phase A: user accounts + session-cookie auth

Replaces the static bearer-token gate with a real auth boundary. The existing CASSANDRA_TOKEN path is retained as an admin / scripting escape hatch — kept compatible by aliasing require_token to require_auth. - New users table (migration 0007): email, argon2 password_hash, tier, email_verified (declared but not enforced until phase E), settings_json for the tone/analysis/anchor knobs we'll wire in phase D. - app/services/auth_service.py: argon2-cffi password hashing with timing- attack-resistant authenticate() (always runs a hash verify even on unknown-email to deny a username-enumeration oracle). - app/auth.py rewritten: require_auth returns a CurrentUser with either is_admin=True (bearer path) or a User object (session path). Failing requests get 303 → /login for HTML, 401 for API. Sessions signed with itsdangerous against CASSANDRA_SESSION_SECRET; 14-day TTL. - app/routers/auth.py: /login, /signup, /logout. Login form preserves the ?next=… param for redirect-after-login. Signup respects a new CASSANDRA_SIGNUP_ENABLED flag. - Standalone /login + /signup templates (no app chrome). base.html grows a user chip + logout link in the header (reads request.state.current_user). Phase A's main known limitations are documented in the plan: email verification is declared but not enforced; session revocation is best-effort (cookie-only, not DB-backed). Both land in phase E. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-16 11:12:10 +01:00 · 2026-05-16 11:12:10 +01:00 · 480fd311c5
commit 480fd311c5
parent 8a155ef157
12 changed files with 644 additions and 21 deletions
--- a/app/templates/base.html
+++ b/app/templates/base.html
@ -52,6 +52,12 @@
              onclick="(function(){var d=document.documentElement;var t=d.dataset.theme==='light'?'dark':'light';d.dataset.theme=t;try{localStorage.setItem('cassandra.theme',t);}catch(e){}})()">
        <span class="theme-toggle__label"></span>
      </button>
+      {% set cu = request.state.current_user if request.state and request.state.current_user is defined else None %}
+      {% if cu and cu.user %}
+        <span class="user-chip">{{ cu.user.email }} · <a href="/logout">logout</a></span>
+      {% elif cu and cu.is_admin %}
+        <span class="user-chip">admin · <a href="/logout">logout</a></span>
+      {% endif %}
      <span class="meta">v0.1 · UTC</span>
    </div>
  </header>
--- a/app/templates/login.html
+++ b/app/templates/login.html
@ -0,0 +1,42 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>Cassandra · Login</title>
+  <script>
+    (function() {
+      try { document.documentElement.dataset.theme = localStorage.getItem('cassandra.theme') || 'dark'; }
+      catch (e) { document.documentElement.dataset.theme = 'dark'; }
+    })();
+  </script>
+  <link rel="stylesheet" href="{{ url_for('static', path='/css/cassandra.css') }}" />
+</head>
+<body>
+<div class="auth-shell">
+  <div class="auth-card">
+    <div class="auth-card__brand">Cassandra</div>
+    <div class="auth-card__hint">log in to access the dashboard</div>
+
+    {% if error %}<div class="auth-error">{{ error }}</div>{% endif %}
+
+    <form method="post" action="/login" autocomplete="on">
+      <input type="hidden" name="next" value="{{ next_path or '/' }}">
+      <label>Email
+        <input type="email" name="email" value="{{ email or '' }}" required autofocus>
+      </label>
+      <label>Password
+        <input type="password" name="password" required>
+      </label>
+      <button type="submit">Sign in</button>
+    </form>
+
+    {% if signup_enabled %}
+    <div class="auth-card__alt">
+      No account? <a href="/signup">Create one →</a>
+    </div>
+    {% endif %}
+  </div>
+</div>
+</body>
+</html>
--- a/app/templates/signup.html
+++ b/app/templates/signup.html
@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8" />
+  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
+  <title>Cassandra · Sign up</title>
+  <script>
+    (function() {
+      try { document.documentElement.dataset.theme = localStorage.getItem('cassandra.theme') || 'dark'; }
+      catch (e) { document.documentElement.dataset.theme = 'dark'; }
+    })();
+  </script>
+  <link rel="stylesheet" href="{{ url_for('static', path='/css/cassandra.css') }}" />
+</head>
+<body>
+<div class="auth-shell">
+  <div class="auth-card">
+    <div class="auth-card__brand">Cassandra</div>
+    <div class="auth-card__hint">create an account</div>
+
+    {% if error %}<div class="auth-error">{{ error }}</div>{% endif %}
+
+    <form method="post" action="/signup" autocomplete="on">
+      <label>Email
+        <input type="email" name="email" value="{{ email or '' }}" required autofocus>
+      </label>
+      <label>Password (min 8 characters)
+        <input type="password" name="password" minlength="8" required>
+      </label>
+      <button type="submit">Create account</button>
+    </form>
+
+    <div class="auth-card__alt">
+      Already have an account? <a href="/login">Sign in →</a>
+    </div>
+  </div>
+</div>
+</body>
+</html>