diff --git a/.env.example b/.env.example
index 6910cb0f..6e9627bb 100644
--- a/.env.example
+++ b/.env.example
@@ -33,4 +33,18 @@ THALIA_COVER_SEARCH_ENABLED=false # For research only. Do not use in production
# TLS / reverse proxy settings
# Forwarded headers are trusted only from matching IPs. "*" trusts all proxies.
-FORWARDED_ALLOW_IPS=*
\ No newline at end of file
+FORWARDED_ALLOW_IPS=*
+
+# Password reset email settings (SMTP)
+# For local development, use Mailpit: mail_server=mailpit mail_port=1025 mail_username="" mail_password="" mail_starttls=False mail_ssl_tls=False
+# In docker-compose: mail_server=mailpit mail_port=1025
+MAIL_SERVER=
+MAIL_PORT=587
+MAIL_USERNAME=
+MAIL_PASSWORD=
+MAIL_FROM=
+MAIL_FROM_NAME=LibrisLog
+MAIL_STARTTLS=True
+MAIL_SSL_TLS=False
+PUBLIC_APP_URL=http://localhost:5173
+PASSWORD_RESET_TOKEN_MAX_AGE=3600
\ No newline at end of file
diff --git a/backend/alembic/versions/784de5d2bf69_add_credentials_version_to_user.py b/backend/alembic/versions/784de5d2bf69_add_credentials_version_to_user.py
new file mode 100644
index 00000000..7a1dbd8d
--- /dev/null
+++ b/backend/alembic/versions/784de5d2bf69_add_credentials_version_to_user.py
@@ -0,0 +1,26 @@
+"""add_credentials_version_to_user
+
+Revision ID: 784de5d2bf69
+Revises: 1a2b3c4d5e6f
+Create Date: 2026-06-22 10:01:24.732359
+
+"""
+
+from typing import Sequence, Union
+
+from alembic import op
+import sqlalchemy as sa
+
+
+revision: str = "784de5d2bf69"
+down_revision: Union[str, Sequence[str], None] = "1a2b3c4d5e6f"
+branch_labels: Union[str, Sequence[str], None] = None
+depends_on: Union[str, Sequence[str], None] = None
+
+
+def upgrade() -> None:
+ op.add_column("user", sa.Column("credentials_version", sa.Integer(), nullable=False, server_default="0"))
+
+
+def downgrade() -> None:
+ op.drop_column("user", "credentials_version")
diff --git a/backend/app/auth.py b/backend/app/auth.py
index 2a5a39a3..e1fbc294 100644
--- a/backend/app/auth.py
+++ b/backend/app/auth.py
@@ -14,6 +14,8 @@
from passlib.context import CryptContext
from sqlmodel import Session, select
+from itsdangerous import URLSafeTimedSerializer
+
from app.config import settings
from app.database import get_session
from app.models import ApiKey, User, UserRole
@@ -140,6 +142,37 @@ def get_embed_token_prefix(token: str) -> str:
return token[:12]
+# --- Password reset token utilities ---
+
+_password_reset_serializer = URLSafeTimedSerializer(
+ secret_key=settings.api_key_encryption_key,
+ salt="password-reset",
+)
+
+
+def generate_password_reset_token(email: str, credentials_version: int = 0) -> str:
+ """Generate a signed, time-limited token for resetting a user's password."""
+ return _password_reset_serializer.dumps({
+ "email": email,
+ "credentials_version": credentials_version,
+ })
+
+
+def verify_password_reset_token(token: str, max_age: int = 3600) -> dict | None:
+ """Verify a password reset token and return the payload.
+
+ Returns a dict with 'email' and 'credentials_version' if the token is valid
+ and not expired, otherwise None.
+ """
+ try:
+ result = _password_reset_serializer.loads(token, max_age=max_age)
+ if isinstance(result, dict) and "email" in result and "credentials_version" in result:
+ return result
+ return None
+ except Exception:
+ return None
+
+
api_key_header = APIKeyHeader(name="X-API-Key", auto_error=False)
@@ -191,6 +224,13 @@ def require_user(
if user_id is not None:
user = session.get(User, user_id)
if user is not None:
+ session_cv = request.session.get("credentials_version", 0)
+ if user.credentials_version != session_cv:
+ request.session.clear()
+ raise HTTPException(
+ status_code=status.HTTP_401_UNAUTHORIZED,
+ detail="Session expired, please log in again",
+ )
if request.method in {"POST", "PUT", "PATCH", "DELETE"}:
csrf_token = request.session.get("csrf_token")
if not csrf_token or not x_csrf_token or x_csrf_token != csrf_token:
@@ -210,10 +250,11 @@ def require_admin(user: User = Depends(require_user)) -> User:
return user
-def start_browser_session(request: Request, user_id: int) -> None:
+def start_browser_session(request: Request, user_id: int, credentials_version: int = 0) -> None:
"""Start an authenticated browser session by storing user_id and a CSRF token."""
request.session["user_id"] = user_id
request.session["csrf_token"] = secrets.token_urlsafe(32)
+ request.session["credentials_version"] = credentials_version
def clear_browser_session(request: Request) -> None:
diff --git a/backend/app/config.py b/backend/app/config.py
index 708d4900..ebf8adeb 100644
--- a/backend/app/config.py
+++ b/backend/app/config.py
@@ -42,6 +42,16 @@ class Settings(BaseSettings):
hardcover_app_api_token: str = ""
thalia_cover_search_enabled: bool = False
embed_enabled: bool = True
+ mail_server: str = ""
+ mail_port: int = 587
+ mail_username: str = ""
+ mail_password: str = ""
+ mail_from: str = ""
+ mail_from_name: str = "LibrisLog"
+ mail_starttls: bool = True
+ mail_ssl_tls: bool = False
+ password_reset_token_max_age: int = 3600
+ public_app_url: str = "http://localhost:5173"
forwarded_allow_ips: str = "*"
@field_validator("api_key_encryption_key")
diff --git a/backend/app/email.py b/backend/app/email.py
new file mode 100644
index 00000000..4687e4ab
--- /dev/null
+++ b/backend/app/email.py
@@ -0,0 +1,46 @@
+"""Email sending utilities using fastapi-mail."""
