summaryrefslogtreecommitdiff
path: root/food_project/urls.py
diff options
context:
space:
mode:
authorTom Flux <tom@tomflux.xyz>2026-06-23 20:37:48 +0100
committerTom Flux <tom@tomflux.xyz>2026-06-23 20:37:48 +0100
commitd92deeab514a52e7c3416baef78f8969ade951cc (patch)
treef5c071147ea6f62501dee904a1f381805a1e5941 /food_project/urls.py
parent682c0f76b85950ad0889e11750dc84e0f00d2807 (diff)
Phase 2: session auth for the web UI
Require login for /app/, with a long sliding session so you log in once per device and effectively stay in. - AppLoginRequiredMiddleware gates only /app/; /api/ keeps DRF token auth and /admin/ keeps its own login (a blanket LoginRequired would break token requests, whose user isn't resolved until the view runs). - Login page (styled to the dark palette) via django.contrib.auth.urls; logout control in the nav. - Session: ~1 year cookie, sliding (saved every request), survives browser close. - Dropped every @csrf_exempt now that a real session + CSRF token are in place (HTMX already sends X-CSRFToken). - SECRET_KEY and DEBUG now read from the environment (prod-safe defaults); systemd loads an optional /var/lib/food/.env. - Tests authenticate, plus new coverage: /app/ redirects when logged out, login grants access, /api/ is not caught by the app gate. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Diffstat (limited to 'food_project/urls.py')
-rw-r--r--food_project/urls.py1
1 files changed, 1 insertions, 0 deletions
diff --git a/food_project/urls.py b/food_project/urls.py
index a788823..9884dbf 100644
--- a/food_project/urls.py
+++ b/food_project/urls.py
@@ -19,6 +19,7 @@ from django.urls import path, include
urlpatterns = [
path('admin/', admin.site.urls),
+ path('accounts/', include('django.contrib.auth.urls')), # login/logout for the web UI
path('api/', include('kitchen.urls')),
path('api-auth/', include('rest_framework.urls')), # browsable API login
path('app/', include('kitchen.urls_htmx')), # HTMX frontend