v0.1.5a: self-service password reset and email verification
What's New
Password reset by email
- Lost passwords are now self-service: the login page links to a reset form, and a single-use reset link (valid for one hour) is emailed to the account address
- Responses are identical whether or not the email matches an account, so addresses cannot be probed; requests are rate limited per IP
- Tokens are stored only as SHA-256 hashes, are single-use, and a completed reset retires every other outstanding reset link and signs the account out of all devices
- The admin panel reset remains available and unchanged
Email confirmation at signup (soft verify)
- New accounts receive a confirmation email with a 24 hour link; a banner reminds unconfirmed users with a one-click resend (rate limited, with a per-account cooldown)
- Nothing is gated on confirmation: every feature keeps working while unconfirmed
- Accounts that existed before this release are treated as already confirmed
- Signup now validates the email address format on the server
Transactional email infrastructure
- New internal/mail package sends through the Resend HTTP API from a configurable MAIL_FROM address
- Entirely optional: with RESEND_API_KEY unset, the mailer disables itself and both flows degrade gracefully (no errors, sends are logged and skipped)
Admin tools
- Superadmin "Check/Run Scrapers" button fetches every scraped source synchronously and renders a per-source report, covering the scrapers Force Data Refresh skips
- The admin dashboard's long tab row is now a grouped sidebar (Site Config, Users & Moderation, Community, Localization, Raids, System) with a single dropdown on phones
Smaller improvements
- Shiny search: searching any member of an evolution family returns the whole line
- Built-in bug report labels are fully protected from edits, matching the existing delete protection
- Translation persistence hardening and Platinum trainer avatars
- deploy.ps1 upload retries now report when a retry succeeds instead of recovering silently
- Migrate tool: the v0.1.4a baseline mapping was corrected (it shipped through section 41, the map said 40)
Upgrading from v0.1.4a
One new database section (42: transactional email). With a tracked install:
go run ./cmd/migrate -status # see applied vs pending
go run ./cmd/migrate # applies section 42First time using the migrate tool on an untracked install:
go run ./cmd/migrate -from v0.1.4a # baseline at your version, then apply the restOr apply migrate.sql section 42 manually. Then redeploy the binary and templates as usual.
Optional new environment variables: RESEND_API_KEY and MAIL_FROM enable transactional email (see the Configuration wiki page). Leave them unset and password reset and signup confirmation simply skip sending. BASE_URL controls the origin used in emailed links and defaults to the production site.
Fresh install
Run schema.sql only. It already reflects every migration through section 42 and seeds the migration history. Do not also run migrate.sql.
Documentation
- Accounts and Roles (new Email confirmation and Password reset sections)
- Configuration (transactional email variables)
- Database Guide (section 42, email_tokens)
- Deployment
- Getting Started