default unchecked

profile name surname and save profile data
registration password match
2026-06-19 11:39:40 +02:00 · 2026-06-19 11:37:51 +02:00 · 2026-06-19 11:19:30 +02:00 · 2026-06-19 11:14:47 +02:00 · 2026-06-19 10:54:30 +02:00 · 2026-06-19 10:40:43 +02:00
51 changed files with 1893 additions and 441 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -19,6 +19,8 @@ target/
 *.sqlite-*
 .env
 .env.production
 .envrc
 .direnv/
 uploads/
 *.report.html
 favicon_io.zip
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -3,7 +3,7 @@
 [package]
 name = "kompress_eshop"
 version = "0.1.0"
-edition = "2021"
+edition = "2024"
 publish = false
 default-run = "kompress-eshop-cli"
@@ -16,14 +16,14 @@ loco-rs = { version = "0.16" }
 loco-rs = { workspace = true  }
 serde = { version = "1", features = ["derive"] }
 serde_json = { version = "1" }
-tokio = { version = "1.45", default-features = false, features = [
+tokio = { version = "1.52", default-features = false, features = [
  "rt-multi-thread",
 ] }
 async-trait = { version = "0.1" }
 axum = { version = "0.8", features = ["multipart"] }
 tracing = { version = "0.1" }
 tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }
-regex = { version = "1.11" }
+regex = { version = "1.12" }
 migration = { path = "migration" }
 sea-orm = { version = "1.1", features = [
  "sqlx-sqlite",
@@ -35,7 +35,7 @@ chrono = { version = "0.4" }
 time = { version = "0.3" }
 dotenvy = { version = "0.15" }
 validator = { version = "0.20" }
-uuid = { version = "1.6", features = ["v4"] }
+uuid = { version = "1.23", features = ["v4"] }
 include_dir = { version = "0.7" }
 # outbound HTTP for carrier shipment APIs (Packeta / DPD / DHL)
 reqwest = { version = "0.12", default-features = false, features = ["json", "rustls-tls"] }
@@ -57,6 +57,6 @@ required-features = []
 [dev-dependencies]
 loco-rs = { workspace = true, features = ["testing"] }
-serial_test = { version = "3.1.1" }
+serial_test = { version = "3.5.0" }
 rstest = { version = "0.25" }
-insta = { version = "1.34", features = ["redactions", "yaml", "filters"] }
+insta = { version = "1.48", features = ["redactions", "yaml", "filters"] }
--- a/assets/i18n/en/main.ftl
+++ b/assets/i18n/en/main.ftl
@@ -70,6 +70,7 @@ auth-or = or
 auth-google = Continue with Google
 nav-login = Sign in
 nav-register = Register
 nav-profile = My profile
 register-title = Create account
 register-name = Name
 register-submit = Create account
@@ -256,8 +257,45 @@ country-de = Germany
 country-pl = Poland
 country-hu = Hungary
 checkout-note = Order note
 checkout-save-profile = Save this address to my profile
 account-type = Account type
 account-personal = Individual
 account-company = Company
 account-company-details = Company details
 company-name = Company name
 company-ico = Company ID (IČO)
 company-dic = Tax ID (DIČ)
 company-icdph = VAT ID (IČ DPH)
 field-optional = optional
 checkout-place-order = Place order
 checkout-summary = Order summary
 profile-title = My profile
 profile-intro = We'll use these details to prefill checkout.
 profile-saved = Profile saved.
 profile-save = Save profile
 profile-company-required = For a company account, please fill in company name, IČO and DIČ.
 profile-first-name = First name
 profile-last-name = Surname
 profile-edit = Edit profile
 profile-cancel = Cancel
 profile-not-set = Not set
 account-type-locked = Account type can't be changed after registration.
 checkout-create-account = Create an account from this order
 checkout-create-account-hint = We'll email you a link to set your password. This order will be linked to your account.
 order-account-created = We created an account for you. Check your email to set your password.
 set-password-title = Set your password
 set-password-intro = Choose a password to finish setting up your account.
 set-password-new = New password
 set-password-confirm = Confirm password
 set-password-submit = Set password
 set-password-invalid = This link is invalid or has expired.
 set-password-weak = Password must be at least 8 characters.
 set-password-mismatch = Passwords don't match.
 resend-verification-title = Resend verification email
 resend-verification-intro = Enter your email and we'll send a fresh verification link.
 resend-verification-submit = Resend
 resend-verification-done = If that email belongs to an unverified account, we've sent a new verification link. Check your inbox (and spam). You can request another in a minute.
 login-resend = Didn't get the verification email? Resend it
 order-confirmed-title = Thank you for your order!
 order-confirmed-sub = We have received your order.
 order-number = Order number
--- a/assets/i18n/sk/main.ftl
+++ b/assets/i18n/sk/main.ftl
@@ -70,6 +70,7 @@ auth-or = alebo
 auth-google = Pokračovať cez Google
 nav-login = Prihlásiť sa
 nav-register = Registrácia
 nav-profile = Môj profil
 register-title = Vytvoriť účet
 register-name = Meno
 register-submit = Zaregistrovať sa
@@ -256,8 +257,45 @@ country-de = Nemecko
 country-pl = Poľsko
 country-hu = Maďarsko
 checkout-note = Poznámka k objednávke
 checkout-save-profile = Uložiť túto adresu do môjho profilu
 account-type = Typ účtu
 account-personal = Súkromná osoba
 account-company = Firma
 account-company-details = Firemné údaje
 company-name = Názov firmy
 company-ico = IČO
 company-dic = DIČ
 company-icdph = IČ DPH
 field-optional = nepovinné
 checkout-place-order = Odoslať objednávku
 checkout-summary = Súhrn objednávky
 profile-title = Môj profil
 profile-intro = Tieto údaje použijeme na predvyplnenie pokladne.
 profile-saved = Profil bol uložený.
 profile-save = Uložiť profil
 profile-company-required = Pri firemnom účte vyplňte názov firmy, IČO a DIČ.
 profile-first-name = Meno
 profile-last-name = Priezvisko
 profile-edit = Upraviť profil
 profile-cancel = Zrušiť
 profile-not-set = Neuvedené
 account-type-locked = Typ účtu sa po registrácii nedá zmeniť.
 checkout-create-account = Vytvoriť účet z tejto objednávky
 checkout-create-account-hint = Pošleme vám e-mail na nastavenie hesla. Objednávka sa priradí k vášmu účtu.
 order-account-created = Vytvorili sme vám účet. Skontrolujte si e-mail a nastavte si heslo.
 set-password-title = Nastavte si heslo
 set-password-intro = Zvoľte si heslo a dokončite vytvorenie účtu.
 set-password-new = Nové heslo
 set-password-confirm = Potvrďte heslo
 set-password-submit = Nastaviť heslo
 set-password-invalid = Odkaz je neplatný alebo vypršal.
 set-password-weak = Heslo musí mať aspoň 8 znakov.
 set-password-mismatch = Heslá sa nezhodujú.
 resend-verification-title = Znova odoslať overovací e-mail
 resend-verification-intro = Zadajte svoj e-mail a pošleme vám nový overovací odkaz.
 resend-verification-submit = Odoslať znova
 resend-verification-done = Ak k tomuto e-mailu patrí neoverený účet, poslali sme naň nový overovací odkaz. Skontrolujte si schránku aj priečinok so spamom. Ďalšiu žiadosť môžete odoslať o minútu.
 login-resend = Nedostali ste overovací e-mail? Poslať znova
 order-confirmed-title = Ďakujeme za objednávku!
 order-confirmed-sub = Vašu objednávku sme prijali.
 order-number = Číslo objednávky
--- a/assets/static/css/app.css
+++ b/assets/static/css/app.css
--- a/assets/views/account/profile.html
+++ b/assets/views/account/profile.html
@@ -0,0 +1,228 @@
 {% extends "base.html" %}
 {% import "macros/ui.html" as ui %}
 {% block title %}{{ t(key="profile-title", lang=lang | default(value='sk')) }}{% endblock title %}
 {% macro field(label, value) %}
 <div class="space-y-1.5">
  <label class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ label }}</label>
  {% if value %}
  <p class="text-sm text-on-surface/80 dark:text-on-surface-dark/80">{{ value }}</p>
  {% else %}
  <p class="text-sm italic text-on-surface/50 dark:text-on-surface-dark/50">{{ t(key="profile-not-set", lang=lang | default(value='sk')) }}</p>
  {% endif %}
 </div>
 {% endmacro field %}
 {% block content %}
 <div class="mx-auto max-w-2xl" x-data="{ editing: {% if error %}true{% else %}false{% endif %} }">
  <h1 class="text-3xl font-bold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="profile-title", lang=lang | default(value='sk')) }}</h1>
  <p class="mt-2 text-sm text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="profile-intro", lang=lang | default(value='sk')) }}</p>
  {% if saved %}
  <div class="mt-4 rounded-radius border border-success bg-success/10 px-4 py-3 text-sm text-success" role="status">
    {{ t(key="profile-saved", lang=lang | default(value='sk')) }}
  </div>
  {% endif %}
  {% if error %}
  {{ ui::alert_danger(message=t(key="profile-company-required", lang=lang | default(value='sk')), extra="mt-4") }}
  {% endif %}
  <!-- read-only view (default) -->
  <div x-show="!editing" class="mt-6 space-y-6">
    <fieldset class="space-y-2 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-type", lang=lang | default(value='sk')) }}</legend>
      <div class="flex items-center gap-2">
        {% if account_type == "company" %}
        {{ ui::badge(label=t(key="account-company", lang=lang | default(value='sk')), variant="primary") }}
        {% else %}
        {{ ui::badge(label=t(key="account-personal", lang=lang | default(value='sk')), variant="neutral") }}
        {% endif %}
        <span class="text-xs text-on-surface/60 dark:text-on-surface-dark/60">{{ t(key="account-type-locked", lang=lang | default(value='sk')) }}</span>
      </div>
    </fieldset>
    {% if account_type == "company" %}
    <fieldset class="space-y-4 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-company-details", lang=lang | default(value='sk')) }}</legend>
      {{ self::field(label=t(key="company-name", lang=lang | default(value='sk')), value=company_name) }}
      <div class="grid gap-4 sm:grid-cols-3">
        {{ self::field(label=t(key="company-ico", lang=lang | default(value='sk')), value=company_id) }}
        {{ self::field(label=t(key="company-dic", lang=lang | default(value='sk')), value=tax_id) }}
        {{ self::field(label=t(key="company-icdph", lang=lang | default(value='sk')), value=vat_id) }}
      </div>
    </fieldset>
    {% endif %}
    <fieldset class="space-y-4 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-contact", lang=lang | default(value='sk')) }}</legend>
      {{ self::field(label=t(key="checkout-name", lang=lang | default(value='sk')), value=name) }}
      {{ self::field(label=t(key="checkout-email", lang=lang | default(value='sk')), value=email) }}
      {% if phone %}
      {% set phone_full = phone_prefix | default(value='') %}
      {% set phone_full = phone_full ~ ' ' ~ phone %}
      {{ self::field(label=t(key="checkout-phone", lang=lang | default(value='sk')), value=phone_full) }}
      {% else %}
      {{ self::field(label=t(key="checkout-phone", lang=lang | default(value='sk')), value='') }}
      {% endif %}
    </fieldset>
    <fieldset class="space-y-4 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-shipping", lang=lang | default(value='sk')) }}</legend>
      {{ self::field(label=t(key="checkout-address", lang=lang | default(value='sk')), value=address) }}
      <div class="grid gap-4 sm:grid-cols-3">
        {{ self::field(label=t(key="checkout-city", lang=lang | default(value='sk')), value=city) }}
        {{ self::field(label=t(key="checkout-zip", lang=lang | default(value='sk')), value=zip) }}
        {{ self::field(label=t(key="checkout-country", lang=lang | default(value='sk')), value=country) }}
      </div>
    </fieldset>
    {{ ui::button(label=t(key="profile-edit", lang=lang | default(value='sk')), type="button", size="px-6 py-2.5 text-sm", attrs='@click="editing = true"') }}
  </div>
  <!-- edit form -->
  <form x-show="editing" x-cloak method="post" action="/account/profile" hx-boost="false" class="mt-6 space-y-6">
    <!-- account type is fixed at registration and shown read-only -->
    <fieldset class="space-y-2 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-type", lang=lang | default(value='sk')) }}</legend>
      <div class="flex items-center gap-2">
        {% if account_type == "company" %}
        {{ ui::badge(label=t(key="account-company", lang=lang | default(value='sk')), variant="primary") }}
        {% else %}
        {{ ui::badge(label=t(key="account-personal", lang=lang | default(value='sk')), variant="neutral") }}
        {% endif %}
        <span class="text-xs text-on-surface/60 dark:text-on-surface-dark/60">{{ t(key="account-type-locked", lang=lang | default(value='sk')) }}</span>
      </div>
    </fieldset>
    {% if account_type == "company" %}
    <!-- company billing details (company accounts only) -->
    <fieldset class="space-y-4 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-company-details", lang=lang | default(value='sk')) }}</legend>
      <div class="space-y-1.5">
        <label for="company_name" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="company-name", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
        {{ ui::input(name="company_name", id="company_name", value=company_name | default(value=''), autocomplete="organization") }}
      </div>
      <div class="grid gap-4 sm:grid-cols-3">
        <div class="space-y-1.5">
          <label for="company_id" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="company-ico", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
          {{ ui::input(name="company_id", id="company_id", value=company_id | default(value='')) }}
        </div>
        <div class="space-y-1.5">
          <label for="tax_id" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="company-dic", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
          {{ ui::input(name="tax_id", id="tax_id", value=tax_id | default(value='')) }}
        </div>
        <div class="space-y-1.5">
          <label for="vat_id" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="company-icdph", lang=lang | default(value='sk')) }} <span class="text-on-surface/50 dark:text-on-surface-dark/50">({{ t(key="field-optional", lang=lang | default(value='sk')) }})</span></label>
          {{ ui::input(name="vat_id", id="vat_id", value=vat_id | default(value='')) }}
        </div>
      </div>
    </fieldset>
    {% endif %}
    <!-- contact (name/email are managed by the login) -->
    <fieldset class="space-y-4 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-contact", lang=lang | default(value='sk')) }}</legend>
