From 4d95fddb1b39a7174e09209c2a3fe7ca07ff022c Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 12:14:34 -0800
Subject: [PATCH 01/21] Fix cached session bug

---
 internal/auth/store.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/internal/auth/store.go b/internal/auth/store.go
index bff5e62..6525a1f 100644
--- a/internal/auth/store.go
+++ b/internal/auth/store.go
@@ -126,6 +126,7 @@ func (s *PGStore) Save(r *http.Request, w http.ResponseWriter, session *sessions
 	}
 
 	result := s.db.Where("token = ?", session.ID).Assign(models.Session{
+		UserID:    userID,
 		Data:      buf.Bytes(),
 		ExpiresAt: expiresAt,
 	}).FirstOrCreate(&dbSession)

From 4b8ab0a3cbdaf06185b443107c70717a4f469539 Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 15:49:23 -0800
Subject: [PATCH 02/21] Update dependencies and Go version to fix CVEs

Fixes #10, Fixes #11, Fixes #12, Fixes #13, Fixes #35
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .forgejo/workflows/ci.yaml |  2 +-
 Dockerfile                 |  2 +-
 go.mod                     | 12 ++++++------
 go.sum                     |  9 +++++----
 4 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/.forgejo/workflows/ci.yaml b/.forgejo/workflows/ci.yaml
index b1ba779..e0c551c 100644
--- a/.forgejo/workflows/ci.yaml
+++ b/.forgejo/workflows/ci.yaml
@@ -15,7 +15,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.23'
+          go-version: '1.25'
 
       - name: Run tests
         run: go test ./...
diff --git a/Dockerfile b/Dockerfile
index 4c21b03..4baa8d4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -10,7 +10,7 @@ COPY internal/handlers/ internal/handlers/
 RUN npx @tailwindcss/cli -i web/static/css/input.css -o web/static/css/output.css --minify
 
 # Stage 2: Build Go binary
-FROM golang:1.23-alpine AS builder
+FROM golang:1.25-alpine AS builder
 WORKDIR /app
 COPY go.mod go.sum ./
 RUN go mod download
diff --git a/go.mod b/go.mod
index 02183d1..362ed64 100644
--- a/go.mod
+++ b/go.mod
@@ -1,16 +1,19 @@
 module github.com/mattnite/forgejo-tickets
 
-go 1.23.0
+go 1.25.3
 
 require (
 	github.com/gin-gonic/gin v1.11.0
-	github.com/golang-jwt/jwt/v5 v5.2.1
+	github.com/golang-jwt/jwt/v5 v5.2.2
 	github.com/google/uuid v1.6.0
-	github.com/gorilla/csrf v1.7.2
+	github.com/gorilla/csrf v1.7.3
 	github.com/gorilla/securecookie v1.1.2
 	github.com/gorilla/sessions v1.4.0
+	github.com/microcosm-cc/bluemonday v1.0.27
 	github.com/mrz1836/postmark v1.6.5
 	github.com/rs/zerolog v1.34.0
+	github.com/yuin/goldmark v1.7.16
+	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
 	golang.org/x/crypto v0.40.0
 	golang.org/x/oauth2 v0.25.0
 	gorm.io/driver/postgres v1.5.11
@@ -44,7 +47,6 @@ require (
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/microcosm-cc/bluemonday v1.0.27 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421 // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
@@ -52,8 +54,6 @@ require (
 	github.com/quic-go/quic-go v0.54.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.3.0 // indirect
-	github.com/yuin/goldmark v1.7.16 // indirect
-	github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc // indirect
 	go.uber.org/mock v0.5.0 // indirect
 	golang.org/x/arch v0.20.0 // indirect
 	golang.org/x/mod v0.25.0 // indirect
diff --git a/go.sum b/go.sum
index 73c2431..a030945 100644
--- a/go.sum
+++ b/go.sum
@@ -2,6 +2,7 @@ cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2Qx
 cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 github.com/alecthomas/chroma/v2 v2.2.0 h1:Aten8jfQwUqEdadVFFjNyjx7HTexhKP0XuqBG67mRDY=
 github.com/alecthomas/chroma/v2 v2.2.0/go.mod h1:vf4zrexSH54oEjJ7EdB65tGNHmH3pGZmVkgTP5RHvAs=
+github.com/alecthomas/repr v0.0.0-20220113201626-b1b626ac65ae h1:zzGwJfFlFGD94CyyYwCJeSuD32Gj9GTaSi5y9hoVzdY=
 github.com/alecthomas/repr v0.0.0-20220113201626-b1b626ac65ae/go.mod h1:2kn6fqh/zIyPLmm3ugklbEi5hg5wS435eygvNfaDQL8=
 github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk=
 github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4=
@@ -37,8 +38,8 @@ github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MG
 github.com/goccy/go-yaml v1.18.0 h1:8W7wMFS12Pcas7KU+VVkaiCng+kG8QiFeFwzFb+rwuw=
 github.com/goccy/go-yaml v1.18.0/go.mod h1:XBurs7gK8ATbW4ZPGKgcbrY1Br56PdM69F7LkFRi1kA=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
-github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
-github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -46,8 +47,8 @@ github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0=
 github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/gorilla/csrf v1.7.2 h1:oTUjx0vyf2T+wkrx09Trsev1TE+/EbDAeHtSTbtC2eI=
-github.com/gorilla/csrf v1.7.2/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
+github.com/gorilla/csrf v1.7.3 h1:BHWt6FTLZAb2HtWT5KDBf6qgpZzvtbp9QWDRKZMXJC0=
+github.com/gorilla/csrf v1.7.3/go.mod h1:F1Fj3KG23WYHE6gozCmBAezKookxbIvUJT+121wTuLk=
 github.com/gorilla/css v1.0.1 h1:ntNaBIghp6JmvWnxbZKANoLyuXTPZ4cAMlo6RyhlbO8=
 github.com/gorilla/css v1.0.1/go.mod h1:BvnYkspnSzMmwRK+b8/xgNPLiIuNZr6vbZBTPQ2A3b0=
 github.com/gorilla/securecookie v1.1.2 h1:YCIWL56dvtr73r6715mJs5ZvhtnY73hBvEF8kXD8ePA=

From e6cd175c92dbcab475a53425b0fe3520386fe454 Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 15:50:18 -0800
Subject: [PATCH 03/21] Set Secure flag on session cookie for HTTPS

Fixes #9
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 cmd/server/main.go     | 3 ++-
 internal/auth/store.go | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/cmd/server/main.go b/cmd/server/main.go
index 1f264ed..33771f4 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -5,6 +5,7 @@ import (
 	"net/http"
 	"os"
 	"os/signal"
+	"strings"
 	"syscall"
 	"time"
 
@@ -54,7 +55,7 @@ func main() {
 		log.Info().Str("bot_login", forgejoClient.BotLogin).Msg("forgejo bot login initialized")
 	}
 
-	sessionStore := auth.NewPGStore(db, []byte(cfg.SessionSecret))
+	sessionStore := auth.NewPGStore(db, strings.HasPrefix(cfg.BaseURL, "https"), []byte(cfg.SessionSecret))
 	authService := auth.NewService(db, sessionStore, emailClient)
 
 	ctx, cancel := context.WithCancel(context.Background())
diff --git a/internal/auth/store.go b/internal/auth/store.go
index 6525a1f..5f8ba26 100644
--- a/internal/auth/store.go
+++ b/internal/auth/store.go
@@ -28,7 +28,7 @@ type PGStore struct {
 	options *sessions.Options
 }
 
-func NewPGStore(db *gorm.DB, keyPairs ...[]byte) *PGStore {
+func NewPGStore(db *gorm.DB, secure bool, keyPairs ...[]byte) *PGStore {
 	return &PGStore{
 		db:     db,
 		codecs: securecookie.CodecsFromPairs(keyPairs...),
@@ -36,6 +36,7 @@ func NewPGStore(db *gorm.DB, keyPairs ...[]byte) *PGStore {
 			Path:     "/",
 			MaxAge:   sessionMaxAge,
 			HttpOnly: true,
+			Secure:   secure,
 			SameSite: http.SameSiteLaxMode,
 		},
 	}

From 4a0af136d55a13ba29cf4dd0b8d8cddea8bde6a7 Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 15:53:31 -0800
Subject: [PATCH 04/21] Add CSRF protection to admin panel

