uffd/oauth2/templates/oauth2/logout.html → uffd/templates/oauth2/logout.html

@@ -11,9 +11,9 @@
 	</noscript>
 	<p>{{_('While you successfully logged out of the Single-Sign-On service, you may still be logged in on these services:')}}</p>
 	<ul>
-	{% for client in clients if client.logout_urls %}
-		<li class="client" data-urls='{{ client.logout_urls|tojson }}'>
-			{{ client.client_id }}
+	{% for client in clients if client.logout_uris %}
+		<li class="client" data-urls='{{ client.logout_uris_json }}'>
+			{{ client.service.name }}
 			<span class="status-active spinner-border spinner-border-sm d-none" role="status" aria-hidden="true"></span>
 			<i class="status-success fas fa-check d-none"></i>
 			<i class="status-failed fas fa-exclamation d-none"></i>
@@ -53,7 +53,6 @@ function logout_services() {
 			});
 		});
 		p = p.then(function () {
-			console.log('done', elem);
 			elem.find('.status-active').addClass('d-none');
 			elem.find('.status-success').removeClass('d-none');
 			elem.removeClass('client');
@@ -61,13 +60,11 @@ function logout_services() {
 		.catch(function (err) {
 			elem.find('.status-active').addClass('d-none');
 			elem.find('.status-failed').removeClass('d-none');
-			console.log(err);
 			throw err;
 		});
 		all_promises.push(p);
 	});
 	Promise.allSettled(all_promises).then(function (results) {
-		console.log(results);
 		for (result of results) {
 			if (result.status == 'rejected')
 				throw result.reason;

uffd/role/templates/role/show.html → uffd/templates/role/show.html

@@ -7,9 +7,9 @@
 </div>
 {% endif %}
 
-<form action="{{ url_for("role.update", roleid=role.id) }}" method="POST">
+<form action="{{ url_for("role.update", roleid=role.id) }}" method="POST" autocomplete="off">
 <div class="align-self-center">
-	<div class="float-sm-right pb-2">
+	<div class="clearfix pb-2"><div class="float-sm-right">
 		<button type="submit" class="btn btn-primary"><i class="fa fa-save" aria-hidden="true"></i> {{_("Save")}}</button>
 		<a href="{{ url_for("role.index") }}" class="btn btn-secondary">{{_("Cancel")}}</a>
 		{% if role.id %}
@@ -23,7 +23,7 @@
 			<a href="#" class="btn btn-secondary disabled">{{_("Set as default")}}</a>
 			<a href="#" class="btn btn-danger disabled"><i class="fa fa-trash" aria-hidden="true"></i> {{_("Delete")}}</a>
 		{% endif %}
-	</div>
+	</div></div>
 	<ul class="nav nav-tabs pt-2 border-0" id="tablist" role="tablist">
 		<li class="nav-item">
 			<a class="nav-link active" id="settings-tab" data-toggle="tab" href="#settings" role="tab" aria-controls="settings" aria-selected="true">{{_("Settings")}}</a>
@@ -55,7 +55,7 @@
 				<select class="form-control" id="moderator-group" name="moderator-group" {{ 'disabled' if role.locked }}>
 					<option value="" class="text-muted">{{_("No Moderator Group")}}</option>
 					{% for group in groups %}
-					<option value="{{ group.dn }}" {{ 'selected' if group == role.moderator_group }}>{{ group.name }}</option>
+					<option value="{{ group.id }}" {{ 'selected' if group == role.moderator_group }}>{{ group.name }}</option>
 					{% endfor %}
 				</select>
 			</div>
@@ -63,7 +63,7 @@
 				<span>{{_("Moderators")}}:</span>
 				<ul class="row">
 					{% for moderator in role.moderator_group.members %}
-					<li class="col-12 col-xs-6 col-sm-4 col-md-3 col-lg-2"><a href="{{ url_for("user.show", uid=moderator.uid) }}">{{ moderator.loginname }}</a></li>
+					<li class="col-12 col-xs-6 col-sm-4 col-md-3 col-lg-2"><a href="{{ url_for("user.show", id=moderator.id) }}">{{ moderator.loginname }}</a></li>
 					{% endfor %}
 				</ul>
 			</div>
@@ -71,7 +71,7 @@
 				<span>{{_("Members")}}:</span>
 				<ul class="row">
 				{% for member in role.members|sort(attribute='loginname') %}
-					<li class="col-12 col-xs-6 col-sm-4 col-md-3 col-lg-2"><a href="{{ url_for("user.show", uid=member.uid) }}">{{ member.loginname }}</a></li>
+					<li class="col-12 col-xs-6 col-sm-4 col-md-3 col-lg-2"><a href="{{ url_for("user.show", id=member.id) }}">{{ member.loginname }}</a></li>
 				{% endfor %}
 				</ul>
 			</div>
@@ -108,7 +108,7 @@
 							</td>
 							<td>
 								{% for group in r.groups_effective|sort(attribute='name') %}
-									<a href="{{ url_for("group.show", gid=group.gid) }}">{{ group.name }}</a>{{ ', ' if not loop.last }}
+									<a href="{{ url_for("group.show", id=group.id) }}">{{ group.name }}</a>{{ ', ' if not loop.last }}
 								{% endfor %}
 							</td>
 						</tr>
@@ -131,14 +131,14 @@
 					</thead>
 					<tbody>
 						{% for group in groups|sort(attribute="name") %}
-						<tr id="group-{{ group.gid }}">
+						<tr id="group-{{ group.id }}">
 							<td>
 								<div class="form-check">
-									<input class="form-check-input" type="checkbox" id="group-{{ group.gid }}-checkbox" name="group-{{ group.gid }}" value="1" aria-label="enabled" {% if group in role.groups %}checked{% endif %} {{ 'disabled' if role.locked }}>
+									<input class="form-check-input" type="checkbox" id="group-{{ group.id }}-checkbox" name="group-{{ group.id }}" value="1" aria-label="enabled" {% if group in role.groups %}checked{% endif %} {{ 'disabled' if role.locked }}>
 								</div>
 							</td>
 							<td>
-								<a href="{{ url_for("group.show", gid=group.gid) }}">
+								<a href="{{ url_for("group.show", id=group.id) }}">
 									{{ group.name }}
 								</a>
 							</td>
@@ -147,7 +147,7 @@
 							</td>
 							<td>
 								<div class="form-check">
-									<input class="form-check-input" type="checkbox" id="group-mfa-{{ group.gid }}-checkbox" name="group-mfa-{{ group.gid }}" value="1" aria-label="enabled" {% if group in role.groups and role.groups[group].requires_mfa %}checked{% endif %} {{ 'disabled' if role.locked }}>
+									<input class="form-check-input" type="checkbox" id="group-mfa-{{ group.id }}-checkbox" name="group-mfa-{{ group.id }}" value="1" aria-label="enabled" {% if group in role.groups and role.groups[group].requires_mfa %}checked{% endif %} {{ 'disabled' if role.locked }}>
 								</div>
 							</td>
 						</tr>

