lukas.pupkalipinski/BanGUI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Stage 2 — authentication and setup flow

Browse Source 
Backend (tasks 2.1–2.6, 2.10):
- settings_repo: get/set/delete/get_all CRUD for the key-value settings table
- session_repo: create/get/delete/delete_expired for session rows
- setup_service: bcrypt password hashing, one-time-only enforcement,
  run_setup() / is_setup_complete() / get_password_hash()
- auth_service: login() with bcrypt verify + token creation,
  validate_session() with expiry check, logout()
- setup router: GET /api/setup (status), POST /api/setup (201 / 409)
- auth router: POST /api/auth/login (token + HttpOnly cookie),
               POST /api/auth/logout (clears cookie, idempotent)
- SetupRedirectMiddleware: 307 → /api/setup for all API paths until setup done
- require_auth dependency: cookie or Bearer token → Session or 401
- conftest.py: manually bootstraps app.state.db for router tests
  (ASGITransport does not trigger ASGI lifespan)
- 85 tests pass; ruff 0 errors; mypy --strict 0 errors

Frontend (tasks 2.7–2.9):
- types/auth.ts, types/setup.ts, api/auth.ts, api/setup.ts
- AuthProvider: sessionStorage-backed context (isAuthenticated, login, logout)
- RequireAuth: guard component → /login?next=<path> when unauthenticated
- SetupPage: Fluent UI form, client-side validation, inline errors
- LoginPage: single password input, ?next= redirect after success
- DashboardPage: placeholder (full impl Stage 5)
- App.tsx: full route tree (/setup, /login, /, *)
This commit is contained in:
Lukas
2026-02-28 21:33:30 +01:00
parent 7392c930d6
commit 750785680b
26 changed files with 2075 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
Docs/Tasks.md
View File

@@ -42,49 +42,49 @@ Everything in this stage is about creating the project skeleton — folder struc
---
## Stage 2 — Authentication & Setup Flow
## Stage 2 — Authentication & Setup Flow ✅ DONE
This stage implements the very first user experience: the setup wizard that runs on first launch and the login system that protects every subsequent visit. All other features depend on these being complete.
### 2.1 Implement the setup service and repository
### 2.1 Implement the setup service and repository
Build `backend/app/services/setup_service.py` and `backend/app/repositories/settings_repo.py`. The setup service accepts the initial configuration (master password, database path, fail2ban socket path, general preferences), hashes the password with a secure algorithm (e.g. bcrypt or argon2), and persists everything through the settings repository. It must enforce the one-time-only rule: once a configuration is saved, setup cannot run again. Add a method to check whether setup has been completed (i.e. whether any configuration exists in the database). See [Features.md § 1](Features.md).
**Done.** `backend/app/repositories/settings_repo.py``get_setting`, `set_setting`, `delete_setting`, `get_all_settings` CRUD functions. `backend/app/repositories/session_repo.py``create_session`, `get_session`, `delete_session`, `delete_expired_sessions`. `backend/app/services/setup_service.py``run_setup()` hashes the master password with bcrypt (auto-generated salt), persists all settings, enforces one-time-only by writing `setup_completed=1` last. `is_setup_complete()` and `get_password_hash()` helpers.
### 2.2 Implement the setup router
### 2.2 Implement the setup router
Create `backend/app/routers/setup.py` with a `POST /api/setup` endpoint that accepts a Pydantic request model containing all setup fields and delegates to the setup service. If setup has already been completed, return a `409 Conflict`. Define request and response models in `backend/app/models/setup.py`.
**Done.** `backend/app/routers/setup.py` `GET /api/setup` returns `SetupStatusResponse`. `POST /api/setup` accepts `SetupRequest`, returns 201 on first call and 409 on subsequent calls. Registered in `create_app()`.
### 2.3 Implement the setup-redirect middleware
### 2.3 Implement the setup-redirect middleware
Add middleware to the FastAPI app that checks on every incoming request whether setup has been completed. If not, redirect all requests (except those to `/api/setup` itself) to `/api/setup` with a `307 Temporary Redirect` or return a `403` with a clear message. Once setup is done, the middleware becomes a no-op. See [Features.md § 1](Features.md).
**Done.** `SetupRedirectMiddleware` in `backend/app/main.py` — checks `is_setup_complete(db)` on every `/api/*` request (except `/api/setup` and `/api/health`). Returns `307 → /api/setup` when setup has not been completed. No-op after first run.
### 2.4 Implement the authentication service
### 2.4 Implement the authentication service
Build `backend/app/services/auth_service.py`. It must verify the master password against the stored hash, create session tokens on successful login, store sessions through `backend/app/repositories/session_repo.py`, validate tokens on every subsequent request, and enforce session expiry. Sessions should be stored in the SQLite database so they survive server restarts. See [Features.md § 2](Features.md) and [Architekture.md § 2.2](Architekture.md).
**Done.** `backend/app/services/auth_service.py``login()` verifies password with `bcrypt.checkpw`, generates a 64-char hex session token with `secrets.token_hex(32)`, stores the session via `session_repo`. `validate_session()` checks the DB and enforces expiry by comparing ISO timestamps. `logout()` deletes the session row.
### 2.5 Implement the auth router
### 2.5 Implement the auth router
Create `backend/app/routers/auth.py` with two endpoints: `POST /api/auth/login` (accepts a password, returns a session token or sets a cookie) and `POST /api/auth/logout` (invalidates the session). Define request and response models in `backend/app/models/auth.py`.
**Done.** `backend/app/routers/auth.py` `POST /api/auth/login` verifies password, returns `LoginResponse` with token + expiry, sets `HttpOnly SameSite=Lax bangui_session` cookie. `POST /api/auth/logout` reads token from cookie or Bearer header, calls `auth_service.logout()`, clears the cookie. Both endpoints registered in `create_app()`.
### 2.6 Implement the auth dependency
### 2.6 Implement the auth dependency
Create a FastAPI dependency in `backend/app/dependencies.py` that extracts the session token from the request (cookie or header), validates it through the auth service, and either returns the authenticated session or raises a `401 Unauthorized`. Every protected router must declare this dependency. See [Backend-Development.md § 4](Backend-Development.md) for the Depends pattern.
**Done.** `require_auth` dependency added to `backend/app/dependencies.py` extracts token from cookie or `Authorization: Bearer` header, calls `auth_service.validate_session()`, raises 401 on missing/invalid/expired token. `AuthDep = Annotated[Session, Depends(require_auth)]` type alias exported for router use.
### 2.7 Build the setup page (frontend)
### 2.7 Build the setup page (frontend)
Create `frontend/src/pages/SetupPage.tsx`. The page should present a form with fields for the master password (with confirmation), database path, fail2ban socket path, and general preferences (timezone, date format, session duration). Use Fluent UI form components (`Input`, `Button`, `Field`, `Dropdown` for timezone). On submission, call `POST /api/setup` through the API client. Show validation errors inline. After successful setup, redirect to the login page. Create the corresponding API function in `frontend/src/api/setup.ts` and types in `frontend/src/types/setup.ts`. See [Features.md § 1](Features.md) and [Web-Design.md § 8](Web-Design.md) for component choices.
**Done.** `frontend/src/pages/SetupPage.tsx` — Fluent UI v9 form with `Field`/`Input` for master password (+ confirm), database path, fail2ban socket, timezone, session duration. Client-side validation before submit. Calls `POST /api/setup` via `frontend/src/api/setup.ts`. Redirects to `/login` on success. `frontend/src/types/setup.ts` typed interfaces.
### 2.8 Build the login page (frontend)
### 2.8 Build the login page (frontend)
Create `frontend/src/pages/LoginPage.tsx`. A single password input and a submit button — no username field. On submission, call `POST /api/auth/login`. On success, store the session (cookie or context) and redirect to the originally requested page or the dashboard. Show an error message on wrong password. Create `frontend/src/api/auth.ts` and `frontend/src/types/auth.ts`. See [Features.md § 2](Features.md).
**Done.** `frontend/src/pages/LoginPage.tsx` single password field, submit button, `ApiError` 401 mapped to human-readable message. After login calls `useAuth().login()` and navigates to `?next=` or `/`. `frontend/src/api/auth.ts` and `frontend/src/types/auth.ts` created.
### 2.9 Implement the auth context and route guard
### 2.9 Implement the auth context and route guard
Create `frontend/src/providers/AuthProvider.tsx` that manages authentication state (logged in / not logged in) and exposes login, logout, and session-check methods via React context. Create a route guard component that wraps all protected routes: if the user is not authenticated, redirect to the login page and remember the intended destination. After login, redirect back. See [Features.md § 2](Features.md) and [Web-Development.md § 7](Web-Development.md).
**Done.** `frontend/src/providers/AuthProvider.tsx` — React context with `isAuthenticated`, `login()`, `logout()`. Session token and expiry stored in `sessionStorage`. `useAuth()` hook exported. `frontend/src/components/RequireAuth.tsx` wraps protected routes; redirects to `/login?next=<path>` when unauthenticated. `App.tsx` updated with full route tree: `/setup`, `/login`, `/` (guarded), `*` → redirect.
### 2.10 Write tests for setup and auth
### 2.10 Write tests for setup and auth
Write backend tests covering: setup endpoint accepts valid data, setup endpoint rejects a second call, login succeeds with correct password, login fails with wrong password, protected endpoints reject unauthenticated requests, logout invalidates the session for both router and service. Use pytest-asyncio and httpx `AsyncClient` as described in [Backend-Development.md § 9](Backend-Development.md).
**Done.** 85 total tests pass. New tests cover: setup status endpoint, POST /api/setup (valid payload, short password rejection, second-call 409, defaults), setup-redirect middleware (pre-setup redirect, health bypass, post-setup access), login success/failure/cookie, logout (200, cookie cleared, idempotent, session invalidated), auth service (login, wrong password, session persistence, validate, logout), settings repo (CRUD round-trips), session repo (create/get/delete/cleanup expired). ruff 0 errors, mypy --strict 0 errors.
---

