percentage discounts

discounts
category creation fixed now
2026-06-21 22:41:30 +02:00 · 2026-06-21 22:33:47 +02:00 · 2026-06-21 20:38:28 +02:00 · 2026-06-21 20:19:58 +02:00 · 2026-06-21 20:09:57 +02:00 · 2026-06-21 18:22:21 +02:00
44 changed files with 958 additions and 42 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -2650,11 +2650,15 @@ dependencies = [
 "chrono",
 "dotenvy",
 "fluent-templates",
 "form_urlencoded",
 "futures-util",
 "hmac",
 "include_dir",
 "insta",
 "loco-oauth2",
 "loco-rs",
 "migration",
 "multer",
 "passwords",
 "regex",
 "reqwest",
@@ -2663,6 +2667,8 @@ dependencies = [
 "serde",
 "serde_json",
 "serial_test",
 "sha2",
 "subtle",
 "time",
 "tokio",
 "totp-rs",
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -51,6 +51,13 @@ passwords = "3.1.16"
 tower-sessions = "0.14"
 # TOTP (Google Authenticator) for optional two-factor auth
 totp-rs = { version = "5", features = ["qr", "gen_secret"] }
 # CSRF: HMAC-signed double-submit token + body inspection for the `_csrf` field
 hmac = { version = "0.12" }
 sha2 = { version = "0.10" }
 subtle = { version = "2.6" }
 form_urlencoded = { version = "1" }
 multer = { version = "3" }
 futures-util = { version = "0.3" }
 [[bin]]
 name = "kompress-eshop-cli"
--- a/assets/i18n/en/main.ftl
+++ b/assets/i18n/en/main.ftl
@@ -208,6 +208,24 @@ edit-category = Edit category
 product = Product
 name = Name
 price = Price
 sale-price = Sale price
 admin-discounts = Discounts
 admin-discounts-desc = Set discounted product prices. A discount shows up as a sale in the shop.
 on-sale = On sale
 no-discount = No discount
 discount = Discount
 set-discount = Set discount
 remove-discount = Remove discount
 discount-mode-fixed = Fixed price
 discount-mode-percent = Percentage
 discount-percent = Discount (%)
 discount-preview-before = Original price
 discount-preview-after = New price
 discount-preview-save = You save
 discount-invalid = Invalid price.
 discount-must-be-positive = The sale price must be greater than zero.
 discount-below-regular = The sale price must be below the regular price.
 discount-percent-range = The percentage must be between 0 and 100.
 stock = Stock
 sku = SKU
 currency = Currency
@@ -217,6 +235,8 @@ image = Image
 slug = URL slug
 slug-auto = generated automatically
 position = Position
 position-auto = added to the end
 position-hint = Sort order in the menu (lowest first). Leave blank to add it last.
 parent-category = Parent category
 no-parent = — None (top level) —
 quantity = Quantity
--- a/assets/i18n/sk/main.ftl
+++ b/assets/i18n/sk/main.ftl
@@ -208,6 +208,24 @@ edit-category = Upraviť kategóriu
 product = Produkt
 name = Názov
 price = Cena
 sale-price = Zľavnená cena
 admin-discounts = Zľavy
 admin-discounts-desc = Nastavte zľavnené ceny produktov. Zľava sa v obchode zobrazí ako akcia.
 on-sale = V akcii
 no-discount = Bez zľavy
 discount = Zľava
 set-discount = Nastaviť zľavu
 remove-discount = Zrušiť zľavu
 discount-mode-fixed = Pevná cena
 discount-mode-percent = Percentá
 discount-percent = Zľava (%)
 discount-preview-before = Pôvodná cena
 discount-preview-after = Nová cena
 discount-preview-save = Ušetríte
 discount-invalid = Neplatná cena.
 discount-must-be-positive = Zľavnená cena musí byť väčšia ako nula.
 discount-below-regular = Zľavnená cena musí byť nižšia ako bežná cena.
 discount-percent-range = Percento musí byť medzi 0 a 100.
 stock = Sklad
 sku = Kód (SKU)
 currency = Mena
@@ -217,6 +235,8 @@ image = Obrázok
 slug = URL adresa
 slug-auto = vygeneruje sa automaticky
 position = Poradie
 position-auto = pridá sa na koniec
 position-hint = Poradie v menu (najnižšie ako prvé). Nechajte prázdne a pridá sa na koniec.
 parent-category = Nadradená kategória
 no-parent = — Žiadna (najvyššia úroveň) —
 quantity = Množstvo
--- a/assets/static/css/app.css
+++ b/assets/static/css/app.css
--- a/assets/views/account/password.html
+++ b/assets/views/account/password.html
@@ -22,6 +22,7 @@
  <form method="post" action="/account/password" hx-boost="false" class="mt-6 flex flex-col gap-4"
    x-data="{ password: '', confirm: '' }">
  {{ ui::csrf_field() }}
    <div class="flex flex-col gap-1">
      <label for="current_password" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="password-current", lang=lang | default(value='sk')) }}</label>
      {{ ui::input(name="current_password", id="current_password", type="password", required=true, autocomplete="current-password") }}
--- a/assets/views/account/profile.html
+++ b/assets/views/account/profile.html
@@ -82,6 +82,7 @@
  <!-- edit form -->
  <form x-show="editing" x-cloak method="post" action="/account/profile" hx-boost="false" class="mt-6 space-y-6">
  {{ ui::csrf_field() }}
    <!-- account type is fixed at registration and shown read-only -->
    <fieldset class="space-y-2 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-type", lang=lang | default(value='sk')) }}</legend>
--- a/assets/views/account/security.html
+++ b/assets/views/account/security.html
@@ -39,6 +39,7 @@
      <code class="mt-1 inline-block break-all font-mono text-sm text-on-surface-strong dark:text-on-surface-dark-strong">{{ secret }}</code>
    </div>
    <form method="post" action="/account/security/confirm" hx-boost="false" class="flex flex-col gap-3">
  {{ ui::csrf_field() }}
      <label for="code" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="security-2fa-enter-code", lang=lang | default(value='sk')) }}</label>
      {{ ui::input(name="code", id="code", type="text", required=true, autocomplete="one-time-code", attrs='inputmode="numeric" pattern="[0-9]*" maxlength="6" autofocus') }}
      {{ ui::button(label=t(key="security-2fa-confirm", lang=lang | default(value='sk')), type="submit", extra="w-full") }}
@@ -53,6 +54,7 @@
  </div>
  <form method="post" action="/account/security/backup-codes" hx-boost="false" class="mt-6 flex flex-col gap-3 rounded-radius border border-outline bg-surface-alt p-5 dark:border-outline-dark dark:bg-surface-dark-alt">
  {{ ui::csrf_field() }}
    <p class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="security-2fa-regenerate", lang=lang | default(value='sk')) }}</p>
    <label for="regen_pw" class="text-sm text-on-surface dark:text-on-surface-dark">{{ t(key="password-current", lang=lang | default(value='sk')) }}</label>
    {{ ui::input(name="current_password", id="regen_pw", type="password", required=true, autocomplete="current-password") }}
@@ -60,6 +62,7 @@
  </form>
  <form method="post" action="/account/security/disable" hx-boost="false" class="mt-4 flex flex-col gap-3 rounded-radius border border-danger/40 bg-danger/5 p-5">
  {{ ui::csrf_field() }}
    <p class="text-sm font-medium text-danger">{{ t(key="security-2fa-disable", lang=lang | default(value='sk')) }}</p>
    <p class="text-xs text-on-surface dark:text-on-surface-dark">{{ t(key="security-2fa-disable-hint", lang=lang | default(value='sk')) }}</p>
    <label for="disable_pw" class="text-sm text-on-surface dark:text-on-surface-dark">{{ t(key="password-current", lang=lang | default(value='sk')) }}</label>
@@ -70,6 +73,7 @@
  {% else %}
  {# --- Disabled: offer to enable --- #}
  <form method="post" action="/account/security/enable" hx-boost="false" class="mt-6">
  {{ ui::csrf_field() }}
    <div class="flex items-center gap-2">
      {{ ui::badge(label=t(key="security-2fa-off", lang=lang | default(value='sk')), variant="neutral") }}
    </div>
--- a/assets/views/admin/base.html
+++ b/assets/views/admin/base.html
@@ -45,6 +45,7 @@
    <script defer src="/static/vendor/alpine/alpinejs-3.14.9.min.js"></script>
  </head>
  <body
    hx-headers='{"X-CSRF-Token": "{{ csrf_token() }}"}'
    x-data="{ showSidebar: false }"
    class="min-h-screen bg-surface text-on-surface antialiased dark:bg-surface-dark dark:text-on-surface-dark">
@@ -77,6 +78,10 @@
          class="flex items-center gap-2 rounded-radius px-2 py-1.5 text-sm font-medium text-on-surface underline-offset-2 transition hover:bg-primary/5 hover:text-on-surface-strong focus:outline-hidden focus-visible:underline aria-[current=page]:bg-primary/10 aria-[current=page]:text-on-surface-strong dark:text-on-surface-dark dark:hover:bg-primary-dark/5 dark:hover:text-on-surface-dark-strong dark:aria-[current=page]:bg-primary-dark/10 dark:aria-[current=page]:text-on-surface-dark-strong">
          {{ t(key="admin-products", lang=lang | default(value='sk')) }}
        </a>
        <a href="/admin/catalog/discounts" data-nav="/admin/catalog/discounts"
          class="flex items-center gap-2 rounded-radius px-2 py-1.5 text-sm font-medium text-on-surface underline-offset-2 transition hover:bg-primary/5 hover:text-on-surface-strong focus:outline-hidden focus-visible:underline aria-[current=page]:bg-primary/10 aria-[current=page]:text-on-surface-strong dark:text-on-surface-dark dark:hover:bg-primary-dark/5 dark:hover:text-on-surface-dark-strong dark:aria-[current=page]:bg-primary-dark/10 dark:aria-[current=page]:text-on-surface-dark-strong">
          {{ t(key="admin-discounts", lang=lang | default(value='sk')) }}
        </a>
        <a href="/admin/catalog/categories" data-nav="/admin/catalog/categories"
          class="flex items-center gap-2 rounded-radius px-2 py-1.5 text-sm font-medium text-on-surface underline-offset-2 transition hover:bg-primary/5 hover:text-on-surface-strong focus:outline-hidden focus-visible:underline aria-[current=page]:bg-primary/10 aria-[current=page]:text-on-surface-strong dark:text-on-surface-dark dark:hover:bg-primary-dark/5 dark:hover:text-on-surface-dark-strong dark:aria-[current=page]:bg-primary-dark/10 dark:aria-[current=page]:text-on-surface-dark-strong">
