
+    let mut s = String::with_capacity(bytes.len() * 2);
+    for b in bytes {
+        s.push_str(&format!("{b:02x}"));
+    }
+    s
+}
+
+/// HMAC-SHA256 of the random part, keyed by the app secret.
+fn sign(secret: &str, random: &str) -> String {
+    let mut mac =
+        HmacSha256::new_from_slice(secret.as_bytes()).expect("HMAC accepts a key of any length");
+    mac.update(random.as_bytes());
+    to_hex(&mac.finalize().into_bytes())
+}
+
+/// Mint a fresh `<random>.<hmac>` token.
+pub fn make_token(secret: &str) -> String {
+    let random = Uuid::new_v4().simple().to_string();
+    let sig = sign(secret, &random);
+    format!("{random}.{sig}")
+}
+
+/// True when `token` is well-formed and its signature is the one this server
+/// would produce — i.e. it is one of *our* tokens, not an attacker-injected one.
+fn signature_valid(secret: &str, token: &str) -> bool {
+    let Some((random, sig)) = token.split_once('.') else {
+        return false;
+    };
+    let expected = sign(secret, random);
+    expected.as_bytes().ct_eq(sig.as_bytes()).into()
+}
+
+/// Constant-time equality of two full tokens (the double-submit comparison).
+fn tokens_match(a: &str, b: &str) -> bool {
+    a.as_bytes().ct_eq(b.as_bytes()).into()
+}
+
+fn issue_cookie(token: String) -> Cookie<'static> {
+    Cookie::build((CSRF_COOKIE, token))
+        .path("/")
+        .http_only(false)
+        .same_site(SameSite::Lax)
+        .max_age(TimeDuration::seconds(COOKIE_MAX_AGE_SECS))
+        .build()
+}
+
+fn forbidden(reason: &str) -> Response {
+    tracing::debug!(reason, "CSRF check rejected request");
+    (StatusCode::FORBIDDEN, "CSRF validation failed").into_response()
+}
+
+/// Attach the given token to an outgoing response as the `csrf_token` cookie.
+fn attach_cookie(res: &mut Response, token: &str) {
+    let cookie = issue_cookie(token.to_string());
+    if let Ok(value) = cookie.encoded().to_string().parse() {
+        res.headers_mut().append(header::SET_COOKIE, value);
+    }
+}
+
+/// Pull the `_csrf` value out of an `application/x-www-form-urlencoded` body.
+fn field_from_urlencoded(bytes: &[u8]) -> Option<String> {
+    form_urlencoded::parse(bytes)
+        .find(|(k, _)| k == CSRF_FIELD)
+        .map(|(_, v)| v.into_owned())
+}
+
+/// Pull the `_csrf` value out of a `multipart/form-data` body. Parses a *copy*
+/// of the buffered bytes purely to read the field; the original bytes are still
+/// forwarded to the handler unchanged.
+async fn field_from_multipart(content_type: &str, bytes: Bytes) -> Option<String> {
+    let boundary = multer::parse_boundary(content_type).ok()?;
+    let stream = futures_util::stream::once(async move { Ok::<_, std::io::Error>(bytes) });
+    let mut multipart = multer::Multipart::new(stream, boundary);
+    while let Ok(Some(field)) = multipart.next_field().await {
+        if field.name() == Some(CSRF_FIELD) {
+            return field.text().await.ok();
+        }
+    }
+    None
+}
+
+/// CSRF enforcement middleware. Safe methods get a token cookie (minted if
+/// missing); unsafe methods must echo a valid, matching token. See the module
+/// docs for the full scheme.
+pub async fn protect(
+    State(ctx): State<AppContext>,
+    jar: CookieJar,
+    req: Request,
+    next: Next,
+) -> Response {
+    // The token is keyed by the JWT secret. If no secret is configured we cannot
+    // validate, so fail open rather than 403 the whole site — the same secret is
+    // already required for auth to work at all.
+    let Ok(jwt) = ctx.config.get_jwt_config() else {
+        return next.run(req).await;
+    };
+    let secret = jwt.secret.clone();
+
+    // The token the browser currently holds, accepted only if untampered.
+    let cookie_token = jar
+        .get(CSRF_COOKIE)
+        .map(|c| c.value().to_string())
+        .filter(|t| signature_valid(&secret, t));
+
+    let is_safe = matches!(
+        *req.method(),
+        Method::GET | Method::HEAD | Method::OPTIONS | Method::TRACE
+    );
+    // Token-auth JSON API + OAuth2 callback: not browser-cookie-driven.
+    let exempt = req.uri().path().starts_with("/api/");
+
+    if is_safe || exempt {
+        // Bind a token for the page to render even on the very first visit, and