      <div class="grid gap-4 sm:grid-cols-2">
        <div class="space-y-1.5">
          <label for="first_name" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="profile-first-name", lang=lang | default(value='sk')) }}</label>
          {{ ui::input(name="first_name", id="first_name", value=first_name | default(value=''), autocomplete="given-name") }}
        </div>
        <div class="space-y-1.5">
          <label for="last_name" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="profile-last-name", lang=lang | default(value='sk')) }}</label>
          {{ ui::input(name="last_name", id="last_name", value=last_name | default(value=''), autocomplete="family-name") }}
        </div>
      </div>
      <div class="space-y-1.5">
        <label class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-email", lang=lang | default(value='sk')) }}</label>
        <p class="text-sm text-on-surface/80 dark:text-on-surface-dark/80">{{ email }}</p>
      </div>
      <div class="space-y-1.5">
        <label for="phone" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-phone", lang=lang | default(value='sk')) }}</label>
        <div class="flex gap-2">
          <!-- editable combobox: type freely or pick from the dropdown -->
          <div class="relative w-28 shrink-0" @click.outside="prefixOpen = false"
            x-data="{ prefixOpen: false, prefix: '{{ phone_prefix | default(value='+421') }}', opts: [
              { v: '+421', l: '🇸🇰 +421' }, { v: '+420', l: '🇨🇿 +420' },
              { v: '+43', l: '🇦🇹 +43' }, { v: '+49', l: '🇩🇪 +49' },
              { v: '+48', l: '🇵🇱 +48' }, { v: '+36', l: '🇭🇺 +36' },
              { v: '+44', l: '🇬🇧 +44' }, { v: '+39', l: '🇮🇹 +39' }, { v: '+33', l: '🇫🇷 +33' }
            ], get filtered() { return this.opts.filter(o => !this.prefix || o.v.includes(this.prefix)) } }">
            <input name="phone_prefix" type="text" x-model="prefix" @focus="prefixOpen = true" @input="prefixOpen = true"
              aria-label="{{ t(key='checkout-phone', lang=lang | default(value='sk')) }}" autocomplete="tel-country-code" inputmode="tel"
              class="w-full rounded-radius border border-outline bg-surface py-2 pl-3 pr-7 text-sm text-on-surface focus:outline-2 focus:outline-primary dark:border-outline-dark dark:bg-surface-dark dark:text-on-surface-dark">
            <button type="button" tabindex="-1" @click="prefixOpen = !prefixOpen"
              class="absolute inset-y-0 right-0 flex w-7 items-center justify-center text-on-surface/60 dark:text-on-surface-dark/60">
              <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor"
                class="size-4 transition-transform" :class="prefixOpen && 'rotate-180'">
                <path stroke-linecap="round" stroke-linejoin="round" d="m19.5 8.25-7.5 7.5-7.5-7.5" />
              </svg>
            </button>
            <ul x-show="prefixOpen" x-cloak x-transition
              class="absolute z-20 mt-1 max-h-56 w-full overflow-auto rounded-radius border border-outline bg-surface p-1 shadow-lg dark:border-outline-dark dark:bg-surface-dark-alt">
              <template x-for="o in filtered" :key="o.v">
                <li><button type="button" @click="prefix = o.v; prefixOpen = false" x-text="o.l"
                  class="block w-full rounded-radius px-3 py-1.5 text-left text-sm text-on-surface transition hover:bg-surface-alt dark:text-on-surface-dark dark:hover:bg-surface-dark"></button></li>
              </template>
            </ul>
          </div>
          {{ ui::input(name="phone", id="phone", type="tel", value=phone | default(value=''), autocomplete="tel", placeholder="900 000 000", attrs='inputmode="tel"') }}
        </div>
      </div>
    </fieldset>
    <!-- default shipping address -->
    <fieldset class="space-y-4 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-shipping", lang=lang | default(value='sk')) }}</legend>
      <div class="space-y-1.5">
        <label for="address" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-address", lang=lang | default(value='sk')) }}</label>
        {{ ui::input(name="address", id="address", value=address | default(value=''), autocomplete="street-address") }}
      </div>
      <div class="grid gap-4 sm:grid-cols-3">
        <div class="space-y-1.5">
          <label for="city" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-city", lang=lang | default(value='sk')) }}</label>
          {{ ui::input(name="city", id="city", value=city | default(value=''), autocomplete="address-level2") }}
        </div>
        <div class="space-y-1.5">
          <label for="zip" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-zip", lang=lang | default(value='sk')) }}</label>
          {{ ui::input(name="zip", id="zip", value=zip | default(value=''), autocomplete="postal-code") }}
        </div>
        <div class="space-y-1.5">
          <label for="country" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-country", lang=lang | default(value='sk')) }}</label>
          <div class="relative" @click.outside="countryOpen = false"
            x-data="{ countryOpen: false, country: '{{ country | default(value='') }}', opts: [
              { v: '{{ t(key='country-sk', lang=lang | default(value='sk')) }}', l: '🇸🇰 {{ t(key='country-sk', lang=lang | default(value='sk')) }}' },
              { v: '{{ t(key='country-cz', lang=lang | default(value='sk')) }}', l: '🇨🇿 {{ t(key='country-cz', lang=lang | default(value='sk')) }}' },
              { v: '{{ t(key='country-at', lang=lang | default(value='sk')) }}', l: '🇦🇹 {{ t(key='country-at', lang=lang | default(value='sk')) }}' },
              { v: '{{ t(key='country-de', lang=lang | default(value='sk')) }}', l: '🇩🇪 {{ t(key='country-de', lang=lang | default(value='sk')) }}' },
              { v: '{{ t(key='country-pl', lang=lang | default(value='sk')) }}', l: '🇵🇱 {{ t(key='country-pl', lang=lang | default(value='sk')) }}' },
              { v: '{{ t(key='country-hu', lang=lang | default(value='sk')) }}', l: '🇭🇺 {{ t(key='country-hu', lang=lang | default(value='sk')) }}' }
            ], get filtered() { return this.opts.filter(o => !this.country || o.v.toLowerCase().includes(this.country.toLowerCase())) } }">
            <input id="country" name="country" type="text" x-model="country" @focus="countryOpen = true" @input="countryOpen = true"
              class="w-full rounded-radius border border-outline bg-surface py-2 pl-3 pr-8 text-sm text-on-surface focus:outline-2 focus:outline-primary dark:border-outline-dark dark:bg-surface-dark dark:text-on-surface-dark">
            <button type="button" tabindex="-1" @click="countryOpen = !countryOpen"
              class="absolute inset-y-0 right-0 flex w-8 items-center justify-center text-on-surface/60 dark:text-on-surface-dark/60">
              <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 24 24" stroke-width="2" stroke="currentColor"
                class="size-4 transition-transform" :class="countryOpen && 'rotate-180'">
                <path stroke-linecap="round" stroke-linejoin="round" d="m19.5 8.25-7.5 7.5-7.5-7.5" />
              </svg>
            </button>
            <ul x-show="countryOpen" x-cloak x-transition
              class="absolute z-20 mt-1 max-h-56 w-full overflow-auto rounded-radius border border-outline bg-surface p-1 shadow-lg dark:border-outline-dark dark:bg-surface-dark-alt">
              <template x-for="o in filtered" :key="o.v">
                <li><button type="button" @click="country = o.v; countryOpen = false" x-text="o.l"
                  class="block w-full rounded-radius px-3 py-1.5 text-left text-sm text-on-surface transition hover:bg-surface-alt dark:text-on-surface-dark dark:hover:bg-surface-dark"></button></li>
              </template>
            </ul>
          </div>
        </div>
      </div>
    </fieldset>
    <div class="flex items-center gap-3">
      {{ ui::button(label=t(key="profile-save", lang=lang | default(value='sk')), type="submit", size="px-6 py-2.5 text-sm") }}
      {{ ui::button(label=t(key="profile-cancel", lang=lang | default(value='sk')), type="button", variant="outline-secondary", size="px-6 py-2.5 text-sm", attrs='@click="editing = false"') }}
    </div>
  </form>
 </div>
 {% endblock content %}
--- a/assets/views/admin/orders/show.html
+++ b/assets/views/admin/orders/show.html
@@ -52,6 +52,15 @@
        <p class="text-on-surface/80 dark:text-on-surface-dark/80">{{ order.email }}</p>
        {% if order.phone %}<p class="text-on-surface/80 dark:text-on-surface-dark/80">{{ order.phone }}</p>{% endif %}
      </div>
      {% if order.account_type == "company" %}
      <div>
        <p class="text-xs uppercase tracking-wide text-on-surface/60 dark:text-on-surface-dark/60">{{ t(key="account-company-details", lang=lang | default(value='sk')) }}</p>
        <p class="font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ order.company_name }}</p>
        <p class="text-on-surface/80 dark:text-on-surface-dark/80">{{ t(key="company-ico", lang=lang | default(value='sk')) }}: {{ order.company_id }}</p>
        <p class="text-on-surface/80 dark:text-on-surface-dark/80">{{ t(key="company-dic", lang=lang | default(value='sk')) }}: {{ order.tax_id }}</p>
        {% if order.vat_id %}<p class="text-on-surface/80 dark:text-on-surface-dark/80">{{ t(key="company-icdph", lang=lang | default(value='sk')) }}: {{ order.vat_id }}</p>{% endif %}
      </div>
      {% endif %}
      <div>
        <p class="text-xs uppercase tracking-wide text-on-surface/60 dark:text-on-surface-dark/60">{{ t(key="checkout-shipping", lang=lang | default(value='sk')) }}</p>
        <p class="text-on-surface/80 dark:text-on-surface-dark/80">{{ order.address }}<br>{{ order.zip }} {{ order.city }}<br>{{ order.country }}</p>
--- a/assets/views/auth/login.html
+++ b/assets/views/auth/login.html
@@ -22,6 +22,9 @@
      {% if error == "unverified" %}
      {{ ui::alert_danger(message=t(key="login-error-unverified", lang=lang | default(value='sk')), extra="mt-3") }}
      <p class="mt-2 text-sm text-on-surface dark:text-on-surface-dark">
        <a href="/resend-verification" class="font-medium text-primary underline-offset-2 hover:underline dark:text-primary-dark">{{ t(key="login-resend", lang=lang | default(value='sk')) }}</a>
      </p>
      {% elif error %}
      {{ ui::alert_danger(message=t(key="login-error", lang=lang | default(value='sk')), extra="mt-3") }}
      {% endif %}
--- a/assets/views/auth/register.html
+++ b/assets/views/auth/register.html
@@ -22,17 +22,29 @@
      {% if error == "exists" %}
      {{ ui::alert_danger(message=t(key="register-error-exists", lang=lang | default(value='sk')), extra="mt-3") }}
      {% elif error == "mismatch" %}
      {{ ui::alert_danger(message=t(key="set-password-mismatch", lang=lang | default(value='sk')), extra="mt-3") }}
      {% elif error == "weak" %}
      {{ ui::alert_danger(message=t(key="set-password-weak", lang=lang | default(value='sk')), extra="mt-3") }}
      {% elif error %}
      {{ ui::alert_danger(message=t(key="register-error-invalid", lang=lang | default(value='sk')), extra="mt-3") }}
      {% endif %}
-      <form method="post" action="/register" hx-boost="false" class="mt-4 flex flex-col gap-4">
+      <form method="post" action="/register" hx-boost="false" class="mt-4 flex flex-col gap-4"
-        <div class="flex flex-col gap-1">
+        x-data="{ password: '', confirm: '' }">
-          <label for="name"
+        <div class="flex flex-col gap-1.5">
-            class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
+          <span class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-type", lang=lang | default(value='sk')) }}</span>
-            {{ t(key="register-name", lang=lang | default(value='sk')) }}
+          <div class="grid grid-cols-2 gap-2">
-          </label>
+            <label class="flex cursor-pointer items-center gap-2 rounded-radius border border-outline px-3 py-2 text-sm transition has-[:checked]:border-primary dark:border-outline-dark dark:has-[:checked]:border-primary-dark">
-          {{ ui::input(name="name", id="name", required=true, autocomplete="name", attrs="autofocus") }}
+              {{ ui::radio(name="account_type", value="personal", checked=true) }}
              <span class="font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-personal", lang=lang | default(value='sk')) }}</span>
            </label>
            <label class="flex cursor-pointer items-center gap-2 rounded-radius border border-outline px-3 py-2 text-sm transition has-[:checked]:border-primary dark:border-outline-dark dark:has-[:checked]:border-primary-dark">
              {{ ui::radio(name="account_type", value="company") }}
              <span class="font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-company", lang=lang | default(value='sk')) }}</span>
            </label>
          </div>
          <span class="text-xs text-on-surface/60 dark:text-on-surface-dark/60">{{ t(key="account-type-locked", lang=lang | default(value='sk')) }}</span>
        </div>
        <div class="flex flex-col gap-1">
@@ -40,7 +52,7 @@
            class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
            {{ t(key="login-email", lang=lang | default(value='sk')) }}
          </label>
-          {{ ui::input(name="email", id="email", type="email", required=true, autocomplete="email") }}
+          {{ ui::input(name="email", id="email", type="email", required=true, autocomplete="email", attrs="autofocus") }}
        </div>
        <div class="flex flex-col gap-1">
@@ -48,10 +60,22 @@
            class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
            {{ t(key="login-password", lang=lang | default(value='sk')) }}
          </label>
-          {{ ui::input(name="password", id="password", type="password", required=true, autocomplete="new-password") }}
+          {{ ui::input(name="password", id="password", type="password", required=true, autocomplete="new-password", attrs='x-model="password"') }}
        </div>
-        {{ ui::button(label=t(key="register-submit", lang=lang | default(value='sk')), type="submit", extra="mt-1 w-full") }}
+        <div class="flex flex-col gap-1">
          <label for="password_confirm"
            class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">