+
+import logging
+
+from fastapi_mail import ConnectionConfig, FastMail, MessageSchema, MessageType
+
+from app.config import settings
+from app.i18n import translate
+
+logger = logging.getLogger(__name__)
+
+
+def _connection_config() -> ConnectionConfig:
+ return ConnectionConfig(
+ MAIL_USERNAME=settings.mail_username,
+ MAIL_PASSWORD=settings.mail_password,
+ MAIL_FROM=settings.mail_from,
+ MAIL_PORT=settings.mail_port,
+ MAIL_SERVER=settings.mail_server,
+ MAIL_FROM_NAME=settings.mail_from_name,
+ MAIL_STARTTLS=settings.mail_starttls,
+ MAIL_SSL_TLS=settings.mail_ssl_tls,
+ USE_CREDENTIALS=bool(settings.mail_username) and bool(settings.mail_password),
+ VALIDATE_CERTS=True,
+ )
+
+
+async def send_password_reset_email(recipient: str, reset_url: str, locale: str = "en") -> None:
+ conf = _connection_config()
+ duration_minutes = settings.password_reset_token_max_age // 60
+ message = MessageSchema(
+ subject=translate("email.passwordResetSubject", locale=locale),
+ recipients=[recipient],
+ body=translate(
+ "email.passwordResetBody",
+ locale=locale,
+ duration_minutes=str(duration_minutes),
+ reset_url=reset_url,
+ ),
+ subtype=MessageType.html,
+ )
+ fm = FastMail(conf)
+ try:
+ await fm.send_message(message)
+ except Exception:
+ logger.exception("Failed to send password reset email to %s", recipient)
diff --git a/backend/app/i18n/__init__.py b/backend/app/i18n/__init__.py
new file mode 100644
index 00000000..a0b18508
--- /dev/null
+++ b/backend/app/i18n/__init__.py
@@ -0,0 +1,32 @@
+"""Simple backend i18n using locale JSON files."""
+
+import json
+from functools import lru_cache
+from pathlib import Path
+
+
+@lru_cache(maxsize=32)
+def _load_translations(locale: str) -> dict:
+ i18n_dir = Path(__file__).resolve().parent
+ path = i18n_dir / f"{locale}.json"
+ if not path.exists():
+ path = i18n_dir / "en.json"
+ with open(path, encoding="utf-8") as f:
+ return json.load(f)
+
+
+def translate(key: str, locale: str = "en", **kwargs: str) -> str:
+ """Resolve a dot-separated key in the locale JSON and interpolate {placeholders}."""
+ translations = _load_translations(locale)
+ parts = key.split(".")
+ value: object = translations
+ for part in parts:
+ if isinstance(value, dict):
+ value = value.get(part, "")
+ else:
+ value = ""
+ if not isinstance(value, str):
+ value = ""
+ if kwargs:
+ value = value.format(**kwargs)
+ return value
diff --git a/backend/app/i18n/de.json b/backend/app/i18n/de.json
index 8bf72d56..30ef7d52 100644
--- a/backend/app/i18n/de.json
+++ b/backend/app/i18n/de.json
@@ -8,5 +8,9 @@
"pages": "Seiten",
"avg_pages": "Seiten/Buch"
}
+ },
+ "email": {
+ "passwordResetSubject": "Passwort zurücksetzen – LibrisLog",
+ "passwordResetBody": "\n\nDu hast das Zurücksetzen deines Passworts für dein LibrisLog-Konto beantragt.
\nKlicke auf den Link unten, um dein Passwort zurückzusetzen. Dieser Link ist {duration_minutes} Minuten gültig.
\n{reset_url}
\nFalls du dies nicht angefordert hast, ignoriere bitte diese E-Mail.
\n\n"
}
}
diff --git a/backend/app/i18n/en.json b/backend/app/i18n/en.json
index 12651e10..2bf70410 100644
--- a/backend/app/i18n/en.json
+++ b/backend/app/i18n/en.json
@@ -8,5 +8,9 @@
"pages": "Pages",
"avg_pages": "Avg/Book"
}
+ },
+ "email": {
+ "passwordResetSubject": "Password Reset – LibrisLog",
+ "passwordResetBody": "\n\nYou have requested a password reset for your LibrisLog account.
\nClick the link below to reset your password. This link is valid for {duration_minutes} minutes.
\n{reset_url}
\nIf you did not request this, please ignore this email.
\n\n"
}
}
diff --git a/backend/app/i18n/es.json b/backend/app/i18n/es.json
index 87048454..edc47b8e 100644
--- a/backend/app/i18n/es.json
+++ b/backend/app/i18n/es.json
@@ -8,5 +8,9 @@
"pages": "Páginas",
"avg_pages": "Páginas/Libro"
}
+ },
+ "email": {
+ "passwordResetSubject": "Restablecer contraseña – LibrisLog",
+ "passwordResetBody": "\n\nHas solicitado un restablecimiento de contraseña para tu cuenta de LibrisLog.