+        // persist that same token in the cookie so the later submit matches.
+        let token = cookie_token.clone().unwrap_or_else(|| make_token(&secret));
+        let mut res = REQUEST_TOKEN.scope(token.clone(), next.run(req)).await;
+        if cookie_token.is_none() {
+            attach_cookie(&mut res, &token);
+        }
+        return res;
+    }
+
+    // ---- unsafe, non-exempt: require a valid double-submit ----
+    let Some(expected) = cookie_token else {
+        return forbidden("missing or tampered CSRF cookie");
+    };
+
+    // htmx and other scripted requests send the token as a header; prefer it so
+    // we never have to touch the body.
+    let header_token = req
+        .headers()
+        .get(CSRF_HEADER)
+        .and_then(|v| v.to_str().ok())
+        .map(str::to_string);
+    if let Some(header_token) = header_token {
+        if tokens_match(&header_token, &expected) {
+            return REQUEST_TOKEN.scope(expected, next.run(req)).await;
+        }
+        return forbidden("CSRF header did not match cookie");
+    }
+
+    // Native <form> submit: the token is a `_csrf` body field. Buffer the body,
+    // read the field from a copy, then forward the original bytes untouched.
+    let content_type = req
+        .headers()
+        .get(header::CONTENT_TYPE)
+        .and_then(|v| v.to_str().ok())
+        .unwrap_or("")
+        .to_string();
+
+    let (parts, body) = req.into_parts();
+    let Ok(bytes) = to_bytes(body, MAX_BODY_BYTES).await else {
+        return forbidden("request body too large to validate CSRF");
+    };
+
+    let submitted = if content_type.starts_with("application/x-www-form-urlencoded") {
+        field_from_urlencoded(&bytes)
+    } else if content_type.starts_with("multipart/form-data") {
+        field_from_multipart(&content_type, bytes.clone()).await
+    } else {
+        None
+    };
+
+    let valid = submitted
+        .as_deref()
+        .is_some_and(|t| tokens_match(t, &expected));
+    if !valid {
+        return forbidden("missing or non-matching CSRF form field");
+    }
+
+    let req = Request::from_parts(parts, Body::from(bytes));
+    REQUEST_TOKEN.scope(expected, next.run(req)).await
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    const SECRET: &str = "test-secret";
+
+    #[test]
+    fn fresh_token_validates() {
+        let token = make_token(SECRET);
+        assert!(signature_valid(SECRET, &token));
+    }
+
+    #[test]
+    fn tampered_or_foreign_token_rejected() {
+        let token = make_token(SECRET);
+        // Flip the random part but keep the old signature.
+        let (_, sig) = token.split_once('.').unwrap();
+        let forged = format!("{}.{sig}", Uuid::new_v4().simple());
+        assert!(!signature_valid(SECRET, &forged));
+        // A token minted under a different secret is not ours.
+        assert!(!signature_valid(SECRET, &make_token("other-secret")));
+        // Malformed input never validates.
+        assert!(!signature_valid(SECRET, "no-dot-here"));
+    }
+
+    #[test]
+    fn double_submit_compare() {
+        let token = make_token(SECRET);
+        assert!(tokens_match(&token, &token.clone()));
+        assert!(!tokens_match(&token, &make_token(SECRET)));
+    }
+
+    #[test]
+    fn extract_field_from_urlencoded() {
+        let body = b"email=a%40b.com&_csrf=abc.def&password=x";
+        assert_eq!(field_from_urlencoded(body), Some("abc.def".to_string()));
+        assert_eq!(field_from_urlencoded(b"email=x"), None);
+    }
+
+    #[tokio::test]
+    async fn extract_field_from_multipart() {
+        let boundary = "X-BOUNDARY";
+        let content_type = format!("multipart/form-data; boundary={boundary}");
+        let body = format!(
+            "--{b}\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nWidget\r\n\
+             --{b}\r\nContent-Disposition: form-data; name=\"_csrf\"\r\n\r\nabc.def\r\n\
+             --{b}--\r\n",
+            b = boundary
+        );
+        let got = field_from_multipart(&content_type, Bytes::from(body)).await;
+        assert_eq!(got, Some("abc.def".to_string()));
+    }
+}

src/shared/mod.rs

@@ -1,5 +1,6 @@
 //! Cross-cutting helpers used across feature slices.
 
+pub mod csrf;
 pub mod guard;
 pub mod money;
 pub mod rbac;