default unchecked

.gitignore

@@ -19,6 +19,8 @@ target/
 *.sqlite-*
 .env
 .env.production
+.envrc
+.direnv/
 uploads/
 *.report.html
 favicon_io.zip

Cargo.toml

@@ -3,7 +3,7 @@
 [package]
 name = "kompress_eshop"
 version = "0.1.0"
-edition = "2021"
+edition = "2024"
 publish = false
 default-run = "kompress-eshop-cli"
 
@@ -16,14 +16,14 @@ loco-rs = { version = "0.16" }
 loco-rs = { workspace = true  }
 serde = { version = "1", features = ["derive"] }
 serde_json = { version = "1" }
-tokio = { version = "1.45", default-features = false, features = [
+tokio = { version = "1.52", default-features = false, features = [
   "rt-multi-thread",
 ] }
 async-trait = { version = "0.1" }
 axum = { version = "0.8", features = ["multipart"] }
 tracing = { version = "0.1" }
 tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }
-regex = { version = "1.11" }
+regex = { version = "1.12" }
 migration = { path = "migration" }
 sea-orm = { version = "1.1", features = [
   "sqlx-sqlite",
@@ -35,7 +35,7 @@ chrono = { version = "0.4" }
 time = { version = "0.3" }
 dotenvy = { version = "0.15" }
 validator = { version = "0.20" }
-uuid = { version = "1.6", features = ["v4"] }
+uuid = { version = "1.23", features = ["v4"] }
 include_dir = { version = "0.7" }
 # outbound HTTP for carrier shipment APIs (Packeta / DPD / DHL)
 reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
@@ -45,6 +45,10 @@ unic-langid = { version = "0.9" }
 # /view engine
 axum-extra = { version = "0.10", features = ["form"] }
 bytes = { version = "1" }
+axum-casbin = "1.3.0"
+loco-oauth2 = "0.5.0"
+passwords = "3.1.16"
+tower-sessions = "0.14"
 
 [[bin]]
 name = "kompress-eshop-cli"
@@ -53,6 +57,6 @@ required-features = []
 
 [dev-dependencies]
 loco-rs = { workspace = true, features = ["testing"] }
-serial_test = { version = "3.1.1" }
+serial_test = { version = "3.5.0" }
 rstest = { version = "0.25" }
-insta = { version = "1.34", features = ["redactions", "yaml", "filters"] }
+insta = { version = "1.48", features = ["redactions", "yaml", "filters"] }

assets/i18n/en/main.ftl

@@ -57,12 +57,31 @@ album-by = by
 album-play-full = Play full album
 album-queue-all = queue all tracks in order
 album-no-tracks = no tracks yet
-login-title = Admin login
+login-title = Sign in
 login-error = Access denied - invalid email or password.
+login-error-unverified = Your account isn't verified yet. Check your email and click the verification link.
 login-root = root
-login-auth = Authenticate
+login-auth = Sign in
 login-email = Email
 login-password = Password
+login-no-account = Don't have an account?
+login-have-account = Already have an account?
+auth-or = or
+auth-google = Continue with Google
+nav-login = Sign in
+nav-register = Register
+nav-profile = My profile
+register-title = Create account
+register-name = Name
+register-submit = Create account
+register-error-exists = An account with this email already exists.
+register-error-invalid = Please check the details you entered and try again.
+verify-sent-title = Check your email
+verify-sent-body = We've sent a verification link to
+verify-ok-title = Account verified
+verify-ok-body = Your account is verified. You can now sign in.
+verify-fail-title = Verification failed
+verify-fail-body = This link is invalid or has expired.
 auth = Auth
 admin-session = Session
 readonly = readonly
@@ -238,8 +257,45 @@ country-de = Germany
 country-pl = Poland
 country-hu = Hungary
 checkout-note = Order note
+checkout-save-profile = Save this address to my profile
+account-type = Account type
+account-personal = Individual
+account-company = Company
+account-company-details = Company details
+company-name = Company name
+company-ico = Company ID (IČO)
+company-dic = Tax ID (DIČ)
+company-icdph = VAT ID (IČ DPH)
+field-optional = optional
 checkout-place-order = Place order
 checkout-summary = Order summary
+profile-title = My profile
+profile-intro = We'll use these details to prefill checkout.
+profile-saved = Profile saved.
+profile-save = Save profile
+profile-company-required = For a company account, please fill in company name, IČO and DIČ.
+profile-first-name = First name
+profile-last-name = Surname
+profile-edit = Edit profile
+profile-cancel = Cancel
+profile-not-set = Not set
+account-type-locked = Account type can't be changed after registration.
+checkout-create-account = Create an account from this order
+checkout-create-account-hint = We'll email you a link to set your password. This order will be linked to your account.
+order-account-created = We created an account for you. Check your email to set your password.
+set-password-title = Set your password
+set-password-intro = Choose a password to finish setting up your account.
+set-password-new = New password
+set-password-confirm = Confirm password
+set-password-submit = Set password
+set-password-invalid = This link is invalid or has expired.
+set-password-weak = Password must be at least 8 characters.
+set-password-mismatch = Passwords don't match.
+resend-verification-title = Resend verification email
+resend-verification-intro = Enter your email and we'll send a fresh verification link.
+resend-verification-submit = Resend
+resend-verification-done = If that email belongs to an unverified account, we've sent a new verification link. Check your inbox (and spam). You can request another in a minute.
+login-resend = Didn't get the verification email? Resend it
 order-confirmed-title = Thank you for your order!
 order-confirmed-sub = We have received your order.
 order-number = Order number

assets/i18n/sk/main.ftl

@@ -57,12 +57,31 @@ album-by = od
 album-play-full = Prehrať celý album
 album-queue-all = zoradiť všetky skladby v poradí
 album-no-tracks = zatiaľ žiadne skladby
-login-title = Prihlásenie admina
+login-title = Prihlásenie
 login-error = Prístup odmietnutý - nesprávny e-mail alebo heslo.
+login-error-unverified = Účet ešte nie je overený. Skontrolujte si e-mail a kliknite na overovací odkaz.
 login-root = root
 login-auth = Prihlásiť sa
 login-email = E-mail
 login-password = Heslo
+login-no-account = Nemáte účet?
+login-have-account = Už máte účet?
+auth-or = alebo
+auth-google = Pokračovať cez Google
+nav-login = Prihlásiť sa
+nav-register = Registrácia
+nav-profile = Môj profil
+register-title = Vytvoriť účet
+register-name = Meno
+register-submit = Zaregistrovať sa
+register-error-exists = Účet s týmto e-mailom už existuje.
+register-error-invalid = Skontrolujte zadané údaje a skúste to znova.
+verify-sent-title = Skontrolujte si e-mail
+verify-sent-body = Poslali sme overovací odkaz na adresu
+verify-ok-title = Účet overený
+verify-ok-body = Váš účet je overený. Teraz sa môžete prihlásiť.
+verify-fail-title = Overenie zlyhalo
+verify-fail-body = Tento odkaz je neplatný alebo mu vypršala platnosť.
 auth = Overenie
 admin-session = Relácia
 readonly = iba na čítanie
@@ -238,8 +257,45 @@ country-de = Nemecko
 country-pl = Poľsko
 country-hu = Maďarsko
 checkout-note = Poznámka k objednávke
+checkout-save-profile = Uložiť túto adresu do môjho profilu
+account-type = Typ účtu
+account-personal = Súkromná osoba
+account-company = Firma
+account-company-details = Firemné údaje
+company-name = Názov firmy
+company-ico = IČO
+company-dic = DIČ
+company-icdph = IČ DPH
+field-optional = nepovinné
 checkout-place-order = Odoslať objednávku
 checkout-summary = Súhrn objednávky
+profile-title = Môj profil
+profile-intro = Tieto údaje použijeme na predvyplnenie pokladne.
+profile-saved = Profil bol uložený.
+profile-save = Uložiť profil
+profile-company-required = Pri firemnom účte vyplňte názov firmy, IČO a DIČ.
+profile-first-name = Meno
+profile-last-name = Priezvisko
+profile-edit = Upraviť profil
+profile-cancel = Zrušiť
+profile-not-set = Neuvedené
+account-type-locked = Typ účtu sa po registrácii nedá zmeniť.
+checkout-create-account = Vytvoriť účet z tejto objednávky
+checkout-create-account-hint = Pošleme vám e-mail na nastavenie hesla. Objednávka sa priradí k vášmu účtu.
+order-account-created = Vytvorili sme vám účet. Skontrolujte si e-mail a nastavte si heslo.
+set-password-title = Nastavte si heslo
+set-password-intro = Zvoľte si heslo a dokončite vytvorenie účtu.
+set-password-new = Nové heslo
+set-password-confirm = Potvrďte heslo
+set-password-submit = Nastaviť heslo
+set-password-invalid = Odkaz je neplatný alebo vypršal.
+set-password-weak = Heslo musí mať aspoň 8 znakov.
+set-password-mismatch = Heslá sa nezhodujú.
+resend-verification-title = Znova odoslať overovací e-mail
+resend-verification-intro = Zadajte svoj e-mail a pošleme vám nový overovací odkaz.
+resend-verification-submit = Odoslať znova
+resend-verification-done = Ak k tomuto e-mailu patrí neoverený účet, poslali sme naň nový overovací odkaz. Skontrolujte si schránku aj priečinok so spamom. Ďalšiu žiadosť môžete odoslať o minútu.
+login-resend = Nedostali ste overovací e-mail? Poslať znova
 order-confirmed-title = Ďakujeme za objednávku!
 order-confirmed-sub = Vašu objednávku sme prijali.
 order-number = Číslo objednávky

assets/views/account/profile.html

@@ -0,0 +1,228 @@
+{% extends "base.html" %}
+{% import "macros/ui.html" as ui %}
+
+{% block title %}{{ t(key="profile-title", lang=lang | default(value='sk')) }}{% endblock title %}
+
+{% macro field(label, value) %}
+<div class="space-y-1.5">
+  <label class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ label }}</label>
+  {% if value %}
+  <p class="text-sm text-on-surface/80 dark:text-on-surface-dark/80">{{ value }}</p>
+  {% else %}
+  <p class="text-sm italic text-on-surface/50 dark:text-on-surface-dark/50">{{ t(key="profile-not-set", lang=lang | default(value='sk')) }}</p>
+  {% endif %}
+</div>
+{% endmacro field %}
+
+{% block content %}
+<div class="mx-auto max-w-2xl" x-data="{ editing: {% if error %}true{% else %}false{% endif %} }">
+  <h1 class="text-3xl font-bold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="profile-title", lang=lang | default(value='sk')) }}</h1>
+  <p class="mt-2 text-sm text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="profile-intro", lang=lang | default(value='sk')) }}</p>
+
+  {% if saved %}
+  <div class="mt-4 rounded-radius border border-success bg-success/10 px-4 py-3 text-sm text-success" role="status">
+    {{ t(key="profile-saved", lang=lang | default(value='sk')) }}
+  </div>
+  {% endif %}
+  {% if error %}
+  {{ ui::alert_danger(message=t(key="profile-company-required", lang=lang | default(value='sk')), extra="mt-4") }}
+  {% endif %}
+
+  <!-- read-only view (default) -->
+  <div x-show="!editing" class="mt-6 space-y-6">
+    <fieldset class="space-y-2 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
+      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-type", lang=lang | default(value='sk')) }}</legend>
+      <div class="flex items-center gap-2">
+        {% if account_type == "company" %}
+        {{ ui::badge(label=t(key="account-company", lang=lang | default(value='sk')), variant="primary") }}
+        {% else %}
+        {{ ui::badge(label=t(key="account-personal", lang=lang | default(value='sk')), variant="neutral") }}
+        {% endif %}
+        <span class="text-xs text-on-surface/60 dark:text-on-surface-dark/60">{{ t(key="account-type-locked", lang=lang | default(value='sk')) }}</span>
+      </div>
+    </fieldset>
+
+    {% if account_type == "company" %}
+    <fieldset class="space-y-4 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
+      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-company-details", lang=lang | default(value='sk')) }}</legend>
+      {{ self::field(label=t(key="company-name", lang=lang | default(value='sk')), value=company_name) }}
+      <div class="grid gap-4 sm:grid-cols-3">
+        {{ self::field(label=t(key="company-ico", lang=lang | default(value='sk')), value=company_id) }}
+        {{ self::field(label=t(key="company-dic", lang=lang | default(value='sk')), value=tax_id) }}
+        {{ self::field(label=t(key="company-icdph", lang=lang | default(value='sk')), value=vat_id) }}
+      </div>
+    </fieldset>
+    {% endif %}
+
+    <fieldset class="space-y-4 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
+      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-contact", lang=lang | default(value='sk')) }}</legend>
+      {{ self::field(label=t(key="checkout-name", lang=lang | default(value='sk')), value=name) }}
+      {{ self::field(label=t(key="checkout-email", lang=lang | default(value='sk')), value=email) }}
+      {% if phone %}
+      {% set phone_full = phone_prefix | default(value='') %}
+      {% set phone_full = phone_full ~ ' ' ~ phone %}
+      {{ self::field(label=t(key="checkout-phone", lang=lang | default(value='sk')), value=phone_full) }}
+      {% else %}
+      {{ self::field(label=t(key="checkout-phone", lang=lang | default(value='sk')), value='') }}
+      {% endif %}
+    </fieldset>
+
+    <fieldset class="space-y-4 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
+      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-shipping", lang=lang | default(value='sk')) }}</legend>
+      {{ self::field(label=t(key="checkout-address", lang=lang | default(value='sk')), value=address) }}
+      <div class="grid gap-4 sm:grid-cols-3">
+        {{ self::field(label=t(key="checkout-city", lang=lang | default(value='sk')), value=city) }}
+        {{ self::field(label=t(key="checkout-zip", lang=lang | default(value='sk')), value=zip) }}
+        {{ self::field(label=t(key="checkout-country", lang=lang | default(value='sk')), value=country) }}
+      </div>
+    </fieldset>
+
+    {{ ui::button(label=t(key="profile-edit", lang=lang | default(value='sk')), type="button", size="px-6 py-2.5 text-sm", attrs='@click="editing = true"') }}
+  </div>
+
+  <!-- edit form -->
+  <form x-show="editing" x-cloak method="post" action="/account/profile" hx-boost="false" class="mt-6 space-y-6">
+    <!-- account type is fixed at registration and shown read-only -->
+    <fieldset class="space-y-2 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
+      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-type", lang=lang | default(value='sk')) }}</legend>
+      <div class="flex items-center gap-2">
+        {% if account_type == "company" %}
+        {{ ui::badge(label=t(key="account-company", lang=lang | default(value='sk')), variant="primary") }}
+        {% else %}
+        {{ ui::badge(label=t(key="account-personal", lang=lang | default(value='sk')), variant="neutral") }}
+        {% endif %}
+        <span class="text-xs text-on-surface/60 dark:text-on-surface-dark/60">{{ t(key="account-type-locked", lang=lang | default(value='sk')) }}</span>
+      </div>
+    </fieldset>
+
+    {% if account_type == "company" %}
+    <!-- company billing details (company accounts only) -->
+    <fieldset class="space-y-4 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
+      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-company-details", lang=lang | default(value='sk')) }}</legend>
+      <div class="space-y-1.5">
+        <label for="company_name" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="company-name", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
+        {{ ui::input(name="company_name", id="company_name", value=company_name | default(value=''), autocomplete="organization") }}
+      </div>
+      <div class="grid gap-4 sm:grid-cols-3">
+        <div class="space-y-1.5">
+          <label for="company_id" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="company-ico", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
+          {{ ui::input(name="company_id", id="company_id", value=company_id | default(value='')) }}
+        </div>
+        <div class="space-y-1.5">
+          <label for="tax_id" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="company-dic", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
+          {{ ui::input(name="tax_id", id="tax_id", value=tax_id | default(value='')) }}
+        </div>
+        <div class="space-y-1.5">
+          <label for="vat_id" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="company-icdph", lang=lang | default(value='sk')) }} <span class="text-on-surface/50 dark:text-on-surface-dark/50">({{ t(key="field-optional", lang=lang | default(value='sk')) }})</span></label>
+          {{ ui::input(name="vat_id", id="vat_id", value=vat_id | default(value='')) }}
+        </div>
+      </div>
+    </fieldset>
+    {% endif %}
+
+    <!-- contact (name/email are managed by the login) -->
+    <fieldset class="space-y-4 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
+      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-contact", lang=lang | default(value='sk')) }}</legend>
+      <div class="grid gap-4 sm:grid-cols-2">
+        <div class="space-y-1.5">
+          <label for="first_name" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="profile-first-name", lang=lang | default(value='sk')) }}</label>
+          {{ ui::input(name="first_name", id="first_name", value=first_name | default(value=''), autocomplete="given-name") }}
+        </div>
+        <div class="space-y-1.5">
+          <label for="last_name" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="profile-last-name", lang=lang | default(value='sk')) }}</label>
+          {{ ui::input(name="last_name", id="last_name", value=last_name | default(value=''), autocomplete="family-name") }}
+        </div>
+      </div>
+      <div class="space-y-1.5">
+        <label class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-email", lang=lang | default(value='sk')) }}</label>
+        <p class="text-sm text-on-surface/80 dark:text-on-surface-dark/80">{{ email }}</p>
+      </div>
+      <div class="space-y-1.5">
+        <label for="phone" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-phone", lang=lang | default(value='sk')) }}</label>
+        <div class="flex gap-2">
+          <!-- editable combobox: type freely or pick from the dropdown -->
+          <div class="relative w-28 shrink-0" @click.outside="prefixOpen = false"
+            x-data="{ prefixOpen: false, prefix: '{{ phone_prefix | default(value='+421') }}', opts: [
+              { v: '+421', l: '🇸🇰 +421' }, { v: '+420', l: '🇨🇿 +420' },
+              { v: '+43', l: '🇦🇹 +43' }, { v: '+49', l: '🇩🇪 +49' },
+              { v: '+48', l: '🇵🇱 +48' }, { v: '+36', l: '🇭🇺 +36' },
+              { v: '+44', l: '🇬🇧 +44' }, { v: '+39', l: '🇮🇹 +39' }, { v: '+33', l: '🇫🇷 +33' }
+            ], get filtered() { return this.opts.filter(o => !this.prefix || o.v.includes(this.prefix)) } }">
+            <input name="phone_prefix" type="text" x-model="prefix" @focus="prefixOpen = true" @input="prefixOpen = true"
+              aria-label="{{ t(key='checkout-phone', lang=lang | default(value='sk')) }}" autocomplete="tel-country-code" inputmode="tel"
+              class="w-full rounded-radius border border-outline bg-surface py-2 pl-3 pr-7 text-sm text-on-surface focus:outline-2 focus:outline-primary dark:border-outline-dark dark:bg-surface-dark dark:text-on-surface-dark">
+            <button type="button" tabindex="-1" @click="prefixOpen = !prefixOpen"
+              class="absolute inset-y-0 right-0 flex w-7 items-center justify-center text-on-surface/60 dark:text-on-surface-dark/60">
+              <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor"
+                class="size-4 transition-transform" :class="prefixOpen && 'rotate-180'">
+                <path stroke-linecap="round" stroke-linejoin="round" d="m19.5 8.25-7.5 7.5-7.5-7.5" />
+              </svg>
+            </button>
+            <ul x-show="prefixOpen" x-cloak x-transition
+              class="absolute z-20 mt-1 max-h-56 w-full overflow-auto rounded-radius border border-outline bg-surface p-1 shadow-lg dark:border-outline-dark dark:bg-surface-dark-alt">
+              <template x-for="o in filtered" :key="o.v">
+                <li><button type="button" @click="prefix = o.v; prefixOpen = false" x-text="o.l"
+                  class="block w-full rounded-radius px-3 py-1.5 text-left text-sm text-on-surface transition hover:bg-surface-alt dark:text-on-surface-dark dark:hover:bg-surface-dark"></button></li>
+              </template>
+            </ul>
+          </div>
+          {{ ui::input(name="phone", id="phone", type="tel", value=phone | default(value=''), autocomplete="tel", placeholder="900 000 000", attrs='inputmode="tel"') }}
+        </div>
+      </div>
+    </fieldset>
+
+    <!-- default shipping address -->
+    <fieldset class="space-y-4 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
+      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-shipping", lang=lang | default(value='sk')) }}</legend>
+      <div class="space-y-1.5">
+        <label for="address" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-address", lang=lang | default(value='sk')) }}</label>
+        {{ ui::input(name="address", id="address", value=address | default(value=''), autocomplete="street-address") }}
+      </div>
+      <div class="grid gap-4 sm:grid-cols-3">
+        <div class="space-y-1.5">
+          <label for="city" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-city", lang=lang | default(value='sk')) }}</label>
+          {{ ui::input(name="city", id="city", value=city | default(value=''), autocomplete="address-level2") }}
+        </div>
+        <div class="space-y-1.5">
+          <label for="zip" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-zip", lang=lang | default(value='sk')) }}</label>
+          {{ ui::input(name="zip", id="zip", value=zip | default(value=''), autocomplete="postal-code") }}
+        </div>
+        <div class="space-y-1.5">
+          <label for="country" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-country", lang=lang | default(value='sk')) }}</label>
+          <div class="relative" @click.outside="countryOpen = false"
+            x-data="{ countryOpen: false, country: '{{ country | default(value='') }}', opts: [
+              { v: '{{ t(key='country-sk', lang=lang | default(value='sk')) }}', l: '🇸🇰 {{ t(key='country-sk', lang=lang | default(value='sk')) }}' },
+              { v: '{{ t(key='country-cz', lang=lang | default(value='sk')) }}', l: '🇨🇿 {{ t(key='country-cz', lang=lang | default(value='sk')) }}' },
+              { v: '{{ t(key='country-at', lang=lang | default(value='sk')) }}', l: '🇦🇹 {{ t(key='country-at', lang=lang | default(value='sk')) }}' },
+              { v: '{{ t(key='country-de', lang=lang | default(value='sk')) }}', l: '🇩🇪 {{ t(key='country-de', lang=lang | default(value='sk')) }}' },
+              { v: '{{ t(key='country-pl', lang=lang | default(value='sk')) }}', l: '🇵🇱 {{ t(key='country-pl', lang=lang | default(value='sk')) }}' },
+              { v: '{{ t(key='country-hu', lang=lang | default(value='sk')) }}', l: '🇭🇺 {{ t(key='country-hu', lang=lang | default(value='sk')) }}' }
+            ], get filtered() { return this.opts.filter(o => !this.country || o.v.toLowerCase().includes(this.country.toLowerCase())) } }">
+            <input id="country" name="country" type="text" x-model="country" @focus="countryOpen = true" @input="countryOpen = true"
+              class="w-full rounded-radius border border-outline bg-surface py-2 pl-3 pr-8 text-sm text-on-surface focus:outline-2 focus:outline-primary dark:border-outline-dark dark:bg-surface-dark dark:text-on-surface-dark">
+            <button type="button" tabindex="-1" @click="countryOpen = !countryOpen"
+              class="absolute inset-y-0 right-0 flex w-8 items-center justify-center text-on-surface/60 dark:text-on-surface-dark/60">
+              <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor"
+                class="size-4 transition-transform" :class="countryOpen && 'rotate-180'">
+                <path stroke-linecap="round" stroke-linejoin="round" d="m19.5 8.25-7.5 7.5-7.5-7.5" />
+              </svg>
+            </button>
+            <ul x-show="countryOpen" x-cloak x-transition
+              class="absolute z-20 mt-1 max-h-56 w-full overflow-auto rounded-radius border border-outline bg-surface p-1 shadow-lg dark:border-outline-dark dark:bg-surface-dark-alt">
+              <template x-for="o in filtered" :key="o.v">
+                <li><button type="button" @click="country = o.v; countryOpen = false" x-text="o.l"
+                  class="block w-full rounded-radius px-3 py-1.5 text-left text-sm text-on-surface transition hover:bg-surface-alt dark:text-on-surface-dark dark:hover:bg-surface-dark"></button></li>
+              </template>
+            </ul>
+          </div>
+        </div>
+      </div>
+    </fieldset>
+
+    <div class="flex items-center gap-3">
+      {{ ui::button(label=t(key="profile-save", lang=lang | default(value='sk')), type="submit", size="px-6 py-2.5 text-sm") }}
+      {{ ui::button(label=t(key="profile-cancel", lang=lang | default(value='sk')), type="button", variant="outline-secondary", size="px-6 py-2.5 text-sm", attrs='@click="editing = false"') }}
+    </div>
+  </form>
+</div>
+{% endblock content %}

