From 936a519f45caf84fd7102a247bdfdcc93c57e12f Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 11:51:40 +0800
Subject: [PATCH 01/45] feat(session): store password for account backup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add password field to Session type so the backup modal can show
credentials later. The password is generated in doSignUp() and
was previously discarded after the API call.

Old sessions are backfilled with an empty string — the password
is lost but the token still works.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/lib/session.test.ts | 6 +++++-
 src/lib/session.ts      | 8 ++++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/src/lib/session.test.ts b/src/lib/session.test.ts
index de36fad7a..641278b99 100644
--- a/src/lib/session.test.ts
+++ b/src/lib/session.test.ts
@@ -20,11 +20,15 @@ async function createTestSession() {
 // pre-populated localStorage
 function seedStorage(data: {
 	username: string;
+	password?: string;
 	token: string;
 	savedPlaces: number[];
 	savedAreas?: number[];
 }) {
-	localStorage.setItem("btcmap_session", JSON.stringify(data));
+	localStorage.setItem(
+		"btcmap_session",
+		JSON.stringify({ password: "pw", ...data }),
+	);
 }
 
 describe("session store", () => {
diff --git a/src/lib/session.ts b/src/lib/session.ts
index 31ba7f30b..5521a9a7a 100644
--- a/src/lib/session.ts
+++ b/src/lib/session.ts
@@ -19,6 +19,7 @@ import api from "$lib/axios";
 // For real accounts, migrate to httpOnly cookies or similar.
 export type Session = {
 	username: string;
+	password: string;
 	token: string;
 	savedPlaces: number[];
 	savedAreas: number[];
@@ -43,6 +44,12 @@ function loadFromStorage(): Session | null {
 		if (!Array.isArray(parsed.savedAreas)) {
 			parsed.savedAreas = [];
 		}
+		// Backfill password for sessions created before backup was available.
+		// Empty string means the password is lost — the user can still use
+		// their current token but can't back up or log in on another device.
+		if (typeof parsed.password !== "string") {
+			parsed.password = "";
+		}
 		return parsed as Session;
 	} catch {
 		return null;
@@ -83,6 +90,7 @@ function createSessionStore() {
 
 		const session: Session = {
 			username,
+			password,
 			token,
 			savedPlaces: [],
 			savedAreas: [],

From 16821d00ce8c4dcf2e14c1108ecb8342b7c13514 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 11:57:47 +0800
Subject: [PATCH 02/45] feat(nav): add UserMenu dropdown replacing bookmark
 icon

Replace the bookmark link in the header with a user icon that opens
a dropdown menu with "My Saved" and "Log out". Uses svelte-outclick
for outside click handling (same as NavDropdownDesktop). Only visible
when the user has a session.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/components/layout/Header.svelte   | 25 ++---------
 src/components/layout/UserMenu.svelte | 63 +++++++++++++++++++++++++++
 src/lib/i18n/locales/en.json          |  5 ++-
 3 files changed, 70 insertions(+), 23 deletions(-)
 create mode 100644 src/components/layout/UserMenu.svelte

diff --git a/src/components/layout/Header.svelte b/src/components/layout/Header.svelte
index 5727857e3..9813acc5c 100644
--- a/src/components/layout/Header.svelte
+++ b/src/components/layout/Header.svelte
@@ -1,12 +1,11 @@
 <script lang="ts">
-import Icon from "$components/Icon.svelte";
 import NavDropdownDesktop from "$components/layout/NavDropdownDesktop.svelte";
 import NavDropdownMobile from "$components/layout/NavDropdownMobile.svelte";
+import UserMenu from "$components/layout/UserMenu.svelte";
 import ThemeToggle from "$components/ThemeToggle.svelte";
 import { _ } from "$lib/i18n";
 import IconMobileNav from "$lib/icons/IconMobileNav.svelte";
 import type { MobileNavIconName } from "$lib/icons/types";
-import { session } from "$lib/session";
 import type { DropdownLink } from "$lib/types";
 
 import { afterNavigate } from "$app/navigation";
@@ -194,16 +193,7 @@ afterNavigate(() => {
 
 	<div class="flex items-center gap-3">
 		<ThemeToggle />
-		{#if $session}
-			<a
-				href="/saved"
-				class="text-white transition-opacity hover:opacity-80"
-				aria-label={$_("nav.saved")}
-				title={$_("nav.saved")}
-			>
-				<Icon type="material" icon="bookmark_filled" w="22" h="22" />
-			</a>
-		{/if}
+		<UserMenu />
 	</div>
 </header>
 
@@ -219,16 +209,7 @@ afterNavigate(() => {
 
 	<div class="flex items-center space-x-4">
 		<ThemeToggle />
-		{#if $session}
-			<a
-				href="/saved"
-				class="text-white transition-opacity hover:opacity-80"
-				aria-label={$_("nav.saved")}
-				title={$_("nav.saved")}
-			>
-				<Icon type="material" icon="bookmark_filled" w="22" h="22" />
-			</a>
-		{/if}
+		<UserMenu />
 
 		<!-- menu toggle -->
 		<button on:click={() => (showMobileMenu = !showMobileMenu)}>
diff --git a/src/components/layout/UserMenu.svelte b/src/components/layout/UserMenu.svelte
new file mode 100644
index 000000000..d130e5e92
--- /dev/null
+++ b/src/components/layout/UserMenu.svelte
@@ -0,0 +1,63 @@
+<script lang="ts">
+import OutClick from "svelte-outclick";
+
+import Icon from "$components/Icon.svelte";
+import { _ } from "$lib/i18n";
+import { session } from "$lib/session";
+
+import { afterNavigate } from "$app/navigation";
+
+let open = false;
+
+afterNavigate(() => {
+	open = false;
+});
+
+function handleLogout() {
+	session.clear();
+	open = false;
+}
+</script>
+
+{#if $session}
+	<div class="relative">
+		<button
+			id="user-menu-trigger"
+			on:click={() => (open = !open)}
+			class="text-white transition-opacity hover:opacity-80"
+			aria-label={$_("nav.account")}
+			aria-expanded={open}
+		>
+			<Icon type="material" icon="account_circle" w="24" h="24" />
+		</button>
+
+		{#if open}
+			<OutClick
+				excludeQuerySelectorAll="#user-menu-trigger"
+				on:outclick={() => (open = false)}
+			>
+				<div
+					class="absolute right-0 top-full z-50 mt-2 w-48 rounded-lg border border-gray-300 bg-white py-1 shadow-lg dark:border-white/20 dark:bg-dark"
+				>
+					<a
+						href="/saved"
+						class="flex items-center gap-2 px-4 py-2 text-sm text-primary transition-colors hover:bg-gray-100 dark:text-white dark:hover:bg-white/10"
+					>
+						<Icon type="material" icon="bookmark" w="16" h="16" />
+						{$_("nav.mySaved")}
+					</a>
+
+					<hr class="my-1 border-gray-200 dark:border-white/10" />
+
+					<button
+						on:click={handleLogout}
+						class="flex w-full items-center gap-2 px-4 py-2 text-sm text-primary transition-colors hover:bg-gray-100 dark:text-white dark:hover:bg-white/10"
+					>
+						<Icon type="material" icon="logout" w="16" h="16" />
+						{$_("nav.logout")}
+					</button>
+				</div>
+			</OutClick>
+		{/if}
+	</div>
+{/if}
diff --git a/src/lib/i18n/locales/en.json b/src/lib/i18n/locales/en.json
index 86118cf2f..d4f6e601e 100644
--- a/src/lib/i18n/locales/en.json
+++ b/src/lib/i18n/locales/en.json
@@ -35,7 +35,10 @@
 		"taggingIssues": "Tagging Issues",
 		"communities": "Communities",
 		"countries": "Countries",
-		"saved": "Saved"
+		"saved": "Saved",
+		"mySaved": "My Saved",
+		"account": "Account",
+		"logout": "Log out"
 	},
 	"saved": {
 		"title": "My Saved",

From c069b07c77af156009bff1d92fcdc2505c43b178 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 12:05:29 +0800
Subject: [PATCH 03/45] fix: add password backfill test and aria-haspopup on
 UserMenu

- Add test for password backfill when loading old sessions without
  the password field (mirrors existing savedAreas backfill test)
- Add aria-haspopup="true" to UserMenu trigger button for screen
  readers (matches NavDropdownDesktop pattern)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/components/layout/UserMenu.svelte |  1 +
 src/lib/session.test.ts               | 18 +++++++++++++++++-
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/src/components/layout/UserMenu.svelte b/src/components/layout/UserMenu.svelte
index d130e5e92..a02787eff 100644
--- a/src/components/layout/UserMenu.svelte
+++ b/src/components/layout/UserMenu.svelte
@@ -26,6 +26,7 @@ function handleLogout() {
 			on:click={() => (open = !open)}
 			class="text-white transition-opacity hover:opacity-80"
 			aria-label={$_("nav.account")}
+			aria-haspopup="true"
 			aria-expanded={open}
 		>
 			<Icon type="material" icon="account_circle" w="24" h="24" />
diff --git a/src/lib/session.test.ts b/src/lib/session.test.ts
index 641278b99..f69ebe70d 100644
--- a/src/lib/session.test.ts
+++ b/src/lib/session.test.ts
@@ -123,7 +123,6 @@ describe("session store", () => {
 
 	describe("loadFromStorage backfill", () => {
 		it("backfills savedAreas when missing from old session", async () => {
-			// Simulate an old session without savedAreas
 			localStorage.setItem(
 				"btcmap_session",
 				JSON.stringify({
@@ -140,6 +139,23 @@ describe("session store", () => {
 			expect(current?.savedPlaces).toEqual([1, 2]);
 		});
 
+		it("backfills password when missing from old session", async () => {
+			localStorage.setItem(
+				"btcmap_session",
+				JSON.stringify({
+					username: "old-user",
+					token: "old-tok",
+					savedPlaces: [1],
+					savedAreas: [],
+				}),
+			);
+			const session = await createTestSession();
+			session.init();
+
+			const current = get(session);
+			expect(current?.password).toBe("");
+		});
+
 		it("returns null for invalid data", async () => {
 			localStorage.setItem("btcmap_session", "not-json");
 			const session = await createTestSession();

From 201da3d86a1f912b59930193aca38ad89bdc8696 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 12:08:12 +0800
Subject: [PATCH 04/45] feat(nav): show UserMenu always with login/logout
 states

UserMenu is now always visible:
- Logged out: outline account icon, dropdown shows "Log in"
- Logged in: filled account icon, dropdown shows "My Saved" + "Log out"

Links to /login which will be built in the next step.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/components/Icon.svelte            |  1 +
 src/components/layout/UserMenu.svelte | 61 ++++++++++++++++-----------
 src/lib/i18n/locales/en.json          |  1 +
 3 files changed, 39 insertions(+), 24 deletions(-)

diff --git a/src/components/Icon.svelte b/src/components/Icon.svelte
index 869d4cf46..9efb1e632 100644
--- a/src/components/Icon.svelte
+++ b/src/components/Icon.svelte
@@ -21,6 +21,7 @@ const materialExceptions: Record<string, string> = {
 	close_round: "ic:round-close",
 	my_location: "material-symbols:my-location-rounded",
 	bookmark_filled: "ic:baseline-bookmark",
+	account_circle_filled: "ic:baseline-account-circle",
 };
 
 const faBrandIcons = ["x-twitter", "instagram", "facebook", "twitter"];
diff --git a/src/components/layout/UserMenu.svelte b/src/components/layout/UserMenu.svelte
index a02787eff..d3800fc29 100644
--- a/src/components/layout/UserMenu.svelte
+++ b/src/components/layout/UserMenu.svelte
@@ -19,27 +19,32 @@ function handleLogout() {
 }
 </script>
 
-{#if $session}
-	<div class="relative">
-		<button
-			id="user-menu-trigger"
-			on:click={() => (open = !open)}
-			class="text-white transition-opacity hover:opacity-80"
-			aria-label={$_("nav.account")}
-			aria-haspopup="true"
-			aria-expanded={open}
-		>
-			<Icon type="material" icon="account_circle" w="24" h="24" />
-		</button>
+<div class="relative">
+	<button
+		id="user-menu-trigger"
+		on:click={() => (open = !open)}
+		class="text-white transition-opacity hover:opacity-80"
+		aria-label={$_("nav.account")}
+		aria-haspopup="true"
+		aria-expanded={open}
+	>
+		<Icon
+			type="material"
+			icon={$session ? 'account_circle_filled' : 'account_circle'}
+			w="24"
+			h="24"
+		/>
+	</button>
 
-		{#if open}
-			<OutClick
-				excludeQuerySelectorAll="#user-menu-trigger"
-				on:outclick={() => (open = false)}
+	{#if open}
+		<OutClick
+			excludeQuerySelectorAll="#user-menu-trigger"
+			on:outclick={() => (open = false)}
+		>
+			<div
+				class="absolute right-0 top-full z-50 mt-2 w-48 rounded-lg border border-gray-300 bg-white py-1 shadow-lg dark:border-white/20 dark:bg-dark"
 			>
-				<div
-					class="absolute right-0 top-full z-50 mt-2 w-48 rounded-lg border border-gray-300 bg-white py-1 shadow-lg dark:border-white/20 dark:bg-dark"
-				>
+				{#if $session}
 					<a
 						href="/saved"
 						class="flex items-center gap-2 px-4 py-2 text-sm text-primary transition-colors hover:bg-gray-100 dark:text-white dark:hover:bg-white/10"
@@ -57,8 +62,16 @@ function handleLogout() {
 						<Icon type="material" icon="logout" w="16" h="16" />
 						{$_("nav.logout")}
 					</button>
-				</div>
-			</OutClick>
-		{/if}
-	</div>
-{/if}
+				{:else}
+					<a
+						href="/login"
+						class="flex items-center gap-2 px-4 py-2 text-sm text-primary transition-colors hover:bg-gray-100 dark:text-white dark:hover:bg-white/10"
+					>
+						<Icon type="material" icon="login" w="16" h="16" />
+						{$_("nav.login")}
+					</a>
+				{/if}
+			</div>
+		</OutClick>
+	{/if}
+</div>
diff --git a/src/lib/i18n/locales/en.json b/src/lib/i18n/locales/en.json
index d4f6e601e..23fff5597 100644
--- a/src/lib/i18n/locales/en.json
+++ b/src/lib/i18n/locales/en.json
@@ -38,6 +38,7 @@
 		"saved": "Saved",
 		"mySaved": "My Saved",
 		"account": "Account",
+		"login": "Log in",
 		"logout": "Log out"
 	},
 	"saved": {

From c15c60324acc6c430712acd156b4908329560b67 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 12:11:53 +0800
Subject: [PATCH 05/45] refactor(nav): remove logout, users always have an
 account
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Every user gets an auto-generated account on first save. "Log out"
made no sense — clicking Save again would just create another
throwaway. Account switching will be handled by the login flow
which replaces the current session.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/components/layout/UserMenu.svelte | 15 ---------------
 1 file changed, 15 deletions(-)

diff --git a/src/components/layout/UserMenu.svelte b/src/components/layout/UserMenu.svelte
index d3800fc29..665c21b5c 100644
--- a/src/components/layout/UserMenu.svelte
+++ b/src/components/layout/UserMenu.svelte
@@ -12,11 +12,6 @@ let open = false;
 afterNavigate(() => {
 	open = false;
 });
-
-function handleLogout() {
-	session.clear();
-	open = false;
-}
 </script>
 
 <div class="relative">
@@ -52,16 +47,6 @@ function handleLogout() {
 						<Icon type="material" icon="bookmark" w="16" h="16" />
 						{$_("nav.mySaved")}
 					</a>
-
-					<hr class="my-1 border-gray-200 dark:border-white/10" />
-
-					<button
-						on:click={handleLogout}
-						class="flex w-full items-center gap-2 px-4 py-2 text-sm text-primary transition-colors hover:bg-gray-100 dark:text-white dark:hover:bg-white/10"
-					>
-						<Icon type="material" icon="logout" w="16" h="16" />
-						{$_("nav.logout")}
-					</button>
 				{:else}
 					<a
 						href="/login"

From 75f4ae3fe78d93cf7a519102cedc1be12a4f7d92 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 12:54:12 +0800
Subject: [PATCH 06/45] feat(auth): add login page and server route

- POST /api/session/login server route proxying token creation
- /login page with username + password form
- session.login() method to replace current session
- After login, fetches saved places/areas from server to populate store
- Redirects to /saved on success
- Error toast on invalid credentials or server error