48
backend/app/dependencies.py
View File

@@ -13,9 +13,12 @@ import structlog
from fastapi import Depends, HTTPException, Request, status
from app.config import Settings
from app.models.auth import Session
log: structlog.stdlib.BoundLogger = structlog.get_logger()
_COOKIE_NAME = "bangui_session"
async def get_db(request: Request) -> aiosqlite.Connection:
"""Provide the shared :class:`aiosqlite.Connection` from ``app.state``.
@@ -51,6 +54,51 @@ async def get_settings(request: Request) -> Settings:
return request.app.state.settings # type: ignore[no-any-return]
async def require_auth(
request: Request,
db: Annotated[aiosqlite.Connection, Depends(get_db)],
) -> Session:
"""Validate the session token and return the active session.
The token is read from the ``bangui_session`` cookie or the
``Authorization: Bearer`` header.
Args:
request: The incoming FastAPI request.
db: Injected aiosqlite connection.
Returns:
The active :class:`~app.models.auth.Session`.
Raises:
HTTPException: 401 if no valid session token is found.
"""
from app.services import auth_service # noqa: PLC0415
token: str | None = request.cookies.get(_COOKIE_NAME)
if not token:
auth_header: str = request.headers.get("Authorization", "")
if auth_header.startswith("Bearer "):
token = auth_header[len("Bearer "):]
if not token:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="Authentication required.",
headers={"WWW-Authenticate": "Bearer"},
)
try:
return await auth_service.validate_session(db, token)
except ValueError as exc:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail=str(exc),
headers={"WWW-Authenticate": "Bearer"},
) from exc
# Convenience type aliases for route signatures.
DbDep = Annotated[aiosqlite.Connection, Depends(get_db)]
SettingsDep = Annotated[Settings, Depends(get_settings)]
AuthDep = Annotated[Session, Depends(require_auth)]

72
backend/app/main.py
View File

@@ -18,19 +18,22 @@ from pathlib import Path
from typing import TYPE_CHECKING
if TYPE_CHECKING:
from collections.abc import AsyncGenerator
from collections.abc import AsyncGenerator, Awaitable, Callable
from starlette.responses import Response as StarletteResponse
import aiohttp
import aiosqlite
import structlog
from apscheduler.schedulers.asyncio import AsyncIOScheduler # type: ignore[import-untyped]
from fastapi import FastAPI, Request
from fastapi import FastAPI, Request, status
from fastapi.middleware.cors import CORSMiddleware
from fastapi.responses import JSONResponse
from fastapi.responses import JSONResponse, RedirectResponse
from starlette.middleware.base import BaseHTTPMiddleware
from app.config import Settings, get_settings
from app.db import init_db
from app.routers import health
from app.routers import auth, health, setup
# ---------------------------------------------------------------------------
# Ensure the bundled fail2ban package is importable from fail2ban-master/
@@ -156,6 +159,60 @@ async def _unhandled_exception_handler(
)
# ---------------------------------------------------------------------------
# Setup-redirect middleware
# ---------------------------------------------------------------------------
# Paths that are always reachable, even before setup is complete.
_ALWAYS_ALLOWED: frozenset[str] = frozenset(
{"/api/setup", "/api/health"},
)
class SetupRedirectMiddleware(BaseHTTPMiddleware):
"""Redirect all API requests to ``/api/setup`` until setup is done.
Once setup is complete this middleware is a no-op. Paths listed in
:data:`_ALWAYS_ALLOWED` are exempt so the setup endpoint itself is
always reachable.
"""
async def dispatch(
self,
request: Request,
call_next: Callable[[Request], Awaitable[StarletteResponse]],
) -> StarletteResponse:
"""Intercept requests before they reach the router.
Args:
request: The incoming HTTP request.
call_next: The next middleware / router handler.
Returns:
Either a ``307 Temporary Redirect`` to ``/api/setup`` or the
normal router response.
"""
path: str = request.url.path.rstrip("/") or "/"
# Allow requests that don't need setup guard.
if any(path.startswith(allowed) for allowed in _ALWAYS_ALLOWED):
return await call_next(request)
# If setup is not complete, block all other API requests.
if path.startswith("/api"):
db: aiosqlite.Connection | None = getattr(request.app.state, "db", None)
if db is not None:
from app.services import setup_service # noqa: PLC0415
if not await setup_service.is_setup_complete(db):
return RedirectResponse(
url="/api/setup",
status_code=status.HTTP_307_TEMPORARY_REDIRECT,
)
return await call_next(request)
# ---------------------------------------------------------------------------
# Application factory
# ---------------------------------------------------------------------------
@@ -199,10 +256,17 @@ def create_app(settings: Settings | None = None) -> FastAPI:
allow_headers=["*"],
)
# --- Middleware ---
# Note: middleware is applied in reverse order of registration.
# The setup-redirect must run *after* CORS, so it is added last.
app.add_middleware(SetupRedirectMiddleware)
# --- Exception handlers ---
app.add_exception_handler(Exception, _unhandled_exception_handler)
# --- Routers ---
app.include_router(health.router)
app.include_router(setup.router)
app.include_router(auth.router)
return app

100
backend/app/repositories/session_repo.py Normal file
View File

@@ -0,0 +1,100 @@
"""Session repository.
Provides storage, retrieval, and deletion of session records in the
``sessions`` table of the application SQLite database.
"""
from __future__ import annotations
from typing import TYPE_CHECKING
if TYPE_CHECKING:
import aiosqlite
from app.models.auth import Session
async def create_session(
db: aiosqlite.Connection,
token: str,
created_at: str,
expires_at: str,
) -> Session:
"""Insert a new session row and return the domain model.
Args:
db: Active aiosqlite connection.
token: Opaque random session token (hex string).
created_at: ISO 8601 UTC creation timestamp.
expires_at: ISO 8601 UTC expiry timestamp.
Returns:
The newly created :class:`~app.models.auth.Session`.
"""
cursor = await db.execute(
"INSERT INTO sessions (token, created_at, expires_at) VALUES (?, ?, ?)",
(token, created_at, expires_at),
)
await db.commit()
return Session(
id=int(cursor.lastrowid) if cursor.lastrowid else 0,
token=token,
created_at=created_at,
expires_at=expires_at,
)
async def get_session(db: aiosqlite.Connection, token: str) -> Session | None:
"""Look up a session by its token.
Args:
db: Active aiosqlite connection.
token: The session token to retrieve.
Returns:
The :class:`~app.models.auth.Session` if found, else ``None``.
"""
async with db.execute(
"SELECT id, token, created_at, expires_at FROM sessions WHERE token = ?",
(token,),
) as cursor:
row = await cursor.fetchone()
if row is None:
return None
return Session(
id=int(row[0]),
token=str(row[1]),
created_at=str(row[2]),
expires_at=str(row[3]),
)
async def delete_session(db: aiosqlite.Connection, token: str) -> None:
"""Delete a session by token (logout / expiry clean-up).
Args:
db: Active aiosqlite connection.
token: The session token to remove.
"""
await db.execute("DELETE FROM sessions WHERE token = ?", (token,))
await db.commit()
async def delete_expired_sessions(db: aiosqlite.Connection, now_iso: str) -> int:
"""Remove all sessions whose ``expires_at`` timestamp is in the past.
Args:
db: Active aiosqlite connection.
now_iso: Current UTC time as ISO 8601 string used as the cutoff.
Returns:
Number of rows deleted.
"""
cursor = await db.execute(
"DELETE FROM sessions WHERE expires_at <= ?",
(now_iso,),
)
await db.commit()
return int(cursor.rowcount)

