From 365b5753419238bb96bc3f9b744d380ff20cbafc Mon Sep 17 00:00:00 2001
From: tobi <31960611+tsmethurst@users.noreply.github.com>
Date: Mon, 7 Apr 2025 16:14:41 +0200
Subject: [feature] add TOTP two-factor authentication (2FA) (#3960)

* [feature] add TOTP two-factor authentication (2FA)

* use byteutil.S2B to avoid allocations when comparing + generating password hashes

* don't bother with string conversion  for consts

* use io.ReadFull

* use MustGenerateSecret for backup codes

* rename util functions
---
 web/source/settings/views/user/account/email.tsx   | 123 +++++++
 web/source/settings/views/user/account/index.tsx   |  75 +++++
 .../settings/views/user/account/password.tsx       | 103 ++++++
 .../settings/views/user/account/twofactor.tsx      | 308 +++++++++++++++++
 web/source/settings/views/user/emailpassword.tsx   | 264 ---------------
 web/source/settings/views/user/menu.tsx            |  10 +-
 web/source/settings/views/user/migration.tsx       | 213 ------------
 web/source/settings/views/user/migration/index.tsx | 213 ++++++++++++
 web/source/settings/views/user/profile.tsx         | 371 --------------------
 web/source/settings/views/user/profile/profile.tsx | 375 +++++++++++++++++++++
 web/source/settings/views/user/router.tsx          |  14 +-
 11 files changed, 1209 insertions(+), 860 deletions(-)
 create mode 100644 web/source/settings/views/user/account/email.tsx
 create mode 100644 web/source/settings/views/user/account/index.tsx
 create mode 100644 web/source/settings/views/user/account/password.tsx
 create mode 100644 web/source/settings/views/user/account/twofactor.tsx
 delete mode 100644 web/source/settings/views/user/emailpassword.tsx
 delete mode 100644 web/source/settings/views/user/migration.tsx
 create mode 100644 web/source/settings/views/user/migration/index.tsx
 delete mode 100644 web/source/settings/views/user/profile.tsx
 create mode 100644 web/source/settings/views/user/profile/profile.tsx

(limited to 'web/source/settings/views')

diff --git a/web/source/settings/views/user/account/email.tsx b/web/source/settings/views/user/account/email.tsx
new file mode 100644
index 000000000..16cdebf66
--- /dev/null
+++ b/web/source/settings/views/user/account/email.tsx
@@ -0,0 +1,123 @@
+/*
+	GoToSocial
+	Copyright (C) GoToSocial Authors admin@gotosocial.org
+	SPDX-License-Identifier: AGPL-3.0-or-later
+
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU Affero General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU Affero General Public License for more details.
+
+	You should have received a copy of the GNU Affero General Public License
+	along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+import React from "react";
+import { useTextInput } from "../../../lib/form";
+import useFormSubmit from "../../../lib/form/submit";
+import { TextInput } from "../../../components/form/inputs";
+import MutationButton from "../../../components/form/mutation-button";
+import { useEmailChangeMutation } from "../../../lib/query/user";
+import { User } from "../../../lib/types/user";
+
+export default function EmailChange({user, oidcEnabled}: { user: User, oidcEnabled?: boolean }) {
+	const form = {
+		currentEmail: useTextInput("current_email", {
+			defaultValue: user.email,
+			nosubmit: true
+		}),
+		newEmail: useTextInput("new_email", {
+			validator: (value: string | undefined) => {
+				if (!value) {
+					return "";
+				}
+
+				if (value.toLowerCase() === user.email?.toLowerCase()) {
+					return "cannot change to your existing address";
+				}
+
+				if (value.toLowerCase() === user.unconfirmed_email?.toLowerCase()) {
+					return "you already have a pending email address change to this address";
+				}
+
+				return "";
+			},
+		}),
+		password: useTextInput("password"),
+	};
+	const [submitForm, result] = useFormSubmit(form, useEmailChangeMutation());
+
+	return (
+		<form className="change-email" onSubmit={submitForm}>
+			<div className="form-section-docs">
+				<h3>Change Email</h3>
+				{ oidcEnabled && <p>
+					This instance is running with OIDC as its authorization + identity provider.
+					<br/>
+					You can still change your email address using this settings panel,
+					but it will only affect which address GoToSocial uses to contact you,
+					not the email address you use to log in.
+					<br/>
+					To change the email address you use to log in, contact your OIDC provider.
+				</p> }
+				<a
+					href="https://docs.gotosocial.org/en/latest/user_guide/settings/#email-change"
+					target="_blank"
+					className="docslink"
+					rel="noreferrer"
+				>
+					Learn more about this (opens in a new tab)
+				</a>
+			</div>
+
+			{ (user.unconfirmed_email && user.unconfirmed_email !== user.email) && <>
+				<div className="info">
+					<i className="fa fa-fw fa-info-circle" aria-hidden="true"></i>
+					<b>
+						You currently have a pending email address
+						change to the address: {user.unconfirmed_email}
+						<br />
+						To confirm {user.unconfirmed_email} as your new
+						address for this account, please check your email inbox.
+					</b>
+				</div>
+			</> }
+
+			<TextInput
+				type="email"
+				name="current-email"
+				field={form.currentEmail}
+				label="Current email address"
+				autoComplete="none"
+				disabled={true}
+			/>
+
+			<TextInput
+				type="password"
+				name="password"
+				field={form.password}
+				label="Current password"
+				autoComplete="current-password"
+			/>
+
+			<TextInput
+				type="email"
+				name="new-email"
+				field={form.newEmail}
+				label="New email address"
+				autoComplete="none"
+			/>
+			
+			<MutationButton
+				disabled={!form.password || !form.newEmail || !form.newEmail.valid}
+				label="Change email address"
+				result={result}
+			/>
+		</form>
+	);
+}
diff --git a/web/source/settings/views/user/account/index.tsx b/web/source/settings/views/user/account/index.tsx
new file mode 100644
index 000000000..707181f3d
--- /dev/null
+++ b/web/source/settings/views/user/account/index.tsx
@@ -0,0 +1,75 @@
+/*
+	GoToSocial
+	Copyright (C) GoToSocial Authors admin@gotosocial.org
+	SPDX-License-Identifier: AGPL-3.0-or-later
+
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU Affero General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU Affero General Public License for more details.
+
+	You should have received a copy of the GNU Affero General Public License
+	along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+import React from "react";
+import EmailChange from "./email";
+import PasswordChange from "./password";
+import TwoFactor from "./twofactor";
+import { useInstanceV1Query } from "../../../lib/query/gts-api";
+import Loading from "../../../components/loading";
+import { useUserQuery } from "../../../lib/query/user";
+
+export default function Account() {
+	// Load instance data.
+	const {
+		data: instance,
+		isFetching: isFetchingInstance,
+		isLoading: isLoadingInstance
+	} = useInstanceV1Query();
+	
+	// Load user data.
+	const {
+		data: user,
+		isFetching: isFetchingUser,
+		isLoading: isLoadingUser
+	} = useUserQuery();
+
+	if (
+		(isFetchingInstance || isLoadingInstance) ||
+		(isFetchingUser || isLoadingUser)
+	) {
+		return <Loading />;
+	}
+
+	if (user === undefined) {
+		throw "could not fetch user";
+	}
+
+	if (instance === undefined) {
+		throw "could not fetch instance";
+	}
+	
+	return (
+		<>
+			<h1>Account Settings</h1>
+			<EmailChange
+				oidcEnabled={instance.configuration.oidc_enabled}
+				user={user}
+			/>
+			<PasswordChange
+				oidcEnabled={instance.configuration.oidc_enabled}
+			/>
+			<TwoFactor
+				oidcEnabled={instance.configuration.oidc_enabled}
+				twoFactorEnabledAt={user.two_factor_enabled_at}
+			/>
+		</>
+	);
+}
+
diff --git a/web/source/settings/views/user/account/password.tsx b/web/source/settings/views/user/account/password.tsx
new file mode 100644
index 000000000..a2f0eeb3b
--- /dev/null
+++ b/web/source/settings/views/user/account/password.tsx
@@ -0,0 +1,103 @@
+/*
+	GoToSocial
+	Copyright (C) GoToSocial Authors admin@gotosocial.org
+	SPDX-License-Identifier: AGPL-3.0-or-later
+
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU Affero General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU Affero General Public License for more details.