uffd/rolemod/templates/rolemod/show.html → uffd/templates/rolemod/show.html

@@ -4,9 +4,7 @@
 
 <form method="POST" action="{{ url_for("rolemod.update", role_id=role.id) }}">
 	<div class="float-sm-right pb-2">
-		{% if config['ENABLE_INVITE'] %}
 		<a href="{{ url_for("invite.new", **{"role-%d"%role.id: 1}) }}" class="btn btn-primary mr-2"><i class="fa fa-link" aria-hidden="true"></i> {{_('Invite Members')}}</a>
-		{% endif %}
 		<button type="submit" class="btn btn-primary"><i class="fa fa-save" aria-hidden="true"></i> {{_('Save')}}</button>
 		<a href="{{ url_for("rolemod.index") }}" class="btn btn-secondary">{{_('Cancel')}}</a>
 	</div>
@@ -52,7 +50,7 @@
 						<tr>
 							<td>{{ member.displayname }} ({{ member.loginname }})</td>
 							<td class="text-right">
-								<a class="btn btn-danger py-0" href="{{ url_for('rolemod.delete_member', role_id=role.id, member_dn=member.dn) }}">{{_('Remove')}}</a>
+								<a class="btn btn-danger py-0" href="{{ url_for('rolemod.delete_member', role_id=role.id, member_id=member.id) }}">{{_('Remove')}}</a>
 							</td>
 						</tr>
 						{% endfor %}

uffd/mfa/templates/mfa/disable.html → uffd/templates/selfservice/disable_mfa.html

@@ -7,7 +7,7 @@
 	You can later generate new recovery codes and setup your applications and devices again.")}}
 </p>
 
-<form class="form" action="{{ url_for('mfa.disable_confirm') }}" method="POST">
+<form class="form" action="{{ url_for('selfservice.disable_mfa_confirm') }}" method="POST">
 	<button type="submit" class="btn btn-danger btn-block">{{_("Disable two-factor authentication")}}</button>
 </form>
 

uffd/selfservice/templates/selfservice/forgot_password.html → uffd/templates/selfservice/forgot_password.html

@@ -7,14 +7,14 @@
 	</div>
 	<div class="form-group col-12">
 		<label for="user-loginname">{{_("Login Name")}}</label>
-		<input type="text" class="form-control" id="user-loginname" name="loginname" required="required" tabindex = "1">
+		<input type="text" autocomplete="username" class="form-control" id="user-loginname" name="loginname" required="required" tabindex="1">
 	</div>
 	<div class="form-group col-12">
 		<label for="user-mail">{{_("Mail Address")}}</label>
-		<input type="text" class="form-control" id="user-mail" name="mail" required="required" tabindex = "2">
+		<input type="email" autocomplete="email" class="form-control" id="user-mail" name="mail" required="required" tabindex="2">
 	</div>
 	<div class="form-group col-12">
-		<button type="submit" class="btn btn-primary btn-block" tabindex = "3">{{_("Send password reset mail")}}</button>
+		<button type="submit" class="btn btn-primary btn-block" tabindex="3">{{_("Send password reset mail")}}</button>
 	</div>
 </form>
 {% endblock %}

uffd/selfservice/templates/selfservice/mailverification.mail.txt → uffd/templates/selfservice/mailverification.mail.txt

 Hi {{ user.displayname }},
 
 you have requested to change your mail address. To confirm the change, please visit the following url:
-{{ url_for('selfservice.token_mail', token=token, _external=True) }}
+{{ url_for('selfservice.verify_email', email_id=email.id, secret=secret, _external=True) }}
 
 **The link is valid for 48h**

uffd/selfservice/templates/selfservice/newuser.mail.txt → uffd/templates/selfservice/newuser.mail.txt

@@ -4,7 +4,7 @@ welcome to the {{ config.ORGANISATION_NAME }} infrastructure! An account was cre
 
 Please visit the following url to set your password:
 
-{{ url_for('selfservice.token_password', token=token, _external=True) }}
+{{ url_for('selfservice.token_password', token_id=token.id, token=token.token, _external=True) }}
 
 **The link is valid for 48h**
 

uffd/selfservice/templates/selfservice/passwordreset.mail.txt → uffd/templates/selfservice/passwordreset.mail.txt

 Hi {{ user.displayname }},
 
 you have requested a password reset. To reset your password, visit the following url:
-{{ url_for('selfservice.token_password', token=token, _external=True) }}
+{{ url_for('selfservice.token_password', token_id=token.id, token=token.token, _external=True) }}
 
 **The link is valid for 48h**
 

uffd/selfservice/templates/selfservice/self.html → uffd/templates/selfservice/self.html