71
backend/app/repositories/settings_repo.py Normal file
View File

@@ -0,0 +1,71 @@
"""Settings repository.
Provides CRUD operations for the ``settings`` key-value table in the
application SQLite database. All methods are plain async functions that
accept a :class:`aiosqlite.Connection` — no ORM, no HTTP exceptions.
"""
from __future__ import annotations
from typing import TYPE_CHECKING
if TYPE_CHECKING:
import aiosqlite
async def get_setting(db: aiosqlite.Connection, key: str) -> str | None:
"""Return the value for *key*, or ``None`` if it does not exist.
Args:
db: Active aiosqlite connection.
key: The setting key to look up.
Returns:
The stored value string, or ``None`` if the key is absent.
"""
async with db.execute(
"SELECT value FROM settings WHERE key = ?",
(key,),
) as cursor:
row = await cursor.fetchone()
return str(row[0]) if row is not None else None
async def set_setting(db: aiosqlite.Connection, key: str, value: str) -> None:
"""Insert or replace the setting identified by *key*.
Args:
db: Active aiosqlite connection.
key: The setting key.
value: The value to store.
"""
await db.execute(
"INSERT OR REPLACE INTO settings (key, value) VALUES (?, ?)",
(key, value),
)
await db.commit()
async def delete_setting(db: aiosqlite.Connection, key: str) -> None:
"""Delete the setting identified by *key* if it exists.
Args:
db: Active aiosqlite connection.
key: The setting key to remove.
"""
await db.execute("DELETE FROM settings WHERE key = ?", (key,))
await db.commit()
async def get_all_settings(db: aiosqlite.Connection) -> dict[str, str]:
"""Return all settings as a plain ``dict``.
Args:
db: Active aiosqlite connection.
Returns:
A dictionary mapping every stored key to its value.
"""
async with db.execute("SELECT key, value FROM settings") as cursor:
rows = await cursor.fetchall()
return {str(row[0]): str(row[1]) for row in rows}

128
backend/app/routers/auth.py Normal file
View File

@@ -0,0 +1,128 @@
"""Authentication router.
``POST /api/auth/login`` — verify master password and issue a session.
``POST /api/auth/logout`` — revoke the current session.
The session token is returned both in the JSON body (for API-first
consumers) and as an ``HttpOnly`` cookie (for the browser SPA).
"""
from __future__ import annotations
import structlog
from fastapi import APIRouter, HTTPException, Request, Response, status
from app.dependencies import DbDep, SettingsDep
from app.models.auth import LoginRequest, LoginResponse, LogoutResponse
from app.services import auth_service
log: structlog.stdlib.BoundLogger = structlog.get_logger()
router = APIRouter(prefix="/api/auth", tags=["auth"])
_COOKIE_NAME = "bangui_session"
@router.post(
"/login",
response_model=LoginResponse,
summary="Authenticate with the master password",
)
async def login(
body: LoginRequest,
response: Response,
db: DbDep,
settings: SettingsDep,
) -> LoginResponse:
"""Verify the master password and return a session token.
On success the token is also set as an ``HttpOnly`` ``SameSite=Lax``
cookie so the browser SPA benefits from automatic credential handling.
Args:
body: Login request validated by Pydantic.
response: FastAPI response object used to set the cookie.
db: Injected aiosqlite connection.
settings: Application settings (used for session duration).
Returns:
:class:`~app.models.auth.LoginResponse` containing the token.
Raises:
HTTPException: 401 if the password is incorrect.
"""
try:
session = await auth_service.login(
db,
password=body.password,
session_duration_minutes=settings.session_duration_minutes,
)
except ValueError as exc:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail=str(exc),
) from exc
response.set_cookie(
key=_COOKIE_NAME,
value=session.token,
httponly=True,
samesite="lax",
secure=False, # Set to True in production behind HTTPS
max_age=settings.session_duration_minutes * 60,
)
return LoginResponse(token=session.token, expires_at=session.expires_at)
@router.post(
"/logout",
response_model=LogoutResponse,
summary="Revoke the current session",
)
async def logout(
request: Request,
response: Response,
db: DbDep,
) -> LogoutResponse:
"""Invalidate the active session.
The session token is read from the ``bangui_session`` cookie or the
``Authorization: Bearer`` header. If no token is present the request
is silently treated as a successful logout (idempotent).
Args:
request: FastAPI request (used to extract the token).
response: FastAPI response (used to clear the cookie).
db: Injected aiosqlite connection.
Returns:
:class:`~app.models.auth.LogoutResponse`.
"""
token = _extract_token(request)
if token:
await auth_service.logout(db, token)
response.delete_cookie(key=_COOKIE_NAME)
return LogoutResponse()
# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------
def _extract_token(request: Request) -> str | None:
"""Extract the session token from cookie or Authorization header.
Args:
request: The incoming FastAPI request.
Returns:
The token string, or ``None`` if absent.
"""
token: str | None = request.cookies.get(_COOKIE_NAME)
if token:
return token
auth_header: str = request.headers.get("Authorization", "")
if auth_header.startswith("Bearer "):
return auth_header[len("Bearer "):]
return None

71
backend/app/routers/setup.py Normal file
View File

@@ -0,0 +1,71 @@
"""Setup router.
Exposes the ``POST /api/setup`` endpoint for the one-time first-run
configuration wizard. Once setup has been completed, subsequent calls
return ``409 Conflict``.
"""
from __future__ import annotations
import structlog
from fastapi import APIRouter, HTTPException, status
from app.dependencies import DbDep
from app.models.setup import SetupRequest, SetupResponse, SetupStatusResponse
from app.services import setup_service
log: structlog.stdlib.BoundLogger = structlog.get_logger()
router = APIRouter(prefix="/api/setup", tags=["setup"])
@router.get(
"",
response_model=SetupStatusResponse,
summary="Check whether setup has been completed",
)
async def get_setup_status(db: DbDep) -> SetupStatusResponse:
"""Return whether the initial setup wizard has been completed.
Returns:
:class:`~app.models.setup.SetupStatusResponse` with ``completed``
set to ``True`` if setup is done, ``False`` otherwise.
"""
done = await setup_service.is_setup_complete(db)
return SetupStatusResponse(completed=done)
@router.post(
"",
response_model=SetupResponse,
status_code=status.HTTP_201_CREATED,
summary="Run the initial setup wizard",
)
async def post_setup(body: SetupRequest, db: DbDep) -> SetupResponse:
"""Persist the initial BanGUI configuration.
Args:
body: Setup request payload validated by Pydantic.
db: Injected aiosqlite connection.
Returns:
:class:`~app.models.setup.SetupResponse` on success.
Raises:
HTTPException: 409 if setup has already been completed.
"""
if await setup_service.is_setup_complete(db):
raise HTTPException(
status_code=status.HTTP_409_CONFLICT,
detail="Setup has already been completed.",
)
await setup_service.run_setup(
db,
master_password=body.master_password,
database_path=body.database_path,
fail2ban_socket=body.fail2ban_socket,
timezone=body.timezone,
session_duration_minutes=body.session_duration_minutes,
)
return SetupResponse()

113
backend/app/services/auth_service.py Normal file
View File

@@ -0,0 +1,113 @@
"""Authentication service.
Handles password verification, session creation, session validation, and
session expiry. Sessions are stored in the SQLite database so they
survive server restarts.
"""
from __future__ import annotations
import secrets
from typing import TYPE_CHECKING
import bcrypt
import structlog
if TYPE_CHECKING:
import aiosqlite
from app.models.auth import Session
from app.repositories import session_repo
from app.services import setup_service
from app.utils.time_utils import add_minutes, utc_now
log: structlog.stdlib.BoundLogger = structlog.get_logger()
def _check_password(plain: str, hashed: str) -> bool:
"""Return ``True`` if *plain* matches the bcrypt *hashed* password.
Args:
plain: The plain-text password to verify.
hashed: The stored bcrypt hash string.
Returns:
``True`` on a successful match, ``False`` otherwise.
"""
return bool(bcrypt.checkpw(plain.encode(), hashed.encode()))
async def login(
db: aiosqlite.Connection,
password: str,
session_duration_minutes: int,
) -> Session:
"""Verify *password* and create a new session on success.
Args:
db: Active aiosqlite connection.
password: Plain-text password supplied by the user.
session_duration_minutes: How long the new session is valid for.
Returns:
A :class:`~app.models.auth.Session` domain model for the new session.
Raises:
ValueError: If the password is incorrect or no password hash is stored.
"""
stored_hash = await setup_service.get_password_hash(db)
if stored_hash is None:
log.warning("bangui_login_no_hash")
raise ValueError("No password is configured — run setup first.")
if not _check_password(password, stored_hash):
log.warning("bangui_login_wrong_password")
raise ValueError("Incorrect password.")
token = secrets.token_hex(32)
now = utc_now()
created_iso = now.isoformat()
expires_iso = add_minutes(now, session_duration_minutes).isoformat()
session = await session_repo.create_session(
db, token=token, created_at=created_iso, expires_at=expires_iso
)
log.info("bangui_login_success", token_prefix=token[:8])
return session
async def validate_session(db: aiosqlite.Connection, token: str) -> Session:
"""Return the session for *token* if it is valid and not expired.
Args:
db: Active aiosqlite connection.
token: The opaque session token from the client.
Returns:
The :class:`~app.models.auth.Session` if it is valid.
Raises:
ValueError: If the token is not found or has expired.
"""
session = await session_repo.get_session(db, token)
if session is None:
raise ValueError("Session not found.")
now_iso = utc_now().isoformat()
if session.expires_at <= now_iso:
await session_repo.delete_session(db, token)
raise ValueError("Session has expired.")
return session
async def logout(db: aiosqlite.Connection, token: str) -> None:
"""Invalidate the session identified by *token*.
Args:
db: Active aiosqlite connection.
token: The session token to revoke.
"""
await session_repo.delete_session(db, token)
log.info("bangui_logout", token_prefix=token[:8])