Fixes #14

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 cmd/server/main.go                            |  1 +
 internal/handlers/admin/routes.go             | 53 +++++++++++--------
 web/templates/pages/admin/repos/edit.html     |  1 +
 web/templates/pages/admin/repos/new.html      |  1 +
 web/templates/pages/admin/tickets/detail.html |  1 +
 web/templates/pages/admin/users/detail.html   |  1 +
 web/templates/pages/admin/users/new.html      |  1 +
 web/templates/pages/admin/users/pending.html  |  2 +
 8 files changed, 40 insertions(+), 21 deletions(-)

diff --git a/cmd/server/main.go b/cmd/server/main.go
index 1f264ed..06685cb 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -76,6 +76,7 @@ func main() {
 		DB:            db,
 		Renderer:      renderer,
 		Auth:          authService,
+		SessionStore:  sessionStore,
 		EmailClient:   emailClient,
 		ForgejoClient: forgejoClient,
 		Config:        cfg,
diff --git a/internal/handlers/admin/routes.go b/internal/handlers/admin/routes.go
index 1785be9..0d8d0cd 100644
--- a/internal/handlers/admin/routes.go
+++ b/internal/handlers/admin/routes.go
@@ -1,6 +1,8 @@
 package admin
 
 import (
+	"strings"
+
 	"github.com/gin-gonic/gin"
 	"github.com/mattnite/forgejo-tickets/internal/auth"
 	"github.com/mattnite/forgejo-tickets/internal/config"
@@ -15,6 +17,7 @@ type Dependencies struct {
 	DB            *gorm.DB
 	Renderer      *templates.Renderer
 	Auth          *auth.Service
+	SessionStore  *auth.PGStore
 	EmailClient   *email.Client
 	ForgejoClient *forgejo.Client
 	Config        *config.Config
@@ -30,30 +33,38 @@ func NewRouter(deps Dependencies) *gin.Engine {
 	tsAuth := &TailscaleAuth{allowedUsers: deps.Config.TailscaleAllowedUsers}
 	r.Use(tsAuth.Middleware)
 
-	dashboardHandler := &DashboardHandler{deps: deps}
-	r.GET("/", dashboardHandler.Index)
+	csrfSecret := []byte(deps.Config.SessionSecret)
+	isSecure := strings.HasPrefix(deps.Config.BaseURL, "https")
+	csrfMiddleware := middleware.CSRF(csrfSecret, isSecure)
 
-	userHandler := &UserHandler{deps: deps}
-	r.GET("/users", userHandler.List)
-	r.GET("/users/pending", userHandler.PendingList)
-	r.GET("/users/new", userHandler.NewForm)
-	r.GET("/users/:id", userHandler.Detail)
-	r.POST("/users", userHandler.Create)
-	r.POST("/users/:id/approve", userHandler.Approve)
-	r.POST("/users/:id/reject", userHandler.Reject)
-	r.POST("/users/:id/repos", userHandler.UpdateRepos)
+	csrf := r.Group("/")
+	csrf.Use(csrfMiddleware)
+	{
+		dashboardHandler := &DashboardHandler{deps: deps}
+		csrf.GET("/", dashboardHandler.Index)
 
-	ticketHandler := &TicketHandler{deps: deps}
-	r.GET("/tickets", ticketHandler.List)
-	r.GET("/tickets/:id", ticketHandler.Detail)
-	r.POST("/tickets/:id/status", ticketHandler.UpdateStatus)
+		userHandler := &UserHandler{deps: deps}
+		csrf.GET("/users", userHandler.List)
+		csrf.GET("/users/pending", userHandler.PendingList)
+		csrf.GET("/users/new", userHandler.NewForm)
+		csrf.GET("/users/:id", userHandler.Detail)
+		csrf.POST("/users", userHandler.Create)
+		csrf.POST("/users/:id/approve", userHandler.Approve)
+		csrf.POST("/users/:id/reject", userHandler.Reject)
+		csrf.POST("/users/:id/repos", userHandler.UpdateRepos)
 
-	repoHandler := &RepoHandler{deps: deps}
-	r.GET("/repos", repoHandler.List)
-	r.GET("/repos/new", repoHandler.NewForm)
-	r.POST("/repos", repoHandler.Create)
-	r.GET("/repos/:id/edit", repoHandler.EditForm)
-	r.POST("/repos/:id", repoHandler.Update)
+		ticketHandler := &TicketHandler{deps: deps}
+		csrf.GET("/tickets", ticketHandler.List)
+		csrf.GET("/tickets/:id", ticketHandler.Detail)
+		csrf.POST("/tickets/:id/status", ticketHandler.UpdateStatus)
+
+		repoHandler := &RepoHandler{deps: deps}
+		csrf.GET("/repos", repoHandler.List)
+		csrf.GET("/repos/new", repoHandler.NewForm)
+		csrf.POST("/repos", repoHandler.Create)
+		csrf.GET("/repos/:id/edit", repoHandler.EditForm)
+		csrf.POST("/repos/:id", repoHandler.Update)
+	}
 
 	return r
 }
diff --git a/web/templates/pages/admin/repos/edit.html b/web/templates/pages/admin/repos/edit.html
index c353ed3..ff508ef 100644
--- a/web/templates/pages/admin/repos/edit.html
+++ b/web/templates/pages/admin/repos/edit.html
@@ -64,6 +64,7 @@
     {{end}}
 
     <form method="POST" action="/repos/{{.Repo.ID}}" class="space-y-6 bg-white p-6 rounded-lg shadow ring-1 ring-gray-200">
+        <input type="hidden" name="gorilla.csrf.Token" value="{{$.CSRFToken}}">
         <div>
             <label for="name" class="block text-sm font-medium text-gray-700">Display Name</label>
             <input type="text" name="name" id="name" required value="{{.Repo.Name}}"
diff --git a/web/templates/pages/admin/repos/new.html b/web/templates/pages/admin/repos/new.html
index 6e30f7e..937bf63 100644
--- a/web/templates/pages/admin/repos/new.html
+++ b/web/templates/pages/admin/repos/new.html
@@ -17,6 +17,7 @@
     {{end}}
 
     <form method="POST" action="/repos" class="space-y-6 bg-white p-6 rounded-lg shadow ring-1 ring-gray-200">
+        <input type="hidden" name="gorilla.csrf.Token" value="{{.CSRFToken}}">
         <div>
             <label for="name" class="block text-sm font-medium text-gray-700">Display Name</label>
             <input type="text" name="name" id="name" required placeholder="Billing App"
diff --git a/web/templates/pages/admin/tickets/detail.html b/web/templates/pages/admin/tickets/detail.html
index d1ff8cf..2f99838 100644
--- a/web/templates/pages/admin/tickets/detail.html
+++ b/web/templates/pages/admin/tickets/detail.html
@@ -60,6 +60,7 @@
     <!-- Status Update -->
     <div class="mt-6 pt-4 border-t border-gray-200">
         <form method="POST" action="/tickets/{{.Ticket.ID}}/status" class="flex items-center gap-3">
+            <input type="hidden" name="gorilla.csrf.Token" value="{{$.CSRFToken}}">
             <label for="status" class="text-sm font-medium text-gray-700">Update Status:</label>
             <select name="status" id="status" class="rounded-md border border-gray-300 px-3 py-1.5 text-sm focus:border-blue-500 focus:outline-none focus:ring-1 focus:ring-blue-500">
                 <option value="open" {{if eq (print .Ticket.Status) "open"}}selected{{end}}>Open</option>
diff --git a/web/templates/pages/admin/users/detail.html b/web/templates/pages/admin/users/detail.html
index e2d3139..fd8f1e3 100644
--- a/web/templates/pages/admin/users/detail.html
+++ b/web/templates/pages/admin/users/detail.html
@@ -31,6 +31,7 @@
 <h2 class="text-lg font-semibold text-gray-900 mb-4">Project Access</h2>
 {{if .AllRepos}}
 <form method="POST" action="/users/{{.User.ID}}/repos" class="bg-white p-6 rounded-lg shadow ring-1 ring-gray-200 mb-8">
+    <input type="hidden" name="gorilla.csrf.Token" value="{{$.CSRFToken}}">
     <div class="space-y-2">
         {{range .AllRepos}}
         <label class="flex items-center gap-2">
diff --git a/web/templates/pages/admin/users/new.html b/web/templates/pages/admin/users/new.html
index fc0d051..9eb0923 100644
--- a/web/templates/pages/admin/users/new.html
+++ b/web/templates/pages/admin/users/new.html
@@ -18,6 +18,7 @@
     {{end}}
 