+
+	You should have received a copy of the GNU Affero General Public License
+	along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+import React from "react";
+import { useTextInput } from "../../../lib/form";
+import useFormSubmit from "../../../lib/form/submit";
+import { TextInput } from "../../../components/form/inputs";
+import MutationButton from "../../../components/form/mutation-button";
+import { usePasswordChangeMutation } from "../../../lib/query/user";
+
+export default function PasswordChange({ oidcEnabled }: { oidcEnabled?: boolean }) {
+	const form = {
+		oldPassword: useTextInput("old_password"),
+		newPassword: useTextInput("new_password", {
+			validator(val) {
+				if (val != "" && val == form.oldPassword.value) {
+					return "New password same as old password";
+				}
+				return "";
+			}
+		})
+	};
+
+	const verifyNewPassword = useTextInput("verifyNewPassword", {
+		validator(val) {
+			if (val != "" && val != form.newPassword.value) {
+				return "Passwords do not match";
+			}
+			return "";
+		}
+	});
+
+	const [submitForm, result] = useFormSubmit(form, usePasswordChangeMutation());
+
+	return (
+		<form className="change-password" onSubmit={submitForm}>
+			<div className="form-section-docs">
+				<h3>Change Password</h3>
+				{ oidcEnabled && <p>
+					This instance is running with OIDC as its authorization + identity provider.
+					<br/>
+					This means <strong>you cannot change your password using this settings panel</strong>.
+					<br/>
+					To change your password, you should instead contact your OIDC provider.
+				</p> }
+				<a
+					href="https://docs.gotosocial.org/en/latest/user_guide/settings/#password-change"
+					target="_blank"
+					className="docslink"
+					rel="noreferrer"
+				>
+					Learn more about this (opens in a new tab)
+				</a>
+			</div>
+			
+			<TextInput
+				type="password"
+				name="password"
+				field={form.oldPassword}
+				label="Current password"
+				autoComplete="current-password"
+				disabled={oidcEnabled}
+			/>
+			<TextInput
+				type="password"
+				name="newPassword"
+				field={form.newPassword}
+				label="New password"
+				autoComplete="new-password"
+				disabled={oidcEnabled}
+			/>
+			<TextInput
+				type="password"
+				name="confirmNewPassword"
+				field={verifyNewPassword}
+				label="Confirm new password"
+				autoComplete="new-password"
+				disabled={oidcEnabled}
+			/>
+			<MutationButton
+				label="Change password"
+				result={result}
+				disabled={oidcEnabled ?? false}
+			/>
+		</form>
+	);
+}
diff --git a/web/source/settings/views/user/account/twofactor.tsx b/web/source/settings/views/user/account/twofactor.tsx
new file mode 100644
index 000000000..217de6c04
--- /dev/null
+++ b/web/source/settings/views/user/account/twofactor.tsx
@@ -0,0 +1,308 @@
+/*
+	GoToSocial
+	Copyright (C) GoToSocial Authors admin@gotosocial.org
+	SPDX-License-Identifier: AGPL-3.0-or-later
+
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU Affero General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU Affero General Public License for more details.
+
+	You should have received a copy of the GNU Affero General Public License
+	along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+import React, { ReactNode, useEffect, useMemo, useState } from "react";
+import { TextInput } from "../../../components/form/inputs";
+import MutationButton from "../../../components/form/mutation-button";
+import useFormSubmit from "../../../lib/form/submit";
+import {
+	useTwoFactorQRCodeURIMutation,
+	useTwoFactorDisableMutation,
+	useTwoFactorEnableMutation,
+	useTwoFactorQRCodePngMutation,
+} from "../../../lib/query/user/twofactor";
+import { useTextInput } from "../../../lib/form";
+import Loading from "../../../components/loading";
+import { Error } from "../../../components/error";
+import { HighlightedCode } from "../../../components/highlightedcode";
+import { useDispatch } from "react-redux";
+import { gtsApi } from "../../../lib/query/gts-api";
+
+interface TwoFactorProps {
+	twoFactorEnabledAt?: string,
+	oidcEnabled?: boolean,
+}
+
+export default function TwoFactor({ twoFactorEnabledAt, oidcEnabled }: TwoFactorProps) {
+	switch (true) {
+		case oidcEnabled:
+			// Can't enable if OIDC is in place.
+			return <CannotEnable />;
+		case twoFactorEnabledAt !== undefined:
+			// Already enabled. Show the disable form.
+			return <DisableForm twoFactorEnabledAt={twoFactorEnabledAt as string} />;	
+		default:
+			// Not enabled. Show the enable form.
+			return <EnableForm />;
+	}
+}
+
+function CannotEnable() {
+	return (
+		<form>
+			<TwoFactorHeader
+				blurb={
+					<p>
+						OIDC is enabled for your instance. To enable 2FA, you must use your
+						instance's OIDC provider instead. Poke your admin for more information.
+					</p>
+				}
+			/>
+		</form>
+	);
+}
+
+function EnableForm() {
+	const form = { code: useTextInput("code") };
+	const [ recoveryCodes, setRecoveryCodes ] = useState<string>();
+	const dispatch = useDispatch();
+
+	// Prepare trigger to submit the code and enable 2FA.
+	// If the enable call is a success, set the recovery
+	// codes state to a nice newline-separated text.
+	const [submitForm, result] = useFormSubmit(form, useTwoFactorEnableMutation(), {
+		changedOnly: true,
+		onFinish: (res) => {
+			const codes = res.data as string[];
+			if (!codes) {
+				return;
+			}
+			setRecoveryCodes(codes.join("\n"));
+		},
+	});
+
+	// When the component is unmounted, clear the user
+	// cache if 2FA was just enabled. This will prevent
+	// the recovery codes from being shown again.
+	useEffect(() => {
+		return () => {
+			if (recoveryCodes) {
+				dispatch(gtsApi.util.invalidateTags(["User"]));
+			}
+		};
+	}, [recoveryCodes, dispatch]);
+
+	return (
+		<form className="2fa-enable-form" onSubmit={submitForm}>
+			<TwoFactorHeader
+				blurb={
+					<p>
+						You can use this form to enable 2FA for your account.
+						<br/>
+						In your authenticator app, either scan the QR code, or copy
+						the 2FA secret manually, and then enter a 2FA code to verify.
+					</p>
+				}
+			/>
+			{/*
+				If the enable call was successful then recovery
+				codes will now be set. Display these to the user.
+
+				If the call hasn't been made yet, show the
+				form to enable 2FA as normal.
+			*/}
+			{ recoveryCodes
+				? <>
+					<p>
+						<b>Two-factor authentication is now enabled for your account!</b>
+						<br/>From now on, you will need to provide a code from your authenticator app whenever you want to sign in.
+						<br/>If you lose access to your authenticator app, you may also sign in by providing one of the below one-time recovery codes instead of a 2FA code.
+						<br/>Once you have used a recovery code once, you will not be able to use it again!
+						<br/><strong>You will not be shown these codes again, so copy them now into a safe place! Treat them like passwords!</strong>
+					</p>
+					<details>
+						<summary>Show / hide codes</summary>
+						<HighlightedCode
+							code={recoveryCodes}
+							lang="text"
+						/>
+					</details>
+				</> 
+				: <>
+					<CodePng />
+					<Secret />
+					<TextInput
+						name="code"
+						field={form.code}
+						label="2FA code from your authenticator app (6 numbers)"
+						autoComplete="off"
+						disabled={false}
+						maxLength={6}
+						minLength={6}
+						pattern="^\d{6}$"
+						readOnly={false}
+					/>
+					<MutationButton
+						label="Enable 2FA"
+						result={result}
+						disabled={false}
+					/>
+				</>
+			}
+		</form>
+	);
+}
+
+// Load and show QR code png only when
+// the "Show QR Code" button is clicked.
+function CodePng() {
+	const [
+		getPng, {
+			isUninitialized,
+			isLoading,
+			isSuccess,
+			data,
+			error,
+			reset,
+		}
+	] = useTwoFactorQRCodePngMutation();
+	
+	const [ content, setContent ] = useState<ReactNode>();
+	useEffect(() => {
+		if (isLoading) {
+			setContent(<Loading />);
+		} else if (isSuccess && data) {
+			setContent(<img src={data} height="256" width="256" />);
+		} else {
+			setContent(<Error error={error} />);
+		}
+	}, [isLoading, isSuccess, data, error]);
+	
+	return (
+		<>
+			{ isUninitialized
+				? <button
+					disabled={false}
+					onClick={(e) => {
+						e.preventDefault();
+						getPng();
+					}}
+				>Show QR Code</button>
+				: <button
+					disabled={false}
+					onClick={(e) => {
+						e.preventDefault();
+						reset();
+						setContent(null);
+					}}
+				>Hide QR Code</button>
+			}
+			{ content }
+		</>
+	);
+}
+
+// Get 2fa secret from server and
+// load it into clipboard on click.