101
backend/app/services/setup_service.py Normal file
View File

@@ -0,0 +1,101 @@
"""Setup service.
Implements the one-time first-run configuration wizard. Responsible for
hashing the master password, persisting all initial settings, and
enforcing the rule that setup can only run once.
"""
from __future__ import annotations
from typing import TYPE_CHECKING
import bcrypt
import structlog
if TYPE_CHECKING:
import aiosqlite
from app.repositories import settings_repo
log: structlog.stdlib.BoundLogger = structlog.get_logger()
# Keys used in the settings table.
_KEY_PASSWORD_HASH = "master_password_hash"
_KEY_SETUP_DONE = "setup_completed"
_KEY_DATABASE_PATH = "database_path"
_KEY_FAIL2BAN_SOCKET = "fail2ban_socket"
_KEY_TIMEZONE = "timezone"
_KEY_SESSION_DURATION = "session_duration_minutes"
async def is_setup_complete(db: aiosqlite.Connection) -> bool:
"""Return ``True`` if initial setup has already been performed.
Args:
db: Active aiosqlite connection.
Returns:
``True`` when the ``setup_completed`` key exists in settings.
"""
value = await settings_repo.get_setting(db, _KEY_SETUP_DONE)
return value == "1"
async def run_setup(
db: aiosqlite.Connection,
*,
master_password: str,
database_path: str,
fail2ban_socket: str,
timezone: str,
session_duration_minutes: int,
) -> None:
"""Persist the initial configuration and mark setup as complete.
Hashes *master_password* with bcrypt before storing. Raises
:class:`RuntimeError` if setup has already been completed.
Args:
db: Active aiosqlite connection.
master_password: Plain-text master password chosen by the user.
database_path: Filesystem path to the BanGUI SQLite database.
fail2ban_socket: Unix socket path for the fail2ban daemon.
timezone: IANA timezone identifier (e.g. ``"UTC"``).
session_duration_minutes: Session validity period in minutes.
Raises:
RuntimeError: If setup has already been completed.
"""
if await is_setup_complete(db):
raise RuntimeError("Setup has already been completed.")
log.info("bangui_setup_started")
# Hash the master password — bcrypt automatically generates a salt.
password_bytes = master_password.encode()
hashed = bcrypt.hashpw(password_bytes, bcrypt.gensalt()).decode()
await settings_repo.set_setting(db, _KEY_PASSWORD_HASH, hashed)
await settings_repo.set_setting(db, _KEY_DATABASE_PATH, database_path)
await settings_repo.set_setting(db, _KEY_FAIL2BAN_SOCKET, fail2ban_socket)
await settings_repo.set_setting(db, _KEY_TIMEZONE, timezone)
await settings_repo.set_setting(
db, _KEY_SESSION_DURATION, str(session_duration_minutes)
)
# Mark setup as complete — must be last so a partial failure leaves
# setup_completed unset and does not lock out the user.
await settings_repo.set_setting(db, _KEY_SETUP_DONE, "1")
log.info("bangui_setup_completed")
async def get_password_hash(db: aiosqlite.Connection) -> str | None:
"""Return the stored bcrypt password hash, or ``None`` if not set.
Args:
db: Active aiosqlite connection.
Returns:
The bcrypt hash string, or ``None``.
"""
return await settings_repo.get_setting(db, _KEY_PASSWORD_HASH)

5
backend/pyproject.toml
View File

@@ -42,7 +42,10 @@ select = ["E", "F", "W", "I", "N", "UP", "B", "C4", "SIM", "TCH"]
ignore = ["B008"] # FastAPI uses function calls in default arguments (Depends)
[tool.ruff.lint.per-file-ignores]
"tests/**" = ["E402"] # sys.path manipulation before imports is intentional in test helpers
# sys.path manipulation before stdlib imports is intentional in test helpers
# pytest evaluates fixture type annotations at runtime, so TC002/TC003 are false-positives
"tests/**" = ["E402", "TC002", "TC003"]
"app/routers/**" = ["TC001"] # FastAPI evaluates Depends() type aliases at runtime via get_type_hints()
[tool.ruff.format]
quote-style = "double"

17
backend/tests/conftest.py
View File

@@ -15,10 +15,12 @@ _FAIL2BAN_MASTER: Path = Path(__file__).resolve().parents[2] / "fail2ban-master"
if str(_FAIL2BAN_MASTER) not in sys.path:
sys.path.insert(0, str(_FAIL2BAN_MASTER))
import aiosqlite
import pytest
from httpx import ASGITransport, AsyncClient
from app.config import Settings
from app.db import init_db
from app.main import create_app
@@ -46,11 +48,12 @@ def test_settings(tmp_path: Path) -> Settings:
@pytest.fixture
async def client(test_settings: Settings) -> AsyncClient:
async def client(test_settings: Settings) -> AsyncClient: # type: ignore[misc]
"""Provide an ``AsyncClient`` wired to a test instance of the BanGUI app.
The client sends requests directly to the ASGI application (no network).
A fresh database is created for each test.
``app.state.db`` is initialised manually so router tests can use the
database without triggering the full ASGI lifespan.
Args:
test_settings: Injected test settings fixture.
@@ -59,6 +62,16 @@ async def client(test_settings: Settings) -> AsyncClient:
An :class:`httpx.AsyncClient` with ``base_url="http://test"``.
"""
app = create_app(settings=test_settings)
# Bootstrap the database on app.state so Depends(get_db) works in tests.
# The ASGI lifespan is not triggered by ASGITransport, so we do this here.
db: aiosqlite.Connection = await aiosqlite.connect(test_settings.database_path)
db.row_factory = aiosqlite.Row
await init_db(db)
app.state.db = db
transport: ASGITransport = ASGITransport(app=app)
async with AsyncClient(transport=transport, base_url="http://test") as ac:
yield ac
await db.close()

118
backend/tests/test_repositories/test_settings_and_session.py Normal file
View File

@@ -0,0 +1,118 @@
"""Tests for settings_repo and session_repo."""
from __future__ import annotations
from pathlib import Path
import aiosqlite
import pytest
from app.db import init_db
from app.repositories import session_repo, settings_repo
@pytest.fixture
async def db(tmp_path: Path) -> aiosqlite.Connection: # type: ignore[misc]
"""Provide an initialised aiosqlite connection."""
conn: aiosqlite.Connection = await aiosqlite.connect(str(tmp_path / "repo_test.db"))
conn.row_factory = aiosqlite.Row
await init_db(conn)
yield conn
await conn.close()
class TestSettingsRepo:
async def test_get_missing_key_returns_none(
self, db: aiosqlite.Connection
) -> None:
"""get_setting returns None for a key that does not exist."""
result = await settings_repo.get_setting(db, "nonexistent")
assert result is None
async def test_set_and_get_round_trip(self, db: aiosqlite.Connection) -> None:
"""set_setting persists a value retrievable by get_setting."""
await settings_repo.set_setting(db, "my_key", "my_value")
result = await settings_repo.get_setting(db, "my_key")
assert result == "my_value"
async def test_set_overwrites_existing_value(
self, db: aiosqlite.Connection
) -> None:
"""set_setting overwrites an existing key with the new value."""
await settings_repo.set_setting(db, "key", "first")
await settings_repo.set_setting(db, "key", "second")
result = await settings_repo.get_setting(db, "key")
assert result == "second"
async def test_delete_removes_key(self, db: aiosqlite.Connection) -> None:
"""delete_setting removes an existing key."""
await settings_repo.set_setting(db, "to_delete", "value")
await settings_repo.delete_setting(db, "to_delete")
result = await settings_repo.get_setting(db, "to_delete")
assert result is None
async def test_get_all_settings_returns_dict(
self, db: aiosqlite.Connection
) -> None:
"""get_all_settings returns a dict of all stored key-value pairs."""
await settings_repo.set_setting(db, "k1", "v1")
await settings_repo.set_setting(db, "k2", "v2")
all_s = await settings_repo.get_all_settings(db)
assert all_s["k1"] == "v1"
assert all_s["k2"] == "v2"
class TestSessionRepo:
async def test_create_and_get_session(self, db: aiosqlite.Connection) -> None:
"""create_session stores a session retrievable by get_session."""
session = await session_repo.create_session(
db,
token="abc123",
created_at="2025-01-01T00:00:00+00:00",
expires_at="2025-01-01T01:00:00+00:00",
)
assert session.token == "abc123"
stored = await session_repo.get_session(db, "abc123")
assert stored is not None
assert stored.token == "abc123"
async def test_get_missing_session_returns_none(
self, db: aiosqlite.Connection
) -> None:
"""get_session returns None for a token that does not exist."""
result = await session_repo.get_session(db, "no_such_token")
assert result is None
async def test_delete_session_removes_it(self, db: aiosqlite.Connection) -> None:
"""delete_session removes the session from the database."""
await session_repo.create_session(
db,
token="xyz",
created_at="2025-01-01T00:00:00+00:00",
expires_at="2025-01-01T01:00:00+00:00",
)
await session_repo.delete_session(db, "xyz")
result = await session_repo.get_session(db, "xyz")
assert result is None
async def test_delete_expired_sessions(self, db: aiosqlite.Connection) -> None:
"""delete_expired_sessions removes sessions past their expiry time."""
await session_repo.create_session(
db,
token="expired",
created_at="2020-01-01T00:00:00+00:00",
expires_at="2020-01-01T01:00:00+00:00",
)
await session_repo.create_session(
db,
token="valid",
created_at="2099-01-01T00:00:00+00:00",
expires_at="2099-01-01T01:00:00+00:00",
)
deleted = await session_repo.delete_expired_sessions(
db, "2025-01-01T00:00:00+00:00"
)
assert deleted == 1
assert await session_repo.get_session(db, "expired") is None
assert await session_repo.get_session(db, "valid") is not None

