Add password protection

src/content_engine/api/routes_ui.py

@@ -1,23 +1,172 @@
-"""Web UI route — serves the single-page dashboard."""
+"""Web UI route — serves the single-page dashboard with password protection."""
 
 from __future__ import annotations
 
+import hashlib
+import os
+import secrets
 from pathlib import Path
 
-from fastapi import APIRouter
-from fastapi.responses import HTMLResponse, Response
+from fastapi import APIRouter, Request, Form, HTTPException
+from fastapi.responses import HTMLResponse, Response, RedirectResponse
 
 router = APIRouter(tags=["ui"])
 
 UI_HTML_PATH = Path(__file__).parent / "ui.html"
 
+# Simple session storage (in-memory, resets on restart)
+_valid_sessions: set[str] = set()
+
+# Get password from environment variable
+APP_PASSWORD = os.environ.get("APP_PASSWORD", "")
+
+
+def _check_session(request: Request) -> bool:
+    """Check if request has valid session."""
+    if not APP_PASSWORD:
+        return True  # No password set, allow access
+    session_token = request.cookies.get("session")
+    return session_token in _valid_sessions
+
+
+LOGIN_HTML = """
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Login - Content Engine</title>
+<style>
+*, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }
+body {
+  font-family: 'Segoe UI', -apple-system, system-ui, sans-serif;
+  background: linear-gradient(135deg, #0a0a0f 0%, #1a1a2e 100%);
+  color: #eee;
+  min-height: 100vh;
+  display: flex;
+  align-items: center;
+  justify-content: center;
+}
+.login-box {
+  background: #1a1a28;
+  border: 1px solid #2a2a3a;
+  border-radius: 16px;
+  padding: 40px;
+  width: 100%;
+  max-width: 400px;
+  box-shadow: 0 20px 60px rgba(0,0,0,0.5);
+}
+h1 {
+  font-size: 24px;
+  margin-bottom: 8px;
+  background: linear-gradient(135deg, #7c3aed, #ec4899);
+  -webkit-background-clip: text;
+  -webkit-text-fill-color: transparent;
+}
+.subtitle { color: #888; font-size: 14px; margin-bottom: 30px; }
+label { display: block; font-size: 13px; color: #888; margin-bottom: 6px; }
+input[type="password"] {
+  width: 100%;
+  padding: 12px 16px;
+  border-radius: 8px;
+  border: 1px solid #2a2a3a;
+  background: #0a0a0f;
+  color: #eee;
+  font-size: 16px;
+  margin-bottom: 20px;
+}
+input[type="password"]:focus { outline: none; border-color: #7c3aed; }
+button {
+  width: 100%;
+  padding: 14px;
+  border-radius: 8px;
+  border: none;
+  background: linear-gradient(135deg, #7c3aed, #6d28d9);
+  color: white;
+  font-size: 16px;
+  font-weight: 600;
+  cursor: pointer;
+  transition: transform 0.1s, box-shadow 0.2s;
+}
+button:hover { transform: translateY(-1px); box-shadow: 0 4px 20px rgba(124, 58, 237, 0.4); }
+.error { color: #ef4444; font-size: 13px; margin-bottom: 16px; }
+</style>
+</head>
+<body>
+<div class="login-box">
+  <h1>Content Engine</h1>
+  <p class="subtitle">Enter password to access</p>
+  {{ERROR}}
+  <form method="POST" action="/login">
+    <label>Password</label>
+    <input type="password" name="password" placeholder="Enter password" autofocus required>
+    <button type="submit">Login</button>
+  </form>
+</div>
+</body>
+</html>
+"""
+
 
 @router.get("/", response_class=HTMLResponse)
-async def dashboard():
+async def dashboard(request: Request):
     """Serve the main dashboard UI."""
+    if not _check_session(request):
+        return RedirectResponse(url="/login", status_code=302)
+
     content = UI_HTML_PATH.read_text(encoding="utf-8")
     return Response(
         content=content,
         media_type="text/html",
         headers={"Cache-Control": "no-cache, no-store, must-revalidate"},
     )
+
+
+@router.get("/login", response_class=HTMLResponse)
+async def login_page(request: Request, error: str = ""):
+    """Show login page."""
+    if not APP_PASSWORD:
+        return RedirectResponse(url="/", status_code=302)
+
+    if _check_session(request):
+        return RedirectResponse(url="/", status_code=302)
+
+    error_html = f'<p class="error">{error}</p>' if error else ""
+    html = LOGIN_HTML.replace("{{ERROR}}", error_html)
+    return Response(content=html, media_type="text/html")
+
+
+@router.post("/login")
+async def login_submit(password: str = Form(...)):
+    """Handle login form submission."""
+    if not APP_PASSWORD:
+        return RedirectResponse(url="/", status_code=302)
+
+    if password == APP_PASSWORD:
+        # Create session token
+        session_token = secrets.token_hex(32)
+        _valid_sessions.add(session_token)
+
+        response = RedirectResponse(url="/", status_code=302)
+        response.set_cookie(
+            key="session",
+            value=session_token,
+            httponly=True,
+            max_age=86400 * 7,  # 7 days
+            samesite="lax",
+        )
+        return response
+    else:
+        return RedirectResponse(url="/login?error=Invalid+password", status_code=302)
+
+
+@router.get("/logout")
+async def logout(request: Request):
+    """Log out and clear session."""
+    session_token = request.cookies.get("session")
+    if session_token in _valid_sessions:
+        _valid_sessions.discard(session_token)
+
+    response = RedirectResponse(url="/login", status_code=302)
+    response.delete_cookie("session")
+    return response