+function Secret() {
+	const [
+		getURI,
+		{
+			isUninitialized,
+			isSuccess,
+			data,
+			error,
+			reset,
+		},
+	] = useTwoFactorQRCodeURIMutation();
+	
+	const [ buttonContents, setButtonContents ] = useState<ReactNode>();
+	useEffect(() => {
+		if (isUninitialized) {
+			setButtonContents("Copy 2FA secret to clipboard");
+		} else if (isSuccess && data) {
+			const url = new URL(data);
+			const secret = url.searchParams.get("secret");
+			if (!secret) {
+				throw "null secret";
+			}
+			navigator.clipboard.writeText(secret);
+			setButtonContents("Copied!");
+			setTimeout(() => { reset(); }, 3000);
+		} else {
+			setButtonContents(<Error error={error} />);
+		}
+	}, [isUninitialized, isSuccess, data, reset, error]);
+	
+	return (
+		<button
+			disabled={false}
+			onClick={(e) => {
+				e.preventDefault();
+				getURI();
+			}}
+		>{buttonContents}</button>
+	);
+}
+
+function DisableForm({ twoFactorEnabledAt }: { twoFactorEnabledAt: string }) {
+	const enabledAt = useMemo(() => {
+		const enabledAt = new Date(twoFactorEnabledAt);
+		return <time dateTime={twoFactorEnabledAt}>{enabledAt.toDateString()}</time>;
+	}, [twoFactorEnabledAt]);
+	
+	const form = {
+		password: useTextInput("password"),
+	};
+
+	const [submitForm, result] = useFormSubmit(form, useTwoFactorDisableMutation());
+	return (
+		<form className="2fa-disable-form" onSubmit={submitForm}>
+			<TwoFactorHeader
+				blurb={
+					<p>
+						Two-factor auth is enabled for your account, since <b>{enabledAt}</b>.
+						<br/>To disable 2FA, supply your password for verification and click "Disable 2FA".
+					</p>
+				}
+			/>
+			<TextInput
+				type="password"
+				name="password"
+				field={form.password}
+				label="Current password"
+				autoComplete="current-password"
+				disabled={false}
+			/>
+			<MutationButton
+				label="Disable 2FA"
+				result={result}
+				disabled={false}
+				className="danger"
+			/>
+		</form>
+	);
+}
+
+function TwoFactorHeader({ blurb }: { blurb: ReactNode }) {
+	return (
+		<div className="form-section-docs">
+			<h3>Two-Factor Authentication</h3>
+			{blurb}
+			<a
+				href="https://docs.gotosocial.org/en/latest/user_guide/settings/#two-factor"
+				target="_blank"
+				className="docslink"
+				rel="noreferrer"
+			>
+				Learn more about this (opens in a new tab)
+			</a>
+		</div>
+	);
+}
diff --git a/web/source/settings/views/user/emailpassword.tsx b/web/source/settings/views/user/emailpassword.tsx
deleted file mode 100644
index 32df0e39d..000000000
--- a/web/source/settings/views/user/emailpassword.tsx
+++ /dev/null
@@ -1,264 +0,0 @@
-/*
-	GoToSocial
-	Copyright (C) GoToSocial Authors admin@gotosocial.org
-	SPDX-License-Identifier: AGPL-3.0-or-later
-
-	This program is free software: you can redistribute it and/or modify
-	it under the terms of the GNU Affero General Public License as published by
-	the Free Software Foundation, either version 3 of the License, or
-	(at your option) any later version.
-
-	This program is distributed in the hope that it will be useful,
-	but WITHOUT ANY WARRANTY; without even the implied warranty of
-	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-	GNU Affero General Public License for more details.
-
-	You should have received a copy of the GNU Affero General Public License
-	along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-import React from "react";
-import { useTextInput } from "../../lib/form";
-import useFormSubmit from "../../lib/form/submit";
-import { TextInput } from "../../components/form/inputs";
-import MutationButton from "../../components/form/mutation-button";
-import { useEmailChangeMutation, usePasswordChangeMutation, useUserQuery } from "../../lib/query/user";
-import Loading from "../../components/loading";
-import { User } from "../../lib/types/user";
-import { useInstanceV1Query } from "../../lib/query/gts-api";
-
-export default function EmailPassword() {
-	return (
-		<>
-			<h1>Email & Password Settings</h1>
-			<EmailChange />
-			<PasswordChange />
-		</>
-	);
-}
-
-function PasswordChange() {
-	// Load instance data.
-	const {
-		data: instance,
-		isFetching: isFetchingInstance,
-		isLoading: isLoadingInstance
-	} = useInstanceV1Query();
-	if (isFetchingInstance || isLoadingInstance) {
-		return <Loading />;
-	}
-
-	if (instance === undefined) {
-		throw "could not fetch instance";
-	}
-
-	return <PasswordChangeForm oidcEnabled={instance.configuration.oidc_enabled} />;
-}
-
-function PasswordChangeForm({ oidcEnabled }: { oidcEnabled?: boolean }) {
-	const form = {
-		oldPassword: useTextInput("old_password"),
-		newPassword: useTextInput("new_password", {
-			validator(val) {
-				if (val != "" && val == form.oldPassword.value) {
-					return "New password same as old password";
-				}
-				return "";
-			}
-		})
-	};
-
-	const verifyNewPassword = useTextInput("verifyNewPassword", {
-		validator(val) {
-			if (val != "" && val != form.newPassword.value) {
-				return "Passwords do not match";
-			}
-			return "";
-		}
-	});
-
-	const [submitForm, result] = useFormSubmit(form, usePasswordChangeMutation());
-
-	return (
-		<form className="change-password" onSubmit={submitForm}>
-			<div className="form-section-docs">
-				<h3>Change Password</h3>
-				{ oidcEnabled && <p>
-					This instance is running with OIDC as its authorization + identity provider.
-					<br/>
-					This means <strong>you cannot change your password using this settings panel</strong>.
-					<br/>
-					To change your password, you should instead contact your OIDC provider.
-				</p> }
-				<a
-					href="https://docs.gotosocial.org/en/latest/user_guide/settings/#password-change"
-					target="_blank"
-					className="docslink"
-					rel="noreferrer"
-				>
-					Learn more about this (opens in a new tab)
-				</a>
-			</div>
-			
-			<TextInput
-				type="password"
-				name="password"
-				field={form.oldPassword}
-				label="Current password"
-				autoComplete="current-password"
-				disabled={oidcEnabled}
-			/>
-			<TextInput
-				type="password"
-				name="newPassword"
-				field={form.newPassword}
-				label="New password"
-				autoComplete="new-password"
-				disabled={oidcEnabled}
-			/>
-			<TextInput
-				type="password"
-				name="confirmNewPassword"
-				field={verifyNewPassword}
-				label="Confirm new password"
-				autoComplete="new-password"
-				disabled={oidcEnabled}
-			/>
-			<MutationButton
-				label="Change password"
-				result={result}
-				disabled={oidcEnabled ?? false}
-			/>
-		</form>
-	);
-}
-
-function EmailChange() {
-	// Load instance data.
-	const {
-		data: instance,
-		isFetching: isFetchingInstance,
-		isLoading: isLoadingInstance
-	} = useInstanceV1Query();
-	
-	// Load user data.
-	const {
-		data: user,
-		isFetching: isFetchingUser,
-		isLoading: isLoadingUser
-	} = useUserQuery();
-
-	if (
-		(isFetchingInstance || isLoadingInstance) ||
-		(isFetchingUser || isLoadingUser)
-	) {
-		return <Loading />;
-	}
-
-	if (user === undefined) {
-		throw "could not fetch user";
-	}
-
-	if (instance === undefined) {
-		throw "could not fetch instance";
-	}
-
-	return <EmailChangeForm user={user} oidcEnabled={instance.configuration.oidc_enabled} />;
-}
-
-function EmailChangeForm({user, oidcEnabled}: { user: User, oidcEnabled?: boolean }) {
-	const form = {
-		currentEmail: useTextInput("current_email", {
-			defaultValue: user.email,
-			nosubmit: true
-		}),
-		newEmail: useTextInput("new_email", {
-			validator: (value: string | undefined) => {
-				if (!value) {
-					return "";
-				}
-
-				if (value.toLowerCase() === user.email?.toLowerCase()) {
-					return "cannot change to your existing address";
-				}
-
-				if (value.toLowerCase() === user.unconfirmed_email?.toLowerCase()) {
-					return "you already have a pending email address change to this address";
-				}
-
-				return "";
-			},
-		}),
-		password: useTextInput("password"),
-	};
-	const [submitForm, result] = useFormSubmit(form, useEmailChangeMutation());
-
-	return (
-		<form className="change-email" onSubmit={submitForm}>
-			<div className="form-section-docs">
-				<h3>Change Email</h3>
-				{ oidcEnabled && <p>
-					This instance is running with OIDC as its authorization + identity provider.