@@ -12,8 +12,8 @@
 <div class="row">
 	<div class="col-12 col-md-5">
 		<h5>{{_("Profile")}}</h5>
-		<p>{{_("Your profile information is used by all services that are integrated into the Single-Sign-On. Your e-mail address is also used for password recovery.")}}</p>
-		<p>{{_("Changes may take serveral minutes to be visible in all services.")}}</p>
+		<p>{{_("Your profile information is used by all services that are integrated into the Single-Sign-On.")}}</p>
+		<p>{{_("Changes may take several minutes to be visible in all services.")}}</p>
 	</div>
 	<div class="col-12 col-md-7">
 		<form class="form" action="{{ url_for("selfservice.update_profile") }}" method="POST">
@@ -25,14 +25,106 @@
 				<label>{{_("Display Name")}}</label>
 				<input type="text" class="form-control" id="user-displayname" name="displayname" value="{{ user.displayname }}">
 			</div>
+			<button type="submit" class="btn btn-primary btn-block">{{_("Update Profile")}}</button>
+		</form>
+	</div>
+</div>
+
+<hr>
+
+<div class="row">
+	<div class="col-12 col-md-5">
+		<h5>{{_("E-Mail Addresses")}}</h5>
+		<p>{{_("Add and delete addresses associated with your account. You will need to verify new addresses by opening a link set to them.")}}</p>
+	</div>
+	<div class="col-12 col-md-7">
+    <form method="POST" action="{{ url_for('selfservice.add_email') }}" class="form mb-2">
+      <div class="row m-0">
+        <label class="sr-only" for="new-email-address">{{_("Email")}}</label>
+        <input type="email" autocomplete="email" class="form-control mb-2 col-12 col-lg-auto mr-2" style="width: 20em;" id="new-email-address" name="address" placeholder="{{_("New E-Mail Address")}}" required>
+        <button type="submit" class="btn btn-primary mb-2 col">{{_("Add address")}}</button>
+      </div>
+    </form>
+		<table class="table mb-0">
+			<tbody>
+				{% for email in user.all_emails|sort(attribute='id') %}
+				<tr>
+					<td class="pl-0">
+						{{ email.address }}
+						{% if email == user.primary_email %}
+						<span class="badge badge-primary">{{ _('primary') }}</span>
+						{% elif not email.verified  %}
+						<span class="badge badge-danger">{{ _('unverified') }}</span>
+						{% endif %}
+					</td>
+					<td class="pt-2 pb-1 pr-0">
+						<form method="POST" action="{{ url_for('selfservice.delete_email', email_id=email.id) }}" onsubmit='return confirm({{_("Are you sure?")|tojson|e}});'>
+							<button type="submit" class="btn btn-sm btn-danger float-right ml-1 mb-1"{% if email == user.primary_email %} disabled title="{{ _('Cannot delete primary e-mail address') }}"{% endif %}>{{_("Delete")}}</button>
+						</form>
+						{% if not email.verified  %}
+						<a href="{{ url_for('selfservice.retry_email_verification', email_id=email.id) }}" class="btn btn-sm btn-primary float-right mb-1">{{_("Retry verification")}}</a>
+						{% endif %}
+					</td>
+				</tr>
+				{% endfor %}
+			</tbody>
+		</table>
+	</div>
+</div>
+
+<hr>
+
+{% set service_users_with_email_prefs = user.service_users|selectattr('has_email_preferences')|list %}
+{% set collapse_email_prefs = service_users_with_email_prefs|length > 2 %}
+<div class="row">
+	<div class="col-12 col-md-5">
+		<h5>{{_("E-Mail Preferences")}}</h5>
+		<p>
+			{{ _("Choose your primary e-mail address and the address password recovery e-mails will be sent to.") }}
+			{% if service_users_with_email_prefs %}
+			{{ _("You can also select different addresses for different services.") }}
+			{% endif %}
+		</p>
+		<p>{{ _("Adresses must be verified before you can select them here.") }}</p>
+	</div>
+	<div class="col-12 col-md-7">
+		<form class="form" action="{{ url_for("selfservice.update_email_preferences") }}" method="POST">
 			<div class="form-group">
-				<label>{{_("E-Mail Address")}}</label>
-				<input type="email" class="form-control" id="user-mail" name="mail" value="{{ user.mail }}" required>
-				<small class="form-text text-muted">
-					{{_("We will send you a confirmation mail to this address if you change it")}}
-				</small>
+				<label>{{_("Primary Address")}}</label>
+				<select name="primary_email" class="form-control">
+					{% for email in user.all_emails if email.verified %}
+					<option value="{{ email.id }}" {{ 'selected' if email == user.primary_email }}>{{ email.address }}</option>
+					{% endfor %}
+				</select>
 			</div>
-			<button type="submit" class="btn btn-primary btn-block">{{_("Update Profile")}}</button>
+			<div class="form-group">
+				<label>{{_("Address for Password Reset E-Mails")}}</label>
+				<select name="recovery_email" class="form-control">
+					<option value="primary" {{ 'selected' if not user.recovery_email }}>{{ _('Use primary address') }}</option>
+					{% for email in user.all_emails if email.verified %}
+					<option value="{{ email.id }}" {{ 'selected' if email == user.recovery_email }}>{{ email.address }}</option>
+					{% endfor %}
+				</select>
+			</div>
+			{% for service_user in service_users_with_email_prefs %}
+			{% if collapse_email_prefs and loop.index == 2 %}
+			<div id="collapsed-email-prefs">
+			{% endif %}
+			<div class="form-group">
+				<label>{{ _('Address for Service "%(name)s"', name=service_user.service.name) }}</label>
+				<select name="service_{{ service_user.service.id }}_email" class="form-control">
+					<option value="primary" {{ 'selected' if not service_user.service_email }}>{{ _('Use primary address') }}</option>
+					{% for email in user.all_emails if email.verified %}
+					<option value="{{ email.id }}" {{ 'selected' if email == service_user.service_email }}>{{ email.address }}</option>
+					{% endfor %}
+				</select>
+			</div>
+			{% endfor %}
+			{% if collapse_email_prefs %}
+			</div>
+			<button type="button" class="btn btn-sm btn-link pl-0 mb-1 showmore" data-target="#collapsed-email-prefs" style="display: none;" aria-expanded="false" aria-controls="collapsed-email-prefs">{{ _("Show more settings ...") }}</button>
+			{% endif %}
+			<button type="submit" class="btn btn-primary btn-block">{{_("Update E-Mail Preferences")}}</button>
 		</form>
 	</div>
 </div>
@@ -47,13 +139,13 @@
 	<div class="col-12 col-md-7">
 		<form class="form" action="{{ url_for("selfservice.change_password") }}" method="POST">
 			<div class="form-group">
-				<input type="password" class="form-control" id="user-password1" name="password1" placeholder="{{_("New Password")}}" minlength={{ User.PASSWORD_MINLEN }} maxlength={{ User.PASSWORD_MAXLEN }} pattern="{{ User.PASSWORD_REGEX }}" required>
+				<input type="password" autocomplete="new-password" class="form-control" id="user-password1" name="password1" placeholder="{{_("New Password")}}" minlength={{ User.PASSWORD_MINLEN }} maxlength={{ User.PASSWORD_MAXLEN }} pattern="{{ User.PASSWORD_REGEX }}" required>
 				<small class="form-text text-muted">
 					{{ User.PASSWORD_DESCRIPTION|safe }}
 				</small>
 			</div>
 			<div class="form-group">
-				<input type="password" class="form-control" id="user-password2" name="password2" placeholder="{{_("Repeat Password")}}" required>
+				<input type="password" autocomplete="new-password" class="form-control" id="user-password2" name="password2" placeholder="{{_("Repeat Password")}}" required>
 			</div>
 			<button type="submit" class="btn btn-primary btn-block">{{_("Change Password")}}</button>
 		</form>
@@ -75,7 +167,56 @@
 			{{ _("Two-factor authentication is currently <strong>disabled</strong>.")|safe }}
 			{% endif %}
 		</p>
-		<a class="btn btn-primary btn-block" href="{{ url_for('mfa.setup') }}">{{_("Manage two-factor authentication")}}</a>
+		<a class="btn btn-primary btn-block" href="{{ url_for('selfservice.setup_mfa') }}">{{_("Manage two-factor authentication")}}</a>
+	</div>
+</div>
+
+<hr>
+
+<div class="row mt-3">
+	<div class="col-12 col-md-5">
+		<h5>{{_("Active Sessions")}}</h5>
+		<p>{{_("Your active login sessions on this device and other devices.")}}</p>
+		<p>{{_("Revoke a session to log yourself out on another device. Note that this is limited to the Single-Sign-On session and <b>does not affect login sessions on services.</b>")}}</p>
+	</div>
+	<div class="col-12 col-md-7">
+		<table class="table">
+			<thead>
+				<tr>
+					<th scope="col">{{_("Last used")}}</th>
+					<th scope="col">{{_("Device")}}</th>
+					<th scope="col"></th>
+				</tr>
+			</thead>
+			<tbody>
+				<tr>
+					<td>{{_("Just now")}}</td>
+					<td>{{ request.session.user_agent_browser }} on {{ request.session.user_agent_platform }} ({{ request.session.ip_address }})</td>
+					<td></td>
+				</tr>
+				{% for session in user.sessions|sort(attribute='last_used', reverse=True) if not session.expired and session != request.session %}
+				<tr>
+					<td>
+						{% set last_used_rel = session.last_used - datetime.utcnow() %}
+						{% if -last_used_rel.total_seconds() <= 60 %}
+						{{_("Just now")}}
+						{% else %}
+						{{ last_used_rel|timedeltaformat(add_direction=True, granularity='minute') }}
+						{% endif %}
+					</td>
+					<td>{{ session.user_agent_browser }} on {{ session.user_agent_platform }} ({{ session.ip_address }})</td>
+					<td>
+						{% if session != request.session %}
+						<form action="{{ url_for("selfservice.revoke_session", session_id=session.id) }}" method="POST" onsubmit='return confirm({{_("Are you sure?")|tojson|e}});'>
+							<button type="submit" class="btn btn-sm btn-danger float-right">{{_("Revoke")}}</button>
+						</form>
+						{% endif %}
+					</td>
+				</tr>
+				{% endfor %}
+			</tbody>
+		</table>
+
 	</div>
 </div>
 