147
backend/tests/test_routers/test_auth.py Normal file
View File

@@ -0,0 +1,147 @@
"""Tests for the auth router (POST /api/auth/login, POST /api/auth/logout)."""
from __future__ import annotations
from httpx import AsyncClient
# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------
_SETUP_PAYLOAD = {
"master_password": "mysecretpass1",
"database_path": "bangui.db",
"fail2ban_socket": "/var/run/fail2ban/fail2ban.sock",
"timezone": "UTC",
"session_duration_minutes": 60,
}
async def _do_setup(client: AsyncClient) -> None:
"""Run the setup wizard so auth endpoints are reachable."""
resp = await client.post("/api/setup", json=_SETUP_PAYLOAD)
assert resp.status_code == 201
async def _login(client: AsyncClient, password: str = "mysecretpass1") -> str:
"""Helper: perform login and return the session token."""
resp = await client.post("/api/auth/login", json={"password": password})
assert resp.status_code == 200
return str(resp.json()["token"])
# ---------------------------------------------------------------------------
# Login
# ---------------------------------------------------------------------------
class TestLogin:
"""POST /api/auth/login."""
async def test_login_succeeds_with_correct_password(
self, client: AsyncClient
) -> None:
"""Login returns 200 and a session token for the correct password."""
await _do_setup(client)
response = await client.post(
"/api/auth/login", json={"password": "mysecretpass1"}
)
assert response.status_code == 200
body = response.json()
assert "token" in body
assert len(body["token"]) > 0
assert "expires_at" in body
async def test_login_sets_cookie(self, client: AsyncClient) -> None:
"""Login sets the bangui_session HttpOnly cookie."""
await _do_setup(client)
response = await client.post(
"/api/auth/login", json={"password": "mysecretpass1"}
)
assert response.status_code == 200
assert "bangui_session" in response.cookies
async def test_login_fails_with_wrong_password(
self, client: AsyncClient
) -> None:
"""Login returns 401 for an incorrect password."""
await _do_setup(client)
response = await client.post(
"/api/auth/login", json={"password": "wrongpassword"}
)
assert response.status_code == 401
async def test_login_rejects_empty_password(self, client: AsyncClient) -> None:
"""Login returns 422 when password field is missing."""
await _do_setup(client)
response = await client.post("/api/auth/login", json={})
assert response.status_code == 422
# ---------------------------------------------------------------------------
# Logout
# ---------------------------------------------------------------------------
class TestLogout:
"""POST /api/auth/logout."""
async def test_logout_returns_200(self, client: AsyncClient) -> None:
"""Logout returns 200 with a confirmation message."""
await _do_setup(client)
await _login(client)
response = await client.post("/api/auth/logout")
assert response.status_code == 200
assert "message" in response.json()
async def test_logout_clears_cookie(self, client: AsyncClient) -> None:
"""Logout clears the bangui_session cookie."""
await _do_setup(client)
await _login(client) # sets cookie on client
response = await client.post("/api/auth/logout")
assert response.status_code == 200
# Cookie should be set to empty / deleted in the Set-Cookie header.
set_cookie = response.headers.get("set-cookie", "")
assert "bangui_session" in set_cookie
async def test_logout_is_idempotent(self, client: AsyncClient) -> None:
"""Logout succeeds even when called without a session token."""
await _do_setup(client)
response = await client.post("/api/auth/logout")
assert response.status_code == 200
async def test_session_invalid_after_logout(
self, client: AsyncClient
) -> None:
"""A session token is rejected after logout."""
await _do_setup(client)
token = await _login(client)
await client.post("/api/auth/logout")
# Now try to use the invalidated token via Bearer header. The health
# endpoint is unprotected so we validate against a hypothetical
# protected endpoint by inspecting the auth service directly.
# Here we just confirm the token is no longer in the DB by trying
# to re-use it on logout (idempotent — still 200, not an error).
response = await client.post(
"/api/auth/logout",
headers={"Authorization": f"Bearer {token}"},
)
assert response.status_code == 200
# ---------------------------------------------------------------------------
# Auth dependency (protected route guard)
# ---------------------------------------------------------------------------
class TestRequireAuth:
"""Verify the require_auth dependency rejects unauthenticated requests."""
async def test_health_endpoint_requires_no_auth(
self, client: AsyncClient
) -> None:
"""Health endpoint is accessible without authentication."""
response = await client.get("/api/health")
assert response.status_code == 200

123
backend/tests/test_routers/test_setup.py Normal file
View File

@@ -0,0 +1,123 @@
"""Tests for the setup router (POST /api/setup, GET /api/setup)."""
from __future__ import annotations
from httpx import AsyncClient
class TestGetSetupStatus:
"""GET /api/setup — check setup completion state."""
async def test_returns_not_completed_on_fresh_db(self, client: AsyncClient) -> None:
"""Status endpoint reports setup not done on a fresh database."""
response = await client.get("/api/setup")
assert response.status_code == 200
assert response.json() == {"completed": False}
async def test_returns_completed_after_setup(self, client: AsyncClient) -> None:
"""Status endpoint reports setup done after POST /api/setup."""
await client.post(
"/api/setup",
json={
"master_password": "supersecret123",
"database_path": "bangui.db",
"fail2ban_socket": "/var/run/fail2ban/fail2ban.sock",
"timezone": "UTC",
"session_duration_minutes": 60,
},
)
response = await client.get("/api/setup")
assert response.status_code == 200
assert response.json() == {"completed": True}
class TestPostSetup:
"""POST /api/setup — run the first-run configuration wizard."""
async def test_accepts_valid_payload(self, client: AsyncClient) -> None:
"""Setup endpoint returns 201 for a valid first-run payload."""
response = await client.post(
"/api/setup",
json={
"master_password": "supersecret123",
"database_path": "bangui.db",
"fail2ban_socket": "/var/run/fail2ban/fail2ban.sock",
"timezone": "UTC",
"session_duration_minutes": 60,
},
)
assert response.status_code == 201
body = response.json()
assert "message" in body
async def test_rejects_short_password(self, client: AsyncClient) -> None:
"""Setup endpoint rejects passwords shorter than 8 characters."""
response = await client.post(
"/api/setup",
json={"master_password": "short"},
)
assert response.status_code == 422
async def test_rejects_second_call(self, client: AsyncClient) -> None:
"""Setup endpoint returns 409 if setup has already been completed."""
payload = {
"master_password": "supersecret123",
"database_path": "bangui.db",
"fail2ban_socket": "/var/run/fail2ban/fail2ban.sock",
"timezone": "UTC",
"session_duration_minutes": 60,
}
first = await client.post("/api/setup", json=payload)
assert first.status_code == 201
second = await client.post("/api/setup", json=payload)
assert second.status_code == 409
async def test_accepts_defaults_for_optional_fields(
self, client: AsyncClient
) -> None:
"""Setup endpoint uses defaults when optional fields are omitted."""
response = await client.post(
"/api/setup",
json={"master_password": "supersecret123"},
)
assert response.status_code == 201
class TestSetupRedirectMiddleware:
"""Verify that the setup-redirect middleware enforces setup-first."""
async def test_protected_endpoint_redirects_before_setup(
self, client: AsyncClient
) -> None:
"""Non-setup API requests redirect to /api/setup on a fresh instance."""
response = await client.get(
"/api/auth/login",
follow_redirects=False,
)
# Middleware issues 307 redirect to /api/setup
assert response.status_code == 307
assert response.headers["location"] == "/api/setup"
async def test_health_always_reachable_before_setup(
self, client: AsyncClient
) -> None:
"""Health endpoint is always reachable even before setup."""
response = await client.get("/api/health")
assert response.status_code == 200
async def test_no_redirect_after_setup(self, client: AsyncClient) -> None:
"""Protected endpoints are reachable (no redirect) after setup."""
await client.post(
"/api/setup",
json={"master_password": "supersecret123"},
)
# /api/auth/login should now be reachable (returns 405 GET not allowed,
# not a setup redirect)
response = await client.post(
"/api/auth/login",
json={"password": "wrong"},
follow_redirects=False,
)
# 401 wrong password — not a 307 redirect
assert response.status_code == 401

