v0.5.0 - Optional Login Support & Beautiful Themes 🔐🎨 (#73)

* docs: Add implementation plan for optional login support in settings

Brainstorm document covering:
- Design decisions for optional single-user auth
- Impact analysis for existing installations (zero breaking changes)
- Hybrid approach using env vars and settings UI
- UI/UX mockups for Settings and Login pages
- Security considerations (bcrypt, sessions, lockout recovery)
- Phased implementation steps

* docs: Update login plan with SMTP prerequisite and password reset flow

Confirmed decisions:
- Login toggle in Settings page, default OFF
- SMTP must be configured before login can be enabled (for password recovery)
- Added password reset flow via email as primary lockout recovery
- Updated UI mockups with Forgot Password page

* docs: Add CLI password reset option for Docker deployments

New recovery features:
- --reset-password flag for interactive password reset
- --new-password flag for non-interactive/scripted reset
- --disable-auth flag to completely remove authentication

Usage examples for Docker:
  docker exec -it subtrackr /app/subtrackr --reset-password
  docker compose run --rm subtrackr --reset-password

* Add theming system and fix authentication conflicts

- Implement 5 beautiful themes: Default, Dark, Christmas, Midnight, Ocean
- Christmas theme includes festive snowfall animation
- Midnight theme features purple glow effects
- Remove old dark mode system to prevent theme conflicts
- Fix dark theme hover states for proper contrast
- Add theme persistence with localStorage and server storage
- Add screenshots for documentation (Christmas, Ocean, Login)
- Update README with themes gallery
- Exclude screenshots from Docker builds

* Update Go version to 1.24 for GitHub Actions compatibility

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: bscott

.dockerignore

@@ -7,6 +7,7 @@
 *.md
 docs/
 LICENSE
+screenshots/
 
 # Development files
 docker-compose.yml

Dockerfile

@@ -1,5 +1,5 @@
 # Build stage
-FROM golang:1.21 AS builder
+FROM golang:1.24 AS builder
 
 # Install build dependencies
 RUN apt-get update && apt-get install -y \

PLAN-login-settings.md

@@ -8,6 +8,38 @@ A self-hosted subscription management application built with Go and HTMX. Track
 
 ![SubTrackr Mobile View](mobile-screenshot.png)
 
+## 🎨 Themes
+
+Personalize your SubTrackr experience with 5 beautiful themes:
+
+<table>
+  <tr>
+    <td align="center">
+      <img src="screenshots/christmas.png" alt="Christmas Theme" width="600"/><br/>
+      <b>Christmas 🎄</b><br/>
+      Festive and jolly! (with snowfall animation)
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+      <img src="screenshots/ocean.png" alt="Ocean Theme" width="600"/><br/>
+      <b>Ocean</b><br/>
+      Cool and refreshing
+    </td>
+  </tr>
+  <tr>
+    <td align="center">
+      <img src="screenshots/login.png" alt="Login Page" width="600"/><br/>
+      <b>Optional Authentication</b><br/>
+      Secure your data with optional login support
+    </td>
+  </tr>
+</table>
+
+**Available themes:** Default (Light), Dark, Christmas 🎄, Midnight (Purple), Ocean (Cyan)
+
+Themes persist across all pages and are saved per user. Change themes anytime from Settings → Appearance.
+
 ![Version](https://img.shields.io/github/v/release/bscott/subtrackr?logo=github&label=version)
 ![Go Version](https://img.shields.io/badge/go-%3E%3D1.21-00ADD8)
 ![License](https://img.shields.io/badge/license-AGPL--3.0-green)
@@ -20,6 +52,7 @@ A self-hosted subscription management application built with Go and HTMX. Track
 - 📈 **Analytics**: Visualize spending by category and track savings
 - 🔔 **Email Notifications**: Get reminders before subscriptions renew
 - 📤 **Data Export**: Export your data as CSV, JSON, or iCal format
+- 🎨 **Beautiful Themes**: 5 stunning themes including a festive Christmas theme with snowfall animation
 - 🌍 **Multi-Currency Support**: Support for USD, EUR, GBP, JPY, RUB, SEK, PLN, and INR (with optional real-time conversion)
 - 🐳 **Docker Ready**: Easy deployment with Docker
 - 🔒 **Self-Hosted**: Your data stays on your server