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/lib/i18n/locales/en.json            |   9 ++
 src/lib/session.ts                      |  14 +++
 src/routes/api/session/login/+server.ts |  42 ++++++++
 src/routes/login/+page.svelte           | 123 ++++++++++++++++++++++++
 4 files changed, 188 insertions(+)
 create mode 100644 src/routes/api/session/login/+server.ts
 create mode 100644 src/routes/login/+page.svelte

diff --git a/src/lib/i18n/locales/en.json b/src/lib/i18n/locales/en.json
index 23fff5597..c1eb2cf68 100644
--- a/src/lib/i18n/locales/en.json
+++ b/src/lib/i18n/locales/en.json
@@ -50,6 +50,15 @@
 		"noAreas": "No saved areas yet.",
 		"loadError": "Failed to load some saved items."
 	},
+	"login": {
+		"title": "Log in",
+		"username": "Username",
+		"password": "Password",
+		"submit": "Log in",
+		"loggingIn": "Logging in...",
+		"failed": "Invalid username or password.",
+		"error": "Something went wrong. Please try again."
+	},
 	"search": {
 		"placeholderWorldwide": "Search worldwide...",
 		"placeholderNearby": "Search nearby...",
diff --git a/src/lib/session.ts b/src/lib/session.ts
index 5521a9a7a..285891120 100644
--- a/src/lib/session.ts
+++ b/src/lib/session.ts
@@ -201,6 +201,20 @@ function createSessionStore() {
 			return result;
 		},
 
+		// Replace the current session with a different account (login flow).
+		// Saved items are populated separately after login.
+		login: (username: string, password: string, token: string) => {
+			const session: Session = {
+				username,
+				password,
+				token,
+				savedPlaces: [],
+				savedAreas: [],
+			};
+			saveToStorage(session);
+			set(session);
+		},
+
 		// Clear the session (logout / forget account). No recovery.
 		clear: () => {
 			saveToStorage(null);
diff --git a/src/routes/api/session/login/+server.ts b/src/routes/api/session/login/+server.ts
new file mode 100644
index 000000000..1e74e8a21
--- /dev/null
+++ b/src/routes/api/session/login/+server.ts
@@ -0,0 +1,42 @@
+import { error, json } from "@sveltejs/kit";
+
+import api from "$lib/axios";
+
+import type { RequestHandler } from "./$types";
+
+// POST /api/session/login
+// Authenticates with username + password and returns a Bearer token.
+// Proxies POST /v4/users/{username}/tokens to avoid CORS preflight issues.
+export const POST: RequestHandler = async ({ request }) => {
+	const body = await request.json();
+	const { username, password } = body;
+
+	if (!username || typeof username !== "string") {
+		error(400, "Missing required parameter: username");
+	}
+	if (!password || typeof password !== "string") {
+		error(400, "Missing required parameter: password");
+	}
+
+	const tokenRes = await api
+		.post(
+			`https://api.btcmap.org/v4/users/${encodeURIComponent(username)}/tokens`,
+			{},
+			{ headers: { Authorization: `Bearer ${password}` } },
+		)
+		.catch((err) => {
+			const status = err?.response?.status;
+			if (status === 401 || status === 403) {
+				error(401, "Invalid username or password");
+			}
+			console.error("Failed to create token:", err?.response?.data ?? err);
+			error(502, "Failed to log in");
+		});
+
+	const token = tokenRes.data?.token;
+	if (typeof token !== "string") {
+		error(502, "Token creation returned no token");
+	}
+
+	return json({ token });
+};
diff --git a/src/routes/login/+page.svelte b/src/routes/login/+page.svelte
new file mode 100644
index 000000000..48ffb340b
--- /dev/null
+++ b/src/routes/login/+page.svelte
@@ -0,0 +1,123 @@
+<script lang="ts">
+import { onMount } from "svelte";
+
+import api from "$lib/axios";
+import { _ } from "$lib/i18n";
+import { session } from "$lib/session";
+import { errToast } from "$lib/utils";
+
+import { goto } from "$app/navigation";
+
+let username = "";
+let password = "";
+let loading = false;
+
+onMount(() => {
+	session.init();
+});
+
+async function handleSubmit() {
+	if (!username.trim() || !password.trim()) return;
+	loading = true;
+
+	try {
+		const res = await api.post("/api/session/login", {
+			username: username.trim(),
+			password: password.trim(),
+		});
+
+		const token = res.data?.token;
+		if (typeof token !== "string") {
+			throw new Error("Login did not return a token");
+		}
+
+		// Replace current session with the logged-in account.
+		// Fetch saved items from the server to populate the store.
+		session.login(username.trim(), password.trim(), token);
+
+		// Load saved items from server
+		const headers = { Authorization: `Bearer ${token}` };
+		const [placesRes, areasRes] = await Promise.allSettled([
+			api.get("/api/session/saved-places", { headers }),
+			api.get("/api/session/saved-areas", { headers }),
+		]);
+
+		if (
+			placesRes.status === "fulfilled" &&
+			Array.isArray(placesRes.value.data)
+		) {
+			const ids = placesRes.value.data.map((p: { id: number }) => p.id);
+			session.setSavedPlaces(ids);
+		}
+		if (areasRes.status === "fulfilled" && Array.isArray(areasRes.value.data)) {
+			const ids = areasRes.value.data.map((a: { id: number }) => a.id);
+			session.setSavedAreas(ids);
+		}
+
+		goto("/saved");
+	} catch (err) {
+		const message =
+			(err as { response?: { status?: number } })?.response?.status === 401
+				? $_("login.failed")
+				: $_("login.error");
+		errToast(message);
+		console.error("Login failed", err);
+	} finally {
+		loading = false;
+	}
+}
+</script>
+
+<svelte:head>
+	<title>{$_("login.title")} | BTC Map</title>
+</svelte:head>
+
+<div class="my-10 flex justify-center md:my-20">
+	<div class="w-full max-w-sm space-y-6">
+		<h1 class="text-center text-3xl font-semibold text-primary dark:text-white">
+			{$_("login.title")}
+		</h1>
+
+		<form on:submit|preventDefault={handleSubmit} class="space-y-4">
+			<div>
+				<label
+					for="username"
+					class="mb-1 block text-sm font-semibold text-primary dark:text-white"
+				>
+					{$_("login.username")}
+				</label>
+				<input
+					id="username"
+					type="text"
+					bind:value={username}
+					autocomplete="username"
+					class="w-full rounded-lg border border-gray-300 bg-white px-3 py-2 text-primary dark:border-white/20 dark:bg-dark dark:text-white"
+				/>
+			</div>
+
+			<div>
+				<label
+					for="password"
+					class="mb-1 block text-sm font-semibold text-primary dark:text-white"
+				>
+					{$_("login.password")}
+				</label>
+				<input
+					id="password"
+					type="password"
+					bind:value={password}
+					autocomplete="current-password"
+					class="w-full rounded-lg border border-gray-300 bg-white px-3 py-2 text-primary dark:border-white/20 dark:bg-dark dark:text-white"
+				/>
+			</div>
+
+			<button
+				type="submit"
+				disabled={loading || !username.trim() || !password.trim()}
+				class="w-full rounded-lg bg-link px-4 py-2 font-semibold text-white transition-colors hover:bg-hover disabled:opacity-50"
+			>
+				{loading ? $_("login.loggingIn") : $_("login.submit")}
+			</button>
+		</form>
+	</div>
+</div>

From 8045aebd19d0af8cfd8a719539f0350c272b96d1 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 13:00:30 +0800
Subject: [PATCH 07/45] feat(nav): add "Switch account" to logged-in user menu

Since every user always has an account (auto-generated on first
save), they need a way to switch to a different account without
a logout step. Links to /login which replaces the current session.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/components/layout/UserMenu.svelte | 8 ++++++++
 src/lib/i18n/locales/en.json          | 1 +
 2 files changed, 9 insertions(+)

diff --git a/src/components/layout/UserMenu.svelte b/src/components/layout/UserMenu.svelte
index 665c21b5c..efb7b6a98 100644
--- a/src/components/layout/UserMenu.svelte
+++ b/src/components/layout/UserMenu.svelte
@@ -47,6 +47,14 @@ afterNavigate(() => {
 						<Icon type="material" icon="bookmark" w="16" h="16" />
 						{$_("nav.mySaved")}
 					</a>
+
+					<a
+						href="/login"
+						class="flex items-center gap-2 px-4 py-2 text-sm text-primary transition-colors hover:bg-gray-100 dark:text-white dark:hover:bg-white/10"
+					>
+						<Icon type="material" icon="swap_horiz" w="16" h="16" />
+						{$_("nav.switchAccount")}
+					</a>
 				{:else}
 					<a
 						href="/login"
diff --git a/src/lib/i18n/locales/en.json b/src/lib/i18n/locales/en.json
index c1eb2cf68..4b86be7f7 100644
--- a/src/lib/i18n/locales/en.json
+++ b/src/lib/i18n/locales/en.json
@@ -39,6 +39,7 @@
 		"mySaved": "My Saved",
 		"account": "Account",
 		"login": "Log in",
+		"switchAccount": "Switch account",
 		"logout": "Log out"
 	},
 	"saved": {

From 6a6f945db635ffbb0b35461a2da6ccf990a33ea1 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 13:05:13 +0800
Subject: [PATCH 08/45] feat(nav): show username as tooltip on account icon

Hovering the user icon now shows the account username (e.g.
"glossy-wealth-1878") via the title attribute. Shows "Account"
when not logged in.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/components/layout/UserMenu.svelte | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/components/layout/UserMenu.svelte b/src/components/layout/UserMenu.svelte
index efb7b6a98..90293be6c 100644
--- a/src/components/layout/UserMenu.svelte
+++ b/src/components/layout/UserMenu.svelte
@@ -19,7 +19,8 @@ afterNavigate(() => {
 		id="user-menu-trigger"
 		on:click={() => (open = !open)}
 		class="text-white transition-opacity hover:opacity-80"
-		aria-label={$_("nav.account")}
+		aria-label={$session?.username ?? $_("nav.account")}
+		title={$session?.username ?? $_("nav.account")}
 		aria-haspopup="true"
 		aria-expanded={open}
 	>

From b1df7bc82113cb75059522802119d00e52e1cc0c Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 13:11:15 +0800
Subject: [PATCH 09/45] feat(save): show toast on first account creation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When a user clicks Save for the first time and the throwaway
account is silently created, show a success toast: "Account
created — your saved places are stored on this device."

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/components/SaveButton.svelte | 3 ++-
 src/lib/i18n/locales/en.json     | 3 +++
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/components/SaveButton.svelte b/src/components/SaveButton.svelte
index fb7d77a28..7eda3ffc1 100644
--- a/src/components/SaveButton.svelte
+++ b/src/components/SaveButton.svelte
@@ -3,7 +3,7 @@ import Icon from "$components/Icon.svelte";
 import api from "$lib/axios";
 import { _ } from "$lib/i18n";
 import { session } from "$lib/session";
-import { errToast } from "$lib/utils";
+import { errToast, successToast } from "$lib/utils";
 
 // The numeric ID of the item to save/unsave.
 export let id: number;
@@ -56,6 +56,7 @@ async function toggle() {
 		let current = previousSession;
 		if (!current) {
 			current = await session.signUp();
+			successToast($_("save.accountCreated"));
 		}
 
 		const nextSaved =
diff --git a/src/lib/i18n/locales/en.json b/src/lib/i18n/locales/en.json
index 4b86be7f7..badd5afb2 100644
--- a/src/lib/i18n/locales/en.json
+++ b/src/lib/i18n/locales/en.json
@@ -60,6 +60,9 @@
 		"failed": "Invalid username or password.",
 		"error": "Something went wrong. Please try again."
 	},
+	"save": {
+		"accountCreated": "Account created — your saved places are stored on this device."
+	},
 	"search": {
 		"placeholderWorldwide": "Search worldwide...",
 		"placeholderNearby": "Search nearby...",

From bb11dc60e8fc01f3f4541168b47e715161f239cb Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 13:14:12 +0800
Subject: [PATCH 10/45] fix(nav): match user icon button size to theme toggle

Theme toggle is h-10 w-10. User menu trigger was unsized, causing
visual misalignment. Match the dimensions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/components/layout/UserMenu.svelte | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/components/layout/UserMenu.svelte b/src/components/layout/UserMenu.svelte
index 90293be6c..c5c453d71 100644
--- a/src/components/layout/UserMenu.svelte
+++ b/src/components/layout/UserMenu.svelte
@@ -18,7 +18,7 @@ afterNavigate(() => {
 	<button
 		id="user-menu-trigger"
 		on:click={() => (open = !open)}
-		class="text-white transition-opacity hover:opacity-80"
+		class="flex h-10 w-10 items-center justify-center text-white transition-opacity hover:opacity-80"
 		aria-label={$session?.username ?? $_("nav.account")}
 		title={$session?.username ?? $_("nav.account")}
 		aria-haspopup="true"

From e62dfd82391510ed3fa93b34e9018802f6152ff3 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 13:17:04 +0800
Subject: [PATCH 11/45] fix(session): hydrate session immediately instead of in
 onMount

session.init() is a synchronous localStorage read but was deferred
to onMount, causing a visible 2-second delay before the user icon
rendered. Move it to the module level with a browser guard so it
runs during script evaluation, before the first render.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/routes/+layout.svelte | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/routes/+layout.svelte b/src/routes/+layout.svelte
index 3e95a028b..3d95b0f4a 100644
--- a/src/routes/+layout.svelte
+++ b/src/routes/+layout.svelte
@@ -14,6 +14,10 @@ import { elementsSync } from "$lib/sync/places";
 import { theme } from "$lib/theme";
 
 import { browser, dev } from "$app/environment";
+
+// Hydrate session immediately (synchronous localStorage read) so the
+// UserMenu icon renders in the correct state without waiting for onMount.
+if (browser) session.init();
 import "leaflet.locatecontrol/dist/L.Control.Locate.min.css";
 import "leaflet.markercluster/dist/MarkerCluster.Default.css";
 import "leaflet.markercluster/dist/MarkerCluster.css";
@@ -71,9 +75,6 @@ onMount(async () => {
 	// Initialize theme from SSR/data attribute or localStorage
 	theme.init();
 
-	// Restore saved session (throwaway account + saved places) from localStorage
-	session.init();
-
 	// Track browser language for translation insights
 	trackBrowserLanguage();
 

From f78a7df5e3be8e2070e1be86e0e5a373f7998c8a Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 13:18:17 +0800
Subject: [PATCH 12/45] Revert "fix(session): hydrate session immediately
 instead of in onMount"

This reverts commit e62dfd82391510ed3fa93b34e9018802f6152ff3.
---
 src/routes/+layout.svelte | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/src/routes/+layout.svelte b/src/routes/+layout.svelte
index 3d95b0f4a..3e95a028b 100644
--- a/src/routes/+layout.svelte
+++ b/src/routes/+layout.svelte
@@ -14,10 +14,6 @@ import { elementsSync } from "$lib/sync/places";
 import { theme } from "$lib/theme";
 
 import { browser, dev } from "$app/environment";
-
-// Hydrate session immediately (synchronous localStorage read) so the
-// UserMenu icon renders in the correct state without waiting for onMount.
-if (browser) session.init();
 import "leaflet.locatecontrol/dist/L.Control.Locate.min.css";
 import "leaflet.markercluster/dist/MarkerCluster.Default.css";
 import "leaflet.markercluster/dist/MarkerCluster.css";
@@ -75,6 +71,9 @@ onMount(async () => {
 	// Initialize theme from SSR/data attribute or localStorage
 	theme.init();
 
+	// Restore saved session (throwaway account + saved places) from localStorage
+	session.init();
+
 	// Track browser language for translation insights
 	trackBrowserLanguage();
 

From e4a53284ce74d82364c5a2a813df55b2026b2c46 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 13:26:50 +0800
Subject: [PATCH 13/45] fix: confirm before switch account, remove dead logout
 key

- "Switch account" now shows a confirmation dialog warning that
  the current saved places will be replaced
- Remove unused nav.logout i18n key
- Update security comment in session.ts to acknowledge password
  storage in localStorage alongside the token

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/components/layout/UserMenu.svelte | 15 ++++++++++-----
 src/lib/i18n/locales/en.json          |  2 +-
 src/lib/session.ts                    | 16 +++++++++-------
 3 files changed, 20 insertions(+), 13 deletions(-)

diff --git a/src/components/layout/UserMenu.svelte b/src/components/layout/UserMenu.svelte
index c5c453d71..ed2df4b60 100644
--- a/src/components/layout/UserMenu.svelte
+++ b/src/components/layout/UserMenu.svelte
@@ -5,7 +5,7 @@ import Icon from "$components/Icon.svelte";
 import { _ } from "$lib/i18n";
 import { session } from "$lib/session";
 
-import { afterNavigate } from "$app/navigation";
+import { afterNavigate, goto } from "$app/navigation";
 
 let open = false;
 
