38b35c933a
Three login endpoints under /api/v1/auth/ + dev-only CORS so the Vite
frontend can drive the session cookie.
- POST /login validates local credentials and sets a Flask session cookie.
Returns the CurrentUser shape on 200 (user_id, username=email,
display_name, role, permissions, groups). Uniform 401 invalid_credentials
on bad password or unknown user; a bcrypt round against a dummy hash runs
even on unknown users so the request timing does not enumerate accounts.
Audits an auth.login row and bumps user.last_login_at.
- POST /logout (login_required) clears the session, returns 204, audits an
auth.logout row.
- GET /me returns the current principal or 401 not_authenticated. Used by
the frontend at boot to rehydrate state.
Side wiring:
- LoginManager.unauthorized_handler emits the same {error, message} JSON
envelope so @login_required 401s match the rest of the API surface.
- api/_helpers gains `serialize_current_user(AuthUser) -> CurrentUser` and
`api_error(code, message, status)` — used by the auth blueprint and
available to follow-up endpoints.
- AuthUser carries display_name + user_type now; identity.load_user routes
through a new `authuser_from_orm()` helper that the login endpoint also
uses so /login and the user_loader produce identical shapes.
- Dev-only CORS via flask-cors on /api/*, gated on
MIMIC_ENV=development AND MIMIC_CORS_ORIGINS non-empty. Prod keeps
same-origin (reverse proxy fronts the SPA + API).
- LoginRequest + CurrentUser DTOs added to mimic.schemas.
No frontend-visible change to engagements (sprint-0 already shipped
created_by_id, audit log, F11 scope).
3.5 KiB
3.5 KiB