-					<br/>
-					You can still change your email address using this settings panel,
-					but it will only affect which address GoToSocial uses to contact you,
-					not the email address you use to log in.
-					<br/>
-					To change the email address you use to log in, contact your OIDC provider.
-				</p> }
-				<a
-					href="https://docs.gotosocial.org/en/latest/user_guide/settings/#email-change"
-					target="_blank"
-					className="docslink"
-					rel="noreferrer"
-				>
-					Learn more about this (opens in a new tab)
-				</a>
-			</div>
-
-			{ (user.unconfirmed_email && user.unconfirmed_email !== user.email) && <>
-				<div className="info">
-					<i className="fa fa-fw fa-info-circle" aria-hidden="true"></i>
-					<b>
-						You currently have a pending email address
-						change to the address: {user.unconfirmed_email}
-						<br />
-						To confirm {user.unconfirmed_email} as your new
-						address for this account, please check your email inbox.
-					</b>
-				</div>
-			</> }
-
-			<TextInput
-				type="email"
-				name="current-email"
-				field={form.currentEmail}
-				label="Current email address"
-				autoComplete="none"
-				disabled={true}
-			/>
-
-			<TextInput
-				type="password"
-				name="password"
-				field={form.password}
-				label="Current password"
-				autoComplete="current-password"
-			/>
-
-			<TextInput
-				type="email"
-				name="new-email"
-				field={form.newEmail}
-				label="New email address"
-				autoComplete="none"
-			/>
-			
-			<MutationButton
-				disabled={!form.password || !form.newEmail || !form.newEmail.valid}
-				label="Change email address"
-				result={result}
-			/>
-		</form>
-	);
-}
\ No newline at end of file
diff --git a/web/source/settings/views/user/menu.tsx b/web/source/settings/views/user/menu.tsx
index bf4c2a7ac..4127aa8f0 100644
--- a/web/source/settings/views/user/menu.tsx
+++ b/web/source/settings/views/user/menu.tsx
@@ -38,6 +38,11 @@ export default function UserMenu() {
 				itemUrl="profile"
 				icon="fa-user"
 			/>
+			<MenuItem
+				name="Account"
+				itemUrl="account"
+				icon="fa-user-secret"
+			/>
 			<MenuItem
 				name="Posts"
 				itemUrl="posts"
@@ -48,11 +53,6 @@ export default function UserMenu() {
 				itemUrl="interaction_requests"
 				icon="fa-commenting-o"
 			/>
-			<MenuItem
-				name="Email & Password"
-				itemUrl="emailpassword"
-				icon="fa-user-secret"
-			/>
 			<MenuItem
 				name="Migration"
 				itemUrl="migration"
diff --git a/web/source/settings/views/user/migration.tsx b/web/source/settings/views/user/migration.tsx
deleted file mode 100644
index cf71ecfb0..000000000
--- a/web/source/settings/views/user/migration.tsx
+++ /dev/null
@@ -1,213 +0,0 @@
-/*
-	GoToSocial
-	Copyright (C) GoToSocial Authors admin@gotosocial.org
-	SPDX-License-Identifier: AGPL-3.0-or-later
-
-	This program is free software: you can redistribute it and/or modify
-	it under the terms of the GNU Affero General Public License as published by
-	the Free Software Foundation, either version 3 of the License, or
-	(at your option) any later version.
-
-	This program is distributed in the hope that it will be useful,
-	but WITHOUT ANY WARRANTY; without even the implied warranty of
-	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-	GNU Affero General Public License for more details.
-
-	You should have received a copy of the GNU Affero General Public License
-	along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-import React from "react";
-
-import FormWithData from "../../lib/form/form-with-data";
-
-import { useVerifyCredentialsQuery } from "../../lib/query/login";
-import { useArrayInput, useTextInput } from "../../lib/form";
-import { TextInput } from "../../components/form/inputs";
-import useFormSubmit from "../../lib/form/submit";
-import MutationButton from "../../components/form/mutation-button";
-import { useAliasAccountMutation, useMoveAccountMutation } from "../../lib/query/user";
-import { FormContext, useWithFormContext } from "../../lib/form/context";
-import { store } from "../../redux/store";
-
-export default function UserMigration() {
-	return (
-		<FormWithData
-			dataQuery={useVerifyCredentialsQuery}
-			DataForm={UserMigrationForm}
-		/>
-	);
-}
-
-function UserMigrationForm({ data: profile }) {
-	return (
-		<>
-			<h2>Account Migration Settings</h2>
-			<p>
-				The following settings allow you to <strong>alias</strong> your account to
-				another account elsewhere, or to <strong>move</strong> to another account.
-			</p>
-			<p>
-				Account <strong>aliasing</strong> is harmless and reversible; you can
-				set and unset up to five account aliases as many times as you wish.
-			</p>
-			<p>
-				The account <strong>move</strong> action, on the other
-				hand, has serious and irreversible consequences.
-			</p>
-			<p>
-				For more information on account migration, please see <a href="https://docs.gotosocial.org/en/latest/user_guide/settings/#migration" target="_blank" className="docslink" rel="noreferrer">the documentation</a>.
-			</p>
-			<AliasForm data={profile} />
-			<MoveForm data={profile} />
-		</>
-	);
-}
-
-function AliasForm({ data: profile }) {
-	const form = {
-		alsoKnownAs: useArrayInput("also_known_as_uris", {
-			source: profile,
-			valueSelector: (p) => (
-				p.source?.also_known_as_uris
-					? p.source?.also_known_as_uris.map(entry => [entry])
-					: []
-			),
-			length: 5,
-		}),
-	};
-
-	const [submitForm, result] = useFormSubmit(form, useAliasAccountMutation());
-	
-	return (
-		<form className="user-migration-alias" onSubmit={submitForm}>
-			<div className="form-section-docs">
-				<h3>Alias Account</h3>
-				<a
-					href="https://docs.gotosocial.org/en/latest/user_guide/migration"
-					target="_blank"
-					className="docslink"
-					rel="noreferrer"
-				>
-					Learn more about account migration (opens in a new tab)
-				</a>
-			</div>
-			<AlsoKnownAsURIs
-				field={form.alsoKnownAs}
-			/>
-			<MutationButton
-				disabled={false}
-				label="Save account aliases"
-				result={result}
-			/>
-		</form>
-	);
-}
-
-function AlsoKnownAsURIs({ field: formField }) {	
-	return (
-		<div className="aliases">
-			<FormContext.Provider value={formField.ctx}>
-				{formField.value.map((data, i) => (
-					<AlsoKnownAsURI
-						key={i}
-						index={i}
-						data={data}
-					/>
-				))}
-			</FormContext.Provider>
-		</div>
-	);
-}
-
-function AlsoKnownAsURI({ index, data }) {	
-	const name = `${index}`;
-	const form = useWithFormContext(index, {
-		alsoKnownAsURI: useTextInput(
-			name,
-			// Only one field per entry.
-			{ defaultValue: data[0] ?? "" },
-		),
-	}); 
-
-	return (
-		<TextInput
-			label={`Alias #${index+1}`}
-			field={form.alsoKnownAsURI}
-			placeholder={`https://example.org/users/my_other_account_${index+1}`}
-			type="url"
-			pattern="(http|https):\/\/.+"
-		/>
-	);
-}
-
-function MoveForm({ data: profile }) {
-	let urlStr = store.getState().login.instanceUrl ?? "";
-	let url = new URL(urlStr);
-	
-	const form = {
-		movedToURI: useTextInput("moved_to_uri", {
-			source: profile,
-			valueSelector: (p) => p.moved?.url },
-		),
-		password: useTextInput("password"),
-	};
-
-	const [submitForm, result] = useFormSubmit(form, useMoveAccountMutation(), {
-		changedOnly: false,
-	});
-	
-	return (
-		<form className="user-migration-move" onSubmit={submitForm}>
-			<div className="form-section-docs">
-				<h3>Move Account</h3>
-				<p>
-						For a move to be successful, you must have already set an alias from the
-						target account back to the account you're moving from (ie., this account),
-						using the settings panel of the instance on which the target account resides.