          {{ t(key="admin-categories", lang=lang | default(value='sk')) }}
@@ -96,6 +101,7 @@
          {{ t(key="admin-exit", lang=lang | default(value='sk')) }}
        </a>
        <form method="post" action="/logout">
          {{ ui::csrf_field() }}
          <button type="submit" class="flex w-full items-center gap-2 rounded-radius px-2 py-1.5 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-danger/5 focus:outline-hidden focus-visible:underline">
            {{ t(key="logout", lang=lang | default(value='sk')) }}
          </button>
--- a/assets/views/admin/catalog/categories.html
+++ b/assets/views/admin/catalog/categories.html
@@ -46,6 +46,7 @@
            {{ ui::button(variant="outline-secondary", label=t(key="edit", lang=lang | default(value='sk')), href="/admin/catalog/categories/" ~ row.category.id ~ "/edit", size="px-3 py-1.5 text-xs") }}
            <form method="post" action="/admin/catalog/categories/{{ row.category.id }}/delete"
              onsubmit="return confirm('{{ t(key="confirm-delete", lang=lang | default(value='sk')) }}')">
  {{ ui::csrf_field() }}
              {{ ui::button(variant="outline-danger", label=t(key="delete", lang=lang | default(value='sk')), type="submit", size="px-3 py-1.5 text-xs") }}
            </form>
          </div>
--- a/assets/views/admin/catalog/category_form.html
+++ b/assets/views/admin/catalog/category_form.html
@@ -15,11 +15,12 @@
 <form method="post" enctype="multipart/form-data"
  action="{% if category %}/admin/catalog/categories/{{ category.id }}{% else %}/admin/catalog/categories{% endif %}"
  class="mt-6 space-y-5 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
  {{ ui::csrf_field() }}
  {% if category %}
-    {% set v_name = category.name %}{% set v_slug = category.slug %}{% set v_pos = category.position %}{% set v_desc = category.description | default(value="") %}{% set v_pub = category.published %}
+    {% set v_name = category.name %}{% set v_pos = category.position %}{% set v_desc = category.description | default(value="") %}{% set v_pub = category.published %}
  {% else %}
-    {% set v_name = "" %}{% set v_slug = "" %}{% set v_pos = 0 %}{% set v_desc = "" %}{% set v_pub = false %}
+    {% set v_name = "" %}{% set v_pos = "" %}{% set v_desc = "" %}{% set v_pub = false %}
  {% endif %}
  <div class="space-y-1.5">
@@ -27,17 +28,6 @@
    {{ ui::input(name="name", id="name", required=true, value=v_name) }}
  </div>
  <div class="grid gap-5 sm:grid-cols-2">
    <div class="space-y-1.5">
      <label for="slug" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="slug", lang=lang | default(value='sk')) }}</label>
      {{ ui::input(name="slug", id="slug", value=v_slug, placeholder=t(key='slug-auto', lang=lang | default(value='sk'))) }}
    </div>
    <div class="space-y-1.5">
      <label for="position" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="position", lang=lang | default(value='sk')) }}</label>
      {{ ui::input(name="position", id="position", type="number", value=v_pos) }}
    </div>
  </div>
  <div class="space-y-1.5">
    <label for="parent_id" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="parent-category", lang=lang | default(value='sk')) }}</label>
    <div class="relative">
@@ -67,6 +57,15 @@
    {{ ui::file_input(name="image", id="image", accept="image/*") }}
  </div>
  <div class="space-y-1.5">
    <label for="position" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
      {{ t(key="position", lang=lang | default(value='sk')) }}
      <span class="font-normal text-on-surface/60 dark:text-on-surface-dark/60">({{ t(key="field-optional", lang=lang | default(value='sk')) }})</span>
    </label>
    {{ ui::input(name="position", id="position", type="number", value=v_pos, placeholder=t(key='position-auto', lang=lang | default(value='sk'))) }}
    <p class="text-xs text-on-surface/60 dark:text-on-surface-dark/60">{{ t(key="position-hint", lang=lang | default(value='sk')) }}</p>
  </div>
  {{ ui::checkbox(name="published", id="published", label=t(key="published", lang=lang | default(value='sk')), checked=v_pub) }}
  <div class="flex gap-3 pt-2">
--- a/assets/views/admin/catalog/discount_form.html
+++ b/assets/views/admin/catalog/discount_form.html
@@ -0,0 +1,97 @@
 {% extends "admin/base.html" %}
 {% import "macros/ui.html" as ui %}
 {% block title %}{{ t(key="set-discount", lang=lang | default(value='sk')) }}{% endblock title %}
 {% block crumb %}{{ t(key="admin-discounts", lang=lang | default(value='sk')) }}{% endblock crumb %}
 {% block content %}
 <div class="flex items-center justify-between gap-3">
  <h1 class="text-2xl font-bold text-on-surface-strong dark:text-on-surface-dark-strong">{{ product.name }}</h1>
  {{ ui::button(variant="outline-secondary", label=t(key="cancel", lang=lang | default(value='sk')), href="/admin/catalog/discounts", size="px-3 py-2 text-sm") }}
 </div>
 <form method="post" action="/admin/catalog/discounts/{{ product.id }}"
  x-data="{
    mode: '{{ mode }}',
    fixed: '{{ fixed }}',
    percent: '{{ percent }}',
    regular: {{ product.regular_cents }},
    num(v) { let n = parseFloat(String(v).replace(',', '.')); return isFinite(n) ? n : null; },
    get afterCents() {
      if (this.mode === 'percent') {
        let p = this.num(this.percent); if (p === null) return null;
        return this.regular - Math.round(this.regular * p / 100);
      }
      let f = this.num(this.fixed); if (f === null) return null;
      return Math.round(f * 100);
    },
    money(c) { return (c / 100).toFixed(2); },
    get valid() { let a = this.afterCents; return a !== null && a > 0 && a < this.regular; },
    get percentOff() { let a = this.afterCents; return (a === null || this.regular <= 0) ? null : Math.round((this.regular - a) / this.regular * 100); }
  }"
  class="mt-6 max-w-md space-y-5 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
  {{ ui::csrf_field() }}
  {% if error %}
  {{ ui::alert_danger(message=t(key=error, lang=lang | default(value='sk'))) }}
  {% endif %}
  <div class="flex items-center justify-between gap-3 rounded-radius bg-surface-alt px-4 py-3 dark:bg-surface-dark/40">
    <span class="text-sm text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="price", lang=lang | default(value='sk')) }}</span>
    <span class="font-semibold tabular-nums text-on-surface-strong dark:text-on-surface-dark-strong">{{ product.regular_price }} {{ product.currency }}</span>
  </div>
  <!-- mode toggle -->
  <div class="grid grid-cols-2 gap-2">
    <label class="flex cursor-pointer items-center justify-center gap-2 rounded-radius border px-3 py-2 text-sm transition"
      :class="mode === 'fixed' ? 'border-primary bg-primary/10 text-on-surface-strong dark:border-primary-dark dark:bg-primary-dark/10 dark:text-on-surface-dark-strong' : 'border-outline text-on-surface dark:border-outline-dark dark:text-on-surface-dark'">
      <input type="radio" name="mode" value="fixed" x-model="mode" class="sr-only">
      {{ t(key="discount-mode-fixed", lang=lang | default(value='sk')) }}
    </label>
    <label class="flex cursor-pointer items-center justify-center gap-2 rounded-radius border px-3 py-2 text-sm transition"
      :class="mode === 'percent' ? 'border-primary bg-primary/10 text-on-surface-strong dark:border-primary-dark dark:bg-primary-dark/10 dark:text-on-surface-dark-strong' : 'border-outline text-on-surface dark:border-outline-dark dark:text-on-surface-dark'">
      <input type="radio" name="mode" value="percent" x-model="mode" class="sr-only">
      {{ t(key="discount-mode-percent", lang=lang | default(value='sk')) }}
    </label>
  </div>
  <!-- fixed price input -->
  <div class="space-y-1.5" x-show="mode === 'fixed'">
    <label for="sale_price" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="sale-price", lang=lang | default(value='sk')) }}</label>
    {{ ui::input(name="sale_price", id="sale_price", value=fixed, placeholder="0.00", attrs='inputmode="decimal" x-model="fixed"') }}
  </div>
  <!-- percentage input -->
  <div class="space-y-1.5" x-show="mode === 'percent'">
    <label for="percent" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="discount-percent", lang=lang | default(value='sk')) }}</label>
    {{ ui::input(name="percent", id="percent", value=percent, placeholder="0", attrs='inputmode="decimal" min="0" max="100" x-model="percent"') }}
  </div>
  <!-- live preview -->
  <div x-show="afterCents !== null" x-cloak
    class="space-y-2 rounded-radius border border-outline bg-surface-alt px-4 py-3 dark:border-outline-dark dark:bg-surface-dark/40">
    <div class="flex items-center justify-between gap-3 text-sm">
      <span class="text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="discount-preview-before", lang=lang | default(value='sk')) }}</span>
      <span class="tabular-nums text-on-surface/60 line-through dark:text-on-surface-dark/60"><span x-text="money(regular)"></span> {{ product.currency }}</span>
    </div>
    <div class="flex items-center justify-between gap-3">
      <span class="text-sm text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="discount-preview-after", lang=lang | default(value='sk')) }}</span>
      <span class="text-lg font-semibold tabular-nums" :class="valid ? 'text-danger' : 'text-on-surface/40 dark:text-on-surface-dark/40'">
        <span x-text="money(afterCents)"></span> {{ product.currency }}
      </span>
    </div>
    <div x-show="valid" class="flex items-center justify-between gap-3 text-xs text-on-surface/60 dark:text-on-surface-dark/60">
      <span>{{ t(key="discount-preview-save", lang=lang | default(value='sk')) }}</span>