     <form method="POST" action="/users" class="space-y-6 bg-white p-6 rounded-lg shadow ring-1 ring-gray-200">
+        <input type="hidden" name="gorilla.csrf.Token" value="{{.CSRFToken}}">
         <div>
             <label for="name" class="block text-sm font-medium text-gray-700">Name</label>
             <input type="text" name="name" id="name" required
diff --git a/web/templates/pages/admin/users/pending.html b/web/templates/pages/admin/users/pending.html
index 0d9547d..0e826c6 100644
--- a/web/templates/pages/admin/users/pending.html
+++ b/web/templates/pages/admin/users/pending.html
@@ -27,9 +27,11 @@
                 <td class="px-4 py-3 text-right">
                     <div class="flex justify-end gap-2">
                         <form method="POST" action="/users/{{.ID}}/approve">
+                            <input type="hidden" name="gorilla.csrf.Token" value="{{$.CSRFToken}}">
                             <button type="submit" class="rounded-md bg-green-600 px-3 py-1.5 text-xs font-semibold text-white shadow hover:bg-green-500">Approve</button>
                         </form>
                         <form method="POST" action="/users/{{.ID}}/reject" onsubmit="return confirm('Are you sure you want to reject this request? The account will be deleted.')">
+                            <input type="hidden" name="gorilla.csrf.Token" value="{{$.CSRFToken}}">
                             <button type="submit" class="rounded-md bg-red-600 px-3 py-1.5 text-xs font-semibold text-white shadow hover:bg-red-500">Reject</button>
                         </form>
                     </div>

From 9b2a812d95aa101daf9060c6d6411c59ccf08a16 Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 15:55:34 -0800
Subject: [PATCH 05/21] Add rate limiting to authentication endpoints

Fixes #15

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 internal/handlers/public/routes.go |  9 ++--
 internal/middleware/ratelimit.go   | 86 ++++++++++++++++++++++++++++++
 2 files changed, 92 insertions(+), 3 deletions(-)
 create mode 100644 internal/middleware/ratelimit.go

diff --git a/internal/handlers/public/routes.go b/internal/handlers/public/routes.go
index 81514d6..1aa6cc7 100644
--- a/internal/handlers/public/routes.go
+++ b/internal/handlers/public/routes.go
@@ -3,6 +3,7 @@ package public
 import (
 	"net/http"
 	"strings"
+	"time"
 
 	"github.com/gin-gonic/gin"
 	"github.com/mattnite/forgejo-tickets/internal/auth"
@@ -48,6 +49,8 @@ func NewRouter(deps Dependencies) *gin.Engine {
 	ssoHandler := &SSOHandler{deps: deps}
 	r.GET("/sso/:slug", ssoHandler.HandleSSO)
 
+	authRateLimiter := middleware.NewRateLimiter(10, 1*time.Minute)
+
 	csrf := r.Group("/")
 	csrf.Use(csrfMiddleware)
 	{
@@ -56,13 +59,13 @@ func NewRouter(deps Dependencies) *gin.Engine {
 
 		authHandler := &AuthHandler{deps: deps}
 		csrf.GET("/login", authHandler.LoginForm)
-		csrf.POST("/login", authHandler.Login)
+		csrf.POST("/login", authRateLimiter.Middleware(), authHandler.Login)
 		csrf.GET("/register", authHandler.RegisterForm)
-		csrf.POST("/register", authHandler.Register)
+		csrf.POST("/register", authRateLimiter.Middleware(), authHandler.Register)
 		csrf.POST("/logout", authHandler.Logout)
 		csrf.GET("/verify-email", authHandler.VerifyEmail)
 		csrf.GET("/forgot-password", authHandler.ForgotPasswordForm)
-		csrf.POST("/forgot-password", authHandler.ForgotPassword)
+		csrf.POST("/forgot-password", authRateLimiter.Middleware(), authHandler.ForgotPassword)
 		csrf.GET("/reset-password", authHandler.ResetPasswordForm)
 		csrf.POST("/reset-password", authHandler.ResetPassword)
 
diff --git a/internal/middleware/ratelimit.go b/internal/middleware/ratelimit.go
new file mode 100644
index 0000000..da1c670
--- /dev/null
+++ b/internal/middleware/ratelimit.go
@@ -0,0 +1,86 @@
+package middleware
+
+import (
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/gin-gonic/gin"
+)
+
+type ipRecord struct {
+	mu        sync.Mutex
+	timestamps []time.Time
+}
+
+// RateLimiter holds the per-IP rate limiting state.
+type RateLimiter struct {
+	ips    sync.Map // map[string]*ipRecord
+	limit  int
+	window time.Duration
+}
+
+// NewRateLimiter creates a rate limiter that allows `limit` requests per `window` per IP.
+func NewRateLimiter(limit int, window time.Duration) *RateLimiter {
+	rl := &RateLimiter{
+		limit:  limit,
+		window: window,
+	}
+	// Periodically clean up stale entries
+	go rl.cleanup()
+	return rl
+}
+
+// cleanup removes entries that have no recent timestamps every 5 minutes.
+func (rl *RateLimiter) cleanup() {
+	ticker := time.NewTicker(5 * time.Minute)
+	for range ticker.C {
+		now := time.Now()
+		rl.ips.Range(func(key, value any) bool {
+			rec := value.(*ipRecord)
+			rec.mu.Lock()
+			if len(rec.timestamps) == 0 || now.Sub(rec.timestamps[len(rec.timestamps)-1]) > rl.window {
+				rec.mu.Unlock()
+				rl.ips.Delete(key)
+			} else {
+				rec.mu.Unlock()
+			}
+			return true
+		})
+	}
+}
+
+// Middleware returns a Gin middleware that enforces the rate limit.
+func (rl *RateLimiter) Middleware() gin.HandlerFunc {
+	return func(c *gin.Context) {
+		ip := c.ClientIP()
+
+		val, _ := rl.ips.LoadOrStore(ip, &ipRecord{})
+		rec := val.(*ipRecord)
+
+		rec.mu.Lock()
+		now := time.Now()
+		cutoff := now.Add(-rl.window)
+
+		// Remove timestamps outside the sliding window
+		valid := 0
+		for _, t := range rec.timestamps {
+			if t.After(cutoff) {
+				rec.timestamps[valid] = t
+				valid++
+			}
+		}
+		rec.timestamps = rec.timestamps[:valid]
+
+		if len(rec.timestamps) >= rl.limit {
+			rec.mu.Unlock()
+			c.AbortWithStatus(http.StatusTooManyRequests)
+			return
+		}
+
+		rec.timestamps = append(rec.timestamps, now)
+		rec.mu.Unlock()
+
+		c.Next()
+	}
+}

From ace0c06362c4bbb8b34f30c740e9e2a947217013 Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 15:59:54 -0800
Subject: [PATCH 06/21] Sanitize Content-Disposition filename in downloads

Fixes #17

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 internal/handlers/public/tickets.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/internal/handlers/public/tickets.go b/internal/handlers/public/tickets.go
index de704bb..a8ebfcc 100644
--- a/internal/handlers/public/tickets.go
+++ b/internal/handlers/public/tickets.go
@@ -2,6 +2,7 @@ package public
 
 import (
 	"io"
+	"mime"
 	"net/http"
 	"sort"
 	"strconv"
@@ -531,7 +532,7 @@ func (h *TicketHandler) proxyAssetDownload(c *gin.Context, assetURL, filename st
 		contentType = "application/octet-stream"
 	}
 	c.Header("Content-Type", contentType)
-	c.Header("Content-Disposition", "attachment; filename=\""+filename+"\"")
+	c.Header("Content-Disposition", mime.FormatMediaType("attachment", map[string]string{"filename": filename}))
 	if cl := resp.Header.Get("Content-Length"); cl != "" {
 		c.Header("Content-Length", cl)
 	}

From bcc912077dbf716a6acd00e71885036e47c3f043 Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 16:00:56 -0800
Subject: [PATCH 07/21] Add security response headers

Fixes #18

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 internal/handlers/admin/routes.go  |  1 +
 internal/handlers/public/routes.go |  1 +
 internal/middleware/middleware.go  | 12 ++++++++++++
 3 files changed, 14 insertions(+)

diff --git a/internal/handlers/admin/routes.go b/internal/handlers/admin/routes.go
index 0d8d0cd..d214d15 100644
--- a/internal/handlers/admin/routes.go
+++ b/internal/handlers/admin/routes.go
@@ -29,6 +29,7 @@ func NewRouter(deps Dependencies) *gin.Engine {
 	r.Use(middleware.RequestID)
 	r.Use(middleware.Logging)
 	r.Use(middleware.Recovery)
+	r.Use(middleware.SecurityHeaders(strings.HasPrefix(deps.Config.BaseURL, "https")))
 
 	tsAuth := &TailscaleAuth{allowedUsers: deps.Config.TailscaleAllowedUsers}
 	r.Use(tsAuth.Middleware)
diff --git a/internal/handlers/public/routes.go b/internal/handlers/public/routes.go
index 1aa6cc7..f704936 100644
--- a/internal/handlers/public/routes.go
+++ b/internal/handlers/public/routes.go
@@ -31,6 +31,7 @@ func NewRouter(deps Dependencies) *gin.Engine {
 	r.Use(middleware.RequestID)
 	r.Use(middleware.Logging)
 	r.Use(middleware.Recovery)
+	r.Use(middleware.SecurityHeaders(strings.HasPrefix(deps.Config.BaseURL, "https")))
 	r.Use(deps.Auth.SessionMiddleware)
 
 	csrfSecret := []byte(deps.Config.SessionSecret)
diff --git a/internal/middleware/middleware.go b/internal/middleware/middleware.go
index 7fc3d03..48378a1 100644
--- a/internal/middleware/middleware.go
+++ b/internal/middleware/middleware.go
@@ -44,3 +44,15 @@ func Recovery(c *gin.Context) {
 	}()
 	c.Next()
 }
+
+func SecurityHeaders(secure bool) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		c.Header("X-Content-Type-Options", "nosniff")
+		c.Header("X-Frame-Options", "DENY")
+		c.Header("Referrer-Policy", "strict-origin-when-cross-origin")
+		if secure {
+			c.Header("Strict-Transport-Security", "max-age=63072000; includeSubDomains")
+		}
+		c.Next()
+	}
+}