-						To do this, provide the following details to the other instance: 
-				</p>
-				<dl className="migration-details">
-					<div>
-						<dt>Account handle/username:</dt>
-						<dd>@{profile.acct}@{url.host}</dd>
-					</div>
-					<div>
-						<dt>Account URI:</dt>
-						<dd>{urlStr}/users/{profile.username}</dd>
-					</div>
-				</dl>
-				<br/>
-				<a
-					href="https://docs.gotosocial.org/en/latest/user_guide/migration"
-					target="_blank"
-					className="docslink"
-					rel="noreferrer"
-				>
-					Learn more about account migration (opens in a new tab)
-				</a>
-			</div>
-			<TextInput
-				disabled={false}
-				field={form.movedToURI}
-				label="Move target URI"
-				placeholder="https://example.org/users/my_new_account"
-				type="url"
-				pattern="(http|https):\/\/.+"
-			/>
-			<TextInput
-				disabled={false}
-				type="password"
-				autoComplete="current-password"
-				name="password"
-				field={form.password}
-				label="Current account password"
-			/>
-			<MutationButton
-				disabled={false}
-				label="Confirm account move"
-				result={result}
-			/>
-		</form>
-	);
-}
diff --git a/web/source/settings/views/user/migration/index.tsx b/web/source/settings/views/user/migration/index.tsx
new file mode 100644
index 000000000..d2bbbdf12
--- /dev/null
+++ b/web/source/settings/views/user/migration/index.tsx
@@ -0,0 +1,213 @@
+/*
+	GoToSocial
+	Copyright (C) GoToSocial Authors admin@gotosocial.org
+	SPDX-License-Identifier: AGPL-3.0-or-later
+
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU Affero General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU Affero General Public License for more details.
+
+	You should have received a copy of the GNU Affero General Public License
+	along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+import React from "react";
+
+import FormWithData from "../../../lib/form/form-with-data";
+
+import { useVerifyCredentialsQuery } from "../../../lib/query/login";
+import { useArrayInput, useTextInput } from "../../../lib/form";
+import { TextInput } from "../../../components/form/inputs";
+import useFormSubmit from "../../../lib/form/submit";
+import MutationButton from "../../../components/form/mutation-button";
+import { useAliasAccountMutation, useMoveAccountMutation } from "../../../lib/query/user";
+import { FormContext, useWithFormContext } from "../../../lib/form/context";
+import { store } from "../../../redux/store";
+
+export default function Migration() {
+	return (
+		<FormWithData
+			dataQuery={useVerifyCredentialsQuery}
+			DataForm={MigrationForm}
+		/>
+	);
+}
+
+function MigrationForm({ data: profile }) {
+	return (
+		<>
+			<h2>Account Migration Settings</h2>
+			<p>
+				The following settings allow you to <strong>alias</strong> your account to
+				another account elsewhere, or to <strong>move</strong> to another account.
+			</p>
+			<p>
+				Account <strong>aliasing</strong> is harmless and reversible; you can
+				set and unset up to five account aliases as many times as you wish.
+			</p>
+			<p>
+				The account <strong>move</strong> action, on the other
+				hand, has serious and irreversible consequences.
+			</p>
+			<p>
+				For more information on account migration, please see <a href="https://docs.gotosocial.org/en/latest/user_guide/settings/#migration" target="_blank" className="docslink" rel="noreferrer">the documentation</a>.
+			</p>
+			<AliasForm data={profile} />
+			<MoveForm data={profile} />
+		</>
+	);
+}
+
+function AliasForm({ data: profile }) {
+	const form = {
+		alsoKnownAs: useArrayInput("also_known_as_uris", {
+			source: profile,
+			valueSelector: (p) => (
+				p.source?.also_known_as_uris
+					? p.source?.also_known_as_uris.map(entry => [entry])
+					: []
+			),
+			length: 5,
+		}),
+	};
+
+	const [submitForm, result] = useFormSubmit(form, useAliasAccountMutation());
+	
+	return (
+		<form className="user-migration-alias" onSubmit={submitForm}>
+			<div className="form-section-docs">
+				<h3>Alias Account</h3>
+				<a
+					href="https://docs.gotosocial.org/en/latest/user_guide/migration"
+					target="_blank"
+					className="docslink"
+					rel="noreferrer"
+				>
+					Learn more about account migration (opens in a new tab)
+				</a>
+			</div>
+			<AlsoKnownAsURIs
+				field={form.alsoKnownAs}
+			/>
+			<MutationButton
+				disabled={false}
+				label="Save account aliases"
+				result={result}
+			/>
+		</form>
+	);
+}
+
+function AlsoKnownAsURIs({ field: formField }) {	
+	return (
+		<div className="aliases">
+			<FormContext.Provider value={formField.ctx}>
+				{formField.value.map((data, i) => (
+					<AlsoKnownAsURI
+						key={i}
+						index={i}
+						data={data}
+					/>
+				))}
+			</FormContext.Provider>
+		</div>
+	);
+}
+
+function AlsoKnownAsURI({ index, data }) {	
+	const name = `${index}`;
+	const form = useWithFormContext(index, {
+		alsoKnownAsURI: useTextInput(
+			name,
+			// Only one field per entry.
+			{ defaultValue: data[0] ?? "" },
+		),
+	}); 
+
+	return (
+		<TextInput
+			label={`Alias #${index+1}`}
+			field={form.alsoKnownAsURI}
+			placeholder={`https://example.org/users/my_other_account_${index+1}`}
+			type="url"
+			pattern="(http|https):\/\/.+"
+		/>
+	);
+}
+
+function MoveForm({ data: profile }) {
+	let urlStr = store.getState().login.instanceUrl ?? "";
+	let url = new URL(urlStr);
+	
+	const form = {
+		movedToURI: useTextInput("moved_to_uri", {
+			source: profile,
+			valueSelector: (p) => p.moved?.url },
+		),
+		password: useTextInput("password"),
+	};
+
+	const [submitForm, result] = useFormSubmit(form, useMoveAccountMutation(), {
+		changedOnly: false,
+	});
+	
+	return (
+		<form className="user-migration-move" onSubmit={submitForm}>
+			<div className="form-section-docs">
+				<h3>Move Account</h3>
+				<p>
+						For a move to be successful, you must have already set an alias from the
+						target account back to the account you're moving from (ie., this account),
+						using the settings panel of the instance on which the target account resides.
+						To do this, provide the following details to the other instance: 
+				</p>
+				<dl className="migration-details">
+					<div>
+						<dt>Account handle/username:</dt>
+						<dd>@{profile.acct}@{url.host}</dd>
+					</div>
+					<div>
+						<dt>Account URI:</dt>
+						<dd>{urlStr}/users/{profile.username}</dd>
+					</div>
+				</dl>
+				<br/>
+				<a
+					href="https://docs.gotosocial.org/en/latest/user_guide/migration"
+					target="_blank"
+					className="docslink"
+					rel="noreferrer"
+				>
+					Learn more about account migration (opens in a new tab)
+				</a>
+			</div>
+			<TextInput
+				disabled={false}
+				field={form.movedToURI}
+				label="Move target URI"
+				placeholder="https://example.org/users/my_new_account"
+				type="url"
+				pattern="(http|https):\/\/.+"
+			/>
+			<TextInput
+				disabled={false}
+				type="password"
+				autoComplete="current-password"
+				name="password"
+				field={form.password}
+				label="Current account password"
+			/>
+			<MutationButton
+				disabled={false}
+				label="Confirm account move"
+				result={result}
+			/>
+		</form>
+	);
+}
diff --git a/web/source/settings/views/user/profile.tsx b/web/source/settings/views/user/profile.tsx
deleted file mode 100644
index d6fcbf56d..000000000
--- a/web/source/settings/views/user/profile.tsx
+++ /dev/null
@@ -1,371 +0,0 @@
-/*
-	GoToSocial
-	Copyright (C) GoToSocial Authors admin@gotosocial.org
-	SPDX-License-Identifier: AGPL-3.0-or-later
-
-	This program is free software: you can redistribute it and/or modify
-	it under the terms of the GNU Affero General Public License as published by
-	the Free Software Foundation, either version 3 of the License, or
-	(at your option) any later version.
-
-	This program is distributed in the hope that it will be useful,
-	but WITHOUT ANY WARRANTY; without even the implied warranty of
-	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-	GNU Affero General Public License for more details.