            {{ t(key="set-password-confirm", lang=lang | default(value='sk')) }}
          </label>
          {{ ui::input(name="password_confirm", id="password_confirm", type="password", required=true, autocomplete="new-password", attrs='x-model="confirm"') }}
          <span x-cloak x-show="confirm.length > 0 && password !== confirm"
            class="text-xs text-danger dark:text-danger">
            {{ t(key="set-password-mismatch", lang=lang | default(value='sk')) }}
          </span>
        </div>
        {{ ui::button(label=t(key="register-submit", lang=lang | default(value='sk')), type="submit", extra="mt-1 w-full", attrs=':disabled="password !== confirm"') }}
      </form>
      <div class="mt-5 flex items-center gap-3 text-xs text-on-surface/50 dark:text-on-surface-dark/50">
--- a/assets/views/auth/resend_verification.html
+++ b/assets/views/auth/resend_verification.html
@@ -0,0 +1,37 @@
 {% extends "base.html" %}
 {% import "macros/ui.html" as ui %}
 {% block title %}{{ t(key="resend-verification-title", lang=lang | default(value='sk')) }}{% endblock title %}
 {% block content %}
 <div class="mx-auto mt-8 max-w-sm">
  <div class="rounded-radius border border-outline bg-surface-alt shadow-sm dark:border-outline-dark dark:bg-surface-dark-alt">
    <div class="flex items-center justify-between border-b border-outline px-5 py-3 dark:border-outline-dark">
      <span class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="brand", lang=lang | default(value='sk')) }}</span>
      {{ ui::badge(label=t(key="auth", lang=lang | default(value='sk')), variant="primary") }}
    </div>
    <div class="p-5">
      <h1 class="text-xl font-bold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="resend-verification-title", lang=lang | default(value='sk')) }}</h1>
      {% if done %}
      <div class="mt-3 rounded-radius border border-success bg-success/10 px-4 py-3 text-sm text-success" role="status">
        {{ t(key="resend-verification-done", lang=lang | default(value='sk')) }}
      </div>
      <p class="mt-4 text-sm text-on-surface dark:text-on-surface-dark">
        <a href="/login" class="font-medium text-primary underline-offset-2 hover:underline dark:text-primary-dark">{{ t(key="nav-login", lang=lang | default(value='sk')) }}</a>
      </p>
      {% else %}
      <p class="mt-1 text-sm text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="resend-verification-intro", lang=lang | default(value='sk')) }}</p>
      <form method="post" action="/resend-verification" hx-boost="false" class="mt-4 flex flex-col gap-4">
        <div class="flex flex-col gap-1">
          <label for="email" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="login-email", lang=lang | default(value='sk')) }}</label>
          {{ ui::input(name="email", id="email", type="email", required=true, autocomplete="email", attrs="autofocus") }}
        </div>
        {{ ui::button(label=t(key="resend-verification-submit", lang=lang | default(value='sk')), type="submit", extra="mt-1 w-full") }}
      </form>
      {% endif %}
    </div>
  </div>
 </div>
 {% endblock content %}
--- a/assets/views/auth/set_password.html
+++ b/assets/views/auth/set_password.html
@@ -0,0 +1,47 @@
 {% extends "base.html" %}
 {% import "macros/ui.html" as ui %}
 {% block title %}{{ t(key="set-password-title", lang=lang | default(value='sk')) }}{% endblock title %}
 {% block content %}
 <div class="mx-auto mt-8 max-w-sm">
  <div class="rounded-radius border border-outline bg-surface-alt shadow-sm dark:border-outline-dark dark:bg-surface-dark-alt">
    <div class="flex items-center justify-between border-b border-outline px-5 py-3 dark:border-outline-dark">
      <span class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="brand", lang=lang | default(value='sk')) }}</span>
      {{ ui::badge(label=t(key="auth", lang=lang | default(value='sk')), variant="primary") }}
    </div>
    <div class="p-5">
      <h1 class="text-xl font-bold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="set-password-title", lang=lang | default(value='sk')) }}</h1>
      {% if not valid %}
      {{ ui::alert_danger(message=t(key="set-password-invalid", lang=lang | default(value='sk')), extra="mt-3") }}
      <p class="mt-4 text-sm text-on-surface dark:text-on-surface-dark">
        <a href="/login" class="font-medium text-primary underline-offset-2 hover:underline dark:text-primary-dark">{{ t(key="nav-login", lang=lang | default(value='sk')) }}</a>
      </p>
      {% else %}
      <p class="mt-1 text-sm text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="set-password-intro", lang=lang | default(value='sk')) }}</p>
      {% if error == "mismatch" %}
      {{ ui::alert_danger(message=t(key="set-password-mismatch", lang=lang | default(value='sk')), extra="mt-3") }}
      {% elif error == "weak" %}
      {{ ui::alert_danger(message=t(key="set-password-weak", lang=lang | default(value='sk')), extra="mt-3") }}
      {% endif %}
      <form method="post" action="/set-password" hx-boost="false" class="mt-4 flex flex-col gap-4">
        <input type="hidden" name="token" value="{{ token }}">
        <div class="flex flex-col gap-1">
          <label for="password" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="set-password-new", lang=lang | default(value='sk')) }}</label>
          {{ ui::input(name="password", id="password", type="password", required=true, autocomplete="new-password", attrs="autofocus") }}
        </div>
        <div class="flex flex-col gap-1">
          <label for="password_confirm" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="set-password-confirm", lang=lang | default(value='sk')) }}</label>
          {{ ui::input(name="password_confirm", id="password_confirm", type="password", required=true, autocomplete="new-password") }}
        </div>
        {{ ui::button(label=t(key="set-password-submit", lang=lang | default(value='sk')), type="submit", extra="mt-1 w-full") }}
      </form>
      {% endif %}
    </div>
  </div>
 </div>
 {% endblock content %}
--- a/assets/views/base.html
+++ b/assets/views/base.html
@@ -85,6 +85,13 @@
              <button type="submit" class="text-sm font-medium text-danger underline-offset-2 transition hover:opacity-75 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
            </form>
          </li>
          {% elif logged_in_customer %}
          <li>{{ ui::nav_link(label=t(key="nav-profile", lang=lang | default(value='sk')), href="/account/profile", data_nav="/account") }}</li>
          <li>
            <form method="post" action="/logout" hx-boost="false">
              <button type="submit" class="text-sm font-medium text-danger underline-offset-2 transition hover:opacity-75 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
            </form>
          </li>
          {% else %}
          <li>{{ ui::nav_link(label=t(key="nav-login", lang=lang | default(value='sk')), href="/login", data_nav="/login") }}</li>
          <li>{{ ui::nav_link(label=t(key="nav-register", lang=lang | default(value='sk')), href="/register", data_nav="/register") }}</li>
@@ -131,6 +138,13 @@
              <button type="submit" class="block w-full rounded-radius px-3 py-2 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-primary/5 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
            </form>
          </li>
          {% elif logged_in_customer %}
          <li><a href="/account/profile" data-nav="/account" class="block rounded-radius px-3 py-2 text-sm font-medium text-on-surface underline-offset-2 transition hover:bg-primary/5 hover:text-primary focus:outline-hidden focus-visible:underline aria-[current=page]:font-semibold aria-[current=page]:bg-primary/10 aria-[current=page]:text-primary dark:text-on-surface-dark dark:hover:text-primary-dark dark:aria-[current=page]:text-primary-dark">{{ t(key="nav-profile", lang=lang | default(value='sk')) }}</a></li>
          <li>
            <form method="post" action="/logout" hx-boost="false">
              <button type="submit" class="block w-full rounded-radius px-3 py-2 text-left text-sm font-medium text-danger underline-offset-2 transition hover:bg-primary/5 focus:outline-hidden focus-visible:underline">{{ t(key="logout", lang=lang | default(value='sk')) }}</button>
            </form>
          </li>
          {% else %}
          <li><a href="/login" data-nav="/login" class="block rounded-radius px-3 py-2 text-sm font-medium text-on-surface underline-offset-2 transition hover:bg-primary/5 hover:text-primary focus:outline-hidden focus-visible:underline aria-[current=page]:font-semibold aria-[current=page]:bg-primary/10 aria-[current=page]:text-primary dark:text-on-surface-dark dark:hover:text-primary-dark dark:aria-[current=page]:text-primary-dark">{{ t(key="nav-login", lang=lang | default(value='sk')) }}</a></li>
          <li><a href="/register" data-nav="/register" class="block rounded-radius px-3 py-2 text-sm font-medium text-on-surface underline-offset-2 transition hover:bg-primary/5 hover:text-primary focus:outline-hidden focus-visible:underline aria-[current=page]:font-semibold aria-[current=page]:bg-primary/10 aria-[current=page]:text-primary dark:text-on-surface-dark dark:hover:text-primary-dark dark:aria-[current=page]:text-primary-dark">{{ t(key="nav-register", lang=lang | default(value='sk')) }}</a></li>
--- a/assets/views/macros/ui.html
+++ b/assets/views/macros/ui.html
@@ -82,6 +82,11 @@
 {# Compact danger alert (form/inline errors). Adapted from
   penguinui/alert/default-alert.html (danger variant), trimmed to a single line
   with the danger icon. #}
 {# Required-field marker: a red asterisk appended to a field label. #}
 {% macro req() -%}
 <span class="ml-0.5 text-danger" aria-hidden="true">*</span>
 {%- endmacro req %}
 {% macro alert_danger(message, extra="") -%}
 <div class="flex w-full items-center gap-2 overflow-hidden rounded-radius border border-danger bg-danger/10 px-3 py-2 text-sm text-danger {{ extra }}" role="alert">
  <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20" fill="currentColor" class="size-5 shrink-0" aria-hidden="true">
--- a/assets/views/shop/checkout.html
+++ b/assets/views/shop/checkout.html
@@ -11,6 +11,7 @@
 <form method="post" action="/checkout" hx-boost="false"
  x-data="{
    paymentMethod: '',
    accountType: '{{ prefill_account_type | default(value='personal') }}',
    carrier: '',
    carrierPrice: 0,
    requiresPoint: false,
@@ -31,23 +32,73 @@
  class="mt-6 grid gap-8 lg:grid-cols-3">
  <div class="space-y-6 lg:col-span-2">
    <!-- personal vs company. Fixed (read-only) for a logged-in account; a guest
         picks it and the choice will type any account they create. -->
    <fieldset class="space-y-3 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-type", lang=lang | default(value='sk')) }}</legend>
      {% if account_fixed %}
      <div class="flex items-center gap-2">
        {% if prefill_account_type == "company" %}
        {{ ui::badge(label=t(key="account-company", lang=lang | default(value='sk')), variant="primary") }}
        {% else %}
        {{ ui::badge(label=t(key="account-personal", lang=lang | default(value='sk')), variant="neutral") }}
        {% endif %}
        <span class="text-xs text-on-surface/60 dark:text-on-surface-dark/60">{{ t(key="account-type-locked", lang=lang | default(value='sk')) }}</span>
      </div>
      {% else %}
      <div class="grid gap-3 sm:grid-cols-2">
        <label class="flex cursor-pointer items-center gap-3 rounded-radius border border-outline px-4 py-3 transition has-[:checked]:border-primary dark:border-outline-dark dark:has-[:checked]:border-primary-dark">
          {{ ui::radio(name="account_type", value="personal", attrs='x-model="accountType"') }}
          <span class="font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-personal", lang=lang | default(value='sk')) }}</span>
        </label>
        <label class="flex cursor-pointer items-center gap-3 rounded-radius border border-outline px-4 py-3 transition has-[:checked]:border-primary dark:border-outline-dark dark:has-[:checked]:border-primary-dark">
          {{ ui::radio(name="account_type", value="company", attrs='x-model="accountType"') }}
          <span class="font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-company", lang=lang | default(value='sk')) }}</span>
        </label>
      </div>
      {% endif %}
    </fieldset>
    <!-- company billing details (company accounts only) -->
    <fieldset x-show="accountType === 'company'" x-cloak class="space-y-4 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="account-company-details", lang=lang | default(value='sk')) }}</legend>
      <div class="space-y-1.5">
        <label for="company_name" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="company-name", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
        {{ ui::input(name="company_name", id="company_name", value=prefill_company_name | default(value=''), autocomplete="organization") }}
      </div>
      <div class="grid gap-4 sm:grid-cols-3">
        <div class="space-y-1.5">
          <label for="company_id" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="company-ico", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
          {{ ui::input(name="company_id", id="company_id", value=prefill_company_id | default(value='')) }}
        </div>
        <div class="space-y-1.5">
          <label for="tax_id" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="company-dic", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
          {{ ui::input(name="tax_id", id="tax_id", value=prefill_tax_id | default(value='')) }}
        </div>
        <div class="space-y-1.5">
          <label for="vat_id" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="company-icdph", lang=lang | default(value='sk')) }} <span class="text-on-surface/50 dark:text-on-surface-dark/50">({{ t(key="field-optional", lang=lang | default(value='sk')) }})</span></label>
          {{ ui::input(name="vat_id", id="vat_id", value=prefill_vat_id | default(value='')) }}
        </div>
      </div>
    </fieldset>
    <!-- contact -->
    <fieldset class="space-y-4 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-contact", lang=lang | default(value='sk')) }}</legend>
      <div class="space-y-1.5">