From 244e530d4ab03f75d2fa07d4fa38908786cee11a Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 16:02:01 -0800
Subject: [PATCH 08/21] Escape user-supplied values in HTML email templates

Fixes #19

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 internal/email/templates.go | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/internal/email/templates.go b/internal/email/templates.go
index 4d36510..5f7bfe6 100644
--- a/internal/email/templates.go
+++ b/internal/email/templates.go
@@ -1,6 +1,9 @@
 package email
 
-import "fmt"
+import (
+	"fmt"
+	"html"
+)
 
 func emailWrapper(content string) string {
 	return fmt.Sprintf(`<!DOCTYPE html>
@@ -24,7 +27,7 @@ func renderVerificationEmail(name, verifyURL string) string {
 </p>
 <p>Or copy and paste this link into your browser:</p>
 <p style="word-break: break-all; color: #2563eb;">%s</p>
-<p>This link expires in 24 hours.</p>`, name, verifyURL, verifyURL))
+<p>This link expires in 24 hours.</p>`, html.EscapeString(name), verifyURL, verifyURL))
 }
 
 func renderPasswordResetEmail(name, resetURL string) string {
@@ -37,7 +40,7 @@ func renderPasswordResetEmail(name, resetURL string) string {
 </p>
 <p>Or copy and paste this link into your browser:</p>
 <p style="word-break: break-all; color: #2563eb;">%s</p>
-<p>This link expires in 1 hour. If you didn't request this, please ignore this email.</p>`, name, resetURL, resetURL))
+<p>This link expires in 1 hour. If you didn't request this, please ignore this email.</p>`, html.EscapeString(name), resetURL, resetURL))
 }
 
 func renderTicketClosedEmail(name, ticketTitle, ticketURL string) string {
@@ -48,7 +51,7 @@ func renderTicketClosedEmail(name, ticketTitle, ticketURL string) string {
 <p style="margin: 30px 0;">
   <a href="%s" style="background: #2563eb; color: #fff; padding: 12px 24px; text-decoration: none; border-radius: 6px; font-weight: 500;">View Ticket</a>
 </p>
-<p>If you believe the issue is not fully resolved, you can add a comment on the ticket page.</p>`, name, ticketTitle, ticketURL))
+<p>If you believe the issue is not fully resolved, you can add a comment on the ticket page.</p>`, html.EscapeString(name), html.EscapeString(ticketTitle), ticketURL))
 }
 
 func renderTicketReplyEmail(name, ticketTitle, ticketURL string) string {
@@ -58,7 +61,7 @@ func renderTicketReplyEmail(name, ticketTitle, ticketURL string) string {
 <p>There is a new reply on your ticket <strong>"%s"</strong>.</p>
 <p style="margin: 30px 0;">
   <a href="%s" style="background: #2563eb; color: #fff; padding: 12px 24px; text-decoration: none; border-radius: 6px; font-weight: 500;">View Ticket</a>
-</p>`, name, ticketTitle, ticketURL))
+</p>`, html.EscapeString(name), html.EscapeString(ticketTitle), ticketURL))
 }
 
 func renderAccountApprovedEmail(name, loginURL string) string {
@@ -68,7 +71,7 @@ func renderAccountApprovedEmail(name, loginURL string) string {
 <p>Your account request has been approved. You can now log in and start creating tickets.</p>
 <p style="margin: 30px 0;">
   <a href="%s" style="background: #2563eb; color: #fff; padding: 12px 24px; text-decoration: none; border-radius: 6px; font-weight: 500;">Log In</a>
-</p>`, name, loginURL))
+</p>`, html.EscapeString(name), loginURL))
 }
 
 func renderWelcomeEmail(name, email, tempPassword, loginURL string) string {
@@ -83,5 +86,5 @@ func renderWelcomeEmail(name, email, tempPassword, loginURL string) string {
 <p style="margin: 30px 0;">
   <a href="%s" style="background: #2563eb; color: #fff; padding: 12px 24px; text-decoration: none; border-radius: 6px; font-weight: 500;">Log In</a>
 </p>
-<p>Please change your password after logging in.</p>`, name, email, tempPassword, loginURL))
+<p>Please change your password after logging in.</p>`, html.EscapeString(name), html.EscapeString(email), html.EscapeString(tempPassword), loginURL))
 }

From 1af9d67525c92f0f635c15a2b49facc76b62b9d2 Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 16:03:05 -0800
Subject: [PATCH 09/21] Require minimum 32-byte SESSION_SECRET

Fixes #20
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 internal/config/config.go      |  4 ++--
 internal/config/config_test.go | 18 +++++++++---------
 2 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/internal/config/config.go b/internal/config/config.go
index e86b0a9..5602a91 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -77,8 +77,8 @@ func Load() (*Config, error) {
 	if cfg.DatabaseURL == "" {
 		return nil, fmt.Errorf("DATABASE_URL is required")
 	}
-	if cfg.SessionSecret == "" {
-		return nil, fmt.Errorf("SESSION_SECRET is required")
+	if len(cfg.SessionSecret) < 32 {
+		return nil, fmt.Errorf("SESSION_SECRET must be at least 32 characters")
 	}
 
 	return cfg, nil
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index e59d1f8..e22ff99 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -25,7 +25,7 @@ func clearConfigEnv(t *testing.T) {
 
 func TestLoad_MissingDatabaseURL(t *testing.T) {
 	clearConfigEnv(t)
-	t.Setenv("SESSION_SECRET", "secret-value")
+	t.Setenv("SESSION_SECRET", "test-session-secret-that-is-32ch")
 	// DATABASE_URL is not set
 
 	_, err := Load()
@@ -49,7 +49,7 @@ func TestLoad_MissingSessionSecret(t *testing.T) {
 		t.Fatal("expected error when SESSION_SECRET is missing, got nil")
 	}
 
-	expected := "SESSION_SECRET is required"
+	expected := "SESSION_SECRET must be at least 32 characters"
 	if err.Error() != expected {
 		t.Errorf("expected error %q, got %q", expected, err.Error())
 	}
@@ -58,7 +58,7 @@ func TestLoad_MissingSessionSecret(t *testing.T) {
 func TestLoad_Success(t *testing.T) {
 	clearConfigEnv(t)
 	t.Setenv("DATABASE_URL", "postgres://localhost/test")
-	t.Setenv("SESSION_SECRET", "my-secret")
+	t.Setenv("SESSION_SECRET", "test-session-secret-that-is-32ch")
 
 	cfg, err := Load()
 	if err != nil {
@@ -68,15 +68,15 @@ func TestLoad_Success(t *testing.T) {
 	if cfg.DatabaseURL != "postgres://localhost/test" {
 		t.Errorf("expected DatabaseURL %q, got %q", "postgres://localhost/test", cfg.DatabaseURL)
 	}
-	if cfg.SessionSecret != "my-secret" {
-		t.Errorf("expected SessionSecret %q, got %q", "my-secret", cfg.SessionSecret)
+	if cfg.SessionSecret != "test-session-secret-that-is-32ch" {
+		t.Errorf("expected SessionSecret %q, got %q", "test-session-secret-that-is-32ch", cfg.SessionSecret)
 	}
 }
 
 func TestLoad_DefaultValues(t *testing.T) {
 	clearConfigEnv(t)
 	t.Setenv("DATABASE_URL", "postgres://localhost/test")
-	t.Setenv("SESSION_SECRET", "my-secret")
+	t.Setenv("SESSION_SECRET", "test-session-secret-that-is-32ch")
 