      <span class="tabular-nums"><span x-text="money(regular - afterCents)"></span> {{ product.currency }} (−<span x-text="percentOff"></span>%)</span>
    </div>
    <p x-show="!valid" class="text-xs text-danger">{{ t(key="discount-below-regular", lang=lang | default(value='sk')) }}</p>
  </div>
  <div class="flex flex-wrap gap-3 pt-2">
    {{ ui::button(label=t(key="save", lang=lang | default(value='sk')), type="submit") }}
    {% if product.on_sale %}
    {{ ui::button(variant="outline-danger", label=t(key="remove-discount", lang=lang | default(value='sk')), type="submit", attrs='formaction="/admin/catalog/discounts/' ~ product.id ~ '/remove"') }}
    {% endif %}
  </div>
 </form>
 {% endblock content %}
--- a/assets/views/admin/catalog/discounts.html
+++ b/assets/views/admin/catalog/discounts.html
@@ -0,0 +1,70 @@
 {% extends "admin/base.html" %}
 {% import "macros/ui.html" as ui %}
 {% block title %}{{ t(key="admin-discounts", lang=lang | default(value='sk')) }}{% endblock title %}
 {% block crumb %}{{ t(key="admin-discounts", lang=lang | default(value='sk')) }}{% endblock crumb %}
 {% block content %}
 <div class="flex flex-wrap items-end justify-between gap-3">
  <div>
    <h1 class="text-2xl font-bold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="admin-discounts", lang=lang | default(value='sk')) }}</h1>
    <p class="text-sm text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="admin-discounts-desc", lang=lang | default(value='sk')) }}</p>
  </div>
 </div>
 <div class="mt-6 {{ ui::table_wrap_cls() }}">
  {% if products | length > 0 %}
  <table class="{{ ui::table_cls() }}">
    <thead class="{{ ui::thead_cls() }}">
      <tr>
        {{ ui::th(label=t(key="product", lang=lang | default(value='sk'))) }}
        {{ ui::th(label=t(key="price", lang=lang | default(value='sk'))) }}
        {{ ui::th(label=t(key="sale-price", lang=lang | default(value='sk'))) }}
        {{ ui::th(label=t(key="status", lang=lang | default(value='sk'))) }}
        {{ ui::th(label=t(key="actions", lang=lang | default(value='sk')), align="text-right") }}
      </tr>
    </thead>
    <tbody class="{{ ui::tbody_cls() }}">
      {% for product in products %}
      <tr class="{{ ui::row_cls() }}">
        <td class="px-4 py-3">
          <div class="font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ product.name }}</div>
        </td>
        <td class="px-4 py-3 tabular-nums">{{ product.regular_price }} {{ product.currency }}</td>
        <td class="px-4 py-3 tabular-nums">
          {% if product.on_sale %}
          <span class="font-medium text-danger">{{ product.sale_price }} {{ product.currency }}</span>
          <span class="ml-1 text-xs text-on-surface/60 dark:text-on-surface-dark/60">(−{{ product.percent_off }}%)</span>
          {% else %}
          <span class="text-on-surface/40 dark:text-on-surface-dark/40">—</span>
          {% endif %}
        </td>
        <td class="px-4 py-3">
          {% if product.on_sale %}
          {{ ui::badge(label=t(key="on-sale", lang=lang | default(value='sk')), variant="danger") }}
          {% else %}
          {{ ui::badge(label=t(key="no-discount", lang=lang | default(value='sk')), variant="neutral") }}
          {% endif %}
        </td>
        <td class="px-4 py-3">
          <div class="flex flex-wrap justify-end gap-2">
            {{ ui::button(variant="outline-secondary", label=t(key="set-discount", lang=lang | default(value='sk')), href="/admin/catalog/discounts/" ~ product.id ~ "/edit", size="px-3 py-1.5 text-xs") }}
            {% if product.on_sale %}
            <form method="post" action="/admin/catalog/discounts/{{ product.id }}/remove">
              {{ ui::csrf_field() }}
              {{ ui::button(variant="outline-danger", label=t(key="remove-discount", lang=lang | default(value='sk')), type="submit", size="px-3 py-1.5 text-xs") }}
            </form>
            {% endif %}
          </div>
        </td>
      </tr>
      {% endfor %}
    </tbody>
  </table>
  {% else %}
  <div class="flex flex-col items-center gap-3 px-4 py-16 text-center">
    <p class="text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="admin-no-products", lang=lang | default(value='sk')) }}</p>
  </div>
  {% endif %}
 </div>
 {% endblock content %}
--- a/assets/views/admin/catalog/product_form.html
+++ b/assets/views/admin/catalog/product_form.html
@@ -15,11 +15,12 @@
 <form method="post" enctype="multipart/form-data"
  action="{% if product %}/admin/catalog/products/{{ product.id }}{% else %}/admin/catalog/products{% endif %}"
  class="mt-6 space-y-5 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
  {{ ui::csrf_field() }}
  {% if product %}
-    {% set v_name = product.name %}{% set v_price = product.price %}{% set v_currency = product.currency %}{% set v_stock = product.stock %}{% set v_sku = product.sku | default(value="") %}{% set v_slug = product.slug %}{% set v_desc = product.description | default(value="") %}{% set v_pub = product.published %}
+    {% set v_name = product.name %}{% set v_price = product.price %}{% set v_currency = product.currency %}{% set v_stock = product.stock %}{% set v_sku = product.sku | default(value="") %}{% set v_desc = product.description | default(value="") %}{% set v_pub = product.published %}
  {% else %}
-    {% set v_name = "" %}{% set v_price = "" %}{% set v_currency = "EUR" %}{% set v_stock = 0 %}{% set v_sku = "" %}{% set v_slug = "" %}{% set v_desc = "" %}{% set v_pub = false %}
+    {% set v_name = "" %}{% set v_price = "" %}{% set v_currency = "EUR" %}{% set v_stock = 0 %}{% set v_sku = "" %}{% set v_desc = "" %}{% set v_pub = false %}
  {% endif %}
  <div class="space-y-1.5">
@@ -63,11 +64,6 @@
    </div>
  </div>
  <div class="space-y-1.5">
    <label for="slug" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="slug", lang=lang | default(value='sk')) }}</label>
    {{ ui::input(name="slug", id="slug", value=v_slug, placeholder=t(key='slug-auto', lang=lang | default(value='sk'))) }}
  </div>
  <div class="space-y-1.5">
    <label for="description" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="description", lang=lang | default(value='sk')) }}</label>
    {{ ui::textarea(name="description", id="description", rows="5", value=v_desc) }}
--- a/assets/views/admin/catalog/products.html
+++ b/assets/views/admin/catalog/products.html
@@ -41,7 +41,14 @@
            </div>
          </div>
        </td>
-        <td class="px-4 py-3 tabular-nums">{{ product.price }} {{ product.currency }}</td>
+        <td class="px-4 py-3 tabular-nums">
          {% if product.on_sale %}
          <span class="font-medium text-danger">{{ product.price }} {{ product.currency }}</span>
          <span class="text-xs text-on-surface/50 line-through dark:text-on-surface-dark/50">{{ product.regular_price }}</span>
          {% else %}
          {{ product.price }} {{ product.currency }}
          {% endif %}
        </td>
        <td class="px-4 py-3 tabular-nums">{{ product.stock }}</td>
        <td class="px-4 py-3">
          {% if product.published %}
@@ -53,9 +60,11 @@
        <td class="px-4 py-3">
          <div class="flex flex-wrap justify-end gap-2">
            {{ ui::button(variant="outline-secondary", label=t(key="edit", lang=lang | default(value='sk')), href="/admin/catalog/products/" ~ product.id ~ "/edit", size="px-3 py-1.5 text-xs") }}
            {{ ui::button(variant="outline-secondary", label=t(key="discount", lang=lang | default(value='sk')), href="/admin/catalog/discounts/" ~ product.id ~ "/edit", size="px-3 py-1.5 text-xs") }}
            {{ ui::button(variant="outline-secondary", label=t(key="view", lang=lang | default(value='sk')), href="/shop/" ~ product.slug, size="px-3 py-1.5 text-xs") }}
            <form method="post" action="/admin/catalog/products/{{ product.id }}/delete"
              onsubmit="return confirm('{{ t(key="confirm-delete", lang=lang | default(value='sk')) }}')">
  {{ ui::csrf_field() }}
              {{ ui::button(variant="outline-danger", label=t(key="delete", lang=lang | default(value='sk')), type="submit", size="px-3 py-1.5 text-xs") }}
            </form>
          </div>
--- a/assets/views/admin/orders/show.html
+++ b/assets/views/admin/orders/show.html
@@ -110,6 +110,7 @@
      <p class="text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="order-send-hint", lang=lang | default(value='sk')) }}</p>
      <form method="post" action="/admin/orders/{{ order.id }}/ship"
        onsubmit="return confirm('{{ t(key="order-send-confirm", lang=lang | default(value='sk')) }}')">
  {{ ui::csrf_field() }}
        {% set carrier_up = carrier | upper %}
        {% set ship_label = t(key="order-send-to-carrier", lang=lang | default(value='sk')) ~ " " ~ carrier_up %}
        {{ ui::button(label=ship_label, type="submit", extra="w-full") }}
@@ -118,6 +119,7 @@
    </div>
    <form method="post" action="/admin/orders/{{ order.id }}/status" class="space-y-3 rounded-radius border border-outline bg-surface p-5 dark:border-outline-dark dark:bg-surface-dark-alt">
  {{ ui::csrf_field() }}
      <label for="status" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="order-status", lang=lang | default(value='sk')) }}</label>
      <div class="relative">
        <select id="status" name="status"
--- a/assets/views/admin/shipping/index.html
+++ b/assets/views/admin/shipping/index.html
@@ -14,6 +14,7 @@
  {% for method in methods %}
  <form method="post" action="/admin/shipping/{{ method.id }}"
    class="flex flex-wrap items-end gap-4 rounded-radius border border-outline bg-surface p-5 dark:border-outline-dark dark:bg-surface-dark-alt">