README.md

@@ -1,6 +1,9 @@
 package main
 
 import (
+	"crypto/subtle"
+	"flag"
+	"fmt"
 	"html/template"
 	"log"
 	"math"
@@ -12,12 +15,20 @@ import (
 	"subtrackr/internal/middleware"
 	"subtrackr/internal/repository"
 	"subtrackr/internal/service"
+	"syscall"
 	"time"
 
 	"github.com/gin-gonic/gin"
+	"golang.org/x/term"
 )
 
 func main() {
+	// CLI flags
+	resetPassword := flag.Bool("reset-password", false, "Reset admin password (interactive or with --new-password)")
+	newPassword := flag.String("new-password", "", "New password for admin (non-interactive, use with --reset-password)")
+	disableAuth := flag.Bool("disable-auth", false, "Disable authentication and remove credentials")
+	flag.Parse()
+
 	// Load configuration
 	cfg := config.Load()
 
@@ -47,10 +58,29 @@ func main() {
 	emailService := service.NewEmailService(settingsService)
 	logoService := service.NewLogoService()
 
+	// Handle CLI commands (run before starting HTTP server)
+	if *disableAuth {
+		handleDisableAuth(settingsService)
+		return
+	}
+
+	if *resetPassword {
+		handleResetPassword(settingsService, *newPassword)
+		return
+	}
+
+	// Initialize session service (get or generate session secret)
+	sessionSecret, err := settingsService.GetOrGenerateSessionSecret()
+	if err != nil {
+		log.Fatal("Failed to initialize session secret:", err)
+	}
+	sessionService := service.NewSessionService(sessionSecret)
+
 	// Initialize handlers
 	subscriptionHandler := handlers.NewSubscriptionHandler(subscriptionService, settingsService, currencyService, emailService, logoService)
 	settingsHandler := handlers.NewSettingsHandler(settingsService)
 	categoryHandler := handlers.NewCategoryHandler(categoryService)
+	authHandler := handlers.NewAuthHandler(settingsService, sessionService, emailService)
 
 	// Setup Gin router
 	if cfg.Environment == "production" {
@@ -126,8 +156,11 @@ func main() {
 		})
 	})
 
+	// Apply auth middleware
+	router.Use(middleware.AuthMiddleware(settingsService, sessionService))
+
 	// Routes
-	setupRoutes(router, subscriptionHandler, settingsHandler, settingsService, categoryHandler)
+	setupRoutes(router, subscriptionHandler, settingsHandler, settingsService, categoryHandler, authHandler)
 
 	// Seed sample data if database is empty
 	// Commented out - no sample data by default
@@ -201,6 +234,15 @@ func loadTemplates() *template.Template {
 		"templates/smtp-message.html",
 		"templates/form-errors.html",
 		"templates/error.html",
+		"templates/login.html",
+		"templates/login-error.html",
+		"templates/forgot-password.html",
+		"templates/forgot-password-error.html",
+		"templates/forgot-password-success.html",
+		"templates/reset-password.html",
+		"templates/reset-password-error.html",
+		"templates/reset-password-success.html",
+		"templates/auth-message.html",
 	}
 
 	var parsedCount int
@@ -250,7 +292,12 @@ func loadTemplates() *template.Template {
 	return tmpl
 }
 
