first commit

routes/auth_routes.py

@@ -0,0 +1,113 @@
+# routes/auth_routes.py - Authentication Routes
+
+from flask import Blueprint, request, jsonify, session, redirect, url_for, send_from_directory
+from db import get_db
+from auth import login_required, admin_required, get_current_user
+
+auth_bp = Blueprint('auth', __name__)
+
+
+@auth_bp.route('/login')
+def login_page():
+    """Serve login page."""
+    if 'user_id' in session:
+        return redirect(url_for('main.index'))
+    return send_from_directory('templates', 'login.html')
+
+
+@auth_bp.route('/api/auth/login', methods=['POST'])
+def login():
+    """Handle user login."""
+    data = request.json
+    username = data.get('username', '').strip()
+    password = data.get('password', '')
+    
+    if not username or not password:
+        return jsonify({'error': 'Username and password are required'}), 400
+    
+    db = get_db()
+    cursor = db.cursor()
+    
+    cursor.execute('''
+        SELECT id, username, password, role, is_active 
+        FROM users WHERE username = ?
+    ''', (username,))
+    
+    user = cursor.fetchone()
+    
+    if not user:
+        return jsonify({'error': 'Invalid username or password'}), 401
+    
+    if not user['is_active']:
+        return jsonify({'error': 'Account is disabled. Contact your administrator.'}), 403
+    
+    if user['password'] != password:
+        return jsonify({'error': 'Invalid username or password'}), 401
+    
+    # Set session
+    session['user_id'] = user['id']
+    session['username'] = user['username']
+    session['user_role'] = user['role']
+    
+    # Update last login
+    cursor.execute('''
+        UPDATE users SET last_login = CURRENT_TIMESTAMP WHERE id = ?
+    ''', (user['id'],))
+    db.commit()
+    
+    print(f"✅ User logged in: {username} (role: {user['role']})")
+    
+    return jsonify({
+        'success': True,
+        'user': {
+            'id': user['id'],
+            'username': user['username'],
+            'role': user['role']
+        }
+    })
+
+
+@auth_bp.route('/api/auth/logout', methods=['POST'])
+def logout():
+    """Handle user logout."""
+    username = session.get('username', 'Unknown')
+    session.clear()
+    print(f"👋 User logged out: {username}")
+    return jsonify({'success': True})
+
+
+@auth_bp.route('/api/auth/me', methods=['GET'])
+@login_required
+def get_me():
+    """Get current user info."""
+    user = get_current_user()
+    return jsonify({'user': user})
+
+
+@auth_bp.route('/api/auth/change-password', methods=['POST'])
+@login_required
+def change_password():
+    """Change current user's password."""
+    data = request.json
+    current_password = data.get('current_password', '')
+    new_password = data.get('new_password', '')
+    
+    if not current_password or not new_password:
+        return jsonify({'error': 'Current password and new password are required'}), 400
+    
+    if len(new_password) < 4:
+        return jsonify({'error': 'New password must be at least 4 characters'}), 400
+    
+    db = get_db()
+    cursor = db.cursor()
+    
+    cursor.execute('SELECT password FROM users WHERE id = ?', (session['user_id'],))
+    user = cursor.fetchone()
+    
+    if not user or user['password'] != current_password:
+        return jsonify({'error': 'Current password is incorrect'}), 401
+    
+    cursor.execute('UPDATE users SET password = ? WHERE id = ?', (new_password, session['user_id']))
+    db.commit()
+    
+    return jsonify({'success': True, 'message': 'Password changed successfully'})