Marius Mutu
38259f3cfd
Pass current path as ?next= when bouncing unauthenticated requests to /echo/login; after successful auth, JS reads and validates the param (must start with /echo/, not /echo/login) before redirecting. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
289 lines
9.8 KiB
HTML
289 lines
9.8 KiB
HTML
<!DOCTYPE html>
|
|
<html lang="ro">
|
|
<head>
|
|
<meta charset="UTF-8">
|
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
|
<link rel="icon" type="image/svg+xml" href="/echo/favicon.svg">
|
|
<title>Echo — Autentificare</title>
|
|
<link rel="stylesheet" href="/echo/static/tokens.css">
|
|
<style>
|
|
*, *::before, *::after { box-sizing: border-box; }
|
|
|
|
html, body {
|
|
margin: 0;
|
|
padding: 0;
|
|
height: 100%;
|
|
}
|
|
|
|
body {
|
|
background: var(--bg-base, #13131a);
|
|
color: var(--text-primary);
|
|
font-family: var(--font-sans);
|
|
font-size: var(--text-base);
|
|
line-height: 1.5;
|
|
display: flex;
|
|
align-items: center;
|
|
justify-content: center;
|
|
min-height: 100vh;
|
|
padding: var(--space-6) var(--space-4);
|
|
-webkit-font-smoothing: antialiased;
|
|
-moz-osx-font-smoothing: grayscale;
|
|
}
|
|
|
|
.login-shell {
|
|
display: flex;
|
|
flex-direction: column;
|
|
align-items: center;
|
|
gap: var(--space-5);
|
|
width: min(380px, 100% - 48px);
|
|
}
|
|
|
|
.monogram {
|
|
font-family: var(--font-sans);
|
|
font-weight: 700;
|
|
font-size: 56px;
|
|
line-height: 1;
|
|
letter-spacing: -0.02em;
|
|
color: var(--accent);
|
|
user-select: none;
|
|
}
|
|
|
|
.login-card {
|
|
width: 100%;
|
|
background: var(--bg-surface);
|
|
border: 1px solid var(--border);
|
|
border-radius: var(--radius-md);
|
|
padding: var(--space-6);
|
|
box-shadow: var(--shadow-md);
|
|
}
|
|
|
|
.login-title {
|
|
margin: 0 0 var(--space-1) 0;
|
|
font-size: var(--text-lg);
|
|
font-weight: 600;
|
|
color: var(--text-primary);
|
|
text-align: center;
|
|
}
|
|
|
|
.login-subtitle {
|
|
margin: 0 0 var(--space-5) 0;
|
|
font-size: var(--text-sm);
|
|
color: var(--text-muted);
|
|
text-align: center;
|
|
}
|
|
|
|
.form-field {
|
|
display: flex;
|
|
flex-direction: column;
|
|
gap: var(--space-2);
|
|
}
|
|
|
|
.form-label {
|
|
font-size: var(--text-sm);
|
|
font-weight: 500;
|
|
color: var(--text-secondary);
|
|
}
|
|
|
|
.form-input {
|
|
width: 100%;
|
|
padding: var(--space-3) var(--space-4);
|
|
background: var(--bg-elevated);
|
|
border: 1px solid var(--border);
|
|
border-radius: var(--radius-sm);
|
|
color: var(--text-primary);
|
|
font-family: var(--font-sans);
|
|
font-size: var(--text-base);
|
|
transition: border-color var(--transition-fast), box-shadow var(--transition-fast);
|
|
-webkit-appearance: none;
|
|
appearance: none;
|
|
}
|
|
|
|
.form-input::placeholder {
|
|
color: var(--text-muted);
|
|
opacity: 0.6;
|
|
}
|
|
|
|
.form-input:focus {
|
|
outline: none;
|
|
border-color: var(--border-focus);
|
|
box-shadow: 0 0 0 3px var(--accent-subtle);
|
|
}
|
|
|
|
.form-input.is-invalid {
|
|
border-color: var(--error);
|
|
box-shadow: 0 0 0 3px rgba(239, 68, 68, 0.18);
|
|
}
|
|
|
|
.form-error {
|
|
min-height: 1.25em;
|
|
margin-top: var(--space-2);
|
|
font-size: var(--text-sm);
|
|
color: var(--error);
|
|
visibility: hidden;
|
|
}
|
|
|
|
.form-error.is-visible {
|
|
visibility: visible;
|
|
}
|
|
|
|
.submit-btn {
|
|
width: 100%;
|
|
margin-top: var(--space-5);
|
|
padding: var(--space-3) var(--space-4);
|
|
background: var(--accent);
|
|
color: #ffffff;
|
|
border: 1px solid var(--accent);
|
|
border-radius: var(--radius-sm);
|
|
font-family: var(--font-sans);
|
|
font-size: var(--text-base);
|
|
font-weight: 600;
|
|
cursor: pointer;
|
|
transition: background-color var(--transition-fast), border-color var(--transition-fast), opacity var(--transition-fast);
|
|
}
|
|
|
|
.submit-btn:hover:not(:disabled) {
|
|
background: var(--accent-hover);
|
|
border-color: var(--accent-hover);
|
|
}
|
|
|
|
.submit-btn:focus-visible {
|
|
outline: none;
|
|
box-shadow: 0 0 0 3px var(--accent-subtle);
|
|
}
|
|
|
|
.submit-btn:disabled {
|
|