@@ -49,13 +49,18 @@ afterNavigate(() => {
 						{$_("nav.mySaved")}
 					</a>
 
-					<a
-						href="/login"
-						class="flex items-center gap-2 px-4 py-2 text-sm text-primary transition-colors hover:bg-gray-100 dark:text-white dark:hover:bg-white/10"
+					<button
+						on:click={() => {
+							if (confirm($_("nav.switchAccountConfirm"))) {
+								open = false;
+								goto("/login");
+							}
+						}}
+						class="flex w-full items-center gap-2 px-4 py-2 text-sm text-primary transition-colors hover:bg-gray-100 dark:text-white dark:hover:bg-white/10"
 					>
 						<Icon type="material" icon="swap_horiz" w="16" h="16" />
 						{$_("nav.switchAccount")}
-					</a>
+					</button>
 				{:else}
 					<a
 						href="/login"
diff --git a/src/lib/i18n/locales/en.json b/src/lib/i18n/locales/en.json
index badd5afb2..3e5b583ee 100644
--- a/src/lib/i18n/locales/en.json
+++ b/src/lib/i18n/locales/en.json
@@ -40,7 +40,7 @@
 		"account": "Account",
 		"login": "Log in",
 		"switchAccount": "Switch account",
-		"logout": "Log out"
+		"switchAccountConfirm": "Switching accounts will replace your current saved places. Make sure you've backed up your credentials. Continue?"
 	},
 	"saved": {
 		"title": "My Saved",
diff --git a/src/lib/session.ts b/src/lib/session.ts
index 285891120..8522a23ff 100644
--- a/src/lib/session.ts
+++ b/src/lib/session.ts
@@ -10,13 +10,15 @@ import api from "$lib/axios";
 // they lose access to their saved items. A backup flow (set password, link
 // Nostr) will be added later.
 //
-// SECURITY — localStorage token blast radius:
-// Storing the Bearer token in localStorage is acceptable here ONLY because
-// the account is a throwaway with no recoverable data or PII. The token
-// grants access to its own saved_places/saved_areas and nothing else.
-// DO NOT reuse this pattern for real user accounts with durable data,
-// payment info, or elevated roles — an XSS would exfiltrate the token.
-// For real accounts, migrate to httpOnly cookies or similar.
+// SECURITY — localStorage blast radius:
+// Both the Bearer token AND the password are stored in localStorage.
+// The password is kept so the backup modal can show it to the user.
+// An XSS could exfiltrate both — the token grants API access, and
+// the password can create new tokens (effectively the same access).
+// This is acceptable for throwaway accounts with only saved_places/
+// saved_areas data. DO NOT reuse this pattern for real user accounts
+// with durable data, payment info, or elevated roles. For real
+// accounts, migrate to httpOnly cookies or similar.
 export type Session = {
 	username: string;
 	password: string;

From 66986a6d76913c01b7a92e073638f3c1d8448901 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 13:31:54 +0800
Subject: [PATCH 14/45] feat(auth): add BackupModal and remove switch account
 confirm
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- BackupModal shows username + password with copy buttons and
  show/hide toggle. Accessible from "Back up account" in UserMenu.
- Old accounts without a stored password show "Not available"
- Remove switch account confirmation — if the user knows their
  credentials (just logged in), switching is safe
- Remove dead switchAccountConfirm i18n key

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/components/auth/BackupModal.svelte | 120 +++++++++++++++++++++++++
 src/components/layout/UserMenu.svelte  |  26 ++++--
 src/lib/i18n/locales/en.json           |  13 ++-
 3 files changed, 152 insertions(+), 7 deletions(-)
 create mode 100644 src/components/auth/BackupModal.svelte

diff --git a/src/components/auth/BackupModal.svelte b/src/components/auth/BackupModal.svelte
new file mode 100644
index 000000000..72ff560b9
--- /dev/null
+++ b/src/components/auth/BackupModal.svelte
@@ -0,0 +1,120 @@
+<script lang="ts">
+import { createEventDispatcher } from "svelte";
+
+import Icon from "$components/Icon.svelte";
+import { _ } from "$lib/i18n";
+import { session } from "$lib/session";
+import { successToast } from "$lib/utils";
+
+const dispatch = createEventDispatcher();
+
+let showPassword = false;
+
+async function copyToClipboard(text: string, label: string) {
+	try {
+		await navigator.clipboard.writeText(text);
+		successToast(`${label} copied`);
+	} catch {
+		// Fallback for older browsers
+		const input = document.createElement("input");
+		input.value = text;
+		document.body.appendChild(input);
+		input.select();
+		document.execCommand("copy");
+		document.body.removeChild(input);
+		successToast(`${label} copied`);
+	}
+}
+</script>
+
+<!-- svelte-ignore a11y-click-events-have-key-events -->
+<!-- svelte-ignore a11y-no-static-element-interactions -->
+<div
+	class="fixed inset-0 z-[100] flex items-center justify-center bg-black/50"
+	on:click|self={() => dispatch("close")}
+>
+	<div class="mx-4 w-full max-w-sm rounded-xl bg-white p-6 shadow-xl dark:bg-dark">
+		<div class="mb-4 flex items-center justify-between">
+			<h2 class="text-xl font-semibold text-primary dark:text-white">
+				{$_("backup.title")}
+			</h2>
+			<button
+				on:click={() => dispatch("close")}
+				class="text-body transition-colors hover:text-primary dark:text-white/50 dark:hover:text-white"
+			>
+				<Icon type="material" icon="close" w="20" h="20" />
+			</button>
+		</div>
+
+		<p class="mb-4 text-sm text-body dark:text-white/70">
+			{$_("backup.description")}
+		</p>
+
+		{#if $session}
+			<div class="space-y-3">
+				<div>
+					<label for="backup-username" class="mb-1 block text-xs font-semibold text-body dark:text-white/70">
+						{$_("backup.username")}
+					</label>
+					<div class="flex items-center gap-2">
+						<input
+							id="backup-username"
+							type="text"
+							readonly
+							value={$session.username}
+							class="w-full rounded-lg border border-gray-300 bg-gray-50 px-3 py-2 text-sm text-primary dark:border-white/20 dark:bg-white/5 dark:text-white"
+						/>
+						<button
+							on:click={() => copyToClipboard($session?.username ?? "", $_("backup.username"))}
+							class="shrink-0 rounded-lg border border-gray-300 p-2 transition-colors hover:bg-gray-100 dark:border-white/20 dark:hover:bg-white/10"
+							title={$_("backup.copy")}
+						>
+							<Icon type="material" icon="content_copy" w="16" h="16" class="text-primary dark:text-white" />
+						</button>
+					</div>
+				</div>
+
+				<div>
+					<label for="backup-password" class="mb-1 block text-xs font-semibold text-body dark:text-white/70">
+						{$_("backup.password")}
+					</label>
+					<div class="flex items-center gap-2">
+						<input
+							id="backup-password"
+							type={showPassword ? "text" : "password"}
+							readonly
+							value={$session.password || $_("backup.unavailable")}
+							class="w-full rounded-lg border border-gray-300 bg-gray-50 px-3 py-2 text-sm text-primary dark:border-white/20 dark:bg-white/5 dark:text-white"
+						/>
+						<button
+							on:click={() => (showPassword = !showPassword)}
+							class="shrink-0 rounded-lg border border-gray-300 p-2 transition-colors hover:bg-gray-100 dark:border-white/20 dark:hover:bg-white/10"
+							title={showPassword ? $_("backup.hide") : $_("backup.show")}
+						>
+							<Icon
+								type="material"
+								icon={showPassword ? "visibility_off" : "visibility"}
+								w="16"
+								h="16"
+								class="text-primary dark:text-white"
+							/>
+						</button>
+						{#if $session.password}
+							<button
+								on:click={() => copyToClipboard($session?.password ?? "", $_("backup.password"))}
+								class="shrink-0 rounded-lg border border-gray-300 p-2 transition-colors hover:bg-gray-100 dark:border-white/20 dark:hover:bg-white/10"
+								title={$_("backup.copy")}
+							>
+								<Icon type="material" icon="content_copy" w="16" h="16" class="text-primary dark:text-white" />
+							</button>
+						{/if}
+					</div>
+				</div>
+			</div>
+
+			<p class="mt-4 text-xs text-body dark:text-white/50">
+				{$_("backup.warning")}
+			</p>
+		{/if}
+	</div>
+</div>
diff --git a/src/components/layout/UserMenu.svelte b/src/components/layout/UserMenu.svelte
index ed2df4b60..7fac8f45b 100644
--- a/src/components/layout/UserMenu.svelte
+++ b/src/components/layout/UserMenu.svelte
@@ -1,13 +1,15 @@
 <script lang="ts">
 import OutClick from "svelte-outclick";
 
+import BackupModal from "$components/auth/BackupModal.svelte";
 import Icon from "$components/Icon.svelte";
 import { _ } from "$lib/i18n";
 import { session } from "$lib/session";
 
-import { afterNavigate, goto } from "$app/navigation";
+import { afterNavigate } from "$app/navigation";
 
 let open = false;
+let showBackup = false;
 
 afterNavigate(() => {
 	open = false;
@@ -51,16 +53,24 @@ afterNavigate(() => {
 
 					<button
 						on:click={() => {
-							if (confirm($_("nav.switchAccountConfirm"))) {
-								open = false;
-								goto("/login");
-							}
+							open = false;
+							showBackup = true;
 						}}
 						class="flex w-full items-center gap-2 px-4 py-2 text-sm text-primary transition-colors hover:bg-gray-100 dark:text-white dark:hover:bg-white/10"
+					>
+						<Icon type="material" icon="key" w="16" h="16" />
+						{$_("nav.backupAccount")}
+					</button>
+
+					<hr class="my-1 border-gray-200 dark:border-white/10" />
+
+					<a
+						href="/login"
+						class="flex items-center gap-2 px-4 py-2 text-sm text-primary transition-colors hover:bg-gray-100 dark:text-white dark:hover:bg-white/10"
 					>
 						<Icon type="material" icon="swap_horiz" w="16" h="16" />
 						{$_("nav.switchAccount")}
-					</button>
+					</a>
 				{:else}
 					<a
 						href="/login"
@@ -74,3 +84,7 @@ afterNavigate(() => {
 		</OutClick>
 	{/if}
 </div>
+
+{#if showBackup}
+	<BackupModal on:close={() => (showBackup = false)} />
+{/if}
diff --git a/src/lib/i18n/locales/en.json b/src/lib/i18n/locales/en.json
index 3e5b583ee..0a32196be 100644
--- a/src/lib/i18n/locales/en.json
+++ b/src/lib/i18n/locales/en.json
@@ -40,7 +40,7 @@
 		"account": "Account",
 		"login": "Log in",
 		"switchAccount": "Switch account",
-		"switchAccountConfirm": "Switching accounts will replace your current saved places. Make sure you've backed up your credentials. Continue?"
+		"backupAccount": "Back up account"
 	},
 	"saved": {
 		"title": "My Saved",
@@ -60,6 +60,17 @@
 		"failed": "Invalid username or password.",
 		"error": "Something went wrong. Please try again."
 	},
+	"backup": {
+		"title": "Back up account",
+		"description": "Save these credentials to log in on another device.",
+		"username": "Username",
+		"password": "Password",
+		"copy": "Copy",
+		"show": "Show password",
+		"hide": "Hide password",
+		"unavailable": "Not available (old account)",
+		"warning": "These credentials are the only way to recover your saved places."
+	},
 	"save": {
 		"accountCreated": "Account created — your saved places are stored on this device."
 	},

From d6497b7a1f252b3f1500ab2f3717be246f0ee68a Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 13:34:06 +0800
Subject: [PATCH 15/45] feat(auth): only show backup for auto-generated
 accounts
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add autoGenerated flag to Session type. Set true in signUp(),
false in login(). UserMenu only shows "Back up account" when the
account was auto-generated — users who logged in with known
credentials don't need to back them up.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/components/layout/UserMenu.svelte | 22 ++++++++++++----------
 src/lib/session.test.ts               |  2 +-
 src/lib/session.ts                    |  8 ++++++++
 3 files changed, 21 insertions(+), 11 deletions(-)

diff --git a/src/components/layout/UserMenu.svelte b/src/components/layout/UserMenu.svelte
index 7fac8f45b..1973d8015 100644
--- a/src/components/layout/UserMenu.svelte
+++ b/src/components/layout/UserMenu.svelte
@@ -51,16 +51,18 @@ afterNavigate(() => {
 						{$_("nav.mySaved")}
 					</a>
 
-					<button
-						on:click={() => {
-							open = false;
-							showBackup = true;
-						}}
-						class="flex w-full items-center gap-2 px-4 py-2 text-sm text-primary transition-colors hover:bg-gray-100 dark:text-white dark:hover:bg-white/10"
-					>
-						<Icon type="material" icon="key" w="16" h="16" />
-						{$_("nav.backupAccount")}
-					</button>
+					{#if $session.autoGenerated}
+						<button
+							on:click={() => {
+								open = false;
+								showBackup = true;
+							}}
+							class="flex w-full items-center gap-2 px-4 py-2 text-sm text-primary transition-colors hover:bg-gray-100 dark:text-white dark:hover:bg-white/10"
+						>
+							<Icon type="material" icon="key" w="16" h="16" />
+							{$_("nav.backupAccount")}
+						</button>
+					{/if}
 
 					<hr class="my-1 border-gray-200 dark:border-white/10" />
 
diff --git a/src/lib/session.test.ts b/src/lib/session.test.ts
index f69ebe70d..031ad350d 100644
--- a/src/lib/session.test.ts
+++ b/src/lib/session.test.ts
@@ -27,7 +27,7 @@ function seedStorage(data: {
 }) {
 	localStorage.setItem(
 		"btcmap_session",
-		JSON.stringify({ password: "pw", ...data }),
+		JSON.stringify({ password: "pw", autoGenerated: true, ...data }),
 	);
 }
 
diff --git a/src/lib/session.ts b/src/lib/session.ts
index 8522a23ff..a9ae5779c 100644
--- a/src/lib/session.ts
+++ b/src/lib/session.ts
@@ -25,6 +25,7 @@ export type Session = {
 	token: string;
 	savedPlaces: number[];
 	savedAreas: number[];
+	autoGenerated: boolean;
 };
 
 const STORAGE_KEY = "btcmap_session";
@@ -52,6 +53,11 @@ function loadFromStorage(): Session | null {
 		if (typeof parsed.password !== "string") {
 			parsed.password = "";
 		}
+		// Backfill autoGenerated for old sessions — assume auto-generated
+		// since the login flow didn't exist when they were created.
+		if (typeof parsed.autoGenerated !== "boolean") {
+			parsed.autoGenerated = true;
+		}
 		return parsed as Session;
 	} catch {
 		return null;
@@ -96,6 +102,7 @@ function createSessionStore() {
 			token,
 			savedPlaces: [],
 			savedAreas: [],
+			autoGenerated: true,
 		};
 		saveToStorage(session);
 		set(session);
@@ -212,6 +219,7 @@ function createSessionStore() {
 				token,
 				savedPlaces: [],
 				savedAreas: [],
+				autoGenerated: false,
 			};
 			saveToStorage(session);
 			set(session);

From 3c4d8dda0f4675b31301b81ed8a84fa2bd7232e6 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 13:35:54 +0800
Subject: [PATCH 16/45] fix(auth): don't store password in localStorage for
 known accounts

When logging in with known credentials, the user already has their
password. No reason to keep it in localStorage where an XSS could
exfiltrate it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/routes/login/+page.svelte | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/routes/login/+page.svelte b/src/routes/login/+page.svelte
index 48ffb340b..25d35ab2f 100644
--- a/src/routes/login/+page.svelte
+++ b/src/routes/login/+page.svelte
@@ -32,8 +32,8 @@ async function handleSubmit() {
 		}
 
 		// Replace current session with the logged-in account.
-		// Fetch saved items from the server to populate the store.
-		session.login(username.trim(), password.trim(), token);
+		// Don't store the password — the user already knows it.
+		session.login(username.trim(), "", token);
 
 		// Load saved items from server
 		const headers = { Authorization: `Bearer ${token}` };

From 0860faf4d958a303cfb35a669672baf775485e1a Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 13:40:24 +0800
Subject: [PATCH 17/45] fix(saved): show empty state instead of redirecting to
 /map
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Redirecting anonymous users to /map was confusing — they had no
idea why they landed there. Now /saved just shows the empty state
message regardless of session status.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/routes/saved/+page.svelte | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/routes/saved/+page.svelte b/src/routes/saved/+page.svelte
index 4b859e31c..bb9cd4004 100644
--- a/src/routes/saved/+page.svelte
+++ b/src/routes/saved/+page.svelte
@@ -38,7 +38,7 @@ onMount(async () => {
 	session.init();
 
 	if (!$session) {
-		goto("/map");
+		loading = false;
 		return;
 	}
 

From 64364bf619fd38b1c9eeb51f0d9dc2abcd294610 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 13:40:57 +0800
Subject: [PATCH 18/45] fix(saved): redirect to /login instead of showing empty
 state

If the user visits /saved without an account, redirect to /login
where they can log in with existing credentials or learn they
need to save something first.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/routes/saved/+page.svelte | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/routes/saved/+page.svelte b/src/routes/saved/+page.svelte
index bb9cd4004..d54473a5a 100644
--- a/src/routes/saved/+page.svelte
+++ b/src/routes/saved/+page.svelte
@@ -38,7 +38,7 @@ onMount(async () => {
 	session.init();
 
 	if (!$session) {
-		loading = false;
+		goto("/login");
 		return;
 	}
 

From 766371ce760fe74918c1149e80f470cc2f4feb4b Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 13:44:54 +0800
Subject: [PATCH 19/45] fix(auth): add input length validation on login server
 route