  {{ ui::csrf_field() }}
    <div class="min-w-40">
      <p class="font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ method.name }}</p>
      <p class="text-xs text-on-surface/60 dark:text-on-surface-dark/60">{{ method.carrier | upper }}{% if method.requires_pickup_point %} · {{ t(key="checkout-pickup-point", lang=lang | default(value='sk')) }}{% endif %}</p>
--- a/assets/views/auth/login.html
+++ b/assets/views/auth/login.html
@@ -30,6 +30,7 @@
      {% endif %}
      <form method="post" action="/login" hx-boost="false" class="mt-4 flex flex-col gap-4">
        {{ ui::csrf_field() }}
        <div class="flex flex-col gap-1">
          <label for="email"
            class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
--- a/assets/views/auth/login_totp.html
+++ b/assets/views/auth/login_totp.html
@@ -28,6 +28,7 @@
      {% endif %}
      <form method="post" action="/login/totp" hx-boost="false" class="mt-4 flex flex-col gap-4">
  {{ ui::csrf_field() }}
        <div class="flex flex-col gap-1">
          <label for="code"
            class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
--- a/assets/views/auth/register.html
+++ b/assets/views/auth/register.html
@@ -32,6 +32,7 @@
      <form method="post" action="/register" hx-boost="false" class="mt-4 flex flex-col gap-4"
        x-data="{ password: '', confirm: '' }">
  {{ ui::csrf_field() }}
        <div class="flex flex-col gap-1.5">
          <span class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-type", lang=lang | default(value='sk')) }}</span>
          <div class="grid grid-cols-2 gap-2">
--- a/assets/views/auth/resend_verification.html
+++ b/assets/views/auth/resend_verification.html
@@ -24,6 +24,7 @@
      {% else %}
      <p class="mt-1 text-sm text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="resend-verification-intro", lang=lang | default(value='sk')) }}</p>
      <form method="post" action="/resend-verification" hx-boost="false" class="mt-4 flex flex-col gap-4">
  {{ ui::csrf_field() }}
        <div class="flex flex-col gap-1">
          <label for="email" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="login-email", lang=lang | default(value='sk')) }}</label>
          {{ ui::input(name="email", id="email", type="email", required=true, autocomplete="email", attrs="autofocus") }}
--- a/assets/views/auth/set_password.html
+++ b/assets/views/auth/set_password.html
@@ -29,6 +29,7 @@
      {% endif %}
      <form method="post" action="/set-password" hx-boost="false" class="mt-4 flex flex-col gap-4">
  {{ ui::csrf_field() }}
        <input type="hidden" name="token" value="{{ token }}">
        <div class="flex flex-col gap-1">
          <label for="password" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="set-password-new", lang=lang | default(value='sk')) }}</label>
--- a/assets/views/base.html
+++ b/assets/views/base.html
@@ -69,6 +69,7 @@
    <script defer src="/static/vendor/alpine/alpinejs-3.14.9.min.js"></script>
  </head>
  <body hx-boost="true"
    hx-headers='{"X-CSRF-Token": "{{ csrf_token() }}"}'
    x-data="{ cats: false, lg: window.matchMedia('(min-width: 1024px)').matches }"
    x-init="window.matchMedia('(min-width: 1024px)').addEventListener('change', e => lg = e.matches)"
    class="min-h-screen bg-surface text-on-surface antialiased dark:bg-surface-dark dark:text-on-surface-dark">
@@ -91,6 +92,7 @@
          <li>{{ ui::nav_link(label=t(key="admin-title", lang=lang | default(value='sk')), href="/admin/dashboard", data_nav="/admin", variant="warning", attrs='hx-boost="false"') }}</li>
          <li>
            <form method="post" action="/logout" hx-boost="false">
  {{ ui::csrf_field() }}
              <button type="submit" class="text-sm font-medium text-danger underline-offset-2 transition hover:opacity-75 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
            </form>
          </li>
@@ -163,6 +165,7 @@
          <li><a href="/admin/dashboard" hx-boost="false" data-nav="/admin" class="block rounded-radius px-3 py-2 text-sm font-medium text-warning underline-offset-2 transition hover:bg-primary/5 focus:outline-hidden focus-visible:underline">{{ t(key="admin-title", lang=lang | default(value='sk')) }}</a></li>
          <li>
            <form method="post" action="/logout" hx-boost="false">
  {{ ui::csrf_field() }}
              <button type="submit" class="block w-full rounded-radius px-3 py-2 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-primary/5 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
            </form>
          </li>
@@ -170,6 +173,7 @@
          <li><a href="/account/profile" data-nav="/account" class="block rounded-radius px-3 py-2 text-sm font-medium text-on-surface underline-offset-2 transition hover:bg-primary/5 hover:text-primary focus:outline-hidden focus-visible:underline aria-[current=page]:font-semibold aria-[current=page]:bg-primary/10 aria-[current=page]:text-primary dark:text-on-surface-dark dark:hover:text-primary-dark dark:aria-[current=page]:text-primary-dark">{{ t(key="nav-profile", lang=lang | default(value='sk')) }}</a></li>
          <li>
            <form method="post" action="/logout" hx-boost="false">
  {{ ui::csrf_field() }}
              <button type="submit" class="block w-full rounded-radius px-3 py-2 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-primary/5 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
            </form>
          </li>
@@ -199,6 +203,7 @@
          <li><a href="/account/security" data-nav="/account/security" class="block rounded-radius px-3 py-2 text-sm font-medium text-on-surface underline-offset-2 transition hover:bg-primary/5 hover:text-primary focus:outline-hidden focus-visible:underline aria-[current=page]:font-semibold aria-[current=page]:bg-primary/10 aria-[current=page]:text-primary dark:text-on-surface-dark dark:hover:text-primary-dark dark:aria-[current=page]:text-primary-dark">{{ t(key="security-title", lang=lang | default(value='sk')) }}</a></li>
        </ul>
        <form method="post" action="/logout" hx-boost="false" class="mt-4 border-t border-outline pt-3 dark:border-outline-dark">
  {{ ui::csrf_field() }}
          <button type="submit" class="block w-full rounded-radius px-3 py-2 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-primary/5 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
        </form>
      </aside>
--- a/assets/views/macros/ui.html
+++ b/assets/views/macros/ui.html
@@ -29,6 +29,13 @@
       outline : outline-primary | outline-secondary | outline-alternate | outline-danger
       ghost   : ghost-primary | ghost-secondary | ghost-danger #}
 {# CSRF hidden field for native (non-htmx) <form method="post"> submits. htmx
   requests instead inherit the X-CSRF-Token header from <body hx-headers>.
   `csrf_token()` is a global Tera function bound per-request by shared::csrf. #}
 {% macro csrf_field() -%}
 <input type="hidden" name="_csrf" value="{{ csrf_token() }}">
 {%- endmacro %}
 {% macro button(label, variant="primary", type="button", href="", attrs="", extra="", icon="", size="px-4 py-2 text-sm") -%}
 {%- if variant == "secondary" -%}{% set cls = "border border-secondary bg-secondary text-on-secondary focus-visible:outline-secondary dark:border-secondary-dark dark:bg-secondary-dark dark:text-on-secondary-dark dark:focus-visible:outline-secondary-dark" -%}
 {%- elif variant == "danger" -%}{% set cls = "border border-danger bg-danger text-on-danger focus-visible:outline-danger dark:bg-danger dark:border-danger dark:text-on-danger dark:focus-visible:outline-danger" -%}
@@ -120,7 +127,7 @@
 {# Text/email/number/password input. #}
 {% macro input(name, type="text", id="", value="", placeholder="", required=false, autocomplete="", attrs="", extra="", width="w-full") -%}
-<input {% if id %}id="{{ id }}" {% endif %}name="{{ name }}" type="{{ type }}"{% if value != "" %} value="{{ value }}"{% endif %}{% if placeholder %} placeholder="{{ placeholder }}"{% endif %}{% if required %} required{% endif %}{% if autocomplete %} autocomplete="{{ autocomplete }}"{% endif %} class="{{ width }} rounded-radius border border-outline bg-surface-alt px-2 py-2 text-sm text-on-surface focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-primary disabled:cursor-not-allowed disabled:opacity-75 dark:border-outline-dark dark:bg-surface-dark-alt/50 dark:text-on-surface-dark dark:focus-visible:outline-primary-dark {{ extra }}" {{ attrs | safe }}/>
+<input {% if id %}id="{{ id }}" {% endif %}name="{{ name }}" type="{{ type }}"{% if value is number or value != "" %} value="{{ value }}"{% endif %}{% if placeholder %} placeholder="{{ placeholder }}"{% endif %}{% if required %} required{% endif %}{% if autocomplete %} autocomplete="{{ autocomplete }}"{% endif %} class="{{ width }} rounded-radius border border-outline bg-surface-alt px-2 py-2 text-sm text-on-surface focus-visible:outline-2 focus-visible:outline-offset-2 focus-visible:outline-primary disabled:cursor-not-allowed disabled:opacity-75 dark:border-outline-dark dark:bg-surface-dark-alt/50 dark:text-on-surface-dark dark:focus-visible:outline-primary-dark {{ extra }}" {{ attrs | safe }}/>
 {%- endmacro input %}
 {% macro textarea(name, id="", value="", rows="3", placeholder="", required=false, attrs="", extra="") -%}
--- a/assets/views/partials/profile_menu.html
+++ b/assets/views/partials/profile_menu.html
@@ -68,7 +68,8 @@
    </div>
    <!-- logout -->
    <div class="flex flex-col py-1.5">
