feat(web): self-onboarding multi-tenant + auth sesiune (PRD 3.3a)
Canalul web trece de la 100% deschis (hardcodat cont 1) la autentificat si multi-tenant. Un service nou se inregistreaza din browser, primeste o cheie API (o singura data) si o sesiune; contul se creeaza "in asteptare" (active=0) si nu trimite la RAR pana la activarea de catre admin (tools/account.py activate). - users + app/users.py: parole scrypt (salt per-user, eticheta parametri onorata la verify pentru migrare cost), email unic case-insensitive - sesiune: SessionMiddleware (same_site=strict, https_only config) + app/web/session.py (current_account/web_account/require_login->LoginRequired, set_session clear-inainte) - CSRF (app/web/csrf.py) enforce in prod inclusiv pe login/signup + rate-limit in-proces (app/web/ratelimit.py) pe signup si login - signup/login/logout (app/web/auth_routes.py): signup tranzactie atomica, cheie-o-data, log SIGNUP pentru descoperire admin - dashboard + import scoped pe contul sesiunii (regula NULL->cont 1); toate rutele web care ating date sensibile sub require_login; nomenclator ramane global - banner "cont in asteptare" pentru conturi active=0 - gate worker: claim_one LEFT JOIN accounts COALESCE(active,1)=1 (account_id NULL=activ) VERIFY context curat (2 runde): leak cross-account /_fragments/mapari prins+reparat. /code-review high: csrf_token lipsa pe re-randari de eroare, scrypt_params ignorat, login fara rate-limit -- toate reparate. 361 teste pass (de la 313). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -1,5 +1,12 @@
|
||||
<div class="card banner {% if not blocked %}hidden{% endif %}"
|
||||
{% if not account_active %}
|
||||
<div class="card banner" style="border-color:var(--warn); background:#201c0f;"
|
||||
hx-get="/_fragments/banner" hx-trigger="every 15s" hx-swap="outerHTML">
|
||||
<strong>Cont in asteptare de activare.</strong>
|
||||
Configureaza creds RAR si pregateste importul ACUM; trimiterea catre RAR porneste automat dupa activare de catre admin.
|
||||
</div>
|
||||
{% endif %}
|
||||
<div class="card banner {% if not blocked %}hidden{% endif %}"
|
||||
{% if account_active %}hx-get="/_fragments/banner" hx-trigger="every 15s" hx-swap="outerHTML"{% endif %}>
|
||||
<strong>Atentie:</strong> {{ blocked }} submission-uri blocate (error / needs_data / needs_mapping).
|
||||
Plasa de siguranta pe pene RAR > 30h. Verifica coada mai jos.
|
||||
</div>
|
||||
|
||||
@@ -17,7 +17,7 @@
|
||||
{% set top = e.suggestions[0] if e.suggestions else None %}
|
||||
{% set preselect = top.cod_prestatie if (top and top.score >= 60) else '' %}
|
||||
<form class="maprow" hx-post="/mapari" hx-target="#mapari-section" hx-swap="outerHTML">
|
||||
<input type="hidden" name="account_id" value="{{ e.account_id }}">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token or '' }}">
|
||||
<input type="hidden" name="cod_op_service" value="{{ e.cod_op_service }}">
|
||||
|
||||
<div class="mapcol grow">
|
||||
|
||||
@@ -20,6 +20,7 @@
|
||||
<form hx-post="/_import/{{ import_id }}/mapare-coloane"
|
||||
hx-target="#import-section"
|
||||
hx-swap="outerHTML">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token or '' }}">
|
||||
|
||||
<div style="margin-bottom:8px; display:flex; align-items:center; gap:10px; flex-wrap:wrap;">
|
||||
<label for="format-data" style="font-size:13px; color:var(--muted);">
|
||||
|
||||
@@ -57,6 +57,7 @@
|
||||
hx-post="/_import/{{ import_id }}/confirma"
|
||||
hx-target="#import-section"
|
||||
hx-swap="outerHTML">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token or '' }}">
|
||||
|
||||
<div class="tablewrap">
|
||||
<table>
|
||||
|
||||
@@ -23,6 +23,7 @@
|
||||
hx-swap="outerHTML"
|
||||
hx-encoding="multipart/form-data"
|
||||
hx-indicator="#upload-spinner">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token or '' }}">
|
||||
|
||||
{% if sheets %}
|
||||
<div style="margin-bottom:12px;">
|
||||
|
||||
28
app/web/templates/login.html
Normal file
28
app/web/templates/login.html
Normal file
@@ -0,0 +1,28 @@
|
||||
{% extends "base.html" %}
|
||||
{% block title %}Autentificare — Gateway RAR AUTOPASS{% endblock %}
|
||||
{% block content %}
|
||||
<div class="card" style="max-width:400px;margin:40px auto;">
