Merge branch 'dev'

* dev: (75 commits)
  Optionally enable Cross-Origin Resource Sharing via flag
  Move notices into dedicated section at the top of the page; show notice when device access revoked successfully
  Switch from godep to govendor; update dependencies
  Extract client version from X-Client-Version header and store with auth token
  Clean up web auth tokens immediately after they expire
  Show note with app download link if not devices are connected
  Allow query string in redirect parameter to auth request endpoint
  Confirm delete store within dashboard instead of using separate page
  Remove unused delete-store-success template
  Define csp directives as a template block so they can be customized for specific pages
  Remove activate auth token success page for api token; Log in and redirect to dashboard instead
  Various changes to improve extensibility
  Make message field of BadRequest exported so it can be used from other packages
  Use time.Ticker for StorageCleaner scheduling
  Implement static and root routes as Handler structs
  Rafactor way endpoints are registered
  Move handler, middleware functions out of server struct and into own file
  Clean out old auth requests every 24 hrs
  Add 'Created' field to Account
  Replace Storage::List method with Storage::Iterator method that returns an iterator instead of a string slice
  ...

Author: MaKleSoft

.gitignore

@@ -1 +1,2 @@
 padlock-cloud
+db

Godeps/Godeps.json

@@ -62,7 +62,7 @@ server:
   port: 5555
   tls_cert: cert.crt
   tls_key: cert.key
-  host: cloud.padlock.io
+  base_url: https://cloud.padlock.io
 leveldb:
   path: path/to/db
 email:
@@ -77,7 +77,7 @@ log:
 ```
 
 **NOTE**: If you are using a config file, all other flags and environment
-variables will be ingored.
+variables will be ignored.
 
 ## Security Considerations
 
@@ -90,7 +90,7 @@ through plain http. You should make sure that in this case the server does
 **not** listen on a public port and that any reverse proxies that handle
 outgoing connections are protected via TLS.
 
-### Link spoofing and the --host option
+### Link spoofing and the --base-url option
 
 Padlock Cloud frequently uses confirmation links for things like activating
 authentication tokens, confirmation for deleting an account etc. They usually
@@ -103,24 +103,23 @@ https://hostname:port/activate/?v=1&t=cdB6iEdL4o5PfhLey30Rrg
 
 These links are sent out to a users email address and serve as a form of
 authentication. Only users that actually have control over the email account
-accociated with their Padlock Cloud account may access the correponding data.
+associated with their Padlock Cloud account may access the corresponding data.
 
-Now the `hostname` and `port` portion of the url will obviously differ based on
+Now the `hostname` and `port` portion of the URL will obviously differ based on
 the environment. By default, the app will simply use the value provided by the
 `Host` header of the incoming request. But the `Host` header can easily be
 faked and unless the server is running behind a reverse proxy that sets the it
-to the correct value, this opens the app up to a vulnerabilty we call 'link
-spoofing'. Let's say an attacker sends an authentiation request to our server
+to the correct value, this opens the app up to a vulnerability we call 'link
+spoofing'. Let's say an attacker sends an authentication request to our server
 using a targets email address, but changes the `Host` header to a server that
 he controls. The email that is sent to the target will now contain a link that
 points to the attackers server instead of our own and once the user clicks the
 link the attacker is in possession of the activation token which can in turn be
 used to activate the authentication token he already has.  There is a simple
-solution for this: Explicitly provide a hostname and port to be used for link
-generation when starting up the server. The `runserver` command provides the
-`--host` flag for this. This is a string that contains the hostname and
-optionally a port, e.g. `example.com:3000` or simply `example.com`. it is
-recommended to use this option in production environments at all times!
+solution for this: Explicitly provide a base URL to be used for constructing
+links when starting up the server. The `runserver` command provides the
+`--base-url` flag for this. It is recommended to use this option in production
+environments at all times!
 
 ## Troubleshooting
 

Godeps/Readme

@@ -0,0 +1,184 @@
+body {
+    padding: 0;
+    margin: 0;
+    font-family: "Clear Sans", "Helvetica Neue", Helvetica, sans-serif;
+    font-size: 18px;
+    color: #333;
+    font-weight: 300;
+    -webkit-tap-highlight-color: transparent;
+}
+
+body, input, button {
+    -webkit-font-smoothing: antialiased;
+}
+
+input:not([type="checkbox"]), button {
+    -webkit-appearance: none;
+    -moz-appearance: none;
+    border-radius: 0;
+    font-size: inherit;
+    font-family: inherit;
+    padding: 10px 15px;
+    background: #fff;
+    border: solid 1px #ccc;
+    min-width: 0;
+}
+
+input[type="checkbox"] {
+    vertical-align: middle;
+    cursor: pointer;
+}
+
+button {
+    border: none;
+    background: #59c6ff;
+    color: #fff;
+    cursor: pointer;
+    white-space: nowrap;
+    overflow: hidden;
+    text-overflow: ellipsis;
+}
+
+button.light {
+    background: none;
+    color: #59c6ff;
+    padding: 0;
+    margin: 5px 0 0 2px;
+}
+
+*:focus {
+    outline: none;
+}
+
+h1 {
+    font-size: 250%;
+    font-weight: 100;
+    margin: 20px 0;
+}
+
+h2 {
+    font-size: 120%;
+    font-weight: 400;
+}
+
+h3 {
+    font-size: 110%;
+    font-weight: 400;
+}
+
+a {
+    color: #59c6ff;
+    text-decoration: none;
+    font-weight: 400;
+}
+
+button:hover, a:hover {
+    opacity: 0.7;
+}
+
+section {
+    padding: 0 40px;
+    margin: 40px 0;
+    clear: both;
+}
+
+footer {
+    display: block;
+    padding: 10px;
+    text-align: center;
+    font-size: 80%;
+    border-top: solid 1px #ccc;
+}
+
+footer .copyright {
+    color: #ccc;
+}
+
+footer a {
+    margin: 0 5px;
+}
+
+ul {
+    list-style: none;
+    margin: 0;
+    padding: 0;
+}
+
+th {
+    text-align: left;
+    vertical-align: top;
+    width: 150px;
+}
+
+svg.icon {
+    fill: currentColor;
+    stroke: currentColor;
+}
+
+header {
+    background: #ffffff;
+    position: fixed;
+    top: 0;
+    width: 100%;
+    z-index: 1;
+    padding: 0 10px;
+    box-sizing: border-box;
+    border-bottom: solid 1px #ccc;
+}
+
+header .inner {
+    height: 50px;
+    width: 100%;
+    margin: 0 auto;
+}
+
+header .inner, header .home, header nav, header nav ul {
+    display: flex;
+    align-items: center;
+}
+
+header nav ul li {
+    display: inline-block;
+    margin-left: 10px;
+}
+
+header .logo {
+    width: 35px;
+    height: 35px;
+    margin-right: 10px;
+    margin-left: 3px;
+}
+
+header .spacer {
+    flex: 1;
+}
+
+main {
+    margin: 80px auto;
+}
+
+header .inner, main {
+    max-width: 800px;
+}
+
+.account-email {
+    font-size: 90%;
+    font-weight: bold;
+}
+
+.note {
+    background: rgba(89, 198, 255, 0.1);
+    padding: 20px;
+    border: solid 1px #59c6ff;
+}
+
+@media (max-width: 500px) {
+    header .home .type {
+        display: none;
+    }
+
+    section {
+        padding-left: 20px;
+        padding-right: 20px;
+    }
+}