feat(config): web_auth_required ON implicit (login obligatoriu pe rutele web)

Inverseaza default-ul C12: rutele web cer sesiune + CSRF implicit (sigur pentru
prod). Dev rapid pe contul 1 = opt-out explicit AUTOPASS_WEB_AUTH_REQUIRED=false.
Testele de comportament import/dashboard marcate explicit dev-mode; test nou
blocheaza default-ul. 394 teste pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

app/config.py

@@ -39,9 +39,10 @@ class Settings(BaseSettings):
     # in prod seteaza persistent ca si creds_key, altfel cookieurile se invalideaza
     # la restart). Genereaza: python -c "import secrets; print(secrets.token_hex(32))"
     session_secret: str | None = None
-    # True (prod): rutele web fara sesiune -> redirect /login. False (dev): fara
-    # sesiune -> cont implicit id=1, back-compat (C12/§5 Q5).
-    web_auth_required: bool = False
+    # True (IMPLICIT, sigur pentru prod): rutele web fara sesiune -> redirect /login;
+    # CSRF enforce. Pentru dev rapid pe contul implicit id=1 (back-compat C12/§5 Q5),
+    # seteaza explicit AUTOPASS_WEB_AUTH_REQUIRED=false.
+    web_auth_required: bool = True
     # True (prod, in spatele Cloudflare Tunnel TLS): cookie cu Secure flag (C4).
     # False (dev): cookie fara Secure, functioneaza pe HTTP.
     session_https_only: bool = False

tests/test_dashboard.py

@@ -15,6 +15,9 @@ from fastapi.testclient import TestClient
 def client(monkeypatch):
     tmp = tempfile.mkdtemp()
     monkeypatch.setenv("AUTOPASS_DB_PATH", os.path.join(tmp, "t.db"))
+    # Comportament in mod dev (fallback cont 1, fara login/CSRF); auth web e
+    # default ON in prod — testat separat in test_web_*.
+    monkeypatch.setenv("AUTOPASS_WEB_AUTH_REQUIRED", "false")
     from app.config import get_settings
 
     get_settings.cache_clear()

tests/test_import_ui.py

@@ -26,6 +26,9 @@ import pytest
 def client(monkeypatch):
     tmp = tempfile.mkdtemp()
     monkeypatch.setenv("AUTOPASS_DB_PATH", os.path.join(tmp, "t.db"))
+    # Comportament in mod dev (fallback cont 1, fara login/CSRF); auth web e
+    # default ON in prod — testat separat in test_web_*.
+    monkeypatch.setenv("AUTOPASS_WEB_AUTH_REQUIRED", "false")
     from app.config import get_settings
 
     get_settings.cache_clear()

tests/test_import_web_scope.py

@@ -46,6 +46,9 @@ def _csrf_from(html: str) -> str:
 def env(monkeypatch):
     tmp = tempfile.mkdtemp()
     monkeypatch.setenv("AUTOPASS_DB_PATH", os.path.join(tmp, "scope.db"))
+    # Scoping testat prin monkeypatch require_login pe acct_a/acct_b; rulam in mod
+    # dev (CSRF skip fara sesiune) — auth web e default ON in prod, testat in test_web_*.
+    monkeypatch.setenv("AUTOPASS_WEB_AUTH_REQUIRED", "false")
     from app.config import get_settings
     get_settings.cache_clear()
     from app.main import app

tests/test_web_session.py

@@ -147,3 +147,15 @@ def test_ruta_protejata_cu_sesiune_trece(client_auth):
     resp = client_auth.get("/protected")
     assert resp.status_code == 200
     assert resp.json()["account_id"] == 5
+
+
+def test_web_auth_required_default_true(monkeypatch):
+    """Default-ul de productie: auth web e ON daca AUTOPASS_WEB_AUTH_REQUIRED nu e setat.
+
+    Dev rapid pe cont 1 = opt-out explicit (AUTOPASS_WEB_AUTH_REQUIRED=false).
+    """
+    monkeypatch.delenv("AUTOPASS_WEB_AUTH_REQUIRED", raising=False)
+    from app.config import Settings, get_settings
+    get_settings.cache_clear()
+    assert Settings().web_auth_required is True
+    get_settings.cache_clear()