 	cfg, err := Load()
 	if err != nil {
@@ -100,7 +100,7 @@ func TestLoad_DefaultValues(t *testing.T) {
 func TestLoad_OverrideDefaults(t *testing.T) {
 	clearConfigEnv(t)
 	t.Setenv("DATABASE_URL", "postgres://localhost/test")
-	t.Setenv("SESSION_SECRET", "my-secret")
+	t.Setenv("SESSION_SECRET", "test-session-secret-that-is-32ch")
 	t.Setenv("PUBLIC_ADDR", ":9090")
 	t.Setenv("ADMIN_ADDR", ":9091")
 	t.Setenv("BASE_URL", "https://example.com")
@@ -124,7 +124,7 @@ func TestLoad_OverrideDefaults(t *testing.T) {
 func TestLoad_TailscaleAllowedUsers(t *testing.T) {
 	clearConfigEnv(t)
 	t.Setenv("DATABASE_URL", "postgres://localhost/test")
-	t.Setenv("SESSION_SECRET", "my-secret")
+	t.Setenv("SESSION_SECRET", "test-session-secret-that-is-32ch")
 	t.Setenv("TAILSCALE_ALLOWED_USERS", "alice@example.com, bob@example.com , charlie@example.com")
 
 	cfg, err := Load()
@@ -147,7 +147,7 @@ func TestLoad_TailscaleAllowedUsers(t *testing.T) {
 func TestLoad_EmptyTailscaleAllowedUsers(t *testing.T) {
 	clearConfigEnv(t)
 	t.Setenv("DATABASE_URL", "postgres://localhost/test")
-	t.Setenv("SESSION_SECRET", "my-secret")
+	t.Setenv("SESSION_SECRET", "test-session-secret-that-is-32ch")
 	// TAILSCALE_ALLOWED_USERS not set
 
 	cfg, err := Load()

From f4049d301548fb94bdeba83af10e1e916be34f92 Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 16:03:43 -0800
Subject: [PATCH 10/21] Limit webhook body size to 1MB

Fixes #21
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 internal/forgejo/webhook.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/forgejo/webhook.go b/internal/forgejo/webhook.go
index 75fd0a1..3f3f307 100644
--- a/internal/forgejo/webhook.go
+++ b/internal/forgejo/webhook.go
@@ -39,7 +39,7 @@ func VerifyWebhookSignature(r *http.Request, secret string) ([]byte, error) {
 		return nil, fmt.Errorf("missing X-Forgejo-Signature header")
 	}
 
-	body, err := io.ReadAll(r.Body)
+	body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
 	if err != nil {
 		return nil, fmt.Errorf("read body: %w", err)
 	}

From b6c15e4d5c79337305b3e373ff714c0f474b7963 Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 16:04:08 -0800
Subject: [PATCH 11/21] Add logging for SSO user creation

Fixes #22
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 internal/handlers/public/sso.go | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/internal/handlers/public/sso.go b/internal/handlers/public/sso.go
index 940a315..5adbb47 100644
--- a/internal/handlers/public/sso.go
+++ b/internal/handlers/public/sso.go
@@ -98,7 +98,11 @@ func (h *SSOHandler) HandleSSO(c *gin.Context) {
 				c.String(http.StatusInternalServerError, "failed to create user")
 				return
 			}
+		} else {
+			log.Info().Str("email", email).Str("name", name).Str("repo", slug).Msg("SSO: created new user")
 		}
+	} else {
+		log.Info().Str("email", email).Str("repo", slug).Msg("SSO: existing user logged in")
 	}
 
 	// Update existing user if needed

From c24f712cb6ac4f38006abde55b61d4649235a963 Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 16:05:33 -0800
Subject: [PATCH 12/21] Remove dummy user_id from OAuth state sessions

Use a simple signed cookie for OAuth state instead of PGStore,
which required a dummy user_id placeholder to satisfy the session
store's save logic.

Fixes #24
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 internal/handlers/public/oauth.go | 54 ++++++++++++++++++++-----------
 1 file changed, 36 insertions(+), 18 deletions(-)

diff --git a/internal/handlers/public/oauth.go b/internal/handlers/public/oauth.go
index 839f4b0..bb903fe 100644
--- a/internal/handlers/public/oauth.go
+++ b/internal/handlers/public/oauth.go
@@ -53,12 +53,16 @@ func (h *OAuthHandler) Login(c *gin.Context) {
 	}
 
 	state := generateState()
-	session, _ := h.deps.SessionStore.Get(c.Request, "oauth_state")
-	session.Values["state"] = state
-	session.Values["user_id"] = "00000000-0000-0000-0000-000000000000" // placeholder for save
-	if err := session.Save(c.Request, c.Writer); err != nil {
-		log.Error().Err(err).Msg("save oauth state error")
-	}
+	isSecure := strings.HasPrefix(h.deps.Config.BaseURL, "https")
+	http.SetCookie(c.Writer, &http.Cookie{
+		Name:     "oauth_state",
+		Value:    state,
+		Path:     "/",
+		MaxAge:   600, // 10 minutes
+		HttpOnly: true,
+		Secure:   isSecure,
+		SameSite: http.SameSiteLaxMode,
+	})
 
 	url := provider.Config.AuthCodeURL(state, oauth2.AccessTypeOffline)
 	c.Redirect(http.StatusTemporaryRedirect, url)
@@ -73,12 +77,17 @@ func (h *OAuthHandler) Callback(c *gin.Context) {
 	}
 
 	// Verify state
-	session, _ := h.deps.SessionStore.Get(c.Request, "oauth_state")
-	expectedState, _ := session.Values["state"].(string)
-	if c.Query("state") != expectedState {
+	stateCookie, err := c.Request.Cookie("oauth_state")
+	if err != nil || c.Query("state") != stateCookie.Value {
 		c.String(http.StatusBadRequest, "Invalid state parameter")
 		return
 	}
+	// Clear the state cookie
+	http.SetCookie(c.Writer, &http.Cookie{
+		Name:   "oauth_state",
+		Path:   "/",
+		MaxAge: -1,
+	})
 
 	code := c.Query("code")
 	token, err := provider.Config.Exchange(c.Request.Context(), code)
@@ -137,12 +146,16 @@ func (h *OAuthHandler) appleLogin(c *gin.Context) {
 	}
 
 	state := generateState()
-	session, _ := h.deps.SessionStore.Get(c.Request, "oauth_state")
-	session.Values["state"] = state
-	session.Values["user_id"] = "00000000-0000-0000-0000-000000000000"
-	if err := session.Save(c.Request, c.Writer); err != nil {
-		log.Error().Err(err).Msg("save oauth state error")
-	}
+	isSecure := strings.HasPrefix(h.deps.Config.BaseURL, "https")
+	http.SetCookie(c.Writer, &http.Cookie{
+		Name:     "oauth_state",
+		Value:    state,
+		Path:     "/",
+		MaxAge:   600, // 10 minutes
+		HttpOnly: true,
+		Secure:   isSecure,
+		SameSite: http.SameSiteNoneMode, // Apple uses form_post cross-origin
+	})
 
 	url := appleProvider.Config.AuthCodeURL(state, oauth2.AccessTypeOffline, auth.AppleAuthCodeOption())
 	c.Redirect(http.StatusTemporaryRedirect, url)
@@ -164,12 +177,17 @@ func (h *OAuthHandler) AppleCallback(c *gin.Context) {
 	code := c.PostForm("code")
 	state := c.PostForm("state")
 
-	session, _ := h.deps.SessionStore.Get(c.Request, "oauth_state")
-	expectedState, _ := session.Values["state"].(string)
-	if state != expectedState {
+	stateCookie, err := c.Request.Cookie("oauth_state")
+	if err != nil || state != stateCookie.Value {
 		c.String(http.StatusBadRequest, "Invalid state parameter")
 		return
 	}
+	// Clear the state cookie
+	http.SetCookie(c.Writer, &http.Cookie{
+		Name:   "oauth_state",
+		Path:   "/",
+		MaxAge: -1,
+	})
 
 	token, err := appleProvider.ExchangeCode(c.Request.Context(), code)
 	if err != nil {

From d780a3403a5dfa8f483c441dd4b59a81d5465ed5 Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 16:06:41 -0800
Subject: [PATCH 13/21] Verify Apple ID token signature against JWKS

Fixes #25

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 internal/auth/apple.go | 64 ++++++++++++++++++++++++++++++++++++++----
 1 file changed, 59 insertions(+), 5 deletions(-)

diff --git a/internal/auth/apple.go b/internal/auth/apple.go
index cbf8e1d..6138ad8 100644
--- a/internal/auth/apple.go
+++ b/internal/auth/apple.go
@@ -2,11 +2,15 @@ package auth
 
 import (
 	"context"
+	"crypto/rsa"
 	"crypto/x509"
+	"encoding/base64"
 	"encoding/json"
 	"encoding/pem"
 	"fmt"
 	"io"
+	"math/big"
+	"net/http"
 	"os"
 	"time"
 