opacity: 0.65;
|
|
cursor: not-allowed;
|
|
}
|
|
|
|
@media (max-width: 480px) {
|
|
.login-card { padding: var(--space-5); }
|
|
.monogram { font-size: 48px; }
|
|
}
|
|
</style>
|
|
</head>
|
|
<body>
|
|
<main class="login-shell">
|
|
<div class="monogram" aria-hidden="true">E</div>
|
|
<section class="login-card">
|
|
<h1 class="login-title">Echo Dashboard</h1>
|
|
<p class="login-subtitle">Autentificare</p>
|
|
<form id="login-form" method="post" action="/echo/api/auth/login" novalidate>
|
|
<div class="form-field">
|
|
<label class="form-label" for="token-input">Token de acces</label>
|
|
<input
|
|
id="token-input"
|
|
name="token"
|
|
type="password"
|
|
autocomplete="current-password"
|
|
autocapitalize="off"
|
|
autocorrect="off"
|
|
spellcheck="false"
|
|
aria-label="Token de acces"
|
|
aria-describedby="form-error"
|
|
required>
|
|
<div id="form-error" class="form-error" role="alert" aria-live="polite"></div>
|
|
</div>
|
|
<button id="submit-btn" type="submit" class="submit-btn">Intră</button>
|
|
</form>
|
|
</section>
|
|
</main>
|
|
|
|
<script>
|
|
(function () {
|
|
'use strict';
|
|
|
|
var form = document.getElementById('login-form');
|
|
var input = document.getElementById('token-input');
|
|
var btn = document.getElementById('submit-btn');
|
|
var errorEl = document.getElementById('form-error');
|
|
|
|
var DEFAULT_LABEL = 'Intră';
|
|
var SUBMITTING_LABEL = 'Se autentifică...';
|
|
var RETRY_LABEL = 'Reîncearcă';
|
|
|
|
// Auto-focus input on load (skip on touch devices to avoid keyboard pop)
|
|
window.addEventListener('DOMContentLoaded', function () {
|
|
if (!('ontouchstart' in window)) {
|
|
try { input.focus(); } catch (e) { /* ignore */ }
|
|
}
|
|
});
|
|
|
|
// Clear error styling as soon as the user edits the field
|
|
input.addEventListener('input', function () {
|
|
if (input.classList.contains('is-invalid')) {
|
|
input.classList.remove('is-invalid');
|
|
errorEl.textContent = '';
|
|
errorEl.classList.remove('is-visible');
|
|
}
|
|
});
|
|
|
|
form.addEventListener('submit', function (ev) {
|
|
ev.preventDefault();
|
|
|
|
var token = input.value.trim();
|
|
if (!token) {
|
|
input.classList.add('is-invalid');
|
|
errorEl.textContent = 'Token invalid';
|
|
errorEl.classList.add('is-visible');
|
|
input.focus();
|
|
return;
|
|
}
|
|
|
|
// Submitting state
|
|
btn.disabled = true;
|
|
btn.textContent = SUBMITTING_LABEL;
|
|
input.classList.remove('is-invalid');
|
|
errorEl.textContent = '';
|
|
errorEl.classList.remove('is-visible');
|
|
|
|
var body = 'token=' + encodeURIComponent(token);
|
|
|
|
fetch('/echo/api/auth/login', {
|
|
method: 'POST',
|
|
headers: {
|
|
'Content-Type': 'application/x-www-form-urlencoded',
|
|
'Accept': 'application/json, text/html'
|
|
},
|
|
body: body,
|
|
credentials: 'same-origin',
|
|
redirect: 'follow'
|
|
}).then(function (res) {
|
|
// Browsers auto-follow 302, so a successful login surfaces
|
|
// here as a 2xx (workspace.html) or an opaqueredirect.
|
|
if (res.ok || res.type === 'opaqueredirect' || res.redirected) {
|
|
// Redirect back to the page the user originally wanted,
|
|
// passed as ?next= by the server. Validate it's a safe
|
|
// relative /echo/ path to prevent open-redirect attacks.
|
|
var params = new URLSearchParams(window.location.search);
|
|
var next = params.get('next') || '';
|
|
var dest = (next && /^\/echo\/[^/]/.test(next) && next.indexOf('/echo/login') !== 0)
|
|
? next
|
|
: '/echo/workspace.html';
|
|
window.location.assign(dest);
|
|
return;
|
|
}
|
|
if (res.status === 401) {
|
|
showInvalid();
|
|
return;
|
|
}
|
|
// Any other status — treat as a generic failure
|
|
showInvalid();
|
|
}).catch(function () {
|
|
showInvalid();
|
|
});
|
|
});
|
|
|
|
function showInvalid() {
|
|
input.classList.add('is-invalid');
|
|
errorEl.textContent = 'Token invalid';
|
|
errorEl.classList.add('is-visible');
|
|
btn.disabled = false;
|
|
btn.textContent = RETRY_LABEL;
|
|
try { input.focus(); input.select(); } catch (e) { /* ignore */ }
|
|
}
|
|
})();
|
|
</script>
|
|
</body>
|
|
</html>
|