-        <label for="email" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-email", lang=lang | default(value='sk')) }}</label>
+        <label for="email" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-email", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
-        {{ ui::input(name="email", id="email", type="email", required=true, autocomplete="email") }}
+        {{ ui::input(name="email", id="email", type="email", value=prefill_email | default(value=''), required=true, autocomplete="email") }}
      </div>
      <div class="space-y-1.5">
-        <label for="customer_name" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-name", lang=lang | default(value='sk')) }}</label>
+        <label for="customer_name" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-name", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
-        {{ ui::input(name="customer_name", id="customer_name", required=true, autocomplete="name") }}
+        {{ ui::input(name="customer_name", id="customer_name", value=prefill_name | default(value=''), required=true, autocomplete="name") }}
      </div>
      <div class="space-y-1.5">
-        <label for="phone" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-phone", lang=lang | default(value='sk')) }}</label>
+        <label for="phone" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-phone", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
        <div class="flex gap-2">
          <!-- editable combobox: type freely or pick from the dropdown -->
          <div class="relative w-28 shrink-0" @click.outside="prefixOpen = false"
-            x-data="{ prefixOpen: false, prefix: '+421', opts: [
+            x-data="{ prefixOpen: false, prefix: '{{ prefill_phone_prefix | default(value='+421') }}', opts: [
              { v: '+421', l: '🇸🇰 +421' }, { v: '+420', l: '🇨🇿 +420' },
              { v: '+43', l: '🇦🇹 +43' }, { v: '+49', l: '🇩🇪 +49' },
              { v: '+48', l: '🇵🇱 +48' }, { v: '+36', l: '🇭🇺 +36' },
@@ -71,7 +122,7 @@
              </template>
            </ul>
          </div>
-          {{ ui::input(name="phone", id="phone", type="tel", required=true, autocomplete="tel", placeholder="900 000 000", attrs='inputmode="tel"') }}
+          {{ ui::input(name="phone", id="phone", type="tel", value=prefill_phone | default(value=''), required=true, autocomplete="tel", placeholder="900 000 000", attrs='inputmode="tel"') }}
        </div>
      </div>
    </fieldset>
@@ -80,22 +131,22 @@
    <fieldset class="space-y-4 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-shipping", lang=lang | default(value='sk')) }}</legend>
      <div class="space-y-1.5">
-        <label for="address" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-address", lang=lang | default(value='sk')) }}</label>
+        <label for="address" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-address", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
-        {{ ui::input(name="address", id="address", required=true, autocomplete="street-address") }}
+        {{ ui::input(name="address", id="address", value=prefill_address | default(value=''), required=true, autocomplete="street-address") }}
      </div>
      <div class="grid gap-4 sm:grid-cols-3">
        <div class="space-y-1.5">
-          <label for="city" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-city", lang=lang | default(value='sk')) }}</label>
+          <label for="city" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-city", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
-          {{ ui::input(name="city", id="city", required=true, autocomplete="address-level2") }}
+          {{ ui::input(name="city", id="city", value=prefill_city | default(value=''), required=true, autocomplete="address-level2") }}
        </div>
        <div class="space-y-1.5">
-          <label for="zip" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-zip", lang=lang | default(value='sk')) }}</label>
+          <label for="zip" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-zip", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
-          {{ ui::input(name="zip", id="zip", required=true, autocomplete="postal-code") }}
+          {{ ui::input(name="zip", id="zip", value=prefill_zip | default(value=''), required=true, autocomplete="postal-code") }}
        </div>
        <div class="space-y-1.5">
-          <label for="country" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-country", lang=lang | default(value='sk')) }}</label>
+          <label for="country" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-country", lang=lang | default(value='sk')) }}{{ ui::req() }}</label>
          <div class="relative" @click.outside="countryOpen = false"
-            x-data="{ countryOpen: false, country: '{{ t(key='country-sk', lang=lang | default(value='sk')) }}', opts: [
+            x-data="{ countryOpen: false, country: '{{ prefill_country | default(value=t(key='country-sk', lang=lang | default(value='sk'))) }}', opts: [
              { v: '{{ t(key='country-sk', lang=lang | default(value='sk')) }}', l: '🇸🇰 {{ t(key='country-sk', lang=lang | default(value='sk')) }}' },
              { v: '{{ t(key='country-cz', lang=lang | default(value='sk')) }}', l: '🇨🇿 {{ t(key='country-cz', lang=lang | default(value='sk')) }}' },
              { v: '{{ t(key='country-at', lang=lang | default(value='sk')) }}', l: '🇦🇹 {{ t(key='country-at', lang=lang | default(value='sk')) }}' },
@@ -126,7 +177,7 @@
    <!-- carrier -->
    <fieldset class="space-y-3 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
-      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-carrier", lang=lang | default(value='sk')) }}</legend>
+      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-carrier", lang=lang | default(value='sk')) }}{{ ui::req() }}</legend>
      {% for m in shipping_methods %}
      <label class="flex cursor-pointer items-center justify-between gap-3 rounded-radius border border-outline px-4 py-3 transition has-[:checked]:border-primary dark:border-outline-dark dark:has-[:checked]:border-primary-dark">
        <span class="flex items-center gap-3">
@@ -162,7 +213,7 @@
    <!-- payment -->
    <fieldset class="space-y-3 rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
-      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-payment", lang=lang | default(value='sk')) }}</legend>
+      <legend class="px-1 text-sm font-semibold text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-payment", lang=lang | default(value='sk')) }}{{ ui::req() }}</legend>
      <label class="flex cursor-pointer items-center gap-3 rounded-radius border border-outline px-4 py-3 transition has-[:checked]:border-primary dark:border-outline-dark dark:has-[:checked]:border-primary-dark">
        {{ ui::radio(name="payment_method", value="cod", attrs='required x-model="paymentMethod"') }}
        <span class="font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="payment-cod", lang=lang | default(value='sk')) }}</span>
@@ -177,6 +228,20 @@
      <label for="note" class="text-sm font-medium text-on-surface-strong dark:text-on-surface-dark-strong">{{ t(key="checkout-note", lang=lang | default(value='sk')) }}</label>
      {{ ui::textarea(name="note", id="note", rows="3") }}
    </div>
    {% if logged_in_customer and not profile_filled %}
    <!-- offered only when the profile has no saved address yet; if it was filled
         in advance we leave it untouched -->
    {{ ui::checkbox(name="save_profile", id="save_profile", label=t(key="checkout-save-profile", lang=lang | default(value='sk'))) }}
    {% endif %}
    {% if can_create_account %}
    <!-- guests may turn this order into an account (typed by their choice above) -->
    <div class="space-y-1.5 rounded-radius border border-outline bg-surface p-4 dark:border-outline-dark dark:bg-surface-dark-alt">
      {{ ui::checkbox(name="create_account", id="create_account", label=t(key="checkout-create-account", lang=lang | default(value='sk'))) }}
      <p class="pl-6 text-xs text-on-surface/60 dark:text-on-surface-dark/60">{{ t(key="checkout-create-account-hint", lang=lang | default(value='sk')) }}</p>
    </div>
    {% endif %}
  </div>
  <!-- summary -->
--- a/assets/views/shop/order_confirmed.html
+++ b/assets/views/shop/order_confirmed.html
@@ -15,6 +15,12 @@
    <p class="mt-1 text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="order-confirmed-sub", lang=lang | default(value='sk')) }}</p>
  </div>
  {% if account_created %}
  <div class="rounded-radius border border-primary/40 bg-primary/5 p-4 text-sm text-on-surface dark:border-primary-dark/40 dark:text-on-surface-dark" role="status">
    {{ t(key="order-account-created", lang=lang | default(value='sk')) }}
  </div>
  {% endif %}
  <div class="rounded-radius border border-outline bg-surface p-6 dark:border-outline-dark dark:bg-surface-dark-alt">
    <div class="flex flex-wrap justify-between gap-2 border-b border-outline pb-3 dark:border-outline-dark">
      <span class="text-sm text-on-surface/70 dark:text-on-surface-dark/70">{{ t(key="order-number", lang=lang | default(value='sk')) }}</span>
--- a/config/development.yaml
+++ b/config/development.yaml
@@ -45,19 +45,24 @@ workers:
 # Mailer Configuration.
 mailer:
-  # SMTP mailer configuration.
+  # SMTP mailer configuration. Defaults target a local catcher (MailHog/Mailpit
  # on localhost:1025); set the SMTP_* env vars to point at a real server. The
  # auth block is only emitted when SMTP_PASSWORD is provided, so the secret is
  # never stored here — pass it in at launch (e.g. from `pass`).
  smtp:
    # Enable/Disable smtp mailer.
-    enable: true
+    enable: {{ get_env(name="SMTP_ENABLE", default="true") }}
    # SMTP server host. e.x localhost, smtp.gmail.com
-    host: localhost
+    host: "{{ get_env(name="SMTP_HOST", default="localhost") }}"
    # SMTP server port
-    port: 1025
+    port: {{ get_env(name="SMTP_PORT", default="1025") }}
    # Use secure connection (SSL/TLS).
-    secure: false
+    secure: {{ get_env(name="SMTP_SECURE", default="false") }}
-    # auth:
+{% if get_env(name="SMTP_PASSWORD", default="") != "" %}
-    #   user:
+    auth:
-    #   password:
+      user: "{{ get_env(name="SMTP_USER", default="") }}"
      password: "{{ get_env(name="SMTP_PASSWORD", default="") }}"
 {% endif %}
    # Override the SMTP hello name (default is the machine's hostname)
    # hello_name:
--- a/config/test.yaml
+++ b/config/test.yaml
@@ -42,33 +42,58 @@ workers:
 # Mailer Configuration.
 # Defaults keep the whole suite on the in-memory stub mailer. The real-SMTP
 # smoke test (tests/mailer/smtp_send.rs) opts in by setting these env vars
 # before boot; nothing else in the suite sends real mail.
 mailer:
-  stub: true
+  stub: {{ get_env(name="MAILER_STUB", default="true") }}
  # SMTP mailer configuration.
  smtp:
    # Enable/Disable smtp mailer.
-    enable: true
+    enable: {{ get_env(name="SMTP_ENABLE", default="true") }}
    # SMTP server host. e.x localhost, smtp.gmail.com
-    host: localhost
+    host: "{{ get_env(name="SMTP_HOST", default="localhost") }}"
    # SMTP server port
-    port: 1025
+    port: {{ get_env(name="SMTP_PORT", default="1025") }}
    # Use secure connection (SSL/TLS).
-    secure: false
+    secure: {{ get_env(name="SMTP_SECURE", default="false") }}
-    # auth:
+    auth:
-    #   user:
+      user: "{{ get_env(name="SMTP_USER", default="") }}"
-    #   password:
+      password: "{{ get_env(name="SMTP_PASSWORD", default="") }}"
 # Initializers Configuration
-# initializers:
+# OAuth2StoreInitializer requires this block to boot (it builds the client store
-#  oauth2:
+# in after_routes). Static, non-secret placeholders: tests never perform a real
-#    authorization_code: # Authorization code grant type
+# OAuth2 handshake, they just need the store to construct successfully.
-#      - client_identifier: google # Identifier for the OAuth2 provider. Replace 'google' with your provider's name if different, must be unique within the oauth2 config.
+initializers:
-#        ... other fields
+  oauth2:
    # Private-cookie key: a ", "-separated list of >=64 byte values (not a
    # plain string). This is loco-oauth2's documented sample key; fine for tests.
    secret_key: "144, 76, 183, 1, 15, 184, 233, 174, 214, 251, 190, 186, 122, 61, 74, 84, 225, 110, 189, 115, 10, 251, 133, 128, 52, 46, 15, 66, 85, 1, 245, 73, 27, 113, 189, 15, 209, 205, 61, 100, 73, 31, 18, 58, 235, 105, 141, 36, 70, 92, 231, 151, 27, 32, 243, 117, 30, 244, 110, 89, 233, 196, 137, 130"
    authorization_code:
      - client_identifier: google
        client_credentials:
          client_id: test-client-id
          client_secret: test-client-secret
        url_config:
          auth_url: https://accounts.google.com/o/oauth2/auth
          token_url: https://www.googleapis.com/oauth2/v3/token
          redirect_url: http://localhost:5150/api/oauth2/google/callback
          profile_url: https://openidconnect.googleapis.com/v1/userinfo
          scopes:
            - https://www.googleapis.com/auth/userinfo.email
            - https://www.googleapis.com/auth/userinfo.profile
        cookie_config:
          protected_url: http://localhost:5150/
        timeout_seconds: 600
 # Database Configuration
 database:
-  # Database connection URI
+  # Database connection URI. Pinned to the throwaway test DB and intentionally
-  uri: {{ get_env(name="DATABASE_URL", default="postgres://uni_loco_web_user:3@localhost:5432/kompress_eshop_test") }}
+  # NOT read from `DATABASE_URL`: the app loads `.env` on boot (app.rs
  # `load_config`), and this config has `dangerously_recreate: true`, so honoring
  # an env override here would let `cargo test` recreate the dev/prod database.
  uri: "postgres://uni_loco_web_user:3@localhost:5432/kompress_eshop_test"
  # When enabled, the sql query will be logged.
  enable_logging: false
  # Set the timeout duration when acquiring a connection.
--- a/migration/Cargo.toml
+++ b/migration/Cargo.toml
@@ -13,7 +13,7 @@ loco-rs = { workspace = true }
 [dependencies.sea-orm-migration]
-version = "1.1.0"
+version = "1.1.20"
 features = [
  # Enable at least one `ASYNC_RUNTIME` and `DATABASE_DRIVER` feature if you want to run migration via CLI.
  # View the list of supported features at https://www.sea-ql.org/SeaORM/docs/install-and-config/database-and-async-runtime.
