phase A: user accounts + session-cookie auth
Replaces the static bearer-token gate with a real auth boundary. The existing CASSANDRA_TOKEN path is retained as an admin / scripting escape hatch — kept compatible by aliasing require_token to require_auth.

- New users table (migration 0007): email, argon2 password_hash, tier, email_verified (declared but not enforced until phase E), settings_json for the tone/analysis/anchor knobs we'll wire in phase D.
- app/services/auth_service.py: argon2-cffi password hashing with timing-attack-resistant authenticate() (always runs a hash verify even on unknown-email to deny a username-enumeration oracle).
- app/auth.py rewritten: require_auth returns a CurrentUser with either is_admin=True (bearer path) or a User object (session path). Failing requests get 303 → /login for HTML, 401 for API. Sessions signed with itsdangerous against CASSANDRA_SESSION_SECRET; 14-day TTL.
- app/routers/auth.py: /login, /signup, /logout. Login form preserves the ?next=… param for redirect-after-login. Signup respects a new CASSANDRA_SIGNUP_ENABLED flag.
- Standalone /login + /signup templates (no app chrome). base.html grows a user chip + logout link in the header (reads request.state.current_user).

Phase A's main known limitations are documented in the plan: email verification is declared but not enforced; session revocation is best-effort (cookie-only, not DB-backed). Both land in phase E.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent 8a155ef157
commit 480fd311c5
12 changed files with 644 additions and 21 deletions
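The "always run a hash verify, even for an unknown email" pattern that the commit message describes for authenticate(), as an added stand-alone example (not the project's auth_service.py). The commit uses argon2-cffi; this version swaps in hashlib.scrypt from the standard library so it runs without extra packages, and the user table is a constructed in-memory dict standing in for the users table from migration 0007.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# scrypt cost parameters (assumed for this example; an argon2 hash string
# carries its own parameters, so the real service would not need these).
_N, _R, _P, _DKLEN = 2 ** 14, 8, 1, 32


@dataclass
class User:
    email: str
    password_hash: str  # format: "scrypt$<salt-hex>$<key-hex>"


def hash_password(password: str) -> str:
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=_N, r=_R, p=_P, dklen=_DKLEN)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, salt_hex, key_hex = stored.split("$")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         n=_N, r=_R, p=_P, dklen=_DKLEN)
    # Constant-time comparison of the derived key against the stored one.
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


# Hash of a random throwaway password, computed once at import. Verifying
# against it costs the same as a real verify, so a request for an unknown
# email takes as long as a wrong-password request and the response time
# does not reveal whether the account exists.
_DUMMY_HASH = hash_password(os.urandom(32).hex())

# Constructed user table; keys are normalised (lower-cased) emails.
USERS = {"alice@example.com": User("alice@example.com", hash_password("correct horse"))}


def authenticate(email: str, password: str, users=USERS) -> Optional[User]:
    """Return the User on success, None on unknown email or wrong password."""
    user = users.get(email.strip().lower())  # normalisation is an assumption here
    # Run the expensive verify on every path; use its result only if the user exists.
    ok = verify_password(password, user.password_hash if user else _DUMMY_HASH)
    return user if (user is not None and ok) else None
```

Both failure cases return the same value and do roughly the same work, which is what denies the enumeration oracle; the caller still renders one generic "invalid email or password" message.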
|
|
@ -591,6 +591,104 @@ table.dense tr.row-stale td { color: var(--dim); }
|
|||
.log-meta__row { display: flex; flex-wrap: wrap; align-items: center; gap: 0; margin-top: 6px; }
|
||||
.log-meta__row--dim { color: var(--dim); font-size: 10.5px; }
|
||||
|
||||
/* --- Auth pages (login / signup, standalone — no app chrome) -------- */
|
||||
|
||||
.auth-shell {
|
||||
min-height: 100vh;
|
||||
display: flex;
|
||||
align-items: center;
|
||||
justify-content: center;
|
||||
background: var(--bg);
|
||||
padding: 20px;
|
||||
}
|
||||
.auth-card {
|
||||
width: 360px;
|
||||
max-width: 100%;
|
||||
background: var(--surface);
|
||||
border: 1px solid var(--border);
|
||||
padding: 28px 26px;
|
||||
}
|
||||
.auth-card__brand {
|
||||
font-family: var(--font-mono);
|
||||
color: var(--accent);
|
||||
font-size: 18px;
|
||||
letter-spacing: 0.12em;
|
||||
text-transform: uppercase;
|
||||
font-weight: 700;
|
||||
}
|
||||
.auth-card__brand::before { content: "▰ "; opacity: 0.6; }
|
||||
.auth-card__hint {
|
||||
font-family: var(--font-mono);
|
||||
color: var(--muted);
|
||||
font-size: 10px;
|
||||
text-transform: uppercase;
|
||||
letter-spacing: 0.08em;
|
||||
margin: 2px 0 18px;
|
||||
}
|
||||
.auth-card form { display: flex; flex-direction: column; gap: 12px; }
|
||||
.auth-card label {
|
||||
display: flex;
|
||||
flex-direction: column;
|
||||
font-family: var(--font-mono);
|
||||
color: var(--muted);
|
||||
font-size: 10px;
|
||||
text-transform: uppercase;
|
||||
letter-spacing: 0.06em;
|
||||
gap: 4px;
|
||||
}
|
||||
.auth-card input[type="email"], .auth-card input[type="password"] {
|
||||
background: var(--bg);
|
||||
border: 1px solid var(--border);
|
||||
color: var(--text);
|
||||
font-family: var(--font-mono);
|
||||
font-size: 13px;
|
||||
padding: 8px 10px;
|
||||
outline: none;
|
||||
}
|
||||
.auth-card input:focus { border-color: var(--accent); }
|
||||
.auth-card button {
|
||||
margin-top: 8px;
|
||||
background: transparent;
|
||||
border: 1px solid var(--accent);
|
||||
color: var(--accent);
|
||||
font-family: var(--font-mono);
|
||||
font-size: 11px;
|
||||
padding: 9px 12px;
|
||||
text-transform: uppercase;
|
||||
letter-spacing: 0.1em;
|
||||
cursor: pointer;
|
||||
}
|
||||
.auth-card button:hover { background: var(--accent); color: var(--bg); }
|
||||
.auth-card__alt {
|
||||
margin-top: 18px;
|
||||
font-size: 12px;
|
||||
color: var(--muted);
|
||||
text-align: center;
|
||||
}
|
||||
.auth-error {
|
||||
border-left: 3px solid var(--negative);
|
||||
background: color-mix(in srgb, var(--negative) 6%, transparent);
|
||||
color: var(--negative);
|
||||
padding: 8px 10px;
|
||||
font-size: 12px;
|
||||
margin-bottom: 14px;
|
||||
font-family: var(--font-mono);
|
||||
}
|
||||
|
||||
/* User chip in header */
|
||||
.user-chip {
|
||||
font-family: var(--font-mono);
|
||||
font-size: 10.5px;
|
||||
color: var(--muted);
|
||||
margin-left: 8px;
|
||||
letter-spacing: 0.04em;
|
||||
}
|
||||
.user-chip a {
|
||||
color: var(--muted);
|
||||
border-bottom: 1px dotted var(--muted);
|
||||
}
|
||||
.user-chip a:hover { color: var(--accent); border-color: var(--accent); }
|
||||
|
||||
/* --- Upload page (drag-drop CSV) ------------------------------------- */
|
||||
|
||||
.dz {
|
||||
|
|
|
|||
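Review bot: the selector `.auth-card input[type="email"], .auth-card input[type="password"]` only styles those two input types, so any other visible field added to the signup form later (a display name, say) would fall back to browser defaults; `.auth-card input:not([type="hidden"])` or a shared class would cover them. Related: that rule sets `outline: none`, and the only focus cue left is `.auth-card input:focus { border-color: var(--accent); }`, a 1px colour change that is hard to see for keyboard users; an `outline` in the accent colour (or a thicker focus border) would be a better replacement for the ring being removed.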