-
-	You should have received a copy of the GNU Affero General Public License
-	along with this program.  If not, see <http://www.gnu.org/licenses/>.
-*/
-
-import React, { useMemo, useState } from "react";
-
-import {
-	useTextInput,
-	useFileInput,
-	useBoolInput,
-	useFieldArrayInput,
-} from "../../lib/form";
-
-import useFormSubmit from "../../lib/form/submit";
-import { useWithFormContext, FormContext } from "../../lib/form/context";
-
-import {
-	TextInput,
-	TextArea,
-	FileInput,
-	Checkbox,
-	Select
-} from "../../components/form/inputs";
-
-import FormWithData from "../../lib/form/form-with-data";
-import FakeProfile from "../../components/profile";
-import MutationButton from "../../components/form/mutation-button";
-
-import { useAccountThemesQuery, useDeleteAvatarMutation, useDeleteHeaderMutation } from "../../lib/query/user";
-import { useUpdateCredentialsMutation } from "../../lib/query/user";
-import { useVerifyCredentialsQuery } from "../../lib/query/login";
-import { useInstanceV1Query } from "../../lib/query/gts-api";
-import { Account } from "../../lib/types/account";
-
-export default function UserProfile() {
-	return (
-		<FormWithData
-			dataQuery={useVerifyCredentialsQuery}
-			DataForm={UserProfileForm}
-		/>
-	);
-}
-
-interface UserProfileFormProps {
-	data: Account;
-}
-
-function UserProfileForm({ data: profile }: UserProfileFormProps) {
-	const { data: instance } = useInstanceV1Query();
-	const instanceConfig = React.useMemo(() => {
-		return {
-			allowCustomCSS: instance?.configuration?.accounts?.allow_custom_css === true,
-			maxPinnedFields: instance?.configuration?.accounts?.max_profile_fields ?? 6
-		};
-	}, [instance]);
-	
-	// Parse out available theme options into nice format.
-	const { data: themes } = useAccountThemesQuery();
-	const themeOptions = useMemo(() => {
-		let themeOptions = [
-			<option key="" value="">
-				Default
-			</option>
-		];
-
-		themes?.forEach((theme) => {
-			const value = theme.file_name;
-			let text = theme.title;
-			if (theme.description) {
-				text += " - " + theme.description;
-			}
-			themeOptions.push(
-				<option key={value} value={value}>
-					{text}
-				</option>
-			);
-		});
-
-		return themeOptions;
-	}, [themes]);
-
-	const form = {
-		avatar: useFileInput("avatar", { withPreview: true }),
-		avatarDescription: useTextInput("avatar_description", { source: profile }),
-		header: useFileInput("header", { withPreview: true }),
-		headerDescription: useTextInput("header_description", { source: profile }),
-		displayName: useTextInput("display_name", { source: profile }),
-		note: useTextInput("note", { source: profile, valueSelector: (p) => p.source?.note }),
-		bot: useBoolInput("bot", { source: profile }),
-		locked: useBoolInput("locked", { source: profile }),
-		discoverable: useBoolInput("discoverable", { source: profile}),
-		enableRSS: useBoolInput("enable_rss", { source: profile }),
-		hideCollections: useBoolInput("hide_collections", { source: profile }),
-		webVisibility: useTextInput("web_visibility", { source: profile, valueSelector: (p: Account) => p.source?.web_visibility }),
-		webLayout: useTextInput("web_layout", { source: profile, valueSelector: (p: Account) => p.source?.web_layout }),
-		fields: useFieldArrayInput("fields_attributes", {
-			defaultValue: profile?.source?.fields,
-			length: instanceConfig.maxPinnedFields
-		}),
-		customCSS: useTextInput("custom_css", { source: profile, nosubmit: !instanceConfig.allowCustomCSS }),
-		theme: useTextInput("theme", { source: profile }),
-	};
-
-	const [ noHeader, setNoHeader ] = useState(!profile.header_media_id);
-	const [ deleteHeader, deleteHeaderRes ] = useDeleteHeaderMutation();
-	const [ noAvatar, setNoAvatar ] = useState(!profile.avatar_media_id);
-	const [ deleteAvatar, deleteAvatarRes ] = useDeleteAvatarMutation();
-
-	const [submitForm, result] = useFormSubmit(form, useUpdateCredentialsMutation(), {
-		changedOnly: true,
-		onFinish: (res) => {
-			if ('data' in res) {
-				form.avatar.reset();
-				form.header.reset();
-				setNoAvatar(!res.data.avatar_media_id);
-				setNoHeader(!res.data.header_media_id);
-			}
-		}
-	});
-
-	return (
-		<form className="user-profile" onSubmit={submitForm}>
-			<h1>Profile</h1>
-			<div className="overview">
-				<FakeProfile
-					avatar={form.avatar.previewValue ?? profile.avatar}
-					header={form.header.previewValue ?? profile.header}
-					display_name={form.displayName.value ?? profile.username}
-					bot={profile.bot}
-					username={profile.username}
-					role={profile.role}
-				/>
-
-				<fieldset className="file-input-with-image-description">
-					<legend>Header</legend>
-					<FileInput
-						label="Upload file"
-						field={form.header}
-						accept="image/png, image/jpeg, image/webp, image/gif"
-					/>
-					<TextInput
-						field={form.headerDescription}
-						label="Image description; only settable if not using default header"
-						placeholder="A green field with pink flowers."
-						autoCapitalize="sentences"
-						disabled={noHeader && !form.header.value}
-					/>
-					<MutationButton
-						className="delete-header-button"
-						label="Delete header"
-						disabled={noHeader}
-						result={deleteHeaderRes}
-						onClick={(e) => {
-							e.preventDefault();
-							deleteHeader().then(res => {
-								if ('data' in res) {
-									setNoHeader(true);
-								}
-							});
-						}}
-					/>
-				</fieldset>
-				
-				<fieldset className="file-input-with-image-description">
-					<legend>Avatar</legend>
-					<FileInput
-						label="Upload file (1:1 images look best)"
-						field={form.avatar}
-						accept="image/png, image/jpeg, image/webp, image/gif"
-					/>
-					<TextInput
-						field={form.avatarDescription}
-						label="Image description; only settable if not using default avatar"
-						placeholder="A cute drawing of a smiling sloth."
-						autoCapitalize="sentences"
-						disabled={noAvatar && !form.avatar.value}
-					/>
-					<MutationButton
-						className="delete-avatar-button"
-						label="Delete avatar"
-						disabled={noAvatar}
-						result={deleteAvatarRes}
-						onClick={(e) => {
-							e.preventDefault();
-							deleteAvatar().then(res => {
-								if ('data' in res) {
-									setNoAvatar(true);
-								}
-							});
-						}}
-					/>
-				</fieldset>
-
-				<span>After choosing theme or layout and saving, <a href={profile.url} target="_blank">open your profile</a> and refresh to see changes.</span>
-
-				<Select
-					label="Theme for the web view of your profile"
-					field={form.theme}
-					options={<>{themeOptions}</>}
-				/>
-
-				<Select
-					field={form.webLayout}
-					label="Layout for the web view of your profile"
-					options={
-						<>
-							<option value="microblog">Classic microblog layout (show recent + pinned posts; media shown alongside its parent post)</option>
-							<option value="gallery">'Gram-style gallery layout (show recent + pinned media; parent posts still accessible by link)</option>
-						</>
-					}
-				/>
-			</div>
-
-			<div className="form-section-docs">
-				<h3>Basic Information</h3>
-				<a
-					href="https://docs.gotosocial.org/en/latest/user_guide/settings/#basic-information"
-					target="_blank"
-					className="docslink"
-					rel="noreferrer"
-				>
-					Learn more about these settings (opens in a new tab)
-				</a>
-			</div>
-			<Checkbox
-				field={form.bot}
-				label="Mark as bot account; this indicates to other users that this is an automated account"
-			/>
-			<TextInput
-				field={form.displayName}
-				label="Display name"
-				placeholder="A GoToSocial User"
-				autoCapitalize="words"
-				spellCheck="false"
-			/>
-			<TextArea
-				field={form.note}
-				label="Bio"
-				placeholder="Just trying out GoToSocial, my pronouns are they/them and I like sloths."