assets/views/admin/base.html

@@ -95,7 +95,7 @@
         <a href="/" class="flex items-center gap-2 rounded-radius px-2 py-1.5 text-sm font-medium text-info underline-offset-2 transition hover:bg-info/5 focus:outline-hidden focus-visible:underline">
           {{ t(key="admin-exit", lang=lang | default(value='sk')) }}
         </a>
-        <form method="post" action="/admin/logout">
+        <form method="post" action="/logout">
           <button type="submit" class="flex w-full items-center gap-2 rounded-radius px-2 py-1.5 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-danger/5 focus:outline-hidden focus-visible:underline">
             {{ t(key="logout", lang=lang | default(value='sk')) }}
           </button>

assets/views/admin/login.html

@@ -1,49 +0,0 @@
-{% extends "base.html" %}
-{% import "macros/ui.html" as ui %}
-
-{% block title %}{{ t(key="login-title", lang=lang | default(value='sk')) }}{% endblock title %}
-
-{% block content %}
-<div class="mx-auto mt-8 max-w-sm">
-  <div
-    class="rounded-radius border border-outline bg-surface-alt shadow-sm dark:border-outline-dark dark:bg-surface-dark-alt">
-    <div
-      class="flex items-center justify-between border-b border-outline px-5 py-3 dark:border-outline-dark">
-      <span class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
-        {{ t(key="nav-admin", lang=lang | default(value='sk')) }}
-      </span>
-      {{ ui::badge(label=t(key="auth", lang=lang | default(value='sk')), variant="danger") }}
-    </div>
-
-    <div class="p-5">
-      <h1 class="text-xl font-bold text-on-surface-strong dark:text-on-surface-dark-strong">
-        {{ t(key="login-auth", lang=lang | default(value='sk')) }}
-      </h1>
-
-      {% if error %}
-      {{ ui::alert_danger(message=t(key="login-error", lang=lang | default(value='sk')), extra="mt-3") }}
-      {% endif %}
-
-      <form method="post" action="/admin/login" hx-boost="false" class="mt-4 flex flex-col gap-4">
-        <div class="flex flex-col gap-1">
-          <label for="email"
-            class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
-            {{ t(key="login-email", lang=lang | default(value='sk')) }}
-          </label>
-          {{ ui::input(name="email", id="email", type="email", required=true, autocomplete="email", attrs="autofocus") }}
-        </div>
-
-        <div class="flex flex-col gap-1">
-          <label for="password"
-            class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
-            {{ t(key="login-password", lang=lang | default(value='sk')) }}
-          </label>
-          {{ ui::input(name="password", id="password", type="password", required=true, autocomplete="current-password") }}
-        </div>
-
-        {{ ui::button(label=t(key="login-auth", lang=lang | default(value='sk')), type="submit", extra="mt-1 w-full") }}
-      </form>
-    </div>
-  </div>
-</div>
-{% endblock content %}

assets/views/admin/orders/show.html

@@ -52,6 +52,15 @@
         <p class="text-on-surface/80 dark:text-on-surface-dark/80">{{ order.email }}</p>
         {% if order.phone %}<p class="text-on-surface/80 dark:text-on-surface-dark/80">{{ order.phone }}</p>{% endif %}
       </div>
+      {% if order.account_type == "company" %}
+      <div>
+        <p class="text-xs uppercase tracking-wide text-on-surface/60 dark:text-on-surface-dark/60">{{ t(key="account-company-details", lang=lang | default(value='sk')) }}</p>
+        <p class="font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ order.company_name }}</p>
+        <p class="text-on-surface/80 dark:text-on-surface-dark/80">{{ t(key="company-ico", lang=lang | default(value='sk')) }}: {{ order.company_id }}</p>
+        <p class="text-on-surface/80 dark:text-on-surface-dark/80">{{ t(key="company-dic", lang=lang | default(value='sk')) }}: {{ order.tax_id }}</p>
+        {% if order.vat_id %}<p class="text-on-surface/80 dark:text-on-surface-dark/80">{{ t(key="company-icdph", lang=lang | default(value='sk')) }}: {{ order.vat_id }}</p>{% endif %}
+      </div>
+      {% endif %}
       <div>
         <p class="text-xs uppercase tracking-wide text-on-surface/60 dark:text-on-surface-dark/60">{{ t(key="checkout-shipping", lang=lang | default(value='sk')) }}</p>
         <p class="text-on-surface/80 dark:text-on-surface-dark/80">{{ order.address }}<br>{{ order.zip }} {{ order.city }}<br>{{ order.country }}</p>

assets/views/auth/login.html

@@ -0,0 +1,67 @@
+{% extends "base.html" %}
+{% import "macros/ui.html" as ui %}
+
+{% block title %}{{ t(key="login-title", lang=lang | default(value='sk')) }}{% endblock title %}
+
+{% block content %}
+<div class="mx-auto mt-8 max-w-sm">
+  <div
+    class="rounded-radius border border-outline bg-surface-alt shadow-sm dark:border-outline-dark dark:bg-surface-dark-alt">
+    <div
+      class="flex items-center justify-between border-b border-outline px-5 py-3 dark:border-outline-dark">
+      <span class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
+        {{ t(key="brand", lang=lang | default(value='sk')) }}
+      </span>
+      {{ ui::badge(label=t(key="auth", lang=lang | default(value='sk')), variant="primary") }}
+    </div>
+
+    <div class="p-5">
+      <h1 class="text-xl font-bold text-on-surface-strong dark:text-on-surface-dark-strong">
+        {{ t(key="login-title", lang=lang | default(value='sk')) }}
+      </h1>
+
+      {% if error == "unverified" %}
+      {{ ui::alert_danger(message=t(key="login-error-unverified", lang=lang | default(value='sk')), extra="mt-3") }}
+      <p class="mt-2 text-sm text-on-surface dark:text-on-surface-dark">
+        <a href="/resend-verification" class="font-medium text-primary underline-offset-2 hover:underline dark:text-primary-dark">{{ t(key="login-resend", lang=lang | default(value='sk')) }}</a>
+      </p>
+      {% elif error %}
+      {{ ui::alert_danger(message=t(key="login-error", lang=lang | default(value='sk')), extra="mt-3") }}
+      {% endif %}
+
+      <form method="post" action="/login" hx-boost="false" class="mt-4 flex flex-col gap-4">
+        <div class="flex flex-col gap-1">
+          <label for="email"
+            class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
+            {{ t(key="login-email", lang=lang | default(value='sk')) }}
+          </label>
+          {{ ui::input(name="email", id="email", type="email", required=true, autocomplete="email", attrs="autofocus") }}
+        </div>
+
+        <div class="flex flex-col gap-1">
+          <label for="password"
+            class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
+            {{ t(key="login-password", lang=lang | default(value='sk')) }}
+          </label>
+          {{ ui::input(name="password", id="password", type="password", required=true, autocomplete="current-password") }}
+        </div>
+
+        {{ ui::button(label=t(key="login-auth", lang=lang | default(value='sk')), type="submit", extra="mt-1 w-full") }}
+      </form>
+
+      <div class="mt-5 flex items-center gap-3 text-xs text-on-surface/50 dark:text-on-surface-dark/50">
+        <span class="h-px flex-1 bg-outline dark:bg-outline-dark"></span>
+        {{ t(key="auth-or", lang=lang | default(value='sk')) }}
+        <span class="h-px flex-1 bg-outline dark:bg-outline-dark"></span>
+      </div>
+      {{ ui::button(label=t(key="auth-google", lang=lang | default(value='sk')), href="/api/oauth2/google", variant="outline-secondary", attrs='hx-boost="false"', extra="mt-4 w-full", icon='<svg class="size-4" viewBox="0 0 48 48" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"><path fill="#FFC107" d="M43.611 20.083H42V20H24v8h11.303c-1.649 4.657-6.08 8-11.303 8-6.627 0-12-5.373-12-12s5.373-12 12-12c3.059 0 5.842 1.154 7.961 3.039l5.657-5.657C34.046 6.053 29.268 4 24 4 12.955 4 4 12.955 4 24s8.955 20 20 20 20-8.955 20-20c0-1.341-.138-2.65-.389-3.917z"/><path fill="#FF3D00" d="m6.306 14.691 6.571 4.819C14.655 15.108 18.961 12 24 12c3.059 0 5.842 1.154 7.961 3.039l5.657-5.657C34.046 6.053 29.268 4 24 4 16.318 4 9.656 8.337 6.306 14.691z"/><path fill="#4CAF50" d="M24 44c5.166 0 9.86-1.977 13.409-5.192l-6.19-5.238A11.91 11.91 0 0 1 24 36c-5.202 0-9.619-3.317-11.283-7.946l-6.522 5.025C9.505 39.556 16.227 44 24 44z"/><path fill="#1976D2" d="M43.611 20.083H42V20H24v8h11.303a12.04 12.04 0 0 1-4.087 5.571l.003-.002 6.19 5.238C36.971 39.205 44 34 44 24c0-1.341-.138-2.65-.389-3.917z"/></svg>') }}
+
+      <p class="mt-4 text-sm text-on-surface dark:text-on-surface-dark">
+        {{ t(key="login-no-account", lang=lang | default(value='sk')) }}
+        <a href="/register"
+          class="font-medium text-primary underline-offset-2 hover:underline dark:text-primary-dark">{{ t(key="nav-register", lang=lang | default(value='sk')) }}</a>
+      </p>
+    </div>
+  </div>
+</div>
+{% endblock content %}

assets/views/auth/register.html

@@ -0,0 +1,96 @@
+{% extends "base.html" %}
+{% import "macros/ui.html" as ui %}
+
+{% block title %}{{ t(key="register-title", lang=lang | default(value='sk')) }}{% endblock title %}
+
+{% block content %}
+<div class="mx-auto mt-8 max-w-sm">
+  <div
+    class="rounded-radius border border-outline bg-surface-alt shadow-sm dark:border-outline-dark dark:bg-surface-dark-alt">
+    <div
+      class="flex items-center justify-between border-b border-outline px-5 py-3 dark:border-outline-dark">
+      <span class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
+        {{ t(key="brand", lang=lang | default(value='sk')) }}
+      </span>
+      {{ ui::badge(label=t(key="auth", lang=lang | default(value='sk')), variant="primary") }}
+    </div>
+
+    <div class="p-5">
+      <h1 class="text-xl font-bold text-on-surface-strong dark:text-on-surface-dark-strong">
+        {{ t(key="register-title", lang=lang | default(value='sk')) }}
+      </h1>
+
+      {% if error == "exists" %}
+      {{ ui::alert_danger(message=t(key="register-error-exists", lang=lang | default(value='sk')), extra="mt-3") }}
+      {% elif error == "mismatch" %}
+      {{ ui::alert_danger(message=t(key="set-password-mismatch", lang=lang | default(value='sk')), extra="mt-3") }}
+      {% elif error == "weak" %}
+      {{ ui::alert_danger(message=t(key="set-password-weak", lang=lang | default(value='sk')), extra="mt-3") }}
+      {% elif error %}
+      {{ ui::alert_danger(message=t(key="register-error-invalid", lang=lang | default(value='sk')), extra="mt-3") }}
+      {% endif %}
+
+      <form method="post" action="/register" hx-boost="false" class="mt-4 flex flex-col gap-4"
+        x-data="{ password: '', confirm: '' }">
+        <div class="flex flex-col gap-1.5">
+          <span class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-type", lang=lang | default(value='sk')) }}</span>
+          <div class="grid grid-cols-2 gap-2">
+            <label class="flex cursor-pointer items-center gap-2 rounded-radius border border-outline px-3 py-2 text-sm transition has-[:checked]:border-primary dark:border-outline-dark dark:has-[:checked]:border-primary-dark">
+              {{ ui::radio(name="account_type", value="personal", checked=true) }}
+              <span class="font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-personal", lang=lang | default(value='sk')) }}</span>
+            </label>
+            <label class="flex cursor-pointer items-center gap-2 rounded-radius border border-outline px-3 py-2 text-sm transition has-[:checked]:border-primary dark:border-outline-dark dark:has-[:checked]:border-primary-dark">
+              {{ ui::radio(name="account_type", value="company") }}
+              <span class="font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-company", lang=lang | default(value='sk')) }}</span>
+            </label>
+          </div>
+          <span class="text-xs text-on-surface/60 dark:text-on-surface-dark/60">{{ t(key="account-type-locked", lang=lang | default(value='sk')) }}</span>
+        </div>
+
+        <div class="flex flex-col gap-1">
+          <label for="email"
+            class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
+            {{ t(key="login-email", lang=lang | default(value='sk')) }}
+          </label>
+          {{ ui::input(name="email", id="email", type="email", required=true, autocomplete="email", attrs="autofocus") }}
+        </div>
+
+        <div class="flex flex-col gap-1">
+          <label for="password"
+            class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
+            {{ t(key="login-password", lang=lang | default(value='sk')) }}
+          </label>
+          {{ ui::input(name="password", id="password", type="password", required=true, autocomplete="new-password", attrs='x-model="password"') }}
+        </div>
+
+        <div class="flex flex-col gap-1">
+          <label for="password_confirm"
+            class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
+            {{ t(key="set-password-confirm", lang=lang | default(value='sk')) }}
+          </label>
+          {{ ui::input(name="password_confirm", id="password_confirm", type="password", required=true, autocomplete="new-password", attrs='x-model="confirm"') }}
+          <span x-cloak x-show="confirm.length > 0 && password !== confirm"
+            class="text-xs text-danger dark:text-danger">
+            {{ t(key="set-password-mismatch", lang=lang | default(value='sk')) }}
+          </span>
+        </div>
+
+        {{ ui::button(label=t(key="register-submit", lang=lang | default(value='sk')), type="submit", extra="mt-1 w-full", attrs=':disabled="password !== confirm"') }}
+      </form>
+
+      <div class="mt-5 flex items-center gap-3 text-xs text-on-surface/50 dark:text-on-surface-dark/50">
+        <span class="h-px flex-1 bg-outline dark:bg-outline-dark"></span>
+        {{ t(key="auth-or", lang=lang | default(value='sk')) }}
+        <span class="h-px flex-1 bg-outline dark:bg-outline-dark"></span>
+      </div>
+      {{ ui::button(label=t(key="auth-google", lang=lang | default(value='sk')), href="/api/oauth2/google", variant="outline-secondary", attrs='hx-boost="false"', extra="mt-4 w-full", icon='<svg class="size-4" viewBox="0 0 48 48" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"><path fill="#FFC107" d="M43.611 20.083H42V20H24v8h11.303c-1.649 4.657-6.08 8-11.303 8-6.627 0-12-5.373-12-12s5.373-12 12-12c3.059 0 5.842 1.154 7.961 3.039l5.657-5.657C34.046 6.053 29.268 4 24 4 12.955 4 4 12.955 4 24s8.955 20 20 20 20-8.955 20-20c0-1.341-.138-2.65-.389-3.917z"/><path fill="#FF3D00" d="m6.306 14.691 6.571 4.819C14.655 15.108 18.961 12 24 12c3.059 0 5.842 1.154 7.961 3.039l5.657-5.657C34.046 6.053 29.268 4 24 4 16.318 4 9.656 8.337 6.306 14.691z"/><path fill="#4CAF50" d="M24 44c5.166 0 9.86-1.977 13.409-5.192l-6.19-5.238A11.91 11.91 0 0 1 24 36c-5.202 0-9.619-3.317-11.283-7.946l-6.522 5.025C9.505 39.556 16.227 44 24 44z"/><path fill="#1976D2" d="M43.611 20.083H42V20H24v8h11.303a12.04 12.04 0 0 1-4.087 5.571l.003-.002 6.19 5.238C36.971 39.205 44 34 44 24c0-1.341-.138-2.65-.389-3.917z"/></svg>') }}
+
+      <p class="mt-4 text-sm text-on-surface dark:text-on-surface-dark">
+        {{ t(key="login-have-account", lang=lang | default(value='sk')) }}
+        <a href="/login"
+          class="font-medium text-primary underline-offset-2 hover:underline dark:text-primary-dark">{{ t(key="nav-login", lang=lang | default(value='sk')) }}</a>
+      </p>
+    </div>
+  </div>
+</div>
+{% endblock content %}

assets/views/auth/resend_verification.html

@@ -0,0 +1,37 @@
+{% extends "base.html" %}
+{% import "macros/ui.html" as ui %}
+
+{% block title %}{{ t(key="resend-verification-title", lang=lang | default(value='sk')) }}{% endblock title %}
+
+{% block content %}
+<div class="mx-auto mt-8 max-w-sm">
+  <div class="rounded-radius border border-outline bg-surface-alt shadow-sm dark:border-outline-dark dark:bg-surface-dark-alt">
+    <div class="flex items-center justify-between border-b border-outline px-5 py-3 dark:border-outline-dark">
+      <span class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="brand", lang=lang | default(value='sk')) }}</span>
+      {{ ui::badge(label=t(key="auth", lang=lang | default(value='sk')), variant="primary") }}
+    </div>
+
+    <div class="p-5">
+      <h1 class="text-xl font-bold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="resend-verification-title", lang=lang | default(value='sk')) }}</h1>
+
+      {% if done %}
+      <div class="mt-3 rounded-radius border border-success bg-success/10 px-4 py-3 text-sm text-success" role="status">
+        {{ t(key="resend-verification-done", lang=lang | default(value='sk')) }}
+      </div>
+      <p class="mt-4 text-sm text-on-surface dark:text-on-surface-dark">
+        <a href="/login" class="font-medium text-primary underline-offset-2 hover:underline dark:text-primary-dark">{{ t(key="nav-login", lang=lang | default(value='sk')) }}</a>
+      </p>
+      {% else %}
+      <p class="mt-1 text-sm text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="resend-verification-intro", lang=lang | default(value='sk')) }}</p>
+      <form method="post" action="/resend-verification" hx-boost="false" class="mt-4 flex flex-col gap-4">
+        <div class="flex flex-col gap-1">
+          <label for="email" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="login-email", lang=lang | default(value='sk')) }}</label>
+          {{ ui::input(name="email", id="email", type="email", required=true, autocomplete="email", attrs="autofocus") }}
+        </div>
+        {{ ui::button(label=t(key="resend-verification-submit", lang=lang | default(value='sk')), type="submit", extra="mt-1 w-full") }}
+      </form>
+      {% endif %}
+    </div>
+  </div>
+</div>
+{% endblock content %}

