Phase 2 Step 4: Implement Authentication System

Implemented comprehensive Flask-Login authentication with single-user support.

New Features:
- Flask-Login integration with User model
- Bcrypt password hashing via PasswordManager
- Login, logout, and initial password setup routes
- @login_required and @api_auth_required decorators
- All API endpoints now require authentication
- Bootstrap 5 dark theme UI templates
- Dashboard with navigation
- Remember me and next parameter redirect support

Files Created (12):
- web/auth/__init__.py, models.py, decorators.py, routes.py
- web/routes/__init__.py, main.py
- web/templates/login.html, setup.html, dashboard.html, scans.html, scan_detail.html
- tests/test_authentication.py (30+ tests)

Files Modified (6):
- web/app.py: Added Flask-Login initialization and main routes
- web/api/scans.py: Protected all endpoints with @api_auth_required
- web/api/settings.py: Protected all endpoints with @api_auth_required
- web/api/schedules.py: Protected all endpoints with @api_auth_required
- web/api/alerts.py: Protected all endpoints with @api_auth_required
- tests/conftest.py: Added authentication test fixtures

Security:
- Session-based authentication for both web UI and API
- Secure password storage with bcrypt
- Protected routes redirect to login page
- Protected API endpoints return 401 Unauthorized
- Health check endpoints remain accessible for monitoring

Testing:
- User model authentication and properties
- Login success/failure flows
- Logout and session management
- Password setup workflow
- API endpoint authentication requirements
- Session persistence and remember me functionality
- Next parameter redirect behavior

Total: ~1,200 lines of code added

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

web/app.py

@@ -11,6 +11,7 @@ from pathlib import Path
 
 from flask import Flask, jsonify
 from flask_cors import CORS
+from flask_login import LoginManager
 from sqlalchemy import create_engine
 from sqlalchemy.orm import scoped_session, sessionmaker
 
@@ -60,6 +61,9 @@ def create_app(config: dict = None) -> Flask:
     # Initialize extensions
     init_extensions(app)
 
+    # Initialize authentication
+    init_authentication(app)
+
     # Initialize background scheduler
     init_scheduler(app)
 
@@ -172,6 +176,33 @@ def init_extensions(app: Flask) -> None:
     app.logger.info("Extensions initialized")
 
 
+def init_authentication(app: Flask) -> None:
+    """
+    Initialize Flask-Login authentication.
+
+    Args:
+        app: Flask application instance
+    """
+    from web.auth.models import User
+
+    # Initialize LoginManager
+    login_manager = LoginManager()
+    login_manager.init_app(app)
+
+    # Configure login view
+    login_manager.login_view = 'auth.login'
+    login_manager.login_message = 'Please log in to access this page.'
+    login_manager.login_message_category = 'info'
+
+    # User loader callback
+    @login_manager.user_loader
+    def load_user(user_id):
+        """Load user by ID for Flask-Login."""
+        return User.get(user_id, app.db_session)
+
+    app.logger.info("Authentication initialized")
+
+
 def init_scheduler(app: Flask) -> None:
     """
     Initialize background job scheduler.
@@ -203,6 +234,14 @@ def register_blueprints(app: Flask) -> None:
     from web.api.schedules import bp as schedules_bp
     from web.api.alerts import bp as alerts_bp
     from web.api.settings import bp as settings_bp
+    from web.auth.routes import bp as auth_bp
+    from web.routes.main import bp as main_bp
+
+    # Register authentication blueprint
+    app.register_blueprint(auth_bp, url_prefix='/auth')
+
+    # Register main web routes blueprint
+    app.register_blueprint(main_bp, url_prefix='/')
 
     # Register API blueprints
     app.register_blueprint(scans_bp, url_prefix='/api/scans')