stage-26: hidden /admin gated by TOTP (authenticator-app 2FA)

A hidden /admin path (not in nav) protected by a TOTP secret you enroll
by scanning a QR into Google Authenticator / Authy, then entering the
rotating 6-digit code. adminauth.py persists the secret + session key
under DATA_DIR (gitignored); the QR only renders until first successful
verification so the provisioning secret isn't perpetually exposed.
SessionMiddleware carries a 60-min admin session. This becomes the
secured control center the rest of the system gets built into.

Verified end-to-end: gate renders QR, the live code authenticates and
sets the session, the dashboard renders only with the session cookie,
a wrong code is rejected, and an unauthenticated request never leaks
the dashboard. Deps: pyotp, qrcode[pil], itsdangerous.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

This commit is contained in:

m17hr1l

2026-05-23 00:35:02 +02:00

parent 73a932d8be

commit abdf5e7747

6 changed files with 211 additions and 1 deletions

									
										3

pyproject.toml
									
												View File
												
				@@ -19,6 +19,9 @@ dependencies = [

				    "structlog>=24.1",

				    "sqlalchemy>=2.0",

				    "python-dotenv>=1.0",

				    "pyotp>=2.9",

				    "qrcode[pil]>=7.4",

				    "itsdangerous>=2.1",

				]

				[project.optional-dependencies]

stage-26: hidden /admin gated by TOTP (authenticator-app 2FA)

3 pyproject.toml Unescape Escape View File

3

pyproject.toml

View File