assets/views/auth/set_password.html

@@ -0,0 +1,47 @@
+{% extends "base.html" %}
+{% import "macros/ui.html" as ui %}
+
+{% block title %}{{ t(key="set-password-title", lang=lang | default(value='sk')) }}{% endblock title %}
+
+{% block content %}
+<div class="mx-auto mt-8 max-w-sm">
+  <div class="rounded-radius border border-outline bg-surface-alt shadow-sm dark:border-outline-dark dark:bg-surface-dark-alt">
+    <div class="flex items-center justify-between border-b border-outline px-5 py-3 dark:border-outline-dark">
+      <span class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="brand", lang=lang | default(value='sk')) }}</span>
+      {{ ui::badge(label=t(key="auth", lang=lang | default(value='sk')), variant="primary") }}
+    </div>
+
+    <div class="p-5">
+      <h1 class="text-xl font-bold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="set-password-title", lang=lang | default(value='sk')) }}</h1>
+
+      {% if not valid %}
+      {{ ui::alert_danger(message=t(key="set-password-invalid", lang=lang | default(value='sk')), extra="mt-3") }}
+      <p class="mt-4 text-sm text-on-surface dark:text-on-surface-dark">
+        <a href="/login" class="font-medium text-primary underline-offset-2 hover:underline dark:text-primary-dark">{{ t(key="nav-login", lang=lang | default(value='sk')) }}</a>
+      </p>
+      {% else %}
+      <p class="mt-1 text-sm text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="set-password-intro", lang=lang | default(value='sk')) }}</p>
+
+      {% if error == "mismatch" %}
+      {{ ui::alert_danger(message=t(key="set-password-mismatch", lang=lang | default(value='sk')), extra="mt-3") }}
+      {% elif error == "weak" %}
+      {{ ui::alert_danger(message=t(key="set-password-weak", lang=lang | default(value='sk')), extra="mt-3") }}
+      {% endif %}
+
+      <form method="post" action="/set-password" hx-boost="false" class="mt-4 flex flex-col gap-4">
+        <input type="hidden" name="token" value="{{ token }}">
+        <div class="flex flex-col gap-1">
+          <label for="password" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="set-password-new", lang=lang | default(value='sk')) }}</label>
+          {{ ui::input(name="password", id="password", type="password", required=true, autocomplete="new-password", attrs="autofocus") }}
+        </div>
+        <div class="flex flex-col gap-1">
+          <label for="password_confirm" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="set-password-confirm", lang=lang | default(value='sk')) }}</label>
+          {{ ui::input(name="password_confirm", id="password_confirm", type="password", required=true, autocomplete="new-password") }}
+        </div>
+        {{ ui::button(label=t(key="set-password-submit", lang=lang | default(value='sk')), type="submit", extra="mt-1 w-full") }}
+      </form>
+      {% endif %}
+    </div>
+  </div>
+</div>
+{% endblock content %}

assets/views/auth/verified.html

@@ -0,0 +1,27 @@
+{% extends "base.html" %}
+{% import "macros/ui.html" as ui %}
+
+{% block title %}{% if ok %}{{ t(key="verify-ok-title", lang=lang | default(value='sk')) }}{% else %}{{ t(key="verify-fail-title", lang=lang | default(value='sk')) }}{% endif %}{% endblock title %}
+
+{% block content %}
+<div class="mx-auto mt-8 max-w-sm">
+  <div
+    class="rounded-radius border border-outline bg-surface-alt p-5 shadow-sm dark:border-outline-dark dark:bg-surface-dark-alt">
+    {% if ok %}
+    <h1 class="text-xl font-bold text-on-surface-strong dark:text-on-surface-dark-strong">
+      {{ t(key="verify-ok-title", lang=lang | default(value='sk')) }}
+    </h1>
+    <p class="mt-3 text-sm text-on-surface dark:text-on-surface-dark">
+      {{ t(key="verify-ok-body", lang=lang | default(value='sk')) }}
+    </p>
+    {{ ui::button(label=t(key="login-auth", lang=lang | default(value='sk')), href="/login", extra="mt-4 w-full") }}
+    {% else %}
+    <h1 class="text-xl font-bold text-on-surface-strong dark:text-on-surface-dark-strong">
+      {{ t(key="verify-fail-title", lang=lang | default(value='sk')) }}
+    </h1>
+    {{ ui::alert_danger(message=t(key="verify-fail-body", lang=lang | default(value='sk')), extra="mt-3") }}
+    {{ ui::button(label=t(key="nav-login", lang=lang | default(value='sk')), href="/login", variant="outline-primary", extra="mt-4 w-full") }}
+    {% endif %}
+  </div>
+</div>
+{% endblock content %}

assets/views/auth/verify_sent.html

@@ -0,0 +1,20 @@
+{% extends "base.html" %}
+{% import "macros/ui.html" as ui %}
+
+{% block title %}{{ t(key="verify-sent-title", lang=lang | default(value='sk')) }}{% endblock title %}
+
+{% block content %}
+<div class="mx-auto mt-8 max-w-sm">
+  <div
+    class="rounded-radius border border-outline bg-surface-alt p-5 shadow-sm dark:border-outline-dark dark:bg-surface-dark-alt">
+    <h1 class="text-xl font-bold text-on-surface-strong dark:text-on-surface-dark-strong">
+      {{ t(key="verify-sent-title", lang=lang | default(value='sk')) }}
+    </h1>
+    <p class="mt-3 text-sm text-on-surface dark:text-on-surface-dark">
+      {{ t(key="verify-sent-body", lang=lang | default(value='sk')) }}
+      <span class="font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ email }}</span>
+    </p>
+    {{ ui::button(label=t(key="nav-login", lang=lang | default(value='sk')), href="/login", variant="outline-primary", extra="mt-4 w-full") }}
+  </div>
+</div>
+{% endblock content %}

assets/views/base.html

@@ -81,12 +81,20 @@
           {% if logged_in_admin %}
           <li>{{ ui::nav_link(label=t(key="admin-title", lang=lang | default(value='sk')), href="/admin/dashboard", data_nav="/admin", variant="warning", attrs='hx-boost="false"') }}</li>
           <li>
-            <form method="post" action="/admin/logout" hx-boost="false">
+            <form method="post" action="/logout" hx-boost="false">
+              <button type="submit" class="text-sm font-medium text-danger underline-offset-2 transition hover:opacity-75 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
+            </form>
+          </li>
+          {% elif logged_in_customer %}
+          <li>{{ ui::nav_link(label=t(key="nav-profile", lang=lang | default(value='sk')), href="/account/profile", data_nav="/account") }}</li>
+          <li>
+            <form method="post" action="/logout" hx-boost="false">
               <button type="submit" class="text-sm font-medium text-danger underline-offset-2 transition hover:opacity-75 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
             </form>
           </li>
           {% else %}
-          <li>{{ ui::nav_link(label=t(key="nav-admin", lang=lang | default(value='sk')), href="/admin/login", data_nav="/admin/login") }}</li>
+          <li>{{ ui::nav_link(label=t(key="nav-login", lang=lang | default(value='sk')), href="/login", data_nav="/login") }}</li>
+          <li>{{ ui::nav_link(label=t(key="nav-register", lang=lang | default(value='sk')), href="/register", data_nav="/register") }}</li>
           {% endif %}
         </ul>
 
@@ -126,12 +134,20 @@
           {% if logged_in_admin %}
           <li><a href="/admin/dashboard" hx-boost="false" data-nav="/admin" class="block rounded-radius px-3 py-2 text-sm font-medium text-warning underline-offset-2 transition hover:bg-primary/5 focus:outline-hidden focus-visible:underline">{{ t(key="admin-title", lang=lang | default(value='sk')) }}</a></li>
           <li>
-            <form method="post" action="/admin/logout" hx-boost="false">
+            <form method="post" action="/logout" hx-boost="false">
+              <button type="submit" class="block w-full rounded-radius px-3 py-2 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-primary/5 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
+            </form>
+          </li>
+          {% elif logged_in_customer %}
+          <li><a href="/account/profile" data-nav="/account" class="block rounded-radius px-3 py-2 text-sm font-medium text-on-surface underline-offset-2 transition hover:bg-primary/5 hover:text-primary focus:outline-hidden focus-visible:underline aria-[current=page]:font-semibold aria-[current=page]:bg-primary/10 aria-[current=page]:text-primary dark:text-on-surface-dark dark:hover:text-primary-dark dark:aria-[current=page]:text-primary-dark">{{ t(key="nav-profile", lang=lang | default(value='sk')) }}</a></li>
+          <li>
+            <form method="post" action="/logout" hx-boost="false">
               <button type="submit" class="block w-full rounded-radius px-3 py-2 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-primary/5 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
             </form>
           </li>
           {% else %}
-          <li><a href="/admin/login" data-nav="/admin/login" class="block rounded-radius px-3 py-2 text-sm font-medium text-on-surface underline-offset-2 transition hover:bg-primary/5 hover:text-primary focus:outline-hidden focus-visible:underline aria-[current=page]:font-semibold aria-[current=page]:bg-primary/10 aria-[current=page]:text-primary dark:text-on-surface-dark dark:hover:text-primary-dark dark:aria-[current=page]:text-primary-dark">{{ t(key="nav-admin", lang=lang | default(value='sk')) }}</a></li>
+          <li><a href="/login" data-nav="/login" class="block rounded-radius px-3 py-2 text-sm font-medium text-on-surface underline-offset-2 transition hover:bg-primary/5 hover:text-primary focus:outline-hidden focus-visible:underline aria-[current=page]:font-semibold aria-[current=page]:bg-primary/10 aria-[current=page]:text-primary dark:text-on-surface-dark dark:hover:text-primary-dark dark:aria-[current=page]:text-primary-dark">{{ t(key="nav-login", lang=lang | default(value='sk')) }}</a></li>
+          <li><a href="/register" data-nav="/register" class="block rounded-radius px-3 py-2 text-sm font-medium text-on-surface underline-offset-2 transition hover:bg-primary/5 hover:text-primary focus:outline-hidden focus-visible:underline aria-[current=page]:font-semibold aria-[current=page]:bg-primary/10 aria-[current=page]:text-primary dark:text-on-surface-dark dark:hover:text-primary-dark dark:aria-[current=page]:text-primary-dark">{{ t(key="nav-register", lang=lang | default(value='sk')) }}</a></li>
           {% endif %}
         </ul>
       </nav>

assets/views/macros/ui.html

@@ -82,6 +82,11 @@
 {# Compact danger alert (form/inline errors). Adapted from
    penguinui/alert/default-alert.html (danger variant), trimmed to a single line
    with the danger icon. #}
+{# Required-field marker: a red asterisk appended to a field label. #}
+{% macro req() -%}
+<span class="ml-0.5 text-danger" aria-hidden="true">*</span>
+{%- endmacro req %}
+
 {% macro alert_danger(message, extra="") -%}
 <div class="flex w-full items-center gap-2 overflow-hidden rounded-radius border border-danger bg-danger/10 px-3 py-2 text-sm text-danger {{ extra }}" role="alert">
   <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20" fill="currentColor" class="size-5 shrink-0" aria-hidden="true">

assets/views/shop/checkout.html

@@ -11,6 +11,7 @@
 <form method="post" action="/checkout" hx-boost="false"
   x-data="{
     paymentMethod: '',
+    accountType: '{{ prefill_account_type | default(value='personal') }}',
     carrier: '',
     carrierPrice: 0,
     requiresPoint: false,
@@ -31,23 +32,73 @@
   class="mt-6 grid gap-8 lg:grid-cols-3">
 
   <div class="space-y-6 lg:col-span-2">
+    <!-- personal vs company. Fixed (read-only) for a logged-in account; a guest
+         picks it and the choice will type any account they create. -->
+    <fieldset class="space-y-3 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
+      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-type", lang=lang | default(value='sk')) }}</legend>
+      {% if account_fixed %}
+      <div class="flex items-center gap-2">
+        {% if prefill_account_type == "company" %}
+        {{ ui::badge(label=t(key="account-company", lang=lang | default(value='sk')), variant="primary") }}
+        {% else %}
+        {{ ui::badge(label=t(key="account-personal", lang=lang | default(value='sk')), variant="neutral") }}
+        {% endif %}
+        <span class="text-xs text-on-surface/60 dark:text-on-surface-dark/60">{{ t(key="account-type-locked", lang=lang | default(value='sk')) }}</span>
+      </div>
+      {% else %}
+      <div class="grid gap-3 sm:grid-cols-2">
+        <label class="flex cursor-pointer items-center gap-3 rounded-radius border border-outline px-4 py-3 transition has-[:checked]:border-primary dark:border-outline-dark dark:has-[:checked]:border-primary-dark">
+          {{ ui::radio(name="account_type", value="personal", attrs='x-model="accountType"') }}
+          <span class="font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-personal", lang=lang | default(value='sk')) }}</span>
+        </label>
+        <label class="flex cursor-pointer items-center gap-3 rounded-radius border border-outline px-4 py-3 transition has-[:checked]:border-primary dark:border-outline-dark dark:has-[:checked]:border-primary-dark">
+          {{ ui::radio(name="account_type", value="company", attrs='x-model="accountType"') }}
+          <span class="font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-company", lang=lang | default(value='sk')) }}</span>
+        </label>
+      </div>
+      {% endif %}
+    </fieldset>
+
+    <!-- company billing details (company accounts only) -->
+    <fieldset x-show="accountType === 'company'" x-cloak class="space-y-4 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
+      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-company-details", lang=lang | default(value='sk')) }}</legend>
+      <div class="space-y-1.5">
+        <label for="company_name" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="company-name", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
+        {{ ui::input(name="company_name", id="company_name", value=prefill_company_name | default(value=''), autocomplete="organization") }}
+      </div>
+      <div class="grid gap-4 sm:grid-cols-3">
+        <div class="space-y-1.5">
+          <label for="company_id" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="company-ico", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
+          {{ ui::input(name="company_id", id="company_id", value=prefill_company_id | default(value='')) }}
+        </div>
+        <div class="space-y-1.5">
+          <label for="tax_id" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="company-dic", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
+          {{ ui::input(name="tax_id", id="tax_id", value=prefill_tax_id | default(value='')) }}
+        </div>
+        <div class="space-y-1.5">
+          <label for="vat_id" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="company-icdph", lang=lang | default(value='sk')) }} <span class="text-on-surface/50 dark:text-on-surface-dark/50">({{ t(key="field-optional", lang=lang | default(value='sk')) }})</span></label>
+          {{ ui::input(name="vat_id", id="vat_id", value=prefill_vat_id | default(value='')) }}
+        </div>
+      </div>
+    </fieldset>
+
     <!-- contact -->
     <fieldset class="space-y-4 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
       <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-contact", lang=lang | default(value='sk')) }}</legend>
       <div class="space-y-1.5">
-        <label for="email" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-email", lang=lang | default(value='sk')) }}</label>
+        <label for="email" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-email", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
-        {{ ui::input(name="email", id="email", type="email", required=true, autocomplete="email") }}
+        {{ ui::input(name="email", id="email", type="email", value=prefill_email | default(value=''), required=true, autocomplete="email") }}
       </div>
       <div class="space-y-1.5">
-        <label for="customer_name" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-name", lang=lang | default(value='sk')) }}</label>
+        <label for="customer_name" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-name", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
-        {{ ui::input(name="customer_name", id="customer_name", required=true, autocomplete="name") }}
+        {{ ui::input(name="customer_name", id="customer_name", value=prefill_name | default(value=''), required=true, autocomplete="name") }}
       </div>
       <div class="space-y-1.5">
-        <label for="phone" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-phone", lang=lang | default(value='sk')) }}</label>
+        <label for="phone" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-phone", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
         <div class="flex gap-2">
           <!-- editable combobox: type freely or pick from the dropdown -->
           <div class="relative w-28 shrink-0" @click.outside="prefixOpen = false"
-            x-data="{ prefixOpen: false, prefix: '+421', opts: [
+            x-data="{ prefixOpen: false, prefix: '{{ prefill_phone_prefix | default(value='+421') }}', opts: [
               { v: '+421', l: '🇸🇰 +421' }, { v: '+420', l: '🇨🇿 +420' },
               { v: '+43', l: '🇦🇹 +43' }, { v: '+49', l: '🇩🇪 +49' },
               { v: '+48', l: '🇵🇱 +48' }, { v: '+36', l: '🇭🇺 +36' },
@@ -71,7 +122,7 @@
               </template>
             </ul>
           </div>
-          {{ ui::input(name="phone", id="phone", type="tel", required=true, autocomplete="tel", placeholder="900 000 000", attrs='inputmode="tel"') }}
+          {{ ui::input(name="phone", id="phone", type="tel", value=prefill_phone | default(value=''), required=true, autocomplete="tel", placeholder="900 000 000", attrs='inputmode="tel"') }}
         </div>
       </div>
     </fieldset>
@@ -80,22 +131,22 @@
     <fieldset class="space-y-4 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
       <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-shipping", lang=lang | default(value='sk')) }}</legend>
       <div class="space-y-1.5">
-        <label for="address" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-address", lang=lang | default(value='sk')) }}</label>
+        <label for="address" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-address", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
-        {{ ui::input(name="address", id="address", required=true, autocomplete="street-address") }}
+        {{ ui::input(name="address", id="address", value=prefill_address | default(value=''), required=true, autocomplete="street-address") }}
       </div>
       <div class="grid gap-4 sm:grid-cols-3">
         <div class="space-y-1.5">
-          <label for="city" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-city", lang=lang | default(value='sk')) }}</label>
+          <label for="city" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-city", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
-          {{ ui::input(name="city", id="city", required=true, autocomplete="address-level2") }}
+          {{ ui::input(name="city", id="city", value=prefill_city | default(value=''), required=true, autocomplete="address-level2") }}
         </div>
         <div class="space-y-1.5">
-          <label for="zip" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-zip", lang=lang | default(value='sk')) }}</label>
+          <label for="zip" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-zip", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
-          {{ ui::input(name="zip", id="zip", required=true, autocomplete="postal-code") }}
+          {{ ui::input(name="zip", id="zip", value=prefill_zip | default(value=''), required=true, autocomplete="postal-code") }}
         </div>
         <div class="space-y-1.5">
-          <label for="country" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-country", lang=lang | default(value='sk')) }}</label>
+          <label for="country" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-country", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
           <div class="relative" @click.outside="countryOpen = false"
-            x-data="{ countryOpen: false, country: '{{ t(key='country-sk', lang=lang | default(value='sk')) }}', opts: [
+            x-data="{ countryOpen: false, country: '{{ prefill_country | default(value=t(key='country-sk', lang=lang | default(value='sk'))) }}', opts: [
               { v: '{{ t(key='country-sk', lang=lang | default(value='sk')) }}', l: '🇸🇰 {{ t(key='country-sk', lang=lang | default(value='sk')) }}' },
               { v: '{{ t(key='country-cz', lang=lang | default(value='sk')) }}', l: '🇨🇿 {{ t(key='country-cz', lang=lang | default(value='sk')) }}' },
               { v: '{{ t(key='country-at', lang=lang | default(value='sk')) }}', l: '🇦🇹 {{ t(key='country-at', lang=lang | default(value='sk')) }}' },
@@ -126,7 +177,7 @@
 
     <!-- carrier -->
     <fieldset class="space-y-3 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
-      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-carrier", lang=lang | default(value='sk')) }}</legend>
+      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-carrier", lang=lang | default(value='sk')) }}{{ ui::req() }}</legend>
       {% for m in shipping_methods %}
       <label class="flex cursor-pointer items-center justify-between gap-3 rounded-radius border border-outline px-4 py-3 transition has-[:checked]:border-primary dark:border-outline-dark dark:has-[:checked]:border-primary-dark">
         <span class="flex items-center gap-3">
@@ -162,7 +213,7 @@
 
     <!-- payment -->
     <fieldset class="space-y-3 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
-      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-payment", lang=lang | default(value='sk')) }}</legend>
+      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-payment", lang=lang | default(value='sk')) }}{{ ui::req() }}</legend>
       <label class="flex cursor-pointer items-center gap-3 rounded-radius border border-outline px-4 py-3 transition has-[:checked]:border-primary dark:border-outline-dark dark:has-[:checked]:border-primary-dark">
         {{ ui::radio(name="payment_method", value="cod", attrs='required x-model="paymentMethod"') }}
         <span class="font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="payment-cod", lang=lang | default(value='sk')) }}</span>
@@ -177,6 +228,20 @@
       <label for="note" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-note", lang=lang | default(value='sk')) }}</label>
       {{ ui::textarea(name="note", id="note", rows="3") }}
     </div>
+
+    {% if logged_in_customer and not profile_filled %}
+    <!-- offered only when the profile has no saved address yet; if it was filled
+         in advance we leave it untouched -->
+    {{ ui::checkbox(name="save_profile", id="save_profile", label=t(key="checkout-save-profile", lang=lang | default(value='sk'))) }}
+    {% endif %}
+
+    {% if can_create_account %}
+    <!-- guests may turn this order into an account (typed by their choice above) -->
+    <div class="space-y-1.5 rounded-radius border border-outline bg-surface p-4 dark:border-outline-dark dark:bg-surface-dark-alt">
+      {{ ui::checkbox(name="create_account", id="create_account", label=t(key="checkout-create-account", lang=lang | default(value='sk'))) }}
+      <p class="pl-6 text-xs text-on-surface/60 dark:text-on-surface-dark/60">{{ t(key="checkout-create-account-hint", lang=lang | default(value='sk')) }}</p>
+    </div>
+    {% endif %}
   </div>
 