Reject oversized username (>100) or password (>200) before
forwarding to the upstream API.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/routes/api/session/login/+server.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/routes/api/session/login/+server.ts b/src/routes/api/session/login/+server.ts
index 1e74e8a21..7e6907035 100644
--- a/src/routes/api/session/login/+server.ts
+++ b/src/routes/api/session/login/+server.ts
@@ -11,11 +11,11 @@ export const POST: RequestHandler = async ({ request }) => {
 	const body = await request.json();
 	const { username, password } = body;
 
-	if (!username || typeof username !== "string") {
-		error(400, "Missing required parameter: username");
+	if (!username || typeof username !== "string" || username.length > 100) {
+		error(400, "Missing or invalid username");
 	}
-	if (!password || typeof password !== "string") {
-		error(400, "Missing required parameter: password");
+	if (!password || typeof password !== "string" || password.length > 200) {
+		error(400, "Missing or invalid password");
 	}
 
 	const tokenRes = await api

From b81fc870574db629007ae7e41a9a975a21b0322b Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 13:51:47 +0800
Subject: [PATCH 20/45] feat(login): add link to developer portal for account
 creation

Users who want a custom username can create an account on
developer.btcmap.org, then log in on the main site. Added
"Don't have an account? Create one here" below the login form.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/lib/i18n/locales/en.json  |  4 +++-
 src/routes/login/+page.svelte | 12 ++++++++++++
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/lib/i18n/locales/en.json b/src/lib/i18n/locales/en.json
index 0a32196be..eec60c563 100644
--- a/src/lib/i18n/locales/en.json
+++ b/src/lib/i18n/locales/en.json
@@ -58,7 +58,9 @@
 		"submit": "Log in",
 		"loggingIn": "Logging in...",
 		"failed": "Invalid username or password.",
-		"error": "Something went wrong. Please try again."
+		"error": "Something went wrong. Please try again.",
+		"noAccount": "Don't have an account?",
+		"createAccount": "Create one here"
 	},
 	"backup": {
 		"title": "Back up account",
diff --git a/src/routes/login/+page.svelte b/src/routes/login/+page.svelte
index 25d35ab2f..cd24a78e3 100644
--- a/src/routes/login/+page.svelte
+++ b/src/routes/login/+page.svelte
@@ -119,5 +119,17 @@ async function handleSubmit() {
 				{loading ? $_("login.loggingIn") : $_("login.submit")}
 			</button>
 		</form>
+
+		<p class="text-center text-sm text-body dark:text-white/70">
+			{$_("login.noAccount")}
+			<a
+				href="https://developer.btcmap.org"
+				target="_blank"
+				rel="noopener noreferrer"
+				class="text-link transition-colors hover:text-hover"
+			>
+				{$_("login.createAccount")}
+			</a>
+		</p>
 	</div>
 </div>

From de4aa686414cac8577285affb713cddaf0435bb2 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 14:03:27 +0800
Subject: [PATCH 21/45] fix(backup): add Escape key handling, remove deprecated
 copy fallback
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Close BackupModal on Escape key press
- Remove document.execCommand("copy") fallback — navigator.clipboard
  is the standard API and works on all modern browsers over HTTPS

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/components/auth/BackupModal.svelte | 17 ++++-------------
 1 file changed, 4 insertions(+), 13 deletions(-)

diff --git a/src/components/auth/BackupModal.svelte b/src/components/auth/BackupModal.svelte
index 72ff560b9..fdf15ea1b 100644
--- a/src/components/auth/BackupModal.svelte
+++ b/src/components/auth/BackupModal.svelte
@@ -11,22 +11,13 @@ const dispatch = createEventDispatcher();
 let showPassword = false;
 
 async function copyToClipboard(text: string, label: string) {
-	try {
-		await navigator.clipboard.writeText(text);
-		successToast(`${label} copied`);
-	} catch {
-		// Fallback for older browsers
-		const input = document.createElement("input");
-		input.value = text;
-		document.body.appendChild(input);
-		input.select();
-		document.execCommand("copy");
-		document.body.removeChild(input);
-		successToast(`${label} copied`);
-	}
+	await navigator.clipboard.writeText(text);
+	successToast(`${label} copied`);
 }
 </script>
 
+<svelte:window on:keydown={(e) => e.key === "Escape" && dispatch("close")} />
+
 <!-- svelte-ignore a11y-click-events-have-key-events -->
 <!-- svelte-ignore a11y-no-static-element-interactions -->
 <div

From 9beafbc1faceb0be390327b9a09909cf284f9be1 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 14:15:58 +0800
Subject: [PATCH 22/45] fix(nav): replace "Switch account" with "Log out"
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Users start with no account, so "Switch account" was confusing —
it implies multiple accounts. "Log out" is clearer: it means
"forget this session." If they want a different account, they
log out first, then log in.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/components/layout/UserMenu.svelte | 15 +++++++++------
 src/lib/i18n/locales/en.json          |  2 +-
 2 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/components/layout/UserMenu.svelte b/src/components/layout/UserMenu.svelte
index 1973d8015..c67dff490 100644
--- a/src/components/layout/UserMenu.svelte
+++ b/src/components/layout/UserMenu.svelte
@@ -66,13 +66,16 @@ afterNavigate(() => {
 
 					<hr class="my-1 border-gray-200 dark:border-white/10" />
 
-					<a
-						href="/login"
-						class="flex items-center gap-2 px-4 py-2 text-sm text-primary transition-colors hover:bg-gray-100 dark:text-white dark:hover:bg-white/10"
+					<button
+						on:click={() => {
+							session.clear();
+							open = false;
+						}}
+						class="flex w-full items-center gap-2 px-4 py-2 text-sm text-primary transition-colors hover:bg-gray-100 dark:text-white dark:hover:bg-white/10"
 					>
-						<Icon type="material" icon="swap_horiz" w="16" h="16" />
-						{$_("nav.switchAccount")}
-					</a>
+						<Icon type="material" icon="logout" w="16" h="16" />
+						{$_("nav.logout")}
+					</button>
 				{:else}
 					<a
 						href="/login"
diff --git a/src/lib/i18n/locales/en.json b/src/lib/i18n/locales/en.json
index eec60c563..ce17eccbd 100644
--- a/src/lib/i18n/locales/en.json
+++ b/src/lib/i18n/locales/en.json
@@ -39,7 +39,7 @@
 		"mySaved": "My Saved",
 		"account": "Account",
 		"login": "Log in",
-		"switchAccount": "Switch account",
+		"logout": "Log out",
 		"backupAccount": "Back up account"
 	},
 	"saved": {

From a9abb2cf1136f25c2c4c02f81b7ea68593635c20 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 14:20:52 +0800
Subject: [PATCH 23/45] fix(nav): use unique IDs for UserMenu trigger buttons

Header renders UserMenu twice (desktop + mobile), producing
duplicate DOM IDs. Use a random suffix per instance so each
trigger has a unique ID and the OutClick exclusion works correctly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/components/layout/UserMenu.svelte | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/components/layout/UserMenu.svelte b/src/components/layout/UserMenu.svelte
index c67dff490..6646fee69 100644
--- a/src/components/layout/UserMenu.svelte
+++ b/src/components/layout/UserMenu.svelte
@@ -10,6 +10,7 @@ import { afterNavigate } from "$app/navigation";
 
 let open = false;
 let showBackup = false;
+const triggerId = `user-menu-trigger-${Math.random().toString(36).slice(2, 8)}`;
 
 afterNavigate(() => {
 	open = false;
@@ -18,7 +19,7 @@ afterNavigate(() => {
 
 <div class="relative">
 	<button
-		id="user-menu-trigger"
+		id={triggerId}
 		on:click={() => (open = !open)}
 		class="flex h-10 w-10 items-center justify-center text-white transition-opacity hover:opacity-80"
 		aria-label={$session?.username ?? $_("nav.account")}
@@ -36,7 +37,7 @@ afterNavigate(() => {
 
 	{#if open}
 		<OutClick
-			excludeQuerySelectorAll="#user-menu-trigger"
+			excludeQuerySelectorAll={`#${triggerId}`}
 			on:outclick={() => (open = false)}
 		>
 			<div

From e69ea5a02b793b752c4ce84c9618df132d4be664 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 14:23:50 +0800
Subject: [PATCH 24/45] fix(backup): handle clipboard errors and use i18n for
 copy toast
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Wrap clipboard.writeText in try/catch to prevent unhandled
  rejections (console.error only, no error toast — failure is
  extremely unlikely on HTTPS)
- Replace hardcoded "copied" string with i18n key backup.copied

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/components/auth/BackupModal.svelte | 14 +++++++++-----
 src/lib/i18n/locales/en.json           |  3 ++-
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/src/components/auth/BackupModal.svelte b/src/components/auth/BackupModal.svelte
index fdf15ea1b..b6518d077 100644
--- a/src/components/auth/BackupModal.svelte
+++ b/src/components/auth/BackupModal.svelte
@@ -10,9 +10,13 @@ const dispatch = createEventDispatcher();
 
 let showPassword = false;
 
-async function copyToClipboard(text: string, label: string) {
-	await navigator.clipboard.writeText(text);
-	successToast(`${label} copied`);
+async function copyToClipboard(text: string) {
+	try {
+		await navigator.clipboard.writeText(text);
+		successToast($_("backup.copied"));
+	} catch (err) {
+		console.error("Clipboard write failed", err);
+	}
 }
 </script>
 
@@ -56,7 +60,7 @@ async function copyToClipboard(text: string, label: string) {
 							class="w-full rounded-lg border border-gray-300 bg-gray-50 px-3 py-2 text-sm text-primary dark:border-white/20 dark:bg-white/5 dark:text-white"
 						/>
 						<button
-							on:click={() => copyToClipboard($session?.username ?? "", $_("backup.username"))}
+							on:click={() => copyToClipboard($session?.username ?? "")}
 							class="shrink-0 rounded-lg border border-gray-300 p-2 transition-colors hover:bg-gray-100 dark:border-white/20 dark:hover:bg-white/10"
 							title={$_("backup.copy")}
 						>
@@ -92,7 +96,7 @@ async function copyToClipboard(text: string, label: string) {
 						</button>
 						{#if $session.password}
 							<button
-								on:click={() => copyToClipboard($session?.password ?? "", $_("backup.password"))}
+								on:click={() => copyToClipboard($session?.password ?? "")}
 								class="shrink-0 rounded-lg border border-gray-300 p-2 transition-colors hover:bg-gray-100 dark:border-white/20 dark:hover:bg-white/10"
 								title={$_("backup.copy")}
 							>
diff --git a/src/lib/i18n/locales/en.json b/src/lib/i18n/locales/en.json
index ce17eccbd..9db7be1f6 100644
--- a/src/lib/i18n/locales/en.json
+++ b/src/lib/i18n/locales/en.json
@@ -71,7 +71,8 @@
 		"show": "Show password",
 		"hide": "Hide password",
 		"unavailable": "Not available (old account)",
-		"warning": "These credentials are the only way to recover your saved places."
+		"warning": "These credentials are the only way to recover your saved places.",
+		"copied": "Copied to clipboard"
 	},
 	"save": {
 		"accountCreated": "Account created — your saved places are stored on this device."

From 1d6d4b2bc65e0f000eeea79a5ff89dcb4fb759c3 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 14:29:04 +0800
Subject: [PATCH 25/45] docs(session): clarify password storage differs by
 account type

The security comment said both token and password are stored, but
manual logins intentionally store an empty password. Clarify that
password persistence only applies to auto-generated sessions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/lib/session.ts | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/src/lib/session.ts b/src/lib/session.ts
index a9ae5779c..7be66fd29 100644
--- a/src/lib/session.ts
+++ b/src/lib/session.ts
@@ -11,12 +11,13 @@ import api from "$lib/axios";
 // Nostr) will be added later.
 //
 // SECURITY — localStorage blast radius:
-// Both the Bearer token AND the password are stored in localStorage.
-// The password is kept so the backup modal can show it to the user.
-// An XSS could exfiltrate both — the token grants API access, and
-// the password can create new tokens (effectively the same access).
-// This is acceptable for throwaway accounts with only saved_places/
-// saved_areas data. DO NOT reuse this pattern for real user accounts
+// The Bearer token is always stored in localStorage. The password is
+// stored only for auto-generated accounts (so the backup modal can
+// show it). Manual logins store an empty password — the user already
+// knows their credentials. An XSS could exfiltrate the token (and
+// the password for auto-generated accounts). This is acceptable for
+// throwaway accounts with only saved_places/saved_areas data.
+// DO NOT reuse this pattern for real user accounts
 // with durable data, payment info, or elevated roles. For real
 // accounts, migrate to httpOnly cookies or similar.
 export type Session = {

From a20c35e54c85376a8847ded62f261d51761f2a70 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 14:34:17 +0800
Subject: [PATCH 26/45] fix(auth): don't trim passwords, sanitize error logs
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Stop trimming password input — spaces may be valid characters
  in credentials. Username is still trimmed (no valid username
  has leading/trailing spaces).
- Sanitize console.error in login server route and client page
  to only log the HTTP status code, not the full error object
  which may contain request headers with credentials.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/routes/api/session/login/+server.ts |  2 +-
 src/routes/login/+page.svelte           | 12 ++++++++----
 2 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/src/routes/api/session/login/+server.ts b/src/routes/api/session/login/+server.ts
index 7e6907035..02a5dbac9 100644
--- a/src/routes/api/session/login/+server.ts
+++ b/src/routes/api/session/login/+server.ts
@@ -29,7 +29,7 @@ export const POST: RequestHandler = async ({ request }) => {
 			if (status === 401 || status === 403) {
 				error(401, "Invalid username or password");
 			}
-			console.error("Failed to create token:", err?.response?.data ?? err);
+			console.error("Failed to create token:", err?.response?.status);
 			error(502, "Failed to log in");
 		});
 
diff --git a/src/routes/login/+page.svelte b/src/routes/login/+page.svelte
index cd24a78e3..b17126e58 100644
--- a/src/routes/login/+page.svelte
+++ b/src/routes/login/+page.svelte
@@ -17,13 +17,13 @@ onMount(() => {
 });
 
 async function handleSubmit() {
-	if (!username.trim() || !password.trim()) return;
+	if (!username.trim() || !password) return;
 	loading = true;
 
 	try {
 		const res = await api.post("/api/session/login", {
 			username: username.trim(),
-			password: password.trim(),
+			password,
 		});
 
 		const token = res.data?.token;
@@ -61,7 +61,11 @@ async function handleSubmit() {
 				? $_("login.failed")
 				: $_("login.error");
 		errToast(message);
-		console.error("Login failed", err);
+		console.error(
+			"Login failed:",
+			(err as { response?: { status?: number } })?.response?.status ??
+				"unknown",
+		);
 	} finally {
 		loading = false;
 	}
@@ -113,7 +117,7 @@ async function handleSubmit() {
 
 			<button
 				type="submit"
-				disabled={loading || !username.trim() || !password.trim()}
+				disabled={loading || !username.trim() || !password}
 				class="w-full rounded-lg bg-link px-4 py-2 font-semibold text-white transition-colors hover:bg-hover disabled:opacity-50"
 			>
 				{loading ? $_("login.loggingIn") : $_("login.submit")}

From fcd4e93f5e9ebee96c614ffe1736aea5fa376776 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 14:36:33 +0800
Subject: [PATCH 27/45] fix(nav): add type=button to UserMenu action buttons

Prevents unintended form submits if the component is ever
rendered inside a form element.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/components/layout/UserMenu.svelte | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/components/layout/UserMenu.svelte b/src/components/layout/UserMenu.svelte
index 6646fee69..bf84c7133 100644
--- a/src/components/layout/UserMenu.svelte
+++ b/src/components/layout/UserMenu.svelte
@@ -19,6 +19,7 @@ afterNavigate(() => {
 
 <div class="relative">
 	<button
+		type="button"
 		id={triggerId}
 		on:click={() => (open = !open)}
 		class="flex h-10 w-10 items-center justify-center text-white transition-opacity hover:opacity-80"
@@ -54,6 +55,7 @@ afterNavigate(() => {
 
 					{#if $session.autoGenerated}
 						<button
+							type="button"
 							on:click={() => {
 								open = false;
 								showBackup = true;
@@ -68,6 +70,7 @@ afterNavigate(() => {
 					<hr class="my-1 border-gray-200 dark:border-white/10" />
 
 					<button
+						type="button"
 						on:click={() => {
 							session.clear();
 							open = false;

From 074f7e0b42fa8f88bf1424624bb8eb6d2a18c0db Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 14:43:46 +0800
Subject: [PATCH 28/45] fix(backup): replace a11y ignores with
 role=presentation, add type=button
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Use role=presentation on the backdrop overlay instead of suppressing
a11y warnings. The backdrop is decorative — keyboard interaction is
handled via svelte:window Escape handler. Add type=button to the
close button.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/components/auth/BackupModal.svelte | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/components/auth/BackupModal.svelte b/src/components/auth/BackupModal.svelte
index b6518d077..19ec8ac76 100644
--- a/src/components/auth/BackupModal.svelte
+++ b/src/components/auth/BackupModal.svelte
@@ -22,9 +22,8 @@ async function copyToClipboard(text: string) {
 
