Phase 2 Step 4: Implement Authentication System

Implemented comprehensive Flask-Login authentication with single-user support.

New Features:
- Flask-Login integration with User model
- Bcrypt password hashing via PasswordManager
- Login, logout, and initial password setup routes
- @login_required and @api_auth_required decorators
- All API endpoints now require authentication
- Bootstrap 5 dark theme UI templates
- Dashboard with navigation
- Remember me and next parameter redirect support

Files Created (12):
- web/auth/__init__.py, models.py, decorators.py, routes.py
- web/routes/__init__.py, main.py
- web/templates/login.html, setup.html, dashboard.html, scans.html, scan_detail.html
- tests/test_authentication.py (30+ tests)

Files Modified (6):
- web/app.py: Added Flask-Login initialization and main routes
- web/api/scans.py: Protected all endpoints with @api_auth_required
- web/api/settings.py: Protected all endpoints with @api_auth_required
- web/api/schedules.py: Protected all endpoints with @api_auth_required
- web/api/alerts.py: Protected all endpoints with @api_auth_required
- tests/conftest.py: Added authentication test fixtures

Security:
- Session-based authentication for both web UI and API
- Secure password storage with bcrypt
- Protected routes redirect to login page
- Protected API endpoints return 401 Unauthorized
- Health check endpoints remain accessible for monitoring

Testing:
- User model authentication and properties
- Login success/failure flows
- Logout and session management
- Password setup workflow
- API endpoint authentication requirements
- Session persistence and remember me functionality
- Next parameter redirect behavior

Total: ~1,200 lines of code added

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

web/auth/decorators.py

@@ -0,0 +1,65 @@
+"""
+Authentication decorators for SneakyScanner.
+
+Provides decorators for protecting web routes and API endpoints.
+"""
+
+from functools import wraps
+from typing import Callable
+
+from flask import jsonify, redirect, request, url_for
+from flask_login import current_user
+
+
+def login_required(f: Callable) -> Callable:
+    """
+    Decorator for web routes that require authentication.
+
+    Redirects to login page if user is not authenticated.
+    This is a wrapper around Flask-Login's login_required that can be
+    customized if needed.
+
+    Args:
+        f: Function to decorate
+
+    Returns:
+        Decorated function
+    """
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if not current_user.is_authenticated:
+            # Redirect to login page
+            return redirect(url_for('auth.login', next=request.url))
+        return f(*args, **kwargs)
+    return decorated_function
+
+
+def api_auth_required(f: Callable) -> Callable:
+    """
+    Decorator for API endpoints that require authentication.
+
+    Returns 401 JSON response if user is not authenticated.
+    Uses Flask-Login sessions (same as web UI).
+
+    Args:
+        f: Function to decorate
+
+    Returns:
+        Decorated function
+
+    Example:
+        @bp.route('/api/scans', methods=['POST'])
+        @api_auth_required
+        def trigger_scan():
+            # Protected endpoint
+            pass
+    """
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if not current_user.is_authenticated:
+            return jsonify({
+                'error': 'Authentication required',
+                'message': 'Please authenticate to access this endpoint'
+            }), 401
+        return f(*args, **kwargs)
+    return decorated_function