abdf5e7747
A hidden /admin path (not in nav) protected by a TOTP secret you enroll by scanning a QR into Google Authenticator / Authy, then entering the rotating 6-digit code. adminauth.py persists the secret + session key under DATA_DIR (gitignored); the QR only renders until first successful verification so the provisioning secret isn't perpetually exposed. SessionMiddleware carries a 60-min admin session. This becomes the secured control center the rest of the system gets built into. Verified end-to-end: gate renders QR, the live code authenticates and sets the session, the dashboard renders only with the session cookie, a wrong code is rejected, and an unauthenticated request never leaks the dashboard. Deps: pyotp, qrcode[pil], itsdangerous. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
921 B
921 B