-func setupRoutes(router *gin.Engine, handler *handlers.SubscriptionHandler, settingsHandler *handlers.SettingsHandler, settingsService *service.SettingsService, categoryHandler *handlers.CategoryHandler) {
+func setupRoutes(router *gin.Engine, handler *handlers.SubscriptionHandler, settingsHandler *handlers.SettingsHandler, settingsService *service.SettingsService, categoryHandler *handlers.CategoryHandler, authHandler *handlers.AuthHandler) {
+	// Auth routes (public)
+	router.GET("/login", authHandler.ShowLoginPage)
+	router.GET("/forgot-password", authHandler.ShowForgotPasswordPage)
+	router.GET("/reset-password", authHandler.ShowResetPasswordPage)
+
 	// Web routes
 	router.GET("/", handler.Dashboard)
 	router.GET("/dashboard", handler.Dashboard)
@@ -306,6 +353,21 @@ func setupRoutes(router *gin.Engine, handler *handlers.SubscriptionHandler, sett
 		api.POST("/categories", categoryHandler.CreateCategory)
 		api.PUT("/categories/:id", categoryHandler.UpdateCategory)
 		api.DELETE("/categories/:id", categoryHandler.DeleteCategory)
+
+		// Auth routes
+		api.POST("/auth/login", authHandler.Login)
+		api.GET("/auth/logout", authHandler.Logout)
+		api.POST("/auth/forgot-password", authHandler.ForgotPassword)
+		api.POST("/auth/reset-password", authHandler.ResetPassword)
+
+		// Auth settings routes
+		api.POST("/settings/auth/setup", settingsHandler.SetupAuth)
+		api.POST("/settings/auth/disable", settingsHandler.DisableAuth)
+		api.GET("/settings/auth/status", settingsHandler.GetAuthStatus)
+
+		// Theme settings routes
+		api.GET("/settings/theme", settingsHandler.GetTheme)
+		api.POST("/settings/theme", settingsHandler.SetTheme)
 	}
 
 	// Public API routes (require API key authentication)
@@ -413,3 +475,59 @@ func checkAndSendRenewalReminders(subscriptionService *service.SubscriptionServi
 
 	log.Printf("Renewal reminder check complete: %d sent, %d failed", sentCount, failedCount)
 }
+
+// handleResetPassword handles the --reset-password CLI command
+func handleResetPassword(settingsService *service.SettingsService, newPassword string) {
+	var password string
+
+	if newPassword != "" {
+		// Non-interactive mode
+		password = newPassword
+	} else {
+		// Interactive mode - prompt for password
+		fmt.Print("Enter new admin password: ")
+		passwordBytes, err := term.ReadPassword(int(syscall.Stdin))
+		if err != nil {
+			log.Fatal("Failed to read password:", err)
+		}
+		fmt.Println()
+
+		fmt.Print("Confirm password: ")
+		confirmBytes, err := term.ReadPassword(int(syscall.Stdin))
+		if err != nil {
+			log.Fatal("Failed to read confirmation:", err)
+		}
+		fmt.Println()
+
+		// Use constant-time comparison to prevent timing attacks
+		if subtle.ConstantTimeCompare(passwordBytes, confirmBytes) != 1 {
+			log.Fatal("Passwords do not match")
+		}
+
+		password = string(passwordBytes)
+	}
+
+	// Validate password length
+	if len(password) < 8 {
+		log.Fatal("Password must be at least 8 characters long")
+	}
+
+	// Update password
+	if err := settingsService.SetAuthPassword(password); err != nil {
+		log.Fatal("Failed to update password:", err)
+	}
+
+	fmt.Println("✓ Admin password reset successfully")
+	os.Exit(0)
+}
+
+// handleDisableAuth handles the --disable-auth CLI command
+func handleDisableAuth(settingsService *service.SettingsService) {
+	if err := settingsService.DisableAuth(); err != nil {
+		log.Fatal("Failed to disable authentication:", err)
+	}
+
+	fmt.Println("✓ Authentication disabled successfully")
+	fmt.Println("  Note: Credentials are preserved and can be re-enabled from Settings")
+	os.Exit(0)
+}