@@ -81,11 +85,61 @@ func (p *AppleProvider) getUserInfo(ctx context.Context, token *oauth2.Token) (*
 		return nil, fmt.Errorf("missing id_token")
 	}
 
-	// Parse without verification since we already got the token from Apple
-	parser := jwt.NewParser(jwt.WithoutClaimsValidation())
-	parsed, _, err := parser.ParseUnverified(idToken, jwt.MapClaims{})
+	// Fetch Apple's JWKS
+	resp, err := http.Get("https://appleid.apple.com/auth/keys")
 	if err != nil {
-		return nil, fmt.Errorf("parse id_token: %w", err)
+		return nil, fmt.Errorf("fetch apple JWKS: %w", err)
+	}
+	defer resp.Body.Close()
+
+	var jwks struct {
+		Keys []struct {
+			Kty string `json:"kty"`
+			Kid string `json:"kid"`
+			Use string `json:"use"`
+			Alg string `json:"alg"`
+			N   string `json:"n"`
+			E   string `json:"e"`
+		} `json:"keys"`
+	}
+	if err := json.NewDecoder(resp.Body).Decode(&jwks); err != nil {
+		return nil, fmt.Errorf("decode apple JWKS: %w", err)
+	}
+
+	// Parse and verify the token
+	parsed, err := jwt.Parse(idToken, func(t *jwt.Token) (interface{}, error) {
+		kid, ok := t.Header["kid"].(string)
+		if !ok {
+			return nil, fmt.Errorf("missing kid header")
+		}
+
+		for _, key := range jwks.Keys {
+			if key.Kid == kid {
+				// Decode RSA public key from JWK
+				nBytes, err := base64.RawURLEncoding.DecodeString(key.N)
+				if err != nil {
+					return nil, fmt.Errorf("decode key N: %w", err)
+				}
+				eBytes, err := base64.RawURLEncoding.DecodeString(key.E)
+				if err != nil {
+					return nil, fmt.Errorf("decode key E: %w", err)
+				}
+
+				e := 0
+				for _, b := range eBytes {
+					e = e*256 + int(b)
+				}
+
+				return &rsa.PublicKey{
+					N: new(big.Int).SetBytes(nBytes),
+					E: e,
+				}, nil
+			}
+		}
+		return nil, fmt.Errorf("key %s not found in JWKS", kid)
+	})
+	if err != nil {
+		return nil, fmt.Errorf("verify id_token: %w", err)
 	}
 
 	claims, ok := parsed.Claims.(jwt.MapClaims)
@@ -99,7 +153,7 @@ func (p *AppleProvider) getUserInfo(ctx context.Context, token *oauth2.Token) (*
 	return &OAuthUserInfo{
 		ProviderUserID: sub,
 		Email:          email,
-		Name:           email, // Apple may not provide name in id_token
+		Name:           email,
 	}, nil
 }
 

From c56b8030109a4047b0c6686bfc4eafe748ac07f9 Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 16:07:31 -0800
Subject: [PATCH 14/21] Validate proxy download URL host to prevent SSRF

Fixes #26
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 internal/forgejo/client.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/internal/forgejo/client.go b/internal/forgejo/client.go
index 14b5a6a..69dd7fe 100644
--- a/internal/forgejo/client.go
+++ b/internal/forgejo/client.go
@@ -868,7 +868,20 @@ func (c *Client) GetAttachmentURL(apiURL string) (string, error) {
 }
 
 // ProxyDownload fetches a file from the given Forgejo URL with authentication and streams it back.
+// The URL host must match the configured Forgejo base URL to prevent SSRF.
 func (c *Client) ProxyDownload(downloadURL string) (*http.Response, error) {
+	parsed, err := url.Parse(downloadURL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid download URL: %w", err)
+	}
+	base, err := url.Parse(c.baseURL)
+	if err != nil {
+		return nil, fmt.Errorf("invalid base URL: %w", err)
+	}
+	if parsed.Host != base.Host {
+		return nil, fmt.Errorf("download URL host %q does not match Forgejo host %q", parsed.Host, base.Host)
+	}
+
 	httpReq, err := http.NewRequest("GET", downloadURL, nil)
 	if err != nil {
 		return nil, err

From 576187298872ccf1b13b654f4b42e1d7d7e6f1ec Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 16:12:25 -0800
Subject: [PATCH 15/21] Pin Mermaid.js version with SRI integrity hash

Fixes #27
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 web/templates/layouts/base.html | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/web/templates/layouts/base.html b/web/templates/layouts/base.html
index debf7f3..d22cc0a 100644
--- a/web/templates/layouts/base.html
+++ b/web/templates/layouts/base.html
@@ -15,11 +15,17 @@
         </main>
     </div>
     <span class="hidden ring-blue-400 bg-blue-50 border-blue-400 hover:text-red-500"></span>
-    <script type="module">
+    <script>
       if (document.querySelector('pre.mermaid')) {
-        const { default: mermaid } = await import('https://cdn.jsdelivr.net/npm/mermaid@11/dist/mermaid.esm.min.mjs');
-        mermaid.initialize({ startOnLoad: false, theme: 'default' });
-        await mermaid.run();
+        var s = document.createElement('script');
+        s.src = 'https://cdn.jsdelivr.net/npm/mermaid@11.4.1/dist/mermaid.min.js';
+        s.integrity = 'sha384-rbtjAdnIQE/aQJGEgXrVUlMibdfTSa4PQju4HDhN3sR2PmaKFzhEafuePsl9H/9I';
+        s.crossOrigin = 'anonymous';
+        s.onload = function() {
+          mermaid.initialize({ startOnLoad: false, theme: 'default' });
+          mermaid.run();
+        };
+        document.body.appendChild(s);
       }
     </script>
 </body>

From f839444d3b59ff19547cfedaf073944664688198 Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 16:12:47 -0800
Subject: [PATCH 16/21] Disable static file directory listing

Fixes #28
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 internal/handlers/public/routes.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/handlers/public/routes.go b/internal/handlers/public/routes.go
index 1aa6cc7..e67f8fa 100644
--- a/internal/handlers/public/routes.go
+++ b/internal/handlers/public/routes.go
@@ -41,7 +41,7 @@ func NewRouter(deps Dependencies) *gin.Engine {
 		c.String(http.StatusOK, "ok")
 	})
 
-	r.Static("/static", "web/static")
+	r.StaticFS("/static", gin.Dir("web/static", false))
 
 	webhookHandler := &WebhookHandler{deps: deps}
 	r.POST("/webhooks/forgejo/:repoSlug", webhookHandler.HandleForgejoWebhook)

From b8ff9df7ca921c2e9fea74941d1366dff6772b22 Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 16:13:02 -0800
Subject: [PATCH 17/21] Add server binary to .gitignore

Fixes #29
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 .gitignore | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.gitignore b/.gitignore
index 63c9b33..a5c70b8 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,5 +1,6 @@
 # Binary
 forgejo-tickets
+server
 
 # Environment
 .env

From cba9b5c408461972f39ea74e89f042e21e7f4a60 Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 16:14:01 -0800
Subject: [PATCH 18/21] Add password complexity requirements

Require at least one uppercase letter, one lowercase letter, and one
digit in addition to the existing 8-character minimum.