@@ -86,15 +227,12 @@
 		<h5>{{_("Roles")}}</h5>
 		<p>{{_("Aside from a set of base permissions, your roles determine the permissions of your account.")}}</p>
 		{% if config['SERVICES'] %}
-		<p>{{_("See <a href=\"%(services_url)s\">Services</a> for an overview of your current permissions.", services_url=url_for('services.index'))}}</p>
+		<p>{{_("See <a href=\"%(services_url)s\">Services</a> for an overview of your current permissions.", services_url=url_for('service.overview'))}}</p>
 		{% endif %}
 	</div>
 	<div class="col-12 col-md-7">
-		{% if config['ENABLE_INVITE'] %}
 		<p>{{_("Administrators and role moderators can invite you to new roles.")}}</p>
-		{% else %}
-		<p>{{_("Administrators can add new roles to your account.")}}</p>
-		{% endif %}
+
 		<table class="table">
 			<thead>
 				<tr>
@@ -113,11 +251,9 @@
 					</td>
 					<td>{{ role.description }}</td>
 					<td>
-						{% if config['ENABLE_ROLESELFSERVICE'] %}
 						<form action="{{ url_for("selfservice.leave_role", roleid=role.id) }}" method="POST" onsubmit='return confirm({{_("Are you sure?")|tojson|e}});'>
 							<button type="submit" class="btn btn-sm btn-danger float-right">{{_("Leave")}}</button>
 						</form>
-						{% endif %}
 					</td>
 				</tr>
 				{% endfor %}
@@ -128,7 +264,20 @@
 				{% endif %}
 			</tbody>
 		</table>
+
 	</div>
 </div>
 
