v2.1: Security - Captcha, Admin-Login, Auth-Decorator

2026-05-16 12:21:10 +00:00
parent 1ae070f82f
commit 9f8c7fb78d
6 changed files with 1286 additions and 2 deletions
@@ -10,6 +10,8 @@ from flask import Flask, request, jsonify, render_template, send_from_directory,
 from flask_cors import CORS

 from database import get_db, init_db, generate_booking_number, log_change
+from auth import require_auth, verify_captcha
+from login_routes import auth_bp
 from utils.ollama_client import (
    parse_email_with_ollama, 
    generate_confirmation_email,
@@ -21,6 +23,24 @@ app = Flask(__name__,
            static_folder='static')
 CORS(app)

+# Security config
+app.secret_key = os.environ.get('SESSION_SECRET', 'dev-secret-change-in-production')
+
+# Register auth blueprint
+app.register_blueprint(auth_bp)
+
+@app.before_request
+def check_auth():
+    # Public endpoints don't require auth
+    public_endpoints = ['/', '/api/captcha', '/api/rooms', '/api/availability', 
+                       '/api/health', '/api/admin/login']
+    if request.path in public_endpoints or request.path.startswith('/static/'):
+        return None
+    
+    # Admin endpoints require login
+    if request.path.startswith('/api/admin/') and session.get('user_role') != 'admin':
+        return jsonify({"error": "Unauthorized"}), 401
+
 # Konfiguration
 DEFAULT_OPEN_HOUR = 10  # 10:00
 DEFAULT_CLOSE_HOUR = 23  # 23:00