Fixes #31
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 internal/handlers/public/auth.go | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)

diff --git a/internal/handlers/public/auth.go b/internal/handlers/public/auth.go
index d61a06b..6a245b1 100644
--- a/internal/handlers/public/auth.go
+++ b/internal/handlers/public/auth.go
@@ -4,6 +4,7 @@ import (
 	"net/http"
 	"net/url"
 	"strings"
+	"unicode"
 
 	"github.com/gin-gonic/gin"
 	"github.com/mattnite/forgejo-tickets/internal/auth"
@@ -11,6 +12,28 @@ import (
 	"github.com/rs/zerolog/log"
 )
 
+// validatePassword checks password complexity requirements.
+func validatePassword(password string) string {
+	if len(password) < 8 {
+		return "Password must be at least 8 characters"
+	}
+	var hasUpper, hasLower, hasDigit bool
+	for _, r := range password {
+		switch {
+		case unicode.IsUpper(r):
+			hasUpper = true
+		case unicode.IsLower(r):
+			hasLower = true
+		case unicode.IsDigit(r):
+			hasDigit = true
+		}
+	}
+	if !hasUpper || !hasLower || !hasDigit {
+		return "Password must contain at least one uppercase letter, one lowercase letter, and one digit"
+	}
+	return ""
+}
+
 type AuthHandler struct {
 	deps Dependencies
 }
@@ -85,8 +108,8 @@ func (h *AuthHandler) Register(c *gin.Context) {
 		return
 	}
 
-	if len(password) < 8 {
-		data["Error"] = "Password must be at least 8 characters"
+	if errMsg := validatePassword(password); errMsg != "" {
+		data["Error"] = errMsg
 		h.deps.Renderer.Render(c.Writer, c.Request, "register", data)
 		return
 	}
@@ -189,10 +212,10 @@ func (h *AuthHandler) ResetPassword(c *gin.Context) {
 		return
 	}
 
-	if len(password) < 8 {
+	if errMsg := validatePassword(password); errMsg != "" {
 		h.deps.Renderer.Render(c.Writer, c.Request, "reset-password", map[string]interface{}{
 			"Token": token,
-			"Error": "Password must be at least 8 characters",
+			"Error": errMsg,
 		})
 		return
 	}

From f258429557499aee98bea1b5e9682d7c27a19f1a Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 16:15:02 -0800
Subject: [PATCH 19/21] Add account lockout after failed login attempts

Fixes #32

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 internal/auth/auth.go | 43 ++++++++++++++++++++++++++++++++++++++++---
 1 file changed, 40 insertions(+), 3 deletions(-)

diff --git a/internal/auth/auth.go b/internal/auth/auth.go
index 9d27c2f..c2bced6 100644
--- a/internal/auth/auth.go
+++ b/internal/auth/auth.go
@@ -4,6 +4,8 @@ import (
 	"context"
 	"fmt"
 	"net/http"
+	"sync"
+	"time"
 
 	"github.com/google/uuid"
 	"github.com/mattnite/forgejo-tickets/internal/email"
@@ -12,10 +14,21 @@ import (
 	"gorm.io/gorm"
 )
 
+const (
+	maxLoginAttempts = 5
+	lockoutDuration  = 15 * time.Minute
+)
+
+type loginAttempt struct {
+	count    int
+	lastFail time.Time
+}
+
 type Service struct {
-	db    *gorm.DB
-	store *PGStore
-	email *email.Client
+	db            *gorm.DB
+	store         *PGStore
+	email         *email.Client
+	loginAttempts sync.Map
 }
 
 func NewService(db *gorm.DB, store *PGStore, emailClient *email.Client) *Service {
@@ -48,8 +61,21 @@ func (s *Service) Register(ctx context.Context, emailAddr, password, name string
 }
 
 func (s *Service) Login(ctx context.Context, emailAddr, password string) (*models.User, error) {
+	// Check if the account is locked due to too many failed attempts
+	if val, ok := s.loginAttempts.Load(emailAddr); ok {
+		attempt := val.(*loginAttempt)
+		if attempt.count >= maxLoginAttempts && time.Since(attempt.lastFail) < lockoutDuration {
+			return nil, fmt.Errorf("account temporarily locked, try again later")
+		}
+		// Reset if the lockout window has expired
+		if time.Since(attempt.lastFail) >= lockoutDuration {
+			s.loginAttempts.Delete(emailAddr)
+		}
+	}
+
 	var user models.User
 	if err := s.db.WithContext(ctx).Where("email = ?", emailAddr).First(&user).Error; err != nil {
+		s.recordFailedAttempt(emailAddr)
 		return nil, fmt.Errorf("invalid email or password")
 	}
 
@@ -58,6 +84,7 @@ func (s *Service) Login(ctx context.Context, emailAddr, password string) (*model
 	}
 
 	if err := bcrypt.CompareHashAndPassword([]byte(*user.PasswordHash), []byte(password)); err != nil {
+		s.recordFailedAttempt(emailAddr)
 		return nil, fmt.Errorf("invalid email or password")
 	}
 
@@ -69,9 +96,19 @@ func (s *Service) Login(ctx context.Context, emailAddr, password string) (*model
 		return nil, fmt.Errorf("your account is pending admin approval")
 	}
 
+	// Clear failed attempts on successful login
+	s.loginAttempts.Delete(emailAddr)
+
 	return &user, nil
 }
 
+func (s *Service) recordFailedAttempt(emailAddr string) {
+	val, _ := s.loginAttempts.LoadOrStore(emailAddr, &loginAttempt{})
+	attempt := val.(*loginAttempt)
+	attempt.count++
+	attempt.lastFail = time.Now()
+}
+
 func (s *Service) CreateSession(r *http.Request, w http.ResponseWriter, userID uuid.UUID) error {
 	session, err := s.store.Get(r, sessionCookieName)
 	if err != nil {

From 8603b0bfb50e7dad9121f36b8ad09a7346d41767 Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 16:19:06 -0800
Subject: [PATCH 20/21] Use session-based flash messages instead of query
 params

Fixes #33

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 internal/handlers/admin/users.go  | 23 +++++-----------
 internal/handlers/public/auth.go  | 23 +++++-----------
 internal/handlers/public/oauth.go | 16 ++++-------
 internal/middleware/flash.go      | 46 +++++++++++++++++++++++++++++++
 internal/templates/render.go      |  9 ++----
 5 files changed, 68 insertions(+), 49 deletions(-)
 create mode 100644 internal/middleware/flash.go

diff --git a/internal/handlers/admin/users.go b/internal/handlers/admin/users.go
index d7328cf..3ccc7a5 100644
--- a/internal/handlers/admin/users.go
+++ b/internal/handlers/admin/users.go
@@ -4,12 +4,12 @@ import (
 	"crypto/rand"
 	"encoding/hex"
 	"net/http"
-	"net/url"
 	"strings"
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
 	"github.com/mattnite/forgejo-tickets/internal/forgejo"
+	"github.com/mattnite/forgejo-tickets/internal/middleware"
 	"github.com/mattnite/forgejo-tickets/internal/models"
 	"github.com/rs/zerolog/log"
 )
@@ -202,11 +202,8 @@ func (h *UserHandler) Approve(c *gin.Context) {
 		log.Error().Err(err).Msg("send approval email error")
 	}
 
-	redirectURL := "/users/pending?" + url.Values{
-		"flash":      {"User " + user.Email + " has been approved"},
-		"flash_type": {"success"},
-	}.Encode()
-	c.Redirect(http.StatusSeeOther, redirectURL)
+	middleware.SetFlash(c, "success", "User "+user.Email+" has been approved")
+	c.Redirect(http.StatusSeeOther, "/users/pending")
 }
 
 func (h *UserHandler) Reject(c *gin.Context) {
@@ -222,11 +219,8 @@ func (h *UserHandler) Reject(c *gin.Context) {
 		return
 	}
 
-	redirectURL := "/users/pending?" + url.Values{
-		"flash":      {"User request has been rejected"},
-		"flash_type": {"success"},
-	}.Encode()
-	c.Redirect(http.StatusSeeOther, redirectURL)
+	middleware.SetFlash(c, "success", "User request has been rejected")
+	c.Redirect(http.StatusSeeOther, "/users/pending")
 }
 
 func (h *UserHandler) UpdateRepos(c *gin.Context) {
@@ -257,9 +251,6 @@ func (h *UserHandler) UpdateRepos(c *gin.Context) {
 		h.deps.DB.Create(&models.UserRepo{UserID: userID, RepoID: repoID})
 	}
 
-	redirectURL := "/users/" + userID.String() + "?" + url.Values{
-		"flash":      {"Project assignments updated"},
-		"flash_type": {"success"},
-	}.Encode()
-	c.Redirect(http.StatusSeeOther, redirectURL)
+	middleware.SetFlash(c, "success", "Project assignments updated")
+	c.Redirect(http.StatusSeeOther, "/users/"+userID.String())
 }
diff --git a/internal/handlers/public/auth.go b/internal/handlers/public/auth.go
index d61a06b..1e029f2 100644
--- a/internal/handlers/public/auth.go
+++ b/internal/handlers/public/auth.go
@@ -2,11 +2,11 @@ package public
 
 import (
 	"net/http"
-	"net/url"
 	"strings"
 
 	"github.com/gin-gonic/gin"
 	"github.com/mattnite/forgejo-tickets/internal/auth"
+	"github.com/mattnite/forgejo-tickets/internal/middleware"
 	"github.com/mattnite/forgejo-tickets/internal/models"
 	"github.com/rs/zerolog/log"
 )
@@ -111,11 +111,8 @@ func (h *AuthHandler) Register(c *gin.Context) {
 		}
 	}
 