--- a/migration/src/lib.rs
+++ b/migration/src/lib.rs
@@ -31,6 +31,9 @@ mod m20260617_000001_add_carrier_to_shipping_methods;
 mod m20260617_000002_add_shipment_to_orders;
 mod m20260617_000003_add_phone_to_orders;
 mod m20260618_000001_o_auth2_sessions;
 mod m20260618_000002_customer_profiles;
 mod m20260618_000003_account_type;
 mod m20260618_000004_account_ownership;
 pub struct Migrator;
 #[async_trait::async_trait]
@@ -66,6 +69,9 @@ impl MigratorTrait for Migrator {
            Box::new(m20260617_000002_add_shipment_to_orders::Migration),
            Box::new(m20260617_000003_add_phone_to_orders::Migration),
            Box::new(m20260618_000001_o_auth2_sessions::Migration),
            Box::new(m20260618_000002_customer_profiles::Migration),
            Box::new(m20260618_000003_account_type::Migration),
            Box::new(m20260618_000004_account_ownership::Migration),
            // inject-above (do not remove this comment)
        ]
    }
--- a/migration/src/m20260618_000002_customer_profiles.rs
+++ b/migration/src/m20260618_000002_customer_profiles.rs
@@ -0,0 +1,44 @@
 use loco_rs::schema::*;
 use sea_orm_migration::prelude::*;
 #[derive(DeriveMigrationName)]
 pub struct Migration;
 #[async_trait::async_trait]
 impl MigrationTrait for Migration {
    async fn up(&self, m: &SchemaManager) -> Result<(), DbErr> {
        // One shipping/contact profile per customer, used to prefill the
        // checkout form. `name`/`email` already live on `users`; this table
        // holds only the address + phone fields. `user` adds a user_id FK; the
        // unique index below makes the relationship 1:1.
        create_table(
            m,
            "customer_profiles",
            &[
                ("id", ColType::PkAuto),
                ("phone_prefix", ColType::StringNull),
                ("phone", ColType::StringNull),
                ("address", ColType::StringNull),
                ("city", ColType::StringNull),
                ("zip", ColType::StringNull),
                ("country", ColType::StringNull),
            ],
            &[("user", "")],
        )
        .await?;
        m.create_index(
            Index::create()
                .name("idx_customer_profiles_user_id_unique")
                .table(Alias::new("customer_profiles"))
                .col(Alias::new("user_id"))
                .unique()
                .to_owned(),
        )
        .await
    }
    async fn down(&self, m: &SchemaManager) -> Result<(), DbErr> {
        drop_table(m, "customer_profiles").await
    }
 }
--- a/migration/src/m20260618_000003_account_type.rs
+++ b/migration/src/m20260618_000003_account_type.rs
@@ -0,0 +1,39 @@
 use loco_rs::schema::*;
 use sea_orm_migration::prelude::*;
 #[derive(DeriveMigrationName)]
 pub struct Migration;
 // Personal vs company purchasing. `account_type` is "personal" or "company";
 // the company_* columns hold the Slovak invoicing identifiers (IČO, DIČ and the
 // optional VAT id IČ DPH) and are only filled for company accounts/orders.
 const COMPANY_COLUMNS: [&str; 4] = ["company_name", "company_id", "tax_id", "vat_id"];
 #[async_trait::async_trait]
 impl MigrationTrait for Migration {
    async fn up(&self, m: &SchemaManager) -> Result<(), DbErr> {
        for table in ["customer_profiles", "orders"] {
            add_column(
                m,
                table,
                "account_type",
                ColType::StringWithDefault("personal".to_string()),
            )
            .await?;
            for col in COMPANY_COLUMNS {
                add_column(m, table, col, ColType::StringNull).await?;
            }
        }
        Ok(())
    }
    async fn down(&self, m: &SchemaManager) -> Result<(), DbErr> {
        for table in ["customer_profiles", "orders"] {
            remove_column(m, table, "account_type").await?;
            for col in COMPANY_COLUMNS {
                remove_column(m, table, col).await?;
            }
        }
        Ok(())
    }
 }
--- a/migration/src/m20260618_000004_account_ownership.rs
+++ b/migration/src/m20260618_000004_account_ownership.rs
@@ -0,0 +1,38 @@
 use loco_rs::schema::*;
 use sea_orm_migration::prelude::*;
 #[derive(DeriveMigrationName)]
 pub struct Migration;
 // Account type becomes a permanent property of the *user* (chosen at
 // registration, never switchable), so it moves off `customer_profiles`. Orders
 // gain a nullable `user_id` linking them to the account that placed them
 // (null for guest orders that didn't create an account).
 #[async_trait::async_trait]
 impl MigrationTrait for Migration {
    async fn up(&self, m: &SchemaManager) -> Result<(), DbErr> {
        add_column(
            m,
            "users",
            "account_type",
            ColType::StringWithDefault("personal".to_string()),
        )
        .await?;
        add_column(m, "orders", "user_id", ColType::IntegerNull).await?;
        remove_column(m, "customer_profiles", "account_type").await?;
        Ok(())
    }
    async fn down(&self, m: &SchemaManager) -> Result<(), DbErr> {
        add_column(
            m,
            "customer_profiles",
            "account_type",
            ColType::StringWithDefault("personal".to_string()),
        )
        .await?;
        remove_column(m, "orders", "user_id").await?;
        remove_column(m, "users", "account_type").await?;
        Ok(())
    }
 }
--- a/src/app.rs
+++ b/src/app.rs
@@ -17,7 +17,7 @@ use std::{path::Path, sync::Arc};
 #[allow(unused_imports)]
 use crate::{
    controllers::{
-        admin_categories, admin_dashboard, admin_form, admin_orders,
+        account, admin_categories, admin_dashboard, admin_form, admin_orders,
        admin_products, admin_shipping, auth, auth_pages, cart, checkout, home, i18n, media, oauth2,
        shop,
    },
@@ -91,6 +91,7 @@ impl Hooks for App {
            // cross-cutting
            .add_route(auth::routes())
            .add_route(auth_pages::routes())
            .add_route(account::routes())
            .add_route(oauth2::routes())
            .add_route(i18n::routes())
            .add_route(media::routes())
--- a/src/controllers/account.rs
+++ b/src/controllers/account.rs
@@ -0,0 +1,200 @@
 //! Customer account area. Currently just the shipping/contact profile, whose
 //! fields prefill the checkout form. Gated to authenticated non-admin users:
 //! anonymous visitors are bounced to `/login`. Admins have their own area and
 //! are sent to the dashboard.
 //!
 //! The account *type* (personal vs company) is fixed at registration and lives
 //! on the user — it is shown here read-only and can never be changed. The
 //! profile only edits the type-specific details (company identity + address).
 use axum_extra::extract::cookie::CookieJar;
 use loco_rs::prelude::*;
 use serde::Deserialize;
 use serde_json::json;
 use crate::{
    controllers::i18n::current_lang,
    models::{
        customer_profiles::{self, ProfileFields},
        users,
    },
    shared::guard,
 };
 #[derive(Debug, Deserialize)]
 struct ProfileForm {
    first_name: Option<String>,
    last_name: Option<String>,
    company_name: Option<String>,
    company_id: Option<String>,
    tax_id: Option<String>,
    vat_id: Option<String>,
    phone_prefix: Option<String>,
    phone: Option<String>,
    address: Option<String>,
    city: Option<String>,
    zip: Option<String>,
    country: Option<String>,
 }
 fn trimmed(value: Option<&str>) -> Option<String> {
    value.map(str::trim).filter(|v| !v.is_empty()).map(String::from)
 }
 /// Split a stored full name into (first name, surname). The surname is
 /// everything after the first whitespace, so multi-word surnames round-trip.
 fn split_name(name: &str) -> (String, String) {
    match name.trim().split_once(char::is_whitespace) {
        Some((first, rest)) => (first.to_string(), rest.trim().to_string()),
        None => (name.trim().to_string(), String::new()),
    }
 }
 /// Recombine the two name fields into the single stored `name`. Returns `None`
 /// when the result is too short to be a valid name (the user can't blank it out).
 fn full_name_from_form(form: &ProfileForm) -> Option<String> {
    let first = form.first_name.as_deref().unwrap_or("").trim();
    let last = form.last_name.as_deref().unwrap_or("").trim();
    let full = format!("{first} {last}").trim().to_string();
    (full.chars().count() >= 2).then_some(full)
 }
 /// Build the persisted fields from the submitted form. Company identifiers are
 /// only kept for company accounts (a personal account can never carry them).
 fn fields_from_form(form: &ProfileForm, is_company: bool) -> ProfileFields {
    let company = |v: Option<&str>| if is_company { trimmed(v) } else { None };
    ProfileFields {
        company_name: company(form.company_name.as_deref()),
        company_id: company(form.company_id.as_deref()),
        tax_id: company(form.tax_id.as_deref()),
        vat_id: company(form.vat_id.as_deref()),
        phone_prefix: trimmed(form.phone_prefix.as_deref()),
        phone: trimmed(form.phone.as_deref()),
        address: trimmed(form.address.as_deref()),
        city: trimmed(form.city.as_deref()),
        zip: trimmed(form.zip.as_deref()),
        country: trimmed(form.country.as_deref()),
    }
 }
 /// The profile fields held by a saved profile, for re-prefilling the form.
 fn fields_of(profile: Option<&customer_profiles::Model>) -> ProfileFields {
    match profile {
        Some(p) => ProfileFields {
            company_name: p.company_name.clone(),
            company_id: p.company_id.clone(),
            tax_id: p.tax_id.clone(),
            vat_id: p.vat_id.clone(),
            phone_prefix: p.phone_prefix.clone(),
            phone: p.phone.clone(),
            address: p.address.clone(),
            city: p.city.clone(),
            zip: p.zip.clone(),
            country: p.country.clone(),
        },
        None => ProfileFields::default(),
    }
 }
 /// A company account must carry its invoicing identity (company name + IČO +
 /// DIČ; IČ DPH stays optional). Personal accounts have no such requirement.
 fn company_fields_missing(fields: &ProfileFields) -> bool {
    fields.company_name.is_none() || fields.company_id.is_none() || fields.tax_id.is_none()
 }
 /// Render the profile form for `user`, prefilled from `fields`. `saved` shows
 /// the success banner; `error` shows the company-required validation message.
 fn profile_view(
    v: &TeraView,
    jar: &CookieJar,
    user: &users::Model,
    fields: &ProfileFields,
    saved: bool,
    error: bool,
 ) -> Result<Response> {
    let (first_name, last_name) = split_name(&user.name);
    format::view(
        v,
        "account/profile.html",
        json!({
            "logged_in_admin": false,
            "logged_in_customer": true,
            "saved": saved,
            "error": error,
            "name": user.name,
            "first_name": first_name,
            "last_name": last_name,
            "email": user.email,
            "account_type": user.account_type,
            "company_name": fields.company_name,
            "company_id": fields.company_id,
            "tax_id": fields.tax_id,
            "vat_id": fields.vat_id,
            "phone_prefix": fields.phone_prefix,
            "phone": fields.phone,
            "address": fields.address,
            "city": fields.city,
            "zip": fields.zip,
            "country": fields.country,
            "lang": current_lang(jar),
        }),
    )
 }
 #[debug_handler]
 async fn profile_page(
    jar: CookieJar,
    ViewEngine(v): ViewEngine<TeraView>,
    State(ctx): State<AppContext>,
 ) -> Result<Response> {
    let Some(user) = guard::current_user(&ctx, &jar).await else {
        return format::redirect("/login");
    };
    if guard::is_admin(&ctx, &user) {
        return format::redirect("/admin/dashboard");
    }
    let profile = customer_profiles::Model::find_for_user(&ctx.db, user.id).await?;
    profile_view(&v, &jar, &user, &fields_of(profile.as_ref()), false, false)
 }
 #[debug_handler]
 async fn save_profile(
    jar: CookieJar,
    ViewEngine(v): ViewEngine<TeraView>,
    State(ctx): State<AppContext>,
    Form(form): Form<ProfileForm>,
 ) -> Result<Response> {
    let Some(user) = guard::current_user(&ctx, &jar).await else {
        return format::redirect("/login");
    };
    if guard::is_admin(&ctx, &user) {
        return format::redirect("/admin/dashboard");
    }
    // Apply the edited name to a working copy so it's reflected on both the
    // success and re-rendered-error views. A blank/too-short name is ignored —
    // the field can't be cleared.
    let mut user = user;
    let new_name = full_name_from_form(&form).filter(|n| *n != user.name);
    if let Some(name) = new_name.clone() {
        user.name = name;
    }
    let fields = fields_from_form(&form, user.is_company());
    // A company account's profile is rejected (and re-shown with the entered
    // values) until it carries its required identifiers.
    if user.is_company() && company_fields_missing(&fields) {
        return profile_view(&v, &jar, &user, &fields, false, true);
    }
    if let Some(name) = new_name {
        let mut active = user.clone().into_active_model();
        active.name = ActiveValue::set(name);
        active.update(&ctx.db).await?;
    }
    customer_profiles::Model::upsert(&ctx.db, user.id, fields.clone()).await?;
    profile_view(&v, &jar, &user, &fields, true, false)
 }
 pub fn routes() -> Routes {
    Routes::new()
        .add("/account/profile", get(profile_page))
        .add("/account/profile", post(save_profile))
 }
--- a/src/controllers/auth_pages.rs
+++ b/src/controllers/auth_pages.rs
@@ -106,13 +106,50 @@ async fn register_page(
    register_view(&v, &jar, None)
 }
 /// Registration form. The name is no longer collected from the user — it is
 /// derived from the email — and the password is entered twice to guard against
 /// typos.
 #[derive(Debug, serde::Deserialize)]
 struct RegisterForm {
    email: String,
    password: String,
    password_confirm: String,
    #[serde(default)]
    account_type: Option<String>,
 }
 /// Derive a display name from an email address (its local part), falling back to
 /// the full address when the local part is too short for the name validator.
 fn name_from_email(email: &str) -> String {
    let local = email.split('@').next().unwrap_or("").trim();
    if local.chars().count() >= 2 {
        local.to_string()
    } else {
        email.trim().to_string()
    }
 }
 #[debug_handler]
 async fn register(
    jar: CookieJar,
    ViewEngine(v): ViewEngine<TeraView>,
    State(ctx): State<AppContext>,
-    Form(params): Form<RegisterParams>,
+    Form(form): Form<RegisterForm>,
 ) -> Result<Response> {
    if form.password != form.password_confirm {
        return register_view(&v, &jar, Some("mismatch"));
    }
    if form.password.len() < 8 {
        return register_view(&v, &jar, Some("weak"));
    }
    let params = RegisterParams {
        name: name_from_email(&form.email),
        email: form.email,
        password: form.password,
        account_type: form.account_type,
    };
    let user = match users::Model::create_with_password(&ctx.db, &params).await {
        Ok(user) => user,
        Err(ModelError::EntityAlreadyExists {}) => {
@@ -185,6 +222,127 @@ fn verified_view(v: &TeraView, jar: &CookieJar, ok: bool) -> Result<Response> {
    )
 }
 /// Resend the email-verification link. Throttled per account (see
 /// [`users::Model::verification_resend_wait_secs`]) so it can't be used to spam
 /// an inbox, and always returns the same neutral message so it can't be used to
 /// probe which addresses are registered.
