setup admin connection

sop-back/.env.example

@@ -2,8 +2,10 @@
 PROJECT_NAME=Smash or Pass
 ALLOWED_ORIGINS=["http://localhost:5173","http://localhost:8080"]
 
-# Admin gate
-ADMIN_ENABLED=true
+# Admin account — set both to enable admin login at /login.
+# Leave empty to fully disable admin endpoints.
+ADMIN_USERNAME=admin
+ADMIN_PASSWORD=change-me
 
 # Database (SQLite file path)
 DATABASE_URL=sqlite:///./data/sop.db

sop-back/app/api/routes/auth.py

@@ -0,0 +1,37 @@
+import secrets
+from fastapi import APIRouter, HTTPException, status
+from pydantic import BaseModel
+
+from app.core.config import settings
+
+router = APIRouter()
+
+
+class LoginRequest(BaseModel):
+    username: str
+    password: str
+
+
+class LoginResponse(BaseModel):
+    token: str
+
+
+@router.post("/admin/login", response_model=LoginResponse)
+def admin_login(body: LoginRequest):
+    if not settings.ADMIN_USERNAME or not settings.ADMIN_PASSWORD:
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Admin account is not configured",
+        )
+    # constant-time compare to avoid leaking timing info
+    user_ok = secrets.compare_digest(body.username, settings.ADMIN_USERNAME)
+    pass_ok = secrets.compare_digest(body.password, settings.ADMIN_PASSWORD)
+    if not (user_ok and pass_ok):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid credentials",
+        )
+    # The token IS the password. Single account, no expiry, no rotation —
+    # simple and matches what require_admin() expects in the Authorization
+    # header. Swap for a signed/expiring token if you ever add multiple users.
+    return LoginResponse(token=settings.ADMIN_PASSWORD)

sop-back/app/api/routes/health.py

@@ -1,6 +1,4 @@
 from fastapi import APIRouter
-from app.core.config import settings
-from app.schemas.schemas import AdminStatus
 
 router = APIRouter()
 
@@ -8,8 +6,3 @@ router = APIRouter()
 @router.get("/health")
 def health():
     return {"status": "ok"}
-
-
-@router.get("/admin/status", response_model=AdminStatus)
-def admin_status():
-    return AdminStatus(admin_enabled=settings.ADMIN_ENABLED)

sop-back/app/core/config.py

@@ -9,7 +9,10 @@ class Settings(BaseSettings):
     VERSION: str = "0.1.0"
     ALLOWED_ORIGINS: List[str] = ["*"]
 
-    ADMIN_ENABLED: bool = False
+    # Single hardcoded admin account, configured via env.
+    # If either field is empty, admin login is effectively disabled.
+    ADMIN_USERNAME: str = ""
+    ADMIN_PASSWORD: str = ""
 
     DATABASE_URL: str = "sqlite:///./data/sop.db"
 

sop-back/app/core/deps.py

@@ -1,10 +1,30 @@
-from fastapi import HTTPException, status
+import secrets
+from fastapi import Header, HTTPException, status
 from app.core.config import settings
 
 
-def require_admin() -> None:
-    if not settings.ADMIN_ENABLED:
+def require_admin(authorization: str | None = Header(default=None)) -> None:
+    """Gate admin endpoints on a Bearer token equal to ADMIN_PASSWORD.
+
+    The token is issued by POST /admin/login after the username + password
+    match the values from .env. We keep things deliberately simple — no JWT,
+    no expiry — because there is exactly one admin account.
+    """
+    if not settings.ADMIN_PASSWORD:
         raise HTTPException(
             status_code=status.HTTP_403_FORBIDDEN,
-            detail="Admin module is disabled",
+            detail="Admin account is not configured",
+        )
+    if not authorization or not authorization.lower().startswith("bearer "):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Missing bearer token",
+            headers={"WWW-Authenticate": "Bearer"},
+        )
+    token = authorization.split(" ", 1)[1].strip()
+    if not secrets.compare_digest(token, settings.ADMIN_PASSWORD):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Invalid token",
+            headers={"WWW-Authenticate": "Bearer"},
         )

sop-back/app/main.py

@@ -6,7 +6,7 @@ from app.core.config import settings
 from app.db.database import Base, engine
 from app.models import models  # noqa: F401  (register models)
 from app.services.storage import ensure_bucket
-from app.api.routes import health, collections, admin
+from app.api.routes import health, collections, admin, auth
 
 
 @asynccontextmanager
@@ -35,5 +35,6 @@ app.add_middleware(
 )
 
 app.include_router(health.router, tags=["meta"])
+app.include_router(auth.router, tags=["auth"])
 app.include_router(collections.router, prefix="/collections", tags=["collections"])
 app.include_router(admin.router, prefix="/admin", tags=["admin"])

sop-back/app/schemas/schemas.py

@@ -33,7 +33,3 @@ class CollectionOut(BaseModel):
 
 class CollectionCreate(BaseModel):
     name: str
-
-
-class AdminStatus(BaseModel):
-    admin_enabled: bool