cmd/server/main.go

@@ -1,11 +1,14 @@
 module subtrackr
 
-go 1.21
+go 1.24.0
 
 require (
 	github.com/dromara/carbon/v2 v2.6.11
 	github.com/gin-gonic/gin v1.9.1
+	github.com/gorilla/sessions v1.4.0
 	github.com/stretchr/testify v1.11.1
+	golang.org/x/crypto v0.46.0
+	golang.org/x/term v0.38.0
 	gorm.io/driver/sqlite v1.5.4
 	gorm.io/gorm v1.25.5
 )
@@ -20,6 +23,7 @@ require (
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.14.0 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
+	github.com/gorilla/securecookie v1.1.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
@@ -34,10 +38,9 @@ require (
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.11 // indirect
 	golang.org/x/arch v0.3.0 // indirect
-	golang.org/x/crypto v0.9.0 // indirect
-	golang.org/x/net v0.10.0 // indirect
-	golang.org/x/sys v0.8.0 // indirect
-	golang.org/x/text v0.9.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/sys v0.39.0 // indirect
+	golang.org/x/text v0.32.0 // indirect
 	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.mod

@@ -29,6 +29,12 @@ github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaS
 github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
+github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=
+github.com/gorilla/securecookie v1.1.2/go.mod h1:NfCASbcHqRSY+3a8tlWJwsQap2VX5pwzwo4h3eOamfo=
+github.com/gorilla/sessions v1.4.0 h1:kpIYOp/oi6MG/p5PgxApU8srsSw9tuFbt46Lt7auzqQ=
+github.com/gorilla/sessions v1.4.0/go.mod h1:FLWm50oby91+hl7p/wRxDth9bWSuk0qVL2emc7lT5ik=
 github.com/jinzhu/inflection v1.0.0 h1:K317FqzuhWc8YvSVlFMCCUb36O/S9MCKRDI7QkRKD/E=
 github.com/jinzhu/inflection v1.0.0/go.mod h1:h+uFLlag+Qp1Va5pdKtLDYj+kHp5pxUVkryuEj+Srlc=
 github.com/jinzhu/now v1.1.5 h1:/o9tlHleP7gOFmsnYNz3RGnqzefHA47wQpKrrdTIwXQ=
@@ -72,16 +78,18 @@ github.com/ugorji/go/codec v1.2.11/go.mod h1:UNopzCgEMSXjBc6AOMqYvWC1ktqTAfzJZUZ
 golang.org/x/arch v0.0.0-20210923205945-b76863e36670/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
 golang.org/x/arch v0.3.0 h1:02VY4/ZcO/gBOH6PUaoiptASxtXU10jazRCP865E97k=
 golang.org/x/arch v0.3.0/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
-golang.org/x/crypto v0.9.0 h1:LF6fAI+IutBocDJ2OT0Q1g8plpYljMZ4+lty+dsqw3g=
-golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0=
-golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
-golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/crypto v0.46.0 h1:cKRW/pmt1pKAfetfu+RCEvjvZkA9RimPbh7bhFjGVBU=
+golang.org/x/crypto v0.46.0/go.mod h1:Evb/oLKmMraqjZ2iQTwDwvCtJkczlDuTmdJXoZVzqU0=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.8.0 h1:EBmGv8NaZBZTWvrbjNoL6HVt+IVy3QDQpJs7VRIw3tU=
-golang.org/x/sys v0.8.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/text v0.9.0 h1:2sjJmO8cDvYveuX97RDLsxlyUxLl+GHoLxBiRdHllBE=
-golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
+golang.org/x/sys v0.39.0 h1:CvCKL8MeisomCi6qNZ+wbb0DN9E5AATixKsvNtMoMFk=
+golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/term v0.38.0 h1:PQ5pkm/rLO6HnxFR7N2lJHOZX6Kez5Y1gDSJla6jo7Q=
+golang.org/x/term v0.38.0/go.mod h1:bSEAKrOT1W+VSu9TSCMtoGEOUcKxOKgl3LE5QEF/xVg=
+golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
+golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=