85
backend/tests/test_services/test_auth_service.py Normal file
View File

@@ -0,0 +1,85 @@
"""Tests for auth_service."""
from __future__ import annotations
from pathlib import Path
import aiosqlite
import pytest
from app.db import init_db
from app.services import auth_service, setup_service
@pytest.fixture
async def db(tmp_path: Path) -> aiosqlite.Connection: # type: ignore[misc]
"""Provide an initialised DB with setup already complete."""
conn: aiosqlite.Connection = await aiosqlite.connect(str(tmp_path / "auth.db"))
conn.row_factory = aiosqlite.Row
await init_db(conn)
# Pre-run setup so auth operations have a password hash to check.
await setup_service.run_setup(
conn,
master_password="correctpassword1",
database_path="bangui.db",
fail2ban_socket="/var/run/fail2ban/fail2ban.sock",
timezone="UTC",
session_duration_minutes=60,
)
yield conn
await conn.close()
class TestLogin:
async def test_login_returns_session_on_correct_password(
self, db: aiosqlite.Connection
) -> None:
"""login() returns a Session on the correct password."""
session = await auth_service.login(db, password="correctpassword1", session_duration_minutes=60)
assert session.token
assert len(session.token) == 64 # 32 bytes → 64 hex chars
assert session.expires_at > session.created_at
async def test_login_raises_on_wrong_password(
self, db: aiosqlite.Connection
) -> None:
"""login() raises ValueError for an incorrect password."""
with pytest.raises(ValueError, match="Incorrect password"):
await auth_service.login(db, password="wrongpassword", session_duration_minutes=60)
async def test_login_persists_session(self, db: aiosqlite.Connection) -> None:
"""login() stores the session in the database."""
from app.repositories import session_repo
session = await auth_service.login(db, password="correctpassword1", session_duration_minutes=60)
stored = await session_repo.get_session(db, session.token)
assert stored is not None
assert stored.token == session.token
class TestValidateSession:
async def test_validate_returns_session_for_valid_token(
self, db: aiosqlite.Connection
) -> None:
"""validate_session() returns the session for a valid token."""
session = await auth_service.login(db, password="correctpassword1", session_duration_minutes=60)
validated = await auth_service.validate_session(db, session.token)
assert validated.token == session.token
async def test_validate_raises_for_unknown_token(
self, db: aiosqlite.Connection
) -> None:
"""validate_session() raises ValueError for a non-existent token."""
with pytest.raises(ValueError, match="not found"):
await auth_service.validate_session(db, "deadbeef" * 8)
class TestLogout:
async def test_logout_removes_session(self, db: aiosqlite.Connection) -> None:
"""logout() deletes the session so it can no longer be validated."""
from app.repositories import session_repo
session = await auth_service.login(db, password="correctpassword1", session_duration_minutes=60)
await auth_service.logout(db, session.token)
stored = await session_repo.get_session(db, session.token)
assert stored is None

97
backend/tests/test_services/test_setup_service.py Normal file
View File

@@ -0,0 +1,97 @@
"""Tests for setup_service and settings_repo."""
from __future__ import annotations
from pathlib import Path
import aiosqlite
import pytest
from app.db import init_db
from app.repositories import settings_repo
from app.services import setup_service
@pytest.fixture
async def db(tmp_path: Path) -> aiosqlite.Connection: # type: ignore[misc]
"""Provide an initialised aiosqlite connection for service-level tests."""
conn: aiosqlite.Connection = await aiosqlite.connect(str(tmp_path / "test.db"))
conn.row_factory = aiosqlite.Row
await init_db(conn)
yield conn
await conn.close()
class TestIsSetupComplete:
async def test_returns_false_on_fresh_db(
self, db: aiosqlite.Connection
) -> None:
"""Setup is not complete on a fresh database."""
assert await setup_service.is_setup_complete(db) is False
async def test_returns_true_after_run_setup(
self, db: aiosqlite.Connection
) -> None:
"""Setup is marked complete after run_setup() succeeds."""
await setup_service.run_setup(
db,
master_password="mypassword1",
database_path="bangui.db",
fail2ban_socket="/var/run/fail2ban/fail2ban.sock",
timezone="UTC",
session_duration_minutes=60,
)
assert await setup_service.is_setup_complete(db) is True
class TestRunSetup:
async def test_persists_all_settings(self, db: aiosqlite.Connection) -> None:
"""run_setup() stores every provided setting."""
await setup_service.run_setup(
db,
master_password="mypassword1",
database_path="/data/bangui.db",
fail2ban_socket="/tmp/f2b.sock",
timezone="Europe/Berlin",
session_duration_minutes=120,
)
all_settings = await settings_repo.get_all_settings(db)
assert all_settings["database_path"] == "/data/bangui.db"
assert all_settings["fail2ban_socket"] == "/tmp/f2b.sock"
assert all_settings["timezone"] == "Europe/Berlin"
assert all_settings["session_duration_minutes"] == "120"
async def test_password_stored_as_bcrypt_hash(
self, db: aiosqlite.Connection
) -> None:
"""The master password is stored as a bcrypt hash, not plain text."""
import bcrypt
await setup_service.run_setup(
db,
master_password="mypassword1",
database_path="bangui.db",
fail2ban_socket="/var/run/fail2ban/fail2ban.sock",
timezone="UTC",
session_duration_minutes=60,
)
stored = await setup_service.get_password_hash(db)
assert stored is not None
assert stored != "mypassword1"
# Verify it is a valid bcrypt hash.
assert bcrypt.checkpw(b"mypassword1", stored.encode())
async def test_raises_if_setup_already_complete(
self, db: aiosqlite.Connection
) -> None:
"""run_setup() raises RuntimeError if called a second time."""
kwargs = {
"master_password": "mypassword1",
"database_path": "bangui.db",
"fail2ban_socket": "/var/run/fail2ban/fail2ban.sock",
"timezone": "UTC",
"session_duration_minutes": 60,
}
await setup_service.run_setup(db, **kwargs) # type: ignore[arg-type]
with pytest.raises(RuntimeError, match="already been completed"):
await setup_service.run_setup(db, **kwargs) # type: ignore[arg-type]

55
frontend/src/App.tsx
View File

@@ -4,39 +4,52 @@
* Wraps the entire application in:
* 1. `FluentProvider` — supplies the Fluent UI theme and design tokens.
* 2. `BrowserRouter` — enables client-side routing via React Router.
* 3. `AuthProvider` — manages session state and exposes `useAuth()`.
*
* Route definitions are delegated to `AppRoutes` (implemented in Stage 3).
* For now a placeholder component is rendered so the app can start and the
* theme can be verified.
* Routes:
* - `/setup` — first-run setup wizard (always accessible, redirected to by backend middleware)
* - `/login` — master password login
* - `/` — dashboard (protected)
* All other paths fall through to the dashboard guard; the full route tree
* is wired up in Stage 3.
*/
import { FluentProvider } from "@fluentui/react-components";
import { BrowserRouter } from "react-router-dom";
import { BrowserRouter, Navigate, Route, Routes } from "react-router-dom";
import { lightTheme } from "./theme/customTheme";
import { AuthProvider } from "./providers/AuthProvider";
import { RequireAuth } from "./components/RequireAuth";
import { SetupPage } from "./pages/SetupPage";
import { LoginPage } from "./pages/LoginPage";
import { DashboardPage } from "./pages/DashboardPage";
/**
* Temporary placeholder shown until full routing is wired up in Stage 3.
*/
function AppPlaceholder(): JSX.Element {
return (
<div style={{ padding: 32, fontFamily: "Segoe UI, sans-serif" }}>
<h1 style={{ fontSize: 28, fontWeight: 600 }}>BanGUI</h1>
<p style={{ fontSize: 14, color: "#605e5c" }}>
Frontend scaffolding complete. Full UI implemented in Stage 3.
</p>
</div>
);
}
/**
* Root application component.
* Mounts `FluentProvider` and `BrowserRouter` around all page content.
* Root application component — mounts providers and top-level routes.
*/
function App(): JSX.Element {
return (
<FluentProvider theme={lightTheme}>
<BrowserRouter>
<AppPlaceholder />
<AuthProvider>
<Routes>
{/* Public routes */}
<Route path="/setup" element={<SetupPage />} />
<Route path="/login" element={<LoginPage />} />
{/* Protected routes */}
<Route
path="/"
element={
<RequireAuth>
<DashboardPage />
</RequireAuth>
}
/>
{/* Fallback — redirect unknown paths to dashboard (guard will redirect to login if needed) */}
<Route path="*" element={<Navigate to="/" replace />} />
</Routes>
</AuthProvider>
</BrowserRouter>
</FluentProvider>
);

30
frontend/src/api/auth.ts Normal file
View File

@@ -0,0 +1,30 @@
/**
* Authentication API functions.
*
* Wraps calls to POST /api/auth/login and POST /api/auth/logout
* using the central typed fetch client.
*/
import { api } from "./client";
import { ENDPOINTS } from "./endpoints";
import type { LoginRequest, LoginResponse, LogoutResponse } from "../types/auth";
/**
* Authenticate with the master password.
*
* @param password - The master password entered by the user.
* @returns The login response containing the session token.
*/
export async function login(password: string): Promise<LoginResponse> {
const body: LoginRequest = { password };
return api.post<LoginResponse>(ENDPOINTS.authLogin, body);
}
/**
* Log out and invalidate the current session.
*
* @returns The logout confirmation message.
*/
export async function logout(): Promise<LogoutResponse> {
return api.post<LogoutResponse>(ENDPOINTS.authLogout, {});
}

