Phase 2 Step 4: Implement Authentication System

Implemented comprehensive Flask-Login authentication with single-user support.

New Features:
- Flask-Login integration with User model
- Bcrypt password hashing via PasswordManager
- Login, logout, and initial password setup routes
- @login_required and @api_auth_required decorators
- All API endpoints now require authentication
- Bootstrap 5 dark theme UI templates
- Dashboard with navigation
- Remember me and next parameter redirect support

Files Created (12):
- web/auth/__init__.py, models.py, decorators.py, routes.py
- web/routes/__init__.py, main.py
- web/templates/login.html, setup.html, dashboard.html, scans.html, scan_detail.html
- tests/test_authentication.py (30+ tests)

Files Modified (6):
- web/app.py: Added Flask-Login initialization and main routes
- web/api/scans.py: Protected all endpoints with @api_auth_required
- web/api/settings.py: Protected all endpoints with @api_auth_required
- web/api/schedules.py: Protected all endpoints with @api_auth_required
- web/api/alerts.py: Protected all endpoints with @api_auth_required
- tests/conftest.py: Added authentication test fixtures

Security:
- Session-based authentication for both web UI and API
- Secure password storage with bcrypt
- Protected routes redirect to login page
- Protected API endpoints return 401 Unauthorized
- Health check endpoints remain accessible for monitoring

Testing:
- User model authentication and properties
- Login success/failure flows
- Logout and session management
- Password setup workflow
- API endpoint authentication requirements
- Session persistence and remember me functionality
- Next parameter redirect behavior

Total: ~1,200 lines of code added

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

web/auth/__init__.py

@@ -0,0 +1,9 @@
+"""
+Authentication package for SneakyScanner.
+
+Provides Flask-Login based authentication with single-user support.
+"""
+
+from web.auth.models import User
+
+__all__ = ['User']

web/auth/decorators.py

@@ -0,0 +1,65 @@
+"""
+Authentication decorators for SneakyScanner.
+
+Provides decorators for protecting web routes and API endpoints.
+"""
+
+from functools import wraps
+from typing import Callable
+
+from flask import jsonify, redirect, request, url_for
+from flask_login import current_user
+
+
+def login_required(f: Callable) -> Callable:
+    """
+    Decorator for web routes that require authentication.
+
+    Redirects to login page if user is not authenticated.
+    This is a wrapper around Flask-Login's login_required that can be
+    customized if needed.
+
+    Args:
+        f: Function to decorate
+
+    Returns:
+        Decorated function
+    """
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if not current_user.is_authenticated:
+            # Redirect to login page
+            return redirect(url_for('auth.login', next=request.url))
+        return f(*args, **kwargs)
+    return decorated_function
+
+
+def api_auth_required(f: Callable) -> Callable:
+    """
+    Decorator for API endpoints that require authentication.
+
+    Returns 401 JSON response if user is not authenticated.
+    Uses Flask-Login sessions (same as web UI).
+
+    Args:
+        f: Function to decorate
+
+    Returns:
+        Decorated function
+
+    Example:
+        @bp.route('/api/scans', methods=['POST'])
+        @api_auth_required
+        def trigger_scan():
+            # Protected endpoint
+            pass
+    """
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if not current_user.is_authenticated:
+            return jsonify({
+                'error': 'Authentication required',
+                'message': 'Please authenticate to access this endpoint'
+            }), 401
+        return f(*args, **kwargs)
+    return decorated_function

web/auth/models.py

@@ -0,0 +1,107 @@
+"""
+User model for Flask-Login authentication.
+
+Simple single-user model that loads credentials from the settings table.
+"""
+
+from typing import Optional
+
+from flask_login import UserMixin
+from sqlalchemy.orm import Session
+
+from web.utils.settings import PasswordManager, SettingsManager
+
+
+class User(UserMixin):
+    """
+    User class for Flask-Login.
+
+    Represents the single application user. Credentials are stored in the
+    settings table (app_password key).
+    """
+
+    # Single user ID (always 1 for single-user app)
+    USER_ID = '1'
+
+    def __init__(self, user_id: str = USER_ID):
+        """
+        Initialize user.
+
+        Args:
+            user_id: User ID (always '1' for single-user app)
+        """
+        self.id = user_id
+
+    def get_id(self) -> str:
+        """
+        Get user ID for Flask-Login.
+
+        Returns:
+            User ID string
+        """
+        return self.id
+
+    @property
+    def is_authenticated(self) -> bool:
+        """User is always authenticated if instance exists."""
+        return True
+
+    @property
+    def is_active(self) -> bool:
+        """User is always active."""
+        return True
+
+    @property
+    def is_anonymous(self) -> bool:
+        """User is never anonymous."""
+        return False
+
+    @staticmethod
+    def get(user_id: str, db_session: Session = None) -> Optional['User']:
+        """
+        Get user by ID (Flask-Login user_loader).
+
+        Args:
+            user_id: User ID to load
+            db_session: Database session (unused - kept for compatibility)
+
+        Returns:
+            User instance if ID is valid, None otherwise
+        """
+        if user_id == User.USER_ID:
+            return User(user_id)
+        return None
+
+    @staticmethod
+    def authenticate(password: str, db_session: Session) -> Optional['User']:
+        """
+        Authenticate user with password.
+
+        Args:
+            password: Password to verify
+            db_session: Database session for accessing settings
+
+        Returns:
+            User instance if password is correct, None otherwise
+        """
+        settings_manager = SettingsManager(db_session)
+
+        if PasswordManager.verify_app_password(settings_manager, password):
+            return User(User.USER_ID)
+
+        return None
+
+    @staticmethod
+    def has_password_set(db_session: Session) -> bool:
+        """
+        Check if application password is set.
+
+        Args:
+            db_session: Database session for accessing settings
+
+        Returns:
+            True if password is set, False otherwise
+        """
+        settings_manager = SettingsManager(db_session)
+        stored_hash = settings_manager.get('app_password', decrypt=False)
+        return bool(stored_hash)