-	redirectURL := "/login?" + url.Values{
-		"flash":      {"Account requested! Please check your email to verify your address. After verification, an admin will review your request."},
-		"flash_type": {"success"},
-	}.Encode()
-	c.Redirect(http.StatusSeeOther, redirectURL)
+	middleware.SetFlash(c, "success", "Account requested! Please check your email to verify your address. After verification, an admin will review your request.")
+	c.Redirect(http.StatusSeeOther, "/login")
 }
 
 func (h *AuthHandler) Logout(c *gin.Context) {
@@ -138,11 +135,8 @@ func (h *AuthHandler) VerifyEmail(c *gin.Context) {
 		return
 	}
 
-	redirectURL := "/login?" + url.Values{
-		"flash":      {"Email verified successfully. Your account is pending admin approval."},
-		"flash_type": {"success"},
-	}.Encode()
-	c.Redirect(http.StatusSeeOther, redirectURL)
+	middleware.SetFlash(c, "success", "Email verified successfully. Your account is pending admin approval.")
+	c.Redirect(http.StatusSeeOther, "/login")
 }
 
 func (h *AuthHandler) ForgotPasswordForm(c *gin.Context) {
@@ -206,9 +200,6 @@ func (h *AuthHandler) ResetPassword(c *gin.Context) {
 		return
 	}
 
-	redirectURL := "/login?" + url.Values{
-		"flash":      {"Password reset successfully. You can now log in."},
-		"flash_type": {"success"},
-	}.Encode()
-	c.Redirect(http.StatusSeeOther, redirectURL)
+	middleware.SetFlash(c, "success", "Password reset successfully. You can now log in.")
+	c.Redirect(http.StatusSeeOther, "/login")
 }
diff --git a/internal/handlers/public/oauth.go b/internal/handlers/public/oauth.go
index 839f4b0..af83a01 100644
--- a/internal/handlers/public/oauth.go
+++ b/internal/handlers/public/oauth.go
@@ -4,11 +4,11 @@ import (
 	"crypto/rand"
 	"encoding/hex"
 	"net/http"
-	"net/url"
 	"strings"
 
 	"github.com/gin-gonic/gin"
 	"github.com/mattnite/forgejo-tickets/internal/auth"
+	"github.com/mattnite/forgejo-tickets/internal/middleware"
 	"github.com/rs/zerolog/log"
 	"golang.org/x/oauth2"
 )
@@ -98,11 +98,8 @@ func (h *OAuthHandler) Callback(c *gin.Context) {
 	user, err := h.deps.Auth.FindOrCreateOAuthUser(c.Request.Context(), provider.Name, info)
 	if err != nil {
 		if strings.Contains(err.Error(), "pending admin approval") {
-			redirectURL := "/login?" + url.Values{
-				"flash":      {err.Error()},
-				"flash_type": {"info"},
-			}.Encode()
-			c.Redirect(http.StatusSeeOther, redirectURL)
+			middleware.SetFlash(c, "info", err.Error())
+			c.Redirect(http.StatusSeeOther, "/login")
 			return
 		}
 		log.Error().Err(err).Msg("find or create oauth user error")
@@ -196,11 +193,8 @@ func (h *OAuthHandler) AppleCallback(c *gin.Context) {
 	user, err := h.deps.Auth.FindOrCreateOAuthUser(c.Request.Context(), "apple", info)
 	if err != nil {
 		if strings.Contains(err.Error(), "pending admin approval") {
-			redirectURL := "/login?" + url.Values{
-				"flash":      {err.Error()},
-				"flash_type": {"info"},
-			}.Encode()
-			c.Redirect(http.StatusSeeOther, redirectURL)
+			middleware.SetFlash(c, "info", err.Error())
+			c.Redirect(http.StatusSeeOther, "/login")
 			return
 		}
 		log.Error().Err(err).Msg("find or create apple user error")
diff --git a/internal/middleware/flash.go b/internal/middleware/flash.go
new file mode 100644
index 0000000..fd3167c
--- /dev/null
+++ b/internal/middleware/flash.go
@@ -0,0 +1,46 @@
+package middleware
+
+import (
+	"encoding/base64"
+	"net/http"
+	"strings"
+
+	"github.com/gin-gonic/gin"
+)
+
+// SetFlash sets a flash message cookie that will be consumed on the next render.
+func SetFlash(c *gin.Context, flashType, message string) {
+	// Encode as "type:message" in base64 to avoid cookie value issues
+	value := base64.StdEncoding.EncodeToString([]byte(flashType + ":" + message))
+	http.SetCookie(c.Writer, &http.Cookie{
+		Name:     "flash",
+		Value:    value,
+		Path:     "/",
+		MaxAge:   60,
+		HttpOnly: true,
+		SameSite: http.SameSiteLaxMode,
+	})
+}
+
+// GetFlash reads and clears the flash message cookie.
+func GetFlash(r *http.Request, w http.ResponseWriter) (flashType, message string) {
+	cookie, err := r.Cookie("flash")
+	if err != nil || cookie.Value == "" {
+		return "", ""
+	}
+	// Clear the cookie
+	http.SetCookie(w, &http.Cookie{
+		Name:   "flash",
+		Path:   "/",
+		MaxAge: -1,
+	})
+	data, err := base64.StdEncoding.DecodeString(cookie.Value)
+	if err != nil {
+		return "", ""
+	}
+	parts := strings.SplitN(string(data), ":", 2)
+	if len(parts) != 2 {
+		return "", ""
+	}
+	return parts[0], parts[1]
+}
diff --git a/internal/templates/render.go b/internal/templates/render.go
index f9872c7..3e1d1e7 100644
--- a/internal/templates/render.go
+++ b/internal/templates/render.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/gorilla/csrf"
 	"github.com/mattnite/forgejo-tickets/internal/auth"
+	"github.com/mattnite/forgejo-tickets/internal/middleware"
 	"github.com/mattnite/forgejo-tickets/internal/models"
 )
 
@@ -103,12 +104,8 @@ func (r *Renderer) Render(w http.ResponseWriter, req *http.Request, name string,
 		Data:      data,
 	}
 
-	if msg := req.URL.Query().Get("flash"); msg != "" {
-		flashType := req.URL.Query().Get("flash_type")
-		if flashType == "" {
-			flashType = "info"
-		}
-		pd.Flash = &Flash{Type: flashType, Message: msg}
+	if flashType, flashMsg := middleware.GetFlash(req, w); flashMsg != "" {
+		pd.Flash = &Flash{Type: flashType, Message: flashMsg}
 	}
 
 	var buf bytes.Buffer

From 9449b271f54607f05a06d87547de4685db3a409a Mon Sep 17 00:00:00 2001
From: Matthew Knight <mattnite@proton.me>
Date: Tue, 17 Feb 2026 16:20:24 -0800
Subject: [PATCH 21/21] Add periodic cleanup for expired email tokens

Fixes #34
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 cmd/server/main.go      |  1 +
 internal/auth/tokens.go | 18 ++++++++++++++++++
 2 files changed, 19 insertions(+)

diff --git a/cmd/server/main.go b/cmd/server/main.go
index 313a976..ae49668 100644
--- a/cmd/server/main.go
+++ b/cmd/server/main.go
@@ -62,6 +62,7 @@ func main() {
 	defer cancel()
 
 	go sessionStore.Cleanup(ctx, 30*time.Minute)
+	go authService.CleanupExpiredTokens(ctx, 1*time.Hour)
 
 	publicRouter := publichandlers.NewRouter(publichandlers.Dependencies{
 		DB:            db,
diff --git a/internal/auth/tokens.go b/internal/auth/tokens.go
index ec8a438..a4f0c59 100644
--- a/internal/auth/tokens.go
+++ b/internal/auth/tokens.go
@@ -10,6 +10,7 @@ import (
 
 	"github.com/google/uuid"
 	"github.com/mattnite/forgejo-tickets/internal/models"
+	"github.com/rs/zerolog/log"
 	"golang.org/x/crypto/bcrypt"
 )
 
@@ -85,6 +86,23 @@ func (s *Service) redeemToken(ctx context.Context, plainToken string, tokenType
 	return &user, nil
 }
 
+// CleanupExpiredTokens periodically deletes expired and used email tokens.
+func (s *Service) CleanupExpiredTokens(ctx context.Context, interval time.Duration) {
+	ticker := time.NewTicker(interval)
+	defer ticker.Stop()
+	for {
+		select {
+		case <-ctx.Done():
+			return
+		case <-ticker.C:
+			result := s.db.Where("expires_at <= ? OR used_at IS NOT NULL", time.Now()).Delete(&models.EmailToken{})
+			if result.Error != nil {
+				log.Error().Err(result.Error).Msg("email token cleanup error")
+			}
+		}
+	}
+}
+
 func hashToken(plainToken string) string {
 	h := sha256.Sum256([]byte(plainToken))
 	return hex.EncodeToString(h[:])