\nHaz clic en el enlace de abajo para restablecer tu contraseña. Este enlace es válido por {duration_minutes} minutos.
\n{reset_url}
\nSi no solicitaste esto, ignora este correo electrónico.
\n\n"
}
}
diff --git a/backend/app/i18n/fr.json b/backend/app/i18n/fr.json
index 21bb30b2..d1bdee09 100644
--- a/backend/app/i18n/fr.json
+++ b/backend/app/i18n/fr.json
@@ -8,5 +8,9 @@
"pages": "Pages",
"avg_pages": "Pages/Livre"
}
+ },
+ "email": {
+ "passwordResetSubject": "Réinitialisation du mot de passe – LibrisLog",
+ "passwordResetBody": "\n\nVous avez demandé une réinitialisation de mot de passe pour votre compte LibrisLog.
\nCliquez sur le lien ci-dessous pour réinitialiser votre mot de passe. Ce lien est valable {duration_minutes} minutes.
\n{reset_url}
\nSi vous n'avez pas demandé cela, veuillez ignorer cet e-mail.
\n\n"
}
}
diff --git a/backend/app/i18n/zh.json b/backend/app/i18n/zh.json
index c757466a..1ade7c15 100644
--- a/backend/app/i18n/zh.json
+++ b/backend/app/i18n/zh.json
@@ -8,5 +8,9 @@
"pages": "页数",
"avg_pages": "每本页数"
}
+ },
+ "email": {
+ "passwordResetSubject": "密码重置 – LibrisLog",
+ "passwordResetBody": "\n\n您已请求重置 LibrisLog 帐户的密码。
\n点击下面的链接重置您的密码。此链接有效期为 {duration_minutes} 分钟。
\n{reset_url}
\n如果您没有请求此操作,请忽略此邮件。
\n\n"
}
}
diff --git a/backend/app/main.py b/backend/app/main.py
index 5674e95a..79638caa 100644
--- a/backend/app/main.py
+++ b/backend/app/main.py
@@ -66,6 +66,12 @@ async def lifespan(app: FastAPI):
Path(settings.import_temp_dir).mkdir(parents=True, exist_ok=True)
cleanup_temp_files()
+ if not settings.mail_server.strip() or not settings.mail_from.strip():
+ logger.warning(
+ "MAIL_SERVER or MAIL_FROM is not configured — password reset emails will not be sent. "
+ "See .env.example for mail setup instructions."
+ )
+
maintenance_task = asyncio.create_task(_periodic_maintenance())
yield
maintenance_task.cancel()
diff --git a/backend/app/models.py b/backend/app/models.py
index 6668665f..ade3412a 100644
--- a/backend/app/models.py
+++ b/backend/app/models.py
@@ -127,6 +127,10 @@ class User(SQLModel, table=True):
email: str = Field(index=True, unique=True)
role: UserRole = Field(default=UserRole.user, index=True)
hashed_password: str
+ credentials_version: int = Field(
+ default=0,
+ sa_column=Column(sa.Integer, default=0, nullable=False)
+ )
created_at: datetime = Field(
default_factory=utcnow,
sa_column=Column(UtcDateTime, default=utcnow)
diff --git a/backend/app/routers/auth.py b/backend/app/routers/auth.py
index 3ac97f87..de90bea0 100644
--- a/backend/app/routers/auth.py
+++ b/backend/app/routers/auth.py
@@ -1,19 +1,30 @@
-"""Authentication endpoints — login, logout, setup, session, and CSRF."""
+"""Authentication endpoints — login, logout, setup, session, CSRF, and password reset."""
-from fastapi import APIRouter, Depends, HTTPException, Request, status
+from fastapi import APIRouter, BackgroundTasks, Depends, HTTPException, Request, status
from sqlmodel import Session, select
from app.auth import (
clear_browser_session,
ensure_password_complexity,
+ generate_password_reset_token,
get_password_hash,
require_user,
start_browser_session,
+ verify_password_reset_token,
verify_password,
)
+from app.config import settings
from app.database import get_session
+from app.email import send_password_reset_email
from app.models import User, UserRole, UserSettings
-from app.schemas import SetupRequest, UserLogin, UserRead
+from app.schemas import (
+ ForgotPasswordRequest,
+ ResetPasswordRequest,
+ SetupRequest,
+ UserLogin,
+ UserRead,
+)
+from app.time_utils import utcnow
router = APIRouter(prefix="/api/auth", tags=["auth"])
@@ -56,7 +67,7 @@ def setup(
session.add(UserSettings(user_id=user.id, language="en"))
session.commit()
- start_browser_session(http_request, user.id)
+ start_browser_session(http_request, user.id, user.credentials_version)
return {"user": UserRead.model_validate(user)}
@@ -71,7 +82,7 @@ def login(
if not user or not verify_password(credentials.password, user.hashed_password):
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Incorrect email or password")
- start_browser_session(http_request, user.id)
+ start_browser_session(http_request, user.id, user.credentials_version)
return {"user": UserRead.model_validate(user)}
@@ -95,3 +106,48 @@ def csrf_token(request: Request) -> dict:
if not token:
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Not authenticated")
return {"csrf_token": token}
+
+
+@router.post("/forgot-password", status_code=status.HTTP_200_OK)
+async def forgot_password(
+ body: ForgotPasswordRequest,
+ background_tasks: BackgroundTasks,
+ session: Session = Depends(get_session),
+) -> dict:
+ """Send a password reset email to the user.
+
+ Always returns 200 to prevent user enumeration.