-				autoCapitalize="sentences"
-				rows={8}
-			/>
-			<fieldset>
-				<legend>Profile fields</legend>
-				<ProfileFields
-					field={form.fields}
-				/>
-			</fieldset>
-
-			<div className="form-section-docs">
-				<h3>Visibility and privacy</h3>
-				<a
-					href="https://docs.gotosocial.org/en/latest/user_guide/settings/#visibility-and-privacy"
-					target="_blank"
-					className="docslink"
-					rel="noreferrer"
-				>
-					Learn more about these settings (opens in a new tab)
-				</a>
-			</div>
-			<Select
-				field={form.webVisibility}
-				label="Visibility level of posts to show on your profile, and in your RSS feed (if enabled)."
-				options={
-					<>
-						<option value="public">Show Public posts only (the GoToSocial default)</option>
-						<option value="unlisted">Show Public and Unlisted posts (the Mastodon default)</option>
-						<option value="none">Show no posts</option>
-					</>
-				}
-			/>
-			<Checkbox
-				field={form.locked}
-				label="Manually approve follow requests."
-			/>
-			<Checkbox
-				field={form.discoverable}
-				label="Mark account as discoverable by search engines and directories."
-			/>
-			<Checkbox
-				field={form.enableRSS}
-				label="Enable RSS feed of posts."
-			/>
-			<Checkbox
-				field={form.hideCollections}
-				label="Hide who you follow / are followed by."
-			/>
-
-			<div className="form-section-docs">
-				<h3>Advanced</h3>
-				<a
-					href="https://docs.gotosocial.org/en/latest/user_guide/settings/#advanced"
-					target="_blank"
-					className="docslink"
-					rel="noreferrer"
-				>
-					Learn more about these settings (opens in a new tab)
-				</a>
-			</div>
-			<TextArea
-				field={form.customCSS}
-				label={`Custom CSS` + (!instanceConfig.allowCustomCSS ? ` (not enabled on this instance)` : ``)}
-				className="monospace"
-				rows={8}
-				disabled={!instanceConfig.allowCustomCSS}
-				autoCapitalize="none"
-				spellCheck="false"
-			/>
-			<MutationButton
-				disabled={false}
-				label="Save profile info"
-				result={result}
-			/>
-		</form>
-	);
-}
-
-function ProfileFields({ field: formField }) {
-	return (
-		<div className="fields">
-			<FormContext.Provider value={formField.ctx}>
-				{formField.value.map((data, i) => (
-					<Field
-						key={i}
-						index={i}
-						data={data}
-					/>
-				))}
-			</FormContext.Provider>
-		</div>
-	);
-}
-
-function Field({ index, data }) {
-	const form = useWithFormContext(index, {
-		name: useTextInput("name", { defaultValue: data.name }),
-		value: useTextInput("value", { defaultValue: data.value })
-	});
-
-	return (
-		<div className="entry">
-			<TextInput
-				field={form.name}
-				placeholder="Name"
-				autoCapitalize="none"
-				spellCheck="false"
-			/>
-			<TextInput
-				field={form.value}
-				placeholder="Value"
-				autoCapitalize="none"
-				spellCheck="false"
-			/>
-		</div>
-	);
-}
diff --git a/web/source/settings/views/user/profile/profile.tsx b/web/source/settings/views/user/profile/profile.tsx
new file mode 100644
index 000000000..6f99a17db
--- /dev/null
+++ b/web/source/settings/views/user/profile/profile.tsx
@@ -0,0 +1,375 @@
+/*
+	GoToSocial
+	Copyright (C) GoToSocial Authors admin@gotosocial.org
+	SPDX-License-Identifier: AGPL-3.0-or-later
+
+	This program is free software: you can redistribute it and/or modify
+	it under the terms of the GNU Affero General Public License as published by
+	the Free Software Foundation, either version 3 of the License, or
+	(at your option) any later version.
+
+	This program is distributed in the hope that it will be useful,
+	but WITHOUT ANY WARRANTY; without even the implied warranty of
+	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+	GNU Affero General Public License for more details.
+
+	You should have received a copy of the GNU Affero General Public License
+	along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+import React, { useMemo, useState } from "react";
+
+import {
+	useTextInput,
+	useFileInput,
+	useBoolInput,
+	useFieldArrayInput,
+} from "../../../lib/form";
+
+import useFormSubmit from "../../../lib/form/submit";
+import { useWithFormContext, FormContext } from "../../../lib/form/context";
+
+import {
+	TextInput,
+	TextArea,
+	FileInput,
+	Checkbox,
+	Select
+} from "../../../components/form/inputs";
+
+import FormWithData from "../../../lib/form/form-with-data";
+import FakeProfile from "../../../components/profile";
+import MutationButton from "../../../components/form/mutation-button";
+
+import {
+	useAccountThemesQuery,
+	useDeleteAvatarMutation,
+	useDeleteHeaderMutation,
+} from "../../../lib/query/user";
+import { useUpdateCredentialsMutation } from "../../../lib/query/user";
+import { useVerifyCredentialsQuery } from "../../../lib/query/login";
+import { useInstanceV1Query } from "../../../lib/query/gts-api";
+import { Account } from "../../../lib/types/account";
+
+export default function Profile() {
+	return (
+		<FormWithData
+			dataQuery={useVerifyCredentialsQuery}
+			DataForm={ProfileForm}
+		/>
+	);
+}
+
+interface ProfileFormProps {
+	data: Account;
+}
+
+function ProfileForm({ data: profile }: ProfileFormProps) {
+	const { data: instance } = useInstanceV1Query();
+	const instanceConfig = React.useMemo(() => {
+		return {
+			allowCustomCSS: instance?.configuration?.accounts?.allow_custom_css === true,
+			maxPinnedFields: instance?.configuration?.accounts?.max_profile_fields ?? 6
+		};
+	}, [instance]);
+	
+	// Parse out available theme options into nice format.
+	const { data: themes } = useAccountThemesQuery();
+	const themeOptions = useMemo(() => {
+		let themeOptions = [
+			<option key="" value="">
+				Default
+			</option>
+		];
+
+		themes?.forEach((theme) => {
+			const value = theme.file_name;
+			let text = theme.title;
+			if (theme.description) {
+				text += " - " + theme.description;
+			}
+			themeOptions.push(
+				<option key={value} value={value}>
+					{text}
+				</option>
+			);
+		});
+
+		return themeOptions;
+	}, [themes]);
+
+	const form = {
+		avatar: useFileInput("avatar", { withPreview: true }),
+		avatarDescription: useTextInput("avatar_description", { source: profile }),
+		header: useFileInput("header", { withPreview: true }),
+		headerDescription: useTextInput("header_description", { source: profile }),
+		displayName: useTextInput("display_name", { source: profile }),
+		note: useTextInput("note", { source: profile, valueSelector: (p) => p.source?.note }),
+		bot: useBoolInput("bot", { source: profile }),
+		locked: useBoolInput("locked", { source: profile }),
+		discoverable: useBoolInput("discoverable", { source: profile}),
+		enableRSS: useBoolInput("enable_rss", { source: profile }),
+		hideCollections: useBoolInput("hide_collections", { source: profile }),
+		webVisibility: useTextInput("web_visibility", { source: profile, valueSelector: (p: Account) => p.source?.web_visibility }),
+		webLayout: useTextInput("web_layout", { source: profile, valueSelector: (p: Account) => p.source?.web_layout }),
+		fields: useFieldArrayInput("fields_attributes", {
+			defaultValue: profile?.source?.fields,
+			length: instanceConfig.maxPinnedFields
+		}),
+		customCSS: useTextInput("custom_css", { source: profile, nosubmit: !instanceConfig.allowCustomCSS }),
+		theme: useTextInput("theme", { source: profile }),
+	};
+
+	const [ noHeader, setNoHeader ] = useState(!profile.header_media_id);
+	const [ deleteHeader, deleteHeaderRes ] = useDeleteHeaderMutation();
+	const [ noAvatar, setNoAvatar ] = useState(!profile.avatar_media_id);
+	const [ deleteAvatar, deleteAvatarRes ] = useDeleteAvatarMutation();
+
+	const [submitForm, result] = useFormSubmit(form, useUpdateCredentialsMutation(), {
+		changedOnly: true,
+		onFinish: (res) => {
+			if ('data' in res) {
+				form.avatar.reset();
+				form.header.reset();
+				setNoAvatar(!res.data.avatar_media_id);
+				setNoHeader(!res.data.header_media_id);
+			}
+		}
+	});
+
+	return (
+		<form className="user-profile" onSubmit={submitForm}>
+			<h1>Profile</h1>
+			<div className="overview">
+				<FakeProfile
+					avatar={form.avatar.previewValue ?? profile.avatar}
+					header={form.header.previewValue ?? profile.header}
+					display_name={form.displayName.value ?? profile.username}
+					bot={profile.bot}
+					username={profile.username}
+					role={profile.role}
+				/>
+
+				<fieldset className="file-input-with-image-description">
+					<legend>Header</legend>
+					<FileInput
+						label="Upload file"
+						field={form.header}
+						accept="image/png, image/jpeg, image/webp, image/gif"
+					/>
+					<TextInput
+						field={form.headerDescription}
+						label="Image description; only settable if not using default header"
+						placeholder="A green field with pink flowers."
