b8b62722ec
Auth system (off by default, zero friction for localhost): - New api/auth.py module: password hashing (SHA-256 + STATE_DIR salt), signed HMAC session cookies (24h TTL), auth middleware - Enable via HERMES_WEBUI_PASSWORD env var or Settings panel - Minimal dark-themed login page at /login (self-contained HTML) - POST /api/auth/login, /api/auth/logout, GET /api/auth/status - Settings panel: "Access Password" field + "Sign Out" button - password_hash added to settings.json (null = auth disabled) Security hardening: - Security headers on all responses: X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: same-origin - POST body size limit: 20MB cap in read_body() to prevent DoS Closes #23. 9 new tests. Total: 304 passed, 0 regressions. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
46 KiB
46 KiB