38 lines
1.2 KiB
Python
38 lines
1.2 KiB
Python
import secrets
|
|
from fastapi import APIRouter, HTTPException, status
|
|
from pydantic import BaseModel
|
|
|
|
from app.core.config import settings
|
|
|
|
router = APIRouter()
|
|
|
|
|
|
class LoginRequest(BaseModel):
|
|
username: str
|
|
password: str
|
|
|
|
|
|
class LoginResponse(BaseModel):
|
|
token: str
|
|
|
|
|
|
@router.post("/admin/login", response_model=LoginResponse)
|
|
def admin_login(body: LoginRequest):
|
|
if not settings.ADMIN_USERNAME or not settings.ADMIN_PASSWORD:
|
|
raise HTTPException(
|
|
status_code=status.HTTP_403_FORBIDDEN,
|
|
detail="Admin account is not configured",
|
|
)
|
|
# constant-time compare to avoid leaking timing info
|
|
user_ok = secrets.compare_digest(body.username, settings.ADMIN_USERNAME)
|
|
pass_ok = secrets.compare_digest(body.password, settings.ADMIN_PASSWORD)
|
|
if not (user_ok and pass_ok):
|
|
raise HTTPException(
|
|
status_code=status.HTTP_401_UNAUTHORIZED,
|
|
detail="Invalid credentials",
|
|
)
|
|
# The token IS the password. Single account, no expiry, no rotation —
|
|
# simple and matches what require_admin() expects in the Authorization
|
|
# header. Swap for a signed/expiring token if you ever add multiple users.
|
|
return LoginResponse(token=settings.ADMIN_PASSWORD)
|