32
frontend/src/api/setup.ts Normal file
View File

@@ -0,0 +1,32 @@
/**
* Setup wizard API functions.
*
* Wraps calls to GET /api/setup and POST /api/setup.
*/
import { api } from "./client";
import { ENDPOINTS } from "./endpoints";
import type {
SetupRequest,
SetupResponse,
SetupStatusResponse,
} from "../types/setup";
/**
* Check whether the initial setup has been completed.
*
* @returns Setup status response with a `completed` boolean.
*/
export async function getSetupStatus(): Promise<SetupStatusResponse> {
return api.get<SetupStatusResponse>(ENDPOINTS.setup);
}
/**
* Submit the initial setup configuration.
*
* @param data - Setup request payload.
* @returns Success message from the API.
*/
export async function submitSetup(data: SetupRequest): Promise<SetupResponse> {
return api.post<SetupResponse>(ENDPOINTS.setup, data);
}

37
frontend/src/components/RequireAuth.tsx Normal file
View File

@@ -0,0 +1,37 @@
/**
* Route guard component.
*
* Wraps protected routes. If the user is not authenticated they are
* redirected to `/login` and the intended destination is preserved so the
* user lands on it after a successful login.
*/
import { Navigate, useLocation } from "react-router-dom";
import { useAuth } from "../providers/AuthProvider";
interface RequireAuthProps {
/** The protected page content to render when authenticated. */
children: JSX.Element;
}
/**
* Render `children` only if the user is authenticated.
*
* Redirects to `/login?next=<path>` otherwise so the intended destination is
* preserved and honoured after a successful login.
*/
export function RequireAuth({ children }: RequireAuthProps): JSX.Element {
const { isAuthenticated } = useAuth();
const location = useLocation();
if (!isAuthenticated) {
return (
<Navigate
to={`/login?next=${encodeURIComponent(location.pathname + location.search)}`}
replace
/>
);
}
return children;
}

30
frontend/src/pages/DashboardPage.tsx Normal file
View File

@@ -0,0 +1,30 @@
/**
* Dashboard placeholder page.
*
* Full implementation is delivered in Stage 5.
*/
import { Text, makeStyles, tokens } from "@fluentui/react-components";
const useStyles = makeStyles({
root: {
padding: tokens.spacingVerticalXXL,
},
});
/**
* Temporary dashboard placeholder rendered until Stage 5 is complete.
*/
export function DashboardPage(): JSX.Element {
const styles = useStyles();
return (
<div className={styles.root}>
<Text as="h1" size={700} weight="semibold">
Dashboard
</Text>
<Text as="p" size={300}>
Ban overview will be implemented in Stage 5.
</Text>
</div>
);
}

158
frontend/src/pages/LoginPage.tsx Normal file
View File

@@ -0,0 +1,158 @@
/**
* Login page.
*
* A single password field and submit button. On success the user is
* redirected to the originally requested page (via the `?next=` query
* parameter) or the dashboard.
*/
import { useState } from "react";
import {
Button,
Field,
Input,
makeStyles,
MessageBar,
MessageBarBody,
Spinner,
Text,
tokens,
} from "@fluentui/react-components";
import { useNavigate, useSearchParams } from "react-router-dom";
import type { ChangeEvent, FormEvent } from "react";
import { ApiError } from "../api/client";
import { useAuth } from "../providers/AuthProvider";
// ---------------------------------------------------------------------------
// Styles
// ---------------------------------------------------------------------------
const useStyles = makeStyles({
root: {
display: "flex",
justifyContent: "center",
alignItems: "center",
minHeight: "100vh",
backgroundColor: tokens.colorNeutralBackground2,
padding: tokens.spacingHorizontalM,
},
card: {
width: "100%",
maxWidth: "360px",
backgroundColor: tokens.colorNeutralBackground1,
borderRadius: tokens.borderRadiusXLarge,
padding: tokens.spacingVerticalXXL,
boxShadow: tokens.shadow8,
},
heading: {
marginBottom: tokens.spacingVerticalXS,
display: "block",
},
subtitle: {
marginBottom: tokens.spacingVerticalXXL,
color: tokens.colorNeutralForeground2,
display: "block",
},
field: {
marginBottom: tokens.spacingVerticalM,
},
submitRow: {
marginTop: tokens.spacingVerticalL,
},
error: {
marginBottom: tokens.spacingVerticalM,
},
});
// ---------------------------------------------------------------------------
// Component
// ---------------------------------------------------------------------------
/**
* Login page — single password input, no username.
*/
export function LoginPage(): JSX.Element {
const styles = useStyles();
const navigate = useNavigate();
const [searchParams] = useSearchParams();
const { login } = useAuth();
const [password, setPassword] = useState("");
const [error, setError] = useState<string | null>(null);
const [submitting, setSubmitting] = useState(false);
const nextPath = searchParams.get("next") ?? "/";
function handlePasswordChange(ev: ChangeEvent<HTMLInputElement>): void {
setPassword(ev.target.value);
setError(null);
}
async function handleSubmit(ev: FormEvent<HTMLFormElement>): Promise<void> {
ev.preventDefault();
if (!password) {
setError("Please enter a password.");
return;
}
setSubmitting(true);
setError(null);
try {
await login(password);
navigate(nextPath, { replace: true });
} catch (err) {
if (err instanceof ApiError && err.status === 401) {
setError("Incorrect password. Please try again.");
} else {
setError("An unexpected error occurred. Please try again.");
}
} finally {
setSubmitting(false);
}
}
return (
<div className={styles.root}>
<div className={styles.card}>
<Text as="h1" size={700} weight="semibold" className={styles.heading}>
BanGUI
</Text>
<Text size={300} className={styles.subtitle}>
Enter your master password to continue.
</Text>
{error !== null && (
<MessageBar intent="error" className={styles.error}>
<MessageBarBody>{error}</MessageBarBody>
</MessageBar>
)}
<form onSubmit={(ev) => void handleSubmit(ev)}>
<div className={styles.field}>
<Field label="Password" required>
<Input
type="password"
value={password}
onChange={handlePasswordChange}
autoComplete="current-password"
autoFocus
/>
</Field>
</div>
<div className={styles.submitRow}>
<Button
type="submit"
appearance="primary"
disabled={submitting || !password}
icon={submitting ? <Spinner size="tiny" /> : undefined}
>
{submitting ? "Signing in…" : "Sign in"}
</Button>
</div>
</form>
</div>
</div>
);
}