|
||||
<h2 style="margin-top:0;">Autentificare</h2>
|
||||
|
||||
{% if error %}
|
||||
<div class="banner" style="margin-bottom:12px;padding:8px 12px;">{{ error }}</div>
|
||||
{% endif %}
|
||||
|
||||
<form method="post" action="/login">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token }}">
|
||||
<p>
|
||||
<label>Email</label><br>
|
||||
<input type="email" name="email" required style="width:100%;">
|
||||
</p>
|
||||
<p>
|
||||
<label>Parola</label><br>
|
||||
<input type="password" name="parola" required style="width:100%;">
|
||||
</p>
|
||||
<button type="submit" style="width:100%;margin-top:8px;">Intra in cont</button>
|
||||
</form>
|
||||
|
||||
<p style="text-align:center;font-size:13px;margin-top:16px;">
|
||||
Cont nou? <a href="/signup">Inregistrare</a>
|
||||
</p>
|
||||
</div>
|
||||
{% endblock %}
|
||||
73
app/web/templates/signup.html
Normal file
73
app/web/templates/signup.html
Normal file
@@ -0,0 +1,73 @@
|
||||
{% extends "base.html" %}
|
||||
{% block title %}Inregistrare — Gateway RAR AUTOPASS{% endblock %}
|
||||
{% block content %}
|
||||
<div class="card" style="max-width:480px;margin:40px auto;">
|
||||
{% if api_key %}
|
||||
<div class="flash">Contul a fost creat. Salveaza cheia API acum — nu o vei mai putea vedea.</div>
|
||||
|
||||
<div class="card" style="font-family:monospace;word-break:break-all;font-size:14px;background:#0f1115;margin:12px 0;">
|
||||
{{ api_key }}
|
||||
</div>
|
||||
|
||||
<button type="button"
|
||||
data-key="{{ api_key }}"
|
||||
onclick="navigator.clipboard.writeText(this.dataset.key).then(()=>this.textContent='Copiat!')">
|
||||
Copiaza cheia
|
||||
</button>
|
||||
|
||||
<p style="font-size:13px;color:var(--warn);margin-top:12px;">
|
||||
Atentie: la refresh sau la urmatoarea vizita aceasta cheie dispare.
|
||||
Recuperare posibila doar prin rotire cheie (CLI admin).
|
||||
</p>
|
||||
|
||||
<div class="banner warn" style="margin-top:16px;">
|
||||
<label style="display:flex;align-items:flex-start;gap:8px;cursor:pointer;">
|
||||
<input type="checkbox" id="saved-check" style="margin-top:3px;">
|
||||
Am salvat cheia in siguranta
|
||||
</label>
|
||||
</div>
|
||||
|
||||
<p id="cta-dashboard" style="display:none;margin-top:16px;">
|
||||
<a href="/">Mergi la dashboard</a> — configureaza creds RAR si pregateste importul.
|
||||
Trimiterea catre RAR porneste automat dupa activarea contului de catre admin.
|
||||
</p>
|
||||
<script>
|
||||
document.getElementById('saved-check').addEventListener('change', function() {
|
||||
document.getElementById('cta-dashboard').style.display = this.checked ? 'block' : 'none';
|
||||
});
|
||||
</script>
|
||||
{% else %}
|
||||
<h2 style="margin-top:0;">Inregistrare cont nou</h2>
|
||||
|
||||
{% if error %}
|
||||
<div class="banner" style="margin-bottom:12px;padding:8px 12px;">{{ error }}</div>
|
||||
{% endif %}
|
||||
|
||||
<form method="post" action="/signup">
|
||||
<input type="hidden" name="csrf_token" value="{{ csrf_token }}">
|
||||
<p>
|
||||
<label>Companie <span style="color:var(--err)">*</span></label><br>
|
||||
<input type="text" name="name" value="{{ name or '' }}" required style="width:100%;">
|
||||
</p>
|
||||
<p>
|
||||
<label>CUI <span style="color:var(--muted);font-size:12px;">(optional)</span></label><br>
|
||||
<input type="text" name="cui" value="{{ cui or '' }}" style="width:100%;">
|
||||
</p>
|
||||
<p>
|
||||
<label>Email <span style="color:var(--err)">*</span></label><br>
|
||||
<input type="email" name="email" value="{{ email or '' }}" required style="width:100%;">
|
||||
</p>
|
||||
<p>
|
||||
<label>Parola <span style="color:var(--err)">*</span>
|
||||
<span style="color:var(--muted);font-size:12px;">(minim 10 caractere)</span>
|
||||
</label><br>
|
||||
<input type="password" name="parola" required style="width:100%;">
|
||||
</p>
|
||||
<button type="submit" style="width:100%;margin-top:8px;">Creeaza cont</button>
|
||||
</form>
|
||||
<p style="text-align:center;font-size:13px;margin-top:16px;">
|
||||
Ai deja cont? <a href="/login">Autentificare</a>
|
||||
</p>
|
||||
{% endif %}
|
||||
</div>
|
||||
{% endblock %}
|
||||
Reference in New Issue
Block a user