+ """
+ user = session.exec(select(User).where(User.email == body.email)).first()
+ if user and settings.mail_server:
+ token = generate_password_reset_token(body.email, user.credentials_version)
+ reset_url = f"{settings.public_app_url}/reset-password?token={token}"
+ background_tasks.add_task(send_password_reset_email, body.email, reset_url, body.locale)
+ return {"message": "If the email is registered, a reset link has been sent"}
+
+
+@router.post("/reset-password", status_code=status.HTTP_200_OK)
+def reset_password(
+ body: ResetPasswordRequest,
+ session: Session = Depends(get_session),
+) -> dict:
+ """Reset a user's password using a valid reset token."""
+ payload = verify_password_reset_token(body.token, max_age=settings.password_reset_token_max_age)
+ if not payload:
+ raise HTTPException(
+ status_code=status.HTTP_400_BAD_REQUEST,
+ detail="Invalid or expired reset token",
+ )
+ user = session.exec(select(User).where(User.email == payload["email"])).first()
+ if not user or user.credentials_version != payload["credentials_version"]:
+ raise HTTPException(
+ status_code=status.HTTP_400_BAD_REQUEST,
+ detail="Invalid or expired reset token",
+ )
+ ensure_password_complexity(body.password)
+ user.hashed_password = get_password_hash(body.password)
+ user.credentials_version += 1
+ user.updated_at = utcnow()
+ session.add(user)
+ session.commit()
+ return {"message": "Password has been reset successfully"}
diff --git a/backend/app/routers/import_.py b/backend/app/routers/import_.py
index 3a9fc932..3690966e 100644
--- a/backend/app/routers/import_.py
+++ b/backend/app/routers/import_.py
@@ -133,7 +133,7 @@ async def import_book(
# Attempt to download and cache the cover locally; fall back to external URL.
cover_url = c.cover_url
if cover_url:
- async with httpx.AsyncClient(timeout=15.0) as client:
+ async with httpx.AsyncClient(timeout=15.0, follow_redirects=True) as client:
filename = await download_cover(cover_url, settings.covers_dir, client, current_user.id)
if filename:
cover_url = f"/api/covers/{filename}"
diff --git a/backend/app/routers/oidc.py b/backend/app/routers/oidc.py
index c65ab975..fde68a4c 100644
--- a/backend/app/routers/oidc.py
+++ b/backend/app/routers/oidc.py
@@ -143,7 +143,7 @@ async def oidc_callback(
logger.error("OIDC link points to missing user: link_id=%s user_id=%s", link.id, link.user_id)
return _frontend_warning_redirect("Linked user account no longer exists")
- start_browser_session(request, user.id)
+ start_browser_session(request, user.id, user.credentials_version)
return _frontend_success_redirect()
diff --git a/backend/app/schemas.py b/backend/app/schemas.py
index 96c3b018..e44ec19c 100644
--- a/backend/app/schemas.py
+++ b/backend/app/schemas.py
@@ -266,6 +266,18 @@ class UserLogin(SQLModel):
password: str
+class ForgotPasswordRequest(SQLModel):
+ """Request body to request a password reset email."""
+ email: str
+ locale: str = "en"
+
+
+class ResetPasswordRequest(SQLModel):
+ """Request body to reset a password using a token."""
+ token: str
+ password: str
+
+
class SetupRequest(SQLModel):
"""Initial admin setup request body."""
firstname: str
diff --git a/backend/app/services/cover_import.py b/backend/app/services/cover_import.py
index b3ce7c8d..27d7db16 100644
--- a/backend/app/services/cover_import.py
+++ b/backend/app/services/cover_import.py
@@ -88,5 +88,5 @@ async def import_cover_from_url(
Returns:
The local filename on success, or None on failure.
"""
- async with httpx.AsyncClient(timeout=timeout_seconds, follow_redirects=False) as client:
+ async with httpx.AsyncClient(timeout=timeout_seconds, follow_redirects=True) as client:
return await download_cover(url, covers_dir, client, user_id)
diff --git a/backend/app/services/data_import.py b/backend/app/services/data_import.py
index 2516669e..6605a245 100644
--- a/backend/app/services/data_import.py
+++ b/backend/app/services/data_import.py
@@ -682,7 +682,7 @@ async def execute_import(
transform_cache = _build_transform_cache(mapping)
- async with httpx.AsyncClient(timeout=15.0) as client:
+ async with httpx.AsyncClient(timeout=15.0, follow_redirects=True) as client:
for idx, row in enumerate(rows, start=1):
try:
row_transform_errors: list[str] = []
diff --git a/backend/pyproject.toml b/backend/pyproject.toml
index 4cd6ad4d..cb66ec5a 100644
--- a/backend/pyproject.toml
+++ b/backend/pyproject.toml
@@ -9,6 +9,7 @@ dependencies = [
"cachetools>=5.3.3",
"cryptography>=46.0.3",
"curl-cffi>=0.15.0",
+ "fastapi-mail>=1.4.2",
"fastapi>=0.136.1",
"httpx>=0.28.1",
"itsdangerous>=2.2.0",
diff --git a/docker-compose.dev.yml b/docker-compose.dev.yml
index 75300431..3c2f0221 100644
--- a/docker-compose.dev.yml
+++ b/docker-compose.dev.yml
@@ -15,6 +15,9 @@ services:
REQUESTS_CA_BUNDLE: /etc/ssl/certs/ca-certificates.crt # only needed if you use custom certificates in you environment
SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt # only needed if you use custom certificates in you environment
restart: unless-stopped
+ depends_on:
+ mailpit:
+ condition: service_started
frontend:
build:
@@ -26,3 +29,10 @@ services:
ports:
- "8001:80"
restart: unless-stopped
+
+ mailpit:
+ image: axllent/mailpit:latest
+ ports:
+ - "1025:1025"
+ - "8025:8025"
+ restart: unless-stopped
diff --git a/docs/api/index.md b/docs/api/index.md
index 4848d730..53b8bee5 100644
--- a/docs/api/index.md
+++ b/docs/api/index.md
@@ -103,6 +103,42 @@ curl -X POST \
| GET | `/api/import/search/stream` | Stream search progress |
| POST | `/api/import` | Import a candidate |
+### Authentication
+
+| Method | Endpoint | Description |
+|--------|----------|-------------|
+| POST | `/api/auth/setup` | Create first admin (only when no admin exists) |
+| POST | `/api/auth/login` | Log in with email and password |
+| POST | `/api/auth/logout` | Log out (clear session) |
+| GET | `/api/auth/me` | Get current user |
+| GET | `/api/auth/csrf` | Get CSRF token |
+| POST | `/api/auth/forgot-password` | Request a password reset email (always returns 200) |
+| POST | `/api/auth/reset-password` | Reset password using a token from the reset email |
+
+::: details Password Reset Endpoints
+These endpoints do not require an API key or session — they are public.
