114 lines
3.3 KiB
Python
114 lines
3.3 KiB
Python
# routes/auth_routes.py - Authentication Routes
|
|
|
|
from flask import Blueprint, request, jsonify, session, redirect, url_for, send_from_directory
|
|
from db import get_db
|
|
from auth import login_required, admin_required, get_current_user
|
|
|
|
auth_bp = Blueprint('auth', __name__)
|
|
|
|
|
|
@auth_bp.route('/login')
|
|
def login_page():
|
|
"""Serve login page."""
|
|
if 'user_id' in session:
|
|
return redirect(url_for('main.index'))
|
|
return send_from_directory('templates', 'login.html')
|
|
|
|
|
|
@auth_bp.route('/api/auth/login', methods=['POST'])
|
|
def login():
|
|
"""Handle user login."""
|
|
data = request.json
|
|
username = data.get('username', '').strip()
|
|
password = data.get('password', '')
|
|
|
|
if not username or not password:
|
|
return jsonify({'error': 'Username and password are required'}), 400
|
|
|
|
db = get_db()
|
|
cursor = db.cursor()
|
|
|
|
cursor.execute('''
|
|
SELECT id, username, password, role, is_active
|
|
FROM users WHERE username = ?
|
|
''', (username,))
|
|
|
|
user = cursor.fetchone()
|
|
|
|
if not user:
|
|
return jsonify({'error': 'Invalid username or password'}), 401
|
|
|
|
if not user['is_active']:
|
|
return jsonify({'error': 'Account is disabled. Contact your administrator.'}), 403
|
|
|
|
if user['password'] != password:
|
|
return jsonify({'error': 'Invalid username or password'}), 401
|
|
|
|
# Set session
|
|
session['user_id'] = user['id']
|
|
session['username'] = user['username']
|
|
session['user_role'] = user['role']
|
|
|
|
# Update last login
|
|
cursor.execute('''
|
|
UPDATE users SET last_login = CURRENT_TIMESTAMP WHERE id = ?
|
|
''', (user['id'],))
|
|
db.commit()
|
|
|
|
print(f"✅ User logged in: {username} (role: {user['role']})")
|
|
|
|
return jsonify({
|
|
'success': True,
|
|
'user': {
|
|
'id': user['id'],
|
|
'username': user['username'],
|
|
'role': user['role']
|
|
}
|
|
})
|
|
|
|
|
|
@auth_bp.route('/api/auth/logout', methods=['POST'])
|
|
def logout():
|
|
"""Handle user logout."""
|
|
username = session.get('username', 'Unknown')
|
|
session.clear()
|
|
print(f"👋 User logged out: {username}")
|
|
return jsonify({'success': True})
|
|
|
|
|
|
@auth_bp.route('/api/auth/me', methods=['GET'])
|
|
@login_required
|
|
def get_me():
|
|
"""Get current user info."""
|
|
user = get_current_user()
|
|
return jsonify({'user': user})
|
|
|
|
|
|
@auth_bp.route('/api/auth/change-password', methods=['POST'])
|
|
@login_required
|
|
def change_password():
|
|
"""Change current user's password."""
|
|
data = request.json
|
|
current_password = data.get('current_password', '')
|
|
new_password = data.get('new_password', '')
|
|
|
|
if not current_password or not new_password:
|
|
return jsonify({'error': 'Current password and new password are required'}), 400
|
|
|
|
if len(new_password) < 4:
|
|
return jsonify({'error': 'New password must be at least 4 characters'}), 400
|
|
|
|
db = get_db()
|
|
cursor = db.cursor()
|
|
|
|
cursor.execute('SELECT password FROM users WHERE id = ?', (session['user_id'],))
|
|
user = cursor.fetchone()
|
|
|
|
if not user or user['password'] != current_password:
|
|
return jsonify({'error': 'Current password is incorrect'}), 401
|
|
|
|
cursor.execute('UPDATE users SET password = ? WHERE id = ?', (new_password, session['user_id']))
|
|
db.commit()
|
|
|
|
return jsonify({'success': True, 'message': 'Password changed successfully'})
|