From d92deeab514a52e7c3416baef78f8969ade951cc Mon Sep 17 00:00:00 2001 From: Tom Flux Date: Tue, 23 Jun 2026 20:37:48 +0100 Subject: Phase 2: session auth for the web UI Require login for /app/, with a long sliding session so you log in once per device and effectively stay in. - AppLoginRequiredMiddleware gates only /app/; /api/ keeps DRF token auth and /admin/ keeps its own login (a blanket LoginRequired would break token requests, whose user isn't resolved until the view runs). - Login page (styled to the dark palette) via django.contrib.auth.urls; logout control in the nav. - Session: ~1 year cookie, sliding (saved every request), survives browser close. - Dropped every @csrf_exempt now that a real session + CSRF token are in place (HTMX already sends X-CSRFToken). - SECRET_KEY and DEBUG now read from the environment (prod-safe defaults); systemd loads an optional /var/lib/food/.env. - Tests authenticate, plus new coverage: /app/ redirects when logged out, login grants access, /api/ is not caught by the app gate. Co-Authored-By: Claude Opus 4.8 --- food_project/settings.py | 25 +++++++++++++++++++++++-- food_project/urls.py | 1 + 2 files changed, 24 insertions(+), 2 deletions(-) (limited to 'food_project') diff --git a/food_project/settings.py b/food_project/settings.py index 05035af..96dcfd0 100644 --- a/food_project/settings.py +++ b/food_project/settings.py @@ -10,6 +10,7 @@ For the full list of settings and their values, see https://docs.djangoproject.com/en/5.2/ref/settings/ """ +import os from pathlib import Path # Build paths inside the project like this: BASE_DIR / 'subdir'. @@ -20,10 +21,16 @@ BASE_DIR = Path(__file__).resolve().parent.parent # See https://docs.djangoproject.com/en/5.2/howto/deployment/checklist/ # SECURITY WARNING: keep the secret key used in production secret! -SECRET_KEY = 'django-insecure-4v$$nwxx6)+2yz%$8c@+kocm#op1cjm*688np#)z$b_6crvub*' +# Set DJANGO_SECRET_KEY in the environment for production; the literal below is +# only a development fallback. +SECRET_KEY = os.environ.get( + "DJANGO_SECRET_KEY", + "django-insecure-4v$$nwxx6)+2yz%$8c@+kocm#op1cjm*688np#)z$b_6crvub*", +) # SECURITY WARNING: don't run with debug turned on in production! -DEBUG = True +# Off by default (prod-safe); set DJANGO_DEBUG=1 for local development. +DEBUG = os.environ.get("DJANGO_DEBUG", "0") == "1" ALLOWED_HOSTS = ['localhost', '127.0.0.1', 'food.jihakuz.xyz', 'food.tomflux.xyz'] @@ -60,6 +67,7 @@ MIDDLEWARE = [ 'django.middleware.common.CommonMiddleware', 'django.middleware.csrf.CsrfViewMiddleware', 'django.contrib.auth.middleware.AuthenticationMiddleware', + 'kitchen.middleware.AppLoginRequiredMiddleware', 'django.contrib.messages.middleware.MessageMiddleware', 'django.middleware.clickjacking.XFrameOptionsMiddleware', ] @@ -141,3 +149,16 @@ STORAGES = { # https://docs.djangoproject.com/en/5.2/ref/settings/#default-auto-field DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField' + + +# --- Auth / sessions --- +# Goal: log in once, then effectively never again on that device. +# A long cookie age + sliding expiry (re-saved each request) means an active +# user stays logged in indefinitely. +SESSION_COOKIE_AGE = 60 * 60 * 24 * 365 # ~1 year, in seconds +SESSION_EXPIRE_AT_BROWSER_CLOSE = False +SESSION_SAVE_EVERY_REQUEST = True + +LOGIN_URL = 'login' +LOGIN_REDIRECT_URL = 'app-pantry' +LOGOUT_REDIRECT_URL = 'login' diff --git a/food_project/urls.py b/food_project/urls.py index a788823..9884dbf 100644 --- a/food_project/urls.py +++ b/food_project/urls.py @@ -19,6 +19,7 @@ from django.urls import path, include urlpatterns = [ path('admin/', admin.site.urls), + path('accounts/', include('django.contrib.auth.urls')), # login/logout for the web UI path('api/', include('kitchen.urls')), path('api-auth/', include('rest_framework.urls')), # browsable API login path('app/', include('kitchen.urls_htmx')), # HTMX frontend -- cgit v1.2.3