+
+**Forgot Password**
+
+```bash
+curl -X POST http://localhost:8000/api/auth/forgot-password \
+ -H "Content-Type: application/json" \
+ -d '{"email": "user@example.com", "locale": "en"}'
+```
+
+Always returns `200` with `{"message": "If the email is registered, a reset link has been sent"}` to prevent user enumeration. The `locale` field is optional (defaults to `en`) and controls the email language.
+
+**Reset Password**
+
+```bash
+curl -X POST http://localhost:8000/api/auth/reset-password \
+ -H "Content-Type: application/json" \
+ -d '{"token": "token-from-email", "password": "new-secure-password"}'
+```
+
+Returns `200` on success, `400` if the token is invalid/expired or the password doesn't meet complexity requirements. After a successful reset, all existing sessions for that user are invalidated.
+:::
+
## Error Handling
The API returns standard HTTP status codes:
diff --git a/docs/guide/configuration.md b/docs/guide/configuration.md
index b5078d83..d8292eb4 100644
--- a/docs/guide/configuration.md
+++ b/docs/guide/configuration.md
@@ -30,6 +30,39 @@ All configuration is done via environment variables in a `.env` file at the proj
| `OIDC_CLIENT_SECRET` | OIDC client secret |
| `OIDC_WELL_KNOWN_URL` | OIDC well-known configuration URL |
+## Password Reset / Email (Optional)
+
+Password reset is optional. If mail is not configured, the "Forgot password?" link on the login page still appears, but no reset email is sent. A warning is logged at startup when mail is not configured.
+
+| Variable | Description | Default |
+|----------|-------------|---------|
+| `MAIL_SERVER` | SMTP server hostname (e.g. `smtp.gmail.com`). Leave empty to disable password reset emails. | — |
+| `MAIL_PORT` | SMTP server port | `587` |
+| `MAIL_USERNAME` | SMTP username (leave empty for unauthenticated relay) | — |
+| `MAIL_PASSWORD` | SMTP password | — |
+| `MAIL_FROM` | Sender email address | — |
+| `MAIL_FROM_NAME` | Sender display name | `LibrisLog` |
+| `MAIL_STARTTLS` | Use STARTTLS (`True`/`False`) | `True` |
+| `MAIL_SSL_TLS` | Use implicit SSL/TLS (`True`/`False`) | `False` |
+| `PUBLIC_APP_URL` | Public URL of the frontend (used to build the reset link in emails) | `http://localhost:5173` |
+| `PASSWORD_RESET_TOKEN_MAX_AGE` | Reset token validity in seconds | `3600` (1 hour) |
+
+::: tip Local Development
+For local development, use [Mailpit](https://github.com/axllent/mailpit) (included in `docker-compose.dev.yml`):
+
+```bash
+MAIL_SERVER=localhost
+MAIL_PORT=1025
+MAIL_STARTTLS=False
+MAIL_SSL_TLS=False
+MAIL_USERNAME=
+MAIL_PASSWORD=
+MAIL_FROM=noreply@localhost
+```
+
+The Mailpit web UI is available at http://localhost:8025 to inspect sent emails.
+:::
+
## Book Import Sources
| Variable | Description |
@@ -99,4 +132,16 @@ DASHBOARD_QUOTE_CACHE_TTL=86400
PUBLIC_DEFAULT_LOCALE=en
MAX_IMPORT_FILE_SIZE_MB=100
MAX_IMPORT_ROW_COUNT=10000
+
+# Password reset (optional — leave empty to disable)
+MAIL_SERVER=
+MAIL_PORT=587
+MAIL_USERNAME=
+MAIL_PASSWORD=
+MAIL_FROM=
+MAIL_FROM_NAME=LibrisLog
+MAIL_STARTTLS=True
+MAIL_SSL_TLS=False
+PUBLIC_APP_URL=http://localhost:5173
+PASSWORD_RESET_TOKEN_MAX_AGE=3600
```
\ No newline at end of file
diff --git a/docs/guide/developer-setup.md b/docs/guide/developer-setup.md
index 2f7e2bbd..9f76e08d 100644
--- a/docs/guide/developer-setup.md
+++ b/docs/guide/developer-setup.md
@@ -12,6 +12,27 @@ docker compose -f docker-compose.dev.yml up -d --build
This builds fresh images using your local checkout. The `docker-compose.dev.yml` file mirrors the default compose file but uses `build:` directives instead of pulling pre-built images.