 #[derive(Debug, serde::Deserialize)]
 struct ResendVerificationForm {
    email: String,
 }
 fn resend_verification_view(v: &TeraView, jar: &CookieJar, done: bool) -> Result<Response> {
    format::view(
        v,
        "auth/resend_verification.html",
        json!({
            "done": done,
            "logged_in_admin": false,
            "lang": current_lang(jar),
        }),
    )
 }
 #[debug_handler]
 async fn resend_verification_page(
    jar: CookieJar,
    ViewEngine(v): ViewEngine<TeraView>,
 ) -> Result<Response> {
    resend_verification_view(&v, &jar, false)
 }
 #[debug_handler]
 async fn resend_verification(
    jar: CookieJar,
    ViewEngine(v): ViewEngine<TeraView>,
    State(ctx): State<AppContext>,
    Form(form): Form<ResendVerificationForm>,
 ) -> Result<Response> {
    // Resend only for a real, still-unverified account that is past its cooldown.
    // Anything else (unknown email, already verified, too soon) silently does
    // nothing — the response is identical either way.
    if let Ok(user) = users::Model::find_by_email(&ctx.db, form.email.trim()).await {
        if user.email_verified_at.is_none() && user.verification_resend_wait_secs() == 0 {
            match user.into_active_model().set_email_verification_sent(&ctx.db).await {
                Ok(user) => {
                    if let Err(err) = AuthMailer::send_welcome(&ctx, &user).await {
                        tracing::error!(error = %err, "failed to resend verification email");
                    }
                }
                Err(err) => tracing::error!(error = %err, "failed to refresh verification token"),
            }
        } else {
            tracing::info!("verification resend skipped (already verified or within cooldown)");
        }
    }
    resend_verification_view(&v, &jar, true)
 }
 /// Set-password form for accounts created during checkout (and any account that
 /// has a valid reset token). Reuses the password-reset token machinery.
 #[derive(Debug, serde::Deserialize)]
 struct SetPasswordForm {
    token: String,
    password: String,
    password_confirm: String,
 }
 fn set_password_view(
    v: &TeraView,
    jar: &CookieJar,
    token: &str,
    valid: bool,
    error: Option<&str>,
 ) -> Result<Response> {
    format::view(
        v,
        "auth/set_password.html",
        json!({
            "token": token,
            "valid": valid,
            "error": error,
            "logged_in_admin": false,
            "lang": current_lang(jar),
        }),
    )
 }
 #[debug_handler]
 async fn set_password_page(
    jar: CookieJar,
    ViewEngine(v): ViewEngine<TeraView>,
    State(ctx): State<AppContext>,
    Path(token): Path<String>,
 ) -> Result<Response> {
    let valid = users::Model::find_by_reset_token(&ctx.db, &token).await.is_ok();
    set_password_view(&v, &jar, &token, valid, None)
 }
 #[debug_handler]
 async fn set_password(
    jar: CookieJar,
    ViewEngine(v): ViewEngine<TeraView>,
    State(ctx): State<AppContext>,
    Form(form): Form<SetPasswordForm>,
 ) -> Result<Response> {
    let Ok(user) = users::Model::find_by_reset_token(&ctx.db, &form.token).await else {
        return set_password_view(&v, &jar, &form.token, false, None);
    };
    if form.password != form.password_confirm {
        return set_password_view(&v, &jar, &form.token, true, Some("mismatch"));
    }
    if form.password.len() < 8 {
        return set_password_view(&v, &jar, &form.token, true, Some("weak"));
    }
    // Setting the password through an emailed link also proves email ownership,
    // so the account is marked verified here.
    let user = user.into_active_model().reset_password(&ctx.db, &form.password).await?;
    if user.email_verified_at.is_none() {
        user.into_active_model().verified(&ctx.db).await?;
    }
    format::redirect("/login")
 }
 #[debug_handler]
 async fn logout() -> Result<Response> {
    format::render()
@@ -211,6 +369,10 @@ pub fn routes() -> Routes {
        .add("/register", get(register_page))
        .add("/register", post(register))
        .add("/verify/{token}", get(verify))
        .add("/resend-verification", get(resend_verification_page))
        .add("/resend-verification", post(resend_verification))
        .add("/set-password/{token}", get(set_password_page))
        .add("/set-password", post(set_password))
        .add("/logout", post(logout))
        .add("/admin", get(admin_entry))
 }
--- a/src/controllers/cart.rs
+++ b/src/controllers/cart.rs
@@ -1,4 +1,4 @@
-use crate::{controllers::i18n::current_lang, shared::money::format_price, models::products};
+use crate::{controllers::i18n::current_lang, shared::{guard, money::format_price}, models::products};
 use axum::{
    http::{HeaderMap, StatusCode},
    response::Redirect,
@@ -234,6 +234,7 @@ async fn show(
    // Drop any now-invalid lines from the cookie so the badge stays accurate.
    let rebuilt = serialize_cart(&valid);
    let (logged_in_admin, logged_in_customer) = guard::chrome(&ctx, &jar).await;
    let response = format::view(
        &v,
        "shop/cart.html",
@@ -241,6 +242,8 @@ async fn show(
            "items": lines,
            "total": format_price(total),
            "currency": currency,
            "logged_in_admin": logged_in_admin,
            "logged_in_customer": logged_in_customer,
            "lang": current_lang(&jar),
        }),
    )?;
--- a/src/controllers/checkout.rs
+++ b/src/controllers/checkout.rs
@@ -1,6 +1,7 @@
 //! Public checkout flow: the checkout form, placing an order, and the order
 //! confirmation page.
 use axum::extract::Query;
 use axum_extra::extract::cookie::{Cookie, CookieJar, SameSite};
 use loco_rs::prelude::*;
 use sea_orm::{ColumnTrait, EntityTrait, QueryFilter, QueryOrder};
@@ -10,9 +11,14 @@ use time::Duration as TimeDuration;
 use crate::{
    controllers::cart::{resolve_cart, CART_COOKIE},
-    models::{order_items, orders, shipping_methods},
+    mailers::auth::AuthMailer,
    models::{
        customer_profiles::{self, ProfileFields},
        order_items, orders, shipping_methods,
        users::{self, normalize_account_type},
    },
    controllers::i18n::current_lang,
-    shared::{money::format_price, settings},
+    shared::{guard, money::format_price, settings},
    views::checkout as view,
 };
@@ -24,6 +30,11 @@ struct CheckoutForm {
    phone_prefix: String,
    phone: String,
    customer_name: String,
    account_type: Option<String>,
    company_name: Option<String>,
    company_id: Option<String>,
    tax_id: Option<String>,
    vat_id: Option<String>,
    address: String,
    city: String,
    zip: String,
@@ -33,6 +44,10 @@ struct CheckoutForm {
    carrier_code: String,
    pickup_point_id: Option<String>,
    pickup_point_name: Option<String>,
    // Present (as "on") only when a logged-in customer ticks "save my address".
    save_profile: Option<String>,
    // Present only when a guest ticks "create an account from this order".
    create_account: Option<String>,
 }
 fn trimmed(value: &str) -> Option<String> {
@@ -86,6 +101,25 @@ async fn checkout_page(
        })
        .collect();
    // Prefill the form for a logged-in customer: contact name/email come from
    // the user account, the address/phone from their saved profile (if any).
    let user = guard::current_user(&ctx, &jar).await;
    let is_admin = user.as_ref().is_some_and(|u| guard::is_admin(&ctx, u));
    let is_customer = user.is_some() && !is_admin;
    let profile = match (&user, is_customer) {
        (Some(u), true) => customer_profiles::Model::find_for_user(&ctx.db, u.id).await?,
        _ => None,
    };
    let p = |get: fn(&customer_profiles::Model) -> Option<String>| {
        profile.as_ref().and_then(get)
    };
    // Whether the customer already has a shipping address on file. When they do,
    // the "save this address to my profile" opt-in is pointless (the profile was
    // filled in advance), so it's hidden and the existing profile is left alone.
    let profile_filled = profile
        .as_ref()
        .is_some_and(|pr| pr.address.is_some() && pr.city.is_some() && pr.zip.is_some());
    format::view(
        &v,
        "shop/checkout.html",
@@ -96,6 +130,26 @@ async fn checkout_page(
            "currency": currency,
            "shipping_methods": methods,
            "packeta_api_key": settings::get(&ctx, "packeta_api_key").unwrap_or(""),
            "logged_in_admin": is_admin,
            "logged_in_customer": is_customer,
            "profile_filled": profile_filled,
            // A logged-in customer's account type is fixed; only guests pick it
            // and may opt to create an account from the order.
            "account_fixed": is_customer,
            "can_create_account": user.is_none(),
            "prefill_email": user.as_ref().filter(|_| is_customer).map(|u| u.email.clone()),
            "prefill_name": user.as_ref().filter(|_| is_customer).map(|u| u.name.clone()),
            "prefill_account_type": user.as_ref().filter(|_| is_customer).map_or("personal", |u| u.account_type.as_str()),
            "prefill_company_name": p(|x| x.company_name.clone()),
            "prefill_company_id": p(|x| x.company_id.clone()),
            "prefill_tax_id": p(|x| x.tax_id.clone()),
            "prefill_vat_id": p(|x| x.vat_id.clone()),
            "prefill_phone_prefix": p(|x| x.phone_prefix.clone()),
            "prefill_phone": p(|x| x.phone.clone()),
            "prefill_address": p(|x| x.address.clone()),
            "prefill_city": p(|x| x.city.clone()),
            "prefill_zip": p(|x| x.zip.clone()),
            "prefill_country": p(|x| x.country.clone()),
            "lang": current_lang(&jar),
        }),
    )
@@ -119,7 +173,7 @@ async fn place_order(
        trimmed(&form.phone).ok_or_else(|| Error::BadRequest("phone is required".to_string()))?;
    let phone = match trimmed(&form.phone_prefix) {
        Some(prefix) => format!("{prefix} {number}"),
-        None => number,
+        None => number.clone(),
    };
    // Contact and shipping-address fields are mandatory (also enforced in the
@@ -133,6 +187,31 @@ async fn place_order(
    let zip = require(&form.zip, "zip")?;
    let country = require(&form.country, "country")?;
    // The account type is fixed for a logged-in customer (taken from their
    // account, never the form); a guest picks it on the form. Admins are treated
    // as guests here.
    let current_user = guard::current_user(&ctx, &jar).await;
    let logged_in_customer = current_user
        .as_ref()
        .filter(|u| !guard::is_admin(&ctx, u));
    let account_type = match logged_in_customer {
        Some(u) => u.account_type.clone(),
        None => normalize_account_type(form.account_type.as_deref()),
    };
    // Company purchases must carry the invoicing identifiers (IČO + DIČ
    // required, IČ DPH optional). Personal orders carry none.
    let (company_name, company_id, tax_id, vat_id) = if account_type == "company" {
        (
            Some(require(form.company_name.as_deref().unwrap_or(""), "company name")?),
            Some(require(form.company_id.as_deref().unwrap_or(""), "IČO")?),
            Some(require(form.tax_id.as_deref().unwrap_or(""), "DIČ")?),
            form.vat_id.as_deref().and_then(trimmed),
        )
    } else {
        (None, None, None, None)
    };
    if !PAYMENT_METHODS.contains(&form.payment_method.as_str()) {
        return Err(Error::BadRequest("invalid payment method".to_string()));
    }
@@ -157,6 +236,74 @@ async fn place_order(
        (None, None)
    };
    // The address/contact captured here, ready to seed a profile (for the
    // logged-in "save my address" opt-in or a freshly created guest account).
    let entered_profile = || ProfileFields {
        company_name: company_name.clone(),
        company_id: company_id.clone(),
        tax_id: tax_id.clone(),
        vat_id: vat_id.clone(),
        phone_prefix: trimmed(&form.phone_prefix),
        phone: Some(number.clone()),
        address: Some(address.clone()),
        city: Some(city.clone()),
        zip: Some(zip.clone()),
        country: Some(country.clone()),
    };
    // Resolve the account that will own this order. A logged-in customer always
    // owns their orders. A guest may opt to create an account from the order;
    // the new account's type matches what they bought as, its profile is seeded
    // from the entered details, and a "set your password" link is emailed. If
    // the email already belongs to an account we silently fall back to a guest
    // order (no hijacking an existing account).
    let mut order_user_id = logged_in_customer.map(|u| u.id);
    let mut account_created = false;
    if order_user_id.is_none() && form.create_account.is_some() {
        match users::Model::create_guest_account(&ctx.db, &email, &customer_name, &account_type)
            .await
        {
            Ok(new_user) => {
                if let Err(err) =
                    customer_profiles::Model::upsert(&ctx.db, new_user.id, entered_profile()).await
                {
                    tracing::error!(error = %err, user_id = new_user.id, "failed to seed guest profile");
                }
                let user_id = new_user.id;
                match new_user.into_active_model().set_forgot_password_sent(&ctx.db).await {
                    Ok(user) => {
                        if let Err(err) = AuthMailer::send_set_password(&ctx, &user).await {
                            tracing::error!(error = %err, "failed to send set-password email");
                        }
                        order_user_id = Some(user_id);
                        account_created = true;
                    }
                    Err(err) => {
                        tracing::error!(error = %err, "failed to issue set-password token");
                        order_user_id = Some(user_id);
                    }
                }
            }
            Err(ModelError::EntityAlreadyExists {}) => {
                tracing::info!(email = %email, "checkout account-create skipped: email already registered");
            }
            Err(err) => tracing::error!(error = %err, "failed to create checkout account"),
        }
    }
    // If a logged-in customer opted in, persist this address to their profile so
    // the next checkout is prefilled. Best-effort: a failure here is logged but
    // must not block the order.
    if form.save_profile.is_some() {
        if let Some(user) = logged_in_customer {
            if let Err(err) =
                customer_profiles::Model::upsert(&ctx.db, user.id, entered_profile()).await
            {
                tracing::error!(error = %err, user_id = user.id, "failed to save checkout profile");
            }
        }
    }
    let order = orders::place(
        &ctx,
        &valid,
@@ -164,6 +311,12 @@ async fn place_order(
            email,
            phone,
            customer_name: Some(customer_name),
            user_id: order_user_id,
            account_type,
            company_name,
            company_id,
            tax_id,
            vat_id,
            address: Some(address),
            city: Some(city),
            zip: Some(zip),
@@ -177,9 +330,14 @@ async fn place_order(
    )
    .await?;
    let target = if account_created {
        format!("/orders/{}?account_created=1", order.order_number)
    } else {
        format!("/orders/{}", order.order_number)
    };
    format::render()
        .cookies(&[cleared_cart_cookie()])?