+<script>
+$(".showmore").each(function () {
+	$(this).show()
+	$($(this).data("target")).hide()
+})
+$(".showmore").on("click", function () {
+	$(this).slideUp(200)
+	$(this).prop("ariaExpanded", true)
+	$($(this).data("target")).slideDown()
+})
+</script>
+
 {% endblock %}

uffd/selfservice/templates/selfservice/set_password.html → uffd/templates/selfservice/set_password.html

 {% extends 'base_narrow.html' %}
 
 {% block body %}
-<form action="{{ url_for("selfservice.token_password", token=token) }}" method="POST" onInput="password2.setCustomValidity(password1.value != password2.value ? 'Passwords do not match.' : '') ">
+<form action="{{ url_for("selfservice.token_password", token_id=token.id, token=token.token) }}" method="POST" onInput="password2.setCustomValidity(password1.value != password2.value ? 'Passwords do not match.' : '') ">
 	<div class="col-12">
 		<h2 class="text-center">{{_("Reset password")}}</h2>
 	</div>
 	<div class="form-group col-12">
 		<label for="user-password1">{{_("New Password")}}</label>
-		<input type="password" class="form-control" id="user-password1" name="password1" tabindex="2" minlength={{ User.PASSWORD_MINLEN }} maxlength={{ User.PASSWORD_MAXLEN }} pattern="{{ User.PASSWORD_REGEX }}" required>
+		<input type="password" autocomplete="new-password" class="form-control" id="user-password1" name="password1" tabindex="2" minlength={{ User.PASSWORD_MINLEN }} maxlength={{ User.PASSWORD_MAXLEN }} pattern="{{ User.PASSWORD_REGEX }}" required>
 		<small class="form-text text-muted">
 			{{ User.PASSWORD_DESCRIPTION|safe }}
 		</small>
 	</div>
 	<div class="form-group col-12">
 		<label for="user-password2">{{_("Repeat Password")}}</label>
-		<input type="password" class="form-control" id="user-password2" name="password2" tabindex="3" required>
+		<input type="password" autocomplete="new-password" class="form-control" id="user-password2" name="password2" tabindex="3" required>
 	</div>
 	<div class="form-group col-12">
-		<button type="submit" class="btn btn-primary btn-block" tabindex = "3">{{_("Set password")}}</button>
+		<button type="submit" class="btn btn-primary btn-block" tabindex="3">{{_("Set password")}}</button>
 	</div>
 </form>
 {% endblock %}

uffd/mfa/templates/mfa/setup.html → uffd/templates/selfservice/setup_mfa.html

@@ -28,11 +28,11 @@ mfa_enabled: The user has setup at least one two-factor method. Two-factor authe
 {% if mfa_setup or mfa_enabled %}
 <div class="clearfix">
 	{% if mfa_enabled %}
-	<form class="form float-right" action="{{ url_for('mfa.disable') }}">
+	<form class="form float-right" action="{{ url_for('selfservice.disable_mfa') }}">
 		<button type="submit" class="btn btn-danger mb-2">{{_("Disable two-factor authentication")}}</button>
 	</form>
 	{% else %}
-	<form class="form float-right" action="{{ url_for('mfa.disable_confirm') }}" method="POST">
+	<form class="form float-right" action="{{ url_for('selfservice.disable_mfa_confirm') }}" method="POST">
 		<button type="submit" class="btn btn-light mb-2">{{_("Reset two-factor configuration")}}</button>
 	</form>
 	{% endif %}
@@ -56,7 +56,7 @@ mfa_enabled: The user has setup at least one two-factor method. Two-factor authe
 	</div>
 
 	<div class="col-12 col-md-7">
-		<form class="form" action="{{ url_for('mfa.setup_recovery') }}" method="POST">
+		<form class="form" action="{{ url_for('selfservice.setup_mfa_recovery') }}" method="POST">
 			{% if mfa_init %}
 			<button type="submit" class="btn btn-primary mb-2 col">
 				{{_("Generate recovery codes to enable two-factor authentication")}}
@@ -93,7 +93,7 @@ mfa_enabled: The user has setup at least one two-factor method. Two-factor authe
 	</div>
 