+### Mailpit (Email Testing)
+
+The dev compose file includes a [Mailpit](https://github.com/axllent/mailpit) service for testing password reset emails locally:
+
+- **SMTP**: `localhost:1025` (or `mailpit:1025` from within Docker)
+- **Web UI**: http://localhost:8025
+
+To enable password reset emails in dev, add these to your `.env`:
+
+```bash
+MAIL_SERVER=localhost
+MAIL_PORT=1025
+MAIL_STARTTLS=False
+MAIL_SSL_TLS=False
+MAIL_FROM=noreply@localhost
+MAIL_USERNAME=
+MAIL_PASSWORD=
+```
+
+If mail is not configured, a warning is logged at startup and the "Forgot password?" link on the login page will not send emails.
+
### Build Arguments
When building, you can override these arguments:
diff --git a/docs/guide/using-librislog/profile.md b/docs/guide/using-librislog/profile.md
index 02fa02b5..1655bfd8 100644
--- a/docs/guide/using-librislog/profile.md
+++ b/docs/guide/using-librislog/profile.md
@@ -8,6 +8,12 @@ The profile page is your personal settings hub. Access it by clicking your avata
Update your first name, last name, or password. The password field is optional — leave it blank to keep your current password. A password strength indicator and complexity requirements are shown below the input.
+::: tip Forgot your password?
+If you have forgotten your password and mail is configured, click the **"Forgot password?"** link on the login page. Enter your email address and a reset link will be sent to you. The link is valid for one hour and can only be used once. After a successful reset, all existing sessions are invalidated and you will need to log in again.
+
+This feature requires SMTP settings to be configured — see [Configuration](/guide/configuration#password-reset-email-optional).
+:::
+
## Language
Switch the UI language between available locales. The change applies immediately after saving.
diff --git a/frontend/src/lib/api.ts b/frontend/src/lib/api.ts
index 9378fd44..53c89443 100644
--- a/frontend/src/lib/api.ts
+++ b/frontend/src/lib/api.ts
@@ -130,6 +130,20 @@ export const api = {
logout(): Promise<{ message: string }> {
return request<{ message: string }>('/auth/logout', { method: 'POST' });
+ },
+
+ forgotPassword(data: { email: string; locale?: string }): Promise<{ message: string }> {
+ return request<{ message: string }>('/auth/forgot-password', {
+ method: 'POST',
+ body: JSON.stringify(data)
+ });
+ },
+
+ resetPassword(data: { token: string; password: string }): Promise<{ message: string }> {
+ return request<{ message: string }>('/auth/reset-password', {
+ method: 'POST',
+ body: JSON.stringify(data)
+ });
}
},
diff --git a/frontend/src/lib/chartjs/register.ts b/frontend/src/lib/chartjs/register.ts
index eaf87a62..c28b11e0 100644
--- a/frontend/src/lib/chartjs/register.ts
+++ b/frontend/src/lib/chartjs/register.ts
@@ -1,5 +1,6 @@
import {
- Chart as ChartJS,
+ Chart,
+ _adapters,
Title,
Tooltip,
Legend,
@@ -7,12 +8,13 @@ import {
LineElement,
PointElement,
CategoryScale,
- LinearScale
+ LinearScale,
+ TimeScale
} from 'chart.js';
import zoomPlugin from 'chartjs-plugin-zoom';
import { MatrixController, MatrixElement } from 'chartjs-chart-matrix';
-ChartJS.register(
+Chart.register(
Title,
Tooltip,
Legend,
@@ -21,9 +23,62 @@ ChartJS.register(
PointElement,
CategoryScale,
LinearScale,
+ TimeScale,
zoomPlugin,
MatrixController,
MatrixElement
);
-export { ChartJS };
+import dayjs from 'dayjs';
+import utc from 'dayjs/plugin/utc';
+import customParseFormat from 'dayjs/plugin/customParseFormat';
+import advancedFormat from 'dayjs/plugin/advancedFormat';
+import localizedFormat from 'dayjs/plugin/localizedFormat';
+import quarterOfYear from 'dayjs/plugin/quarterOfYear';
+import weekday from 'dayjs/plugin/weekday';
+
+dayjs.extend(utc);
+dayjs.extend(customParseFormat);
+dayjs.extend(advancedFormat);
+dayjs.extend(localizedFormat);
+dayjs.extend(quarterOfYear);
+dayjs.extend(weekday);
+
+const FORMATS: Record = {
+ datetime: 'MMM D, YYYY, h:mm:ss a',
+ millisecond: 'h:mm:ss.SSS a',
+ second: 'h:mm:ss a',
+ minute: 'h:mm a',
+ hour: 'hA',
+ day: 'MMM D',
+ week: 'll',
+ month: 'MMM YYYY',
+ quarter: '[Q]Q - YYYY',
+ year: 'YYYY'
+};
+
+_adapters._date.override({
+ _create: (time: number | string | Date) => dayjs.utc(time).valueOf(),
+ formats: () => FORMATS,
+ parse: (value: unknown, format?: string) => {
+ if (value === null || value === undefined) return null;
+ if (typeof value === 'string' && format) {
+ const d = dayjs.utc(value, format);
+ return d.isValid() ? d.valueOf() : null;
+ }
+ const d = dayjs.utc(value as string | number | Date);
+ return d.isValid() ? d.valueOf() : null;
+ },
+ format: (time: unknown, format: string) => dayjs.utc(time as number).format(format),
+ add: (time: unknown, amount: number, unit: string) => dayjs.utc(time as number).add(amount, unit as dayjs.ManipulateType).valueOf(),
+ diff: (max: unknown, min: unknown, unit: string) => dayjs.utc(max as number).diff(dayjs.utc(min as number), unit as dayjs.OpUnitType),
+ startOf: (time: unknown, unit: string, weekday?: number) => {
+ if (unit === 'isoWeek') {
+ return (dayjs.utc(time as number) as unknown as { weekday: (w: number) => { valueOf: () => number } }).weekday(weekday ?? 1).valueOf();