web/auth/routes.py

@@ -0,0 +1,120 @@
+"""
+Authentication routes for SneakyScanner.
+
+Provides login and logout endpoints for user authentication.
+"""
+
+import logging
+
+from flask import Blueprint, current_app, flash, redirect, render_template, request, url_for
+from flask_login import login_user, logout_user, current_user
+
+from web.auth.models import User
+
+logger = logging.getLogger(__name__)
+
+bp = Blueprint('auth', __name__)
+
+
+@bp.route('/login', methods=['GET', 'POST'])
+def login():
+    """
+    Login page and authentication endpoint.
+
+    GET: Render login form
+    POST: Authenticate user and create session
+
+    Returns:
+        GET: Rendered login template
+        POST: Redirect to dashboard on success, login page with error on failure
+    """
+    # If already logged in, redirect to dashboard
+    if current_user.is_authenticated:
+        return redirect(url_for('main.dashboard'))
+
+    # Check if password is set
+    if not User.has_password_set(current_app.db_session):
+        flash('Application password not set. Please contact administrator.', 'error')
+        logger.warning("Login attempted but no password is set")
+        return render_template('login.html', password_not_set=True)
+
+    if request.method == 'POST':
+        password = request.form.get('password', '')
+
+        # Authenticate user
+        user = User.authenticate(password, current_app.db_session)
+
+        if user:
+            # Login successful
+            login_user(user, remember=request.form.get('remember', False))
+            logger.info(f"User logged in successfully from {request.remote_addr}")
+
+            # Redirect to next page or dashboard
+            next_page = request.args.get('next')
+            if next_page:
+                return redirect(next_page)
+            return redirect(url_for('main.dashboard'))
+        else:
+            # Login failed
+            flash('Invalid password', 'error')
+            logger.warning(f"Failed login attempt from {request.remote_addr}")
+
+    return render_template('login.html')
+
+
+@bp.route('/logout')
+def logout():
+    """
+    Logout endpoint.
+
+    Destroys the user session and redirects to login page.
+
+    Returns:
+        Redirect to login page
+    """
+    if current_user.is_authenticated:
+        logger.info(f"User logged out from {request.remote_addr}")
+        logout_user()
+        flash('You have been logged out successfully', 'info')
+
+    return redirect(url_for('auth.login'))
+
+
+@bp.route('/setup', methods=['GET', 'POST'])
+def setup():
+    """
+    Initial password setup page.
+
+    Only accessible when no password is set. Allows setting the application password.
+
+    Returns:
+        GET: Rendered setup template
+        POST: Redirect to login page on success
+    """
+    # If password already set, redirect to login
+    if User.has_password_set(current_app.db_session):
+        flash('Password already set. Please login.', 'info')
+        return redirect(url_for('auth.login'))
+
+    if request.method == 'POST':
+        password = request.form.get('password', '')
+        confirm_password = request.form.get('confirm_password', '')
+
+        # Validate passwords
+        if not password:
+            flash('Password is required', 'error')
+        elif len(password) < 8:
+            flash('Password must be at least 8 characters', 'error')
+        elif password != confirm_password:
+            flash('Passwords do not match', 'error')
+        else:
+            # Set password
+            from web.utils.settings import PasswordManager, SettingsManager
+            settings_manager = SettingsManager(current_app.db_session)
+            PasswordManager.set_app_password(settings_manager, password)
+
+            logger.info(f"Application password set from {request.remote_addr}")
+            flash('Password set successfully! You can now login.', 'success')
+            return redirect(url_for('auth.login'))
+
+    return render_template('setup.html')