-        .redirect(&format!("/orders/{}", order.order_number))
+        .redirect(&target)
 }
 #[debug_handler]
@@ -187,6 +345,7 @@ async fn order_confirmation(
    jar: CookieJar,
    ViewEngine(v): ViewEngine<TeraView>,
    Path(order_number): Path<String>,
    Query(params): Query<std::collections::HashMap<String, String>>,
    State(ctx): State<AppContext>,
 ) -> Result<Response> {
    let order = orders::Entity::find()
@@ -198,6 +357,8 @@ async fn order_confirmation(
        .filter(order_items::Column::OrderId.eq(order.id))
        .all(&ctx.db)
        .await?;
    let (logged_in_admin, logged_in_customer) = guard::chrome(&ctx, &jar).await;
    let account_created = params.contains_key("account_created");
    format::view(
        &v,
@@ -209,6 +370,9 @@ async fn order_confirmation(
                settings::get(&ctx, "bank_account_name").unwrap_or(""),
            ),
            "items": view::items(&items),
            "logged_in_admin": logged_in_admin,
            "logged_in_customer": logged_in_customer,
            "account_created": account_created,
            "lang": current_lang(&jar),
        }),
    )
--- a/src/controllers/home.rs
+++ b/src/controllers/home.rs
@@ -13,13 +13,15 @@ async fn index(
    State(ctx): State<AppContext>,
 ) -> Result<Response> {
    let products = shop::featured_products(&ctx, 8).await?;
    let (logged_in_admin, logged_in_customer) = guard::chrome(&ctx, &jar).await;
    format::view(
        &v,
        "home/index.html",
        json!({
            "products": products,
-            "logged_in_admin": guard::logged_in(&ctx, &jar).await,
+            "logged_in_admin": logged_in_admin,
            "logged_in_customer": logged_in_customer,
            "lang": current_lang(&jar),
        }),
    )
--- a/src/controllers/mod.rs
+++ b/src/controllers/mod.rs
@@ -1,3 +1,4 @@
 pub mod account;
 pub mod auth;
 pub mod auth_pages;
 pub mod oauth2;
--- a/src/controllers/shop.rs
+++ b/src/controllers/shop.rs
@@ -69,12 +69,14 @@ async fn index(
        .all(&ctx.db)
        .await?;
    let (logged_in_admin, logged_in_customer) = guard::chrome(&ctx, &jar).await;
    format::view(
        &v,
        "shop/index.html",
        json!({
            "products": product_rows(&ctx, list).await?,
-            "logged_in_admin": guard::logged_in(&ctx, &jar).await,
+            "logged_in_admin": logged_in_admin,
            "logged_in_customer": logged_in_customer,
            "lang": current_lang(&jar),
        }),
    )
@@ -108,6 +110,7 @@ async fn show(
        None => None,
    };
    let (logged_in_admin, logged_in_customer) = guard::chrome(&ctx, &jar).await;
    format::view(
        &v,
        "shop/show.html",
@@ -115,7 +118,8 @@ async fn show(
            "product": view::product_card(&product, None, category.as_ref().map(|c| c.name.clone())),
            "images": images.iter().map(|i| i.image_id.clone()).collect::<Vec<_>>(),
            "category": category,
-            "logged_in_admin": guard::logged_in(&ctx, &jar).await,
+            "logged_in_admin": logged_in_admin,
            "logged_in_customer": logged_in_customer,
            "lang": current_lang(&jar),
        }),
    )
@@ -151,6 +155,7 @@ async fn category(
        .all(&ctx.db)
        .await?;
    let (logged_in_admin, logged_in_customer) = guard::chrome(&ctx, &jar).await;
    format::view(
        &v,
        "shop/category.html",
@@ -159,7 +164,8 @@ async fn category(
            "breadcrumbs": breadcrumbs,
            "children": children,
            "products": product_rows(&ctx, list).await?,
-            "logged_in_admin": guard::logged_in(&ctx, &jar).await,
+            "logged_in_admin": logged_in_admin,
            "logged_in_customer": logged_in_customer,
            "lang": current_lang(&jar),
        }),
    )
--- a/src/initializers/admin_seeder.rs
+++ b/src/initializers/admin_seeder.rs
@@ -43,6 +43,7 @@ impl Initializer for AdminSeeder {
                    email: email.clone(),
                    password,
                    name,
                    account_type: None,
                },
            )
            .await?;
--- a/src/mailers/auth.rs
+++ b/src/mailers/auth.rs
@@ -9,10 +9,21 @@ use crate::models::users;
 static welcome: Dir<'_> = include_dir!("src/mailers/auth/welcome");
 static forgot: Dir<'_> = include_dir!("src/mailers/auth/forgot");
 static magic_link: Dir<'_> = include_dir!("src/mailers/auth/magic_link");
 static set_password: Dir<'_> = include_dir!("src/mailers/auth/set_password");
 #[allow(clippy::module_name_repetitions)]
 pub struct AuthMailer {}
-impl Mailer for AuthMailer {}
+impl Mailer for AuthMailer {
    /// Override the framework default (`System <system@example.com>`), which any
    /// real MX rejects (`example.com` is nullMX). Must be a sender the SMTP
    /// account is allowed to send as.
    fn opts() -> mailer::MailerOpts {
        mailer::MailerOpts {
            from: "Kompress <info@kompress.sk>".to_string(),
            ..Default::default()
        }
    }
 }
 impl AuthMailer {
    /// Sending welcome email the the given user
    ///
@@ -62,6 +73,31 @@ impl AuthMailer {
        Ok(())
    }
    /// Sends a "set your password" email to a checkout-created account. Reuses
    /// the reset token; the link lands on the HTML `/set-password/{token}` page.
    ///
    /// # Errors
    ///
    /// When email sending is failed
    pub async fn send_set_password(ctx: &AppContext, user: &users::Model) -> Result<()> {
        Self::mail_template(
            ctx,
            &set_password,
            mailer::Args {
                to: user.email.to_string(),
                locals: json!({
                  "name": user.name,
                  "resetToken": user.reset_token,
                  "domain": ctx.config.server.full_url()
                }),
                ..Default::default()
            },
        )
        .await?;
        Ok(())
    }
    /// Sends a magic link authentication email to the user.
    ///
    /// # Errors
--- a/src/mailers/auth/set_password/html.t
+++ b/src/mailers/auth/set_password/html.t
@@ -0,0 +1,10 @@
 <html>
 <body>
  Hey {{name}},
  Thanks for your order! We created an account for you. Set your password to finish, then you can track your orders:
  <a href="{{domain}}/set-password/{{resetToken}}">Set your password</a>
  If you didn't place this order, you can ignore this email.
 </body>
 </html>
--- a/src/mailers/auth/set_password/subject.t
+++ b/src/mailers/auth/set_password/subject.t
@@ -0,0 +1 @@
 Set your password
--- a/src/mailers/auth/set_password/text.t
+++ b/src/mailers/auth/set_password/text.t
@@ -0,0 +1,7 @@
 Hey {{name}},
 Thanks for your order! We created an account for you. Set your password to finish, then you can track your orders:
 {{domain}}/set-password/{{resetToken}}
 If you didn't place this order, you can ignore this email.
--- a/src/models/_entities/customer_profiles.rs
+++ b/src/models/_entities/customer_profiles.rs
@@ -0,0 +1,44 @@
 //! `SeaORM` Entity for customer shipping/contact profiles. Hand-written to match
 //! the `customer_profiles` migration (1:1 with `users` via a unique `user_id`).
 use sea_orm::entity::prelude::*;
 use serde::{Deserialize, Serialize};
 #[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq, Serialize, Deserialize)]
 #[sea_orm(table_name = "customer_profiles")]
 pub struct Model {
    pub created_at: DateTimeWithTimeZone,
    pub updated_at: DateTimeWithTimeZone,
    #[sea_orm(primary_key)]
    pub id: i32,
    #[sea_orm(unique)]
    pub user_id: i32,
    pub company_name: Option<String>,
    pub company_id: Option<String>,
    pub tax_id: Option<String>,
    pub vat_id: Option<String>,
    pub phone_prefix: Option<String>,
    pub phone: Option<String>,
    pub address: Option<String>,
    pub city: Option<String>,
    pub zip: Option<String>,
    pub country: Option<String>,
 }
 #[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
 pub enum Relation {
    #[sea_orm(
        belongs_to = "super::users::Entity",
        from = "Column::UserId",
        to = "super::users::Column::Id",
        on_update = "Cascade",
        on_delete = "Cascade"
    )]
    Users,
 }
 impl Related<super::users::Entity> for Entity {
    fn to() -> RelationDef {
        Relation::Users.def()
    }
 }
--- a/src/models/_entities/mod.rs
+++ b/src/models/_entities/mod.rs
@@ -4,6 +4,7 @@ pub mod prelude;
 pub mod audit_logs;
 pub mod categories;
 pub mod customer_profiles;
 pub mod o_auth2_sessions;
 pub mod order_items;
 pub mod orders;
--- a/src/models/_entities/orders.rs
+++ b/src/models/_entities/orders.rs
@@ -18,6 +18,12 @@ pub struct Model {
    pub status: String,
    pub total_cents: i64,
    pub currency: String,
    pub user_id: Option<i32>,
    pub account_type: String,
    pub company_name: Option<String>,
    pub company_id: Option<String>,
    pub tax_id: Option<String>,
    pub vat_id: Option<String>,
    pub address: Option<String>,
    pub city: Option<String>,
    pub zip: Option<String>,
--- a/src/models/_entities/prelude.rs
+++ b/src/models/_entities/prelude.rs
@@ -2,6 +2,7 @@
 pub use super::audit_logs::Entity as AuditLogs;
 pub use super::categories::Entity as Categories;
 pub use super::customer_profiles::Entity as CustomerProfiles;
 pub use super::o_auth2_sessions::Entity as OAuth2Sessions;
 pub use super::order_items::Entity as OrderItems;
 pub use super::orders::Entity as Orders;
--- a/src/models/_entities/users.rs
+++ b/src/models/_entities/users.rs
@@ -25,6 +25,7 @@ pub struct Model {
    pub magic_link_token: Option<String>,
    pub magic_link_expiration: Option<DateTimeWithTimeZone>,
    pub theme: String,
    pub account_type: String,
 }
 #[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
--- a/src/models/customer_profiles.rs
+++ b/src/models/customer_profiles.rs
@@ -0,0 +1,73 @@
 //! Per-customer shipping/contact profile: the address + phone fields used to
 //! prefill checkout. One row per user (unique `user_id`); `name`/`email` are
 //! read from `users`, never duplicated here.
 pub use crate::models::_entities::customer_profiles::{ActiveModel, Column, Entity, Model};
 use sea_orm::entity::prelude::*;
 use sea_orm::{ActiveValue, IntoActiveModel, QueryFilter, TryIntoModel};
 pub type CustomerProfiles = Entity;
 /// The editable profile fields, shared by the profile page and the checkout
 /// "save my address" path. The `company_*` fields are only meaningful for
 /// company accounts (account type now lives on `users`, fixed at registration).
 #[derive(Debug, Default, Clone)]
 pub struct ProfileFields {
    pub company_name: Option<String>,
    pub company_id: Option<String>,
    pub tax_id: Option<String>,
    pub vat_id: Option<String>,
    pub phone_prefix: Option<String>,
    pub phone: Option<String>,
    pub address: Option<String>,
    pub city: Option<String>,
    pub zip: Option<String>,
    pub country: Option<String>,
 }
 #[async_trait::async_trait]
 impl ActiveModelBehavior for ActiveModel {
    async fn before_save<C>(self, _db: &C, _insert: bool) -> std::result::Result<Self, DbErr>
    where
        C: ConnectionTrait,
    {
        Ok(self)
    }
 }
 impl Model {
    /// The profile for `user_id`, if one exists.
    pub async fn find_for_user(db: &DatabaseConnection, user_id: i32) -> Result<Option<Self>, DbErr> {
        Entity::find()
            .filter(Column::UserId.eq(user_id))
            .one(db)
            .await
    }
    /// Insert or update the profile for `user_id` with `fields`, returning the
    /// persisted row. The unique `user_id` index keeps this 1:1.
    pub async fn upsert(
        db: &DatabaseConnection,
        user_id: i32,
        fields: ProfileFields,
    ) -> Result<Self, DbErr> {
        let mut active = match Self::find_for_user(db, user_id).await? {
            Some(existing) => existing.into_active_model(),
            None => ActiveModel {
                user_id: ActiveValue::set(user_id),
                ..Default::default()
            },
        };
        active.company_name = ActiveValue::set(fields.company_name);
        active.company_id = ActiveValue::set(fields.company_id);
        active.tax_id = ActiveValue::set(fields.tax_id);
        active.vat_id = ActiveValue::set(fields.vat_id);
        active.phone_prefix = ActiveValue::set(fields.phone_prefix);
        active.phone = ActiveValue::set(fields.phone);
        active.address = ActiveValue::set(fields.address);
        active.city = ActiveValue::set(fields.city);
        active.zip = ActiveValue::set(fields.zip);
        active.country = ActiveValue::set(fields.country);
        active.save(db).await?.try_into_model()
    }
 }
--- a/src/models/mod.rs
+++ b/src/models/mod.rs
@@ -8,6 +8,7 @@ pub mod _entities;
 pub mod audit_logs;
 pub mod categories;
 pub mod customer_profiles;
 pub mod o_auth2_sessions;
 pub mod order_items;
 pub mod orders;
--- a/src/models/orders.rs
+++ b/src/models/orders.rs
@@ -14,6 +14,14 @@ pub struct Checkout {
    pub email: String,
    pub phone: String,
    pub customer_name: Option<String>,
    /// The account that owns this order, if any (a logged-in buyer or a guest
    /// who created an account during checkout). `None` for pure guest orders.
    pub user_id: Option<i32>,
    pub account_type: String,
    pub company_name: Option<String>,
    pub company_id: Option<String>,
    pub tax_id: Option<String>,
    pub vat_id: Option<String>,
    pub address: Option<String>,
    pub city: Option<String>,
    pub zip: Option<String>,
@@ -70,6 +78,12 @@ pub async fn place(ctx: &AppContext, items: &[(i32, i32)], details: Checkout) ->
        status: Set("pending".to_string()),
        total_cents: Set(subtotal + details.method.price_cents),
        currency: Set(currency),
        user_id: Set(details.user_id),
        account_type: Set(details.account_type),
        company_name: Set(details.company_name),
        company_id: Set(details.company_id),
        tax_id: Set(details.tax_id),
        vat_id: Set(details.vat_id),
        address: Set(details.address),
        city: Set(details.city),
        zip: Set(details.zip),
--- a/src/models/users.rs
+++ b/src/models/users.rs
@@ -13,6 +13,9 @@ pub use crate::models::_entities::users::{self, ActiveModel, Entity, Model};
 pub const MAGIC_LINK_LENGTH: i8 = 32;
 pub const MAGIC_LINK_EXPIRATION_MIN: i8 = 5;
 /// Minimum gap between verification-email resends for one account, in seconds.
 pub const VERIFICATION_RESEND_COOLDOWN_SECS: i64 = 60;
 #[derive(Debug, Deserialize, Serialize)]
 pub struct LoginParams {
    pub email: String,
@@ -24,6 +27,21 @@ pub struct RegisterParams {
    pub email: String,
    pub password: String,
    pub name: String,
    /// "personal" or "company"; permanent for the account. Optional on the wire
    /// (older/JSON callers omit it) and normalized via [`normalize_account_type`].