   <!-- summary -->

assets/views/shop/order_confirmed.html

@@ -15,6 +15,12 @@
     <p class="mt-1 text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="order-confirmed-sub", lang=lang | default(value='sk')) }}</p>
   </div>
 
+  {% if account_created %}
+  <div class="rounded-radius border border-primary/40 bg-primary/5 p-4 text-sm text-on-surface dark:border-primary-dark/40 dark:text-on-surface-dark" role="status">
+    {{ t(key="order-account-created", lang=lang | default(value='sk')) }}
+  </div>
+  {% endif %}
+
   <div class="rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
     <div class="flex flex-wrap justify-between gap-2 border-b border-outline pb-3 dark:border-outline-dark">
       <span class="text-sm text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="order-number", lang=lang | default(value='sk')) }}</span>

config/casbin/model.conf

@@ -0,0 +1,24 @@
+# Casbin access model for the storefront.
+#
+# Request is (subject, object, action) = (role, request-path, HTTP-method);
+# axum-casbin supplies path + method automatically and the subject comes from
+# our JWT-derived CasbinVals (see src/shared/rbac.rs).
+#
+# Deny-override: every request is allowed unless a matching policy line marks it
+# `deny`. That keeps the public storefront fully open and lets the policy file
+# carve out the protected `/admin/*` subtree for non-admins only.
+
+[request_definition]
+r = sub, obj, act
+
+[policy_definition]
+p = sub, obj, act, eft
+
+[role_definition]
+g = _, _
+
+[policy_effect]
+e = !some(where (p.eft == deny))
+
+[matchers]
+m = (r.sub == p.sub || g(r.sub, p.sub)) && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act)

config/casbin/policy.csv

@@ -0,0 +1,25 @@
+# Authorization policy. Format: p, subject(role), object(path-pattern), action(method-regex), effect
+#
+# DECISION: this app intentionally runs with a SINGLE hardcoded admin (the user
+# whose email matches ADMIN_EMAIL in .env, via guard::is_admin / admin_seeder).
+# Everyone else is `customer` (logged in) or `anonymous` (not). There is no
+# stored `role` column yet. This is a deliberate choice for current scale, not a
+# limitation of the wiring — see src/shared/rbac.rs for the upgrade path.
+#
+# Deny everyone except admins under the admin subtree. `keyMatch` treats the
+# trailing `*` as "anything after /admin/", so /admin/dashboard, /admin/orders/5
+# etc. are all covered; the bare /admin entry point stays open so it can redirect
+# to /login. Admins match no deny rule and so are allowed through.
+#
+# To grow this: give users a real role, emit it as the subject in
+# src/shared/rbac.rs, then add `p` lines (allow/deny) and `g, <user>, <role>`
+# mappings here.
+p, customer, /admin/*, .*, deny
+p, anonymous, /admin/*, .*, deny
+# Admin-only endpoints that live outside the /admin/* subtree: the admin JSON
+# API and the image upload. Public image serving (/images/{filename}) is GET and
+# not matched here, so it stays open.
+p, customer, /api/admin/*, .*, deny
+p, anonymous, /api/admin/*, .*, deny
+p, customer, /images/upload, .*, deny
+p, anonymous, /images/upload, .*, deny

config/development.yaml

@@ -45,19 +45,24 @@ workers:
 
 # Mailer Configuration.
 mailer:
-  # SMTP mailer configuration.
+  # SMTP mailer configuration. Defaults target a local catcher (MailHog/Mailpit
+  # on localhost:1025); set the SMTP_* env vars to point at a real server. The
+  # auth block is only emitted when SMTP_PASSWORD is provided, so the secret is
+  # never stored here — pass it in at launch (e.g. from `pass`).
   smtp:
     # Enable/Disable smtp mailer.
-    enable: true
+    enable: {{ get_env(name="SMTP_ENABLE", default="true") }}
     # SMTP server host. e.x localhost, smtp.gmail.com
-    host: localhost
+    host: "{{ get_env(name="SMTP_HOST", default="localhost") }}"
     # SMTP server port
-    port: 1025
+    port: {{ get_env(name="SMTP_PORT", default="1025") }}
     # Use secure connection (SSL/TLS).
-    secure: false
+    secure: {{ get_env(name="SMTP_SECURE", default="false") }}
-    # auth:
+{% if get_env(name="SMTP_PASSWORD", default="") != "" %}
-    #   user:
+    auth:
-    #   password:
+      user: "{{ get_env(name="SMTP_USER", default="") }}"
+      password: "{{ get_env(name="SMTP_PASSWORD", default="") }}"
+{% endif %}
     # Override the SMTP hello name (default is the machine's hostname)
     # hello_name:
 
@@ -125,3 +130,30 @@ settings:
   # Bank-transfer payment details shown on the order confirmation.
   bank_iban: {{ get_env(name="BANK_IBAN", default="SK00 0000 0000 0000 0000 0000") }}
   bank_account_name: {{ get_env(name="BANK_ACCOUNT_NAME", default="Kompress s.r.o.") }}
+
+# loco-oauth2: social login. Credentials come from .env (create them in the
+# Google Cloud console and register the redirect_url below as an authorized
+# redirect URI). Until OAUTH_CLIENT_ID/SECRET are set, the "Continue with
+# Google" button will fail at the consent screen — the rest of auth is unaffected.
+initializers:
+  oauth2:
+    # Key for the loco-oauth2 private cookie jar (>= 64 bytes). Override in prod.
+    secret_key: {{ get_env(name="OAUTH_PRIVATE_KEY", default="144, 76, 183, 1, 15, 184, 233, 174, 214, 251, 190, 186, 122, 61, 74, 84, 225, 110, 189, 115, 10, 251, 133, 128, 52, 46, 15, 66, 85, 1, 245, 73, 27, 113, 189, 15, 209, 205, 61, 100, 73, 31, 18, 58, 235, 105, 141, 36, 70, 92, 231, 151, 27, 32, 243, 117, 30, 244, 110, 89, 233, 196, 137, 130") }}
+    authorization_code:
+      - client_identifier: google
+        client_credentials:
+          client_id: {{ get_env(name="OAUTH_CLIENT_ID", default="oauth_client_id") }}
+          client_secret: {{ get_env(name="OAUTH_CLIENT_SECRET", default="oauth_client_secret") }}
+        url_config:
+          auth_url: {{ get_env(name="OAUTH_AUTH_URL", default="https://accounts.google.com/o/oauth2/auth") }}
+          token_url: {{ get_env(name="OAUTH_TOKEN_URL", default="https://www.googleapis.com/oauth2/v3/token") }}
+          redirect_url: {{ get_env(name="OAUTH_REDIRECT_URL", default="http://localhost:5150/api/oauth2/google/callback/cookie") }}
+          profile_url: {{ get_env(name="OAUTH_PROFILE_URL", default="https://openidconnect.googleapis.com/v1/userinfo") }}
+          scopes:
+            - "https://www.googleapis.com/auth/userinfo.email"
+            - "https://www.googleapis.com/auth/userinfo.profile"
+        cookie_config:
+          # After loco-oauth2 sets its session cookie it redirects here, where we
+          # mint our own auth_token cookie (see controllers/oauth2.rs::complete).
+          protected_url: {{ get_env(name="OAUTH_PROTECTED_URL", default="http://localhost:5150/api/oauth2/protected") }}
+        timeout_seconds: 600

config/production.yaml

@@ -55,3 +55,25 @@ auth:
 settings:
   admin_email: "{{ get_env(name="ADMIN_EMAIL", default="") }}"
   uploads_root: "{{ get_env(name="UPLOADS_ROOT", default="data/uploads") }}"
+
+# loco-oauth2 social login. All values must come from the environment in prod;
+# OAUTH_REDIRECT_URL / OAUTH_PROTECTED_URL must use the real public origin.
+initializers:
+  oauth2:
+    secret_key: "{{ get_env(name="OAUTH_PRIVATE_KEY") }}"
+    authorization_code:
+      - client_identifier: google
+        client_credentials:
+          client_id: "{{ get_env(name="OAUTH_CLIENT_ID") }}"
+          client_secret: "{{ get_env(name="OAUTH_CLIENT_SECRET") }}"
+        url_config:
+          auth_url: "{{ get_env(name="OAUTH_AUTH_URL", default="https://accounts.google.com/o/oauth2/auth") }}"
+          token_url: "{{ get_env(name="OAUTH_TOKEN_URL", default="https://www.googleapis.com/oauth2/v3/token") }}"
+          redirect_url: "{{ get_env(name="OAUTH_REDIRECT_URL") }}"
+          profile_url: "{{ get_env(name="OAUTH_PROFILE_URL", default="https://openidconnect.googleapis.com/v1/userinfo") }}"
+          scopes:
+            - "https://www.googleapis.com/auth/userinfo.email"
+            - "https://www.googleapis.com/auth/userinfo.profile"
+        cookie_config:
+          protected_url: "{{ get_env(name="OAUTH_PROTECTED_URL") }}"
+        timeout_seconds: 600

config/test.yaml

@@ -42,33 +42,58 @@ workers:
   
 
 # Mailer Configuration.
+# Defaults keep the whole suite on the in-memory stub mailer. The real-SMTP
+# smoke test (tests/mailer/smtp_send.rs) opts in by setting these env vars
+# before boot; nothing else in the suite sends real mail.
 mailer:
-  stub: true
+  stub: {{ get_env(name="MAILER_STUB", default="true") }}
   # SMTP mailer configuration.
   smtp:
     # Enable/Disable smtp mailer.
-    enable: true
+    enable: {{ get_env(name="SMTP_ENABLE", default="true") }}
     # SMTP server host. e.x localhost, smtp.gmail.com
-    host: localhost
+    host: "{{ get_env(name="SMTP_HOST", default="localhost") }}"
     # SMTP server port
-    port: 1025
+    port: {{ get_env(name="SMTP_PORT", default="1025") }}
     # Use secure connection (SSL/TLS).
-    secure: false
+    secure: {{ get_env(name="SMTP_SECURE", default="false") }}
-    # auth:
+    auth:
-    #   user:
+      user: "{{ get_env(name="SMTP_USER", default="") }}"
-    #   password:
+      password: "{{ get_env(name="SMTP_PASSWORD", default="") }}"
 
 # Initializers Configuration
-# initializers:
+# OAuth2StoreInitializer requires this block to boot (it builds the client store
-#  oauth2:
+# in after_routes). Static, non-secret placeholders: tests never perform a real
-#    authorization_code: # Authorization code grant type
+# OAuth2 handshake, they just need the store to construct successfully.
-#      - client_identifier: google # Identifier for the OAuth2 provider. Replace 'google' with your provider's name if different, must be unique within the oauth2 config.
+initializers:
-#        ... other fields
+  oauth2:
+    # Private-cookie key: a ", "-separated list of >=64 byte values (not a
+    # plain string). This is loco-oauth2's documented sample key; fine for tests.
+    secret_key: "144, 76, 183, 1, 15, 184, 233, 174, 214, 251, 190, 186, 122, 61, 74, 84, 225, 110, 189, 115, 10, 251, 133, 128, 52, 46, 15, 66, 85, 1, 245, 73, 27, 113, 189, 15, 209, 205, 61, 100, 73, 31, 18, 58, 235, 105, 141, 36, 70, 92, 231, 151, 27, 32, 243, 117, 30, 244, 110, 89, 233, 196, 137, 130"
+    authorization_code:
+      - client_identifier: google
+        client_credentials:
+          client_id: test-client-id
+          client_secret: test-client-secret
+        url_config:
+          auth_url: https://accounts.google.com/o/oauth2/auth
+          token_url: https://www.googleapis.com/oauth2/v3/token
+          redirect_url: http://localhost:5150/api/oauth2/google/callback
+          profile_url: https://openidconnect.googleapis.com/v1/userinfo
+          scopes:
+            - https://www.googleapis.com/auth/userinfo.email
+            - https://www.googleapis.com/auth/userinfo.profile
+        cookie_config:
+          protected_url: http://localhost:5150/
+        timeout_seconds: 600
 
 # Database Configuration
 database:
-  # Database connection URI
+  # Database connection URI. Pinned to the throwaway test DB and intentionally
-  uri: {{ get_env(name="DATABASE_URL", default="postgres://uni_loco_web_user:3@localhost:5432/kompress_eshop_test") }}
+  # NOT read from `DATABASE_URL`: the app loads `.env` on boot (app.rs
+  # `load_config`), and this config has `dangerously_recreate: true`, so honoring
+  # an env override here would let `cargo test` recreate the dev/prod database.
+  uri: "postgres://uni_loco_web_user:3@localhost:5432/kompress_eshop_test"
   # When enabled, the sql query will be logged.
   enable_logging: false
   # Set the timeout duration when acquiring a connection.

docs/integrations/google-oauth.md

@@ -0,0 +1,104 @@
+# Google OAuth2 sign-in
+
+"Continue with Google" on `/login` and `/register` is wired through
+[`loco-oauth2`](https://github.com/yinho999/loco-oauth2). The code is complete
+and compiles; this doc is the checklist to make the live flow work. Until the
+credentials below are set, the button reaches Google and fails at the consent
+screen — the rest of auth (password login, registration, verification) is
+unaffected.
+
+## How the flow works (for context)
+
+1. User clicks **Continue with Google** → `GET /api/oauth2/google` redirects to
+   Google's consent screen.
+2. Google redirects back to `GET /api/oauth2/google/callback/cookie`.
+   loco-oauth2 exchanges the code, fetches the profile, upserts the user
+   (`OAuth2UserTrait::upsert_with_oauth`), stores an `o_auth2_sessions` row, sets
+   its own private session cookie, and redirects to `protected_url`.
+3. `protected_url` = `GET /api/oauth2/protected` (our bridge,
+   `controllers/oauth2.rs::complete`). It mints **our** `auth_token` JWT cookie
+   and redirects: admins (email == `ADMIN_EMAIL`) → `/admin/dashboard`,
+   everyone else → `/`.
+
+From there the user is a normal logged-in user (same JWT cookie as a password
+login; the Casbin layer and guards treat them identically).
+
+## 1. Create Google OAuth credentials
+
+1. Go to <https://console.cloud.google.com/> → create/select a project.
+2. **APIs & Services → OAuth consent screen**: configure it (External), add the
+   `.../auth/userinfo.email` and `.../auth/userinfo.profile` scopes, and add
+   your Google account as a **test user** while the app is in "Testing".
+3. **APIs & Services → Credentials → Create Credentials → OAuth client ID**:
+   - Application type: **Web application**.
+   - **Authorized redirect URIs** — add exactly (must match the config's
+     `redirect_url`, no trailing slash):
+     - dev: `http://localhost:5150/api/oauth2/google/callback/cookie`
+     - prod: `https://YOUR_DOMAIN/api/oauth2/google/callback/cookie`
+4. Copy the generated **Client ID** and **Client secret**.
+
+## 2. Set environment variables (`.env`)
+
+Read by `config/development.yaml` → `initializers.oauth2` (and the prod
+equivalent). dotenvy loads `.env` on boot.
+
+```bash
+# Required
+OAUTH_CLIENT_ID=xxxxxxxx.apps.googleusercontent.com
+OAUTH_CLIENT_SECRET=xxxxxxxx
+
+# Required in PRODUCTION (dev has working defaults)
+OAUTH_PRIVATE_KEY="comma,separated,bytes >= 64 long"   # key for loco-oauth2's private cookie jar
+OAUTH_REDIRECT_URL=https://YOUR_DOMAIN/api/oauth2/google/callback/cookie
+OAUTH_PROTECTED_URL=https://YOUR_DOMAIN/api/oauth2/protected
+```
+
+Notes:
+- **dev** ships defaults for everything except `OAUTH_CLIENT_ID` /
+  `OAUTH_CLIENT_SECRET`, so locally you only need those two.
+- `OAUTH_PRIVATE_KEY` must be ≥ 64 bytes (the dev default is a sample key — do
+  **not** reuse it in production). Generate a fresh one, e.g.
+  `python3 -c "import os;print(','.join(str(b) for b in os.urandom(64)))"`.
+- `OAUTH_REDIRECT_URL` here and the Authorized redirect URI in the Google
+  console must be byte-for-byte identical.
+
+## 3. Run / test
+
+```bash
+nix develop -c cargo loco start   # MUST be inside nix develop (OpenSSL link, see memory)
+```
+
+- `auto_migrate: true` (dev) creates the `o_auth2_sessions` table on boot.
+- Open `http://localhost:5150/login` → **Continue with Google** → consent →
+  you should land back on `/` logged in (cart/nav reflect the session).
+
+## 4. Production checklist
+
+- [ ] Separate OAuth client (or at least the prod redirect URI) in Google.
+- [ ] OAuth consent screen **published** (not just "Testing"), or real users
+      get blocked.
+- [ ] `OAUTH_PRIVATE_KEY` set to a fresh ≥64-byte key (not the dev sample).
+- [ ] `OAUTH_REDIRECT_URL` / `OAUTH_PROTECTED_URL` use the real `https://` origin.
+- [ ] `server.host` / public origin correct so cookies + redirects resolve.
+
+## Troubleshooting
+
+| Symptom | Cause / fix |
+|---|---|
+| `redirect_uri_mismatch` at Google | Authorized redirect URI ≠ `OAUTH_REDIRECT_URL`. Make them identical (scheme, host, port, path, no trailing slash). |
+| 403 / "access blocked: app not verified" | Add your account as a test user, or publish the consent screen. |
+| `openssl-sys ... Could not find directory` at build | You ran `cargo` outside the dev shell. Use `nix develop -c cargo ...`. |
+| Callback 500 / "could not create oauth2 store" | `initializers.oauth2` missing/invalid, or `OAUTH_PRIVATE_KEY` < 64 bytes. |
+| Logged into Google but not into the app | The bridge (`/api/oauth2/protected`) didn't run — check `protected_url` (`OAUTH_PROTECTED_URL`) points at it. |
+
+## Where things live
+
+- Config: `config/development.yaml` / `config/production.yaml` →
+  `initializers.oauth2`
+- Client store + session initializers: `src/initializers/oauth2.rs`,
+  `src/initializers/oauth2_session.rs`
+- Routes + bridge handler: `src/controllers/oauth2.rs`
+- User upsert (random password per advisory LOC-2025-04): `src/models/users.rs`
+  (`OAuth2UserTrait`)
+- Session table: `src/models/o_auth2_sessions.rs` +
+  `migration/.../m20260618_000001_o_auth2_sessions.rs`

flake.nix

@@ -86,7 +86,10 @@
             buildInputs = [
               rust
               pkgs.pkg-config
+              # OpenSSL for crypto dependencies (loco-oauth2 -> oauth2/reqwest
+              # use native-tls); .dev provides headers + pkg-config metadata.
               pkgs.openssl
+              pkgs.openssl.dev
               pkgs.cmake
               pkgs.llvmPackages.clang
               pkgs.llvmPackages.libclang.lib

migration/Cargo.toml

@@ -13,7 +13,7 @@ loco-rs = { workspace = true }
 
 
 [dependencies.sea-orm-migration]
-version = "1.1.0"
+version = "1.1.20"
 features = [
   # Enable at least one `ASYNC_RUNTIME` and `DATABASE_DRIVER` feature if you want to run migration via CLI.
   # View the list of supported features at https://www.sea-ql.org/SeaORM/docs/install-and-config/database-and-async-runtime.

migration/src/lib.rs

@@ -30,6 +30,10 @@ mod m20260616_160000_add_parent_to_categories;
 mod m20260617_000001_add_carrier_to_shipping_methods;
 mod m20260617_000002_add_shipment_to_orders;
 mod m20260617_000003_add_phone_to_orders;
+mod m20260618_000001_o_auth2_sessions;
+mod m20260618_000002_customer_profiles;
+mod m20260618_000003_account_type;
+mod m20260618_000004_account_ownership;
 pub struct Migrator;
 