 	<div class="col-12 col-md-7">
-		<form class="form mb-2" action="{{ url_for('mfa.setup_totp') }}">
+		<form class="form mb-2" action="{{ url_for('selfservice.setup_mfa_totp') }}" autocomplete="off">
 			<div class="row m-0">
 				<label class="sr-only" for="totp-name">{{_("Name")}}</label>
 				<input type="text" name="name" class="form-control mb-2 col-12 col-lg-auto mr-2" style="width: 15em;" id="totp-name" placeholder="{{_("Name")}}" required {{ 'disabled' if mfa_init }}>
@@ -113,8 +113,8 @@ mfa_enabled: The user has setup at least one two-factor method. Two-factor authe
 				{% for method in request.user.mfa_totp_methods %}
 				<tr>
 					<td>{{ method.name }}</td>
-					<td>{{ method.created.strftime('%b %d, %Y') }}</td>
-					<td><a class="btn btn-sm btn-danger float-right" href="{{ url_for('mfa.delete_totp', id=method.id) }}">{{_("Delete")}}</a></td>
+					<td>{{ method.created|dateformat }}</td>
+					<td><a class="btn btn-sm btn-danger float-right" href="{{ url_for('selfservice.delete_mfa_totp', id=method.id) }}">{{_("Delete")}}</a></td>
 				</tr>
 				{% endfor %}
 				{% if not request.user.mfa_totp_methods %}
@@ -152,7 +152,7 @@ mfa_enabled: The user has setup at least one two-factor method. Two-factor authe
 			</div>
 		</noscript>
 		<div id="webauthn-alert" class="alert alert-warning d-none" role="alert"></div>
-		<form id="webauthn-form" class="form mb-2">
+		<form id="webauthn-form" autocomplete="off" class="form mb-2">
 			<div class="row m-0">
 				<label class="sr-only" for="webauthn-name">{{_("Name")}}</label>
 				<input type="text" class="form-control mb-2 col-12 col-lg-auto mr-2" style="width: 15em;" id="webauthn-name" placeholder="{{_("Name")}}" required disabled>
@@ -175,8 +175,8 @@ mfa_enabled: The user has setup at least one two-factor method. Two-factor authe
 				{% for method in request.user.mfa_webauthn_methods %}
 				<tr>
 					<td>{{ method.name }}</td>
-					<td>{{ method.created.strftime('%b %d, %Y') }}</td>
-					<td><a class="btn btn-sm btn-danger float-right" href="{{ url_for('mfa.delete_webauthn', id=method.id) }}">{{_("Delete")}}</a></td>
+					<td>{{ method.created|dateformat }}</td>
+					<td><a class="btn btn-sm btn-danger float-right" href="{{ url_for('selfservice.delete_mfa_webauthn', id=method.id) }}">{{_("Delete")}}</a></td>
 				</tr>
 				{% endfor %}
 				{% if not request.user.mfa_webauthn_methods %}
@@ -196,21 +196,21 @@ mfa_enabled: The user has setup at least one two-factor method. Two-factor authe
 $('#webauthn-form').on('submit', function(e) {
 	$('#webauthn-alert').addClass('d-none');
 	$('#webauthn-spinner').removeClass('d-none');
-	$('#webauthn-btn-text').text('Contacting server');
+	$('#webauthn-btn-text').text({{ _('Contacting server')|tojson }});
 	$('#webauthn-btn').prop('disabled', true);
-	fetch({{ url_for('mfa.setup_webauthn_begin')|tojson }}, {
+	fetch({{ url_for('selfservice.setup_mfa_webauthn_begin')|tojson }}, {
 		method: 'POST',
 	}).then(function(response) {
 		if (response.ok)
 			return response.arrayBuffer();
 		if (response.status == 403)
-			throw new Error('You need to generate recovery codes first');
-		throw new Error('Server error');
+			throw new Error({{ _('You need to generate recovery codes first')|tojson }});
+		throw new Error({{ _('Server error')|tojson }});
 	}).then(CBOR.decode).then(function(options) {
-		$('#webauthn-btn-text').text('Waiting for response from your device');
+		$('#webauthn-btn-text').text({{ _('Waiting for device')|tojson }});
 		return navigator.credentials.create(options);
 	}).then(function(attestation) {
-		return fetch({{ url_for('mfa.setup_webauthn_complete')|tojson }}, {
+		return fetch({{ url_for('selfservice.setup_mfa_webauthn_complete')|tojson }}, {
 			method: 'POST',
 			headers: {'Content-Type': 'application/cbor'},
 			body: CBOR.encode({
@@ -222,34 +222,34 @@ $('#webauthn-form').on('submit', function(e) {
 	}).then(function(response) {
 		if (response.ok) {
 			$('#webauthn-spinner').addClass('d-none');
-			$('#webauthn-btn-text').text('Success');
-			window.location = {{ url_for('mfa.setup')|tojson }};
+			$('#webauthn-btn-text').text({{ _('Success')|tojson }});
+			window.location = {{ url_for('selfservice.setup_mfa')|tojson }};
 		} else {
-			throw new Error('Response from authenticator rejected');
+			throw new Error({{ _('Invalid response from device')|tojson }});
 		}
 	}, function(err) {
 		console.log(err);
 		/* various webauthn errors */
 		if (err.name == 'NotAllowedError')
-			$('#webauthn-alert').text('Registration timed out, was aborted or not allowed');
+			$('#webauthn-alert').text({{ _('Registration timed out, was aborted or not allowed')|tojson }});
 		else if (err.name == 'InvalidStateError')
-			$('#webauthn-alert').text('You attempted to register a device that is already registered');
+			$('#webauthn-alert').text({{ _('Device already registered')|tojson }});
 		else if (err.name == 'AbortError')
-			$('#webauthn-alert').text('Registration was aborted');
+			$('#webauthn-alert').text({{ _('Registration was aborted')|tojson }});
 		else if (err.name == 'NotSupportedError')
-			$('#webauthn-alert').text('U2F and FIDO2 devices are not supported by your browser');
+			$('#webauthn-alert').text({{ _('U2F and FIDO2 devices are not supported by your browser')|tojson }});
 		/* errors from fetch() */
 		else if (err.name == 'TypeError')
-			$('#webauthn-alert').text('Could not connect to server');
+			$('#webauthn-alert').text({{ _('Could not connect to server')|tojson }});
 		/* our own errors */
 		else if (err.name == 'Error')
 			$('#webauthn-alert').text(err.message);
 		/* fallback */
 		else
-			$('#webauthn-alert').text('Registration failed ('+err+')');
+			$('#webauthn-alert').text({{ _('Registration failed')|tojson }}+' ('+err+')');
 		$('#webauthn-alert').removeClass('d-none');
 		$('#webauthn-spinner').addClass('d-none');
-		$('#webauthn-btn-text').text('Retry registration');
+		$('#webauthn-btn-text').text({{ _('Retry registration')|tojson }});
 		$('#webauthn-btn').prop('disabled', false);
 	});
 	return false;
@@ -261,7 +261,7 @@ if (typeof(PublicKeyCredential) != "undefined") {
 	$('#webauthn-name').prop('disabled', false);
 	{% endif %}
 } else {
-	$('#webauthn-alert').text('U2F and FIDO2 devices are not supported by your browser');
+	$('#webauthn-alert').text({{ _('U2F and FIDO2 devices are not supported by your browser')|tojson }});
 	$('#webauthn-alert').removeClass('d-none');
 }
 

uffd/mfa/templates/mfa/setup_recovery.html → uffd/templates/selfservice/setup_mfa_recovery.html

@@ -12,7 +12,7 @@
 <div class="text-monospace">
 	<ul>
 	{% for method in methods %}
-		<li>{{ method.code }}</li>
+		<li>{{ method.code_value }}</li>
 	{% endfor %}
 	</ul>
 </div>
@@ -23,8 +23,8 @@
 </p>
 