-      <form method="post" action="/logout" hx-boost="false"><button type="submit" role="menuitem" class="flex w-full items-center gap-2 bg-surface-alt px-4 py-2 text-left text-sm text-on-surface hover:bg-surface-dark-alt/5 hover:text-on-surface-strong focus-visible:bg-surface-dark-alt/10 focus-visible:text-on-surface-strong focus-visible:outline-hidden dark:bg-surface-dark-alt dark:text-on-surface-dark dark:hover:bg-surface-alt/5 dark:hover:text-on-surface-dark-strong dark:focus-visible:bg-surface-alt/10 dark:focus-visible:text-on-surface-dark-strong">
+      <form method="post" action="/logout" hx-boost="false">
  <input type="hidden" name="_csrf" value="{{ csrf_token() }}"><button type="submit" role="menuitem" class="flex w-full items-center gap-2 bg-surface-alt px-4 py-2 text-left text-sm text-on-surface hover:bg-surface-dark-alt/5 hover:text-on-surface-strong focus-visible:bg-surface-dark-alt/10 focus-visible:text-on-surface-strong focus-visible:outline-hidden dark:bg-surface-dark-alt dark:text-on-surface-dark dark:hover:bg-surface-alt/5 dark:hover:text-on-surface-dark-strong dark:focus-visible:bg-surface-alt/10 dark:focus-visible:text-on-surface-dark-strong">
        <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" aria-hidden="true" fill="currentColor" class="size-4 shrink-0"><path fill-rule="evenodd" d="M7.5 3.75A1.5 1.5 0 006 5.25v13.5a1.5 1.5 0 001.5 1.5h6a1.5 1.5 0 001.5-1.5V15a.75.75 0 011.5 0v3.75a3 3 0 01-3 3h-6a3 3 0 01-3-3V5.25a3 3 0 013-3h6a3 3 0 013 3V9A.75.75 0 0115 9V5.25a1.5 1.5 0 00-1.5-1.5h-6zm10.72 4.72a.75.75 0 011.06 0l3 3a.75.75 0 010 1.06l-3 3a.75.75 0 11-1.06-1.06l1.72-1.72H9a.75.75 0 010-1.5h10.94l-1.72-1.72a.75.75 0 010-1.06z" clip-rule="evenodd"/></svg>
        {{ t(key="logout", lang=lang | default(value='sk')) }}
      </button></form>
--- a/assets/views/partials/settings_dropdown.html
+++ b/assets/views/partials/settings_dropdown.html
@@ -20,6 +20,7 @@
  class="absolute right-0 mt-2 flex w-56 flex-col overflow-hidden rounded-radius border border-outline bg-surface-alt py-1 shadow-lg dark:border-outline-dark dark:bg-surface-dark-alt"
  role="menu">
  <form method="post" action="/lang" hx-boost="false">
  <input type="hidden" name="_csrf" value="{{ csrf_token() }}">
    <p class="px-4 py-1.5 text-xs font-semibold uppercase tracking-wide text-on-surface/60 dark:text-on-surface-dark/60">
      {{ t(key="settings-language", lang=lang | default(value='sk')) }}
    </p>
--- a/assets/views/shop/_card.html
+++ b/assets/views/shop/_card.html
@@ -17,7 +17,14 @@
      <!-- Header: Title & Price -->
      <div class="flex justify-between gap-4">
        <h3 class="text-lg font-bold text-on-surface-strong dark:text-on-surface-dark-strong">{{ product.name }}</h3>
        {% if product.on_sale %}
        <span class="flex flex-col items-end whitespace-nowrap leading-tight">
          <span class="text-sm text-on-surface/50 line-through dark:text-on-surface-dark/50">{{ product.regular_price }} {{ product.currency }}</span>
          <span class="text-xl font-semibold text-danger"><span class="sr-only">Price</span>{{ product.price }} {{ product.currency }}</span>
        </span>
        {% else %}
        <span class="whitespace-nowrap text-xl"><span class="sr-only">Price</span>{{ product.price }} {{ product.currency }}</span>
        {% endif %}
      </div>
    </div>
  </a>
@@ -26,6 +33,7 @@
    <p class="text-xs text-on-surface/60 dark:text-on-surface-dark/60">{{ t(key="in-stock", lang=lang | default(value='sk')) }}: {{ product.stock }}</p>
    <form method="post" action="/cart/add" hx-post="/cart/add" hx-swap="none"
      hx-on::after-request="if (event.detail.successful) toast('{{ t(key='cart-added', lang=lang | default(value='sk')) }}')">
  <input type="hidden" name="_csrf" value="{{ csrf_token() }}">
      <input type="hidden" name="product_id" value="{{ product.id }}">
      <input type="hidden" name="quantity" value="1">
      {{ ui::button(label=t(key="add-to-cart", lang=lang | default(value='sk')), type="submit", extra="w-full", icon='<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 16 16" fill="currentColor" aria-hidden="true" class="size-3.5"><path fill-rule="evenodd" d="M5 4a3 3 0 0 1 6 0v1h.643a1.5 1.5 0 0 1 1.492 1.35l.7 7A1.5 1.5 0 0 1 12.342 15H3.657a1.5 1.5 0 0 1-1.492-1.65l.7-7A1.5 1.5 0 0 1 4.357 5H5V4Zm4.5 0v1h-3V4a1.5 1.5 0 0 1 3 0Zm-3 3.75a.75.75 0 0 0-1.5 0v1a3 3 0 1 0 6 0v-1a.75.75 0 0 0-1.5 0v1a1.5 1.5 0 1 1-3 0v-1Z" clip-rule="evenodd" /></svg>') }}
--- a/assets/views/shop/_cart_body.html
+++ b/assets/views/shop/_cart_body.html
@@ -27,6 +27,7 @@
             reverting to the previous quantity if the customer cancels. #}
          <form method="post" action="/cart/update"
            hx-post="/cart/update" hx-trigger="cartchange" hx-target="#cart-body" hx-swap="innerHTML">
  {{ ui::csrf_field() }}
            <input type="hidden" name="product_id" value="{{ item.id }}">
            <input type="number" name="quantity" min="0" max="{{ item.stock }}" value="{{ item.quantity }}"
              @change="
@@ -43,6 +44,7 @@
        <td class="px-4 py-3 text-right">
          <form method="post" action="/cart/remove"
            hx-post="/cart/remove" hx-target="#cart-body" hx-swap="innerHTML">
  {{ ui::csrf_field() }}
            <input type="hidden" name="product_id" value="{{ item.id }}">
            {{ ui::button(variant="ghost-danger", label=t(key="cart-remove", lang=lang | default(value='sk')), type="submit", size="px-2 py-1 text-xs") }}
          </form>
--- a/assets/views/shop/checkout.html
+++ b/assets/views/shop/checkout.html
@@ -30,6 +30,7 @@
    }
  }"
  class="mt-6 grid gap-8 lg:grid-cols-3">
  {{ ui::csrf_field() }}
  <div class="space-y-6 lg:col-span-2">
    <!-- personal vs company. Fixed (read-only) for a logged-in account; a guest
--- a/assets/views/shop/show.html
+++ b/assets/views/shop/show.html
@@ -54,7 +54,14 @@
    <a href="/category/{{ category.slug }}" class="text-sm font-medium text-primary dark:text-primary-dark">{{ category.name }}</a>
    {% endif %}
    <h1 class="text-3xl font-bold text-on-surface-strong dark:text-on-surface-dark-strong">{{ product.name }}</h1>
    {% if product.on_sale %}
    <div class="flex items-baseline gap-3">
      <p class="text-2xl font-semibold text-danger">{{ product.price }} {{ product.currency }}</p>
      <p class="text-lg text-on-surface/50 line-through dark:text-on-surface-dark/50">{{ product.regular_price }} {{ product.currency }}</p>
    </div>
    {% else %}
    <p class="text-2xl font-semibold text-primary dark:text-primary-dark">{{ product.price }} {{ product.currency }}</p>
    {% endif %}
    {% if product.description %}
    <div class="whitespace-pre-line leading-relaxed text-on-surface/80 dark:text-on-surface-dark/80">{{ product.description }}</div>
@@ -63,6 +70,7 @@
    {% if product.stock > 0 %}
    <form method="post" action="/cart/add" hx-post="/cart/add" hx-swap="none" class="flex flex-wrap items-end gap-3"
      hx-on::after-request="if (event.detail.successful) toast('{{ t(key='cart-added', lang=lang | default(value='sk')) }}')">
  {{ ui::csrf_field() }}
      <input type="hidden" name="product_id" value="{{ product.id }}">
      <div class="space-y-1.5">
        <label for="quantity" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="quantity", lang=lang | default(value='sk')) }}</label>
--- a/migration/src/lib.rs
+++ b/migration/src/lib.rs
@@ -35,6 +35,7 @@ mod m20260618_000002_customer_profiles;
 mod m20260618_000003_account_type;
 mod m20260618_000004_account_ownership;
 mod m20260620_000001_add_totp_to_users;
 mod m20260621_000001_add_sale_price_to_products;
 pub struct Migrator;
 #[async_trait::async_trait]
@@ -74,6 +75,7 @@ impl MigratorTrait for Migrator {
            Box::new(m20260618_000003_account_type::Migration),
            Box::new(m20260618_000004_account_ownership::Migration),
            Box::new(m20260620_000001_add_totp_to_users::Migration),
            Box::new(m20260621_000001_add_sale_price_to_products::Migration),
            // inject-above (do not remove this comment)
        ]
    }
--- a/migration/src/m20260621_000001_add_sale_price_to_products.rs
+++ b/migration/src/m20260621_000001_add_sale_price_to_products.rs
@@ -0,0 +1,19 @@
 use loco_rs::schema::*;
 use sea_orm_migration::prelude::*;
 #[derive(DeriveMigrationName)]
 pub struct Migration;
 #[async_trait::async_trait]
 impl MigrationTrait for Migration {
    async fn up(&self, m: &SchemaManager) -> Result<(), DbErr> {
        // Optional discounted price in minor units. When set (and below
        // `price_cents`) the product is on sale; the regular price is shown
        // struck through and this is the effective price everywhere.
        add_column(m, "products", "sale_price_cents", ColType::BigIntegerNull).await
    }
    async fn down(&self, m: &SchemaManager) -> Result<(), DbErr> {
        remove_column(m, "products", "sale_price_cents").await
    }
 }
--- a/src/app.rs
+++ b/src/app.rs
@@ -17,7 +17,7 @@ use std::{path::Path, sync::Arc};
 #[allow(unused_imports)]
 use crate::{
    controllers::{
-        account, admin_categories, admin_dashboard, admin_form, admin_orders,
+        account, admin_categories, admin_dashboard, admin_discounts, admin_form, admin_orders,
        admin_products, admin_shipping, auth, auth_pages, cart, checkout, home, i18n, media, oauth2,
        shop,
    },
@@ -68,6 +68,12 @@ impl Hooks for App {
            .layer(axum::middleware::from_fn_with_state(
                ctx.clone(),
                crate::shared::rbac::inject_subject,
            ))
            // CSRF runs outermost so it validates the double-submit token before
            // any handler sees the request and stamps the cookie on safe ones.
