feat(config): web_auth_required ON implicit (login obligatoriu pe rutele web)

Inverseaza default-ul C12: rutele web cer sesiune + CSRF implicit (sigur pentru
prod). Dev rapid pe contul 1 = opt-out explicit AUTOPASS_WEB_AUTH_REQUIRED=false.
Testele de comportament import/dashboard marcate explicit dev-mode; test nou
blocheaza default-ul. 394 teste pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Claude Agent
2026-06-18 18:27:09 +00:00
parent b92055eb01
commit 958b182e8e
5 changed files with 25 additions and 3 deletions

View File

@@ -39,9 +39,10 @@ class Settings(BaseSettings):
# in prod seteaza persistent ca si creds_key, altfel cookieurile se invalideaza
# la restart). Genereaza: python -c "import secrets; print(secrets.token_hex(32))"
session_secret: str | None = None
# True (prod): rutele web fara sesiune -> redirect /login. False (dev): fara
# sesiune -> cont implicit id=1, back-compat (C12/§5 Q5).
web_auth_required: bool = False
# True (IMPLICIT, sigur pentru prod): rutele web fara sesiune -> redirect /login;
# CSRF enforce. Pentru dev rapid pe contul implicit id=1 (back-compat C12/§5 Q5),
# seteaza explicit AUTOPASS_WEB_AUTH_REQUIRED=false.
web_auth_required: bool = True
# True (prod, in spatele Cloudflare Tunnel TLS): cookie cu Secure flag (C4).
# False (dev): cookie fara Secure, functioneaza pe HTTP.
session_https_only: bool = False