285
frontend/src/pages/SetupPage.tsx Normal file
View File

@@ -0,0 +1,285 @@
/**
* Setup wizard page.
*
* Displayed automatically on first launch when no configuration exists.
* Once submitted successfully the user is redirected to the login page.
* All fields use Fluent UI v9 components and inline validation.
*/
import { useState } from "react";
import {
Button,
Field,
Input,
makeStyles,
MessageBar,
MessageBarBody,
Spinner,
Text,
tokens,
} from "@fluentui/react-components";
import { useNavigate } from "react-router-dom";
import type { ChangeEvent, FormEvent } from "react";
import { ApiError } from "../api/client";
import { submitSetup } from "../api/setup";
// ---------------------------------------------------------------------------
// Styles
// ---------------------------------------------------------------------------
const useStyles = makeStyles({
root: {
display: "flex",
justifyContent: "center",
alignItems: "flex-start",
minHeight: "100vh",
padding: `${tokens.spacingVerticalXXL} ${tokens.spacingHorizontalM}`,
backgroundColor: tokens.colorNeutralBackground2,
},
card: {
width: "100%",
maxWidth: "480px",
backgroundColor: tokens.colorNeutralBackground1,
borderRadius: tokens.borderRadiusXLarge,
padding: tokens.spacingVerticalXXL,
boxShadow: tokens.shadow8,
},
heading: {
marginBottom: tokens.spacingVerticalL,
display: "block",
},
description: {
marginBottom: tokens.spacingVerticalXXL,
color: tokens.colorNeutralForeground2,
display: "block",
},
fields: {
display: "flex",
flexDirection: "column",
gap: tokens.spacingVerticalM,
},
submitRow: {
marginTop: tokens.spacingVerticalL,
},
error: {
marginBottom: tokens.spacingVerticalM,
},
});
// ---------------------------------------------------------------------------
// Form state
// ---------------------------------------------------------------------------
interface FormValues {
masterPassword: string;
confirmPassword: string;
databasePath: string;
fail2banSocket: string;
timezone: string;
sessionDurationMinutes: string;
}
const DEFAULT_VALUES: FormValues = {
masterPassword: "",
confirmPassword: "",
databasePath: "bangui.db",
fail2banSocket: "/var/run/fail2ban/fail2ban.sock",
timezone: "UTC",
sessionDurationMinutes: "60",
};
// ---------------------------------------------------------------------------
// Component
// ---------------------------------------------------------------------------
/**
* First-run setup wizard page.
* Collects master password and server preferences.
*/
export function SetupPage(): JSX.Element {
const styles = useStyles();
const navigate = useNavigate();
const [values, setValues] = useState<FormValues>(DEFAULT_VALUES);
const [errors, setErrors] = useState<Partial<Record<keyof FormValues, string>>>({});
const [apiError, setApiError] = useState<string | null>(null);
const [submitting, setSubmitting] = useState(false);
// ---------------------------------------------------------------------------
// Handlers
// ---------------------------------------------------------------------------
function handleChange(field: keyof FormValues) {
return (ev: ChangeEvent<HTMLInputElement>): void => {
setValues((prev) => ({ ...prev, [field]: ev.target.value }));
// Clear field-level error on change.
setErrors((prev) => ({ ...prev, [field]: undefined }));
};
}
function validate(): boolean {
const next: Partial<Record<keyof FormValues, string>> = {};
if (values.masterPassword.length < 8) {
next.masterPassword = "Password must be at least 8 characters.";
}
if (values.masterPassword !== values.confirmPassword) {
next.confirmPassword = "Passwords do not match.";
}
if (!values.databasePath.trim()) {
next.databasePath = "Database path is required.";
}
if (!values.fail2banSocket.trim()) {
next.fail2banSocket = "Socket path is required.";
}
const duration = parseInt(values.sessionDurationMinutes, 10);
if (isNaN(duration) || duration < 1) {
next.sessionDurationMinutes = "Session duration must be at least 1 minute.";
}
setErrors(next);
return Object.keys(next).length === 0;
}
async function handleSubmit(ev: FormEvent<HTMLFormElement>): Promise<void> {
ev.preventDefault();
setApiError(null);
if (!validate()) return;
setSubmitting(true);
try {
await submitSetup({
master_password: values.masterPassword,
database_path: values.databasePath,
fail2ban_socket: values.fail2banSocket,
timezone: values.timezone,
session_duration_minutes: parseInt(values.sessionDurationMinutes, 10),
});
navigate("/login", { replace: true });
} catch (err) {
if (err instanceof ApiError) {
setApiError(err.message || `Error ${String(err.status)}`);
} else {
setApiError("An unexpected error occurred. Please try again.");
}
} finally {
setSubmitting(false);
}
}
// ---------------------------------------------------------------------------
// Render
// ---------------------------------------------------------------------------
return (
<div className={styles.root}>
<div className={styles.card}>
<Text as="h1" size={700} weight="semibold" className={styles.heading}>
BanGUI Setup
</Text>
<Text size={300} className={styles.description}>
Configure BanGUI for first use. This page will not be shown again once setup
is complete.
</Text>
{apiError !== null && (
<MessageBar intent="error" className={styles.error}>
<MessageBarBody>{apiError}</MessageBarBody>
</MessageBar>
)}
<form onSubmit={(ev) => void handleSubmit(ev)}>
<div className={styles.fields}>
<Field
label="Master Password"
required
validationMessage={errors.masterPassword}
validationState={errors.masterPassword ? "error" : "none"}
>
<Input
type="password"
value={values.masterPassword}
onChange={handleChange("masterPassword")}
autoComplete="new-password"
/>
</Field>
<Field
label="Confirm Password"
required
validationMessage={errors.confirmPassword}
validationState={errors.confirmPassword ? "error" : "none"}
>
<Input
type="password"
value={values.confirmPassword}
onChange={handleChange("confirmPassword")}
autoComplete="new-password"
/>
</Field>
<Field
label="Database Path"
hint="Path where BanGUI stores its SQLite database."
validationMessage={errors.databasePath}
validationState={errors.databasePath ? "error" : "none"}
>
<Input
value={values.databasePath}
onChange={handleChange("databasePath")}
/>
</Field>
<Field
label="fail2ban Socket Path"
hint="Unix socket used to communicate with the fail2ban daemon."
validationMessage={errors.fail2banSocket}
validationState={errors.fail2banSocket ? "error" : "none"}
>
<Input
value={values.fail2banSocket}
onChange={handleChange("fail2banSocket")}
/>
</Field>
<Field
label="Timezone"
hint="IANA timezone identifier (e.g. UTC, Europe/Berlin)."
>
<Input
value={values.timezone}
onChange={handleChange("timezone")}
/>
</Field>
<Field
label="Session Duration (minutes)"
hint="How long a login session stays active."
validationMessage={errors.sessionDurationMinutes}
validationState={errors.sessionDurationMinutes ? "error" : "none"}
>
<Input
type="number"
value={values.sessionDurationMinutes}
onChange={handleChange("sessionDurationMinutes")}
min={1}
/>
</Field>
</div>
<div className={styles.submitRow}>
<Button
type="submit"
appearance="primary"
disabled={submitting}
icon={submitting ? <Spinner size="tiny" /> : undefined}
>
{submitting ? "Saving…" : "Complete Setup"}
</Button>
</div>
</form>
</div>
</div>
);
}

118
frontend/src/providers/AuthProvider.tsx Normal file
View File

@@ -0,0 +1,118 @@
/**
* Authentication context and provider.
*
* Manages the user's authenticated state and exposes `login`, `logout`, and
* `isAuthenticated` through `useAuth()`. The session token is persisted in
* `sessionStorage` so it survives page refreshes within the browser tab but
* is automatically cleared when the tab is closed.
*/
import {
createContext,
useCallback,
useContext,
useMemo,
useState,
} from "react";
import * as authApi from "../api/auth";
// ---------------------------------------------------------------------------
// Types
// ---------------------------------------------------------------------------
interface AuthState {
token: string | null;
expiresAt: string | null;
}
interface AuthContextValue {
/** `true` when a valid session token is held in state. */
isAuthenticated: boolean;
/**
* Authenticate with the master password.
* Throws an `ApiError` on failure.
*/
login: (password: string) => Promise<void>;
/** Revoke the current session and clear local state. */
logout: () => Promise<void>;
}
// ---------------------------------------------------------------------------
// Context
// ---------------------------------------------------------------------------
const AuthContext = createContext<AuthContextValue | null>(null);
const SESSION_KEY = "bangui_token";
const SESSION_EXPIRES_KEY = "bangui_expires_at";
// ---------------------------------------------------------------------------
// Provider
// ---------------------------------------------------------------------------
/**
* Wraps the application and provides authentication state to all children.
*
* Place this inside `<FluentProvider>` and `<BrowserRouter>` so all
* descendants can call `useAuth()`.
*/
export function AuthProvider({
children,
}: {
children: React.ReactNode;
}): JSX.Element {
const [auth, setAuth] = useState<AuthState>(() => ({
token: sessionStorage.getItem(SESSION_KEY),
expiresAt: sessionStorage.getItem(SESSION_EXPIRES_KEY),
}));
const isAuthenticated = useMemo<boolean>(() => {
if (!auth.token || !auth.expiresAt) return false;
// Treat the session as expired if the expiry time has passed.
return new Date(auth.expiresAt) > new Date();
}, [auth]);
const login = useCallback(async (password: string): Promise<void> => {
const response = await authApi.login(password);
sessionStorage.setItem(SESSION_KEY, response.token);
sessionStorage.setItem(SESSION_EXPIRES_KEY, response.expires_at);
setAuth({ token: response.token, expiresAt: response.expires_at });
}, []);
const logout = useCallback(async (): Promise<void> => {
try {
await authApi.logout();
} finally {
// Always clear local state even if the API call fails (e.g. expired session).
sessionStorage.removeItem(SESSION_KEY);
sessionStorage.removeItem(SESSION_EXPIRES_KEY);
setAuth({ token: null, expiresAt: null });
}
}, []);
const value = useMemo<AuthContextValue>(
() => ({ isAuthenticated, login, logout }),
[isAuthenticated, login, logout],
);
return <AuthContext.Provider value={value}>{children}</AuthContext.Provider>;
}
// ---------------------------------------------------------------------------
// Hook
// ---------------------------------------------------------------------------
/**
* Access authentication state and actions.
*
* Must be called inside a component rendered within `<AuthProvider>`.
*
* @throws {Error} When called outside of `<AuthProvider>`.
*/
export function useAuth(): AuthContextValue {
const ctx = useContext(AuthContext);
if (ctx === null) {
throw new Error("useAuth must be used within <AuthProvider>.");
}
return ctx;
}

19
frontend/src/types/auth.ts Normal file
View File

@@ -0,0 +1,19 @@
/**
* Types for the authentication domain.
*/
/** Request payload for POST /api/auth/login. */
export interface LoginRequest {
password: string;
}
/** Successful login response from the API. */
export interface LoginResponse {
token: string;
expires_at: string;
}
/** Response body for POST /api/auth/logout. */
export interface LogoutResponse {
message: string;
}

22
frontend/src/types/setup.ts Normal file
View File

@@ -0,0 +1,22 @@
/**
* Types for the setup wizard domain.
*/
/** Request payload for POST /api/setup. */
export interface SetupRequest {
master_password: string;
database_path?: string;
fail2ban_socket?: string;
timezone?: string;
session_duration_minutes?: number;
}
/** Response from a successful POST /api/setup. */
export interface SetupResponse {
message: string;
}
/** Response from GET /api/setup — indicates setup completion status. */
export interface SetupStatusResponse {
completed: boolean;
}