+ }
+ return dayjs.utc(time as number).startOf(unit as dayjs.OpUnitType).valueOf();
+ },
+ endOf: (time: unknown, unit: string) => dayjs.utc(time as number).endOf(unit as dayjs.OpUnitType).valueOf(),
+} as unknown as Parameters[0]);
+
+export { Chart as ChartJS };
diff --git a/frontend/src/lib/components/BookDetailDialog.svelte b/frontend/src/lib/components/BookDetailDialog.svelte
index 21929b5f..241399ca 100644
--- a/frontend/src/lib/components/BookDetailDialog.svelte
+++ b/frontend/src/lib/components/BookDetailDialog.svelte
@@ -224,11 +224,11 @@
});
const lineChartData = $derived.by(() => {
- if (uniqueDays.length < 1) return { labels: [] as string[], data: [] as number[] };
+ if (uniqueDays.length < 1) return { data: [] as Array<{ x: number; y: number }> };
const oldestEntry = uniqueDays[0];
const useStartDate = !!book?.date_started && formatDate(book.date_started, tz) < formatDate(oldestEntry.created_at, tz);
const rawStart = useStartDate ? book.date_started : (book?.date_added ?? null);
- if (!rawStart) return { labels: [] as string[], data: [] as number[] };
+ if (!rawStart) return { data: [] as Array<{ x: number; y: number }> };
const virtualEntry: ReadingProgressEntry = {
id: 0,
book_id: book?.id ?? 0,
@@ -238,8 +238,7 @@
};
const entries = [virtualEntry, ...uniqueDays];
return {
- labels: entries.map((e) => formatDate(e.created_at, tz)),
- data: entries.map((e) => e.page),
+ data: entries.map((e) => ({ x: new Date(e.created_at).getTime(), y: e.page })),
};
});
@@ -255,11 +254,11 @@
const lineChartConfig = $derived.by>(() => {
void _themeSignal;
return {
- labels: lineChartData.labels,
datasets: [
{
label: $_('book.currentPage'),
data: lineChartData.data,
+ parsing: false,
borderColor: getDaisyColorRgb('primary'),
backgroundColor: getDaisyColorRgb('primary'),
tension: 0.4,
@@ -286,6 +285,11 @@
},
scales: {
x: {
+ type: 'time',
+ time: {
+ displayFormats: { day: 'MMM D' },
+ tooltipFormat: 'YYYY-MM-DD HH:mm',
+ },
grid: { display: false },
ticks: {
maxTicksLimit: 6,
@@ -307,6 +311,30 @@
};
});
+ // ── Android back button: close drawer instead of navigating away ──────────
+ let _pushed = false;
+ let _popClosed = false;
+
+ $effect(() => {
+ if (open) {
+ history.pushState(null, '');
+ _pushed = true;
+ _popClosed = false;
+
+ const onPop = () => {
+ _popClosed = true;
+ open = false;
+ };
+ window.addEventListener('popstate', onPop);
+ return () => {
+ window.removeEventListener('popstate', onPop);
+ if (_pushed && !_popClosed) history.back();
+ _pushed = false;
+ _popClosed = false;
+ };
+ }
+ });
+
$effect(() => {
if (open && book) {
confirmDelete = false;
diff --git a/frontend/src/lib/components/BookDrawer.svelte b/frontend/src/lib/components/BookDrawer.svelte
index 7efd59e3..2563f33a 100644
--- a/frontend/src/lib/components/BookDrawer.svelte
+++ b/frontend/src/lib/components/BookDrawer.svelte
@@ -60,6 +60,30 @@
let date_finished = $state('');
let cover_url = $state(null);
+ // ── Android back button: close drawer instead of navigating away ──────────
+ let _pushed = false;
+ let _popClosed = false;
+
+ $effect(() => {
+ if (open) {
+ history.pushState(null, '');
+ _pushed = true;
+ _popClosed = false;
+
+ const onPop = () => {
+ _popClosed = true;
+ open = false;
+ };
+ window.addEventListener('popstate', onPop);
+ return () => {
+ window.removeEventListener('popstate', onPop);
+ if (_pushed && !_popClosed) history.back();
+ _pushed = false;
+ _popClosed = false;
+ };
+ }
+ });
+
$effect(() => {
if (book) {
title = book.title;
diff --git a/frontend/src/lib/components/SuggestionInput.svelte b/frontend/src/lib/components/SuggestionInput.svelte
index 54356ff1..0b412fb8 100644
--- a/frontend/src/lib/components/SuggestionInput.svelte
+++ b/frontend/src/lib/components/SuggestionInput.svelte
@@ -5,6 +5,8 @@
placeholder = '',
name = '',
disabled = false,
+ ariaLabel = '',
+ inputClass = 'input input-bordered w-full',
fetchSuggestions = async (_q: string): Promise => []
}: {
value?: string;
@@ -12,6 +14,8 @@
placeholder?: string;
name?: string;
disabled?: boolean;
+ ariaLabel?: string;
+ inputClass?: string;
fetchSuggestions?: (query: string) => Promise;
} = $props();
@@ -119,7 +123,7 @@
| undefined;
let updateInfo: UpdateInfo | null = $state(null);
- const isPublicAuthRoute = $derived(
- $page.url.pathname.startsWith('/setup') ||
- $page.url.pathname.startsWith('/login') ||
- $page.url.pathname.startsWith('/auth/oidc')
- );
+
+ function _isPublicAuthRoute(pathname: string): boolean {
+ return (
+ pathname.startsWith('/setup') ||
+ pathname.startsWith('/login') ||
+ pathname.startsWith('/reset-password') ||
+ pathname.startsWith('/auth/oidc')
+ );
+ }
+
+ const isPublicAuthRoute = $derived(_isPublicAuthRoute($page.url.pathname));
const showAppChrome = $derived(!isPublicAuthRoute && $currentUser !== null);
// Expose a way for pages to trigger open
@@ -71,17 +77,16 @@
await setupI18n();
i18nReady = true;
- // Wait for backend on login/setup/oidc routes so the page doesn't
+ // Wait for backend on public auth routes so the page doesn't
// render before the server is ready (e.g. OIDC config fetch).