 #[async_trait::async_trait]
@@ -64,6 +68,10 @@ impl MigratorTrait for Migrator {
             Box::new(m20260617_000001_add_carrier_to_shipping_methods::Migration),
             Box::new(m20260617_000002_add_shipment_to_orders::Migration),
             Box::new(m20260617_000003_add_phone_to_orders::Migration),
+            Box::new(m20260618_000001_o_auth2_sessions::Migration),
+            Box::new(m20260618_000002_customer_profiles::Migration),
+            Box::new(m20260618_000003_account_type::Migration),
+            Box::new(m20260618_000004_account_ownership::Migration),
             // inject-above (do not remove this comment)
         ]
     }

migration/src/m20260618_000001_o_auth2_sessions.rs

@@ -0,0 +1,29 @@
+use loco_rs::schema::*;
+use sea_orm_migration::prelude::*;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, m: &SchemaManager) -> Result<(), DbErr> {
+        // OAuth2 session store used by loco-oauth2 to correlate the provider's
+        // access token with a local user during the callback flow. `user` adds
+        // a user_id FK to the users table.
+        create_table(
+            m,
+            "o_auth2_sessions",
+            &[
+                ("id", ColType::PkAuto),
+                ("session_id", ColType::StringUniq),
+                ("expires_at", ColType::TimestampWithTimeZone),
+            ],
+            &[("user", "")],
+        )
+        .await
+    }
+
+    async fn down(&self, m: &SchemaManager) -> Result<(), DbErr> {
+        drop_table(m, "o_auth2_sessions").await
+    }
+}

migration/src/m20260618_000002_customer_profiles.rs

@@ -0,0 +1,44 @@
+use loco_rs::schema::*;
+use sea_orm_migration::prelude::*;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, m: &SchemaManager) -> Result<(), DbErr> {
+        // One shipping/contact profile per customer, used to prefill the
+        // checkout form. `name`/`email` already live on `users`; this table
+        // holds only the address + phone fields. `user` adds a user_id FK; the
+        // unique index below makes the relationship 1:1.
+        create_table(
+            m,
+            "customer_profiles",
+            &[
+                ("id", ColType::PkAuto),
+                ("phone_prefix", ColType::StringNull),
+                ("phone", ColType::StringNull),
+                ("address", ColType::StringNull),
+                ("city", ColType::StringNull),
+                ("zip", ColType::StringNull),
+                ("country", ColType::StringNull),
+            ],
+            &[("user", "")],
+        )
+        .await?;
+
+        m.create_index(
+            Index::create()
+                .name("idx_customer_profiles_user_id_unique")
+                .table(Alias::new("customer_profiles"))
+                .col(Alias::new("user_id"))
+                .unique()
+                .to_owned(),
+        )
+        .await
+    }
+
+    async fn down(&self, m: &SchemaManager) -> Result<(), DbErr> {
+        drop_table(m, "customer_profiles").await
+    }
+}

migration/src/m20260618_000003_account_type.rs

@@ -0,0 +1,39 @@
+use loco_rs::schema::*;
+use sea_orm_migration::prelude::*;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+// Personal vs company purchasing. `account_type` is "personal" or "company";
+// the company_* columns hold the Slovak invoicing identifiers (IČO, DIČ and the
+// optional VAT id IČ DPH) and are only filled for company accounts/orders.
+const COMPANY_COLUMNS: [&str; 4] = ["company_name", "company_id", "tax_id", "vat_id"];
+
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, m: &SchemaManager) -> Result<(), DbErr> {
+        for table in ["customer_profiles", "orders"] {
+            add_column(
+                m,
+                table,
+                "account_type",
+                ColType::StringWithDefault("personal".to_string()),
+            )
+            .await?;
+            for col in COMPANY_COLUMNS {
+                add_column(m, table, col, ColType::StringNull).await?;
+            }
+        }
+        Ok(())
+    }
+
+    async fn down(&self, m: &SchemaManager) -> Result<(), DbErr> {
+        for table in ["customer_profiles", "orders"] {
+            remove_column(m, table, "account_type").await?;
+            for col in COMPANY_COLUMNS {
+                remove_column(m, table, col).await?;
+            }
+        }
+        Ok(())
+    }
+}

migration/src/m20260618_000004_account_ownership.rs

@@ -0,0 +1,38 @@
+use loco_rs::schema::*;
+use sea_orm_migration::prelude::*;
+
+#[derive(DeriveMigrationName)]
+pub struct Migration;
+
+// Account type becomes a permanent property of the *user* (chosen at
+// registration, never switchable), so it moves off `customer_profiles`. Orders
+// gain a nullable `user_id` linking them to the account that placed them
+// (null for guest orders that didn't create an account).
+#[async_trait::async_trait]
+impl MigrationTrait for Migration {
+    async fn up(&self, m: &SchemaManager) -> Result<(), DbErr> {
+        add_column(
+            m,
+            "users",
+            "account_type",
+            ColType::StringWithDefault("personal".to_string()),
+        )
+        .await?;
+        add_column(m, "orders", "user_id", ColType::IntegerNull).await?;
+        remove_column(m, "customer_profiles", "account_type").await?;
+        Ok(())
+    }
+
+    async fn down(&self, m: &SchemaManager) -> Result<(), DbErr> {
+        add_column(
+            m,
+            "customer_profiles",
+            "account_type",
+            ColType::StringWithDefault("personal".to_string()),
+        )
+        .await?;
+        remove_column(m, "orders", "user_id").await?;
+        remove_column(m, "users", "account_type").await?;
+        Ok(())
+    }
+}

src/app.rs

@@ -17,8 +17,9 @@ use std::{path::Path, sync::Arc};
 #[allow(unused_imports)]
 use crate::{
     controllers::{
-        admin_categories, admin_dashboard, admin_form, admin_login, admin_orders,
+        account, admin_categories, admin_dashboard, admin_form, admin_orders,
-        admin_products, admin_shipping, auth, cart, checkout, home, i18n, media, shop,
+        admin_products, admin_shipping, auth, auth_pages, cart, checkout, home, i18n, media, oauth2,
+        shop,
     },
     initializers,
     models::_entities::users,
@@ -56,11 +57,27 @@ impl Hooks for App {
         environment.load()
     }
 
+    /// Attach the Casbin authorization layer on top of all routes. Order
+    /// matters: `inject_subject` is the outermost layer so it runs first and
+    /// stamps the JWT-derived role onto the request before the inner
+    /// `CasbinAxumLayer` enforces the policy. See `shared::rbac`.
+    async fn after_routes(router: axum::Router, ctx: &AppContext) -> Result<axum::Router> {
+        let casbin = crate::shared::rbac::layer().await?;
+        Ok(router
+            .layer(casbin)
+            .layer(axum::middleware::from_fn_with_state(
+                ctx.clone(),
+                crate::shared::rbac::inject_subject,
+            )))
+    }
+
     async fn initializers(_ctx: &AppContext) -> Result<Vec<Box<dyn Initializer>>> {
         Ok(vec![
             Box::new(initializers::view_engine::ViewEngineInitializer),
             Box::new(initializers::admin_seeder::AdminSeeder),
             Box::new(initializers::shipping_seeder::ShippingSeeder),
+            Box::new(initializers::oauth2::OAuth2StoreInitializer),
+            Box::new(initializers::oauth2_session::OAuth2SessionInitializer),
         ])
     }
 
@@ -73,11 +90,13 @@ impl Hooks for App {
             .add_route(checkout::routes())
             // cross-cutting
             .add_route(auth::routes())
+            .add_route(auth_pages::routes())
+            .add_route(account::routes())
+            .add_route(oauth2::routes())
             .add_route(i18n::routes())
             .add_route(media::routes())
             // admin
             .add_route(admin_dashboard::routes())
-            .add_route(admin_login::routes())
             .add_route(admin_products::routes())
             .add_route(admin_categories::routes())
             .add_route(admin_orders::routes())

src/controllers/account.rs

@@ -0,0 +1,200 @@
+//! Customer account area. Currently just the shipping/contact profile, whose
+//! fields prefill the checkout form. Gated to authenticated non-admin users:
+//! anonymous visitors are bounced to `/login`. Admins have their own area and
+//! are sent to the dashboard.
+//!
+//! The account *type* (personal vs company) is fixed at registration and lives
+//! on the user — it is shown here read-only and can never be changed. The
+//! profile only edits the type-specific details (company identity + address).
+
+use axum_extra::extract::cookie::CookieJar;
+use loco_rs::prelude::*;
+use serde::Deserialize;
+use serde_json::json;
+
+use crate::{
+    controllers::i18n::current_lang,
+    models::{
+        customer_profiles::{self, ProfileFields},
+        users,
+    },
+    shared::guard,
+};
+
+#[derive(Debug, Deserialize)]
+struct ProfileForm {
+    first_name: Option<String>,
+    last_name: Option<String>,
+    company_name: Option<String>,
+    company_id: Option<String>,
+    tax_id: Option<String>,
+    vat_id: Option<String>,
+    phone_prefix: Option<String>,
+    phone: Option<String>,
+    address: Option<String>,
+    city: Option<String>,
+    zip: Option<String>,
+    country: Option<String>,
+}
+
+fn trimmed(value: Option<&str>) -> Option<String> {
+    value.map(str::trim).filter(|v| !v.is_empty()).map(String::from)
+}
+
+/// Split a stored full name into (first name, surname). The surname is
+/// everything after the first whitespace, so multi-word surnames round-trip.
+fn split_name(name: &str) -> (String, String) {
+    match name.trim().split_once(char::is_whitespace) {
+        Some((first, rest)) => (first.to_string(), rest.trim().to_string()),
+        None => (name.trim().to_string(), String::new()),
+    }
+}
+
+/// Recombine the two name fields into the single stored `name`. Returns `None`
+/// when the result is too short to be a valid name (the user can't blank it out).
+fn full_name_from_form(form: &ProfileForm) -> Option<String> {
+    let first = form.first_name.as_deref().unwrap_or("").trim();
+    let last = form.last_name.as_deref().unwrap_or("").trim();
+    let full = format!("{first} {last}").trim().to_string();
+    (full.chars().count() >= 2).then_some(full)
+}
+
+/// Build the persisted fields from the submitted form. Company identifiers are
+/// only kept for company accounts (a personal account can never carry them).
+fn fields_from_form(form: &ProfileForm, is_company: bool) -> ProfileFields {
+    let company = |v: Option<&str>| if is_company { trimmed(v) } else { None };
+    ProfileFields {
+        company_name: company(form.company_name.as_deref()),
+        company_id: company(form.company_id.as_deref()),
+        tax_id: company(form.tax_id.as_deref()),
+        vat_id: company(form.vat_id.as_deref()),
+        phone_prefix: trimmed(form.phone_prefix.as_deref()),
+        phone: trimmed(form.phone.as_deref()),
+        address: trimmed(form.address.as_deref()),
+        city: trimmed(form.city.as_deref()),
+        zip: trimmed(form.zip.as_deref()),
+        country: trimmed(form.country.as_deref()),
+    }
+}
+
+/// The profile fields held by a saved profile, for re-prefilling the form.
+fn fields_of(profile: Option<&customer_profiles::Model>) -> ProfileFields {
+    match profile {
+        Some(p) => ProfileFields {
+            company_name: p.company_name.clone(),
+            company_id: p.company_id.clone(),
+            tax_id: p.tax_id.clone(),
+            vat_id: p.vat_id.clone(),
+            phone_prefix: p.phone_prefix.clone(),
+            phone: p.phone.clone(),
+            address: p.address.clone(),
+            city: p.city.clone(),
+            zip: p.zip.clone(),
+            country: p.country.clone(),
+        },
+        None => ProfileFields::default(),
+    }
+}
+
+/// A company account must carry its invoicing identity (company name + IČO +
+/// DIČ; IČ DPH stays optional). Personal accounts have no such requirement.
+fn company_fields_missing(fields: &ProfileFields) -> bool {
+    fields.company_name.is_none() || fields.company_id.is_none() || fields.tax_id.is_none()
+}
+
+/// Render the profile form for `user`, prefilled from `fields`. `saved` shows
+/// the success banner; `error` shows the company-required validation message.
+fn profile_view(
+    v: &TeraView,
+    jar: &CookieJar,
+    user: &users::Model,
+    fields: &ProfileFields,
+    saved: bool,
+    error: bool,
+) -> Result<Response> {
+    let (first_name, last_name) = split_name(&user.name);
+    format::view(
+        v,
+        "account/profile.html",
+        json!({
+            "logged_in_admin": false,
+            "logged_in_customer": true,
+            "saved": saved,
+            "error": error,
+            "name": user.name,
+            "first_name": first_name,
+            "last_name": last_name,
+            "email": user.email,
+            "account_type": user.account_type,
+            "company_name": fields.company_name,
+            "company_id": fields.company_id,
+            "tax_id": fields.tax_id,
+            "vat_id": fields.vat_id,
+            "phone_prefix": fields.phone_prefix,
+            "phone": fields.phone,
+            "address": fields.address,
+            "city": fields.city,
+            "zip": fields.zip,
+            "country": fields.country,
+            "lang": current_lang(jar),
+        }),
+    )
+}
+
+#[debug_handler]
+async fn profile_page(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+) -> Result<Response> {
+    let Some(user) = guard::current_user(&ctx, &jar).await else {
+        return format::redirect("/login");
+    };
+    if guard::is_admin(&ctx, &user) {
+        return format::redirect("/admin/dashboard");
+    }
+    let profile = customer_profiles::Model::find_for_user(&ctx.db, user.id).await?;
+    profile_view(&v, &jar, &user, &fields_of(profile.as_ref()), false, false)
+}
+
+#[debug_handler]
+async fn save_profile(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+    Form(form): Form<ProfileForm>,
+) -> Result<Response> {
+    let Some(user) = guard::current_user(&ctx, &jar).await else {
+        return format::redirect("/login");
+    };
+    if guard::is_admin(&ctx, &user) {
+        return format::redirect("/admin/dashboard");
+    }
+    // Apply the edited name to a working copy so it's reflected on both the
+    // success and re-rendered-error views. A blank/too-short name is ignored —
+    // the field can't be cleared.
+    let mut user = user;
+    let new_name = full_name_from_form(&form).filter(|n| *n != user.name);
+    if let Some(name) = new_name.clone() {
+        user.name = name;
+    }
+    let fields = fields_from_form(&form, user.is_company());
+    // A company account's profile is rejected (and re-shown with the entered
+    // values) until it carries its required identifiers.
+    if user.is_company() && company_fields_missing(&fields) {
+        return profile_view(&v, &jar, &user, &fields, false, true);
+    }
+    if let Some(name) = new_name {
+        let mut active = user.clone().into_active_model();
+        active.name = ActiveValue::set(name);
+        active.update(&ctx.db).await?;
+    }
+    customer_profiles::Model::upsert(&ctx.db, user.id, fields.clone()).await?;
+    profile_view(&v, &jar, &user, &fields, true, false)
+}
+
+pub fn routes() -> Routes {
+    Routes::new()
+        .add("/account/profile", get(profile_page))
+        .add("/account/profile", post(save_profile))
+}

src/controllers/admin_login.rs

@@ -1,86 +0,0 @@
-//! Cookie-based admin login/logout pages (separate from the JSON `/api/auth`
-//! flow used by the SPA/API).
-
-use axum_extra::extract::cookie::CookieJar;
-use loco_rs::prelude::*;
-use serde_json::json;
-
-use crate::{
-    controllers::auth as auth_controller,
-    models::users::{self, LoginParams},
-    controllers::i18n::current_lang,
-    shared::guard,
-};
-
-fn login_error(v: &TeraView, jar: &CookieJar) -> Result<Response> {
-    format::view(
-        v,
-        "admin/login.html",
-        json!({
-            "error": "Invalid credentials",
-            "logged_in_admin": false,
-            "lang": current_lang(jar),
-        }),
-    )
-}
-
-#[debug_handler]
-async fn login_page(
-    jar: CookieJar,
-    ViewEngine(v): ViewEngine<TeraView>,
-    State(ctx): State<AppContext>,
-) -> Result<Response> {
-    if guard::logged_in(&ctx, &jar).await {
-        return format::redirect("/admin/dashboard");
-    }
-
-    format::view(
-        &v,
-        "admin/login.html",
-        json!({
-            "error": null,
-            "logged_in_admin": false,
-            "lang": current_lang(&jar),
-        }),
-    )
-}
-
-#[debug_handler]
-async fn login(
-    jar: CookieJar,
-    ViewEngine(v): ViewEngine<TeraView>,
-    State(ctx): State<AppContext>,
-    Form(params): Form<LoginParams>,
-) -> Result<Response> {
-    let Ok(user) = users::Model::find_by_email(&ctx.db, &params.email).await else {
-        return login_error(&v, &jar);
-    };
-
-    if !user.verify_password(&params.password) || !guard::is_admin(&ctx, &user) {
-        return login_error(&v, &jar);
-    }
-
-    let jwt_secret = ctx.config.get_jwt_config()?;
-    let token = user
-        .generate_jwt(&jwt_secret.secret, jwt_secret.expiration)
-        .or_else(|_| unauthorized("unauthorized!"))?;
-
-    format::render()
-        .cookies(&[auth_controller::auth_cookie(&token, jwt_secret.expiration)])?
-        .redirect("/admin/dashboard")
-}
-
-#[debug_handler]
-async fn logout() -> Result<Response> {
-    format::render()
-        .cookies(&[auth_controller::clear_auth_cookie()])?
-        .redirect("/admin/login")
-}
-
-pub fn routes() -> Routes {
-    Routes::new()
-        .add("/admin", get(login_page))
-        .add("/admin/login", get(login_page))
-        .add("/admin/login", post(login))
-        .add("/admin/logout", post(logout))
-}