 <svelte:window on:keydown={(e) => e.key === "Escape" && dispatch("close")} />
 
-<!-- svelte-ignore a11y-click-events-have-key-events -->
-<!-- svelte-ignore a11y-no-static-element-interactions -->
 <div
+	role="presentation"
 	class="fixed inset-0 z-[100] flex items-center justify-center bg-black/50"
 	on:click|self={() => dispatch("close")}
 >
@@ -34,6 +33,7 @@ async function copyToClipboard(text: string) {
 				{$_("backup.title")}
 			</h2>
 			<button
+				type="button"
 				on:click={() => dispatch("close")}
 				class="text-body transition-colors hover:text-primary dark:text-white/50 dark:hover:text-white"
 			>

From 1d357ca415bc675302508ec857b607467ae66ffd Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 14:50:26 +0800
Subject: [PATCH 29/45] fix(nav): use deterministic IDs for UserMenu instances

Replace Math.random() trigger ID with a prop-based ID to avoid
SSR/client hydration mismatches. Header passes distinct IDs for
desktop and mobile instances.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/components/layout/Header.svelte   | 4 ++--
 src/components/layout/UserMenu.svelte | 4 +++-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/src/components/layout/Header.svelte b/src/components/layout/Header.svelte
index 9813acc5c..5cdd3e9ae 100644
--- a/src/components/layout/Header.svelte
+++ b/src/components/layout/Header.svelte
@@ -193,7 +193,7 @@ afterNavigate(() => {
 
 	<div class="flex items-center gap-3">
 		<ThemeToggle />
-		<UserMenu />
+		<UserMenu id="user-menu-desktop" />
 	</div>
 </header>
 
@@ -209,7 +209,7 @@ afterNavigate(() => {
 
 	<div class="flex items-center space-x-4">
 		<ThemeToggle />
-		<UserMenu />
+		<UserMenu id="user-menu-mobile" />
 
 		<!-- menu toggle -->
 		<button on:click={() => (showMobileMenu = !showMobileMenu)}>
diff --git a/src/components/layout/UserMenu.svelte b/src/components/layout/UserMenu.svelte
index bf84c7133..2e62aa2af 100644
--- a/src/components/layout/UserMenu.svelte
+++ b/src/components/layout/UserMenu.svelte
@@ -8,9 +8,11 @@ import { session } from "$lib/session";
 
 import { afterNavigate } from "$app/navigation";
 
+export let id = "user-menu";
+
 let open = false;
 let showBackup = false;
-const triggerId = `user-menu-trigger-${Math.random().toString(36).slice(2, 8)}`;
+$: triggerId = `${id}-trigger`;
 
 afterNavigate(() => {
 	open = false;

From 5b570451ca8305d567a70d7dc2acbfbc24c05ff9 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sat, 11 Apr 2026 14:56:04 +0800
Subject: [PATCH 30/45] refactor(routes): move /saved to /user/saved

Group authenticated user pages under /user/ to establish a clear
URL pattern for future user features (profile, feed, settings).
Login stays at /login since it's a public entry point.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/components/layout/UserMenu.svelte    | 2 +-
 src/routes/login/+page.svelte            | 2 +-
 src/routes/{ => user}/saved/+page.svelte | 0
 3 files changed, 2 insertions(+), 2 deletions(-)
 rename src/routes/{ => user}/saved/+page.svelte (100%)

diff --git a/src/components/layout/UserMenu.svelte b/src/components/layout/UserMenu.svelte
index 2e62aa2af..3cd62347b 100644
--- a/src/components/layout/UserMenu.svelte
+++ b/src/components/layout/UserMenu.svelte
@@ -48,7 +48,7 @@ afterNavigate(() => {
 			>
 				{#if $session}
 					<a
-						href="/saved"
+						href="/user/saved"
 						class="flex items-center gap-2 px-4 py-2 text-sm text-primary transition-colors hover:bg-gray-100 dark:text-white dark:hover:bg-white/10"
 					>
 						<Icon type="material" icon="bookmark" w="16" h="16" />
diff --git a/src/routes/login/+page.svelte b/src/routes/login/+page.svelte
index b17126e58..d13d39885 100644
--- a/src/routes/login/+page.svelte
+++ b/src/routes/login/+page.svelte
@@ -54,7 +54,7 @@ async function handleSubmit() {
 			session.setSavedAreas(ids);
 		}
 
-		goto("/saved");
+		goto("/user/saved");
 	} catch (err) {
 		const message =
 			(err as { response?: { status?: number } })?.response?.status === 401
diff --git a/src/routes/saved/+page.svelte b/src/routes/user/saved/+page.svelte
similarity index 100%
rename from src/routes/saved/+page.svelte
rename to src/routes/user/saved/+page.svelte

From 1334b2d69b0b88cca72691b1f5eb71c1a6e79d11 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sun, 12 Apr 2026 13:27:03 +0800
Subject: [PATCH 31/45] style(icon): use bookmark with checkmark for saved
 state
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Switch from filled bookmark (ic:baseline-bookmark) to bookmark
with checkmark (ic:baseline-bookmark-added) for the saved state.
Aligns with the Android app's icon pattern — the checkmark is a
more explicit signal than fill alone.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/components/Icon.svelte | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/components/Icon.svelte b/src/components/Icon.svelte
index 9efb1e632..e72ad138a 100644
--- a/src/components/Icon.svelte
+++ b/src/components/Icon.svelte
@@ -20,7 +20,7 @@ const materialExceptions: Record<string, string> = {
 	currency_bitcoin: "material-symbols:currency-bitcoin",
 	close_round: "ic:round-close",
 	my_location: "material-symbols:my-location-rounded",
-	bookmark_filled: "ic:baseline-bookmark",
+	bookmark_filled: "ic:baseline-bookmark-added",
 	account_circle_filled: "ic:baseline-account-circle",
 };
 

From 8b3b806699a420cad0e28a24c47a3053abd4cdb1 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Mon, 13 Apr 2026 10:29:12 +0800
Subject: [PATCH 32/45] chore: add nostr-tools for NIP-07/nsec signing

Needed for the upcoming "Sign in with Nostr" flow on the login page.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 package.json   |   1 +
 pnpm-lock.yaml | 104 +++++++++++++++++++++++++++++++++++++++++--------
 2 files changed, 89 insertions(+), 16 deletions(-)

diff --git a/package.json b/package.json
index 38d9ec185..b6f6c523a 100644
--- a/package.json
+++ b/package.json
@@ -60,6 +60,7 @@
 		"localforage": "^1.10.0",
 		"maplibre-gl": "^4.7.1",
 		"marked": "^18.0.0",
+		"nostr-tools": "^2.23.3",
 		"opening_hours": "^3.12.0",
 		"qrcode": "^1.5.4",
 		"svelte-i18n": "^4.0.1",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 3b1fa8944..b8b7e1e8a 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -74,6 +74,9 @@ importers:
       marked:
         specifier: ^18.0.0
         version: 18.0.0
+      nostr-tools:
+        specifier: ^2.23.3
+        version: 2.23.3(typescript@5.9.3)
       opening_hours:
         specifier: ^3.12.0
         version: 3.12.0(typescript@5.9.3)
@@ -146,7 +149,7 @@ importers:
         version: 1.5.6
       jsdom:
         specifier: ^29.0.2
-        version: 29.0.2
+        version: 29.0.2(@noble/hashes@2.0.1)
       lint-staged:
         specifier: ^16.4.0
         version: 16.4.0
@@ -173,7 +176,7 @@ importers:
         version: 5.4.21(@types/node@22.19.17)(lightningcss@1.32.0)
       vitest:
         specifier: ^3.2.4
-        version: 3.2.4(@types/node@22.19.17)(jiti@2.6.1)(jsdom@29.0.2)(lightningcss@1.32.0)(yaml@2.8.2)
+        version: 3.2.4(@types/node@22.19.17)(jiti@2.6.1)(jsdom@29.0.2(@noble/hashes@2.0.1))(lightningcss@1.32.0)(yaml@2.8.2)
 
 packages:
 
@@ -970,6 +973,18 @@ packages:
     resolution: {integrity: sha512-AzBy3095fTFPjDjmWpR2w6HVRAZJ6hQZUCwk5Plz6EyfnfuQW1odeW5i2Ai47Y6TBA2hQnC+azscjBSALpaWgw==}
     hasBin: true
 
+  '@noble/ciphers@2.1.1':
+    resolution: {integrity: sha512-bysYuiVfhxNJuldNXlFEitTVdNnYUc+XNJZd7Qm2a5j1vZHgY+fazadNFWFaMK/2vye0JVlxV3gHmC0WDfAOQw==}
+    engines: {node: '>= 20.19.0'}
+
+  '@noble/curves@2.0.1':
+    resolution: {integrity: sha512-vs1Az2OOTBiP4q0pwjW5aF0xp9n4MxVrmkFBxc6EKZc6ddYx5gaZiAsZoq0uRRXWbi3AT/sBqn05eRPtn1JCPw==}
+    engines: {node: '>= 20.19.0'}
+
+  '@noble/hashes@2.0.1':
+    resolution: {integrity: sha512-XlOlEbQcE9fmuXxrVTXCTlG2nlRXa9Rj3rr5Ue/+tX+nmkgbX720YHh0VR3hBF9xDvwnb8D2shVGOwNx+ulArw==}
+    engines: {node: '>= 20.19.0'}
+
   '@playwright/test@1.59.1':
     resolution: {integrity: sha512-PG6q63nQg5c9rIi4/Z5lR5IVF7yU5MqmKaPOe0HSc0O2cX1fPi96sUQu5j7eo4gKCkB2AnNGoWt7y4/Xx3Kcqg==}
     engines: {node: '>=18'}
@@ -1106,6 +1121,15 @@ packages:
     cpu: [x64]
     os: [win32]
 
+  '@scure/base@2.0.0':
+    resolution: {integrity: sha512-3E1kpuZginKkek01ovG8krQ0Z44E3DHPjc5S2rjJw9lZn3KSQOs8S7wqikF/AH7iRanHypj85uGyxk0XAyC37w==}
+
+  '@scure/bip32@2.0.1':
+    resolution: {integrity: sha512-4Md1NI5BzoVP+bhyJaY3K6yMesEFzNS1sE/cP+9nuvE7p/b0kx9XbpDHHFl8dHtufcbdHRUUQdRqLIPHN/s7yA==}
+
+  '@scure/bip39@2.0.1':
+    resolution: {integrity: sha512-PsxdFj/d2AcJcZDX1FXN3dDgitDDTmwf78rKZq1a6c1P1Nan1X/Sxc7667zU3U+AN60g7SxxP0YCVw2H/hBycg==}
+
   '@standard-schema/spec@1.1.0':
     resolution: {integrity: sha512-l2aFy5jALhniG5HgqrD6jXLi/rUWrKvqN/qJx6yoJsgKhblVd+iqqU4RCXavm/jPityDo5TCvKMnpjKnOriy0w==}
 
@@ -2027,6 +2051,17 @@ packages:
   next-tick@1.1.0:
     resolution: {integrity: sha512-CXdUiJembsNjuToQvxayPZF9Vqht7hewsvy2sOWafLvi2awflj9mOC6bHIg50orX8IJvWKY9wYQ/zB2kogPslQ==}
 
+  nostr-tools@2.23.3:
+    resolution: {integrity: sha512-AALyt9k8xPdF4UV2mlLJ2mgCn4kpTB0DZ8t2r6wjdUh6anfx2cTVBsHUlo9U0EY/cKC5wcNyiMAmRJV5OVEalA==}
+    peerDependencies:
+      typescript: '>=5.0.0'
+    peerDependenciesMeta:
+      typescript:
+        optional: true
+
+  nostr-wasm@0.1.0:
+    resolution: {integrity: sha512-78BTryCLcLYv96ONU8Ws3Q1JzjlAt+43pWQhIl86xZmWeegYCNLPml7yQ+gG3vR6V5h4XGj+TxO+SS5dsThQIA==}
+
   onetime@7.0.0:
     resolution: {integrity: sha512-VXJjc87FScF88uafS3JllDgvAm+c/Slfz06lorj2uAY34rlUu0Nt+v8wreiImcrgAjjIHp1rXpTDlLOGw29WwQ==}
     engines: {node: '>=18'}
@@ -2952,7 +2987,9 @@ snapshots:
   '@esbuild/win32-x64@0.27.4':
     optional: true
 
-  '@exodus/bytes@1.15.0': {}
+  '@exodus/bytes@1.15.0(@noble/hashes@2.0.1)':
+    optionalDependencies:
+      '@noble/hashes': 2.0.1
 
   '@formatjs/ecma402-abstract@2.3.6':
     dependencies:
@@ -3045,6 +3082,14 @@ snapshots:
       rw: 1.3.3
       tinyqueue: 3.0.0
 
+  '@noble/ciphers@2.1.1': {}
+
+  '@noble/curves@2.0.1':
+    dependencies:
+      '@noble/hashes': 2.0.1
+
+  '@noble/hashes@2.0.1': {}
+
   '@playwright/test@1.59.1':
     dependencies:
       playwright: 1.59.1
@@ -3128,6 +3173,19 @@ snapshots:
   '@rollup/rollup-win32-x64-msvc@4.59.0':
     optional: true
 
+  '@scure/base@2.0.0': {}
+
+  '@scure/bip32@2.0.1':
+    dependencies:
+      '@noble/curves': 2.0.1
+      '@noble/hashes': 2.0.1
+      '@scure/base': 2.0.0
+
+  '@scure/bip39@2.0.1':
+    dependencies:
+      '@noble/hashes': 2.0.1
+      '@scure/base': 2.0.0
+
   '@standard-schema/spec@1.1.0': {}
 
   '@sveltejs/acorn-typescript@1.0.9(acorn@8.16.0)':
@@ -3518,10 +3576,10 @@ snapshots:
       es5-ext: 0.10.64
       type: 2.7.3
 
-  data-urls@7.0.0:
+  data-urls@7.0.0(@noble/hashes@2.0.1):
     dependencies:
       whatwg-mimetype: 5.0.0
-      whatwg-url: 16.0.1
+      whatwg-url: 16.0.1(@noble/hashes@2.0.1)
     transitivePeerDependencies:
       - '@noble/hashes'
 
@@ -3837,9 +3895,9 @@ snapshots:
     dependencies:
       function-bind: 1.1.2
 
-  html-encoding-sniffer@6.0.0:
+  html-encoding-sniffer@6.0.0(@noble/hashes@2.0.1):
     dependencies:
-      '@exodus/bytes': 1.15.0
+      '@exodus/bytes': 1.15.0(@noble/hashes@2.0.1)
     transitivePeerDependencies:
       - '@noble/hashes'
 
@@ -3894,17 +3952,17 @@ snapshots:
 
   js-tokens@9.0.1: {}
 
-  jsdom@29.0.2:
+  jsdom@29.0.2(@noble/hashes@2.0.1):
     dependencies:
       '@asamuzakjp/css-color': 5.1.8
       '@asamuzakjp/dom-selector': 7.0.8
       '@bramus/specificity': 2.4.2
       '@csstools/css-syntax-patches-for-csstree': 1.1.2(css-tree@3.2.1)
-      '@exodus/bytes': 1.15.0
+      '@exodus/bytes': 1.15.0(@noble/hashes@2.0.1)
       css-tree: 3.2.1
-      data-urls: 7.0.0
+      data-urls: 7.0.0(@noble/hashes@2.0.1)
       decimal.js: 10.6.0
-      html-encoding-sniffer: 6.0.0
+      html-encoding-sniffer: 6.0.0(@noble/hashes@2.0.1)
       is-potential-custom-element-name: 1.0.1
       lru-cache: 11.3.2
       parse5: 8.0.0
@@ -3915,7 +3973,7 @@ snapshots:
       w3c-xmlserializer: 5.0.0
       webidl-conversions: 8.0.1
       whatwg-mimetype: 5.0.0
-      whatwg-url: 16.0.1
+      whatwg-url: 16.0.1(@noble/hashes@2.0.1)
       xml-name-validator: 5.0.0
     transitivePeerDependencies:
       - '@noble/hashes'
@@ -4111,6 +4169,20 @@ snapshots:
 
   next-tick@1.1.0: {}
 
+  nostr-tools@2.23.3(typescript@5.9.3):
+    dependencies:
+      '@noble/ciphers': 2.1.1
+      '@noble/curves': 2.0.1
+      '@noble/hashes': 2.0.1
+      '@scure/base': 2.0.0
+      '@scure/bip32': 2.0.1
+      '@scure/bip39': 2.0.1
+      nostr-wasm: 0.1.0
+    optionalDependencies:
+      typescript: 5.9.3
+
+  nostr-wasm@0.1.0: {}
+
   onetime@7.0.0:
     dependencies:
       mimic-function: 5.0.1
@@ -4499,7 +4571,7 @@ snapshots:
     optionalDependencies:
       vite: 5.4.21(@types/node@22.19.17)(lightningcss@1.32.0)
 
-  vitest@3.2.4(@types/node@22.19.17)(jiti@2.6.1)(jsdom@29.0.2)(lightningcss@1.32.0)(yaml@2.8.2):
+  vitest@3.2.4(@types/node@22.19.17)(jiti@2.6.1)(jsdom@29.0.2(@noble/hashes@2.0.1))(lightningcss@1.32.0)(yaml@2.8.2):
     dependencies:
       '@types/chai': 5.2.3
       '@vitest/expect': 3.2.4
@@ -4526,7 +4598,7 @@ snapshots:
       why-is-node-running: 2.3.0
     optionalDependencies:
       '@types/node': 22.19.17
-      jsdom: 29.0.2
+      jsdom: 29.0.2(@noble/hashes@2.0.1)
     transitivePeerDependencies:
       - jiti
       - less
@@ -4555,9 +4627,9 @@ snapshots:
 
   whatwg-mimetype@5.0.0: {}
 
-  whatwg-url@16.0.1:
+  whatwg-url@16.0.1(@noble/hashes@2.0.1):
     dependencies:
-      '@exodus/bytes': 1.15.0
+      '@exodus/bytes': 1.15.0(@noble/hashes@2.0.1)
       tr46: 6.0.0
       webidl-conversions: 8.0.1
     transitivePeerDependencies:

From 21015567e6e4a2254fd1adb041104001379fb915 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Mon, 13 Apr 2026 10:31:05 +0800
Subject: [PATCH 33/45] feat(auth): add /api/session/nostr proxy route for
 Nostr sign-in

Server route that proxies signed NIP-98 events to POST /v4/auth/nostr
and returns a Bearer token + username. Same CORS-avoidance pattern as
the existing /api/session/login and signup routes.