const path = $page.url.pathname;
- if (path.startsWith('/login') || path.startsWith('/setup') || path.startsWith('/auth/oidc')) {
+ const isPublic = _isPublicAuthRoute(path);
+ if (isPublic) {
await waitForBackend();
}
backendReady = true;
const isSetupRoute = path.startsWith('/setup');
const isLoginRoute = path.startsWith('/login');
- const isOidcCallbackRoute = path.startsWith('/auth/oidc');
- const publicAuthRoute = isSetupRoute || isLoginRoute || isOidcCallbackRoute;
try {
const setup = await api.auth.setupRequired();
@@ -120,7 +125,7 @@
}
}
- if (!setup.required && !publicAuthRoute) {
+ if (!setup.required && !isPublic) {
try {
const me = await api.auth.me();
currentUser.set(me);
@@ -148,7 +153,7 @@
}
}
} catch {
- if (!publicAuthRoute) {
+ if (!isPublic) {
csrfToken.set(null);
window.location.href = '/login';
return;
diff --git a/frontend/src/routes/data-hygiene/+page.svelte b/frontend/src/routes/data-hygiene/+page.svelte
index 31e7dfe8..82494e00 100644
--- a/frontend/src/routes/data-hygiene/+page.svelte
+++ b/frontend/src/routes/data-hygiene/+page.svelte
@@ -7,6 +7,7 @@
import Alert from '$lib/components/Alert.svelte';
import BookDetailDialog from '$lib/components/BookDetailDialog.svelte';
import BookDrawer from '$lib/components/BookDrawer.svelte';
+ import SuggestionInput from '$lib/components/SuggestionInput.svelte';
import { LoaderCircle, X } from '@lucide/svelte';
import type { Book, HygieneAttribute, HygieneMissingBook } from '$lib/types';
@@ -450,6 +451,24 @@
placeholder={$_('dataHygiene.batchValuePlaceholder')}
aria-label={$_('dataHygiene.batchValueLabel')}
/>
+ {:else if batchField === 'author'}
+
api.books.suggestions.authors(q)}
+ />
+ {:else if batchField === 'publisher'}
+ api.books.suggestions.publishers(q)}
+ />
{:else}
{/if}
diff --git a/frontend/src/routes/login/+page.svelte b/frontend/src/routes/login/+page.svelte
index f7b18387..ae3b58a7 100644
--- a/frontend/src/routes/login/+page.svelte
+++ b/frontend/src/routes/login/+page.svelte
@@ -46,6 +46,12 @@
setLocale(next);
}
+ let forgotEmail = $state('');
+ let forgotLoading = $state(false);
+ let forgotSent = $state(false);
+ let forgotError = $state('');
+ let forgotDialog: HTMLDialogElement | undefined = $state();
+
async function submit() {
error = '';
loading = true;
@@ -87,6 +93,27 @@
}
}
+ async function forgotSubmit() {
+ forgotError = '';
+ forgotSent = false;
+ forgotLoading = true;
+ try {
+ await api.auth.forgotPassword({ email: forgotEmail, locale: selectedLanguage });
+ forgotSent = true;
+ } catch (e: unknown) {
+ forgotError = e instanceof Error ? e.message : $_('auth.forgotError');
+ } finally {
+ forgotLoading = false;
+ }
+ }
+
+ function openForgotDialog() {
+ forgotEmail = email;
+ forgotSent = false;
+ forgotError = '';
+ forgotDialog?.showModal();
+ }
+
function startOidcLogin() {
window.location.href = api.oidc.loginUrl();
}
@@ -144,6 +171,11 @@
disabled={loading}
/>
+
+
+
@@ -157,3 +189,46 @@
+
+
diff --git a/frontend/src/routes/reset-password/+page.svelte b/frontend/src/routes/reset-password/+page.svelte
new file mode 100644
index 00000000..82ccf87a
--- /dev/null
+++ b/frontend/src/routes/reset-password/+page.svelte
@@ -0,0 +1,90 @@
+
+
+
+
+
+ {#if noToken}
+
+ {$_('auth.resetPasswordMissingToken')}
+
+
+ {:else if success}
+
+ {$_('auth.resetPasswordSuccess')}
+
+
+ {:else}
+
{$_('auth.resetPasswordTitle')}
+
{$_('auth.resetPasswordInstruction')}
+ {#if error}
+
(error = '')}>
+ {error}
+
+ {/if}
+
+ {/if}
+
+
+