            .layer(axum::middleware::from_fn_with_state(
                ctx.clone(),
                crate::shared::csrf::protect,
            )))
    }
@@ -98,6 +104,7 @@ impl Hooks for App {
            // admin
            .add_route(admin_dashboard::routes())
            .add_route(admin_products::routes())
            .add_route(admin_discounts::routes())
            .add_route(admin_categories::routes())
            .add_route(admin_orders::routes())
            .add_route(admin_shipping::routes())
--- a/src/controllers/admin_categories.rs
+++ b/src/controllers/admin_categories.rs
@@ -49,10 +49,6 @@ async fn parse_category_fields(
        .text("name")
        .ok_or_else(|| Error::BadRequest("category name is required".to_string()))?;
    let description = form.text("description");
    let position = form
        .text("position")
        .and_then(|s| s.parse::<i32>().ok())
        .unwrap_or(0);
    let published = form.checked("published");
    // Resolve the chosen parent, rejecting cycles: a category may not be its
@@ -81,6 +77,28 @@ async fn parse_category_fields(
        None => None,
    };
    // Position is optional: an explicit value sorts the category among its
    // siblings, but a blank field appends it to the end of its parent's group
    // (one past the current max), so new categories land last instead of first.
    let position = match form.text("position").and_then(|s| s.parse::<i32>().ok()) {
        Some(explicit) => explicit,
        None => {
            let mut query = categories::Entity::find();
            query = match parent_id {
                Some(pid) => query.filter(categories::Column::ParentId.eq(pid)),
                None => query.filter(categories::Column::ParentId.is_null()),
            };
            query
                .all(&ctx.db)
                .await?
                .iter()
                .filter(|c| Some(c.id) != current_id)
                .map(|c| c.position)
                .max()
                .map_or(0, |max| max + 1)
        }
    };
    let desired = form
        .text("slug")
        .map(|s| slugify(&s))
--- a/src/controllers/admin_discounts.rs
+++ b/src/controllers/admin_discounts.rs
@@ -0,0 +1,246 @@
 //! Admin management of per-product discounts.
 //!
 //! Discounts live on the product (`sale_price_cents`) but are set here, in a
 //! place of their own, rather than on the product editor: an admin picks a
 //! product, enters a discounted price, and the storefront then shows it on sale.
 //! Editing a product never touches its discount, and vice versa.
 use axum_extra::extract::cookie::CookieJar;
 use loco_rs::prelude::*;
 use sea_orm::{ActiveModelTrait, EntityTrait, QueryOrder, Set};
 use serde::Deserialize;
 use serde_json::json;
 use crate::{
    controllers::i18n::current_lang,
    models::products,
    shared::{
        guard,
        money::{format_price, parse_price_to_cents},
    },
 };
 #[derive(Debug, Deserialize)]
 struct DiscountForm {
    /// "fixed" (enter the new price) or "percent" (enter % off). Defaults to
    /// fixed for older/JSON callers.
    mode: Option<String>,
    sale_price: Option<String>,
    percent: Option<String>,
 }
 /// Parse a percentage typed as "20", "20.5" or "20,5" into an `f64`.
 fn parse_percent(value: &str) -> Option<f64> {
    let parsed: f64 = value.trim().replace(',', ".").parse().ok()?;
    parsed.is_finite().then_some(parsed)
 }
 /// Resolve a percentage off the regular price into a fixed sale price in cents.
 /// Rounds the discount amount to the nearest cent.
 fn percent_to_sale_cents(regular_cents: i64, percent: f64) -> i64 {
    let off = (regular_cents as f64 * percent / 100.0).round() as i64;
    regular_cents - off
 }
 async fn product_by_id(ctx: &AppContext, id: i32) -> Result<products::Model> {
    products::Entity::find_by_id(id)
        .one(&ctx.db)
        .await?
        .ok_or_else(|| Error::NotFound)
 }
 /// Percent off the regular price, rounded to a whole number. `0` when there is
 /// no positive regular price to discount from.
 fn percent_off(regular_cents: i64, sale_cents: i64) -> i64 {
    if regular_cents <= 0 {
        return 0;
    }
    let off = (regular_cents - sale_cents) as f64 / regular_cents as f64 * 100.0;
    off.round() as i64
 }
 /// Row shape for the discounts list.
 fn list_row(product: &products::Model) -> serde_json::Value {
    json!({
        "id": product.id,
        "name": product.name,
        "slug": product.slug,
        "currency": product.currency,
        "regular_price": format_price(product.price_cents),
        "on_sale": product.on_sale(),
        "sale_price": product.sale_price_cents.map(format_price),
        "percent_off": product.sale_price_cents.map(|sale| percent_off(product.price_cents, sale)),
    })
 }
 #[debug_handler]
 async fn index(
    auth: auth::JWT,
    jar: CookieJar,
    ViewEngine(v): ViewEngine<TeraView>,
    State(ctx): State<AppContext>,
 ) -> Result<Response> {
    guard::current_admin(auth, &ctx).await?;
    let list = products::Entity::find()
        .order_by_asc(products::Column::Name)
        .all(&ctx.db)
        .await?;
    let rows: Vec<serde_json::Value> = list.iter().map(list_row).collect();
    format::view(
        &v,
        "admin/catalog/discounts.html",
        json!({ "products": rows, "lang": current_lang(&jar) }),
    )
 }
 /// What to pre-fill the form with: the chosen input mode and the raw values for
 /// each field, so a rejected submit (or a re-edit) shows what the admin had.
 #[derive(Default)]
 struct FormPrefill {
    mode: String,
    fixed: String,
    percent: String,
 }
 /// Render the single-product discount form, optionally with a validation error.
 fn render_form(
    v: &TeraView,
    jar: &CookieJar,
    product: &products::Model,
    prefill: &FormPrefill,
    error: Option<&str>,
 ) -> Result<Response> {
    let mode = if prefill.mode == "percent" { "percent" } else { "fixed" };
    format::view(
        v,
        "admin/catalog/discount_form.html",
        json!({
            "product": {
                "id": product.id,
                "name": product.name,
                "currency": product.currency,
                "regular_price": format_price(product.price_cents),
                "regular_cents": product.price_cents,
                "on_sale": product.on_sale(),
                "sale_price": product.sale_price_cents.map(format_price),
            },
            "mode": mode,
            "fixed": prefill.fixed,
            "percent": prefill.percent,
            "error": error,
            "lang": current_lang(jar),
        }),
    )
 }
 #[debug_handler]
 async fn edit(
    auth: auth::JWT,
    jar: CookieJar,
    ViewEngine(v): ViewEngine<TeraView>,
    Path(id): Path<i32>,
    State(ctx): State<AppContext>,
 ) -> Result<Response> {
    guard::current_admin(auth, &ctx).await?;
    let product = product_by_id(&ctx, id).await?;
    // Re-editing always opens in fixed mode showing the current sale price.
    let prefill = FormPrefill {
        mode: "fixed".to_string(),
        fixed: product.sale_price_cents.map(format_price).unwrap_or_default(),
        percent: String::new(),
    };
    render_form(&v, &jar, &product, &prefill, None)
 }
 #[debug_handler]
 async fn update(
    auth: auth::JWT,
    jar: CookieJar,
    ViewEngine(v): ViewEngine<TeraView>,
    Path(id): Path<i32>,
    State(ctx): State<AppContext>,
    Form(form): Form<DiscountForm>,
 ) -> Result<Response> {
    guard::current_admin(auth, &ctx).await?;
    let product = product_by_id(&ctx, id).await?;
    let mode = match form.mode.as_deref() {
        Some("percent") => "percent",
        _ => "fixed",
    };
    let fixed = form.sale_price.unwrap_or_default().trim().to_string();
    let percent = form.percent.unwrap_or_default().trim().to_string();
    // Whatever the mode, both raw inputs are echoed back on error so neither tab
    // loses what was typed.
    let prefill = FormPrefill {
        mode: mode.to_string(),
        fixed: fixed.clone(),
        percent: percent.clone(),
    };
    let render_err = |key: &str| render_form(&v, &jar, &product, &prefill, Some(key));
    // Resolve the entered discount into a fixed sale price in cents. An empty
    // input in the active mode clears the discount (same as the Remove action).
    let sale_cents = if mode == "percent" {
        if percent.is_empty() {
            return clear_discount(&ctx, product).await;
        }
        let pct = match parse_percent(&percent) {
            Some(pct) => pct,
            None => return render_err("discount-invalid"),
        };
        if pct <= 0.0 || pct >= 100.0 {
            return render_err("discount-percent-range");
        }
        percent_to_sale_cents(product.price_cents, pct)
    } else {
        if fixed.is_empty() {
            return clear_discount(&ctx, product).await;
        }
        match parse_price_to_cents(&fixed) {
            Ok(cents) => cents,
            Err(_) => return render_err("discount-invalid"),
        }
    };
    // A discount must be a positive price strictly below the regular price —
    // otherwise it isn't a discount.
