Add user authentication system with API key management (#50)

- Add User, Session, AuthSettings models with bcrypt password hashing - Add auth endpoints: login, logout, change-password, me - Add API key CRUD: create (orch_xxx format), list, revoke - Add admin user management: list, create, update, reset-password - Create default admin user on startup (admin/admin) - Add frontend: Login page, API Keys page, Admin Users page - Add AuthContext for session state management - Add user menu to Layout header with login/logout/settings - Add 15 integration tests for auth system - Add migration 006_auth_tables.sql
2026-01-08 15:01:37 -06:00
parent 1cbd335443
commit 2a68708a79
20 changed files with 4690 additions and 19 deletions
--- a/backend/app/main.py
+++ b/backend/app/main.py
@@ -9,6 +9,7 @@ from .config import get_settings
 from .database import init_db, SessionLocal
 from .routes import router
 from .seed import seed_database
+from .auth import create_default_admin

 settings = get_settings()
 logging.basicConfig(level=logging.INFO)
@@ -20,6 +21,18 @@ async def lifespan(app: FastAPI):
    # Startup: initialize database
    init_db()

+    # Create default admin user if no users exist
+    db = SessionLocal()
+    try:
+        admin = create_default_admin(db)
+        if admin:
+            logger.warning(
+                "Default admin user created with username 'admin' and password 'admin'. "
+                "CHANGE THIS PASSWORD IMMEDIATELY!"
+            )
+    finally:
+        db.close()
+
    # Seed test data in development mode
    if settings.is_development:
        logger.info(f"Running in {settings.env} mode - checking for seed data")
@@ -48,7 +61,11 @@ app.include_router(router)
 # Serve static files (React build) if the directory exists
 static_dir = os.path.join(os.path.dirname(__file__), "..", "..", "frontend", "dist")
 if os.path.exists(static_dir):
-    app.mount("/assets", StaticFiles(directory=os.path.join(static_dir, "assets")), name="assets")
+    app.mount(
+        "/assets",
+        StaticFiles(directory=os.path.join(static_dir, "assets")),
+        name="assets",
+    )

    @app.get("/")
    async def serve_spa():
@@ -60,6 +77,7 @@ if os.path.exists(static_dir):
        # Don't catch API routes or health endpoint
        if full_path.startswith("api/") or full_path.startswith("health"):
            from fastapi import HTTPException
+
            raise HTTPException(status_code=404, detail="Not found")

        # Serve SPA for all other routes (including /project/*)
@@ -68,4 +86,5 @@ if os.path.exists(static_dir):
            return FileResponse(index_path)

        from fastapi import HTTPException
+
        raise HTTPException(status_code=404, detail="Not found")