Stripped all CSRF token generation, injection, and validation since it
breaks behind Apache reverse proxy. Removed handlers/csrf.go, stripped
CSRFToken from PageData, removed validateCSRFToken from all POST handlers,
and cleaned up hidden inputs and JS CSRF references.

Added self-service password change at /password/ with current-password
verification and bcrypt update. New Password link in navbar.

Extended admin panel with user management: lists all users with join dates
and allows admins to delete other users (self-deletion blocked). Added
GetAllUsers() and DeleteUser() to models.

Co-authored-by: CommandCodeBot <noreply@commandcode.ai>
- Add loading spinners and disabled states for form submissions
- Implement client-side form validation with inline error messages
- Add Enter-to-submit functionality for single-line forms
- Implement relative timestamps (e.g., '2 hours ago')
- Add character counters for textareas
- Auto-resize textareas as users type
- Add toast notifications for success/error messages
- Improve form accessibility with autocomplete and max lengths
- Add password confirmation field to signup form
- Better error styling throughout the application
- A new `files` table to store metadata about uploaded files, including original name and hash.
- The `users` table is updated to reference a `pfp_file_id` from the new `files` table, removing the insecure `pfp_url` field.
- A new `/file` endpoint and handler (`handlers/file.go`) are created to serve files securely based on their ID, preventing direct file system access.
- Profile editing (`handlers/profile_edit.go` and `templates/pages/profile_edit.html`) is updated to handle file uploads instead of URL inputs.
- The chat feature (`models/chat.go` and `templates/pages/chat.html`) is updated to work with the new file ID system, ensuring avatars are displayed correctly.
Should also fix #68.
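
The ID-based file serving described in the last commit message, as an added Go sketch that is not the project's `handlers/file.go`: the request carries only an integer, and the on-disk path is built from server-side metadata. The names `serveFile` and `fetch`, the `id` query parameter, and the use of the content hash as the stored file name are assumptions.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"net/http"
	"net/http/httptest"
	"os"
	"path/filepath"
	"strconv"
)

// serveFile handles GET /file?id=N; files stands in for the `files` table (ID -> hash, assumed to be the on-disk name).
func serveFile(w http.ResponseWriter, r *http.Request, dir string, files map[int64]string) {
	id, err := strconv.ParseInt(r.URL.Query().Get("id"), 10, 64)
	if err != nil || id <= 0 {
		http.Error(w, "bad id", http.StatusBadRequest) // not an integer: never reaches the disk
		return
	}
	hash, ok := files[id]
	if !ok {
		http.NotFound(w, r)
		return
	}
	w.Header().Set("X-Content-Type-Options", "nosniff") // uploads are untrusted content
	http.ServeFile(w, r, filepath.Join(dir, hash))      // path built from server-side data only
}

// fetch sends one request to a constructed store holding a single file with ID 1.
func fetch(target string) (int, string) {
	dir, err := os.MkdirTemp("", "filestore")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	content := []byte("constructed avatar bytes")
	hash := fmt.Sprintf("%x", sha256.Sum256(content))
	if err := os.WriteFile(filepath.Join(dir, hash), content, 0o600); err != nil {
		panic(err)
	}
	rec := httptest.NewRecorder()
	serveFile(rec, httptest.NewRequest(http.MethodGet, target, nil), dir, map[int64]string{1: hash})
	return rec.Code, rec.Body.String()
}

func main() {
	fmt.Println(fetch("/file?id=1"))
	fmt.Println(fetch("/file?id=../../etc/passwd"))
}
```

Because a path-shaped `id` fails integer parsing, it is rejected with 400 before any file system call, while an unknown numeric ID returns 404.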