feat(web): self-service cheie/creds + admin web + email signup (PRD 3.3b)

US-007: rute web proprii /cont/roteste-cheie + /cont/rar-creds scoped pe sesiune (C13), sectiune "Contul meu" cu cheie afisata o data. US-010: rol admin (users.is_admin) + require_admin->403 + CLI set-admin + bootstrap primul cont=admin (count_admins in BEGIN IMMEDIATE, anti-race). US-011: panou /admin (activare/dezactivare conturi, CSRF + PRG), link admin + logout pe dashboard. US-012: app/email.py notify_signup best-effort degradat fara SMTP + config smtp_*. Fix: migrare defensiva users.is_admin/email_verified in _migrate. VERIFY x2 context curat (PASS) + /code-review high. 393 teste pass. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-18 17:19:06 +00:00
parent 504b490d3b
commit b92055eb01
21 changed files with 1766 additions and 10 deletions
--- a/app/web/routes.py
+++ b/app/web/routes.py
@@ -22,6 +22,7 @@ from fastapi.responses import HTMLResponse
 from fastapi.templating import Jinja2Templates

 from .. import __version__
+from ..auth import rotate_api_key
 from ..web.csrf import get_csrf_token, verify_csrf
 from ..web.session import require_login
 from ..api.v1.import_router import (
@@ -37,6 +38,7 @@ from ..crypto import decrypt_creds, encrypt_creds
 from ..db import get_connection, read_heartbeat
 from ..idempotency import build_key, canonicalize_row
 from ..import_parse import FileTooLarge, HeaderError, MultipleSheets, parse_date_value, parse_file
+from ..users import is_account_admin
 from ..mapping import (
    DEFAULT_ACCOUNT_ID,
    account_or_default,
@@ -131,6 +133,7 @@ def dashboard(request: Request) -> HTMLResponse:
            "last_login": hb["last_rar_login_ok"] if hb else None,
            "rar_state": _rar_state(hb, worker_alive),
            "account_active": _account_active(conn, account_id),
+            "is_admin": is_account_admin(conn, account_id),
            "csrf_token": get_csrf_token(request),
        }
        return templates.TemplateResponse("dashboard.html", ctx)
@@ -907,3 +910,119 @@ async def web_confirma_import(

    finally:
        conn.close()
+
+
+# =========================================================================== #
+# US-007 — Sectiune "Contul meu": rotire cheie API + creds RAR din UI         #
+# Rute web proprii scoped pe sesiune (C13: nu reutilizeaza /v1/conturi/rar-creds
+# care cere cheie API; sesiunea web e suficienta ca identitate).               #
+# =========================================================================== #
+
+def _render_cont(
+    request: Request,
+    *,
+    api_key: str | None = None,
+    are_creds: bool = False,
+    creds_mesaj: str | None = None,
+    creds_eroare: str | None = None,
+    rot_eroare: str | None = None,
+) -> HTMLResponse:
+    """Randeaza cardul 'Contul meu'. Parola niciodata in value=."""
+    return templates.TemplateResponse(
+        "_cont.html",
+        _ctx(
+            request,
+            api_key=api_key,
+            are_creds=are_creds,
+            creds_mesaj=creds_mesaj,
+            creds_eroare=creds_eroare,
+            rot_eroare=rot_eroare,
+        ),
+    )
+
+
+@router.get("/_fragments/cont", response_class=HTMLResponse)
+def fragment_cont(request: Request) -> HTMLResponse:
+    """Fragment HTMX card 'Contul meu': stare cheie + creds RAR (fara a le expune)."""
+    account_id = require_login(request)
+    acct = account_or_default(account_id)
+    conn = get_connection()
+    try:
+        row = conn.execute(
+            "SELECT rar_creds_enc FROM accounts WHERE id=?", (acct,)
+        ).fetchone()
+        are_creds = bool(row and row["rar_creds_enc"])
+        return _render_cont(request, are_creds=are_creds)
+    finally:
+        conn.close()
+
+
+@router.post("/cont/roteste-cheie", response_class=HTMLResponse)
+def cont_roteste_cheie(
+    request: Request,
+    csrf_token: str | None = Form(None),
+) -> HTMLResponse:
+    """Revoca toate cheile active si emite una noua. Afisata O SINGURA DATA."""
+    account_id = require_login(request)
+    verify_csrf(request, csrf_token)
+    acct = account_or_default(account_id)
+    conn = get_connection()
+    try:
+        new_key = rotate_api_key(conn, acct)
+        row = conn.execute(
+            "SELECT rar_creds_enc FROM accounts WHERE id=?", (acct,)
+        ).fetchone()
+        are_creds = bool(row and row["rar_creds_enc"])
+        return _render_cont(request, api_key=new_key, are_creds=are_creds)
+    finally:
+        conn.close()
+
+
+@router.post("/cont/rar-creds", response_class=HTMLResponse)
+def cont_rar_creds(
+    request: Request,
+    rar_email: str = Form(""),
+    rar_parola: str = Form(""),
+    csrf_token: str | None = Form(None),
+) -> HTMLResponse:
+    """Seteaza creds RAR per cont din sesiune (ruta web proprie, C13).
+
+    Camp parola NICIODATA re-pus in value= la re-randare.
+    Validare minima: email si parola negoale.
+    """
+    account_id = require_login(request)
+    verify_csrf(request, csrf_token)
+    acct = account_or_default(account_id)
+
+    email = rar_email.strip()
+    parola = rar_parola.strip()
+
+    if not email or not parola:
+        conn = get_connection()
+        try:
+            row = conn.execute(
+                "SELECT rar_creds_enc FROM accounts WHERE id=?", (acct,)
+            ).fetchone()
+            are_creds = bool(row and row["rar_creds_enc"])
+        finally:
+            conn.close()
+        return _render_cont(
+            request,
+            are_creds=are_creds,
+            creds_eroare="Email si parola sunt obligatorii.",
+        )
+
+    enc = encrypt_creds({"email": email, "password": parola})
+    conn = get_connection()
+    try:
+        conn.execute(
+            "UPDATE accounts SET rar_creds_enc=? WHERE id=?",
+            (enc, acct),
+        )
+        return _render_cont(
+            request,
+            are_creds=True,
+            creds_mesaj="Credentialele RAR au fost salvate cu succes.",
+        )
+    finally:
+        conn.close()