    if sale_cents <= 0 {
        return render_err("discount-must-be-positive");
    }
    if sale_cents >= product.price_cents {
        return render_err("discount-below-regular");
    }
    let mut active = product.into_active_model();
    active.sale_price_cents = Set(Some(sale_cents));
    active.update(&ctx.db).await?;
    format::redirect("/admin/catalog/discounts")
 }
 async fn clear_discount(ctx: &AppContext, product: products::Model) -> Result<Response> {
    let mut active = product.into_active_model();
    active.sale_price_cents = Set(None);
    active.update(&ctx.db).await?;
    format::redirect("/admin/catalog/discounts")
 }
 #[debug_handler]
 async fn remove(
    auth: auth::JWT,
    Path(id): Path<i32>,
    State(ctx): State<AppContext>,
 ) -> Result<Response> {
    guard::current_admin(auth, &ctx).await?;
    let product = product_by_id(&ctx, id).await?;
    clear_discount(&ctx, product).await
 }
 pub fn routes() -> Routes {
    Routes::new()
        .add("/admin/catalog/discounts", get(index))
        .add("/admin/catalog/discounts/{id}/edit", get(edit))
        .add("/admin/catalog/discounts/{id}", post(update))
        .add("/admin/catalog/discounts/{id}/remove", post(remove))
 }
--- a/src/controllers/cart.rs
+++ b/src/controllers/cart.rs
@@ -201,14 +201,15 @@ pub(crate) async fn resolve_cart(
        if qty == 0 {
            continue;
        }
-        let line_total = product.price_cents * i64::from(qty);
+        let unit_price = product.effective_price_cents();
        let line_total = unit_price * i64::from(qty);
        total += line_total;
        valid.push((product.id, qty));
        lines.push(json!({
            "id": product.id,
            "name": product.name,
            "slug": product.slug,
-            "price": format_price(product.price_cents),
+            "price": format_price(unit_price),
            "currency": product.currency,
            "quantity": qty,
            "stock": product.stock,
--- a/src/controllers/mod.rs
+++ b/src/controllers/mod.rs
@@ -4,6 +4,7 @@ pub mod auth_pages;
 pub mod oauth2;
 pub mod admin_categories;
 pub mod admin_dashboard;
 pub mod admin_discounts;
 pub mod admin_form;
 pub mod admin_orders;
 pub mod admin_products;
--- a/src/initializers/view_engine.rs
+++ b/src/initializers/view_engine.rs
@@ -6,6 +6,7 @@ use loco_rs::{
    controller::views::{engines, ViewEngine},
    Error, Result,
 };
 use std::collections::HashMap;
 use tracing::info;
 const I18N_DIR: &str = "assets/i18n";
@@ -23,7 +24,9 @@ impl Initializer for ViewEngineInitializer {
    }
    async fn after_routes(&self, router: AxumRouter, _ctx: &AppContext) -> Result<AxumRouter> {
-        let tera_engine = if std::path::Path::new(I18N_DIR).exists() {
+        // Load locales only if present; `t` is registered conditionally below so
        // the single post-process closure covers both cases.
        let locales = if std::path::Path::new(I18N_DIR).exists() {
            let arc = std::sync::Arc::new(
                ArcLoader::builder(&I18N_DIR, unic_langid::langid!("sk"))
                    .shared_resources(Some(&[I18N_SHARED.into()]))
@@ -32,15 +35,28 @@ impl Initializer for ViewEngineInitializer {
                    .map_err(|e| Error::string(&e.to_string()))?,
            );
            info!("locales loaded");
-
+            Some(arc)
            engines::TeraView::build()?.post_process(move |tera| {
                tera.register_function("t", FluentLoader::new(arc.clone()));
                Ok(())
            })?
        } else {
-            engines::TeraView::build()?
+            None
        };
        let tera_engine = engines::TeraView::build()?.post_process(move |tera| {
            if let Some(arc) = &locales {
                tera.register_function("t", FluentLoader::new(arc.clone()));
            }
            // `csrf_token()`: the in-flight request's CSRF token (bound by
            // `shared::csrf::protect`), rendered into `<body hx-headers>` and
            // `ui::csrf_field()`. Inlined so its `tera::Error` return is inferred
            // from `register_function` — we never name a `tera` type, keeping it
            // off our direct deps and pinned to loco's.
            tera.register_function("csrf_token", |_args: &HashMap<String, serde_json::Value>| {
                Ok(serde_json::Value::String(
                    crate::shared::csrf::current_token().unwrap_or_default(),
                ))
            });
            Ok(())
        })?;
        Ok(router.layer(Extension(ViewEngine::from(tera_engine))))
    }
 }
--- a/src/models/_entities/products.rs
+++ b/src/models/_entities/products.rs
@@ -16,6 +16,7 @@ pub struct Model {
    #[sea_orm(column_type = "Text", nullable)]
    pub description: Option<String>,
    pub price_cents: i64,
    pub sale_price_cents: Option<i64>,
    pub currency: String,
    pub sku: Option<String>,
    pub stock: i32,
--- a/src/models/orders.rs
+++ b/src/models/orders.rs
@@ -61,13 +61,15 @@ pub async fn place(ctx: &AppContext, items: &[(i32, i32)], details: Checkout) ->
            )));
        }
        currency = product.currency.clone();
-        subtotal += product.price_cents * i64::from(*qty);
+        // Snapshot the effective price (honouring any active discount).
        let unit_price_cents = product.effective_price_cents();
        subtotal += unit_price_cents * i64::from(*qty);
        let mut active = product.clone().into_active_model();
        active.stock = Set(product.stock - *qty);
        active.update(&txn).await?;
-        snapshots.push((product.id, product.name, product.price_cents, *qty));
+        snapshots.push((product.id, product.name, unit_price_cents, *qty));
    }
    let order = ActiveModel {
--- a/src/models/products.rs
+++ b/src/models/products.rs
@@ -19,7 +19,25 @@ impl ActiveModelBehavior for ActiveModel {
 }
 // implement your read-oriented logic here
-impl Model {}
+impl Model {
    /// Whether a discount is currently active: a sale price is set and is
    /// strictly below the regular price.
    #[must_use]
    pub fn on_sale(&self) -> bool {
        matches!(self.sale_price_cents, Some(sale) if sale < self.price_cents)
    }
    /// The price actually charged: the sale price when [`Model::on_sale`],
    /// otherwise the regular price.
    #[must_use]
    pub fn effective_price_cents(&self) -> i64 {
        if self.on_sale() {
            self.sale_price_cents.unwrap_or(self.price_cents)
        } else {
            self.price_cents
        }
    }
 }
 // implement your write-oriented logic here
 impl ActiveModel {}
--- a/src/shared/csrf.rs
+++ b/src/shared/csrf.rs
@@ -0,0 +1,304 @@
 //! Stateless CSRF protection (signed double-submit cookie).
 //!
 //! Authentication is cookie-based (the `auth_token` JWT cookie, see
 //! [`crate::shared::guard`]), so any state-changing request the browser can be
 //! tricked into making carries the victim's credentials. `SameSite=Lax` on the
 //! auth cookie already blocks the cross-site *form* POST case; this layer is the
 //! defense-in-depth on top of it.
 //!
 //! ## How it works
 //! On every safe request we ensure the browser holds a `csrf_token` cookie whose
 //! value is `<random>.<hmac>` — the HMAC is keyed by the app's JWT secret, so the
 //! server can recognise its own tokens without storing any per-session state
 //! (no session table, survives restarts and multiple instances). On every unsafe
 //! request ([`protect`]) the same token must be echoed back, either as the
 //! `X-CSRF-Token` header (htmx requests) or a `_csrf` form field (native
 //! `<form>` submits, which cannot set a custom header). Because a cross-origin
 //! attacker can neither read the cookie nor forge a valid signature, they cannot
 //! produce a matching echo.
 //!
 //! The browser side lives in the two base templates (`base.html`,
 //! `admin/base.html`): an `htmx:configRequest` hook adds the header and a
 //! `submit` hook injects the hidden `_csrf` field.
 //!
 //! `/api/*` is exempt: that subtree is the token-authenticated JSON API and the
 //! OAuth2 callback, neither of which is driven by the browser session cookie.
 use axum::{
    body::{to_bytes, Body},
    extract::{Request, State},
    http::{header, Method, StatusCode},
    middleware::Next,
    response::{IntoResponse, Response},
 };
 use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite};
 use bytes::Bytes;
 use hmac::{Hmac, Mac};
 use loco_rs::prelude::*;
 use sha2::Sha256;
 use subtle::ConstantTimeEq;
 use time::Duration as TimeDuration;
 use uuid::Uuid;
 /// Cookie that holds the signed token. Deliberately *not* `HttpOnly`: the page
 /// JS has to read it to echo it back in the header / hidden field.
 pub const CSRF_COOKIE: &str = "csrf_token";
 /// Header carrying the echoed token on htmx (and any scripted) requests.
 pub const CSRF_HEADER: &str = "x-csrf-token";
 /// Hidden form field carrying the echoed token on native `<form>` submits.
 pub const CSRF_FIELD: &str = "_csrf";
 /// Cookie lifetime. Long enough to outlast a normal browsing session; the token
 /// only needs to be stable, not short-lived (it is not a credential on its own).
 const COOKIE_MAX_AGE_SECS: i64 = 60 * 60 * 24 * 14;
 /// Upper bound on a body we will buffer to find the `_csrf` field. Covers the
 /// largest native multipart submit (a 10 MiB image upload plus the other
 /// fields); anything bigger is rejected rather than buffered.
 const MAX_BODY_BYTES: usize = 16 * 1024 * 1024;
 tokio::task_local! {
    /// CSRF token bound to the in-flight request. [`protect`] sets it so the
    /// `csrf_token()` Tera function can render it into pages (the `hx-headers`
    /// on `<body>` and the `ui::csrf_field()` hidden input) without every
    /// controller having to thread it through the view context.
    static REQUEST_TOKEN: String;
 }
 /// The CSRF token for the current request task, if one is bound. Returns `None`
 /// outside a request (e.g. a mailer rendering a template). Used by the
 /// `csrf_token()` Tera function registered in the view engine.