The v4/auth/nostr endpoint is not yet live; this route returns 502 until
the API ships it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/routes/api/session/nostr/+server.ts | 37 +++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
 create mode 100644 src/routes/api/session/nostr/+server.ts

diff --git a/src/routes/api/session/nostr/+server.ts b/src/routes/api/session/nostr/+server.ts
new file mode 100644
index 000000000..ab5fffa74
--- /dev/null
+++ b/src/routes/api/session/nostr/+server.ts
@@ -0,0 +1,37 @@
+import { error, json } from "@sveltejs/kit";
+
+import api from "$lib/axios";
+
+import type { RequestHandler } from "./$types";
+
+// POST /api/session/nostr
+// Exchanges a signed NIP-98 event (kind 27235) for a BTC Map Bearer token.
+// Proxies POST /v4/auth/nostr to avoid browser CORS preflight issues.
+// If the npub is unknown, the API creates a new account linked to that pubkey.
+export const POST: RequestHandler = async ({ request }) => {
+	const body = await request.json();
+	const { signed_event } = body;
+
+	if (!signed_event || typeof signed_event !== "object") {
+		error(400, "Missing or invalid signed_event");
+	}
+
+	const res = await api
+		.post("https://api.btcmap.org/v4/auth/nostr", { signed_event })
+		.catch((err) => {
+			const status = err?.response?.status;
+			if (status === 401 || status === 403) {
+				error(401, "Invalid Nostr signature");
+			}
+			console.error("Failed to exchange Nostr event:", status);
+			error(502, "Failed to authenticate with Nostr");
+		});
+
+	const token = res.data?.token;
+	const username = res.data?.username;
+	if (typeof token !== "string" || typeof username !== "string") {
+		error(502, "Nostr auth returned invalid response");
+	}
+
+	return json({ token, username });
+};

From 39ca6da18f67ea24765f74d5965dcd9904f9bec8 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Mon, 13 Apr 2026 10:40:23 +0800
Subject: [PATCH 34/45] feat(auth): add NIP-07 Nostr extension sign-in on
 /login #903

Shows a "Sign in with Nostr extension" button on /login when window.nostr
is detected (Alby, nos2x, etc.). Signs a NIP-98 kind 27235 event and
posts it to the new /api/session/nostr proxy, exchanging it for a Bearer
token.

nsec paste fallback for mobile comes in a follow-up commit.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/lib/i18n/locales/en.json  |  7 +++-
 src/lib/nostr.ts              | 53 ++++++++++++++++++++++++
 src/routes/login/+page.svelte | 77 +++++++++++++++++++++++++++++++++++
 3 files changed, 136 insertions(+), 1 deletion(-)
 create mode 100644 src/lib/nostr.ts

diff --git a/src/lib/i18n/locales/en.json b/src/lib/i18n/locales/en.json
index 9db7be1f6..cefea12f0 100644
--- a/src/lib/i18n/locales/en.json
+++ b/src/lib/i18n/locales/en.json
@@ -60,7 +60,12 @@
 		"failed": "Invalid username or password.",
 		"error": "Something went wrong. Please try again.",
 		"noAccount": "Don't have an account?",
-		"createAccount": "Create one here"
+		"createAccount": "Create one here",
+		"or": "or",
+		"nostrExtension": "Sign in with Nostr extension",
+		"nostrSigning": "Waiting for signature...",
+		"nostrFailed": "Nostr signature was rejected.",
+		"nostrError": "Something went wrong signing in with Nostr."
 	},
 	"backup": {
 		"title": "Back up account",
diff --git a/src/lib/nostr.ts b/src/lib/nostr.ts
new file mode 100644
index 000000000..823edc3cb
--- /dev/null
+++ b/src/lib/nostr.ts
@@ -0,0 +1,53 @@
+import type { EventTemplate, VerifiedEvent } from "nostr-tools/pure";
+import { finalizeEvent } from "nostr-tools/pure";
+
+// URL the API verifies in the NIP-98 event's "u" tag. Must match what the
+// server sees, including scheme and no trailing slash.
+export const NOSTR_AUTH_URL = "https://api.btcmap.org/v4/auth/nostr";
+
+// NIP-07 extension interface (window.nostr) — minimal subset we use.
+// Extensions like Alby, nos2x inject this on page load.
+type NostrExtension = {
+	getPublicKey: () => Promise<string>;
+	signEvent: (event: EventTemplate) => Promise<VerifiedEvent>;
+};
+
+declare global {
+	interface Window {
+		nostr?: NostrExtension;
+	}
+}
+
+// Detect a NIP-07-compatible browser extension. Returns null on SSR.
+export function getNostrExtension(): NostrExtension | null {
+	if (typeof window === "undefined") return null;
+	return window.nostr ?? null;
+}
+
+// Build the unsigned NIP-98 event template for POST /v4/auth/nostr.
+// kind 27235, with "u" (url) and "method" tags per the spec.
+function buildAuthTemplate(): EventTemplate {
+	return {
+		kind: 27235,
+		created_at: Math.floor(Date.now() / 1000),
+		tags: [
+			["u", NOSTR_AUTH_URL],
+			["method", "POST"],
+		],
+		content: "",
+	};
+}
+
+// Sign via a NIP-07 browser extension. Throws if no extension is present or
+// the user rejects the signature request.
+export async function signAuthWithExtension(): Promise<VerifiedEvent> {
+	const ext = getNostrExtension();
+	if (!ext) throw new Error("No Nostr extension detected");
+	return ext.signEvent(buildAuthTemplate());
+}
+
+// Sign locally with a raw secret key (hex or nsec-decoded Uint8Array). The
+// key is used once and discarded — never stored.
+export function signAuthWithSecretKey(secretKey: Uint8Array): VerifiedEvent {
+	return finalizeEvent(buildAuthTemplate(), secretKey);
+}
diff --git a/src/routes/login/+page.svelte b/src/routes/login/+page.svelte
index d13d39885..370db1d43 100644
--- a/src/routes/login/+page.svelte
+++ b/src/routes/login/+page.svelte
@@ -3,6 +3,7 @@ import { onMount } from "svelte";
 
 import api from "$lib/axios";
 import { _ } from "$lib/i18n";
+import { getNostrExtension, signAuthWithExtension } from "$lib/nostr";
 import { session } from "$lib/session";
 import { errToast } from "$lib/utils";
 
@@ -11,11 +12,70 @@ import { goto } from "$app/navigation";
 let username = "";
 let password = "";
 let loading = false;
+let nostrLoading = false;
+let hasNostrExtension = false;
 
 onMount(() => {
 	session.init();
+	// Extensions inject window.nostr before page load, but give them a tick in
+	// case of slow injection. Re-check once to avoid a hidden button on first
+	// paint when the extension is present.
+	hasNostrExtension = getNostrExtension() !== null;
+	if (!hasNostrExtension) {
+		setTimeout(() => {
+			hasNostrExtension = getNostrExtension() !== null;
+		}, 300);
+	}
 });
 
+async function loginWithNostr() {
+	nostrLoading = true;
+	try {
+		const signedEvent = await signAuthWithExtension();
+
+		const res = await api.post("/api/session/nostr", {
+			signed_event: signedEvent,
+		});
+
+		const token = res.data?.token;
+		const apiUsername = res.data?.username;
+		if (typeof token !== "string" || typeof apiUsername !== "string") {
+			throw new Error("Nostr auth did not return a token");
+		}
+
+		session.login(apiUsername, "", token);
+
+		const headers = { Authorization: `Bearer ${token}` };
+		const [placesRes, areasRes] = await Promise.allSettled([
+			api.get("/api/session/saved-places", { headers }),
+			api.get("/api/session/saved-areas", { headers }),
+		]);
+
+		if (
+			placesRes.status === "fulfilled" &&
+			Array.isArray(placesRes.value.data)
+		) {
+			const ids = placesRes.value.data.map((p: { id: number }) => p.id);
+			session.setSavedPlaces(ids);
+		}
+		if (areasRes.status === "fulfilled" && Array.isArray(areasRes.value.data)) {
+			const ids = areasRes.value.data.map((a: { id: number }) => a.id);
+			session.setSavedAreas(ids);
+		}
+
+		goto("/user/saved");
+	} catch (err) {
+		const status = (err as { response?: { status?: number } })?.response
+			?.status;
+		const message =
+			status === 401 ? $_("login.nostrFailed") : $_("login.nostrError");
+		errToast(message);
+		console.error("Nostr login failed:", status ?? "unknown");
+	} finally {
+		nostrLoading = false;
+	}
+}
+
 async function handleSubmit() {
 	if (!username.trim() || !password) return;
 	loading = true;
@@ -82,6 +142,23 @@ async function handleSubmit() {
 			{$_("login.title")}
 		</h1>
 
+		{#if hasNostrExtension}
+			<button
+				type="button"
+				on:click={loginWithNostr}
+				disabled={nostrLoading || loading}
+				class="w-full rounded-lg bg-purple-600 px-4 py-2 font-semibold text-white transition-colors hover:bg-purple-700 disabled:opacity-50"
+			>
+				{nostrLoading ? $_("login.nostrSigning") : $_("login.nostrExtension")}
+			</button>
+
+			<div class="flex items-center gap-3">
+				<div class="h-px flex-1 bg-gray-300 dark:bg-white/20"></div>
+				<span class="text-xs text-body dark:text-white/50">{$_("login.or")}</span>
+				<div class="h-px flex-1 bg-gray-300 dark:bg-white/20"></div>
+			</div>
+		{/if}
+
 		<form on:submit|preventDefault={handleSubmit} class="space-y-4">
 			<div>
 				<label

From 4f06ec39b7cae3337f5d4df95d95c9365472fdcd Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Mon, 13 Apr 2026 10:43:28 +0800
Subject: [PATCH 35/45] feat(auth): add nsec paste fallback for Nostr sign-in
 on mobile #903
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When a user doesn't have a NIP-07 extension (common on mobile), they
can paste their nsec key. The key is used once locally to sign a NIP-98
event, then zeroed and never persisted or sent over the network.

The toggle is shown alongside the extension button — on mobile it
becomes the primary path since window.nostr is usually absent.

Follows the Primal mobile-web pattern.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/lib/i18n/locales/en.json  |   7 +-
 src/lib/nostr.ts              |  13 +++
 src/routes/login/+page.svelte | 162 +++++++++++++++++++++++++---------
 3 files changed, 140 insertions(+), 42 deletions(-)

diff --git a/src/lib/i18n/locales/en.json b/src/lib/i18n/locales/en.json
index cefea12f0..d99f50604 100644
--- a/src/lib/i18n/locales/en.json
+++ b/src/lib/i18n/locales/en.json
@@ -65,7 +65,12 @@
 		"nostrExtension": "Sign in with Nostr extension",
 		"nostrSigning": "Waiting for signature...",
 		"nostrFailed": "Nostr signature was rejected.",
-		"nostrError": "Something went wrong signing in with Nostr."
+		"nostrError": "Something went wrong signing in with Nostr.",
+		"nsecToggle": "Sign in with a private key",
+		"nsecLabel": "Private key (nsec)",
+		"nsecSubmit": "Sign in with private key",
+		"nsecWarning": "Your key is used locally to sign a login event and is never stored or sent to any server. Prefer a Nostr extension if you have one.",
+		"nsecInvalid": "That doesn't look like a valid nsec key."
 	},
 	"backup": {
 		"title": "Back up account",
diff --git a/src/lib/nostr.ts b/src/lib/nostr.ts
index 823edc3cb..09b307afb 100644
--- a/src/lib/nostr.ts
+++ b/src/lib/nostr.ts
@@ -1,3 +1,4 @@
+import { decode } from "nostr-tools/nip19";
 import type { EventTemplate, VerifiedEvent } from "nostr-tools/pure";
 import { finalizeEvent } from "nostr-tools/pure";
 
@@ -51,3 +52,15 @@ export async function signAuthWithExtension(): Promise<VerifiedEvent> {
 export function signAuthWithSecretKey(secretKey: Uint8Array): VerifiedEvent {
 	return finalizeEvent(buildAuthTemplate(), secretKey);
 }
+
+// Decode a bech32 nsec... string into its 32-byte secret key. Throws on any
+// non-nsec input (npub, invalid bech32, wrong length) — callers surface a
+// generic "invalid key" message rather than leaking details.
+export function decodeNsec(nsec: string): Uint8Array {
+	const trimmed = nsec.trim();
+	const decoded = decode(trimmed);
+	if (decoded.type !== "nsec") {
+		throw new Error("Not an nsec");
+	}
+	return decoded.data;
+}
diff --git a/src/routes/login/+page.svelte b/src/routes/login/+page.svelte
index 370db1d43..f7ae15d34 100644
--- a/src/routes/login/+page.svelte
+++ b/src/routes/login/+page.svelte
@@ -1,9 +1,15 @@
 <script lang="ts">
+import type { VerifiedEvent } from "nostr-tools/pure";
 import { onMount } from "svelte";
 
 import api from "$lib/axios";
 import { _ } from "$lib/i18n";
-import { getNostrExtension, signAuthWithExtension } from "$lib/nostr";
+import {
+	decodeNsec,
+	getNostrExtension,
+	signAuthWithExtension,
+	signAuthWithSecretKey,
+} from "$lib/nostr";
 import { session } from "$lib/session";
 import { errToast } from "$lib/utils";
 
@@ -14,6 +20,9 @@ let password = "";
 let loading = false;
 let nostrLoading = false;
 let hasNostrExtension = false;
+let showNsecInput = false;
+let nsec = "";
+let nsecLoading = false;
 
 onMount(() => {
 	session.init();
@@ -28,42 +37,42 @@ onMount(() => {
 	}
 });
 
-async function loginWithNostr() {
-	nostrLoading = true;
-	try {
-		const signedEvent = await signAuthWithExtension();
+async function exchangeSignedEvent(signedEvent: VerifiedEvent) {
+	const res = await api.post("/api/session/nostr", {
+		signed_event: signedEvent,
+	});
 
-		const res = await api.post("/api/session/nostr", {
-			signed_event: signedEvent,
-		});
+	const token = res.data?.token;
+	const apiUsername = res.data?.username;
+	if (typeof token !== "string" || typeof apiUsername !== "string") {
+		throw new Error("Nostr auth did not return a token");
+	}
 
-		const token = res.data?.token;
-		const apiUsername = res.data?.username;
-		if (typeof token !== "string" || typeof apiUsername !== "string") {
-			throw new Error("Nostr auth did not return a token");
-		}
+	session.login(apiUsername, "", token);
 
-		session.login(apiUsername, "", token);
+	const headers = { Authorization: `Bearer ${token}` };
+	const [placesRes, areasRes] = await Promise.allSettled([
+		api.get("/api/session/saved-places", { headers }),
+		api.get("/api/session/saved-areas", { headers }),
+	]);
 
-		const headers = { Authorization: `Bearer ${token}` };
-		const [placesRes, areasRes] = await Promise.allSettled([
-			api.get("/api/session/saved-places", { headers }),
-			api.get("/api/session/saved-areas", { headers }),
-		]);
+	if (placesRes.status === "fulfilled" && Array.isArray(placesRes.value.data)) {
+		const ids = placesRes.value.data.map((p: { id: number }) => p.id);
+		session.setSavedPlaces(ids);
+	}
+	if (areasRes.status === "fulfilled" && Array.isArray(areasRes.value.data)) {
+		const ids = areasRes.value.data.map((a: { id: number }) => a.id);
+		session.setSavedAreas(ids);
+	}
 