src/controllers/auth_pages.rs

@@ -0,0 +1,378 @@
+//! Cookie-based HTML auth pages (login, registration, email verification) for
+//! all users. There is no role column — an "admin" is simply the user whose
+//! email matches `settings.admin_email` (see [`guard::is_admin`]). On login,
+//! admins are redirected to the admin dashboard and everyone else to the
+//! storefront; both share the same `auth_token` cookie that the admin handlers
+//! already validate. This is the unified replacement for the former
+//! admin-only `/admin/login`. The JSON `/api/auth` flow in `auth.rs` is
+//! separate and untouched.
+
+use axum_extra::extract::cookie::CookieJar;
+use loco_rs::prelude::*;
+use serde_json::json;
+
+use crate::{
+    controllers::auth as auth_controller,
+    controllers::i18n::current_lang,
+    mailers::auth::AuthMailer,
+    models::users::{self, LoginParams, RegisterParams},
+    shared::guard,
+};
+
+/// Where a freshly-authenticated `user` should land.
+fn home_for(ctx: &AppContext, user: &users::Model) -> &'static str {
+    if guard::is_admin(ctx, user) {
+        "/admin/dashboard"
+    } else {
+        "/"
+    }
+}
+
+fn login_view(v: &TeraView, jar: &CookieJar, error: Option<&str>) -> Result<Response> {
+    format::view(
+        v,
+        "auth/login.html",
+        json!({
+            "error": error,
+            "logged_in_admin": false,
+            "lang": current_lang(jar),
+        }),
+    )
+}
+
+fn register_view(v: &TeraView, jar: &CookieJar, error: Option<&str>) -> Result<Response> {
+    format::view(
+        v,
+        "auth/register.html",
+        json!({
+            "error": error,
+            "logged_in_admin": false,
+            "lang": current_lang(jar),
+        }),
+    )
+}
+
+#[debug_handler]
+async fn login_page(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+) -> Result<Response> {
+    if let Some(user) = guard::current_user(&ctx, &jar).await {
+        return format::redirect(home_for(&ctx, &user));
+    }
+    login_view(&v, &jar, None)
+}
+
+#[debug_handler]
+async fn login(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+    Form(params): Form<LoginParams>,
+) -> Result<Response> {
+    let Ok(user) = users::Model::find_by_email(&ctx.db, &params.email).await else {
+        return login_view(&v, &jar, Some("invalid"));
+    };
+
+    if !user.verify_password(&params.password) {
+        return login_view(&v, &jar, Some("invalid"));
+    }
+
+    // Registration requires email verification before the account can sign in.
+    if user.email_verified_at.is_none() {
+        return login_view(&v, &jar, Some("unverified"));
+    }
+
+    let jwt_secret = ctx.config.get_jwt_config()?;
+    let token = user
+        .generate_jwt(&jwt_secret.secret, jwt_secret.expiration)
+        .or_else(|_| unauthorized("unauthorized!"))?;
+
+    format::render()
+        .cookies(&[auth_controller::auth_cookie(&token, jwt_secret.expiration)])?
+        .redirect(home_for(&ctx, &user))
+}
+
+#[debug_handler]
+async fn register_page(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+) -> Result<Response> {
+    if let Some(user) = guard::current_user(&ctx, &jar).await {
+        return format::redirect(home_for(&ctx, &user));
+    }
+    register_view(&v, &jar, None)
+}
+
+/// Registration form. The name is no longer collected from the user — it is
+/// derived from the email — and the password is entered twice to guard against
+/// typos.
+#[derive(Debug, serde::Deserialize)]
+struct RegisterForm {
+    email: String,
+    password: String,
+    password_confirm: String,
+    #[serde(default)]
+    account_type: Option<String>,
+}
+
+/// Derive a display name from an email address (its local part), falling back to
+/// the full address when the local part is too short for the name validator.
+fn name_from_email(email: &str) -> String {
+    let local = email.split('@').next().unwrap_or("").trim();
+    if local.chars().count() >= 2 {
+        local.to_string()
+    } else {
+        email.trim().to_string()
+    }
+}
+
+#[debug_handler]
+async fn register(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+    Form(form): Form<RegisterForm>,
+) -> Result<Response> {
+    if form.password != form.password_confirm {
+        return register_view(&v, &jar, Some("mismatch"));
+    }
+    if form.password.len() < 8 {
+        return register_view(&v, &jar, Some("weak"));
+    }
+
+    let params = RegisterParams {
+        name: name_from_email(&form.email),
+        email: form.email,
+        password: form.password,
+        account_type: form.account_type,
+    };
+
+    let user = match users::Model::create_with_password(&ctx.db, &params).await {
+        Ok(user) => user,
+        Err(ModelError::EntityAlreadyExists {}) => {
+            return register_view(&v, &jar, Some("exists"));
+        }
+        Err(err) => {
+            // Most commonly a validation failure (name too short / invalid email).
+            tracing::info!(
+                message = err.to_string(),
+                user_email = &params.email,
+                "could not register user",
+            );
+            return register_view(&v, &jar, Some("invalid"));
+        }
+    };
+
+    let user = user
+        .into_active_model()
+        .set_email_verification_sent(&ctx.db)
+        .await?;
+
+    // The account already exists; a failed email send shouldn't 500 the page —
+    // log it and let the user fall back to resend-verification.
+    if let Err(err) = AuthMailer::send_welcome(&ctx, &user).await {
+        tracing::error!(
+            error = err.to_string(),
+            user_email = &user.email,
+            "failed to send verification email",
+        );
+    }
+
+    format::view(
+        &v,
+        "auth/verify_sent.html",
+        json!({
+            "email": user.email,
+            "logged_in_admin": false,
+            "lang": current_lang(&jar),
+        }),
+    )
+}
+
+#[debug_handler]
+async fn verify(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+    Path(token): Path<String>,
+) -> Result<Response> {
+    let Ok(user) = users::Model::find_by_verification_token(&ctx.db, &token).await else {
+        return verified_view(&v, &jar, false);
+    };
+
+    if user.email_verified_at.is_none() {
+        user.into_active_model().verified(&ctx.db).await?;
+    }
+
+    verified_view(&v, &jar, true)
+}
+
+fn verified_view(v: &TeraView, jar: &CookieJar, ok: bool) -> Result<Response> {
+    format::view(
+        v,
+        "auth/verified.html",
+        json!({
+            "ok": ok,
+            "logged_in_admin": false,
+            "lang": current_lang(jar),
+        }),
+    )
+}
+
+/// Resend the email-verification link. Throttled per account (see
+/// [`users::Model::verification_resend_wait_secs`]) so it can't be used to spam
+/// an inbox, and always returns the same neutral message so it can't be used to
+/// probe which addresses are registered.
+#[derive(Debug, serde::Deserialize)]
+struct ResendVerificationForm {
+    email: String,
+}
+
+fn resend_verification_view(v: &TeraView, jar: &CookieJar, done: bool) -> Result<Response> {
+    format::view(
+        v,
+        "auth/resend_verification.html",
+        json!({
+            "done": done,
+            "logged_in_admin": false,
+            "lang": current_lang(jar),
+        }),
+    )
+}
+
+#[debug_handler]
+async fn resend_verification_page(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+) -> Result<Response> {
+    resend_verification_view(&v, &jar, false)
+}
+
+#[debug_handler]
+async fn resend_verification(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+    Form(form): Form<ResendVerificationForm>,
+) -> Result<Response> {
+    // Resend only for a real, still-unverified account that is past its cooldown.
+    // Anything else (unknown email, already verified, too soon) silently does
+    // nothing — the response is identical either way.
+    if let Ok(user) = users::Model::find_by_email(&ctx.db, form.email.trim()).await {
+        if user.email_verified_at.is_none() && user.verification_resend_wait_secs() == 0 {
+            match user.into_active_model().set_email_verification_sent(&ctx.db).await {
+                Ok(user) => {
+                    if let Err(err) = AuthMailer::send_welcome(&ctx, &user).await {
+                        tracing::error!(error = %err, "failed to resend verification email");
+                    }
+                }
+                Err(err) => tracing::error!(error = %err, "failed to refresh verification token"),
+            }
+        } else {
+            tracing::info!("verification resend skipped (already verified or within cooldown)");
+        }
+    }
+    resend_verification_view(&v, &jar, true)
+}
+
+/// Set-password form for accounts created during checkout (and any account that
+/// has a valid reset token). Reuses the password-reset token machinery.
+#[derive(Debug, serde::Deserialize)]
+struct SetPasswordForm {
+    token: String,
+    password: String,
+    password_confirm: String,
+}
+
+fn set_password_view(
+    v: &TeraView,
+    jar: &CookieJar,
+    token: &str,
+    valid: bool,
+    error: Option<&str>,
+) -> Result<Response> {
+    format::view(
+        v,
+        "auth/set_password.html",
+        json!({
+            "token": token,
+            "valid": valid,
+            "error": error,
+            "logged_in_admin": false,
+            "lang": current_lang(jar),
+        }),
+    )
+}
+
+#[debug_handler]
+async fn set_password_page(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+    Path(token): Path<String>,
+) -> Result<Response> {
+    let valid = users::Model::find_by_reset_token(&ctx.db, &token).await.is_ok();
+    set_password_view(&v, &jar, &token, valid, None)
+}
+
+#[debug_handler]
+async fn set_password(
+    jar: CookieJar,
+    ViewEngine(v): ViewEngine<TeraView>,
+    State(ctx): State<AppContext>,
+    Form(form): Form<SetPasswordForm>,
+) -> Result<Response> {
+    let Ok(user) = users::Model::find_by_reset_token(&ctx.db, &form.token).await else {
+        return set_password_view(&v, &jar, &form.token, false, None);
+    };
+    if form.password != form.password_confirm {
+        return set_password_view(&v, &jar, &form.token, true, Some("mismatch"));
+    }
+    if form.password.len() < 8 {
+        return set_password_view(&v, &jar, &form.token, true, Some("weak"));
+    }
+    // Setting the password through an emailed link also proves email ownership,
+    // so the account is marked verified here.
+    let user = user.into_active_model().reset_password(&ctx.db, &form.password).await?;
+    if user.email_verified_at.is_none() {
+        user.into_active_model().verified(&ctx.db).await?;
+    }
+    format::redirect("/login")
+}
+
+#[debug_handler]
+async fn logout() -> Result<Response> {
+    format::render()
+        .cookies(&[auth_controller::clear_auth_cookie()])?
+        .redirect("/login")
+}
+
+/// Backwards-compatible entry point: `/admin` sends admins to their dashboard
+/// and everyone else to the unified login.
+#[debug_handler]
+async fn admin_entry(jar: CookieJar, State(ctx): State<AppContext>) -> Result<Response> {
+    if let Some(user) = guard::current_user(&ctx, &jar).await {
+        if guard::is_admin(&ctx, &user) {
+            return format::redirect("/admin/dashboard");
+        }
+    }
+    format::redirect("/login")
+}
+
+pub fn routes() -> Routes {
+    Routes::new()
+        .add("/login", get(login_page))
+        .add("/login", post(login))
+        .add("/register", get(register_page))
+        .add("/register", post(register))
+        .add("/verify/{token}", get(verify))
+        .add("/resend-verification", get(resend_verification_page))
+        .add("/resend-verification", post(resend_verification))
+        .add("/set-password/{token}", get(set_password_page))
+        .add("/set-password", post(set_password))
+        .add("/logout", post(logout))
+        .add("/admin", get(admin_entry))
+}

src/controllers/cart.rs

@@ -1,4 +1,4 @@
-use crate::{controllers::i18n::current_lang, shared::money::format_price, models::products};
+use crate::{controllers::i18n::current_lang, shared::{guard, money::format_price}, models::products};
 use axum::{
     http::{HeaderMap, StatusCode},
     response::Redirect,
@@ -234,6 +234,7 @@ async fn show(
 
     // Drop any now-invalid lines from the cookie so the badge stays accurate.
     let rebuilt = serialize_cart(&valid);
+    let (logged_in_admin, logged_in_customer) = guard::chrome(&ctx, &jar).await;
     let response = format::view(
         &v,
         "shop/cart.html",
@@ -241,6 +242,8 @@ async fn show(
             "items": lines,
             "total": format_price(total),
             "currency": currency,
+            "logged_in_admin": logged_in_admin,
+            "logged_in_customer": logged_in_customer,
             "lang": current_lang(&jar),
         }),
     )?;

src/controllers/checkout.rs

@@ -1,6 +1,7 @@
 //! Public checkout flow: the checkout form, placing an order, and the order
 //! confirmation page.
 
+use axum::extract::Query;
 use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite};
 use loco_rs::prelude::*;
 use sea_orm::{ColumnTrait, EntityTrait, QueryFilter, QueryOrder};
@@ -10,9 +11,14 @@ use time::Duration as TimeDuration;
 
 use crate::{
     controllers::cart::{resolve_cart, CART_COOKIE},
-    models::{order_items, orders, shipping_methods},
+    mailers::auth::AuthMailer,
+    models::{
+        customer_profiles::{self, ProfileFields},
+        order_items, orders, shipping_methods,
+        users::{self, normalize_account_type},
+    },
     controllers::i18n::current_lang,
-    shared::{money::format_price, settings},
+    shared::{guard, money::format_price, settings},
     views::checkout as view,
 };
 
@@ -24,6 +30,11 @@ struct CheckoutForm {
     phone_prefix: String,
     phone: String,
     customer_name: String,
+    account_type: Option<String>,
+    company_name: Option<String>,
+    company_id: Option<String>,
+    tax_id: Option<String>,
+    vat_id: Option<String>,
     address: String,
     city: String,
     zip: String,
@@ -33,6 +44,10 @@ struct CheckoutForm {
     carrier_code: String,
     pickup_point_id: Option<String>,
     pickup_point_name: Option<String>,
+    // Present (as "on") only when a logged-in customer ticks "save my address".
+    save_profile: Option<String>,
+    // Present only when a guest ticks "create an account from this order".
+    create_account: Option<String>,
 }
 
 fn trimmed(value: &str) -> Option<String> {
@@ -86,6 +101,25 @@ async fn checkout_page(
         })
         .collect();
 
+    // Prefill the form for a logged-in customer: contact name/email come from
+    // the user account, the address/phone from their saved profile (if any).
+    let user = guard::current_user(&ctx, &jar).await;
+    let is_admin = user.as_ref().is_some_and(|u| guard::is_admin(&ctx, u));
+    let is_customer = user.is_some() && !is_admin;
+    let profile = match (&user, is_customer) {
+        (Some(u), true) => customer_profiles::Model::find_for_user(&ctx.db, u.id).await?,
+        _ => None,
+    };
+    let p = |get: fn(&customer_profiles::Model) -> Option<String>| {
+        profile.as_ref().and_then(get)
+    };
+    // Whether the customer already has a shipping address on file. When they do,
+    // the "save this address to my profile" opt-in is pointless (the profile was
+    // filled in advance), so it's hidden and the existing profile is left alone.
+    let profile_filled = profile
+        .as_ref()
+        .is_some_and(|pr| pr.address.is_some() && pr.city.is_some() && pr.zip.is_some());
+
     format::view(
         &v,
         "shop/checkout.html",
@@ -96,6 +130,26 @@ async fn checkout_page(
             "currency": currency,
             "shipping_methods": methods,
             "packeta_api_key": settings::get(&ctx, "packeta_api_key").unwrap_or(""),
+            "logged_in_admin": is_admin,
+            "logged_in_customer": is_customer,
+            "profile_filled": profile_filled,
+            // A logged-in customer's account type is fixed; only guests pick it
+            // and may opt to create an account from the order.
+            "account_fixed": is_customer,
+            "can_create_account": user.is_none(),
+            "prefill_email": user.as_ref().filter(|_| is_customer).map(|u| u.email.clone()),
+            "prefill_name": user.as_ref().filter(|_| is_customer).map(|u| u.name.clone()),
+            "prefill_account_type": user.as_ref().filter(|_| is_customer).map_or("personal", |u| u.account_type.as_str()),
+            "prefill_company_name": p(|x| x.company_name.clone()),
+            "prefill_company_id": p(|x| x.company_id.clone()),
+            "prefill_tax_id": p(|x| x.tax_id.clone()),
+            "prefill_vat_id": p(|x| x.vat_id.clone()),
+            "prefill_phone_prefix": p(|x| x.phone_prefix.clone()),
+            "prefill_phone": p(|x| x.phone.clone()),
+            "prefill_address": p(|x| x.address.clone()),
+            "prefill_city": p(|x| x.city.clone()),
+            "prefill_zip": p(|x| x.zip.clone()),
+            "prefill_country": p(|x| x.country.clone()),
             "lang": current_lang(&jar),
         }),
     )
@@ -119,7 +173,7 @@ async fn place_order(
         trimmed(&form.phone).ok_or_else(|| Error::BadRequest("phone is required".to_string()))?;
     let phone = match trimmed(&form.phone_prefix) {
         Some(prefix) => format!("{prefix} {number}"),
-        None => number,
+        None => number.clone(),
     };
 
     // Contact and shipping-address fields are mandatory (also enforced in the
@@ -133,6 +187,31 @@ async fn place_order(
     let zip = require(&form.zip, "zip")?;
     let country = require(&form.country, "country")?;
 
+    // The account type is fixed for a logged-in customer (taken from their
+    // account, never the form); a guest picks it on the form. Admins are treated
+    // as guests here.
+    let current_user = guard::current_user(&ctx, &jar).await;
+    let logged_in_customer = current_user
+        .as_ref()
+        .filter(|u| !guard::is_admin(&ctx, u));
+    let account_type = match logged_in_customer {
+        Some(u) => u.account_type.clone(),
+        None => normalize_account_type(form.account_type.as_deref()),
+    };
+
+    // Company purchases must carry the invoicing identifiers (IČO + DIČ
+    // required, IČ DPH optional). Personal orders carry none.
+    let (company_name, company_id, tax_id, vat_id) = if account_type == "company" {
+        (
+            Some(require(form.company_name.as_deref().unwrap_or(""), "company name")?),
+            Some(require(form.company_id.as_deref().unwrap_or(""), "IČO")?),
+            Some(require(form.tax_id.as_deref().unwrap_or(""), "DIČ")?),
+            form.vat_id.as_deref().and_then(trimmed),
+        )
+    } else {
+        (None, None, None, None)
+    };
+
     if !PAYMENT_METHODS.contains(&form.payment_method.as_str()) {
         return Err(Error::BadRequest("invalid payment method".to_string()));
     }
@@ -157,6 +236,74 @@ async fn place_order(
         (None, None)
     };
 
+    // The address/contact captured here, ready to seed a profile (for the
+    // logged-in "save my address" opt-in or a freshly created guest account).
+    let entered_profile = || ProfileFields {
+        company_name: company_name.clone(),
+        company_id: company_id.clone(),
+        tax_id: tax_id.clone(),
+        vat_id: vat_id.clone(),
+        phone_prefix: trimmed(&form.phone_prefix),
+        phone: Some(number.clone()),
+        address: Some(address.clone()),
+        city: Some(city.clone()),
+        zip: Some(zip.clone()),
+        country: Some(country.clone()),
+    };
+
+    // Resolve the account that will own this order. A logged-in customer always
+    // owns their orders. A guest may opt to create an account from the order;
+    // the new account's type matches what they bought as, its profile is seeded
+    // from the entered details, and a "set your password" link is emailed. If
+    // the email already belongs to an account we silently fall back to a guest
+    // order (no hijacking an existing account).
+    let mut order_user_id = logged_in_customer.map(|u| u.id);
+    let mut account_created = false;
+    if order_user_id.is_none() && form.create_account.is_some() {
+        match users::Model::create_guest_account(&ctx.db, &email, &customer_name, &account_type)
+            .await
+        {
+            Ok(new_user) => {
+                if let Err(err) =
+                    customer_profiles::Model::upsert(&ctx.db, new_user.id, entered_profile()).await
+                {
+                    tracing::error!(error = %err, user_id = new_user.id, "failed to seed guest profile");
+                }
+                let user_id = new_user.id;
+                match new_user.into_active_model().set_forgot_password_sent(&ctx.db).await {
+                    Ok(user) => {
+                        if let Err(err) = AuthMailer::send_set_password(&ctx, &user).await {
+                            tracing::error!(error = %err, "failed to send set-password email");
+                        }
+                        order_user_id = Some(user_id);
+                        account_created = true;
+                    }
+                    Err(err) => {
+                        tracing::error!(error = %err, "failed to issue set-password token");
+                        order_user_id = Some(user_id);
+                    }
+                }
+            }
+            Err(ModelError::EntityAlreadyExists {}) => {
+                tracing::info!(email = %email, "checkout account-create skipped: email already registered");
+            }
+            Err(err) => tracing::error!(error = %err, "failed to create checkout account"),
+        }
+    }
+
+    // If a logged-in customer opted in, persist this address to their profile so
+    // the next checkout is prefilled. Best-effort: a failure here is logged but
+    // must not block the order.
+    if form.save_profile.is_some() {
+        if let Some(user) = logged_in_customer {
+            if let Err(err) =
+                customer_profiles::Model::upsert(&ctx.db, user.id, entered_profile()).await
+            {
+                tracing::error!(error = %err, user_id = user.id, "failed to save checkout profile");
+            }
+        }
+    }
+
     let order = orders::place(
         &ctx,
         &valid,
@@ -164,6 +311,12 @@ async fn place_order(
             email,
             phone,
             customer_name: Some(customer_name),
+            user_id: order_user_id,
+            account_type,
+            company_name,
+            company_id,
+            tax_id,
+            vat_id,
             address: Some(address),
             city: Some(city),
             zip: Some(zip),
@@ -177,9 +330,14 @@ async fn place_order(
     )
     .await?;
 
+    let target = if account_created {
+        format!("/orders/{}?account_created=1", order.order_number)
+    } else {
+        format!("/orders/{}", order.order_number)
+    };
     format::render()
         .cookies(&[cleared_cart_cookie()])?
-        .redirect(&format!("/orders/{}", order.order_number))
+        .redirect(&target)
 }
 
 #[debug_handler]
@@ -187,6 +345,7 @@ async fn order_confirmation(
     jar: CookieJar,
     ViewEngine(v): ViewEngine<TeraView>,
     Path(order_number): Path<String>,
+    Query(params): Query<std::collections::HashMap<String, String>>,
     State(ctx): State<AppContext>,
 ) -> Result<Response> {
     let order = orders::Entity::find()
@@ -198,6 +357,8 @@ async fn order_confirmation(
         .filter(order_items::Column::OrderId.eq(order.id))
         .all(&ctx.db)
         .await?;
+    let (logged_in_admin, logged_in_customer) = guard::chrome(&ctx, &jar).await;
+    let account_created = params.contains_key("account_created");
 
     format::view(
         &v,
@@ -209,6 +370,9 @@ async fn order_confirmation(
                 settings::get(&ctx, "bank_account_name").unwrap_or(""),
             ),
             "items": view::items(&items),
+            "logged_in_admin": logged_in_admin,
+            "logged_in_customer": logged_in_customer,
+            "account_created": account_created,
             "lang": current_lang(&jar),
         }),
     )

src/controllers/home.rs

@@ -13,13 +13,15 @@ async fn index(
     State(ctx): State<AppContext>,
 ) -> Result<Response> {
     let products = shop::featured_products(&ctx, 8).await?;
+    let (logged_in_admin, logged_in_customer) = guard::chrome(&ctx, &jar).await;
 
     format::view(
         &v,
         "home/index.html",
         json!({
             "products": products,
-            "logged_in_admin": guard::logged_in(&ctx, &jar).await,
+            "logged_in_admin": logged_in_admin,
+            "logged_in_customer": logged_in_customer,
             "lang": current_lang(&jar),
         }),
     )

src/controllers/mod.rs

@@ -1,8 +1,10 @@
+pub mod account;
 pub mod auth;
+pub mod auth_pages;
+pub mod oauth2;
 pub mod admin_categories;
 pub mod admin_dashboard;
 pub mod admin_form;
-pub mod admin_login;
 pub mod admin_orders;
 pub mod admin_products;
 pub mod admin_shipping;

src/controllers/oauth2.rs

@@ -0,0 +1,56 @@
+//! HTML OAuth2 (Google) sign-in.
+//!
+//! The provider round-trip is handled by loco-oauth2's built-in authorize +
+//! cookie-callback handlers. The callback upserts the user, stores an OAuth2
+//! session, sets loco-oauth2's *private* session cookie, and redirects to the
+//! configured `protected_url` — which is our [`complete`] handler. There we
+//! trade the OAuth2 session for OUR Loco `auth_token` JWT cookie, so the rest of
+//! the app (the Casbin layer, `guard`, the unified `/login`) treats a Google
+//! user exactly like a password login. Admins (matching `ADMIN_EMAIL`) land on
+//! the dashboard, everyone else on the storefront.
+
+use loco_oauth2::controllers::{
+    middleware::OAuth2CookieUser,
+    oauth2::{google_authorization_url, google_callback_cookie},
+};
+use loco_rs::prelude::*;
+
+use crate::{
+    controllers::auth as auth_controller,
+    models::{o_auth2_sessions, users, users::OAuth2UserProfile},
+    shared::guard,
+};
+
+type GoogleCookieUser = OAuth2CookieUser<OAuth2UserProfile, users::Model, o_auth2_sessions::Model>;
+
+/// Bridge from loco-oauth2's session cookie to our own auth cookie.
+#[debug_handler]
+async fn complete(State(ctx): State<AppContext>, user: GoogleCookieUser) -> Result<Response> {
+    let user: &users::Model = user.as_ref();
+    let jwt_secret = ctx.config.get_jwt_config()?;
+    let token = user
+        .generate_jwt(&jwt_secret.secret, jwt_secret.expiration)
+        .or_else(|_| unauthorized("unauthorized!"))?;
+    let dest = if guard::is_admin(&ctx, user) {
+        "/admin/dashboard"
+    } else {
+        "/"
+    };
+    format::render()
+        .cookies(&[auth_controller::auth_cookie(&token, jwt_secret.expiration)])?
+        .redirect(dest)
+}
+
+pub fn routes() -> Routes {
+    Routes::new()
+        .prefix("api/oauth2")
+        // Redirects the browser to Google's consent screen.
+        .add("/google", get(google_authorization_url))
+        // Google redirects back here; loco-oauth2 exchanges the code, upserts
+        // the user, and redirects to `protected_url` (/api/oauth2/protected).
+        .add(
+            "/google/callback/cookie",
+            get(google_callback_cookie::<OAuth2UserProfile, users::Model, o_auth2_sessions::Model>),
+        )
+        .add("/protected", get(complete))
+}

src/controllers/shop.rs

@@ -69,12 +69,14 @@ async fn index(
         .all(&ctx.db)
         .await?;
 