+						autoCapitalize="sentences"
+						disabled={noHeader && !form.header.value}
+					/>
+					<MutationButton
+						className="delete-header-button"
+						label="Delete header"
+						disabled={noHeader}
+						result={deleteHeaderRes}
+						onClick={(e) => {
+							e.preventDefault();
+							deleteHeader().then(res => {
+								if ('data' in res) {
+									setNoHeader(true);
+								}
+							});
+						}}
+					/>
+				</fieldset>
+				
+				<fieldset className="file-input-with-image-description">
+					<legend>Avatar</legend>
+					<FileInput
+						label="Upload file (1:1 images look best)"
+						field={form.avatar}
+						accept="image/png, image/jpeg, image/webp, image/gif"
+					/>
+					<TextInput
+						field={form.avatarDescription}
+						label="Image description; only settable if not using default avatar"
+						placeholder="A cute drawing of a smiling sloth."
+						autoCapitalize="sentences"
+						disabled={noAvatar && !form.avatar.value}
+					/>
+					<MutationButton
+						className="delete-avatar-button"
+						label="Delete avatar"
+						disabled={noAvatar}
+						result={deleteAvatarRes}
+						onClick={(e) => {
+							e.preventDefault();
+							deleteAvatar().then(res => {
+								if ('data' in res) {
+									setNoAvatar(true);
+								}
+							});
+						}}
+					/>
+				</fieldset>
+
+				<span>After choosing theme or layout and saving, <a href={profile.url} target="_blank">open your profile</a> and refresh to see changes.</span>
+
+				<Select
+					label="Theme for the web view of your profile"
+					field={form.theme}
+					options={<>{themeOptions}</>}
+				/>
+
+				<Select
+					field={form.webLayout}
+					label="Layout for the web view of your profile"
+					options={
+						<>
+							<option value="microblog">Classic microblog layout (show recent + pinned posts; media shown alongside its parent post)</option>
+							<option value="gallery">'Gram-style gallery layout (show recent + pinned media; parent posts still accessible by link)</option>
+						</>
+					}
+				/>
+			</div>
+
+			<div className="form-section-docs">
+				<h3>Basic Information</h3>
+				<a
+					href="https://docs.gotosocial.org/en/latest/user_guide/settings/#basic-information"
+					target="_blank"
+					className="docslink"
+					rel="noreferrer"
+				>
+					Learn more about these settings (opens in a new tab)
+				</a>
+			</div>
+			<Checkbox
+				field={form.bot}
+				label="Mark as bot account; this indicates to other users that this is an automated account"
+			/>
+			<TextInput
+				field={form.displayName}
+				label="Display name"
+				placeholder="A GoToSocial User"
+				autoCapitalize="words"
+				spellCheck="false"
+			/>
+			<TextArea
+				field={form.note}
+				label="Bio"
+				placeholder="Just trying out GoToSocial, my pronouns are they/them and I like sloths."
+				autoCapitalize="sentences"
+				rows={8}
+			/>
+			<fieldset>
+				<legend>Profile fields</legend>
+				<ProfileFields
+					field={form.fields}
+				/>
+			</fieldset>
+
+			<div className="form-section-docs">
+				<h3>Visibility and privacy</h3>
+				<a
+					href="https://docs.gotosocial.org/en/latest/user_guide/settings/#visibility-and-privacy"
+					target="_blank"
+					className="docslink"
+					rel="noreferrer"
+				>
+					Learn more about these settings (opens in a new tab)
+				</a>
+			</div>
+			<Select
+				field={form.webVisibility}
+				label="Visibility level of posts to show on your profile, and in your RSS feed (if enabled)."
+				options={
+					<>
+						<option value="public">Show Public posts only (the GoToSocial default)</option>
+						<option value="unlisted">Show Public and Unlisted posts (the Mastodon default)</option>
+						<option value="none">Show no posts</option>
+					</>
+				}
+			/>
+			<Checkbox
+				field={form.locked}
+				label="Manually approve follow requests."
+			/>
+			<Checkbox
+				field={form.discoverable}
+				label="Mark account as discoverable by search engines and directories."
+			/>
+			<Checkbox
+				field={form.enableRSS}
+				label="Enable RSS feed of posts."
+			/>
+			<Checkbox
+				field={form.hideCollections}
+				label="Hide who you follow / are followed by."
+			/>
+
+			<div className="form-section-docs">
+				<h3>Advanced</h3>
+				<a
+					href="https://docs.gotosocial.org/en/latest/user_guide/settings/#advanced"
+					target="_blank"
+					className="docslink"
+					rel="noreferrer"
+				>
+					Learn more about these settings (opens in a new tab)
+				</a>
+			</div>
+			<TextArea
+				field={form.customCSS}
+				label={`Custom CSS` + (!instanceConfig.allowCustomCSS ? ` (not enabled on this instance)` : ``)}
+				className="monospace"
+				rows={8}
+				disabled={!instanceConfig.allowCustomCSS}
+				autoCapitalize="none"
+				spellCheck="false"
+			/>
+			<MutationButton
+				disabled={false}
+				label="Save profile info"
+				result={result}
+			/>
+		</form>
+	);
+}
+
+function ProfileFields({ field: formField }) {
+	return (
+		<div className="fields">
+			<FormContext.Provider value={formField.ctx}>
+				{formField.value.map((data, i) => (
+					<Field
+						key={i}
+						index={i}
+						data={data}
+					/>
+				))}
+			</FormContext.Provider>
+		</div>
+	);
+}
+
+function Field({ index, data }) {
+	const form = useWithFormContext(index, {
+		name: useTextInput("name", { defaultValue: data.name }),
+		value: useTextInput("value", { defaultValue: data.value })
+	});
+
+	return (
+		<div className="entry">
+			<TextInput
+				field={form.name}
+				placeholder="Name"
+				autoCapitalize="none"
+				spellCheck="false"
+			/>
+			<TextInput
+				field={form.value}
+				placeholder="Value"
+				autoCapitalize="none"
+				spellCheck="false"
+			/>
+		</div>
+	);
+}
diff --git a/web/source/settings/views/user/router.tsx b/web/source/settings/views/user/router.tsx
index 0d34c171f..62eaf0f36 100644
--- a/web/source/settings/views/user/router.tsx
+++ b/web/source/settings/views/user/router.tsx
@@ -21,10 +21,9 @@ import React from "react";
 import { BaseUrlContext, useBaseUrl } from "../../lib/navigation/util";
 import { Redirect, Route, Router, Switch } from "wouter";
 import { ErrorBoundary } from "../../lib/navigation/error";
-import UserProfile from "./profile";
-import UserMigration from "./migration";
+import Profile from "./profile/profile";
 import PostSettings from "./posts";
-import EmailPassword from "./emailpassword";
+import Account from "./account";
 import ExportImport from "./export-import";
 import InteractionRequests from "./interactions";
 import InteractionRequestDetail from "./interactions/detail";
@@ -33,11 +32,12 @@ import Applications from "./applications";
 import NewApp from "./applications/new";
 import AppDetail from "./applications/detail";
 import { AppTokenCallback } from "./applications/callback";
+import Migration from "./migration";
 
 /**
  * - /settings/user/profile
+ * - /settings/user/account
  * - /settings/user/posts
- * - /settings/user/emailpassword
  * - /settings/user/migration
  * - /settings/user/export-import
  * - /settings/user/tokens
@@ -53,10 +53,10 @@ export default function UserRouter() {
 		<BaseUrlContext.Provider value={absBase}>
 			<Router base={thisBase}>
 				<Switch>
-					<Route path="/profile" component={UserProfile} />
+					<Route path="/profile" component={Profile} />
+					<Route path="/account" component={Account} />
 					<Route path="/posts" component={PostSettings} />
-					<Route path="/emailpassword" component={EmailPassword} />
-					<Route path="/migration" component={UserMigration} />
+					<Route path="/migration" component={Migration} />
 					<Route path="/export-import" component={ExportImport} />
 					<Route path="/tokens" component={Tokens} />
 				</Switch>
-- 
cgit v1.2.3