-		if (
-			placesRes.status === "fulfilled" &&
-			Array.isArray(placesRes.value.data)
-		) {
-			const ids = placesRes.value.data.map((p: { id: number }) => p.id);
-			session.setSavedPlaces(ids);
-		}
-		if (areasRes.status === "fulfilled" && Array.isArray(areasRes.value.data)) {
-			const ids = areasRes.value.data.map((a: { id: number }) => a.id);
-			session.setSavedAreas(ids);
-		}
+	goto("/user/saved");
+}
 
-		goto("/user/saved");
+async function loginWithNostr() {
+	nostrLoading = true;
+	try {
+		const signedEvent = await signAuthWithExtension();
+		await exchangeSignedEvent(signedEvent);
 	} catch (err) {
 		const status = (err as { response?: { status?: number } })?.response
 			?.status;
@@ -76,6 +85,35 @@ async function loginWithNostr() {
 	}
 }
 
+async function loginWithNsec() {
+	if (!nsec.trim()) return;
+	nsecLoading = true;
+	let secretKey: Uint8Array | null = null;
+	try {
+		secretKey = decodeNsec(nsec);
+		const signedEvent = signAuthWithSecretKey(secretKey);
+		// Clear the textarea now — the signed event is already built.
+		nsec = "";
+		await exchangeSignedEvent(signedEvent);
+	} catch (err) {
+		const status = (err as { response?: { status?: number } })?.response
+			?.status;
+		const isDecodeError = !status && !(err as { response?: unknown })?.response;
+		const message = isDecodeError
+			? $_("login.nsecInvalid")
+			: status === 401
+				? $_("login.nostrFailed")
+				: $_("login.nostrError");
+		errToast(message);
+		console.error("Nsec login failed:", status ?? "decode");
+	} finally {
+		// Best-effort zeroing. V8 may have copies elsewhere, but this covers the
+		// primary reference.
+		if (secretKey) secretKey.fill(0);
+		nsecLoading = false;
+	}
+}
+
 async function handleSubmit() {
 	if (!username.trim() || !password) return;
 	loading = true;
@@ -142,22 +180,64 @@ async function handleSubmit() {
 			{$_("login.title")}
 		</h1>
 
-		{#if hasNostrExtension}
-			<button
-				type="button"
-				on:click={loginWithNostr}
-				disabled={nostrLoading || loading}
-				class="w-full rounded-lg bg-purple-600 px-4 py-2 font-semibold text-white transition-colors hover:bg-purple-700 disabled:opacity-50"
-			>
-				{nostrLoading ? $_("login.nostrSigning") : $_("login.nostrExtension")}
-			</button>
+		<div class="space-y-3">
+			{#if hasNostrExtension}
+				<button
+					type="button"
+					on:click={loginWithNostr}
+					disabled={nostrLoading || nsecLoading || loading}
+					class="w-full rounded-lg bg-purple-600 px-4 py-2 font-semibold text-white transition-colors hover:bg-purple-700 disabled:opacity-50"
+				>
+					{nostrLoading ? $_("login.nostrSigning") : $_("login.nostrExtension")}
+				</button>
+			{/if}
+
+			{#if showNsecInput}
+				<form on:submit|preventDefault={loginWithNsec} class="space-y-2">
+					<label
+						for="nsec"
+						class="block text-sm font-semibold text-primary dark:text-white"
+					>
+						{$_("login.nsecLabel")}
+					</label>
+					<input
+						id="nsec"
+						type="password"
+						bind:value={nsec}
+						placeholder="nsec1..."
+						autocomplete="off"
+						autocorrect="off"
+						autocapitalize="off"
+						spellcheck="false"
+						class="w-full rounded-lg border border-gray-300 bg-white px-3 py-2 font-mono text-sm text-primary dark:border-white/20 dark:bg-dark dark:text-white"
+					/>
+					<p class="text-xs text-body dark:text-white/50">
+						{$_("login.nsecWarning")}
+					</p>
+					<button
+						type="submit"
+						disabled={nsecLoading || !nsec.trim()}
+						class="w-full rounded-lg bg-purple-600 px-4 py-2 font-semibold text-white transition-colors hover:bg-purple-700 disabled:opacity-50"
+					>
+						{nsecLoading ? $_("login.nostrSigning") : $_("login.nsecSubmit")}
+					</button>
+				</form>
+			{:else}
+				<button
+					type="button"
+					on:click={() => (showNsecInput = true)}
+					class="w-full text-center text-sm text-link transition-colors hover:text-hover"
+				>
+					{$_("login.nsecToggle")}
+				</button>
+			{/if}
 
 			<div class="flex items-center gap-3">
 				<div class="h-px flex-1 bg-gray-300 dark:bg-white/20"></div>
 				<span class="text-xs text-body dark:text-white/50">{$_("login.or")}</span>
 				<div class="h-px flex-1 bg-gray-300 dark:bg-white/20"></div>
 			</div>
-		{/if}
+		</div>
 
 		<form on:submit|preventDefault={handleSubmit} class="space-y-4">
 			<div>

From 98b1438ee7a6f63fa6793439d8a13b9b5dab2842 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Mon, 13 Apr 2026 11:18:55 +0800
Subject: [PATCH 36/45] refactor(session): extract loadSavedItemsFromServer
 helper #903

Replaces duplicate Promise.allSettled hydration blocks in the two /login
code paths (username+password and Nostr) with a single session method.
Next login path (backup code, OAuth, etc.) gets it for free.

Addresses Copilot review comment on PR #911.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/lib/session.ts            | 39 +++++++++++++++++++++++++++++++++++
 src/routes/login/+page.svelte | 38 ++--------------------------------
 2 files changed, 41 insertions(+), 36 deletions(-)

diff --git a/src/lib/session.ts b/src/lib/session.ts
index 7be66fd29..55dcd8dcb 100644
--- a/src/lib/session.ts
+++ b/src/lib/session.ts
@@ -226,6 +226,45 @@ function createSessionStore() {
 			set(session);
 		},
 
+		// Fetch saved places + areas from the server and hydrate the store.
+		// Best-effort: partial failures are logged, not thrown. Call after
+		// login() so there's an active session to populate.
+		loadSavedItemsFromServer: async (token: string): Promise<void> => {
+			const headers = { Authorization: `Bearer ${token}` };
+			const [placesRes, areasRes] = await Promise.allSettled([
+				api.get("/api/session/saved-places", { headers }),
+				api.get("/api/session/saved-areas", { headers }),
+			]);
+
+			const applyIds = (ids: number[], key: "savedPlaces" | "savedAreas") => {
+				update((current) => {
+					if (!current) return current;
+					const next = { ...current, [key]: ids };
+					saveToStorage(next);
+					return next;
+				});
+			};
+
+			if (
+				placesRes.status === "fulfilled" &&
+				Array.isArray(placesRes.value.data)
+			) {
+				applyIds(
+					placesRes.value.data.map((p: { id: number }) => p.id),
+					"savedPlaces",
+				);
+			}
+			if (
+				areasRes.status === "fulfilled" &&
+				Array.isArray(areasRes.value.data)
+			) {
+				applyIds(
+					areasRes.value.data.map((a: { id: number }) => a.id),
+					"savedAreas",
+				);
+			}
+		},
+
 		// Clear the session (logout / forget account). No recovery.
 		clear: () => {
 			saveToStorage(null);
diff --git a/src/routes/login/+page.svelte b/src/routes/login/+page.svelte
index f7ae15d34..335c3cf52 100644
--- a/src/routes/login/+page.svelte
+++ b/src/routes/login/+page.svelte
@@ -49,22 +49,7 @@ async function exchangeSignedEvent(signedEvent: VerifiedEvent) {
 	}
 
 	session.login(apiUsername, "", token);
-
-	const headers = { Authorization: `Bearer ${token}` };
-	const [placesRes, areasRes] = await Promise.allSettled([
-		api.get("/api/session/saved-places", { headers }),
-		api.get("/api/session/saved-areas", { headers }),
-	]);
-
-	if (placesRes.status === "fulfilled" && Array.isArray(placesRes.value.data)) {
-		const ids = placesRes.value.data.map((p: { id: number }) => p.id);
-		session.setSavedPlaces(ids);
-	}
-	if (areasRes.status === "fulfilled" && Array.isArray(areasRes.value.data)) {
-		const ids = areasRes.value.data.map((a: { id: number }) => a.id);
-		session.setSavedAreas(ids);
-	}
-
+	await session.loadSavedItemsFromServer(token);
 	goto("/user/saved");
 }
 
@@ -132,26 +117,7 @@ async function handleSubmit() {
 		// Replace current session with the logged-in account.
 		// Don't store the password — the user already knows it.
 		session.login(username.trim(), "", token);
-
-		// Load saved items from server
-		const headers = { Authorization: `Bearer ${token}` };
-		const [placesRes, areasRes] = await Promise.allSettled([
-			api.get("/api/session/saved-places", { headers }),
-			api.get("/api/session/saved-areas", { headers }),
-		]);
-
-		if (
-			placesRes.status === "fulfilled" &&
-			Array.isArray(placesRes.value.data)
-		) {
-			const ids = placesRes.value.data.map((p: { id: number }) => p.id);
-			session.setSavedPlaces(ids);
-		}
-		if (areasRes.status === "fulfilled" && Array.isArray(areasRes.value.data)) {
-			const ids = areasRes.value.data.map((a: { id: number }) => a.id);
-			session.setSavedAreas(ids);
-		}
-
+		await session.loadSavedItemsFromServer(token);
 		goto("/user/saved");
 	} catch (err) {
 		const message =

From 77e919f092b338fbcf31fe2d37da10e67cdcbca6 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Mon, 13 Apr 2026 11:19:35 +0800
Subject: [PATCH 37/45] fix(auth): classify nsec decode vs transport errors
 separately #903
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previously, any error without err.response was treated as a decode error.
Network, CORS, or timeout failures have no .response either, so transport
problems were surfaced as "invalid nsec" — misleading to the user.

Split into two phases:
- Phase 1 (sync decode + sign): any throw → "invalid nsec"
- Phase 2 (async exchange): uses the same 401-vs-generic classifier as the
  extension login path

Addresses Copilot review comment on PR #911.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/routes/login/+page.svelte | 28 +++++++++++++++++++---------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/src/routes/login/+page.svelte b/src/routes/login/+page.svelte
index 335c3cf52..c3aa1e104 100644
--- a/src/routes/login/+page.svelte
+++ b/src/routes/login/+page.svelte
@@ -74,23 +74,33 @@ async function loginWithNsec() {
 	if (!nsec.trim()) return;
 	nsecLoading = true;
 	let secretKey: Uint8Array | null = null;
+
+	// Phase 1: decode + sign (sync, only fails on malformed key). A failure
+	// here is unambiguous, so the error message can be specific.
+	let signedEvent: VerifiedEvent;
 	try {
 		secretKey = decodeNsec(nsec);
-		const signedEvent = signAuthWithSecretKey(secretKey);
-		// Clear the textarea now — the signed event is already built.
+		signedEvent = signAuthWithSecretKey(secretKey);
 		nsec = "";
+	} catch {
+		errToast($_("login.nsecInvalid"));
+		console.error("Nsec decode failed");
+		if (secretKey) secretKey.fill(0);
+		nsecLoading = false;
+		return;
+	}
+
+	// Phase 2: network exchange. Reuses the same 401-vs-generic classifier as
+	// loginWithNostr so transport errors don't get misreported as "invalid nsec".
+	try {
 		await exchangeSignedEvent(signedEvent);
 	} catch (err) {
 		const status = (err as { response?: { status?: number } })?.response
 			?.status;
-		const isDecodeError = !status && !(err as { response?: unknown })?.response;
-		const message = isDecodeError
-			? $_("login.nsecInvalid")
-			: status === 401
-				? $_("login.nostrFailed")
-				: $_("login.nostrError");
+		const message =
+			status === 401 ? $_("login.nostrFailed") : $_("login.nostrError");
 		errToast(message);
-		console.error("Nsec login failed:", status ?? "decode");
+		console.error("Nsec login failed:", status ?? "unknown");
 	} finally {
 		// Best-effort zeroing. V8 may have copies elsewhere, but this covers the
 		// primary reference.

From f131db3137e644467f279cfe60e4eadd3a1b7046 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Mon, 13 Apr 2026 11:20:01 +0800
Subject: [PATCH 38/45] fix(auth): clear Nostr extension-detect timeout on
 unmount #903

Return a cleanup function from onMount so the 300ms re-check doesn't
fire after the component is destroyed. Prevents a set-after-unmount if
the user navigates away quickly.

Addresses Copilot review comment on PR #911.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/routes/login/+page.svelte | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/src/routes/login/+page.svelte b/src/routes/login/+page.svelte
index c3aa1e104..9b7a7c39b 100644
--- a/src/routes/login/+page.svelte
+++ b/src/routes/login/+page.svelte
@@ -30,11 +30,13 @@ onMount(() => {
 	// case of slow injection. Re-check once to avoid a hidden button on first
 	// paint when the extension is present.
 	hasNostrExtension = getNostrExtension() !== null;
-	if (!hasNostrExtension) {
-		setTimeout(() => {
-			hasNostrExtension = getNostrExtension() !== null;
-		}, 300);
-	}
+	if (hasNostrExtension) return;
+	const t = setTimeout(() => {
+		hasNostrExtension = getNostrExtension() !== null;
+	}, 300);
+	// Svelte runs the returned function on component destroy — prevents a
+	// set-after-unmount if the user navigates away within 300ms.
+	return () => clearTimeout(t);
 });
 
 async function exchangeSignedEvent(signedEvent: VerifiedEvent) {

From bb4da85d63a013f0f18988d97d8cf045ed7b45d6 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Mon, 13 Apr 2026 11:20:41 +0800
Subject: [PATCH 39/45] refactor(auth): share NOSTR_AUTH_URL between client and
 server route #903

The client signs a NIP-98 event with NOSTR_AUTH_URL in the "u" tag; the
proxy route POSTs to that same URL. Hardcoding it in both places risks
silent signature-verification failures if one drifts (e.g. staging URL).

Single source of truth in $lib/nostr.

Addresses Copilot review comment on PR #911.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/routes/api/session/nostr/+server.ts | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/src/routes/api/session/nostr/+server.ts b/src/routes/api/session/nostr/+server.ts
index ab5fffa74..6cbafc09b 100644
--- a/src/routes/api/session/nostr/+server.ts
+++ b/src/routes/api/session/nostr/+server.ts
@@ -1,6 +1,7 @@
 import { error, json } from "@sveltejs/kit";
 
 import api from "$lib/axios";
+import { NOSTR_AUTH_URL } from "$lib/nostr";
 
 import type { RequestHandler } from "./$types";
 
@@ -16,16 +17,14 @@ export const POST: RequestHandler = async ({ request }) => {
 		error(400, "Missing or invalid signed_event");
 	}
 
-	const res = await api
-		.post("https://api.btcmap.org/v4/auth/nostr", { signed_event })
-		.catch((err) => {
-			const status = err?.response?.status;
-			if (status === 401 || status === 403) {
-				error(401, "Invalid Nostr signature");
-			}
-			console.error("Failed to exchange Nostr event:", status);
-			error(502, "Failed to authenticate with Nostr");
-		});
+	const res = await api.post(NOSTR_AUTH_URL, { signed_event }).catch((err) => {
+		const status = err?.response?.status;
+		if (status === 401 || status === 403) {
+			error(401, "Invalid Nostr signature");
+		}
+		console.error("Failed to exchange Nostr event:", status);
+		error(502, "Failed to authenticate with Nostr");
+	});
 
 	const token = res.data?.token;
 	const username = res.data?.username;

From a8f8649a5e264e42a9b9456bac15146218afdfc0 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Mon, 13 Apr 2026 11:38:38 +0800
Subject: [PATCH 40/45] fix(auth): cap /api/session/nostr request body to 4 KB
 #903

Reject bodies with Content-Length > 4096 bytes before parsing. A valid
NIP-98 event is ~400 B; 4 KB leaves headroom without accepting obvious
junk. Prevents accidental misuse of the proxy as a parser for large
payloads. Deliberate DoS still needs upstream rate limiting.

Addresses the one Medium finding from the branch security review.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/routes/api/session/nostr/+server.ts | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/routes/api/session/nostr/+server.ts b/src/routes/api/session/nostr/+server.ts
index 6cbafc09b..b0ae91dcc 100644
--- a/src/routes/api/session/nostr/+server.ts
+++ b/src/routes/api/session/nostr/+server.ts
@@ -5,11 +5,20 @@ import { NOSTR_AUTH_URL } from "$lib/nostr";
 
 import type { RequestHandler } from "./$types";
 
+// A signed NIP-98 event is ~400 bytes. 4 KB leaves generous headroom for
+// unusual tag sets while rejecting obvious junk bodies before we try to parse.
+const MAX_BODY_BYTES = 4096;
+
 // POST /api/session/nostr
 // Exchanges a signed NIP-98 event (kind 27235) for a BTC Map Bearer token.
 // Proxies POST /v4/auth/nostr to avoid browser CORS preflight issues.
 // If the npub is unknown, the API creates a new account linked to that pubkey.
 export const POST: RequestHandler = async ({ request }) => {
+	const contentLength = Number(request.headers.get("content-length"));
+	if (!Number.isFinite(contentLength) || contentLength > MAX_BODY_BYTES) {
+		error(413, "Request body too large");
+	}
+
 	const body = await request.json();
 	const { signed_event } = body;
 

From 4850c6166a370df1c73590f355ac1623d02a3e6c Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Mon, 13 Apr 2026 11:38:57 +0800
Subject: [PATCH 41/45] fix(auth): use autocomplete=new-password on nsec input
 #903

"off" is widely ignored by password managers on type=password inputs.
"new-password" is the documented hint Chrome and Safari respect to
suppress save/fill prompts. Reduces the chance a user's nsec is
silently stored by a password manager.

