feat(gui): add auth core, setup gate, and first-run operator creation

- Add migrations 007-010 for system config, operators, sessions, audit_log - Implement argon2id password hashing via argon2-cffi - Implement session-based authentication with database-stored tokens - Add SetupGateMiddleware to redirect to /setup until first operator created - Add SessionMiddleware to load session from cookie and attach operator - Create /setup, /login, /logout, /change-password routes with CSRF protection - Add periodic session cleanup task (hourly) - Add audit logging for auth events - Update systemd unit with EnvironmentFile for /etc/central/central.env - Add comprehensive tests for auth, middleware, and audit modules Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-05-21 18:14:44 +02:00 · 2026-05-17 05:30:49 +00:00 · 2026-05-17 05:30:49 +00:00 · f059f982bc
commit f059f982bc
parent afde118d35
25 changed files with 1758 additions and 16 deletions
--- a/docs/environment.md
+++ b/docs/environment.md
@ -68,6 +68,34 @@ journalctl -u central-archive -f

 ## Database

+## Environment Variables
+
+Environment variables are stored in `/etc/central/central.env` and loaded by
+systemd services via `EnvironmentFile=`.
+
+| Variable | Required | Description |
+|----------|----------|-------------|
+| `CENTRAL_CSRF_SECRET` | Yes (for GUI) | Secret key for CSRF token signing. Generate with `python3 -c "import secrets; print(secrets.token_urlsafe(32))"` |
+
+### Generating CSRF Secret
+
+```bash
+python3 -c "import secrets; print(secrets.token_urlsafe(32))"
+```
+
+Add the generated value to `/etc/central/central.env`:
+
+```bash
+CENTRAL_CSRF_SECRET=<generated-secret>
+```
+
+Ensure the file has restricted permissions:
+
+```bash
+sudo chmod 640 /etc/central/central.env
+sudo chown central:central /etc/central/central.env
+```
+
 PostgreSQL 16 with TimescaleDB runs on CT104:

 ```bash