restructure of dirs, huge docs update

app/web/auth/routes.py

@@ -0,0 +1,120 @@
+"""
+Authentication routes for SneakyScanner.
+
+Provides login and logout endpoints for user authentication.
+"""
+
+import logging
+
+from flask import Blueprint, current_app, flash, redirect, render_template, request, url_for
+from flask_login import login_user, logout_user, current_user
+
+from web.auth.models import User
+
+logger = logging.getLogger(__name__)
+
+bp = Blueprint('auth', __name__)
+
+
+@bp.route('/login', methods=['GET', 'POST'])
+def login():
+    """
+    Login page and authentication endpoint.
+
+    GET: Render login form
+    POST: Authenticate user and create session
+
+    Returns:
+        GET: Rendered login template
+        POST: Redirect to dashboard on success, login page with error on failure
+    """
+    # If already logged in, redirect to dashboard
+    if current_user.is_authenticated:
+        return redirect(url_for('main.dashboard'))
+
+    # Check if password is set
+    if not User.has_password_set(current_app.db_session):
+        flash('Application password not set. Please contact administrator.', 'error')
+        logger.warning("Login attempted but no password is set")
+        return render_template('login.html', password_not_set=True)
+
+    if request.method == 'POST':
+        password = request.form.get('password', '')
+
+        # Authenticate user
+        user = User.authenticate(password, current_app.db_session)
+
+        if user:
+            # Login successful
+            login_user(user, remember=request.form.get('remember', False))
+            logger.info(f"User logged in successfully from {request.remote_addr}")
+
+            # Redirect to next page or dashboard
+            next_page = request.args.get('next')
+            if next_page:
+                return redirect(next_page)
+            return redirect(url_for('main.dashboard'))
+        else:
+            # Login failed
+            flash('Invalid password', 'error')
+            logger.warning(f"Failed login attempt from {request.remote_addr}")
+
+    return render_template('login.html')
+
+
+@bp.route('/logout')
+def logout():
+    """
+    Logout endpoint.
+
+    Destroys the user session and redirects to login page.
+
+    Returns:
+        Redirect to login page
+    """
+    if current_user.is_authenticated:
+        logger.info(f"User logged out from {request.remote_addr}")
+        logout_user()
+        flash('You have been logged out successfully', 'info')
+
+    return redirect(url_for('auth.login'))
+
+
+@bp.route('/setup', methods=['GET', 'POST'])
+def setup():
+    """
+    Initial password setup page.
+
+    Only accessible when no password is set. Allows setting the application password.
+
+    Returns:
+        GET: Rendered setup template
+        POST: Redirect to login page on success
+    """
+    # If password already set, redirect to login
+    if User.has_password_set(current_app.db_session):
+        flash('Password already set. Please login.', 'info')
+        return redirect(url_for('auth.login'))
+
+    if request.method == 'POST':
+        password = request.form.get('password', '')
+        confirm_password = request.form.get('confirm_password', '')
+
+        # Validate passwords
+        if not password:
+            flash('Password is required', 'error')
+        elif len(password) < 8:
+            flash('Password must be at least 8 characters', 'error')
+        elif password != confirm_password:
+            flash('Passwords do not match', 'error')
+        else:
+            # Set password
+            from web.utils.settings import PasswordManager, SettingsManager
+            settings_manager = SettingsManager(current_app.db_session)
+            PasswordManager.set_app_password(settings_manager, password)
+
+            logger.info(f"Application password set from {request.remote_addr}")
+            flash('Password set successfully! You can now login.', 'success')
+            return redirect(url_for('auth.login'))
+
+    return render_template('setup.html')