Addresses a Low finding from the branch security review.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 src/routes/login/+page.svelte | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/routes/login/+page.svelte b/src/routes/login/+page.svelte
index 9b7a7c39b..b2666055c 100644
--- a/src/routes/login/+page.svelte
+++ b/src/routes/login/+page.svelte
@@ -183,7 +183,7 @@ async function handleSubmit() {
 						type="password"
 						bind:value={nsec}
 						placeholder="nsec1..."
-						autocomplete="off"
+						autocomplete="new-password"
 						autocorrect="off"
 						autocapitalize="off"
 						spellcheck="false"

From 63e48c925417d31558e6ef73e65a240c09131d7c Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sun, 10 May 2026 11:34:26 +0200
Subject: [PATCH 42/45] feat(auth): parameterize NOSTR_AUTH_URL via
 VITE_API_BASE_URL #903
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The signed NIP-98 event's `u` tag must exactly match the URL the API
reconstructs and verifies. Hardcoding api.btcmap.org makes local
dev impossible — running btcmap-api on http://127.0.0.1:8000 and
signing for api.btcmap.org would always fail the URL-match check.

Read VITE_API_BASE_URL with the production endpoint as the default,
strip any trailing slash, then derive NOSTR_AUTH_URL from it. The
SvelteKit proxy that forwards to the API uses the same constant, so
both the signed event and the API hop stay aligned with whatever the
env var points at.

For local dev: set VITE_API_BASE_URL=http://127.0.0.1:8000 in .env.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 src/lib/nostr.ts | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/src/lib/nostr.ts b/src/lib/nostr.ts
index 09b307afb..91a18dd84 100644
--- a/src/lib/nostr.ts
+++ b/src/lib/nostr.ts
@@ -3,8 +3,13 @@ import type { EventTemplate, VerifiedEvent } from "nostr-tools/pure";
 import { finalizeEvent } from "nostr-tools/pure";
 
 // URL the API verifies in the NIP-98 event's "u" tag. Must match what the
-// server sees, including scheme and no trailing slash.
-export const NOSTR_AUTH_URL = "https://api.btcmap.org/v4/auth/nostr";
+// server sees, including scheme and no trailing slash. Defaults to the
+// production API; override with VITE_API_BASE_URL in .env for local dev
+// against a checked-out btcmap-api (typically http://127.0.0.1:8000).
+const API_BASE_URL = (
+	import.meta.env.VITE_API_BASE_URL || "https://api.btcmap.org"
+).replace(/\/+$/, "");
+export const NOSTR_AUTH_URL = `${API_BASE_URL}/v4/auth/nostr`;
 
 // NIP-07 extension interface (window.nostr) — minimal subset we use.
 // Extensions like Alby, nos2x inject this on page load.

From 50fa521799e81ced40cf797ffc1d9515851a5a39 Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sun, 10 May 2026 11:34:37 +0200
Subject: [PATCH 43/45] refactor(auth): use canonical NIP-98 Authorization
 header to API #903
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The /v4/auth/nostr API extractor reads the signed event from the
canonical Authorization: Nostr <base64(event)> header, not from the
request body. This was a transport mismatch — the proxy was sending
{signed_event} as JSON body, which the API wouldn't see.

Switch the API hop to base64-encode the signed event JSON and put it
in the Authorization header, with no body. The browser-side contract
of this route is unchanged: the client still POSTs {signed_event} to
/api/session/nostr, the SvelteKit server route does the reshape.

The 4 KB content-length cap on the incoming body still applies, since
the {signed_event} envelope from the browser is what's bounded.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 src/routes/api/session/nostr/+server.ts | 31 ++++++++++++++++++-------
 1 file changed, 22 insertions(+), 9 deletions(-)

diff --git a/src/routes/api/session/nostr/+server.ts b/src/routes/api/session/nostr/+server.ts
index b0ae91dcc..18697579d 100644
--- a/src/routes/api/session/nostr/+server.ts
+++ b/src/routes/api/session/nostr/+server.ts
@@ -11,8 +11,13 @@ const MAX_BODY_BYTES = 4096;
 
 // POST /api/session/nostr
 // Exchanges a signed NIP-98 event (kind 27235) for a BTC Map Bearer token.
-// Proxies POST /v4/auth/nostr to avoid browser CORS preflight issues.
+// Proxies to POST /v4/auth/nostr to avoid browser CORS preflight issues.
 // If the npub is unknown, the API creates a new account linked to that pubkey.
+//
+// Browser-side contract is unchanged: the client posts {signed_event} as
+// JSON to this route. The hop to btcmap-api uses the canonical NIP-98
+// Authorization: Nostr <base64(event)> header (no body), per the spec and
+// what the API extractor expects.
 export const POST: RequestHandler = async ({ request }) => {
 	const contentLength = Number(request.headers.get("content-length"));
 	if (!Number.isFinite(contentLength) || contentLength > MAX_BODY_BYTES) {
@@ -26,14 +31,22 @@ export const POST: RequestHandler = async ({ request }) => {
 		error(400, "Missing or invalid signed_event");
 	}
 
-	const res = await api.post(NOSTR_AUTH_URL, { signed_event }).catch((err) => {
-		const status = err?.response?.status;
-		if (status === 401 || status === 403) {
-			error(401, "Invalid Nostr signature");
-		}
-		console.error("Failed to exchange Nostr event:", status);
-		error(502, "Failed to authenticate with Nostr");
-	});
+	const eventB64 = Buffer.from(JSON.stringify(signed_event), "utf-8").toString(
+		"base64",
+	);
+
+	const res = await api
+		.post(NOSTR_AUTH_URL, undefined, {
+			headers: { Authorization: `Nostr ${eventB64}` },
+		})
+		.catch((err) => {
+			const status = err?.response?.status;
+			if (status === 401 || status === 403) {
+				error(401, "Invalid Nostr signature");
+			}
+			console.error("Failed to exchange Nostr event:", status);
+			error(502, "Failed to authenticate with Nostr");
+		});
 
 	const token = res.data?.token;
 	const username = res.data?.username;

From f6c6d5d1b743c865d6447dacb8897951160a028f Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sun, 10 May 2026 11:49:46 +0200
Subject: [PATCH 44/45] refactor(api): route all SvelteKit session proxies
 through \$lib/api-base #903
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds src/lib/api-base.ts (cherry-picked verbatim from main, where it
already exists in this exact form for the same reason) so every
SvelteKit server-route proxy in src/routes/api/session/* resolves the
btcmap-api base URL the same way:

  VITE_API_BASE_URL > 'https://api.btcmap.org' (default), trailing-/
  stripped.

Without this, /user/saved was failing locally with 401: a token minted
against the local API at http://127.0.0.1:8000 doesn't authenticate
against api.btcmap.org, but the saved-places / saved-areas proxies
were pointing at production regardless of VITE_API_BASE_URL.

Affected proxies, all hardcoded api.btcmap.org before:
- POST /api/session/login
- POST /api/session/signup
- GET/PUT /api/session/saved-places
- GET/PUT /api/session/saved-areas

Also drops the inline VITE_API_BASE_URL read introduced in 63e48c92 from
src/lib/nostr.ts in favour of the shared constant — same end value, just
de-duped.

Out of scope here: the rest of the codebase still has ~25 hardcoded
api.btcmap.org references in map sync, merchant/area page loaders, etc.
Those will surface separately if local-dev coverage is broadened, and
should rebase cleanly once #911 lands on top of current main.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 src/lib/api-base.ts                            | 14 ++++++++++++++
 src/lib/nostr.ts                               | 11 ++++-------
 src/routes/api/session/login/+server.ts        |  3 ++-
 src/routes/api/session/saved-areas/+server.ts  |  5 +++--
 src/routes/api/session/saved-places/+server.ts |  5 +++--
 src/routes/api/session/signup/+server.ts       |  5 +++--
 6 files changed, 29 insertions(+), 14 deletions(-)
 create mode 100644 src/lib/api-base.ts

diff --git a/src/lib/api-base.ts b/src/lib/api-base.ts
new file mode 100644
index 000000000..d22e86626
--- /dev/null
+++ b/src/lib/api-base.ts
@@ -0,0 +1,14 @@
+// Resolved API base URL. Defaults to the production endpoint; override via
+// VITE_API_BASE_URL in .env for local development.
+//
+// Client-side: relative paths like "/btcmap-api-proxy" work fine — the
+// browser resolves them against the current origin, hitting the Vite dev
+// proxy. SvelteKit's event.fetch in +page.server.ts load functions also
+// handles relative URLs.
+//
+// Server-side (axios in +server.ts, module-level SSR code): relative paths
+// fail because Node has no browser origin. For these callers, set an
+// absolute URL instead (e.g. "http://127.0.0.1:8000").
+export const API_BASE: string = (
+	import.meta.env.VITE_API_BASE_URL || "https://api.btcmap.org"
+).replace(/\/+$/, "");
diff --git a/src/lib/nostr.ts b/src/lib/nostr.ts
index 91a18dd84..315bc39fc 100644
--- a/src/lib/nostr.ts
+++ b/src/lib/nostr.ts
@@ -2,14 +2,11 @@ import { decode } from "nostr-tools/nip19";
 import type { EventTemplate, VerifiedEvent } from "nostr-tools/pure";
 import { finalizeEvent } from "nostr-tools/pure";
 
+import { API_BASE } from "$lib/api-base";
+
 // URL the API verifies in the NIP-98 event's "u" tag. Must match what the
-// server sees, including scheme and no trailing slash. Defaults to the
-// production API; override with VITE_API_BASE_URL in .env for local dev
-// against a checked-out btcmap-api (typically http://127.0.0.1:8000).
-const API_BASE_URL = (
-	import.meta.env.VITE_API_BASE_URL || "https://api.btcmap.org"
-).replace(/\/+$/, "");
-export const NOSTR_AUTH_URL = `${API_BASE_URL}/v4/auth/nostr`;
+// server sees, including scheme and no trailing slash.
+export const NOSTR_AUTH_URL = `${API_BASE}/v4/auth/nostr`;
 
 // NIP-07 extension interface (window.nostr) — minimal subset we use.
 // Extensions like Alby, nos2x inject this on page load.
diff --git a/src/routes/api/session/login/+server.ts b/src/routes/api/session/login/+server.ts
index 02a5dbac9..c86055375 100644
--- a/src/routes/api/session/login/+server.ts
+++ b/src/routes/api/session/login/+server.ts
@@ -1,5 +1,6 @@
 import { error, json } from "@sveltejs/kit";
 
+import { API_BASE } from "$lib/api-base";
 import api from "$lib/axios";
 
 import type { RequestHandler } from "./$types";
@@ -20,7 +21,7 @@ export const POST: RequestHandler = async ({ request }) => {
 
 	const tokenRes = await api
 		.post(
-			`https://api.btcmap.org/v4/users/${encodeURIComponent(username)}/tokens`,
+			`${API_BASE}/v4/users/${encodeURIComponent(username)}/tokens`,
 			{},
 			{ headers: { Authorization: `Bearer ${password}` } },
 		)
diff --git a/src/routes/api/session/saved-areas/+server.ts b/src/routes/api/session/saved-areas/+server.ts
index ba17023dd..f32577a6d 100644
--- a/src/routes/api/session/saved-areas/+server.ts
+++ b/src/routes/api/session/saved-areas/+server.ts
@@ -1,5 +1,6 @@
 import { error, json } from "@sveltejs/kit";
 
+import { API_BASE } from "$lib/api-base";
 import api from "$lib/axios";
 
 import type { RequestHandler } from "./$types";
@@ -13,7 +14,7 @@ export const GET: RequestHandler = async ({ request }) => {
 	}
 
 	const res = await api
-		.get("https://api.btcmap.org/v4/areas/saved", {
+		.get(`${API_BASE}/v4/areas/saved`, {
 			headers: { Authorization: token },
 		})
 		.catch((err) => {
@@ -39,7 +40,7 @@ export const PUT: RequestHandler = async ({ request }) => {
 	}
 
 	const res = await api
-		.put("https://api.btcmap.org/v4/areas/saved", ids, {
+		.put(`${API_BASE}/v4/areas/saved`, ids, {
 			headers: { Authorization: token },
 		})
 		.catch((err) => {
diff --git a/src/routes/api/session/saved-places/+server.ts b/src/routes/api/session/saved-places/+server.ts
index 9f5911ab0..f88084344 100644
--- a/src/routes/api/session/saved-places/+server.ts
+++ b/src/routes/api/session/saved-places/+server.ts
@@ -1,5 +1,6 @@
 import { error, json } from "@sveltejs/kit";
 
+import { API_BASE } from "$lib/api-base";
 import api from "$lib/axios";
 
 import type { RequestHandler } from "./$types";
@@ -13,7 +14,7 @@ export const GET: RequestHandler = async ({ request }) => {
 	}
 
 	const res = await api
-		.get("https://api.btcmap.org/v4/places/saved", {
+		.get(`${API_BASE}/v4/places/saved`, {
 			headers: { Authorization: token },
 		})
 		.catch((err) => {
@@ -42,7 +43,7 @@ export const PUT: RequestHandler = async ({ request }) => {
 	}
 
 	const res = await api
-		.put("https://api.btcmap.org/v4/places/saved", ids, {
+		.put(`${API_BASE}/v4/places/saved`, ids, {
 			headers: { Authorization: token },
 		})
 		.catch((err) => {
diff --git a/src/routes/api/session/signup/+server.ts b/src/routes/api/session/signup/+server.ts
index 11326a625..1b514b346 100644
--- a/src/routes/api/session/signup/+server.ts
+++ b/src/routes/api/session/signup/+server.ts
@@ -1,5 +1,6 @@
 import { error, json } from "@sveltejs/kit";
 
+import { API_BASE } from "$lib/api-base";
 import api from "$lib/axios";
 
 import type { RequestHandler } from "./$types";
@@ -19,7 +20,7 @@ export const POST: RequestHandler = async ({ request }) => {
 
 	// Step 1: Create user
 	const userRes = await api
-		.post("https://api.btcmap.org/v4/users", { password })
+		.post(`${API_BASE}/v4/users`, { password })
 		.catch((err) => {
 			console.error("Failed to create user:", err?.response?.data ?? err);
 			error(502, "Failed to create account");
@@ -33,7 +34,7 @@ export const POST: RequestHandler = async ({ request }) => {
 	// Step 2: Create token (password is sent as Bearer for this endpoint)
 	const tokenRes = await api
 		.post(
-			`https://api.btcmap.org/v4/users/${encodeURIComponent(username)}/tokens`,
+			`${API_BASE}/v4/users/${encodeURIComponent(username)}/tokens`,
 			{},
 			{ headers: { Authorization: `Bearer ${password}` } },
 		)

From dbd18e9b69ebd62ea4d20b4a5ef7be61af0adddf Mon Sep 17 00:00:00 2001
From: escapedcat <github@htmlcss.de>
Date: Sun, 10 May 2026 11:51:06 +0200
Subject: [PATCH 45/45] fix(nav): redirect to /login after logout #903
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Without an explicit navigation, clicking Logout from /user/saved
cleared the session in localStorage but kept the user on the same
page. The page only checks for a session in onMount, so it kept
rendering the post-login UI — and any subsequent saved-* fetch
fired without a token and surfaced as "Failed to load some saved
items".

After session.clear(), goto('/login') so the user lands on a
clean state and can sign back in if they want.
---
 src/components/layout/UserMenu.svelte | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/components/layout/UserMenu.svelte b/src/components/layout/UserMenu.svelte
index 3cd62347b..7578d29d4 100644
--- a/src/components/layout/UserMenu.svelte
+++ b/src/components/layout/UserMenu.svelte
@@ -6,7 +6,7 @@ import Icon from "$components/Icon.svelte";
 import { _ } from "$lib/i18n";
 import { session } from "$lib/session";
 
-import { afterNavigate } from "$app/navigation";
+import { afterNavigate, goto } from "$app/navigation";
 
 export let id = "user-menu";
 
@@ -76,6 +76,11 @@ afterNavigate(() => {
 						on:click={() => {
 							session.clear();
 							open = false;
+							// Authenticated pages (e.g. /user/saved) only check
+							// for a session in onMount, so without an explicit
+							// nav they keep showing the post-login UI in a
+							// broken state after the token is wiped.
+							goto("/login");
 						}}
 						class="flex w-full items-center gap-2 px-4 py-2 text-sm text-primary transition-colors hover:bg-gray-100 dark:text-white dark:hover:bg-white/10"
 					>