+    let (logged_in_admin, logged_in_customer) = guard::chrome(&ctx, &jar).await;
     format::view(
         &v,
         "shop/index.html",
         json!({
             "products": product_rows(&ctx, list).await?,
-            "logged_in_admin": guard::logged_in(&ctx, &jar).await,
+            "logged_in_admin": logged_in_admin,
+            "logged_in_customer": logged_in_customer,
             "lang": current_lang(&jar),
         }),
     )
@@ -108,6 +110,7 @@ async fn show(
         None => None,
     };
 
+    let (logged_in_admin, logged_in_customer) = guard::chrome(&ctx, &jar).await;
     format::view(
         &v,
         "shop/show.html",
@@ -115,7 +118,8 @@ async fn show(
             "product": view::product_card(&product, None, category.as_ref().map(|c| c.name.clone())),
             "images": images.iter().map(|i| i.image_id.clone()).collect::<Vec<_>>(),
             "category": category,
-            "logged_in_admin": guard::logged_in(&ctx, &jar).await,
+            "logged_in_admin": logged_in_admin,
+            "logged_in_customer": logged_in_customer,
             "lang": current_lang(&jar),
         }),
     )
@@ -151,6 +155,7 @@ async fn category(
         .all(&ctx.db)
         .await?;
 
+    let (logged_in_admin, logged_in_customer) = guard::chrome(&ctx, &jar).await;
     format::view(
         &v,
         "shop/category.html",
@@ -159,7 +164,8 @@ async fn category(
             "breadcrumbs": breadcrumbs,
             "children": children,
             "products": product_rows(&ctx, list).await?,
-            "logged_in_admin": guard::logged_in(&ctx, &jar).await,
+            "logged_in_admin": logged_in_admin,
+            "logged_in_customer": logged_in_customer,
             "lang": current_lang(&jar),
         }),
     )

src/initializers/admin_seeder.rs

@@ -1,4 +1,5 @@
 use async_trait::async_trait;
+use chrono::offset::Local;
 use loco_rs::prelude::*;
 use loco_rs::hash;
 use sea_orm::{ActiveModelTrait, IntoActiveModel, Set};
@@ -30,18 +31,26 @@ impl Initializer for AdminSeeder {
             let mut am = user.into_active_model();
             am.password = Set(hash);
             am.name = Set(name);
+            // The admin signs in through the same /login flow as everyone else,
+            // which requires a verified email — keep the seeded admin verified.
+            am.email_verified_at = Set(Some(Local::now().into()));
             am.update(&ctx.db).await?;
             tracing::info!(admin = %email, "admin password synced from .env");
         } else {
-            users::Model::create_with_password(
+            let user = users::Model::create_with_password(
                 &ctx.db,
                 &RegisterParams {
                     email: email.clone(),
                     password,
                     name,
+                    account_type: None,
                 },
             )
             .await?;
+            // Auto-verify so the seeded admin can log in without an email round-trip.
+            let mut am = user.into_active_model();
+            am.email_verified_at = Set(Some(Local::now().into()));
+            am.update(&ctx.db).await?;
             tracing::info!(admin = %email, "admin user seeded");
         }
 

src/initializers/mod.rs

@@ -1,3 +1,5 @@
 pub mod admin_seeder;
+pub mod oauth2;
+pub mod oauth2_session;
 pub mod shipping_seeder;
 pub mod view_engine;

src/initializers/oauth2.rs

@@ -0,0 +1,36 @@
+//! Builds the loco-oauth2 client store from `initializers.oauth2` config and
+//! injects it as an Axum extension so the oauth2 controllers can reach it.
+
+use axum::{Extension, Router as AxumRouter};
+use loco_oauth2::{config::Config as OAuth2Config, OAuth2ClientStore};
+use loco_rs::prelude::*;
+
+pub struct OAuth2StoreInitializer;
+
+#[async_trait]
+impl Initializer for OAuth2StoreInitializer {
+    fn name(&self) -> String {
+        "oauth2-store".to_string()
+    }
+
+    async fn after_routes(&self, router: AxumRouter, ctx: &AppContext) -> Result<AxumRouter> {
+        let settings = ctx.config.initializers.clone().ok_or_else(|| {
+            Error::Message("Initializers config not configured for OAuth2".to_string())
+        })?;
+        let oauth2_config_value = settings
+            .get("oauth2")
+            .ok_or_else(|| {
+                Error::Message("oauth2 config not found in initializers configuration".to_string())
+            })?
+            .clone();
+        let oauth2_config: OAuth2Config = oauth2_config_value.try_into().map_err(|e| {
+            tracing::error!(error = ?e, "could not convert oauth2 config from yaml");
+            Error::Message("could not convert oauth2 config from yaml".to_string())
+        })?;
+        let oauth2_store = OAuth2ClientStore::new(oauth2_config).map_err(|e| {
+            tracing::error!(error = ?e, "could not create oauth2 store from config");
+            Error::Message("could not create oauth2 store from config".to_string())
+        })?;
+        Ok(router.layer(Extension(oauth2_store)))
+    }
+}

src/initializers/oauth2_session.rs

@@ -0,0 +1,25 @@
+//! tower-sessions layer that loco-oauth2 uses to hold the short-lived CSRF /
+//! PKCE state between the authorize redirect and the provider callback. An
+//! in-memory store is sufficient since the state only needs to survive the
+//! round-trip to the provider.
+
+use axum::Router as AxumRouter;
+use loco_rs::prelude::*;
+use tower_sessions::{cookie::time::Duration, Expiry, MemoryStore, SessionManagerLayer};
+
+pub struct OAuth2SessionInitializer;
+
+#[async_trait]
+impl Initializer for OAuth2SessionInitializer {
+    fn name(&self) -> String {
+        "oauth2-session".to_string()
+    }
+
+    async fn after_routes(&self, router: AxumRouter, _ctx: &AppContext) -> Result<AxumRouter> {
+        let session_store = MemoryStore::default();
+        let session_layer = SessionManagerLayer::new(session_store)
+            .with_secure(false)
+            .with_expiry(Expiry::OnInactivity(Duration::minutes(10)));
+        Ok(router.layer(session_layer))
+    }
+}

src/mailers/auth.rs

@@ -9,10 +9,21 @@ use crate::models::users;
 static welcome: Dir<'_> = include_dir!("src/mailers/auth/welcome");
 static forgot: Dir<'_> = include_dir!("src/mailers/auth/forgot");
 static magic_link: Dir<'_> = include_dir!("src/mailers/auth/magic_link");
+static set_password: Dir<'_> = include_dir!("src/mailers/auth/set_password");
 
 #[allow(clippy::module_name_repetitions)]
 pub struct AuthMailer {}
-impl Mailer for AuthMailer {}
+impl Mailer for AuthMailer {
+    /// Override the framework default (`System <system@example.com>`), which any
+    /// real MX rejects (`example.com` is nullMX). Must be a sender the SMTP
+    /// account is allowed to send as.
+    fn opts() -> mailer::MailerOpts {
+        mailer::MailerOpts {
+            from: "Kompress <info@kompress.sk>".to_string(),
+            ..Default::default()
+        }
+    }
+}
 impl AuthMailer {
     /// Sending welcome email the the given user
     ///
@@ -62,6 +73,31 @@ impl AuthMailer {
         Ok(())
     }
 
+    /// Sends a "set your password" email to a checkout-created account. Reuses
+    /// the reset token; the link lands on the HTML `/set-password/{token}` page.
+    ///
+    /// # Errors
+    ///
+    /// When email sending is failed
+    pub async fn send_set_password(ctx: &AppContext, user: &users::Model) -> Result<()> {
+        Self::mail_template(
+            ctx,
+            &set_password,
+            mailer::Args {
+                to: user.email.to_string(),
+                locals: json!({
+                  "name": user.name,
+                  "resetToken": user.reset_token,
+                  "domain": ctx.config.server.full_url()
+                }),
+                ..Default::default()
+            },
+        )
+        .await?;
+
+        Ok(())
+    }
+
     /// Sends a magic link authentication email to the user.
     ///
     /// # Errors

src/mailers/auth/set_password/html.t

@@ -0,0 +1,10 @@
+<html>
+
+<body>
+  Hey {{name}},
+  Thanks for your order! We created an account for you. Set your password to finish, then you can track your orders:
+  <a href="{{domain}}/set-password/{{resetToken}}">Set your password</a>
+  If you didn't place this order, you can ignore this email.
+</body>
+
+</html>

src/mailers/auth/set_password/subject.t

@@ -0,0 +1 @@
+Set your password

src/mailers/auth/set_password/text.t

@@ -0,0 +1,7 @@
+Hey {{name}},
+
+Thanks for your order! We created an account for you. Set your password to finish, then you can track your orders:
+
+{{domain}}/set-password/{{resetToken}}
+
+If you didn't place this order, you can ignore this email.

src/mailers/auth/welcome/html.t

@@ -4,7 +4,7 @@
   Dear {{name}},
   Welcome to Loco! You can now log in to your account.
   Before you get started, please verify your account by clicking the link below:
-  <a href="{{domain}}/api/auth/verify/{{verifyToken}}">
+  <a href="{{domain}}/verify/{{verifyToken}}">
     Verify Your Account
   </a>
   <p>Best regards,<br>The Loco Team</p>

src/mailers/auth/welcome/text.t

@@ -1,4 +1,4 @@
 Welcome {{name}}, you can now log in.
   Verify your account with the link below:
 
-  {{domain}}/api/auth/verify/{{verifyToken}}
+  {{domain}}/verify/{{verifyToken}}

src/models/_entities/customer_profiles.rs

@@ -0,0 +1,44 @@
+//! `SeaORM` Entity for customer shipping/contact profiles. Hand-written to match
+//! the `customer_profiles` migration (1:1 with `users` via a unique `user_id`).
+
+use sea_orm::entity::prelude::*;
+use serde::{Deserialize, Serialize};
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq, Serialize, Deserialize)]
+#[sea_orm(table_name = "customer_profiles")]
+pub struct Model {
+    pub created_at: DateTimeWithTimeZone,
+    pub updated_at: DateTimeWithTimeZone,
+    #[sea_orm(primary_key)]
+    pub id: i32,
+    #[sea_orm(unique)]
+    pub user_id: i32,
+    pub company_name: Option<String>,
+    pub company_id: Option<String>,
+    pub tax_id: Option<String>,
+    pub vat_id: Option<String>,
+    pub phone_prefix: Option<String>,
+    pub phone: Option<String>,
+    pub address: Option<String>,
+    pub city: Option<String>,
+    pub zip: Option<String>,
+    pub country: Option<String>,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::users::Entity",
+        from = "Column::UserId",
+        to = "super::users::Column::Id",
+        on_update = "Cascade",
+        on_delete = "Cascade"
+    )]
+    Users,
+}
+
+impl Related<super::users::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::Users.def()
+    }
+}

src/models/_entities/mod.rs

@@ -4,6 +4,8 @@ pub mod prelude;
 
 pub mod audit_logs;
 pub mod categories;
+pub mod customer_profiles;
+pub mod o_auth2_sessions;
 pub mod order_items;
 pub mod orders;
 pub mod product_images;

src/models/_entities/o_auth2_sessions.rs

@@ -0,0 +1,36 @@
+//! `SeaORM` Entity for loco-oauth2 sessions. Hand-written to match the
+//! `o_auth2_sessions` migration (the rest of `_entities/` is codegen; this table
+//! is owned by the loco-oauth2 integration).
+
+use sea_orm::entity::prelude::*;
+use serde::{Deserialize, Serialize};
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq, Serialize, Deserialize)]
+#[sea_orm(table_name = "o_auth2_sessions")]
+pub struct Model {
+    pub created_at: DateTimeUtc,
+    pub updated_at: DateTimeUtc,
+    #[sea_orm(primary_key)]
+    pub id: i32,
+    pub session_id: String,
+    pub expires_at: DateTimeUtc,
+    pub user_id: i32,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::users::Entity",
+        from = "Column::UserId",
+        to = "super::users::Column::Id",
+        on_update = "Cascade",
+        on_delete = "Cascade"
+    )]
+    Users,
+}
+
+impl Related<super::users::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::Users.def()
+    }
+}

src/models/_entities/orders.rs

@@ -18,6 +18,12 @@ pub struct Model {
     pub status: String,
     pub total_cents: i64,
     pub currency: String,
+    pub user_id: Option<i32>,
+    pub account_type: String,
+    pub company_name: Option<String>,
+    pub company_id: Option<String>,
+    pub tax_id: Option<String>,
+    pub vat_id: Option<String>,
     pub address: Option<String>,
     pub city: Option<String>,
     pub zip: Option<String>,

src/models/_entities/prelude.rs

@@ -2,6 +2,8 @@
 
 pub use super::audit_logs::Entity as AuditLogs;
 pub use super::categories::Entity as Categories;
+pub use super::customer_profiles::Entity as CustomerProfiles;
+pub use super::o_auth2_sessions::Entity as OAuth2Sessions;
 pub use super::order_items::Entity as OrderItems;
 pub use super::orders::Entity as Orders;
 pub use super::product_images::Entity as ProductImages;

src/models/_entities/users.rs

@@ -25,6 +25,7 @@ pub struct Model {
     pub magic_link_token: Option<String>,
     pub magic_link_expiration: Option<DateTimeWithTimeZone>,
     pub theme: String,
+    pub account_type: String,
 }
 
 #[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]

src/models/customer_profiles.rs

@@ -0,0 +1,73 @@
+//! Per-customer shipping/contact profile: the address + phone fields used to
+//! prefill checkout. One row per user (unique `user_id`); `name`/`email` are
+//! read from `users`, never duplicated here.
+
+pub use crate::models::_entities::customer_profiles::{ActiveModel, Column, Entity, Model};
+use sea_orm::entity::prelude::*;
+use sea_orm::{ActiveValue, IntoActiveModel, QueryFilter, TryIntoModel};
+
+pub type CustomerProfiles = Entity;
+
+/// The editable profile fields, shared by the profile page and the checkout
+/// "save my address" path. The `company_*` fields are only meaningful for
+/// company accounts (account type now lives on `users`, fixed at registration).
+#[derive(Debug, Default, Clone)]
+pub struct ProfileFields {
+    pub company_name: Option<String>,
+    pub company_id: Option<String>,
+    pub tax_id: Option<String>,
+    pub vat_id: Option<String>,
+    pub phone_prefix: Option<String>,
+    pub phone: Option<String>,
+    pub address: Option<String>,
+    pub city: Option<String>,
+    pub zip: Option<String>,
+    pub country: Option<String>,
+}
+
+#[async_trait::async_trait]
+impl ActiveModelBehavior for ActiveModel {
+    async fn before_save<C>(self, _db: &C, _insert: bool) -> std::result::Result<Self, DbErr>
+    where
+        C: ConnectionTrait,
+    {
+        Ok(self)
+    }
+}
+
+impl Model {
+    /// The profile for `user_id`, if one exists.
+    pub async fn find_for_user(db: &DatabaseConnection, user_id: i32) -> Result<Option<Self>, DbErr> {
+        Entity::find()
+            .filter(Column::UserId.eq(user_id))
+            .one(db)
+            .await
+    }
+
+    /// Insert or update the profile for `user_id` with `fields`, returning the
+    /// persisted row. The unique `user_id` index keeps this 1:1.
+    pub async fn upsert(
+        db: &DatabaseConnection,
+        user_id: i32,
+        fields: ProfileFields,
+    ) -> Result<Self, DbErr> {
+        let mut active = match Self::find_for_user(db, user_id).await? {
+            Some(existing) => existing.into_active_model(),
+            None => ActiveModel {
+                user_id: ActiveValue::set(user_id),
+                ..Default::default()
+            },
+        };
+        active.company_name = ActiveValue::set(fields.company_name);
+        active.company_id = ActiveValue::set(fields.company_id);
+        active.tax_id = ActiveValue::set(fields.tax_id);
+        active.vat_id = ActiveValue::set(fields.vat_id);
+        active.phone_prefix = ActiveValue::set(fields.phone_prefix);
+        active.phone = ActiveValue::set(fields.phone);
+        active.address = ActiveValue::set(fields.address);
+        active.city = ActiveValue::set(fields.city);
+        active.zip = ActiveValue::set(fields.zip);
+        active.country = ActiveValue::set(fields.country);
+        active.save(db).await?.try_into_model()
+    }
+}

src/models/mod.rs

@@ -8,6 +8,8 @@ pub mod _entities;
 
 pub mod audit_logs;
 pub mod categories;
+pub mod customer_profiles;
+pub mod o_auth2_sessions;
 pub mod order_items;
 pub mod orders;
 pub mod product_images;

src/models/o_auth2_sessions.rs

@@ -0,0 +1,79 @@
+pub use super::_entities::o_auth2_sessions::{ActiveModel, Column, Entity, Model};
+use crate::models::{o_auth2_sessions, users};
+use async_trait::async_trait;
+use chrono::Utc;
+use loco_oauth2::base_oauth2::{basic::BasicTokenResponse, TokenResponse};
+use loco_oauth2::models::oauth2_sessions::OAuth2SessionsTrait;
+use loco_rs::prelude::*;
+use sea_orm::entity::prelude::*;
+
+pub type OAuth2Sessions = Entity;
+
+#[async_trait::async_trait]
+impl ActiveModelBehavior for ActiveModel {
+    async fn before_save<C>(self, _db: &C, insert: bool) -> std::result::Result<Self, DbErr>
+    where
+        C: ConnectionTrait,
+    {
+        if !insert && self.updated_at.is_unchanged() {
+            let mut this = self;
+            this.updated_at = sea_orm::ActiveValue::Set(Utc::now());
+            Ok(this)
+        } else {
+            Ok(self)
+        }
+    }
+}
+
+#[async_trait]
+impl OAuth2SessionsTrait<users::Model> for Model {
+    /// Whether the session identified by `session_id` has expired.
+    async fn is_expired(db: &DatabaseConnection, session_id: &str) -> ModelResult<bool> {
+        let session = o_auth2_sessions::Entity::find()
+            .filter(o_auth2_sessions::Column::SessionId.eq(session_id))
+            .one(db)
+            .await?
+            .ok_or_else(|| ModelError::EntityNotFound)?;
+        Ok(session.expires_at < Utc::now())
+    }
+
+    /// Create or refresh the session row for `user` from the provider token.
+    async fn upsert_with_oauth2(
+        db: &DatabaseConnection,
+        token: &BasicTokenResponse,
+        user: &users::Model,
+    ) -> ModelResult<Self> {
+        let txn = db.begin().await?;
+        let session_id = token.access_token().secret().clone();
+        let expires_at = Utc::now()
+            + token
+                .expires_in()
+                .unwrap_or(std::time::Duration::from_secs(3600));
+
+        let session = match o_auth2_sessions::Entity::find()
+            .filter(o_auth2_sessions::Column::UserId.eq(user.id))
+            .one(&txn)
+            .await?
+        {
+            Some(session) => {
+                let mut session: o_auth2_sessions::ActiveModel = session.into();
+                session.session_id = ActiveValue::set(session_id);
+                session.expires_at = ActiveValue::set(expires_at);
+                session.updated_at = ActiveValue::set(Utc::now());
+                session.update(&txn).await?
+            }
+            None => {
+                o_auth2_sessions::ActiveModel {
+                    session_id: ActiveValue::set(session_id),
+                    expires_at: ActiveValue::set(expires_at),
+                    user_id: ActiveValue::set(user.id),
+                    ..Default::default()
+                }
+                .insert(&txn)
+                .await?
+            }
+        };
+        txn.commit().await?;
+        Ok(session)
+    }
+}

src/models/orders.rs

@@ -14,6 +14,14 @@ pub struct Checkout {
     pub email: String,
     pub phone: String,
     pub customer_name: Option<String>,
+    /// The account that owns this order, if any (a logged-in buyer or a guest
+    /// who created an account during checkout). `None` for pure guest orders.
+    pub user_id: Option<i32>,
+    pub account_type: String,
+    pub company_name: Option<String>,
+    pub company_id: Option<String>,
+    pub tax_id: Option<String>,
+    pub vat_id: Option<String>,
     pub address: Option<String>,
     pub city: Option<String>,
     pub zip: Option<String>,
@@ -70,6 +78,12 @@ pub async fn place(ctx: &AppContext, items: &[(i32, i32)], details: Checkout) ->
         status: Set("pending".to_string()),
         total_cents: Set(subtotal + details.method.price_cents),
         currency: Set(currency),
+        user_id: Set(details.user_id),
+        account_type: Set(details.account_type),
+        company_name: Set(details.company_name),
+        company_id: Set(details.company_id),
+        tax_id: Set(details.tax_id),
+        vat_id: Set(details.vat_id),
         address: Set(details.address),
         city: Set(details.city),
         zip: Set(details.zip),

src/models/users.rs

@@ -1,15 +1,21 @@
 use async_trait::async_trait;
 use chrono::{offset::Local, Duration};
+use loco_oauth2::models::users::OAuth2UserTrait;
 use loco_rs::{auth::jwt, hash, prelude::*};
+use passwords::PasswordGenerator;
 use serde::{Deserialize, Serialize};
 use serde_json::Map;
 use uuid::Uuid;
 
+use crate::models::_entities::o_auth2_sessions;
 pub use crate::models::_entities::users::{self, ActiveModel, Entity, Model};
 
 pub const MAGIC_LINK_LENGTH: i8 = 32;
 pub const MAGIC_LINK_EXPIRATION_MIN: i8 = 5;
 