 #[must_use]
 pub fn current_token() -> Option<String> {
    REQUEST_TOKEN.try_with(String::clone).ok()
 }
 type HmacSha256 = Hmac<Sha256>;
 fn to_hex(bytes: &[u8]) -> String {
    let mut s = String::with_capacity(bytes.len() * 2);
    for b in bytes {
        s.push_str(&format!("{b:02x}"));
    }
    s
 }
 /// HMAC-SHA256 of the random part, keyed by the app secret.
 fn sign(secret: &str, random: &str) -> String {
    let mut mac =
        HmacSha256::new_from_slice(secret.as_bytes()).expect("HMAC accepts a key of any length");
    mac.update(random.as_bytes());
    to_hex(&mac.finalize().into_bytes())
 }
 /// Mint a fresh `<random>.<hmac>` token.
 pub fn make_token(secret: &str) -> String {
    let random = Uuid::new_v4().simple().to_string();
    let sig = sign(secret, &random);
    format!("{random}.{sig}")
 }
 /// True when `token` is well-formed and its signature is the one this server
 /// would produce — i.e. it is one of *our* tokens, not an attacker-injected one.
 fn signature_valid(secret: &str, token: &str) -> bool {
    let Some((random, sig)) = token.split_once('.') else {
        return false;
    };
    let expected = sign(secret, random);
    expected.as_bytes().ct_eq(sig.as_bytes()).into()
 }
 /// Constant-time equality of two full tokens (the double-submit comparison).
 fn tokens_match(a: &str, b: &str) -> bool {
    a.as_bytes().ct_eq(b.as_bytes()).into()
 }
 fn issue_cookie(token: String) -> Cookie<'static> {
    Cookie::build((CSRF_COOKIE, token))
        .path("/")
        .http_only(false)
        .same_site(SameSite::Lax)
        .max_age(TimeDuration::seconds(COOKIE_MAX_AGE_SECS))
        .build()
 }
 fn forbidden(reason: &str) -> Response {
    tracing::debug!(reason, "CSRF check rejected request");
    (StatusCode::FORBIDDEN, "CSRF validation failed").into_response()
 }
 /// Attach the given token to an outgoing response as the `csrf_token` cookie.
 fn attach_cookie(res: &mut Response, token: &str) {
    let cookie = issue_cookie(token.to_string());
    if let Ok(value) = cookie.encoded().to_string().parse() {
        res.headers_mut().append(header::SET_COOKIE, value);
    }
 }
 /// Pull the `_csrf` value out of an `application/x-www-form-urlencoded` body.
 fn field_from_urlencoded(bytes: &[u8]) -> Option<String> {
    form_urlencoded::parse(bytes)
        .find(|(k, _)| k == CSRF_FIELD)
        .map(|(_, v)| v.into_owned())
 }
 /// Pull the `_csrf` value out of a `multipart/form-data` body. Parses a *copy*
 /// of the buffered bytes purely to read the field; the original bytes are still
 /// forwarded to the handler unchanged.
 async fn field_from_multipart(content_type: &str, bytes: Bytes) -> Option<String> {
    let boundary = multer::parse_boundary(content_type).ok()?;
    let stream = futures_util::stream::once(async move { Ok::<_, std::io::Error>(bytes) });
    let mut multipart = multer::Multipart::new(stream, boundary);
    while let Ok(Some(field)) = multipart.next_field().await {
        if field.name() == Some(CSRF_FIELD) {
            return field.text().await.ok();
        }
    }
    None
 }
 /// CSRF enforcement middleware. Safe methods get a token cookie (minted if
 /// missing); unsafe methods must echo a valid, matching token. See the module
 /// docs for the full scheme.
 pub async fn protect(
    State(ctx): State<AppContext>,
    jar: CookieJar,
    req: Request,
    next: Next,
 ) -> Response {
    // The token is keyed by the JWT secret. If no secret is configured we cannot
    // validate, so fail open rather than 403 the whole site — the same secret is
    // already required for auth to work at all.
    let Ok(jwt) = ctx.config.get_jwt_config() else {
        return next.run(req).await;
    };
    let secret = jwt.secret.clone();
    // The token the browser currently holds, accepted only if untampered.
    let cookie_token = jar
        .get(CSRF_COOKIE)
        .map(|c| c.value().to_string())
        .filter(|t| signature_valid(&secret, t));
    let is_safe = matches!(
        *req.method(),
        Method::GET | Method::HEAD | Method::OPTIONS | Method::TRACE
    );
    // Token-auth JSON API + OAuth2 callback: not browser-cookie-driven.
    let exempt = req.uri().path().starts_with("/api/");
    if is_safe || exempt {
        // Bind a token for the page to render even on the very first visit, and
        // persist that same token in the cookie so the later submit matches.
        let token = cookie_token.clone().unwrap_or_else(|| make_token(&secret));
        let mut res = REQUEST_TOKEN.scope(token.clone(), next.run(req)).await;
        if cookie_token.is_none() {
            attach_cookie(&mut res, &token);
        }
        return res;
    }
    // ---- unsafe, non-exempt: require a valid double-submit ----
    let Some(expected) = cookie_token else {
        return forbidden("missing or tampered CSRF cookie");
    };
    // htmx and other scripted requests send the token as a header; prefer it so
    // we never have to touch the body.
    let header_token = req
        .headers()
        .get(CSRF_HEADER)
        .and_then(|v| v.to_str().ok())
        .map(str::to_string);
    if let Some(header_token) = header_token {
        if tokens_match(&header_token, &expected) {
            return REQUEST_TOKEN.scope(expected, next.run(req)).await;
        }
        return forbidden("CSRF header did not match cookie");
    }
    // Native <form> submit: the token is a `_csrf` body field. Buffer the body,
    // read the field from a copy, then forward the original bytes untouched.
    let content_type = req
        .headers()
        .get(header::CONTENT_TYPE)
        .and_then(|v| v.to_str().ok())
        .unwrap_or("")
        .to_string();
    let (parts, body) = req.into_parts();
    let Ok(bytes) = to_bytes(body, MAX_BODY_BYTES).await else {
        return forbidden("request body too large to validate CSRF");
    };
    let submitted = if content_type.starts_with("application/x-www-form-urlencoded") {
        field_from_urlencoded(&bytes)
    } else if content_type.starts_with("multipart/form-data") {
        field_from_multipart(&content_type, bytes.clone()).await
    } else {
        None
    };
    let valid = submitted
        .as_deref()
        .is_some_and(|t| tokens_match(t, &expected));
    if !valid {
        return forbidden("missing or non-matching CSRF form field");
    }
    let req = Request::from_parts(parts, Body::from(bytes));
    REQUEST_TOKEN.scope(expected, next.run(req)).await
 }
 #[cfg(test)]
 mod tests {
    use super::*;
    const SECRET: &str = "test-secret";
    #[test]
    fn fresh_token_validates() {
        let token = make_token(SECRET);
        assert!(signature_valid(SECRET, &token));
    }
    #[test]
    fn tampered_or_foreign_token_rejected() {
        let token = make_token(SECRET);
        // Flip the random part but keep the old signature.
        let (_, sig) = token.split_once('.').unwrap();
        let forged = format!("{}.{sig}", Uuid::new_v4().simple());
        assert!(!signature_valid(SECRET, &forged));
        // A token minted under a different secret is not ours.
        assert!(!signature_valid(SECRET, &make_token("other-secret")));
        // Malformed input never validates.
        assert!(!signature_valid(SECRET, "no-dot-here"));
    }
    #[test]
    fn double_submit_compare() {
        let token = make_token(SECRET);
        assert!(tokens_match(&token, &token.clone()));
        assert!(!tokens_match(&token, &make_token(SECRET)));
    }
    #[test]
    fn extract_field_from_urlencoded() {
        let body = b"email=a%40b.com&_csrf=abc.def&password=x";
        assert_eq!(field_from_urlencoded(body), Some("abc.def".to_string()));
        assert_eq!(field_from_urlencoded(b"email=x"), None);
    }
    #[tokio::test]
    async fn extract_field_from_multipart() {
        let boundary = "X-BOUNDARY";
        let content_type = format!("multipart/form-data; boundary={boundary}");
        let body = format!(
            "--{b}\r\nContent-Disposition: form-data; name=\"name\"\r\n\r\nWidget\r\n\
             --{b}\r\nContent-Disposition: form-data; name=\"_csrf\"\r\n\r\nabc.def\r\n\
             --{b}--\r\n",
            b = boundary
        );
        let got = field_from_multipart(&content_type, Bytes::from(body)).await;
        assert_eq!(got, Some("abc.def".to_string()));
    }
 }
--- a/src/shared/mod.rs
+++ b/src/shared/mod.rs
@@ -1,5 +1,6 @@
 //! Cross-cutting helpers used across feature slices.
 pub mod csrf;
 pub mod guard;
 pub mod money;
 pub mod rbac;
--- a/src/views/shop.rs
+++ b/src/views/shop.rs
@@ -17,7 +17,9 @@ pub fn product_card(
        "name": product.name,
        "slug": product.slug,
        "description": product.description,
-        "price": format_price(product.price_cents),
+        "price": format_price(product.effective_price_cents()),
        "on_sale": product.on_sale(),
        "regular_price": format_price(product.price_cents),
        "currency": product.currency,
        "sku": product.sku,
        "stock": product.stock,
Author	SHA1	Message	Date
Priec	ed566b5347	percentage discounts Some checks failed CI / Check Style (push) Has been cancelled Details CI / Run Clippy (push) Has been cancelled Details CI / Run Tests (push) Has been cancelled Details	2026-06-21 22:41:30 +02:00
Priec	9ce1cb97f0	discounts	2026-06-21 22:33:47 +02:00
Priec	2ee87fbdd7	category creation fixed now Some checks failed CI / Check Style (push) Has been cancelled Details CI / Run Clippy (push) Has been cancelled Details CI / Run Tests (push) Has been cancelled Details	2026-06-21 20:38:28 +02:00
Priec	c9eb47860d	properly working csrf at checkout fixed now Some checks failed CI / Check Style (push) Has been cancelled Details CI / Run Clippy (push) Has been cancelled Details CI / Run Tests (push) Has been cancelled Details	2026-06-21 20:19:58 +02:00
Priec	8dc153efcc	removed redundancy	2026-06-21 20:09:57 +02:00
Priec	db6b609937	custom JS removed in favor of proper CSRF implementation	2026-06-21 18:22:21 +02:00
Priec	86888b3877	csrf implemented	2026-06-21 17:40:21 +02:00