    #[serde(default)]
    pub account_type: Option<String>,
 }
 /// Normalize an account type to one of the two permanent values, defaulting to
 /// "personal" for anything missing or unexpected. An account's type is chosen
 /// once at registration and never changes.
 #[must_use]
 pub fn normalize_account_type(value: Option<&str>) -> String {
    match value.map(str::trim) {
        Some("company") => "company".to_string(),
        _ => "personal".to_string(),
    }
 }
 #[derive(Debug, Validate, Deserialize)]
@@ -216,6 +234,29 @@ impl Model {
        hash::verify_password(password, &self.password)
    }
    /// Whether this is a company account (vs a personal one). Fixed at
    /// registration.
    #[must_use]
    pub fn is_company(&self) -> bool {
        self.account_type == "company"
    }
    /// Seconds the user must still wait before another verification email may be
    /// sent — 0 means a resend is allowed now. Throttling resends off the last
    /// `email_verification_sent_at` keeps the endpoint from being an easy way to
    /// spam someone's inbox.
    #[must_use]
    pub fn verification_resend_wait_secs(&self) -> i64 {
        match self.email_verification_sent_at {
            Some(sent) => {
                let elapsed =
                    (chrono::Utc::now() - sent.with_timezone(&chrono::Utc)).num_seconds();
                (VERIFICATION_RESEND_COOLDOWN_SECS - elapsed).max(0)
            }
            None => 0,
        }
    }
    /// Asynchronously creates a user with a password and saves it to the
    /// database.
    ///
@@ -247,6 +288,7 @@ impl Model {
            email: ActiveValue::set(params.email.to_string()),
            password: ActiveValue::set(password_hash),
            name: ActiveValue::set(params.name.to_string()),
            account_type: ActiveValue::set(normalize_account_type(params.account_type.as_deref())),
            ..Default::default()
        }
        .insert(&txn)
@@ -257,6 +299,41 @@ impl Model {
        Ok(user)
    }
    /// Creates an account on behalf of a checkout guest. The user never picks a
    /// password here (a strong random one satisfies the NOT NULL column, as in
    /// the OAuth path); they receive a "set your password" link by email. Errors
    /// with [`ModelError::EntityAlreadyExists`] if the email is already taken.
    ///
    /// # Errors
    ///
    /// When the email already exists or the insert fails.
    pub async fn create_guest_account(
        db: &DatabaseConnection,
        email: &str,
        name: &str,
        account_type: &str,
    ) -> ModelResult<Self> {
        let password = PasswordGenerator::new()
            .length(16)
            .numbers(true)
            .lowercase_letters(true)
            .uppercase_letters(true)
            .symbols(true)
            .strict(true)
            .generate_one()
            .map_err(|e| ModelError::Any(e.into()))?;
        Self::create_with_password(
            db,
            &RegisterParams {
                email: email.to_string(),
                password,
                name: name.to_string(),
                account_type: Some(account_type.to_string()),
            },
        )
        .await
    }
    /// Creates a JWT
    ///
    /// # Errors
--- a/src/shared/guard.rs
+++ b/src/shared/guard.rs
@@ -45,3 +45,14 @@ pub async fn logged_in(ctx: &AppContext, jar: &CookieJar) -> bool {
        None => false,
    }
 }
 /// Nav chrome flags for storefront pages, in one DB lookup: returns
 /// `(logged_in_admin, logged_in_customer)`. A customer is any authenticated
 /// non-admin user. Both are `false` for anonymous visitors.
 pub async fn chrome(ctx: &AppContext, jar: &CookieJar) -> (bool, bool) {
    match current_user(ctx, jar).await {
        Some(user) if is_admin(ctx, &user) => (true, false),
        Some(_) => (false, true),
        None => (false, false),
    }
 }
--- a/src/views/checkout.rs
+++ b/src/views/checkout.rs
@@ -30,6 +30,11 @@ pub fn detail(order: &orders::Model, bank_iban: &str, bank_account_name: &str) -
        "email": order.email,
        "phone": order.phone,
        "customer_name": order.customer_name,
        "account_type": order.account_type,
        "company_name": order.company_name,
        "company_id": order.company_id,
        "tax_id": order.tax_id,
        "vat_id": order.vat_id,
        "status": order.status,
        "subtotal": format_price(order.total_cents - order.shipping_cents),
        "shipping": format_price(order.shipping_cents),
--- a/tests/mailer/mod.rs
+++ b/tests/mailer/mod.rs
@@ -0,0 +1 @@
 mod smtp_send;
--- a/tests/mailer/smtp_send.rs
+++ b/tests/mailer/smtp_send.rs
@@ -0,0 +1,104 @@
 //! Real-SMTP smoke test.
 //!
 //! Sends an actual email through the live SMTP server using the real
 //! `AuthMailer` pipeline (config -> Loco mailer -> templates -> SMTP). The test
 //! PASSES when the SMTP server accepts the message (the send returns `Ok`);
 //! confirm real delivery by checking the recipient's inbox.
 //!
 //! It is `#[ignore]`d so it never runs in CI or a normal `cargo test` (it opens
 //! a real network connection, uses real credentials, and sends a real email).
 //! Run it explicitly, inside `nix develop` so `SMTP_PASSWORD` is present:
 //!
 //! ```sh
 //! nix develop -c cargo test --test mod -- --ignored mailer::smtp_send
 //! # optional: choose the recipient (defaults to the address below)
 //! MAILER_TEST_TO=you@example.com \
 //!   nix develop -c cargo test --test mod -- --ignored mailer::smtp_send
 //! ```
 use kompress_eshop::{
    app::App,
    mailers::auth::AuthMailer,
    models::users::{Model, RegisterParams},
 };
 use loco_rs::testing::prelude::*;
 use sea_orm::IntoActiveModel;
 use serial_test::serial;
 // Non-secret production SMTP settings (mirror `.env`). The password is
 // intentionally NOT here: it is supplied at runtime via `SMTP_PASSWORD`
 // (direnv -> `pass`), and never committed.
 // Dial the name the TLS cert is actually valid for. `smtp.kompress.sk` is a
 // DNS alias for the same server (213.215.124.101) but the cert only lists
 // smtp.euronet.sk, so connecting via the alias fails certificate validation.
 const SMTP_HOST: &str = "smtp.euronet.sk";
 const SMTP_PORT: &str = "587";
 const SMTP_USER: &str = "kompres";
 const SMTP_SECURE: &str = "true";
 // Where the test email is sent. Override with `MAILER_TEST_TO`.
 const DEFAULT_RECIPIENT: &str = "filippriec@tutanota.com";
 #[tokio::test]
 #[serial]
 #[ignore = "sends a real email via live SMTP; run explicitly with --ignored"]
 async fn sends_real_email() {
    // The actual secret must come from the environment (direnv -> `pass`).
    // Fail loudly with guidance rather than silently sending nothing.
    let password = std::env::var("SMTP_PASSWORD").unwrap_or_default();
    assert!(
        !password.is_empty(),
        "SMTP_PASSWORD is not set. Run inside `nix develop` so direnv loads it from `pass`."
    );
    let recipient =
        std::env::var("MAILER_TEST_TO").unwrap_or_else(|_| DEFAULT_RECIPIENT.to_string());
    // Flip the booted context onto the real SMTP transport. `config/test.yaml`
    // reads these via `get_env` at boot. We deliberately do NOT load `.env`
    // here: it carries `DATABASE_URL`, and `test.yaml` has
    // `dangerously_recreate: true`, so loading it would recreate the real DB.
    // Leaving `DATABASE_URL` untouched keeps boot on the throwaway test DB.
    //
    // SAFETY: edition 2024 marks `set_var` as unsafe. This test is `#[serial]`,
    // so no other test mutates the process environment concurrently.
    unsafe {
        std::env::set_var("MAILER_STUB", "false");
        std::env::set_var("SMTP_ENABLE", "true");
        std::env::set_var("SMTP_HOST", SMTP_HOST);
        std::env::set_var("SMTP_PORT", SMTP_PORT);
        std::env::set_var("SMTP_USER", SMTP_USER);
        std::env::set_var("SMTP_SECURE", SMTP_SECURE);
    }
    let boot = boot_test::<App>()
        .await
        .expect("Failed to boot test application");
    // A real user whose address is the recipient, so `send_welcome` targets it.
    let user = Model::create_with_password(
        &boot.app_context.db,
        &RegisterParams {
            email: recipient.clone(),
            password: "smtp-smoke-test".to_string(),
            name: "SMTP smoke test".to_string(),
            account_type: Some("personal".to_string()),
        },
    )
    .await
    .expect("failed to create test user");
    // Give the welcome email a realistic verification token/link.
    user.into_active_model()
        .set_email_verification_sent(&boot.app_context.db)
        .await
        .expect("failed to set email verification token");
    let user = Model::find_by_email(&boot.app_context.db, &recipient)
        .await
        .expect("failed to reload test user");
    // The assertion: the live SMTP server must accept the message.
    AuthMailer::send_welcome(&boot.app_context, &user)
        .await
        .unwrap_or_else(|e| panic!("real SMTP send to {recipient} failed: {e:?}"));
 }
--- a/tests/mod.rs
+++ b/tests/mod.rs
@@ -1,3 +1,4 @@
 mod mailer;
 mod models;
 mod requests;
 mod tasks;
--- a/tests/models/users.rs
+++ b/tests/models/users.rs
@@ -50,6 +50,7 @@ async fn can_create_with_password() {
        email: "test@framework.com".to_string(),
        password: "1234".to_string(),
        name: "framework".to_string(),
        account_type: Some("personal".to_string()),
    };
    let res = Model::create_with_password(&boot.app_context.db, &params).await;
@@ -78,6 +79,7 @@ async fn handle_create_with_password_with_duplicate() {
            email: "user1@example.com".to_string(),
            password: "1234".to_string(),
            name: "framework".to_string(),
            account_type: Some("personal".to_string()),
        },
    )
    .await;
Author	SHA1	Message	Date
Priec	e51eda9a8c	default unchecked Some checks failed CI / Check Style (push) Has been cancelled Details CI / Run Clippy (push) Has been cancelled Details CI / Run Tests (push) Has been cancelled Details	2026-06-19 11:39:40 +02:00
Priec	12e00a782d	profile name surname and save profile data	2026-06-19 11:37:51 +02:00
Priec	5278988842	registration password match	2026-06-19 11:19:30 +02:00
Priec	e70743996b	register form fields	2026-06-19 11:14:47 +02:00
Priec	11762728c9	mail sent over test working fully now Some checks failed CI / Check Style (push) Has been cancelled Details CI / Run Clippy (push) Has been cancelled Details CI / Run Tests (push) Has been cancelled Details	2026-06-19 10:54:30 +02:00
Priec	ebb208baba	not working smtp test	2026-06-19 10:40:43 +02:00
Priec	7cba3d9eba	resend verification mail	2026-06-19 01:05:18 +02:00
Priec	35e2b6edc9	hide .env credentials Some checks failed CI / Check Style (push) Has been cancelled Details CI / Run Clippy (push) Has been cancelled Details CI / Run Tests (push) Has been cancelled Details	2026-06-19 00:35:48 +02:00
Priec	f3daa27ce7	account type is permanent and password registration is now working at checkout Some checks failed CI / Check Style (push) Has been cancelled Details CI / Run Clippy (push) Has been cancelled Details CI / Run Tests (push) Has been cancelled Details	2026-06-18 22:10:17 +02:00
Priec	46cc2459bd	required Some checks failed CI / Check Style (push) Has been cancelled Details CI / Run Clippy (push) Has been cancelled Details CI / Run Tests (push) Has been cancelled Details	2026-06-18 21:38:32 +02:00
Priec	996358be87	company or personal Some checks failed CI / Check Style (push) Has been cancelled Details CI / Run Clippy (push) Has been cancelled Details CI / Run Tests (push) Has been cancelled Details	2026-06-18 21:27:15 +02:00
Priec	c6624e1b3d	profile of a new registered users	2026-06-18 21:11:48 +02:00
Priec	b9c1277876	upgrades that are harmless	2026-06-18 20:38:47 +02:00