+/// Minimum gap between verification-email resends for one account, in seconds.
+pub const VERIFICATION_RESEND_COOLDOWN_SECS: i64 = 60;
+
 #[derive(Debug, Deserialize, Serialize)]
 pub struct LoginParams {
     pub email: String,
@@ -21,6 +27,21 @@ pub struct RegisterParams {
     pub email: String,
     pub password: String,
     pub name: String,
+    /// "personal" or "company"; permanent for the account. Optional on the wire
+    /// (older/JSON callers omit it) and normalized via [`normalize_account_type`].
+    #[serde(default)]
+    pub account_type: Option<String>,
+}
+
+/// Normalize an account type to one of the two permanent values, defaulting to
+/// "personal" for anything missing or unexpected. An account's type is chosen
+/// once at registration and never changes.
+#[must_use]
+pub fn normalize_account_type(value: Option<&str>) -> String {
+    match value.map(str::trim) {
+        Some("company") => "company".to_string(),
+        _ => "personal".to_string(),
+    }
 }
 
 #[derive(Debug, Validate, Deserialize)]
@@ -213,6 +234,29 @@ impl Model {
         hash::verify_password(password, &self.password)
     }
 
+    /// Whether this is a company account (vs a personal one). Fixed at
+    /// registration.
+    #[must_use]
+    pub fn is_company(&self) -> bool {
+        self.account_type == "company"
+    }
+
+    /// Seconds the user must still wait before another verification email may be
+    /// sent — 0 means a resend is allowed now. Throttling resends off the last
+    /// `email_verification_sent_at` keeps the endpoint from being an easy way to
+    /// spam someone's inbox.
+    #[must_use]
+    pub fn verification_resend_wait_secs(&self) -> i64 {
+        match self.email_verification_sent_at {
+            Some(sent) => {
+                let elapsed =
+                    (chrono::Utc::now() - sent.with_timezone(&chrono::Utc)).num_seconds();
+                (VERIFICATION_RESEND_COOLDOWN_SECS - elapsed).max(0)
+            }
+            None => 0,
+        }
+    }
+
     /// Asynchronously creates a user with a password and saves it to the
     /// database.
     ///
@@ -244,6 +288,7 @@ impl Model {
             email: ActiveValue::set(params.email.to_string()),
             password: ActiveValue::set(password_hash),
             name: ActiveValue::set(params.name.to_string()),
+            account_type: ActiveValue::set(normalize_account_type(params.account_type.as_deref())),
             ..Default::default()
         }
         .insert(&txn)
@@ -254,6 +299,41 @@ impl Model {
         Ok(user)
     }
 
+    /// Creates an account on behalf of a checkout guest. The user never picks a
+    /// password here (a strong random one satisfies the NOT NULL column, as in
+    /// the OAuth path); they receive a "set your password" link by email. Errors
+    /// with [`ModelError::EntityAlreadyExists`] if the email is already taken.
+    ///
+    /// # Errors
+    ///
+    /// When the email already exists or the insert fails.
+    pub async fn create_guest_account(
+        db: &DatabaseConnection,
+        email: &str,
+        name: &str,
+        account_type: &str,
+    ) -> ModelResult<Self> {
+        let password = PasswordGenerator::new()
+            .length(16)
+            .numbers(true)
+            .lowercase_letters(true)
+            .uppercase_letters(true)
+            .symbols(true)
+            .strict(true)
+            .generate_one()
+            .map_err(|e| ModelError::Any(e.into()))?;
+        Self::create_with_password(
+            db,
+            &RegisterParams {
+                email: email.to_string(),
+                password,
+                name: name.to_string(),
+                account_type: Some(account_type.to_string()),
+            },
+        )
+        .await
+    }
+
     /// Creates a JWT
     ///
     /// # Errors
@@ -367,3 +447,93 @@ impl ActiveModel {
         self.update(db).await.map_err(ModelError::from)
     }
 }
+
+/// Google OpenID Connect user profile (the fields our scopes request).
+/// <https://developers.google.com/identity/openid-connect/openid-connect#obtainuserinfo>
+#[derive(Serialize, Deserialize, Clone, Debug)]
+pub struct OAuth2UserProfile {
+    pub email: String,
+    pub name: String,
+    pub sub: String,
+    pub email_verified: bool,
+    pub given_name: Option<String>,
+    pub family_name: Option<String>,
+    pub picture: Option<String>,
+    pub locale: Option<String>,
+}
+
+#[async_trait]
+impl OAuth2UserTrait<OAuth2UserProfile> for Model {
+    /// Resolve the user behind an active OAuth2 session id.
+    async fn find_by_oauth2_session_id(
+        db: &DatabaseConnection,
+        session_id: &str,
+    ) -> ModelResult<Self> {
+        let session = o_auth2_sessions::Entity::find()
+            .filter(o_auth2_sessions::Column::SessionId.eq(session_id))
+            .one(db)
+            .await?
+            .ok_or_else(|| ModelError::EntityNotFound)?;
+        users::Entity::find_by_id(session.user_id)
+            .one(db)
+            .await?
+            .ok_or_else(|| ModelError::EntityNotFound)
+    }
+
+    /// Find-or-create the local user for a verified OAuth2 profile.
+    ///
+    /// Per security advisory LOC-2025-04, OAuth2-created accounts get a strong
+    /// RANDOM password (never the provider `sub`) — they sign in via the
+    /// provider, and the random secret just satisfies the NOT NULL column.
+    /// Google has already verified the email, so we mark it verified.
+    async fn upsert_with_oauth(
+        db: &DatabaseConnection,
+        profile: &OAuth2UserProfile,
+    ) -> ModelResult<Self> {
+        let txn = db.begin().await?;
+        let user = match users::Entity::find()
+            .filter(users::Column::Email.eq(&profile.email))
+            .one(&txn)
+            .await?
+        {
+            Some(user) => user,
+            None => {
+                let password = PasswordGenerator::new()
+                    .length(16)
+                    .numbers(true)
+                    .lowercase_letters(true)
+                    .uppercase_letters(true)
+                    .symbols(true)
+                    .exclude_similar_characters(true)
+                    .strict(true)
+                    .generate_one()
+                    .map_err(|e| ModelError::Any(e.into()))?;
+                let password_hash =
+                    hash::hash_password(&password).map_err(|e| ModelError::Any(e.into()))?;
+                users::ActiveModel {
+                    email: ActiveValue::set(profile.email.to_string()),
+                    name: ActiveValue::set(profile.name.to_string()),
+                    email_verified_at: ActiveValue::set(Some(Local::now().into())),
+                    password: ActiveValue::set(password_hash),
+                    ..Default::default()
+                }
+                .insert(&txn)
+                .await
+                .map_err(|e| {
+                    tracing::error!(error = %e, "failed to create OAuth2 user");
+                    ModelError::Any(e.into())
+                })?
+            }
+        };
+        txn.commit().await?;
+        Ok(user)
+    }
+
+    /// Required by the trait; mirrors the inherent [`Model::generate_jwt`]
+    /// (inlined to avoid the inherent/trait name clash).
+    fn generate_jwt(&self, secret: &str, expiration: &u64) -> ModelResult<String> {
+        jwt::JWT::new(secret)
+            .generate_token(*expiration, self.pid.to_string(), Map::new())
+            .map_err(ModelError::from)
+    }
+}

src/shared/guard.rs

@@ -23,21 +23,36 @@ pub async fn current_admin(auth: auth::JWT, ctx: &AppContext) -> Result<users::M
     Ok(user)
 }
 
+/// Soft auth for public pages: returns the user behind a valid auth cookie, or
+/// `None`. Never errors — used to decide chrome and post-login redirects, not
+/// to gate protected handlers (use [`current_admin`] for that).
+pub async fn current_user(ctx: &AppContext, jar: &CookieJar) -> Option<users::Model> {
+    let cookie = jar.get(AUTH_COOKIE)?;
+    let jwt_config = ctx.config.get_jwt_config().ok()?;
+    let claims = loco_rs::auth::jwt::JWT::new(&jwt_config.secret)
+        .validate(cookie.value())
+        .ok()?;
+    users::Model::find_by_pid(&ctx.db, &claims.claims.pid)
+        .await
+        .ok()
+}
+
 /// Soft check for public pages: does the request carry a valid admin auth
 /// cookie? Never errors — used only to decide whether to show admin chrome.
 pub async fn logged_in(ctx: &AppContext, jar: &CookieJar) -> bool {
-    let Some(cookie) = jar.get(AUTH_COOKIE) else {
+    match current_user(ctx, jar).await {
-        return false;
+        Some(user) => is_admin(ctx, &user),
-    };
+        None => false,
-    let Ok(jwt_config) = ctx.config.get_jwt_config() else {
+    }
-        return false;
+}
-    };
+
-    let Ok(claims) = loco_rs::auth::jwt::JWT::new(&jwt_config.secret).validate(cookie.value())
+/// Nav chrome flags for storefront pages, in one DB lookup: returns
-    else {
+/// `(logged_in_admin, logged_in_customer)`. A customer is any authenticated
-        return false;
+/// non-admin user. Both are `false` for anonymous visitors.
-    };
+pub async fn chrome(ctx: &AppContext, jar: &CookieJar) -> (bool, bool) {
-    let Ok(user) = users::Model::find_by_pid(&ctx.db, &claims.claims.pid).await else {
+    match current_user(ctx, jar).await {
-        return false;
+        Some(user) if is_admin(ctx, &user) => (true, false),
-    };
+        Some(_) => (false, true),
-    is_admin(ctx, &user)
+        None => (false, false),
+    }
 }

src/shared/mod.rs

@@ -2,5 +2,6 @@
 
 pub mod guard;
 pub mod money;
+pub mod rbac;
 pub mod settings;
 pub mod slug;

src/shared/rbac.rs

@@ -0,0 +1,129 @@
+//! Casbin-based authorization layer.
+//!
+//! Authentication stays with Loco's JWT cookie (see [`crate::shared::guard`]);
+//! Casbin only answers "is this subject allowed on this path?". At request time
+//! [`inject_subject`] resolves the caller's role from the JWT and stamps it onto
+//! the request as `CasbinVals`, then [`CasbinAxumLayer`] enforces the policy in
+//! `config/casbin/{model.conf,policy.csv}`.
+//!
+//! The model is deny-override: everything is allowed by default and the policy
+//! only *denies* non-admins under `/admin/*`. The per-handler
+//! [`guard::current_admin`] checks stay in place as defense in depth.
+//!
+//! DECISION — single hardcoded admin: there is intentionally no stored `role`.
+//! The one admin is the user whose email matches `ADMIN_EMAIL` in `.env`
+//! (granted in `admin_seeder`, detected by [`guard::is_admin`]); every other
+//! authenticated user is `customer` and the rest are `anonymous`. This is a
+//! deliberate fit for the current scale, not a constraint of the design.
+//!
+//! Upgrade path when more roles are needed (each step is localized): add a
+//! `role` column to `users` (migration), set it on register/seed, read
+//! `user.role` in [`inject_subject`] instead of the `is_admin` check below, and
+//! add `p`/`g` lines to `config/casbin/policy.csv`. The enforcement layer,
+//! `after_routes` wiring, and tests are unaffected by that change.
+
+use axum::{
+    extract::{Request, State},
+    middleware::Next,
+    response::Response,
+};
+use axum_casbin::{
+    casbin::{DefaultModel, FileAdapter},
+    CasbinAxumLayer, CasbinVals,
+};
+use axum_extra::extract::cookie::CookieJar;
+use loco_rs::prelude::*;
+
+use crate::shared::guard;
+
+const MODEL_PATH: &str = "config/casbin/model.conf";
+const POLICY_PATH: &str = "config/casbin/policy.csv";
+
+/// Build the Casbin enforcement layer from the on-disk model + policy.
+pub async fn layer() -> Result<CasbinAxumLayer> {
+    let model = DefaultModel::from_file(MODEL_PATH)
+        .await
+        .map_err(|e| Error::Message(format!("casbin model load failed: {e}")))?;
+    let adapter = FileAdapter::new(POLICY_PATH);
+    CasbinAxumLayer::new(model, adapter)
+        .await
+        .map_err(|e| Error::Message(format!("casbin enforcer init failed: {e}")))
+}
+
+/// Resolve the caller's role from the Loco JWT cookie and attach it as the
+/// Casbin subject. Always sets *some* subject (anonymous requests included) so
+/// the enforcer never sees an empty value.
+pub async fn inject_subject(
+    State(ctx): State<AppContext>,
+    jar: CookieJar,
+    mut req: Request,
+    next: Next,
+) -> Response {
+    let subject = match guard::current_user(&ctx, &jar).await {
+        Some(user) if guard::is_admin(&ctx, &user) => "admin",
+        Some(_) => "customer",
+        None => "anonymous",
+    };
+    req.extensions_mut().insert(CasbinVals {
+        subject: subject.to_string(),
+        domain: None,
+    });
+    next.run(req).await
+}
+
+#[cfg(test)]
+mod tests {
+    use axum_casbin::casbin::{CoreApi, DefaultModel, Enforcer, FileAdapter};
+
+    async fn enforcer() -> Enforcer {
+        let model = DefaultModel::from_file(super::MODEL_PATH).await.unwrap();
+        let adapter = FileAdapter::new(super::POLICY_PATH);
+        Enforcer::new(model, adapter).await.unwrap()
+    }
+
+    async fn allowed(e: &Enforcer, sub: &str, obj: &str, act: &str) -> bool {
+        e.enforce((sub, obj, act)).unwrap()
+    }
+
+    #[tokio::test]
+    async fn admin_subtree_is_admin_only() {
+        let e = enforcer().await;
+
+        // Admins reach the protected subtree (any method, nested paths).
+        assert!(allowed(&e, "admin", "/admin/dashboard", "GET").await);
+        assert!(allowed(&e, "admin", "/admin/orders/5", "POST").await);
+
+        // Customers and anonymous are denied there.
+        assert!(!allowed(&e, "customer", "/admin/dashboard", "GET").await);
+        assert!(!allowed(&e, "customer", "/admin/orders/5", "POST").await);
+        assert!(!allowed(&e, "anonymous", "/admin/products", "GET").await);
+    }
+
+    #[tokio::test]
+    async fn admin_only_endpoints_outside_admin_subtree() {
+        let e = enforcer().await;
+
+        // Admin JSON API and image upload are admin-only.
+        assert!(allowed(&e, "admin", "/api/admin/dashboard", "GET").await);
+        assert!(allowed(&e, "admin", "/images/upload", "POST").await);
+        assert!(!allowed(&e, "customer", "/api/admin/dashboard", "GET").await);
+        assert!(!allowed(&e, "anonymous", "/images/upload", "POST").await);
+
+        // Public image serving stays open for everyone.
+        assert!(allowed(&e, "anonymous", "/images/logo.png", "GET").await);
+        assert!(allowed(&e, "customer", "/images/logo.png", "GET").await);
+    }
+
+    #[tokio::test]
+    async fn storefront_is_open_to_everyone() {
+        let e = enforcer().await;
+
+        for sub in ["admin", "customer", "anonymous"] {
+            assert!(allowed(&e, sub, "/", "GET").await);
+            assert!(allowed(&e, sub, "/shop", "GET").await);
+            assert!(allowed(&e, sub, "/login", "POST").await);
+            // The bare /admin entry stays open so it can redirect to /login.
+            assert!(allowed(&e, sub, "/admin", "GET").await);
+        }
+    }
+}

src/views/checkout.rs

@@ -30,6 +30,11 @@ pub fn detail(order: &orders::Model, bank_iban: &str, bank_account_name: &str) -
         "email": order.email,
         "phone": order.phone,
         "customer_name": order.customer_name,
+        "account_type": order.account_type,
+        "company_name": order.company_name,
+        "company_id": order.company_id,
+        "tax_id": order.tax_id,
+        "vat_id": order.vat_id,
         "status": order.status,
         "subtotal": format_price(order.total_cents - order.shipping_cents),
         "shipping": format_price(order.shipping_cents),

tests/mailer/mod.rs

@@ -0,0 +1 @@
+mod smtp_send;

tests/mailer/smtp_send.rs

@@ -0,0 +1,104 @@
+//! Real-SMTP smoke test.
+//!
+//! Sends an actual email through the live SMTP server using the real
+//! `AuthMailer` pipeline (config -> Loco mailer -> templates -> SMTP). The test
+//! PASSES when the SMTP server accepts the message (the send returns `Ok`);
+//! confirm real delivery by checking the recipient's inbox.
+//!
+//! It is `#[ignore]`d so it never runs in CI or a normal `cargo test` (it opens
+//! a real network connection, uses real credentials, and sends a real email).
+//! Run it explicitly, inside `nix develop` so `SMTP_PASSWORD` is present:
+//!
+//! ```sh
+//! nix develop -c cargo test --test mod -- --ignored mailer::smtp_send
+//! # optional: choose the recipient (defaults to the address below)
+//! MAILER_TEST_TO=you@example.com \
+//!   nix develop -c cargo test --test mod -- --ignored mailer::smtp_send
+//! ```
+
+use kompress_eshop::{
+    app::App,
+    mailers::auth::AuthMailer,
+    models::users::{Model, RegisterParams},
+};
+use loco_rs::testing::prelude::*;
+use sea_orm::IntoActiveModel;
+use serial_test::serial;
+
+// Non-secret production SMTP settings (mirror `.env`). The password is
+// intentionally NOT here: it is supplied at runtime via `SMTP_PASSWORD`
+// (direnv -> `pass`), and never committed.
+// Dial the name the TLS cert is actually valid for. `smtp.kompress.sk` is a
+// DNS alias for the same server (213.215.124.101) but the cert only lists
+// smtp.euronet.sk, so connecting via the alias fails certificate validation.
+const SMTP_HOST: &str = "smtp.euronet.sk";
+const SMTP_PORT: &str = "587";
+const SMTP_USER: &str = "kompres";
+const SMTP_SECURE: &str = "true";
+
+// Where the test email is sent. Override with `MAILER_TEST_TO`.
+const DEFAULT_RECIPIENT: &str = "filippriec@tutanota.com";
+
+#[tokio::test]
+#[serial]
+#[ignore = "sends a real email via live SMTP; run explicitly with --ignored"]
+async fn sends_real_email() {
+    // The actual secret must come from the environment (direnv -> `pass`).
+    // Fail loudly with guidance rather than silently sending nothing.
+    let password = std::env::var("SMTP_PASSWORD").unwrap_or_default();
+    assert!(
+        !password.is_empty(),
+        "SMTP_PASSWORD is not set. Run inside `nix develop` so direnv loads it from `pass`."
+    );
+
+    let recipient =
+        std::env::var("MAILER_TEST_TO").unwrap_or_else(|_| DEFAULT_RECIPIENT.to_string());
+
+    // Flip the booted context onto the real SMTP transport. `config/test.yaml`
+    // reads these via `get_env` at boot. We deliberately do NOT load `.env`
+    // here: it carries `DATABASE_URL`, and `test.yaml` has
+    // `dangerously_recreate: true`, so loading it would recreate the real DB.
+    // Leaving `DATABASE_URL` untouched keeps boot on the throwaway test DB.
+    //
+    // SAFETY: edition 2024 marks `set_var` as unsafe. This test is `#[serial]`,
+    // so no other test mutates the process environment concurrently.
+    unsafe {
+        std::env::set_var("MAILER_STUB", "false");
+        std::env::set_var("SMTP_ENABLE", "true");
+        std::env::set_var("SMTP_HOST", SMTP_HOST);
+        std::env::set_var("SMTP_PORT", SMTP_PORT);
+        std::env::set_var("SMTP_USER", SMTP_USER);
+        std::env::set_var("SMTP_SECURE", SMTP_SECURE);
+    }
+
+    let boot = boot_test::<App>()
+        .await
+        .expect("Failed to boot test application");
+
+    // A real user whose address is the recipient, so `send_welcome` targets it.
+    let user = Model::create_with_password(
+        &boot.app_context.db,
+        &RegisterParams {
+            email: recipient.clone(),
+            password: "smtp-smoke-test".to_string(),
+            name: "SMTP smoke test".to_string(),
+            account_type: Some("personal".to_string()),
+        },
+    )
+    .await
+    .expect("failed to create test user");
+
+    // Give the welcome email a realistic verification token/link.
+    user.into_active_model()
+        .set_email_verification_sent(&boot.app_context.db)
+        .await
+        .expect("failed to set email verification token");
+    let user = Model::find_by_email(&boot.app_context.db, &recipient)
+        .await
+        .expect("failed to reload test user");
+
+    // The assertion: the live SMTP server must accept the message.
+    AuthMailer::send_welcome(&boot.app_context, &user)
+        .await
+        .unwrap_or_else(|e| panic!("real SMTP send to {recipient} failed: {e:?}"));
+}

tests/mod.rs

@@ -1,3 +1,4 @@
+mod mailer;
 mod models;
 mod requests;
 mod tasks;

tests/models/users.rs

@@ -50,6 +50,7 @@ async fn can_create_with_password() {
         email: "test@framework.com".to_string(),
         password: "1234".to_string(),
         name: "framework".to_string(),
+        account_type: Some("personal".to_string()),
     };
 
     let res = Model::create_with_password(&boot.app_context.db, &params).await;
@@ -78,6 +79,7 @@ async fn handle_create_with_password_with_duplicate() {
             email: "user1@example.com".to_string(),
             password: "1234".to_string(),
             name: "framework".to_string(),
+            account_type: Some("personal".to_string()),
         },
     )
     .await;