 <div class="btn-toolbar">
-	<a class="ml-auto mb-2 btn btn-primary d-print-none" href="{{ url_for('mfa.setup') }}">Continue</a>
-	<a class="ml-2 mb-2 btn btn-light d-print-none" href="{{ methods|map(attribute='code')|join('\n')|datauri }}" download="uffd-recovery-codes">
+	<a class="ml-auto mb-2 btn btn-primary d-print-none" href="{{ url_for('selfservice.setup_mfa') }}">{{_("Continue")}}</a>
+	<a class="ml-2 mb-2 btn btn-light d-print-none" href="{{ methods|map(attribute='code_value')|join('\n')|datauri }}" download="uffd-recovery-codes">
 		{{_("Download codes")}}
 	</a>
 	<button class="ml-2 mb-2 btn btn-light d-print-none" type="button" onClick="window.print()">{{_("Print codes")}}</button>

uffd/mfa/templates/mfa/setup_totp.html → uffd/templates/selfservice/setup_mfa_totp.html

@@ -32,9 +32,9 @@
 	</div>
 </div>
 
-<form action="{{ url_for('mfa.setup_totp_finish', name=name) }}" method="POST" class="form">
+<form action="{{ url_for('selfservice.setup_mfa_totp_finish', name=name) }}" method="POST" autocomplete="off" class="form">
 	<div class="row m-0">
-		<input type="text" name="code" class="form-control mb-2 mr-2 col-auto col-md" id="code" placeholder="Code" required autofocus>
+		<input type="text" name="code" class="form-control mb-2 mr-2 col-auto col-md" id="code" placeholder="{{_('Code')}}" required autofocus>
 		<button type="submit" class="btn btn-primary mb-2 col col-md-auto">{{_("Verify and complete setup")}}</button>
 	</div>
 </form>

uffd/templates/service/api.html

+{% extends 'base.html' %}
+
+{% block body %}
+<div class="row">
+	<form action="{{ url_for('service.api_submit', service_id=service.id, id=client.id) }}" method="POST" autocomplete="off" class="form col-12 px-0">
+
+		<div class="form-group col">
+			<p class="text-right">
+				<a href="{{ url_for('service.show', id=service.id) }}" class="btn btn-secondary">{{ _('Cancel') }}</a>
+				{% if client.id %}
+				<a class="btn btn-danger" href="{{ url_for('service.api_delete', service_id=service.id, id=client.id) }}" onClick='return confirm({{_("Are you sure?")|tojson}});'>
+					<i class="fa fa-trash" aria-hidden="true"></i> {{_('Delete')}}
+				</a>
+				{% endif %}
+				<button type="submit" class="btn btn-primary"><i class="fa fa-save" aria-hidden="true"></i> {{ _('Save') }}</button>
+			</p>
+		</div>
+
+		<div class="form-group col">
+			<label for="client-auth-username">{{ _('Authentication Username') }}</label>
+			<input type="text" class="form-control" id="client-auth-username" name="auth_username" value="{{ client.auth_username or '' }}" required>
+		</div>
+
+		<div class="form-group col">
+			<label for="client-auth-password">{{ _('Authentication Password') }}</label>
+			{% if client.id %}
+			<input type="password" autocomplete="new-password" class="form-control" id="client-auth-password" name="auth_password" placeholder="●●●●●●●●">
+			{% else %}
+			<input type="password" autocomplete="new-password" class="form-control" id="client-auth-password" name="auth_password" required>
+			{% endif %}
+		</div>
+
+		<div class="form-group col">
+			<h6>{{ _('Permissions') }}</h6>
+			<div class="form-check">
+				<input class="form-check-input" type="checkbox" id="client-perm-users" name="perm_users" value="1" aria-label="enabled" {{ 'checked' if client.perm_users }}>
+				<label class="form-check-label" for="client-perm-users"><b>users</b>: {{_('Access user and group data')}}</label>
+			</div>
+			<div class="form-check">
+				<input class="form-check-input" type="checkbox" id="client-perm-checkpassword" name="perm_checkpassword" value="1" aria-label="enabled" {{ 'checked' if client.perm_checkpassword }}>
+				<label class="form-check-label" for="client-perm-checkpassword"><b>checkpassword</b>: {{_('Verify user passwords')}}</label>
+			</div>
+			<div class="form-check">
+				<input class="form-check-input" type="checkbox" id="client-perm-mail-aliases" name="perm_mail_aliases" value="1" aria-label="enabled" {{ 'checked' if client.perm_mail_aliases }}>
+				<label class="form-check-label" for="client-perm-mail-aliases"><b>mail_aliases</b>: {{_('Access mail aliases')}}</label>
+			</div>
+			<div class="form-check">
+				<input class="form-check-input" type="checkbox" id="client-perm-remailer" name="perm_remailer" value="1" aria-label="enabled" {{ 'checked' if client.perm_remailer }}>
+				<label class="form-check-label" for="client-perm-remailer"><b>remailer</b>: {{_('Resolve remailer addresses')}}</label>
+				{% if not remailer.configured %}
+				<i class="fas fa-exclamation-triangle text-warning" data-toggle="tooltip" data-placement="top" title="{{ _('This option has no effect: Remailer config options are unset') }}"></i>
+				{% endif %}
+			</div>
+			<div class="form-check">
+				<input class="form-check-input" type="checkbox" id="client-perm-metrics" name="perm_metrics" value="1" aria-label="enabled" {{ 'checked' if client.perm_metrics }}>
+				<label class="form-check-label" for="client-perm-metrics"><b>metrics</b>: {{_('Access uffd metrics')}}</label>
+			</div>
+		</div>
+
+	</form>
+</div>
+
+<script>
+$(function () {
+  $('[data-toggle="tooltip"]').tooltip()
+})
+</script>
+{% endblock %}

uffd/templates/service/index.html

+{% extends 'base.html' %}
+
+{% block body %}
+<div class="row">
+	<div class="col">
+		<p class="text-right">
+			<a class="btn btn-primary" href="{{ url_for('service.show') }}">
+				<i class="fa fa-plus" aria-hidden="true"></i> {{_("New")}}
+			</a>
+		</p>
+		<table class="table table-striped table-sm">
+			<thead>
+				<tr>
+					<th scope="col">{{ _('Name') }}</th>
+				</tr>
+			</thead>
+			<tbody>
+				{% for service in services|sort(attribute="name") %}
+				<tr>
+					<td>
+						<a href="{{ url_for("service.show", id=service.id) }}">
+							{{ service.name }}
+						</a>
+					</td>
+				</tr>
+				{% endfor %}
+			</tbody>
+		</table>
+	</div>
+</div>
+{% endblock %}

uffd/templates/service/oauth2.html

+{% extends 'base.html' %}
+
+{% block body %}
+<div class="row">
+	<form action="{{ url_for('service.oauth2_submit', service_id=service.id, db_id=client.db_id) }}" method="POST" autocomplete="off" class="form col-12 px-0">
+
+		<div class="form-group col">
+			<p class="text-right">
+				<a href="{{ url_for('service.show', id=service.id) }}" class="btn btn-secondary">{{ _('Cancel') }}</a>
+				{% if client.db_id %}
+				<a class="btn btn-danger" href="{{ url_for('service.oauth2_delete', service_id=service.id, db_id=client.db_id) }}" onClick='return confirm({{_("Are you sure?")|tojson}});'>
+					<i class="fa fa-trash" aria-hidden="true"></i> {{_('Delete')}}
+				</a>
+				{% endif %}
+				<button type="submit" class="btn btn-primary"><i class="fa fa-save" aria-hidden="true"></i> {{ _('Save') }}</button>
+			</p>
+		</div>
+
+		<div class="form-group col">
+			<label for="client-client-id">{{ _('Client ID') }}</label>
+			<input type="text" class="form-control" id="client-client-id" name="client_id" value="{{ client.client_id or '' }}" required>
+		</div>
+
+		<div class="form-group col">
+			<label for="client-client-secret">{{ _('Client Secret') }}</label>
+			{% if client.db_id %}
+			<input type="password" autocomplete="new-password" class="form-control" id="client-client-secret" name="client_secret" placeholder="●●●●●●●●">
+			{% else %}
+			<input type="password" autocomplete="new-password" class="form-control" id="client-client-secret" name="client_secret" required>
+			{% endif %}
+		</div>
+
+		<div class="form-group col">
+			<label for="client-redirect-uris">{{ _('Redirect URIs') }}</label>
+			<textarea rows="3" class="form-control" id="client-redirect-uris" name="redirect_uris">{{ client.redirect_uris|join('\n') }}</textarea>
+			<small class="form-text text-muted">
+				{{ _('One URI per line') }}
+			</small>
+		</div>
+
+		<div class="form-group col">
+			<label for="client-logout-uris">{{ _('Logout URIs') }}</label>
+			<textarea rows="3" class="form-control" id="client-logout-uris" name="logout_uris" placeholder="GET https://example.com/logout">
+{%- for logout_uri in client.logout_uris %}
+{{ logout_uri.method }} {{ logout_uri.uri }}{{ '\n' if not loop.last }}
+{%- endfor %}
+</textarea>
+			<small class="form-text text-muted">
+				{{ _('One URI per line, prefixed with space-separated method (GET/POST)') }}
+			</small>
+		</div>
+
+	</form>
+</div>
+{% endblock %}

uffd/services/templates/services/overview.html → uffd/templates/service/overview.html

@@ -4,8 +4,19 @@
 
 {% set iconstyle = 'style="width: 1.8em;"'|safe %}
 
-{% if not user %}
-<div class="alert alert-warning" role="alert">{{_("Some services may not be publicly listed! Log in to see all services you have access to.")}}</div>
+{% if not request.user %}
+<div class="alert alert-warning" role="alert">
+    <div class="row">
+        <div class="col-12 col-md-9 col-lg-10 col-xl-10">
+            {{ _("Some services may not be publicly listed! Log in to see all services you have access to.") }}
+        </div>
+        <div class="col-12 col-md-3 col-lg-2 col-xl-2 text-center text-md-right text-lg-right text-xl-right">
+            <a class="btn btn-primary" href="{{ url_for("session.login", ref=request.full_path) }}">
+                <i class="fa fa-sign-in-alt" aria-hidden="true"></i> {{ _("Login") }}
+            </a>
+        </div>
+    </div>
+</div>
 {% endif %}
 
 {% if banner %}
@@ -22,7 +33,7 @@
       <div class="card-body">
 				{% if service.logo_url %}
 					{% if service.url and service.has_access %}<a href="{{ service.url }}" class="text-reset">{% endif %}
-						<img alt="Logo for {{ service.title }}" src="{{ service.logo_url }}" style="width: 100%; height: 10em; object-fit: contain; {{ 'filter: grayscale(100%);' if not service.has_access }}">
+						<img alt="{{ _("Logo for %(service_title)s", service_title=service.title) }}" src="{{ service.logo_url }}" style="width: 100%; height: 10em; object-fit: contain; {{ 'filter: grayscale(100%);' if not service.has_access }}">
 					{% if service.url and service.has_access %}</a>{% endif %}
 				{% endif %}
         <h5 class="card-title">
@@ -59,6 +70,12 @@
   </div>
 {% endmacro %}
 
+{% if request.user and request.user.is_in_group(config['ACL_ADMIN_GROUP']) %}
+<div class="text-right mt-2">
+	<a href="{{ url_for('service.index') }}" class="btn btn-primary">{{ _('Manage OAuth2 and API clients') }}</a>
+</div>
+{% endif %}
+
 <div class="row row-cols-1 row-cols-md-2 row-cols-lg-3 row-cols-xl-4 mt-2">
 	{% for service in services if service.has_access %}
 		{{ service_card(service) }}